An important part of your personal digital security is making sure your credit and debit cards are secure. In this episode, Liz and Geoffrey take a look at how attackers clone credit and debit cards, how newer cards resist these attacks, whether it's safer to use mobile payment apps, and how to keep an eye on your credit reports. Also, cell phone carriers continue to sell your location data, and phishing attacks against accounts with two-factor auth have become more powerful.
- 1:18 - Security news: selling real time cell phone location data
- 2:54 - Security news: Facebook gathering location data, even when location services is off
- 4:05 - Security news: automated two-factor phishing for Gmail accounts
- 6:10 - Credit vs. debit card protections
- 9:12 - Skimmers
- 9:50 - CVV security codes
- 11:04 - Skimmers, continued
- 11:23 - Chip cards
- 13:36 - Online vs. offline transactions
- 14:22 - Shimmers
- 16:07 - Virtual credit card numbers and contactless payment systems (like Apple Pay, Google Pay, Samsung Pay)
- 18:27 - Fraud alerts and transaction notifications
- 23:26 - Credit reports
- 25:17 - Credit score monitoring services
- 27:11 - Identity theft monitoring services
- 27:35 - Credit report fraud alerts and credit freezes
- 31:39 - Outtake
Show notes & further reading
Credit and debit cards
Security reporter Brian Krebs' series on "skimmers" is a great starting point for being aware of these attacks. It's often possible to notice skimmers, especially if it's an ATM you're familiar with, since they're devices that clip over the regular card slot and PIN entry pad. There are also "shimmers," which can read the fixed card number during a chip card (EMV) transaction - while the chip can't be cloned, the card number and other data is often enough to make fraudulent online or magnetic-stripe transactions.
Wikipedia has a decent (though rather technical, and not completely current) overview of the EMV card system. In particular the "Implementation" section tracks the current status of EMV and the liability shift throughout the world. Individual merchants are becoming liable for fraudulent transactions using magnetic stripes, so as the liability shift date passes, they're likely to stop accepting non-EMV cards.
On the other side of the technical spectrum, if you've never seen a manual card imprinter (popular through the 1990s), this page from an online card processor has a nice overview. It used carbon-copy paper and a mechanical slider to make an impression of the raised digits on the card for the merchant to use later. Nowadays, as digital measures become mandatory and card numbers are treated as sensitive information, even raised numbers are disappearing. But as recently as 2014, American Chinese restaurant chain P. F. Chang's briefly started using mechanical imprinters after suffering a breach which caused them to no longer trust their online transaction system.
The urban legend about entering your PIN backwards to alert police is just an urban legend: the Federal Trade Commission found that "no ATMs employ or have employed an emergency-PIN system, and very few employ an alarm button system."
Making credit-network transactions on compatible debit cards was fairly straightforward in the days of swiped magnetic stripes: you'd usually just select the "credit" option. With EMV debit cards the prompts are a little more confusing, but the option still exists.
Contactless payment apps
Apple's documentation on Apple Pay security and privacy is pretty readable and discusses where the data is available, what card number is used, and how to disable it. Google has a less detailed overview of Google Pay, but many of the principles are the same, including the ability to revoke the card remotely without changing your real credit card number. Samsung Pay also lets you use their Find My Mobile service to disable the card until you can get your phone back.
Credit reports and freezes
US listeners: you can get your federally-mandated free annual credit report from https://www.annualcreditreport.com - note the https, and "annual" not "free". There are various other sites that promise this; some of them are even semi-legitimate, like one that was run by one of the actual credit agencies, though they later paid a fine for deceptive advertising. You can confirm that https://www.annualcreditreport.com is the right URL because it's mentioned on usa.gov. There are three major credit reporting agencies in the US (Equifax, Experian, and TransUnion), and you're entitled to one report a year from each of the three agencies. If you like, you can get your free reports for the three agencies at different times, so you could get one report every four months from a different agency.
In September 2018, credit freezes, which prevent new creditors from accessing your credit report, became free by law. In the past a popular free option was a fraud alert, which keeps your credit report available, but adds a note that the creditor should contact you before opening the account. NerdWallet has a pretty good discussion of the various options: there's also the option of "credit locks," which you can quickly enable/disable with a smartphone app, but they're mostly a weaker form of freeze.
In the news
Despite a promise last summer from the major US cell carriers to stop selling location data "as soon as practical" (which we covered in the news segment of our June 26, 2018 episode "Securing your phone"), Motherboard reported that location data was still being sold to bounty hunters over six months later. This also came as a surprise to Google, who resells T-Mobile and Sprint service as "Google Fi" and had demanded that they not sell customer location data. The major carriers have all stated that they intend to stop selling location data, some now giving specific time lines - for example, T-Mobile and AT&T will end their contracts in March. The US Congress has also gotten involved: some representatives have sent letters to the companies involved, and several senators have called for an FTC and FCC investigation.
"Phishing" is an attack where someone tries to trick you into logging into a fake copy of a website with your real credentials, so they can gain access to your account. While two-factor authentication makes phishing harder - an attacker can't just passively collect passwords and try using them a long time later - most two-factor authentication mechanisms don't completely stop phishing. If you're entering a short code, an attacker can use that code to immediately log into the website. Amnesty International found that this attack has been deployed at scale by attackers automating the phishing of two-factor authentication codes to break into Gmail accounts. Motherboard has additional reporting on the discovery, and we agree with their advice - if you can use a hardware security key for two-factor authentication, do so. Since the key verifies the website instead of giving you a token to type in, it can't be tricked by cleverly-designed fake websites. See our two-factor authentication resource page, as well as our episode "Two-factor authentication and account recovery," for more about various kinds of two-factor authentication. Another good defense against phishing is to use a password manager and the associated browser extension - we have an episode about password managers, too!
Liz Denys (LD): Geoffrey, you left some old receipts lying around the recording studio last time. And one of them appears to have your full credit card number?
Geoffrey Thomas (GT): Oh, don't worry, Liz, as we're going to talk about in today's episode, even if an attacker has your credit card number they can't clone my credit card, because it has a chip.
LD: Well, as we'll also get into in a bit, that's not quite true - they can still use it. It won't work in chip-enabled readers, but it will work in some older devices and maybe even on some online stores.
GT: Oh, hm, that's a good point.
LD: Also, the real problem is you left your trash around the studio.
GT: That's also a good point.
LD: Anyway, today's episode is all about digital security for your debit and credit cards.
GT: We'll talk about your cards' built-in security measures and ways you can make sure they aren't being misused.
LD: Step one: don't leave your full credit card number out where other people can see it.
Intro music plays.
LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,
GT: and I'm Geoffrey Thomas, and we're your hosts.
LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.
GT: In every episode, we tackle a typical security concern or walk you through a recent incident.
Intro music fades out.
GT: Motherboard broke a pretty big privacy story recently. Several episodes ago we talked about cell phone companies saying they would stop selling location data, after one of the "data brokers" had a free demo on their website that would locate anyone's phone. It turns out that data was still available for sale, months later.
GT: The bounty hunter pinpointed the phone's live location to about a few hundred meters or a couple city blocks accuracy, which is honestly pretty disturbing given that there wasn't any particular reason the bounty hunter had to track this particular phone number.
LD: Cell phones communicate with nearby cell phone towers to send and receive calls and text messages, and your cell phone's location can be worked out based on how close it is to the towers it's communicating with. It's fairly well known that law enforcement agencies can access this sort of location tracking with a warrant, but that's very different from being able to call up a bounty hunter and just getting this data yourself.
GT: U.S. telecom companies sell access to cell phone location data to companies known as location aggregators. Those location aggregators, in turn, will resell the data to customers like financial companies who claim to use it for fraud detection or roadside assistance companies who might use it to locate customers who've phoned in for help, but Motherboard reports there's also a complex chain of resellers who don't always adhere to the same rules about how this data can be sold as the location aggregators telecom companies directly sell to.
LD: The lack of privacy Motherboard exposed is quite troubling, but unfortunately, there's not a lot you can do to avoid this kind of tracking, beyond talking with your elected officials and pushing for better regulation of how your location data is being used and resold.
GT: Gizmodo highlighted another place location data was being unexpectedly gather - even if you turn off Location Services for Facebook on your phone, Facebook still gathers location data for you in other ways. Facebook says that it also gathers location information based on the IP addresses you're using to access the site and information you post to your Facebook account such as current city and location check ins. Facebook could also be getting location information through wifi data, but claims not to do so. Facebook says, quote "There is no way for people to opt out of using location for ads entirely."
LD: While I understand the confusion of turning off location services but still having non-GPS based methods essentially tracking you, this isn't really surprising from a technical perspective. It's sort of more or less a function of how you communicate over the internet - IP addresses are more imperfect than GPS coordinates, but can still be used to make a pretty good guess as to where you generally are.
GT: You could potentially obscure your IP address, the data Facebook is likely referring to when they say you can't opt out of their using location entirely.
LD: We'll talk about this in a future episode - there are mechanisms like VPNs and Tor to hide your IP address, but they come with their own risks and complications, so it's not a topic we want to get into right now.
GT: An Amnesty International report discussed how attackers have been automating the phishing of two-factor authentication codes to break into Gmail accounts. These attackers are creating fake phishing websites to ask you to login to your Gmail account, and instead of the typical phishing site that just collects your password, the attackers have automated passing your password along to Gmail and then automatically prompt you for your second factor code. If you're using SMS or a code authenticator app for your Gmail's second factor and you type it into their phishing site, the attacker then has access to your account.
LD: The automation is what's most novel about this: it enables attackers to get access to a lot more accounts more quickly, and because it handles that second factor automatically, it might not raise the same red flags to a user who knows they need to enter that second factor as with simpler phishing sites.
GT: This automated attack is a good reminder that two-factor authentication isn't foolproof account security and also serves as an example of why you want to use the strongest form of two-factor authentication available whenever you can, namely security keys. As we discussed in our episode "Two-factor authentication and account recovery," your browser communicates the website's name to your security key, which responds with a specific answer for that website, so if you're accidentally visiting a phishing site instead of the real one you wanted, the security key won't even be able to compute the right answer. In turn, the automated phishing sites described here can't pass your response along to successfully log into the real site.
LD: Gmail supports security keys, so you could get one that works with your laptop and browser and use that whenever you can, but that's not the only thing you can do to help protect yourself from this type of attack. It's also a great reason to use a password manager and its browser extension or phone integration for entering any passwords because your password manager will be checking the url of the site you're on against the origin it expects for your passwords. If you asked your password manager extension or phone integration to try to fill in a password for a phishing site, it won't be able to because the origins won't match.
Interlude music plays.
GT: All right, before we dive into the main segment, a couple of disclaimers. First, we're going to focus primarily on the United States because that's what we're familiar with. Those of you who have nifty bank transfer systems that everyone can just use - we don't quite have that in America, unfortunately.
LD: That said, a lot of things that are true in the US are going to be common worldwide. Credit cards with chips are commonplace everywhere; America mostly adopted what the rest of the world already had. And the principles of staying safe with mobile payments are basically the same everywhere.
GT: Also, we just want to clarify that this is in no way financial advice - we're not telling you which sorts of accounts make sense for your financial situations.
LD: Yeah, we just want to highlight the non-monetary security concerns around common types of accounts.
GT: Right, we're not telling you what to do your money, just how to do it securely.
LD: Well, as securely as you can.
GT: For instance, we're not going to say whether it's better from a financial or budgeting perspective to buy things on credit or by debiting money from your bank account, but we will say that if you have the option, you'll have more protections against fraud if you process the transaction through the credit card system. There are some debit cards where you can select the credit card option when buying something at a store.
LD: Oh, I don't use my debit card for purchases much. What does that do?
GT: I don't any more either, but I used to in college - I got my bank account before I was 18 so I couldn't get a credit card. But they did give me a thing with "Debit MasterCard" printed on it. You know how you sometimes get the option to choose debit or credit? It will work with both.
LD: Oh, I see - and it won't ask you for your PIN if you use credit, right? And it goes through as a credit card transaction?
GT: Right, the other way to select it is that if it asks you for the PIN, you can usually hit cancel and it will process it as a credit transaction. It costs a little more to the merchant, and also you can't choose to get cash back. But you generally get credit-card-style protections against misuse: you can dispute the charge if they overcharge you.
LD: You also get protection against your card being stolen: the merchant doesn't have your PIN, so they can't clone your card and go to an ATM and withdraw money.
GT: Yeah, let's talk about cloning credit cards for a bit, but before we do that, once again, talk to your own financial advisor and read your own card agreements about things like debit versus credit. There will occasionally be weird fees in the fine print, and we don't want you to be surprised by those!
LD: So a debit or ATM card has a PIN, and the card and the PIN together can immediately authorize a transfer of money out of your account, like a withdrawal from an ATM.
GT: So they're a very high-value target. With a credit card you can dispute a transaction if your card gets stolen and misused; there's something like insurance built in as a result of the fees. If your debit card and its PIN both get stolen, your protections are much weaker.
LD: PINs are essentially short, and thus weak, numerical passwords, so it's a good idea to pick a random one instead of something significant to you like a special date. Your password manager probably has a generator that will create and save a numerical password.
GT: By the way, we should mention an urban legend about entering your PIN backwards at an ATM to alert the police that you're being forced to withdraw cash - it's an idea that's been discussed a lot but ATMs don't actually implement it. An FTC report found that no ATMs actually employed such a system, so don't count on it if you ever find yourself being forced to withdraw money.
LD: A much more common risk with ATMs is skimmers - devices that clip onto ATMs and grab the data on the card as well as the PIN. They're very slim and designed to look like nobody has tampered with the ATM.
GT: Security reporter Brian Krebs has a series on skimmers that we'll link to in the show notes. They slip right onto the card reader and the PIN pad, so an attacker can go up to an ATM, spend no more time than a legitimate ATM user would, and leave a skimmer attached.
LD: There have even been reports of skimmers at self-service checkouts, again where nobody's looking very closely at someone clipping something onto the device, so that's another good reason to use a debit card as credit card whenever possible: a skimmer won't get your PIN.
GT: Credit cards - and debit cards that are usable as credit - have one additional piece of data besides just the card number: they have a 3- or 4-digit security code, sometimes called a CSC or CVV, that isn't part of the card number. The reason for this is that a long time ago, credit cards were processed by making a physical carbon copy of the raised digits on the credit card. The security code - along with other information like the expiration date - is just printed, not embossed, so it's less vulnerable to theft.
LD: The security code is just used as an indicator that the transaction is non-fraudulent. Unlike an ATM PIN, it doesn't 100% guarantee the transaction, so you can still dispute a transaction that was made with the security code.
GT: There are actually two security codes: one's encoded on the magnetic stripe and one's printed on the card. They can't be used in place of each other, so for instance when you give your card number and security code as part of an online purchase, an attacker can't make a usable physical card with that data - it's the wrong security code.
LD: But they are usable for the same type of transaction: an attacker who gets your security code with an online purchase can make more online purchases, which is why it's important to only make purchases at websites you trust to handle your card securely. And the magnetic stripe data captured by credit card skimmers can still be used to print a duplicate credit card.
GT: I'm in the habit of pulling gently on the keypad and card slot of an ATM before I use it, just to see if anything looks like it was hastily attached. If the keypad looks unusually raised from the rest of the machine, it's probably a good idea to avoid it.
LD: Well, you've also got a chip-enabled ATM card now, right?
GT: Yeah, my bank sent me one about a year ago, and that does help a lot.
LD: Chip cards are pretty cool - they're like many of the good two-factor authentication mechanisms like security keys or code generators. If you think back to why we recommended using two-factor authentication even if you've got a good, strong password, it's because a password is a single steady target, and the two-factor codes change, so even if an attacker gets a copy of your two-factor code, they can't use it again. Chip cards are pretty similar in theory to security keys - when you plug it in, just like with a security key, it gets sent a random "challenge" value and has to come up with a specific cryptographic "response." No matter how many previous responses an attacker sees, they can't come up with a response to a new challenge unless they've physically got the card or the security key.
GT: On the other hand, the magnetic stripe on a credit card just encodes your card number. Well, it's got the CVV, so you can't completely clone a credit card from just a photo, but if you have a magnetic stripe reader and writer - which you can get for under $100 - it's very easy to copy credit cards.
LD: So Target suffered a massive credit card breach a few years ago - 40 million shoppers who went to a one of their stores over a three week period towards the end of 2013 had their credit card's magnetic stripe information stolen. Target settled with banks, and American credit card companies started the push to switch to the chip cards that were already popular in the rest of the world. So that's how America got on the EMV standard, which is short for "Europay, Mastercard, and Visa", the three companies that created the chip standard. The EMV standard specifies how the devices at stores communicate with the chip on your card to make sure they're talking to your actual card and not a clone.
GT: There's another layer of security in some countries called "chip and PIN": you have to enter a PIN on a keypad while your card is inserted. It gets sent to the card, and without it, the little applet running on the card won't unlock. It protects you from someone trying to use your card if they stole it but haven't seen your PIN, but the bulk of the security is still in the chip.
LD: Other countries, like America, just have "chip and signature" - there's nothing digital in the signature, the merchant just stores the record if they need it. By the way, if you don't have a PIN on your card and you're planning to travel to a country that needs one, you should check with your card company if there's a PIN you need to know about. It's also possible that your chip and signature card will just work without a signature - that's happened to me a lot of times when I've gone to buy transit tickets in Europe.
GT: Yeah, you might have mixed results depending on whether the card reader is online. In places like subway stations that don't have a reliable internet connection, or even some small businesses, it's common to have a credit card machine that's "offline" and only sends its transactions to the credit card network later. To reduce the risk of stolen cards being used, there's generally a limit on how much money they can charge offline. And in countries that use PINs, they usually let you make small online transactions without a PIN, but require a PIN for all offline ones.
LD: Along those lines, some offline terminals will require a working chip and not permit swiping the magnetic stripe - because an offline terminal can't contact the card network and ask if the card has been reported stolen, it might require using the harder-to-clone chip, even if online terminals in that area still let you swipe the card.
GT: There is still one risk with chip cards: it's possible to ask the chip for the credit card number, or in other words, the information on the magnetic stripe. Even though it's a chip card, it stores this unchanging information and you can request it. While that same information won't work for another chip-based transaction, it is enough data to write a magnetic stripe with the same card number.
LD: So there's a newer variant of skimmers called shimmers: an attacker secretly inserts a very thin shim with a microchip and some flash storage into the chip reader card slot to intercept the chip data during a transaction. The attacker won't get enough information to replicate the chip, but they can get enough information to make a magnetic stripe clone of your card. They can then use that in places that still require you to swipe to pay.
GT: I actually got an alert for this recently - I don't know if it was from a shimmer, but somehow I was sitting at home and got a text message saying, your recent transaction at such-and-such gas station was declined because you should use the chip instead of swiping. So clearly someone had gotten enough info about my credit card to clone a magnetic stripe, and I only knew because they didn't manage to clone the chip card.
LD: In some places, merchants can still swipe your card instead of using the more secure chip method because the timeline credit card companies gave to merchants to twilight swiping the magnetic stripes hasn't come yet. You only get the increased security when the chip-based payment method is actually used, so your card having it isn't enough to keep you safe.
GT: There's been a process called the "liability shift" - where the credit card companies are telling merchants with magnetic stripe readers, if someone uses a cloned card, you need to pay the cost of that, we're not going to pay it. It's been completed in most places, although gas stations in the US are still exempt. Which is probably why they tried using my cloned card at a gas station, but this particular gas station apparently had a chip card reader.
LD: And, of course, online purchases use your fixed credit card number. So if some site you've ordered from gets breached or doesn't take proper security measures for their databases, that info can be reused on another website.
GT: One way to keep yourself safer for online purchases is to use a virtual credit card number - several credit card companies let you get a second, temporary number that you can use for online purchases. They usually expire after a short time, maybe after even one transaction, and they aren't valid for in-person credit card transactions, so it's a little less risky if your virtual card number gets stolen. But it can get tedious to switch out virtual card numbers constantly.
LD: Actually, this is one of the nice things about using the contactless payment system on your phone, like Apple Pay or Google Pay or Samsung Pay. Contactless payments usually support EMV, just over near-field radio waves instead of a physical connection. But for most contactless apps, the card number it uses is a virtual number that's only usable through the payment app. If someone sniffs the transaction and tries to print a magnetic stripe with that number, it won't work at all.
GT: Some websites also let you make online purchases through your phone's payment app. That's probably the safest way of making online purchases if it's available to you. When you use your phone's payment app to complete an online purchase, it's actually using a device-specific virtual card number called the Device Account Number, and the only thing that account number can be used for is online purchases.
LD: And there's a neat trick to keep online purchases secure - although the virtual Device Account Number itself doesn't change, the security code is different for each transaction. It's a separate kind of security code, sometimes called a CVV3, that's different from both the one printed on the card and the one that goes on the magnetic stripe, so it's completely unusable for anything except that one transaction.
GT: If you lose your phone, you probably won't have to change your real credit card number entirely, because you can just revoke the virtual Device Account Number by un-linking your mobile payment app.
LD: You likely won't even have to contact your credit card company to do this - Lost Mode in Find My iPhone will revoke this for Apple Pay, and Find My Device on Android is similarly easy for Google Pay, and Find My Mobile will also lock down Samsung Pay.
GT: That about covers the security features of different ways you can use your cards. We'll discuss some ways to help ensure your cards aren't being misused after a quick break.
Interlude music plays.
GT: If your card gets stolen, it's generally easiest to deal with that as soon a possible - in the US, you're more financially liable the longer it takes to discover a charge you didn't make - so while it's likely still good practice for budgeting reasons to review your card statements each month, real time monitoring is a lot better.
LD: I've also found it to be a more frustrating process the longer you wait - this is just my personal anecdotes, of course, but when I've disputed charges immediately, it was usually a straightforward process, but about six years ago, I didn't notice one fraudulent charge until a week after the charge, after it had been processed, and it took more than a month to reverse.
GT: Card companies try to detect fraud for you, too, but they don't always get this right. You can be your own fraud detection by turning on notifications for every transaction you make. Banks and card companies typically offer this over email, text message, or push notification through their apps, though not every bank offers all of those options for transaction notifications.
LD: SMS is the least secure of these, and it might not be that helpful for you anyway if you're travelling internationally a lot and might not be receiving texts at your normal cell number.
GT: I have push notifications turned on through my apps - for one of my cards, simply having it in Apple Pay lets you get a notification for all transactions using the card, even if they're through the physical card. Another one lets me get notification for transactions over a certain amount, so I just set that to zero. And for one of my bank accounts that I don't use regularly, I just told it to let me know if my balance goes below a certain amount, and I set that to what's currently in that account.
LD: I also turned on notifications for every card transaction I made - well nearly every one since one of my cards won't notify me on transactions under a certain small number of cents, I have no idea why - but I did this a few years ago so I could make sure I wasn't forgetting about any recurring subscriptions and found it incredibly useful for a lot of other reasons and a lot less annoying than I anticipated - I don't have too many automatic recurring payments, so I'm usually getting messages when I'm already paying for something, and it's not actually interrupting me. I'm somehow really unlucky at my credit cards getting stolen, though: I've had my cards stolen three times over the last couple years, and only one of those times did I get both a notification for a transaction I didn't recognize and an explicit fraud alert from the bank that issued the card. So I've definitely found these transaction notifications are a value add.
GT: Card issuers use metrics to try to guess which transactions you did and didn't make - sometimes, if you're travelling or making an atypically large purchase or if it's a really small purchase to a new merchant, that will flag things, and they'll generally deny the transaction and send you a text or email asking if it was you. They usually want you to reply with something brief, and it's actually pretty safe to reply to those messages - it doesn't give away a lot of information just if you made or didn't make a specific transaction which the sender already knew about.
LD: By the way, one of the ways they guess your location is by using location data from your cell network - which is one of the few legitimate use cases for third parties getting your location data like we talked about in the news.
GT: Well, somewhat legitimate - I feel like I'd still want to download the app and actively opt into location tracking specifically.
LD: Yeah, if they're finally shutting down third-party use of location data, chances are that these guesses will get less accurate, so you'll want to make sure you have a way to say, yes, I'm making this unusual transaction and it's actually me.
GT: It's easiest when it's a push notification from the app, but SMS is fine, too. SMS is generally insecure but just replying "yes" or "no" isn't a huge risk, even if it turns out the message wasn't from your card company.
LD: Yeah, that's not leaking anything particularly sensitive. When you do say "no, that wasn't me", generally you need to follow up over the phone, and that's where you should be more wary of a phone number given over that text message. Look up what number you should call by checking the back of your card instead of just trusting whatever's in that text message, just in case it's not really your issuer. And when I've discovered fraudulent charges through a transaction notification instead of a fraud notification, I've done the same thing - check the back of my card, call that number, and go from there.
GT: If that doesn't quell your paranoia about fraud alert texts, getting notifications for every transaction also helps you identify if those fraud alerts were real or not - sometimes, the transaction notification will come a bit after the fraud alert, but you'll still be able to cross reference them. Another good reason to get those transaction alerts.
LD: Also, if you're using SMS, sometimes fraud alerts and transaction notifications will come from different numbers. They're different departments usually in the same bank, so this isn't necessarily unexpected, but it can throw you for a little bit of a loop.
GT: I guess it's a lot easier if you have push notifications from your app and it's everything is just coming in from the app and then it's pretty trustworthy.
LD: Yeah. Oh, that reminds me - many transactions will come through right away in your transaction alerts, but it's also normal for things to be delayed for up to a couple days. For instance, offline transactions, like we talked about earlier, will only show up once the payment device goes online again. But there are plenty of other reasons why the notification might be delayed.
GT: Oh, another thing that came as a bit of a surprise to me with transaction notifications: tipping at a restaurant usually doesn't show up if it's added on after the restaurant runs your card. It's generally treated as an adjustment of a previous transaction, and so far none of my card issuers have a way to set up alerts for those adjustments.
LD: None of mine either. Another thing you can do to make sure your financial information is secure is to look through your full credit reports. Credit reports have information about your loans, debts, bill payment history, as well as information about where you work and live and whether you've been sued, arrested, and filed for bankruptcy - a lot more than just the credit score people worry about when taking out a loan or a mortgage or opening a credit card. You should make sure all the information is correct, and you should definitely double check that all the financial accounts are ones you recognize.
GT: Like with charges you didn't make, it's easier to shut down accounts that you didn't open sooner rather than later - unfortunately, at least in the US, credit opened in your name without your knowledge is difficult to erase and often hard to hold the person who opened the accounts accountable instead of you.
LD: As a reminder, a lot of the things we're about to talk about are specific to the United States because that's what we're familiar with, but the same sort of principles tend to apply elsewhere in the world too.
GT: Under the Fair and Accurate Credit Transactions Act of 2003, you have the right to see your credit reports for free from each of the three major credit bureaus once every 12 months.
LD: The correct place to get your credit reports from is https://AnnualCreditReport.com. There are other sites that sound like a plausible place to get your free credit reports from, but they generally don't give your full report and might be selling your information. As with every time we tell you to go to a website directly, make sure you type "https" to establish a secure connection and if you see a certificate error, don't ignore it - close out the tab and try to visit the website again later.
GT: Some credit cards will also give you free access to your credit report, so if you have that a yearly option there, it could be worth intentionally staggering that with your checks on https://AnnualCreditReport.com. Since there are three major credit agencies that use this website, I have calendar reminders to go there every four months and get a credit report from a different agency each time.
LD: Lots of people also monitor their credit scores, but because credit scores aren't calculated off a public formula, a shift in your credit score, even one in the double digits, could mean the data has changed, or it could just be the credit agencies changing how they calculate them.
GT: The official credit reports don't include your scores, so if you need your credit score because you're planning on applying for something that needs a good score, like getting a new credit card or applying for an apartment lease, you might want to find a way to get your score. One of my credit cards actually offers it as a free feature in the app, so you might want to see what you already have access to.
LD: But if you're just looking to see whether you have unexpected accounts opened and make sure you haven't been a victim of identity theft, it's enough to just get your credit report.
GT: There's a couple of credit monitoring services you can sign up for that periodically monitor your credit in exchange for a small fee or even just in exchange for advertising. If you're comfortable with them having the data, it's not a bad idea. They'll periodically do what's called a "soft pull" on your account - the sort of request that doesn't affect your credit, unlike a "hard pull" from a bank considering giving you a loan.
LD: I use one of these that's free and advertising-supported. I've decided I'm not too concerned about them advertising new credit cards to me - I simply don't pay attention to its suggestions. And because I do have a privacy-keeping browser extension, I'm not too worried about the data getting sent to other sites - after all, anyone who really wants that data can probably figure out how to pull my credit report themselves anyway. One of the big reasons I use this credit monitoring service is because it will email me when a new account has been opened in my name, so I know if someone else was trying to open an account in my name. And if I feel like I've missed one of those emails somehow, I can just log in and check that all the accounts listed are accounts I recognize.
GT: If you're actually opening a new account, it's important to note that the transaction alerts for your existing cards that we talked about earlier won't automatically apply to new cards, even if they're taken out with the same card issuer. So keeping an eye out with a credit score monitoring service will tell you different information you won't get from those transaction alerts.
GT: We're not sure there's a lot of a value here compared to credit monitoring, but if you get it for free following a breach, you might as well use it, especially since the last time a credit agency was breached, they shared all your personal information with the identity theft service so you could get a free trial with them and they'd know to give that free trial to you.
LD: Yeah, that was not the most privacy conscious decision. You can also place a fraud alert on your credit, which requires businesses to verify your identity before issuing you new credit. You contact one credit bureau and ask that credit bureau to put a fraud alert on your credit report, and whichever bureau you pick has to contact the others. The fraud alert will only last for a year, though.
GT: Another similar, more popular tool is a credit freeze, which restricts access to your credit reports. Unlike fraud alerts on your credit, credit freezes don't expire, so if you're actively applying for new credit cards or looking to move to a new apartment or take out a mortgage, you'd probably need to unfreeze your credit because most creditors will want to pull your credit reports before opening a new account.
LD: There are three major US credit agencies, and each one of them will freeze your credit by phone, by mail, or online. The different credit bureaus have slightly different mechanisms for how to freeze your account online. Equifax and TransUnion currently have you freeze and unfreeze your credit with an online account - you should put a strong password on that like any other account and make sure you keep track of it - but Experian uses a PIN for freezing online.
GT: This is a lot better than Equifax's old PIN system, which was just a date and time stamp and easily brute-forced, but you still need to protect that PIN carefully - it's essentially a password that you can't change.
LD: Experian also won't make you completely unfreeze your account if you need to get your credit pulled - you can get a one time pin to give to a bank or a rental agency - but often new lenders will want all three reports, so you'll still have to manage freezing and unfreezing.
GT: Credit freezes used to cost money in the US, but after Equifax got breached in 2017, new legislation to make freezes free went into effect in September 2018.
LD: So speaking of that Equifax breach - nearly half of Americans were affected in this breach, and it included names, social security numbers, personal information like birth dates and addresses, driver's license information, credit card numbers... a whole lot of data that probably should be watched a lot more closely and ideally also have stronger, easier to use native monitoring tools.
GT: Oh, there was one other pretty bad vulnerability with Experian recently - they had a method for resetting your credit freeze PIN if you forgot it. They'd ask you a series of questions like, in which year did you open this account, but if someone answered "None of the above" to all the questions, they'd successfully reset the PIN and then they could lift the freeze.
LD: A lot of the recent improvements to credit reporting practices seem to have been driven by public and government pressure, not by the companies themselves. So if this sort of thing interests you, maybe the most effective step is to contact your elected officials. I'm glad I'm using a third-party credit monitoring service, though.
GT: Yeah, I don't personally have my credit frozen, in part because of these reasons and in part because I've been moving apartments and opening credit cards somewhat frequently over the last few years, so it's seemed like a hassle to freeze and repeatedly unfreeze. I'm probably getting to the point where starting a freeze makes sense, though.
LD: Maybe it makes sense to sign up for accounts at the credit agencies, just so you can put a strong password on them?
GT: Yeah, that's a good idea. When you signup for one of these accounts, they'll usually do the same thing Experian did about asking you questions about your credit history, so it is worth making the account before someone else does. I think I'll plan to do that this weekend, even if I'm not freezing my credit yet.
LD: So that's about all we've got time to cover today. Next episode, we'll go past just debit and credit card security and talk about other digital security concerns for your personal finances.
GT: Until next time!
Outro music plays.
LD: Loose Leaf Security is produced by me, Liz Denys.
GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.
LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.
GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.
Outro music fades out.
GT: Cwedit cards are what bring us together-
LD: They, they are what bring us together today.