Cancel my credit card?
November 15, 2013 10:16 AM

I just got a call from my credit card company. it seems my card's number got compromised, along with about a million others. they strongly urge me to cancel the card and get a new one. this will be a major pain, as i have all sorts of accounts linked to the card for automatic billing. and, besides, isn't security their responsibility? because what if this happens next week and the week after? do we have to change numbers each time there's a breach? does anyone have any experience with a situation like this and how did you resolve it? thanks.
posted by holdenjordahl to Computers & Internet (28 answers total) 2 users marked this as a favorite
What does "strongly urge" mean exactly? If they are giving you the option not to do it, then are they warning you of any possible consequences or ramifications? I believe that your liability, at least in the US, is capped at a certain dollar amount and therefore most of the risk is on them as far as fraudulent charges go.
posted by Dansaman at 10:21 AM on November 15, 2013

does anyone have any experience with a situation like this

This happens anytime a card you have *expires* as well -- you have to go update all your automatic payments and everything then, too. The solution is to link as many things as possible to your bank account rather than your card, but I am skeptical that that is actually as secure, partly because of the permanence of it.

isn't security their responsibility?

Security is the responsibility of everyone involved. They had a problem and they are alerting you trying to fix that problem. They are currently in a position where if someone makes a purchase with your card, they are not sure if that person is actually you. They are advising you of the situation and giving you a recommended course of action. What do you expect them to do? Their only other realistic option is to summarily cancel your card and issue you a new one. You'd be forced to update all your accounts in that case, as well.

do we have to change numbers each time there's a breach?

Yes, just like you change the locks on your house each time someone breaks in and steals your keys.
posted by tylerkaraszewski at 10:21 AM on November 15, 2013 [15 favorites]

This has happened to me more than once. The last time, for added frustration, it was my check card--the university had a security breach and the bank canceled everyone's card without notifying them. Yes, I've always just canceled the card; yes, it's a headache. Then again, yes, my money stayed where it was supposed to be, so, there's that.
posted by thomas j wise at 10:21 AM on November 15, 2013 [1 favorite]

Wait - they called you? I would find a local branch if possible, and call them, to confirm. This screams scam city to me! Make your own calls before doing anything!
posted by kellyblah at 10:22 AM on November 15, 2013 [15 favorites]

The way you resolve it is, basically... you deal with it and change all the accounts linked to your card. Yes, they really are kind of awful about security, and that does kind of suck. But once the breach happens, there's absolutely no way to handle it except cancelling that card and issuing new cards. If you keep that number, how can anyone tell whether any new charges on that number are from hackers or from you?

Yes, it sucks, and yes, it's frustrating as a consumer that participating in the economy means relying upon companies with an astonishingly poor track record of protecting data. And to try to encourage better behavior in the future, you could absolutely switch to a different bank that hasn't had a breach, and inform your old one that you're switching because of the breach, which in aggregate can help us all push these companies to be more responsible. But today, right now, you absolutely really do need to cancel your card, get a new one, and update all your automatic billing. This is not something they can retroactively fix in any way, even if they really wanted to.
posted by Tomorrowful at 10:22 AM on November 15, 2013 [1 favorite]

Actually no you don't always have to change your number every time there is a breach. I've had my American Express card used fraudulently and American Express's security department said I didn't need to change the number. It depends on the situation. Their analysis of the particular situation was that there was minimal risk of that person trying to use it again.
posted by Dansaman at 10:22 AM on November 15, 2013

You cancel the card and you go through the pain. If you don't cancel the card and it has been compromised, you're going to find the bank a lot less willing to deal with the fake charges.

What I personally started doing after this happened twice in one year was holding two separate cards. I have one card that I only ever use for recurring and automatic payments -- things like monthly bills that roll onto the card, monthly charitable contributions, etc. I don't use that card in stores, I don't use it to buy things from random websites, etc. By doing that, I decrease the likelihood that it will be compromised.

Then I have a main card that I use for actual purchases where I'd be typing in the number anyway, or where I'm shopping in stores or booking hotels or whatever. It gets compromised and replaced every year or two, but it doesn't affect my automatic payments.
posted by jacquilynne at 10:24 AM on November 15, 2013 [2 favorites]

This is a credit card and not a debit card, yes?

If it's a debit card, cancel and NEVER USE IT IN ANYTHING BUT AN ATM. You hold most of the risk on debit card transactions.

With a credit card, are you willing to deal with the headache of disputed charges? There's a chance your info may not be used, but if it is you'll have to deal with disputes. So which sounds better, a chance of not needing to cancel and update things until the card expires, or dealing with all of that now? I'd go with the fixed cost and stop worrying, personally.
posted by bfranklin at 10:25 AM on November 15, 2013

The first thing you should do is call the telephone number printed on the back of the card to make sure the telephone call you got was legitimate. If the people who called you gave you a phone number, don't call that one. Call the one printed on your card.

If your card was compromised, then unfortunately you do basically have to cancel it and update all those automatic payments. It's a pain, but them's the breaks.
posted by alms at 10:26 AM on November 15, 2013 [3 favorites]

Your credit is ultimately your responsibility. If the bank is being negligent, you and the other cardholders could initiate a class-action suit.

Automatic payments have many disadvantages -- becoming dependent on convenience is one of them.
posted by amtho at 10:35 AM on November 15, 2013

This just happened to me. BofA notified me by email and sent me a new card.
posted by brujita at 10:35 AM on November 15, 2013

This happens to me at least twice a year now. No exaggeration. It never stops being a pain, but it's also something you're not likely to completely avoid if you continue to use credit cards.

One thing I did that has helped is I now have one card I use solely for recurring payments (cell phone, cable, etc.), and another I use for all other purchases. The one I use for normal purchases has been compromised and replaced twice, and the recurring charge one hasn't ever had to be replaced since I started this system.
posted by primethyme at 10:37 AM on November 15, 2013 [1 favorite]

If the bank is being negligent, you and the other cardholders could initiate a class-action suit.

Banking lawyer here. I bet you dollars to doughnuts that the card agreement contains a class action waiver and an arbitration clause.

OP, yes, you have to go through the trouble of updating your automatic payment accounts and your Amazon "1-Click". And, as noted, security is everyone's responsibility. It could be your number was potentially compromised through a merchant, for example, rather than by your card's issuer. Asking, "what if this happens next week and the week after?" isn't a very helpful question, but the answer is that you deal with it each time it happens.
posted by Tanizaki at 10:40 AM on November 15, 2013

I would call the 800 number direct and ask about the problem. I am skeptical that if there were a million others that they are making a million phone calls. If it is legit, I would just change the number and sleep better at night.
posted by JohnnyGunn at 10:40 AM on November 15, 2013

I have had my card cancelled for me when the issuer detected fraudulent activity and more recently had to replace all my cards when they were demagnetized in an MRI scanner. It's a pain to redo all your automatic payments, but if you just buckle down and do it, it shouldn't take too long. I have had to change numbers for other reasons as well (such as cards expiring and being reissued with new numbers). That is why I tend to minimize the use of cards for automatic payments and use that feature on my bank account's website instead. Another strategy is to spread your automatic payments across multiple cards so that if any one is compromised it won't be as big a hassle (of course that didn't help in the aforementioned mass demagnetization). But to a large extent having to redo your automatic payments is just part of life in the internet age. I am old enough to remember having to write a check, put it in an envelope with a stamp and then mail it, for each and every account, every month. So redoing your autopayments every so often isn't that big a deal from my perspective.
posted by TedW at 10:40 AM on November 15, 2013 [1 favorite]

What I learned from the Schnucks credit-card breach (affecting 2.4 million people) was to link as many recurring payments as possible to my checking account and/or use its bill-pay system, rather than a card. Everyone I know shops there and had to replace one or more cards.
posted by limeonaire at 10:42 AM on November 15, 2013 [1 favorite]

This happened to me twice in two months, and it was my debit card, and I found out by my bank calling and saying that they WERE canceling my card and issuing a new one. Fun times.

It sucks, but what else can you do?

Start making a list of all your auto-pay setups and changing them one by one. I was under the mistaken impression that any bills I missed would ping me saying my card hadn't gone through. Au Contraire! A few months later I was surprised by a $400 cell phone bill.

One good thing that came of the whole mess was that I was able to put a lot of my auto-pay bills directly on my checking account rather than associated with my debit card. Which will prevent this ever being a thing again.
posted by Sara C. at 10:42 AM on November 15, 2013

thanks, everyone, for the responses.
i did call the number on the card (thanks alms): it was verified there was a breach.
and, yes, jacquilynne, i do believe the bank would be more inclined in the future to be less friendly if i declined.
and, yes, tylerkaraszewski, i reckon security is the responsibility of both parties.
and, yes, amtho, automatic payments also have disadvantages.
so, as per JohnnyGunn, i will change the card and sleep better tonight, at least until the next breach comes along.
thanks everyone!
posted by holdenjordahl at 10:46 AM on November 15, 2013

Yeah, I have had this happen, both when the credit card company contacted me (via email) and when I spotted a fraudulent charge on my card while I was reviewing my statement. Each time they immediately canceled the card and did not give me a choice to keep the number. They sent me a new card very quickly. It is a super pain in the ass, I get that, but if you don't change the number then you run the risk of having someone fraudulently use your card, so you will have to keep an eagle eye on your account. Just cancel the card and update your automatic payments as they come due.
posted by bedhead at 10:47 AM on November 15, 2013

Sorry - This isn't your fault, I didn't mean to imply that it was.

I try to have all automatic payments through my _bank's_ bill payment interface. That way not only are they centralized and easier to manage, and not linked to a particular credit card number, but they are also more within my control -- I don't have to worry so much about some freaked out business employee (or independent craftsperson) doing weird things when I'm not paying attention.

I also figure I'm less likely to "Just forget about" some service I sign up for if I'm just _reminded_ every month to enter a payment by hand. (exceptions - I have signed up for some automatically-renewing services, like Consumer Reports, but these are exceptions AND I wish they'd give me another choice. If enough people refused to go along with it, then I'd be _more likely_ to have another choice - so I can get a little annoyed at the whole system.)
posted by amtho at 10:50 AM on November 15, 2013 [1 favorite]

One summer, this happened to me twice. Frustrating!

For future reference, what helped me stay sane after the first time, is I made a list of all the places that have my cc# and/or automatic payment so I can just refer to it when I need to change everything. It has been so helpful.
posted by mamabear at 10:53 AM on November 15, 2013

Such breaches aren't always the fault of the bank or the credit card company. Sometimes it's a break-in at a retailer that does it. In that case the bank and credit card company are just as much victims as you are.
posted by Chocolate Pickle at 11:10 AM on November 15, 2013

The new con is dubbed ‘vishing’. It involves a fraudster posing on the phone as someone from a bank or building society fraud investigation team, the police or another legitimate organisation such as a telephone or internet provider.

An automated system calls the unsuspecting victim. Once they pick up the receiver the criminal, posing as a representative of a reputable organisation, claims an urgent need for their debit or credit card. In a cruelly ironic twist, this typically involves telling the bank customer their card has been cloned and fraud is about to be enacted on their account.

The crook urges the victim to act straight away to avoid the disaster.
If he or she can sense doubt, they urge their victim to put down the phone and ring back. However, the criminal simply stays on the line and either pretends to answer the phone or passes the receiver to another member of the gang.

When you call the bank use a different phone line.
posted by Lanark at 11:49 AM on November 15, 2013

If they instituted any level of security that required purchasers to have more information than what was compromised... then the next time there was a compromise they'd just get more information and start it all over again. By using an identifying number for the card rather than, say, your social security number, they allow numbers that may have been compromised to be dropped easily and replaced. So, basically, this IS a security feature. It's not always necessary because not all breaches actually end up revealing enough for them to use the account, but in the event that one does, you'd far rather have to replace the card than most other options.

The other option would be requiring two-factor authentication for everything, which technologically is only just starting to reach the point where it's not a huge hassle to make purchases.
posted by Sequence at 11:53 AM on November 15, 2013 [1 favorite]

This happens to me fairly frequently. I got smart and moved all my auto-pays to direct debit from my bank account (or debit card if I can't do an automatic draft). This has the added bonus of not incurring further credit card interest for those things.

I've never had this happen with my debit card, however, I have lost my debit card. When I reported it to the bank they changed the number (I wasn't given a choice, but I would have chosen to change the number).
posted by tckma at 11:59 AM on November 15, 2013

I have a Bank of America issued credit card that I use for everything, all the time. Just two months ago they sent me a new card with a new number and a letter stating that there was a security breach and my old card would no longer work as of xx date and here is your new card!

I didn't even have a choice. At least they gave you a choice.

I also have to update all my auto drafts every two/three years when the card expires - even when the card # is the same.

It's a pain, yeah, but what can you do? Living in the modern world and all.
posted by ZabeLeeZoo at 12:38 PM on November 15, 2013

The one time I've had a problem, they canceled that card/number and issued a new one; I wasn't given a choice.

Love the idea of a separate card specifically for the auto-pays; that's never occurred to me to do. Thank you guys for mentioning it!
posted by stormyteal at 2:22 PM on November 15, 2013

What's more of a hassle, getting a new card and setting up all of your auto-payments again or having your card stolen and maxed out by a thief?
posted by OneHermit at 4:32 AM on November 16, 2013
