Crooks Beating Chipped Cards
For you Yanks (Canadians have been using this technology for years), have your magnetic strip credit and debit cards been upgraded to embedded chip cards?
The EMV (Europay, MasterCard and Visa) technical standard that embedded chip cards facilitate helps prevent fraud. When you use an embedded chip card, you must enter a PIN at the point of purchase. Unless you tell a crook your PIN—purposely or inadvertently by, say, writing your PIN on your card—or use a PIN that’s very easy to guess like 1234, fraudulent transactions with your card are, theoretically, impossible. (Many financial institutions are claiming embedded chip card fraud is impossible, and are holding cardholders responsible for all transactions, period. See “Card Fraud Blame Shift“.)
Crooks Working Around EMV
As embedded chip cards become the standard, guess what: crooks are finding another way, as they seem always to do, dubbed “account takeover.” Potentially far more rewarding for the bad guys than a few fraudulent card purchases made with a stolen account number, account takeover has already overtaken in number the simpler forms of credit card fraud. Account takeover fraud jumped 112% from the first quarter of 2014 to the first quarter of 2015.
What is Account Takeover?
As the name implies, in this sort of fraud a crook attempts essentially to assume your identity for the purpose of impersonating you digitally and taking over one or more of your financial accounts. The trick typically is accomplished by filching a few key pieces of identity info. With this information, to the financial institution, the crook ‘looks’ just like you.
Once a crook gains access to your account, his first order of business is likely to reroute communications. With that done, unless you proactively check up on your account, you’ll be kept in the dark about all the shenanigans going on with your account because the financial institution’s communications about what’s happening will be going to the crook instead of to you.
Account Takeover Fraud Potential Damage
Think for a moment about what a crook who has accessed your bank or credit card account can do. For example:
- Request a new credit card (which will be mailed to the crook’s address)
- Request an increase in an account’s credit limit
- Transfer out of or withdraw your funds from the account
- If you’ve established links to other accounts, those accounts could also be exploited
- If you’ve used the same username and password for other accounts or web properties, the crook could wreak all sorts of havoc
- Take out a loan in your name
How to Protect Against Account Takeover Fraud
You probably already know most of the standard advice for online fraud protection, such as:
- Don’t click on links in any email from a source you don’t recognize as legitimate
- Use different username / password combinations on different sites, and change passwords regularly
- Reconcile account statements
Nothing is bullet proof, but to help protect me to potential fraud, I take full advantage of a set of Alerts my bank (and credit card issuer) offers. Here are the alerts I’ve activated:
When any of my alerts is dinged, I get immediately an email (or I could choose a text message). That prompts me to investigate if the alert should not have been activated. As you can see, not all of these are strictly about fraud, but also help me avoid doing something dumb like overdrawing my checking account or missing a credit card payment.
Again, not perfect, but worthwhile. Also I think my bank will be more sympathetic if I’m victimized by fraud if I’ve taken advantage of all the fraud protection features it offers.
What do you think of my account alert settings? This isn’t on the list, but if the email address or phone number attached to the account are changed, my bank immediately sends an alert about that too (to both the old and new contact info).