A series of recent high-profile hacks -- from Target (TGT) to eBay (EBAY) to Kickstarter -- have reinforced the fear that personal financial information is rarely safe. A newly released report from Verizon (VZ) found that many businesses fail to meet compliance standards or fail to properly maintain their compliance.
Simply, data breaches will continue.
For consumers trying to keep their credit card data safe, basic precautions are no longer enough. Hacking software is getting more sophisticated -- and easier to obtain -- making a credit card breach a matter of when, not if. But with vigilance and speed, the damage from a breach can be mitigated, making the effects nearly non-existent.
Card or Card Number?
If there's any silver lining to massive security breaches like the ones at Target or TJX Cos. (TJX), it's this: When credit card numbers -- rather than the cards themselves -- are stolen, the cardholders aren't responsible for charges. If the card itself is reported stolen before the account is used, the same is true. However, if the loss of the physical card is reported after additional charges have been made, the cardholder is responsible for up to $50 a card.
Visa (V) takes it one step further. Customers are fully covered if their card information is used to commit fraud and won't be held liable for unauthorized purchases made using a Visa card, whether the transaction occurs online or off, Visa says.
Same goes for American Express (AXP). According to spokeswoman Amelia Woltering, "If we discover activity on an account that we believe is suspicious, we will contact the card member. If a fraudulent charge is detected, in many cases we'll issue a temporary refund [while it's being investigated]."
MasterCard (MA) has a similar "zero-liability" policy. Customers only pay for authorized transactions. The company says: "As long as your account is in good standing, you have exercised reasonable care in safeguarding your card, and you have not reported two or more unauthorized events in the past 12 months, unauthorized purchases are not your responsibility."
In theory, the same holds true for debit cards. If a card is reported lost or stolen before any additional charges are made, the cardholder isn't responsible for any of the charges. If it's reported within two days, liability tops out at $50; it rises to $500 if the loss is reported two to 60 days after the theft of the card. If the number, rather than the card, is stolen, the cardholder isn't responsible for the charges as long as the loss is reported within 60 days.
However, with debit cards, recouping any lost cash or emptied accounts can be difficult and time-consuming, and can have far-reaching consequences when the rent is due and the bank account is empty.
But the hack itself may just be the beginning. Once the credit card information has been obtained, the thieves can contact cardholders posing as representatives of their bank's fraud department to gather more information.
The same technologies that help enable credit card theft can help thwart it, says Steve Weisman, author of "50 Ways to Protect Your Identity in a Digital Age." He points to email and text alerts and real-time transaction updates as means of tracking potentially fraudulent transactions.
He also recommends not storing credit card information in online retail accounts, ensuring smartphones have a complex pass code and limiting information sharing on social media networks, which can be used to piece together passwords and security questions for bank accounts.
These tips are helpful for keeping credit card information safe while it's still in your possession, but there currently are no safeguards for inoculating against theft due to a retail hack -- except, of course, to use cash.
Why Your Bank Thinks Someone Stole Your Credit Card
How to Survive a Credit Card Hack
One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.
"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.
The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.
Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.
"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."
(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)
People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.
"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.
Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.
There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).
When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.
"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."
Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.
Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.
"I go from New York to California a lot, and invariably someone will call me [from the bank]," he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.
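Three of the signals described above (a small gas or charity charge followed by a large purchase, an amount out of character for the cardholder, and purchases in two cities within a short period) can be sketched as simple rules. This is an added example, not part of the original article or any issuer's actual system; the thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# All thresholds and field names are assumptions made for this sketch.
PROBE_CATEGORIES = {"gas", "charity"}   # typical "does the card work?" purchases
PROBE_MAX = 25.00                        # upper bound for a small-dollar charge
LARGE_MIN = 300.00                       # lower bound for the follow-up purchase
PROBE_WINDOW = timedelta(hours=24)
TRAVEL_WINDOW = timedelta(hours=3)       # too short to plausibly change cities
SPEND_FACTOR = 5                         # multiple of the cardholder's median

def flag_transactions(txns):
    """Return {transaction id: [reasons]} for one card's in-person purchases."""
    flags, history, probe, prev = {}, [], None, None
    for t in sorted(txns, key=lambda x: x["time"]):
        reasons = []
        # Small gas/charity charge followed soon after by a large purchase.
        if (probe and t["amount"] >= LARGE_MIN
                and t["time"] - probe["time"] <= PROBE_WINDOW):
            reasons.append("probe-then-large")
        # Amount far above what this cardholder normally spends.
        if len(history) >= 3 and t["amount"] > SPEND_FACTOR * median(history):
            reasons.append("out-of-character")
        # Consecutive purchases in different cities within a short window.
        if (prev and t["city"] != prev["city"]
                and t["time"] - prev["time"] <= TRAVEL_WINDOW):
            reasons.append("two-cities")
        if t["category"] in PROBE_CATEGORIES and t["amount"] <= PROBE_MAX:
            probe = t
        if reasons:
            flags[t["id"]] = reasons
        history.append(t["amount"])
        prev = t
    return flags

def _txn(i, when, amount, category, city):
    return {"id": i, "time": datetime.fromisoformat(when), "amount": amount,
            "category": category, "city": city}

# Constructed sample data, not real transactions.
SAMPLE = [
    _txn("t1", "2014-06-01T09:00", 42.10, "grocery", "Boston"),
    _txn("t2", "2014-06-02T18:30", 38.75, "restaurant", "Boston"),
    _txn("t3", "2014-06-03T12:15", 45.00, "gas", "Boston"),
    _txn("t4", "2014-06-05T08:05", 5.00, "gas", "Detroit"),
    _txn("t5", "2014-06-05T09:40", 899.99, "electronics", "Detroit"),
    _txn("t6", "2014-06-05T10:30", 60.00, "clothing", "New York"),
]
```

The ordinary $45 fill-up (t3) and the $5 gas charge on its own (t4) are not flagged, which matches the point that buying gas alone does not trigger an alert; only the pattern around it does.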