November 12, 2014

Five lessons I’ve learned from having my credit card hacked


One morning when I was in a hurry to get to work, everything went wrong in an instant: an SMS message alerted me to an $80 charge to my credit card for a purchase that I never made.


What did I do next? I blocked my card, filed a claim at the bank, and got a new card issued. I must say that in the end, all the troubles were resolved and I got my money returned to me, mostly thanks to my prompt reaction. However, how it all ended is not the purpose of the story; it is about the lessons that I’ve learned.

Lesson #1. Promptness is what matters

It applies to any bank in the world: the faster you react and prove that there was a hack, the better your chance of getting your money back. In order to succeed, you need to be notified of unsolicited transactions ASAP, ideally via SMS notifications.

Daily e-mails on an account status are also OK. Scrupulous tracking of monthly bank reports is a last-resort measure if you’ve got no better options. I had SMS notifications enabled, so it took me just 5 minutes to block the card and claim the unsolicited transaction in question that same day.

Lesson #2. All types of insurance will do

Each extra level of protection makes it harder for scammers to reach their goal, and ultimately minimizes your losses. For this reason, you should enable 3D-Secure (MasterCard SecureCode, Verified by Visa) for all online payments and two-step authentication in your online banking tool, choose terminals with chip and PIN support and say no to those requiring only a swipe and signature.

Do online payments only on secure Wi-Fi networks and install a robust antivirus solution on your PC. Additionally, insurance would also help: such products can be activated together with any banking card.

I approached all of these measures together. So maybe there had been attempts by scammers to steal money from my card before, but I never noticed because these attempts had been fruitless.

Lesson #3. Precaution is not a cure-all

Unfortunately, scammers’ wellbeing directly correlates to their ability to bypass all security measures that may be in place. That’s why all of the measures I described above cannot fully protect you. The most effective way to say goodbye to your hard-earned money is by withdrawing cash at ATMs with scamming software installed by culprits, or by executing online payments on a compromised machine. In the first case, the criminals would duplicate your card credentials to withdraw cash. In the second case, they would spend your funds online.

I have been very cautious with my cards, so I likely fell victim to a more sophisticated approach. As we have learned this year, paying with your credit card at large retailers can be potentially dangerous if a special Trojan has infected their systems. This specifically applies to American retailers because they often use outdated POS terminals. I used my card frequently in the US, and it is likely to have fallen victim to such a scam there.

There is one more option that cannot be ignored: a leak of payment data from one of the online merchants. I have 3D-Secure enabled on my card, but a criminal could have somehow managed to track down a shop that used an outdated processing system with no support for 3D-Secure, and therefore charged my card.

Lesson #4. Using credit card scams is an organized crime precedent

I came across the answer in a curious way. After having successfully blocked my credit card, I had no reason to worry for about a week. But then I received a text message alerting me to a new attempt to charge my card in some other American online marketplace, and another some days after that. In a week’s time there was another, notifying me of an attempt to execute an offline payment at a store in Mexico.

All attempts were, ultimately, unsuccessful due to the fact that the card was blocked. That meant that someone who stole my card credentials resold them to various people (presumably in the form of a database with thousands of other card credentials), and each of them tried to use them again and again.

Lesson #5. Always have a plan B

And plans C, D and E also would be useful. In my case, the hypothetical loss was not that significant, and no serious harm would have been inflicted even if I were unable to regain my money.

However, some of my friends have lost a good deal of money due to scams like this. Some of them have even faced this situation while on vacation, and then simply had nothing left to cover any immediate expenses like food or fares.

In order to avoid such situations, you’d better have a minimum of two or, even better, three or four cards. Use different payment systems, have cards issued by different banks, and distribute your budget evenly. One dedicated card should be used only for online payments and you should avoid storing large sums on it. One convenient option is virtual cards issued by many banks specifically for online payments.