Keeping your credit and debit cards safe from harm

October 14 2007 by Ellen Roseman

I’m really concerned about payment fraud and identity theft (an occupational hazard, given what I do). So, I can’t help noticing how often companies ask for personal information without paying attention to privacy or security concerns.

My travel agent asked me to fax my credit card number and three-digit security code. No way, I said. I’ll give you the forms in person, but I’m not giving you my three-digit code (or CVV2). Show me why you need it and if you can’t, you won’t get it.

The University of Toronto wanted both a credit card number and CVV2 for my son’s meal plan. But since that was an online transaction I initiated, I agreed to supply it. The code provides extra security for the retailer and the cardholder in situations where the card can’t be handed over in person.

Tonight, we went out for dinner with friends who had been the victims of debit card fraud. They were driving home from their cottage and stopped at a gas station, where the wife used the CIBC automatic teller machine to take out cash. Later, while checking her bank statement, she noticed a couple of withdrawals with extra fees. But that didn’t make sense, since she never used other banks’ ATMs, only CIBC ATMs.

When she called the bank, the first question was: “Did you withdraw cash at a gas station?” Fraudsters install hidden cameras that take pictures of your debit card and PIN at places that aren’t as secure as bank branches. And unless you check your statements really carefully, you might not even spot those small withdrawals that aren’t yours.

Thicken My Wallet, a personal finance blog, found a rather large ATM withdrawal ($361.29) on his bank statement. He discovered that his card had been skimmed and withdrawals made from outside the country. The odd amount was because of currency conversion.

He had two observations to make after this experience, while waiting for the money to be reimbursed by his bank:

If someone wants to commit fraud they will. Just try to catch it as quickly as possible to minimize the damage. I caught the withdrawal by pure dumb luck – it appears I found it within 6 hours of it happening. The moral of the story: don’t wait until you get a bank statement to check your balance. Check it often for cash flow and fraud prevention purposes and report anything out of the ordinary immediately.

As dumb luck on my part and not part of any design, I never raised the withdrawal limit on my bank card in the 15 years since I’ve had this account. Thus, they hit the ATM withdrawal limit quickly. If you don’t need large amounts of cash at one time, limit your ATM withdrawal maximum for both budgeting and fraud prevention purposes.

One day, Canadians will have much more protection from card fraud. That’s because every card will have a computer chip embedded in it. It’s fun to read the fancy footwork in a Q&A published by the Interac Association, trying to say the chip is safe without saying the magnetic stripe is not so safe.

Here’s what you need to konw:

Financial institutions will be required to store the same type of information on the chip that is currently stored on the magnetic stripe. But while the information is the same, it will now be stored within the chip, which is personalized with data unique to the financial institution and is more difficult to duplicate. This will significantly reduce debit card skimming and the production of counterfeit cards.

If only chips were here now! But the transition will take years. Interac has a deadline of Dec. 31, 2012, after which magnetic stripe transactions will no longer be accepted at ATMs. And it won’t be until Dec. 31, 2015 that magnetic stripe transactions will be phased out at the point of sale.

So, pay attention to your cards and your monthly statements. Your scrutiny is all that’s keeping you from losing money to sophisticated thievery.

6 comments

  1. Fraud victim

    Oct 14 2007

    Someone stole my identity and used my Visa card last week. Luckily, Visa phoned me to verify (I still don’t know how they found it). I have followed their advice and reported to three credit bureaus – EquiFax, TransUnion and Experian – and all of my banks and credit card issuers, asking them to post a fraud alert on my record.

    I am going to the police this afternoon to make a report (as I was told it has to be in person). I have also filed a complaint with the RCMP-OPP PhoneBusters. I guess I have done everything I can (if not, please advise).

    What I really want to know is what else the thieves can do by having my identity in addition to using my credit card? They got my name, date of birth, SIN # and my bank info. What other damage they can wreak in my life? I really want to know so I can take action up front.

  2. TP

    Oct 14 2007

    I noticed your article had a question about some merchants blocking the customer’s credit card numbers and others not blocking. As a small merchant, it took about 60 transactions before I realized that I was handing the merchant’s copy of the slip to the client and retaining the client copy with the signature for myself.

    Most credit card machines will print two copies, one for the merchant with the numbers exposed and the other for the client with the numbers obscured. However, a number of machines, mine included, do not identify the copies as Merchant or Client.

    Now that I know, I make sure I get the correct copy signed and retain that copy.

    As for unsigned cards, I’m surprised by the number of clients who come with unsigned copies or who keep the validation sticker on the card in case they need it. About 10% to 15% of my sales are to people in that boat and it causes headaches for me as a merchant. My service is highly personal and I obtain considerable private information prior to making a sale. Yet people who don’t sign cause me to ask for ID time and time again, much to their surprise given the other material I obtain.

  3. Andy

    Oct 15 2007

    I usually have a look at my bank statement daily just to make sure nothing funny has happened. I can certainly remember what I spent in the previous 24 hours! Indeed, I used to scoff at my sister in law – an OPP inspector – who obsessed about identity thefy until …

    Until it happened to me! Someone had my debit card number and my pin and extracted $500 from a bank machine in Montreal (I live in Toronto). The bank called my home, office and cell the nest day. What tipped them off, apparently, was that the same somebody tried to extract more money a few more times that night.

    Fortunately, I had reduced my daily limit a couple of years ago, at the suggestion of the bank. I got my money back and changed my card, pin, etc.

    What disturbs me is that, while the bank credited me with the $500 within a day or two, that is still $500 that the bank paid out. Someone (like all of us) get to pay for that. I was just one, but you hear stories every day about both debit and credit cards. I only hope that the chip that is going to get installed will reduce this.

  4. Jackie

    Oct 17 2007

    One reason why retailers collect this consumer data is to manage returns and prevent fraud. They figure by collecting sensitive consumer data that thieves would think twice about committing a crime. This is a fallacy, as those who are willing to commit return fraud are probably using fake identification to begin with. So who are retailers really hurting? Their consumers, as their data can be compromised.

    There’s a bigger retail industry story here: The ability to create “electronic receipts” by tracking product and controlling returns exists without having to collect consumer data (no license info, SIN, credit card info, etc.).

    SIRAS.com, an offshoot of Nintendo, developed a solution that tracks products, not people – and is being used by major retailers and manufacturers nationwide. This should be the industry standard.

    It’s amazing that more CIOs haven’t realized the importance of protecting their customers — while still being able to protect their bottom line. SIRAS’s solution also allows retailers and manufacturers to protect themselves from information exposure incidents and all other related fallout such events may bring (TJX). And it has been proven to save retailers millions of dollars in preventing fraudulent returns, all by simply removing the information ID thieves seek and focusing on tracking the products via unique identifiers (a combination of product UPC code and serial number). That way, if a data breach occurs, no important consumer data is compromised.

    SIRAS’s system is being piloted at several Canadian retailers for product POS Electronic Registration. Some of these retailers include Best Buy, Future Shop, EB, Toys ‘R Us and Wal-Mart. It really is a fascinating technology — with several benefits, especially when you factor in protecting consumer privacy.

  5. Riscario Insider

    Oct 18 2007

    Why would you carry your SIN card with you?

    In a recent identity theft presentation, over a third of the attendees had their SIN cards with them. The presenter called that our most useful piece of identification — for identity thieves. There are very few places that need our SIN. As a teen, I memorized my SIN number and destroyed the card. I’ve never been asked to produce the physical card. It’s one less piece of plastic to carry. And lose.

    Cards with computer chips won’t make me feel more secure. Wouldn’t it be great if one card could replace all the others? That would be progress.

  6. Canadianfinancialdiy

    Oct 19 2007

    Just as a matter of interest, both credit and debit cards have been using chip and pin for a couple of years in the UK. What is taking so long in North America?