Credit Cards, the Internet, and Security

The LA Times has an interesting article today on the payment card problem: it points out that the movement to EMV (chip and PIN) is painfully slow, that credit/debit card breaches are increasing, and that it’s going to get worse before it gets better. I’ve also been looking into the issue, finding the investigatory work of Brian Krebs regarding the Target incident fascinating. So what advice would I give based on all of this?

  1. Don’t Use Debit Cards. Debit cards are basically electronic checks. You have no protection in terms of fraudulent charges, although you might be able to get money back after the fact. I would tend to believe that Debit Cards are slightly riskier than checks, simply because the information on checks is not stored in databases as much as debit cards are.
  2. Monitor Your Credit Cards. Don’t wait for your monthly statement; check your credit card transactions every few days. This is easy to do if you use Quicken (or a similar service) and download transactions; you can also check with your card issuer on the web. As soon as you spot a fraudulent transaction, report it by phone to the credit card company and follow that up with a written report. Credit cards are better because you typically have this grace period to report transaction fraud without being liable, and often the cost of that fraud is borne by the banks or the merchants.
  3. Don’t Fear the Internet. If you look at a lot of the breaches, the problem has not been the connection between your computer and the merchant — just make sure you have an encrypted connection and are talking to the merchant’s web site. The massive problems have been attacks on the merchants’ databases themselves — and these databases often contain both web and physical transaction information. Work needs to be done to encourage merchants to improve their overall security stance — the PCI standards are just a start and focus on the transactions; the merchants need to adopt appropriate risk management frameworks and security controls (see NIST SP 800-37 Rev 1, SP 800-53 Rev 4, SP 800-30, SP 800-39 Rev 1) to secure how they are storing their information.
  4. Check Where and How You Swipe Your Card. One of the easiest ways adversaries capture data from our insecure mag-stripe cards is with credit card skimmers. When you are swiping your card (especially at ATMs), always look for skimmers fitted over the reader and for hidden cameras positioned to capture PINs.
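
The "check every few days" routine in item 2 is easy to automate once you download transactions. The script below is an added example, not from the article or any issuer: it assumes a CSV export with date, description, amount and transaction-id columns, and flags every charge you have not yet reviewed, calling out unfamiliar merchants and duplicate charges, which are the ones worth disputing first.

```python
"""Triage a downloaded card-transaction export for charges that still need review."""
import csv
import io
from datetime import date

# Constructed sample export; the column layout is an assumption about the issuer's CSV.
SAMPLE_CSV = """\
date,description,amount,txn_id
2014-01-03,GROCERY MART #112,54.10,T1001
2014-01-04,GAS STATION 88,41.75,T1002
2014-01-06,ONLINE GADGET SHOP,229.99,T1003
2014-01-06,ONLINE GADGET SHOP,229.99,T1004
2014-01-07,GROCERY MART #112,12.30,T1005
"""

# Constructed state carried over from the previous review pass.
KNOWN_MERCHANTS = {"GROCERY MART #112", "GAS STATION 88"}
REVIEWED_IDS = {"T1001", "T1002"}


def parse_export(text):
    """Parse the issuer's CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(row["date"]),
            "description": row["description"].strip().upper(),
            "amount": float(row["amount"]),
            "txn_id": row["txn_id"],
        })
    return rows


def triage(rows, reviewed_ids, known_merchants):
    """Return (txn_id, reason) for every transaction the cardholder should look at.

    Transactions are matched on id, never on date: back-dated postings would
    otherwise slip past a "since last review" cut-off.
    """
    seen = {}      # (description, amount) -> first txn_id with that pair
    flagged = []
    for r in rows:
        if r["txn_id"] in reviewed_ids:
            continue  # already checked on an earlier pass
        key = (r["description"], r["amount"])
        reasons = []
        if r["description"] not in known_merchants:
            reasons.append("unfamiliar merchant")
        if key in seen:
            reasons.append("duplicate of %s" % seen[key])
        seen.setdefault(key, r["txn_id"])
        flagged.append((r["txn_id"], "; ".join(reasons) or "new since last review"))
    return flagged
```

After each pass, add the ids you have checked to the reviewed set so the next run only shows what is new.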

You can never bring your personal risk of credit card fraud to zero (well, unless you only pay cash, and then you have a different set of risks). You can, however, reduce the risk to an acceptable level by using credit cards over debit cards, and further mitigate it by being prudent about where and when you use your card.