The Learning Center

Follow the procedures recommended by your payment processor and the credit card companies. You can loose your merchant account for failing to follow their rules.

If a merchant suspects a fraudulent order, contact the registration service, so they can cut reduce the total number of charge backs. Registration services with a large number of charge backs will likely be charged higher services fees, which will be passed on to merchants. Everyone wins when the registration service, the card issuing bank, and the card holder are notified of a fraudulent or suspected fraudulent order. 

Authorization approval does not mean that the merchant is guaranteed payment. Approval only indicates that at the time the approval was issued, the card hasn't been reported stolen or lost, and that the card credit limit has not been exceeded. If someone else is using the credit card number illegally, the card holder has a right to dispute the 'approved' charges. 

AVS is only available for the U.S. and partially available in four European countries. In the US, AVS checks if the cardholder's address and zip code matches the information at the card-issuing bank. AVS only uses the zip code and numeric portion of the billing street address. There are many reasons why AVS may fail (recent address change, AVS computers down, etc.). If the address verification fails on any level, the merchant may decline the transaction. If the AVS fails for any reason, the merchant should contact the customer for additional information (for example, the name of the issuing bank, the bank's toll-free telephone number, etc.).

If your current system of authorization approval can not provide AVS, then you can get address verification from the card holder's issuing bank for MasterCard and VISA. Discover and American Express purchases can be verified by calling them directly. Only American Express can verify all international credit cards. When you call, have your merchant number, your phone number, the customer's full name, address, and phone number ready. If you call MasterCard/Visa directly regarding a purchase, they can provide you with the issuing bank's phone number (foreign and domestic). It is up to the merchant to make the phone call to the issuing bank. With today's cheap phone rates from calling cards, and using the Internet to place phone calls, there is no excuse for not checking for possible fraud.

American Express 1-800-528-5200
Discover Card 1-800-347-2000
Visa/MasterCard 1-800-228-1122

Once a fraudster has a legitimate customer name and the stolen credit card number, they can use the Internet to look up their victim's telephone number, address, and zip code. This allows a software purchase to pass AVS, and the fraudster can download the software before the fraud is reported. With orders that are shipped, the thief can provide the correct billing address for AVS approval, but request a different ship to address. 

Card Verification Methods (VISA = CVV2, MasterCard = CVC2, and American Express = CID use a security code of 3 or 4 extra digits imprinted on the card, but not embedded or encrypted in the magnetic stripe. This verification code does not appear on credit card receipts. Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer that supplies this number is much more likely to be in possession of the credit card. VISA claims that the use of AVS with CVV2 validation for card-not-present transactions can reduce chargebacks by as much as 26%.

 

Merchants that accept Internet, mail-order, and telephone orders must be prepared to request the verification code when the cardholder is not present to help validate a transaction. Even if a merchant cannot confirm the CVV2 number, they can still ask for it, or provide a space for the number on their web order form. If the crook does not have the number, they could look somewhere else to commit their fraud. The merchant is not allowed to store the CVM numbers. The merchant should never keep the customer's credit card "on file". Each transaction should be treated as a new order. We've all seen too many reports of computer files being compromised by hackers. 

Authentication programs (Verified by Visa and MasterCard's SecureCode) use personal passwords to ensure the identity of the online card user. If merchants use this program, card issuers may occur some of the losses for online fraud that was previously entirely borne by the merchants. If merchants do not participate, they remain liable for the losses.

The pop up windows for authentification can be blocked if card holders have installed software to disable pop-ups. This also adds an extra step in the ordering process. There is also an additional processing fee incurred by the merchant. Another loophole is if the customer claims they never received the merchandise. I have seen information indicating Visa always trusts their card holders, so the customer gets their money back and the merchant gets stuck with a chargeback.

Even if Visa rules against the merchant, the merchant can still take the customer to small claims court. If the merchant can prove the customer did receive the product, the merchant is entitled to recover the value of the product plus all their costs when they win. Most licenses included with software includes a clause concerning court actions. This is one more reason to keep accurate records, document customer phone calls, keep copies of emails, delivery signatures, and web logs.

 

Credit card information is sent to the processor for immediate approval (usually 5 seconds or less). This method ensures that the credit card has not been reported as lost or stolen and that the number is valid. The customer is still in contact with the merchant, and incorrect information can be corrected. There is an additional cost for real-time authorization. Authorization does not tell you if the person using the card is authorized to use the card. 

The first 6 digits of the credit card are called the Bank Identification Number (BIN). You can determine if the credit card holder and the issuing bank for the credit card are located in the same country. Legitimate users sometimes use a credit card from another country. You can enter the BIN of a credit card number at http://all-nettools.com/toolbox,financial . The site provides the bank name, card type, and a 3 character code for the country. 

When you call the card-issuing bank, have your merchant number, your phone number, the customer's full name, address, and phone number ready. You can ask the card-issuing bank to make a courtesy call to your customer to verify the charge. 

Use Google to search for the numeric street address, street name, and zip code. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. Check for bogus billing addresses like 123 Main Street. Use resources like http://maps.yahoo.com to see if the address can be verified. If the billing and shipping addresses are different, request telephone numbers for both addresses. You can also establish a company policy and charge an extra fee to recover your costs to require a delivery signature (UPS, Federal Express, post office) if the billing and shipping addresses are different. You could require advance payment with a cashiers check or money order when different ship to and bill to addresses are used.

Be careful of remailing services, such as Mailboxes, etc. Remailing services can remail your packages to overseas destinations. 

Keep a database of prior fraud attempts, problem customers, charge back records, and customers receiving refunds. This file should include the customer name, shipping/billing addresses, phone numbers, credit card numbers, IP addresses, and email addresses, and merchant comments. Incoming orders can be searched for matches in this database. This method reduces the incidence of repeat offenders, has a relatively low cost, but does not stop new fraudsters. 

Several merchants combine their negative historical database. Since this database has fraud data from several merchants, using this file should reduce fraudulent hits. Pattern-specific fraud should be reduced. One drawback is that a bad customer for one merchant may not be a bad customer for other merchants. 

This file contains a list of good customers, for example, customers eligible for upgrade purchases. Customers who purchased successfully in the past will more than likely not committing fraud. This file can contain the same types of information as the negative file. You must have some limits to people accessing the information in this file. This file should also be encrypted. 

A credit database service, such as Equifax ( www.equfax.com ), Experian ( www.experian.com ), and Trans Union (www.tuc.com) are most appropriate for high-dollar value items, The customer would be asked to verify some very specific information such as the mother's maiden name or their social security number. This can be expensive and time consuming. 

Some E-commerce merchants feel this is the best method to catch fraud. The merchant sets up rules to stop or flag specific orders for review. For example, the merchant could set up rules to review all orders from a specific IP address, specific country or if a certain dollar amount is exceeded, or shipping to a specific address. This method may flag valid customers for review, but it will reduce repeat or pattern-specific types of fraud. If the IP address is dynamically assigned by an ISP, a legitimate order could be delayed or rejected. 

The merchant assigns points for different elements of a transaction (IP Address, free-email account, time of day, AVS results, amount of sale, type of products ordered, shipment method, different shipping/billing addresses, certain zip codes, etc) to generate a fraud score to indicate the likelihood of fraud. Points could also be added back for other factors such as previous orders, length of time as a customer, etc. The merchant decides what point levels should be used to approve, reject, or review the order. The merchant can adjust these values based on trends and time of the year.

Large merchants have built their own scoring model based on their historical data of fraud and charge backs. This very targeted model should catch more fraud, but requires additional time and/or money to implement the new software. 

Check if multiple orders are placed shipping to the same address, but different credit cards were used. Check orders for an unusually high quantity of a single item. Thieves may have access to several stolen card numbers. Check if multiple orders are being sent from the same IP address.

If the credit card numbers vary by only a few digits, it is very likely these numbers were generated by software.

Identify users who repeatedly submit the same credit card number with different expiration dates. Often the crooks have the credit card number, but not the expiration date, so they will just keep submitting that number with a different expiration date until they hit the right combination,"

Most fraudulent orders in the US are made between midnight and 2 a.m. 

If an order is being shipped to a non-English speaking country, display an alternate thank you page. Explain that before you can ship the product, you need to have the customer fax either a photo of the credit card or a xerox of his/her credit card billing. For the customer's trouble, explain you will deduct $3 from his total amount. 

Some merchants have branded their software, displaying the customer's name in the software. This could require a recompile of code before the software is made available to the customer. When reports are printed, the reports always include the customer's last name for an individual license or the name of the institution that purchased a site license. 

There is a much higher incidence of fraud from free email services. Many businesses refuse to accept orders from any free email accounts or any web-based, non-ISP email domains. (I've seen numbers indicating there are over 3000 available free email accounts.) Virtually everyone who has a free, web-based, or email forwarding address also has a traceable ISP address. Many legitimate customers use free email addresses. Many fraudsters use free email addresses to remain anonymous. Most businesses purchasing a business product would not use a free email address.

 

Depending on the value of the purchase, the merchant may want to request additional information from the customer either by phone or email. The merchant can ask the customer for their business or local email address (not a free email account such as Hotmail), the name and phone number of the bank that issued the credit card (located on the back of the card), the CVM code imprinted on the card, the exact name with middle initial on the credit card, and the exact billing address (nine digit zip code instead of five digits in the US), and the customer phone number. If you get a reply to your email request, you should be able to verify the additional information. A fraudster most likely will not reply to your request for more information.

 

Your customer will not have a local ISP if they do not have a computer. This customer could be required to telephone the merchant or fax the order. The fax order should also have a photocopy of the customer's credit card. The merchant should also have caller ID.

 

Unfortunately, IP addresses can also be forged. These forged IP addresses hide the true location of the fraudster. Organized credit card fraud rings often use anonymous proxies. When a computer is infected by a virus, it can be used by spammers and credit card thieves to place fraudulent orders. A legitimate order could come from from an infected computer. The IP address sent by the infected computer can be an open proxy IP address instead of their real IP address. The customer can visit the web site http://www.all-nettools.com or www.openrbl.org to check if the IP address their computer is sending to the Internet is an open proxy IP address.

 

The web site at http://www.freeality.com/finde.htm and http://www.theultimates.com/ provides plenty of tools to match the telephone area code to a postal zip code, reverse telephone directories, search for email addresses, maps, directions, etc. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. The web site http://nt.jcsm.com/ziproundacx.asp also provides zip code and telephone area code matching. Any telephone book is out of date as soon as it is sent to the printer. The Baby Bells update as many as 500,000 records every day.

For under $10, the merchant can purchase a Rand McNally book each year titled the ZIP Code Finder, which includes telephone area code maps and ZIP codes for more than 120,000 places. You can also purchase a set of CD-ROMS which have address and telephone numbers. Use caller-ID to match names and telephone numbers. The merchant can call directory assistance to determine if the number on the order phone matches their number. 

When a credit card order is received by fax, require the customer to also fax copies of both sides of the credit card. This at least provides proof that the customer has possession of the credit card at the time of the order. You could also require a copy of their state-issued ID, or drivers license. It also provides additional proof the person authorized the purchase, preventing a chargeback. 

Calling customers is not only an excellent way to detect fraud, but it can also be a valuable part of your customer service. The telephone call also gives the merchant the opportunity to welcome the customer, answer their questions, and build a solid relationship.

Sometimes the fraudster will submit the actual phone number of the person whose card was stolen. If the card holder did not authorize the charge, suggest that they call their credit card company to report their card as stolen.

I have personally called telephone numbers on the same day I received approved orders from registration services, and been told that the telephone number had been disconnected, or the number had been changed. This certainly sent up some red flags for filling an order that was approved by a registration service.

 

If your order form includes places to enter the CVV2 verification code imprinted on the credit card, the name of the card-issuing bank, and the bank's toll-free telephone number printed on the card, and the customer's telephone number and email address, your additional verification can be quicker, and you may scare potential fraudsters away. Indicate incomplete information will delay their order. State you may need to contact the customer if there are any problems with their order. A fraudster will not reveal their telephone number as he/she can be traced, and the number would most likely not match one of the on-line phone directories.

Signs and camera in brick and mortar stores help prevent shoplifting to some degree. Place prominent warnings on your site indicating that all orders are screened for fraud before processing. Web page graphics are available from www.merchant911.org to use on your site.

State on your website that you have anti-fraud safeguards in place, and will pursue prosecution for all fraudulent orders. Indicate that you will report all fraud to the FBI Internet Fraud Complaint Center at http://www.ic3.gov/ Even though federal investigators usually pursue larger fraud cases, knowledge of smaller frauds can reveal patterns to possibly break up larger fraud rings.

If the merchant wants to process orders immediately, issue thirty-day temporary validation keys for downloaded software. The permanent validation key can be emailed to the customer weeks later when all fraud checks have been completed. Emailing the permanent key could be automated to save time. If a customer is upgrading, there is less likelihood of fraud, so they could be sent the permanent key immediately. 

Educate yourself by attending a seminar offered by credit card companies and card processors.

Some merchants are joining fraud-screening organizations and beginning to use extra security software that determines the risk assessment. The merchant can decide to accept the card number or not based on that fraud rate value. Some organizations such as www.antifraud.com offer less expensive help ($10 per month). These groups also offer tips, databases of stolen credit cards, and web look up tools.

Terry Jepson http://www.wiscocomputing.com

 2)  http://articles.moneycentral.msn.com/Banking/FinancialPrivacy/LockAwayYourCreditFromIDThieves.aspx

 

Lock your credit away from ID thieves

 

When California introduced the first credit-freeze law in 2003, I thought it was overkill for most consumers.

I still do. But the universe of people for whom credit freezes make sense is rapidly expanding, and you might be among them.

A credit freeze, for those who don't know, is a way to block your credit reports to make it a lot tougher for an identity thief to get a loan or open a credit account in your name. That's because while a freeze is in place, no one, not even you, can open an account in your name. Lenders, insurers and even employers doing background checks are not able to access your credit file.

You can have the freeze lifted, or "thawed," if you need to get new credit, but you have to give the bureaus a specially issued personal identification number and a few days' notice to do so.

Since California pioneered credit freezes, dozens of other states and the District of Columbia have passed laws allowing at least some residents to lock up their credit reports. All other states except Alabama are considering similar laws.

Fraud alerts, credit freezes differ

Despite their rapid spread, credit freezes remain a bit of a mystery to consumers. Many people don't realize they have access to this tool. Others confuse credit freezes with old-fashioned fraud alerts, which allow consumers to put an electronic red flag on their credit reports at the three major bureaus, Equifax, Experian and TransUnion.

In a couple of ways, credit freezes and fraud alerts are similar. Neither prevents or limits you from using the credit you already have. And neither prevents your current lenders from cruising your credit reports to see how well you're handling your cards, loans and lines of credit.

But freezes and fraud alerts differ in several important ways:

Fraud alerts can be ignored by lenders. By law, lenders who see a fraud alert on your file are supposed to take "reasonable steps" to verify the identity of someone who is applying for credit in your name. Those steps haven't been spelled out, however, and consumer advocates say fraud alerts are too often ignored.

"The law-enforcement folks I talk to say the fraud alert is not doing what it's supposed to do," said Michelle Jun, a staff attorney for Consumers Union, the nonprofit that publishes Consumer Reports magazine. "Lenders and retailers aren't paying attention to it."

When you have a credit freeze in place, however, ignoring it isn't an option. Lenders who try to view your reports to check an application for credit just get a code saying your reports are frozen.

Fraud alerts are pretty easy to put in place. All it typically takes to get a fraud alert is a phone call to each credit bureau. (The bureaus say you need to contact only one of them and that the fraud-alert information will be shared with the other two, but that doesn't always work.) By contrast, to get a credit freeze you have to send a letter via certified mail that includes a bunch of identifying information and, typically, two proofs of your residence, such as copies of your driver's license and a utility bill.

If you want to lift the freeze so you can get credit, you have to call the bureaus, supply the PINs they gave you and then wait. The amount of time the bureaus have to honor your request varies by state. Kentucky gives the bureaus 10 business days; California requires the freeze to be lifted within three days. Utah passed a law that says the freeze must be lifted within 15 minutes, Jun said, but that won't go into effect until September 2008. In any case, a freeze puts an end to "instant credit'; you'll actually have to plan ahead if you want to open an account (which, for most of us, is not such a bad thing).

Fraud alerts are free. With a credit freeze, you'll typically have to pay $10 to $12 to each bureau to freeze your credit reports, for a total cost of $30 to $36. The fees are typically waived if you're a victim of identity theft, and a few states also waive fees for senior citizens.

Lifting and reinstating the freeze may also cost money. In several states, you'll pay $10 to each bureau for a general credit-report thaw, or $12 per bureau to thaw your report for a single lender. Fees can also be assessed for removing the freeze completely or for reissuing a PIN if you forget it.

Fraud alerts expire. In as little as 90 days, a fraud alert can disappear from your file. You can keep renewing it -- if you remember. You also can extend the alert for seven years but only if you're a victim of identity theft with a police report to prove it. By contrast, a credit freeze generally remains in place until you lift it -- that is, in every state except South Dakota, where credit freezes expire in seven years.

The fees you pay and the hassles you endure for a credit freeze make it clear: The credit bureaus would much rather you place fraud alerts on your files than to freeze them entirely. The bureaus are in the business of collecting and selling credit information about you; anything that impedes that costs them money.

Not that you need to care. What matters most is whether a credit freeze makes sense for you.

When to freeze

You probably need to freeze your credit if:

You've already been the victim of "new account" fraud. If someone stole enough information about you to open a credit card account or get a loan in your name, then you need to make sure such fraud doesn't happen again.

On the other hand, if the thief just swiped your credit card or credit card number, a freeze is definitely overkill. Just report the theft to your credit card issuer, fill out its paperwork and go on your way with your new card.

You've been told that your personal identifying information has been compromised. More than 100 million personal records have been stolen, hacked into or otherwise compromised since the Privacy Rights Clearinghouse started keeping track in 2005. This is what I meant about there being a rapidly expanding universe of people who could benefit from a freeze. You probably don't need to bother with a freeze if thieves accessed a database that contained just your credit card number. Credit card fraud is relatively easy to catch and fix without long-term damage to your credit reports.

If, on the other hand, the criminals got into records that contained the keys to your financial identity -- your name, Social Security number, address and date of birth -- you should start to sweat. Although there's no guarantee you'll become the victim of new-account fraud, the odds just went up considerably.

Your wallet or purse is missing. The thief now has your driver's license with your name and address. You may have been smart enough not to carry your Social Security card, but the number may be on your health-insurance card. Or the thief could use the information he now has to buy your number online. In any case, it's time to shut down the candy store.

You don't trust your nearest and dearest. As I outlined in "8 signs you may know an identity thief," you may be most at risk not from strangers but from relatives, friends, acquaintances and household employees who have access to the details of your personal and financial life. If you have reason to suspect someone in your life is less than honest, a credit freeze could be warranted.

You just can't sleep at night without it. I'd ask you first to read "The hysteria over identity theft" so you'll have a clearer idea of your actual risk. If you still want to get a freeze after that, you have my blessing. I've heard from many readers who weren't at any great risk for identity theft, but who still insisted on getting a credit freeze for peace of mind -- and are glad they did.

If you want to institute a credit freeze and your state allows it, just use the links in the chart above to connect to instructions on how to go about it. Although several companies offer to place fraud alerts or freezes for you, it doesn't make much sense to pay others to do what you could do yourself for less (or for free, in the case of fraud alerts).

If you just want to place fraud alerts, you can call Equifax at 1-800-525-6285, Experian at 1-888-397-3742 and TransUnion at 1-800-680-7289.

If your state doesn't yet have a law allowing credit freezes, tell your lawmakers to get on the stick. You can call or write them directly, or send an e-mail from Consumers Union's FinancialPrivacyNow.org.

 

 

 

3)  http://articles.moneycentral.msn.com/Banking/FinancialPrivacy/TheFiveMinuteGuideToProtectingYourIdentity.aspx

 

Your 5-minute guide to protecting your identity

 

Thieves may sell your information on the black market or use it to obtain money, credit or even expensive medical procedures. Unless you're vigilant in protecting your records, you'll have to work even harder to repair the damage to your credit. The average victim spends 30 to 40 hours rectifying the problem.

Some of the e-threats to your identity are:

• Phishing. You get an e-mail that appears to be from your bank or an online service, most often PayPal or eBay, instructing you to click on a link and provide information to verify your account.

• Pharming or spoofing. Hackers redirect a legitimate Web site's traffic to an impostor site, where you'll be asked to provide confidential information.

• Smishing. This is phishing done with text messaging on your smart phone. It instructs you to visit a bogus Web site.

• Spyware. You've unknowingly downloaded illicit software when you've opened an attachment, clicked on a pop-up or downloaded a song or a game. Criminals can use spyware to record your keystrokes and obtain credit card numbers, bank-account information and passwords when you make purchases or conduct other business online. They also can access confidential information on your hard drive.

You don't need to have a computer to become a victim. (See "How safe is your financial information?")

• Vishing -- voice phishing. You get an automated phone message asking you to call your bank or credit card company. Even your caller ID is fooled. You call the number and are asked to punch in your account number, PIN or other personal information (See "Your phone may be under attack.")

• ATM skimming. Crooks use a combination of a fake ATM slot and cameras to record your account information and PIN when you use a cash machine.

• Crooks will steal your wallet, or go through your mail or trash.

More than half of identity theft cases involve credit card fraud. Checking accounts are the second most popular target. (See "Keep thieves out of your bank account.") But some crooks have other plans:

• At least 250,000 people have been the victim of medical identity theft in the last several years. (See "Diagnosis: Identity theft.") Crooks use fraudulently obtained personal information to get expensive medical procedures or dupe insurance companies into paying for procedures that were not done.

• The victims of about 5% of reported identity theft cases are children. The fraud often goes undetected for years -- until the young adult applies for credit. (See "Stolen innocence: Child identity theft.")

16 tips to protect yourself

You can take steps to protect yourself from identity fraud:

 

• Keep your confidential information private. Your bank or credit card company won't call or e-mail to ask for your account information. They already have it.

• Keep an inventory of everything in your wallet and your PDA, including account numbers. Don't keep your Social Security card in your wallet.

• Stop getting banking and credit card information in the mail. (See "Go paperless for safer banking.")

• Monitor your bank and credit card transactions for unauthorized use. Crooks with your account numbers usually start small to see if you'll notice.

• If you conduct business online, use your own computer. A public computer is less secure, as is wireless Internet.

• Look for suspicious devices and don't let anyone stand nearby when you use an ATM. Take your card and receipt with you. Keep your PIN in your head, not your wallet.

• Don't store credit card numbers and other financial information on your cell phone. (See "Is your cell phone spilling your secrets?")

Protect your computer from vulnerability:

• Install anti-virus, anti-spyware and firewall protection, and keep them up to date.

• Don't open e-mails from strangers. Malware can be hidden in embedded attachments and graphics files.

• Don't open attachments unless you know who sent them and what they contain. Never open executable attachments. Configure Windows so that the file extensions of known file types are not hidden.

• Don't click on pop-ups. Configure Windows or your Web browser to block them.

• Don't provide your credit card number online unless you are making a purchase from a Web site you trust. Reputable sites will always direct you to a secure page with an URL starting with https:// whenever you actually make purchases or are asked to provide confidential information.

• Use strong passwords: at least six characters, including at least one symbol and number, and no reference to your name or other personal information. Use a different password for every site that requires one, and change passwords regularly.

• Never send a user name, password or other confidential information via e-mail.

• Consider turning off your computer when you're not using it or at least putting it in standby mode.

• Don't keep passwords, tax returns and other financial information on your hard drive.

6 steps to clean up the mess

If you suspect your identity may be compromised, place a fraud alert with the three credit bureaus. When you place an alert, you are entitled to a free copy of your credit report. After that, take advantage of the free annual reports the bureaus are required to give all consumers. Stagger your requests so that you get a report every four months.

• If you've been phished, contact the bank or company named in the fraudulent e-mail. You also may want to notify the Internet Crime Complaint Center and forward the e-mail to spam@uce.gov.

If you are the victim of identity theft, take the following steps:

• Make an identity-theft report to the police and get a copy. File a complaint with the Federal Trade Commission.

• Close accounts that have been tampered with. Contact each company by phone and again by certified letter. Make sure the company notifies you in writing that the disputed charges have been erased. Document each conversation and keep all records.

• Place a seven-year fraud alert or, if you live in a state that allows it, a "freeze" on your credit reports. (See "Lock your credit away from ID thieves.")

• Begin the process of having the fraudulent information removed from your credit reports. (See "Don't let credit-report errors fester.")

 

 

 

1)            http://articles.moneycentral.msn.com/Banking/CreditCardSmarts/NewCreditCardsAllowHandsFreeTheft.aspx

 

New credit cards allow hands-free theft

 

Millions of so-called contactless credit cards have been mailed to Americans in recent months on the theory that we just don't spend money fast enough.

While you're absorbing that little nugget, consider this as well: The cards, which wirelessly communicate information about you and your account, don't have an "off" switch.

Contactless smart cards rely on radio-frequency-identification (RFID) technology to speed retail transactions. Instead of handing our credit cards to a clerk or swiping them through card readers, we just wave our plastic in front of a scanner. Often, no signature is required; it's whoosh and go.

Mobil's Speedpass was an early example of this technology. After trial runs in several cities, MasterCard, Visa and American Express began issuing contactless cards in earnest last year. If you watch television, you've probably seen the ad for MasterCard's PayPass version, which features Olympic marathoner Meb Keflezighi waving his card to buy sports drinks and other small items on the way to a race's finish line.

The technology looks cool; the card issuers assure us these transactions are encrypted and safe. But privacy advocates aren't so sure.

Grad students from Johns Hopkins University hacked a Speedpass a couple of years ago to get free gas. More recently, two researchers at the University of Massachusetts pulled unencrypted names, account numbers and expiration dates off contactless credit cards using a homemade scanning device.

The New York Times reported that one of the UMass researchers, Tom Heydt-Benjamin, was able to buy electronic equipment online using information pulled off a contactless card sealed inside an envelope.

The "Today" show aired footage demonstrating another data capture, in which Heydt-Benjamin concealed the scanner in a briefcase and "read" data from a contactless credit card in another person's back pocket.

The problem, you see, is that radio-frequency tags are always open to wireless access, whether you're using them or not. So anyone with the right equipment can read the data, and the equipment needed to do so is getting cheaper and more sophisticated all the time.

RFID technology isn't new or novel. It's gotten a lot more popular, but it's been used for years in:

• Corporate, government and student ID badges.

• Electronic passes that allow drivers to zoom by toll booths.

• Plastic tags on clothes to discourage shoplifting.

• Identification tags embedded under pets' skin.

• Books, compact discs and other media at many libraries.

Wal-Mart and other retailers are using RFID chips to track inventory. Ports use the technology to track shipping containers.

Furthermore, if you're a U.S. citizen, the next passport you get will contain an RFID chip. The federal government started issuing these in October 2006. Concerns about RFID signals led the government to include a small shielding device in the passports to block access to the chips' data.

Your contactless card doesn't have such a shield, but you can buy RFID-blocking sleeves for your contactless cards or create a simple one out of -- seriously -- aluminum foil.

Card issuers say sleeves aren't necessary, of course. They insist the unencrypted account information that the UMass researchers found was an anomaly and that most contactless cards employ stronger security.

Still, the idea that the card is always "open" -- and that we might not be able to control who is picking up our information and what's being done with it -- should concern every consumer.

"We think it's a pretty serious issue," said Marc Rotenberg, the head of the Electronic Privacy Information Center. "The contactless card design is inherently flawed."

It's not just the evildoers that concern Rotenberg. He wonders if retailers and others might quietly pull information from the cards sitting in unsuspecting consumers' wallets and add it to their databases.

Adam Levin, the founder of Credit.com, paints a more nightmarish scenario. He can picture bad guys who could access RFID data, then combine that information with other data about you that can be purchased off the Web.

"This could give someone yet another avenue into destroying your life," Levin said. "With enough information, they could get a feel for how much you're worth. ... They could target people for robberies, burglaries, carjacking."

The good news, if there is any, is that you typically wouldn't be on the hook for any charges made by a crook who merely stole and used your account data to buy stuff. And there are much easier ways for thieves to take your data.

So what do you do if your credit card issuer sends you a contactless card or you already carry one in your wallet? You have a couple of choices:

• You can send it back and demand a regular credit card. Your card issuer should comply; few will risk losing your business by trying to force the cards down your throat.

• If you like the technology and want to use it, consider buying or making a signal-blocking sleeve. Yeah, it might feel a little like making a tinfoil hat to keep out alien mind-reading beams, but better safe than sorry.

 

 

 

Identity Theft: Advice From the FTC Chairman

 

As chairman of the Federal Trade Commission, Deborah Platt Majoras is charged with protecting consumers from unfair, deceptive, and illegal business practices. Since her appointment in 2004, she has focused on identity-theft prevention through consumer education campaigns and lawsuits against companies that fail to protect consumer data. She spoke with Associate Editor Kimberly Palmer.

How vulnerable is the average person to identity theft?

The average person is vulnerable enough to identity theft that each and every one of us has to take some precautions in the way we handle our own information. It's difficult to get our arms around the true scope of the problem, but we do know that millions of Americans are victimized every year.

What should people do to protect themselves?

The first thing to know is that you need to be a smart consumer about protecting your personal information both online and offline. Online, you never give account information out unless you've initiated the contact. Don't throw away your bank statements that have your account numbers on them. Make sure you shred them. Make sure your wallet isn't lying around when you have people coming in and out of your home. Check your bank account and credit card statements very carefully to make sure there are no unauthorized withdrawals or transactions, and you need to check your credit reports from all three credit bureaus at least once a year. If you are victimized, act immediately. Report it to the police department, call the credit bureau, get an alert put on your credit report, and report it to the FTC.

Didn't your own credit card information get stolen?

Yes. The breach was at DSW Shoe Warehouse [in 2005]. They had their system hacked into, and my credit card was one of the card numbers that were taken. But to date, the card has not had any unauthorized use on it.

What should a person do in that situation?

You can cancel the card if you'd like. That's being the most cautious, or you can just monitor your statements very carefully. All I've been doing is just looking at my statement every month to make sure the charges are mine or my husband's.

Should people give out their Social Security number when they're asked for it?

I think it's perfectly legitimate for people to ask, "Do you really need to have this?" I've done this in the doctor's office, and I've been told, "Yes, we need to match it up with your insurance and so forth," and I've given it in those kinds of situations. I do think that there are likely places in the economy where we've always used Social Security numbers, but it may not be necessary, and we really should whittle it down to places where it is absolutely necessary.

You've said that you would support a national law against identity theft. What would that look like?

It would be useful if we had a standard across the board for all businesses [that] collect and use consumer information so everyone is subject to the same standard. The other thing we would support is that if there's been a data breach, organizations should have to inform consumers so they can take steps to protect themselves.

Why are those changes necessary?

We've been moving so quickly in this information age with new technology that is so fabulous, but we left some of these safety issues behind. What we're trying to do now is to literally catch up and develop a culture of security. It's important not just that consumer data not be stolen, but it's important that consumers keep confidence in the marketplace and that they know that if they go online and make a purchase, or they go into a store and hand over their credit card, that they're not at great risk. That is really important because the marketplace is all built on consumer confidence.