the secure:channel

Click here to read more about SpamStopsHere, the e-mail security company that brings you this blog.

Criminals are constantly finding new ways to get a hold of your credit card number and expiration date. Businesses to whom you give your credit card information are constantly finding ways to lose this information. Why is it so easy to steal credit card numbers, and should you be worried?

Why is credit card information not secure?

Credit card information prior to Windows 95 was relatively secure. A credit card number was provided to few people, and there were fewer ways in which it could be stolen. Once Windows 95 came, the average personal computer user had a TCP/IP compatible system, and millions of users poured onto the Internet and Web. Internet commerce became widely available, credit card information started being transmitted through many more computers, and the technology used to transmit credit card information became standard.

In previous years, the following were the most common methods used by criminals to steal credit card information:

• Digging through the trash at stores, a.k.a. dumpster diving
• Purchasing information from colleagues that worked at stores that could get receipts

Today, it is now a violation of Visa and MasterCard rules and regulations to print the full credit card number on a receipt. Additionally, most credit cards now have an additional three or four digit number that isn’t even allowed to be stored by a merchant, for added security. The current most common ways for criminals to get working credit card account numbers are:

• Social engineering and phishing 
• Purchasing information from colleagues that deal with credit card information for work
• Hacking into computers and networks that deal with credit card information
• Looking at the credit card of the person next in line at a store’s checkout counter
• Opening credit card accounts in other people’s names through identify theft

Unfortunately, all the precautions in the world won’t stop someone from becoming a victim. The whole credit card system is based on a promise to pay. It’s just too simple for someone to make a promise that someone else will pay, since at most times the security is simply posession of a an account number, with no real authentication mechanism in place.

For face to face transactions, the fear of a security camera and the security features on the credit card itself are supposed to protect the account holder. In telephone and Internet transactions, the shipping of a product only to the account holder’s address and the three to four digit security code are supposed to protect the account holder. For both types of transactions, the valid expiration month and year offers a little protection.

However, credit cards are being counterfeited in order to use stolen credit card numbers, for face to face transactions. Most cashiers at stores are not trained to look for the security features on a credit card and rather improperly concentrate on shopper profiling.

Merchants are incorrectly storing  the three to four digit security number when they’re not supposed to, resulting in successful electronic thievery of all information needed to purchase a service or product online or on the telephone. Additionally, merchants are more often offering to ship goods to addresses other than those on the credit card account in order to keep in business by taking the financial risk in a buyer’s market.

Today it’s also easy to purchase a disposable cell phone or a virtual telephone system in order for the criminals to provide telphone numbers to merchants for “telephone verification”. Telephone verification hasn’t been a good way to rule out credit card fraud for the past couple of years when dealing with even the most basic criminal.

What can be done?

The credit card banks expected the lack in security of the credit card account information. An individual’s credit card usage isn’t safe because criminals don’t have the account information. Credit card usage is safe due to agreements in place between the credit card issuing banks and the merchants that accept those credit cards for payment.

Even though many merchants simply aren’t playing it safe, and not following the rules, it’s these merchants that are taking the financial risk by not ensuring that they are dealing with the account holder. Most credit card account holders are completely protected from criminals purchasing products and services on the victim’s account. Simply reporting any suspiscious activity or the loss of possession of a card completely relieves the card holder of any financial responsibility. Even if the card or card number isn’t reported lost or stolen, the financial responsibility of the card holder is usually limited to only $50.

I recommend that all credit card holders demand that stores verify the signature and check the security features of the card before accepting it for payment. If a store clerk doesn’t do these things, ask why, and then ask for a manager. If a merchant is suspicious, don’t let them ask for identification (ID), which really proves nothing, especially if they haven’t checked the security features of the card or verified the signature. It’s against all of the major card issuer’s rules and regulations that a merchant require ID to accept a credit card for payment, as it leads to lax security and to customer profiling. Having an unsigned card presented for payment is the only time that a merchant should ask for identification and then ask the card holder to sign the card. If a merchant is suspicious, the merchant should call the credit card issuer for further instructions, but never ask for identification.

It’s a common misconception that one can simply write “See ID” on the signature panel of a credit card to ensure that the merchant checks for ID. In theory, this should only work once, since a card presented without a signature can’t be accepted until it’s signed.

Additionally, don’t let a merchant copy down or store the three to four digit security code on the back or front of the credit card.

If someone calls and asks for your credit card information to pay a bill, ask if you can call them back at the number printed on your invoice to pay.

However, most of all, don’t worry. If a criminal gets your credit card information, most likely it won’t be because you weren’t cautious enough. Using a credit card is safe and offers protections not offered by using cash. The fact that credit card theft is on the rise is nothing to lose sleep over, for a card holder. On the other hand, if you’re a merchant, you should call your credit card processor and ask what precautions you can be taking to help prevent fraud.