Identity Theft

Q&A: Using a separate credit card for online purchases and automatic payments

December 29, 2014 By Liz Weston

Dear Liz: I saw your recent column from the couple upset about the inconvenience of having to reset the automatic payments when their credit card was reissued due to fraud. We had the same problem (our credit card has been reissued six times now!) and got some great advice I’d like to share. We got a separate credit card that is used for nothing but automatic payments and online purchases. It has never been hacked like our other card that we use constantly in the community because we earn airline miles. The last two times our regular card had to be replaced was in the Target and Home Depot hacking, but the other card has been fine so far. We are keeping our fingers crossed. Our issuer has now given us a chip card to replace the constantly hacked one, so I hope we have better luck going forward with both credit cards.

Answer: Several other readers wrote to say they do something similar by using different cards for different purposes, including devoting one to making automatic charges.

It might be wise to have a separate card just for online purchases, however, since the incidence of “card not present” fraud (including online and phone transactions) is higher than that for transactions where the card is physically presented to the merchant.

Q&A: Credit card fraud and automatic payments

December 1, 2014 By Liz Weston

Dear Liz: We’ve had three cases of credit card fraud. Each time, the credit card company issued new cards with new numbers and canceled the old ones (along with the fraudulent charges). We had nine monthly auto-payment authorizations set up, and we seethed at the fact that the card company would not offer to authorize our auto-payments via the new numbers. We eventually received late-payment notices and charges, since the old numbers were still on the record with payees. Are there companies that offer updates to payees when cards are canceled, and new ones issued, in such fraud situations?

Answer: Given all the database breaches lately, automatic updates to auto-payments might come in handy.

But it seems you’re on your own. Your agreements with your billers typically state that you’re required to update them whenever a card expires or its number changes. Many billers will alert you when an expiration date is near or if a charge doesn’t go through, but ultimately it’s your responsibility to keep track.

It’s a good idea to keep a list of your auto-payments so you don’t forget to update them all when this happens again. If you don’t have a list, simply checking your past statements should remind you which accounts are on auto-pay.

Q&A: Fraud or forgetfulness?

October 27, 2014 By Liz Weston

Dear Liz: I think I’ve been scammed, but my credit union has decided I’m simply forgetful. I noticed a debit to my checking account that I did not recognize from a merchant I cannot identify. The merchant name appears on my statement as simply “Portland Portland OR.” My credit union can tell me only that it is a used-merchandise store or secondhand store. I questioned the charge by email and replaced my card. Then I got a letter from the credit union upholding the charge, saying that my card and PIN were present at the time of the transaction. I never did learn the merchant’s name. Can this merchant really not be identified? The $10.48 in dispute is unimportant compared with the complete opacity of the supposed purchase. No name, no address, only a day and time. Is this mystery the best the banking system can do?

Answer: Your credit union could identify the merchant by contacting the card network that processed the transaction, but has apparently decided it’s not worth the effort, said Odysseas Papadimitriou, chief executive of Evolution Finance, which operates the CardHub.com card comparison site. You can demand the credit union identify the merchant for you, but there’s reason to believe this transaction is legitimate, he said.

It’s not just because a personal identification number was used, however, since PINs certainly can be stolen. Hackers have compromised keypads at Michael’s stores and Barnes & Noble, among other retail chains, while Target said encrypted PIN data were stolen in its massive database breach.
But the use of a PIN combined with the small amount of the transaction indicates the culprit here likely is forgetfulness rather than an identity thief, Papadimitriou said. ID thieves are unlikely to make one small transaction and then wait, he said.

“They try to extract the max they can before they get shut down,” Papadimitriou said.
Still, your experience should make you think twice about using a debit card for a retail transaction. With debit card fraud, you may have to fight with your financial institution to get the money back, since the transaction comes directly out of your checking account. With credit cards, you don’t have to pay a disputed transaction until the card company investigates.

Close any cards you used at Target during the breach

January 13, 2014 By Liz Weston

Dear Liz: My debit card was part of the recent Target data breach (my credit union called me). I’ve read articles telling me to pull my credit reports. Here’s the thing: I already requested two of my three free credit reports in early December. When I read about the Target incident, I requested the third one. So now, if I pull a credit report, I’d have to pay for it. I’m very concerned about this, as my finances are tight.

Answer: The information that was stolen in the Target breach — and immediately put up for sale on black-market sites — is not the kind of personal information that’s typically needed to open new accounts, said John Ulzheimer, credit expert for CreditSesame.com. So buying your credit reports or investing in credit monitoring, which is how you would spot new account fraud, isn’t strictly necessary, he said.

The information that was stolen can be used in what’s known as “account takeover,” which means the bad guys can take over existing accounts and make fraudulent charges. In the case of a debit card, that means they can drain your bank account. With a credit card, you wouldn’t have to pay the fraudulent transactions, but dealing with them could still be a hassle.

Either way, you would be smart to close any debit or credit card used at Target between Nov. 27 and Dec. 15, the time of the breach, and ask for a replacement, Ulzheimer said.

Monday’s need-to-know money news

June 10, 2013 By Liz Weston

How to get the most out of your summer vacation, protecting yourself from medical identity theft, correcting financial myths and how to start saving for retirement.

3 Ways to Maximize Your Frequent Flier Miles This Summer

While holiday blackouts can make redeeming frequent flier miles difficult during the summer, there are still good deals to be had if you know where to look.

How to Protect Yourself from Fraud at the Hospital

Identity thieves are targeting victims at their most vulnerable. Find out what you can do to protect yourself.

Want More Time Off? Some Employers Let You Buy It

A novel approach to managing vacation time could allow you to purchase a day off or sell time you’re not going to use.

Financial Advisers Correct Common Personal Finance Myths

Meet the five common personal finance myths and how to avoid them.

How To Start Saving For Retirement

The good news is that it’s not too late. The bad news is that it will be if you wait any longer.

Companies make it easy to hack your identity

April 24, 2013 By Liz Weston

You might think breaking into a corporate database would be hard. Not so. A recent report from the Verizon RISK Team found the vast majority of incidents required minimal skills and took place in a few hours. Unfortunately, those breaches often weren’t discovered for months or even years–and it typically wasn’t the company but rather a third party that discovered a breach.

From a Credit.com post on the study:

While one in 10 were so easy the average Internet user could have caused them, another 68 percent were the result of hacking attacks using the most basic methods, requiring relatively few resources to complete. Only one breach suffered in all of 2012 required “advanced skills, significant customizations, and/or extensive resources” to complete.

That is likewise reflected in the amount of time it took to cause most data breaches, the report said. Altogether, 84 percent took hours or even minutes to perpetrate, while these incidents typically took months or even years to discover. Nearly two-thirds of all breaches took at least that long, up from just 56 percent the year before, proving that it’s actually becoming more difficult to spot breaches, as well as contain them. While most were remediated in hours or days, nearly a quarter took months.

The take-away from this is that companies aren’t doing nearly enough to protect the information they collect about you. And the sad truth is that you have little control over what goes into these databases. You can do your best to protect your identity, and still have your information breached.

You should still take steps to reduce your exposure, steps like not giving your Social Security number to companies that don’t need it and refusing to give businesses permission to share your information. You should use tough-to-hack passwords and stop sharing secrets on social media. You also should monitor your credit reports and financial accounts.

Until companies get serious about protecting your data, though, you’re still a target for identity theft.