Solving credit card fraud, or at least narrowing it down
June 26, 2021 9:31 PM

My credit card has been compromised two or three times in around that many years. I don't feel like I do anything particularly risky with it, so I'm a bit baffled about why this keeps happening. Can you help me try to prevent it from happening again, or at least make it less of a hassle if it does?

I use my credit card to pay for pretty much everything. The main regular purchases are: groceries from major supermarkets, occasional purchases of things like food and coffee from small businesses, my phone bill, one streaming service, a couple of meal delivery apps, a fair bit of online shopping (mainly to buy things for my kid like clothes). None of the vendors where I have used the card have seemed suspicious, but I guess that doesn't say much.

The most recent fraud seems to have been committed by someone who lives in the same city as me, so I'm wondering whether my card was skimmed somewhere.

When I get the new card, I'll be cutting down to just one meal delivery app but I don't think this is going to solve the issue, as that doesn't seem to be where it was breached.

One thing I am considering doing is getting a second credit card and then having a system for how I use the cards. For example, maybe I have one card for all online purchases and one for all physical store purchases? Has anyone done something similar and have any advice on how to do this?

I figure that if I use this system then if any fraud happens, I might be able to work out how it happened and it will also just be less of a hassle because I'd still have one working card!
posted by kinddieserzeit to Work & Money (26 answers total) 7 users marked this as a favorite

Some cards allow you to allocate virtual card numbers, which will only work at a single place. It's a bit of a hassle to configure, but if one of those gets stolen, it can't be used elsewhere. Also, I believe that if you have a bunch of virtual cards running various services and your real card gets compromised, you can leave the virtual cards in effect and not have to re-enter new cards everywhere.
posted by spacewrench at 10:13 PM on June 26, 2021 [3 favorites]

As spacewrench mentions above, I use "" and it generates virtual cards for either recurring charges, or one-time payments. If anything goes wrong (hasn't yet luckily) only the single virtual card is compromised and not my actual card. You can also set spending limit rules (max this $ amount, and only once a month, for example) per virtual card.
posted by alchemist at 10:49 PM on June 26, 2021 [6 favorites]

That honestly feels like a pretty normal rate in America. Based on your purchase history, your card is either getting skimmed at local businesses, or your card is being stolen when people hack internet databases. I don't think you're doing anything wrong and you're just getting a bit unlucky.

Having 2 cards is a good idea for many reasons. I don't usually have a problem with fraud, but my bank is overly paranoid so denies a purchase I make once every few months until I can text them back half an hour later. Also, it makes things much better if you physically lose a card, you can use your backup. Or you can get cards with different types of bonuses, so you use one for travel or whatever, and the other for cashback on groceries. As long as you pay both accounts off every month, there's basically no downside to having 2 credit cards (5 credit cards is a different story, that looks suspicious).
posted by JZig at 10:52 PM on June 26, 2021 [11 favorites]

I don't know if buying gasoline is a factor for you, but it's not infrequent for gas pumps to be vandalized by having skimmers installed. If you want to use your card to buy gas, pay inside.
posted by yohko at 11:25 PM on June 26, 2021 [7 favorites]

I don't feel like I do anything particularly risky with it ... I use my credit card to pay for pretty much everything.

That feeling is misleading.

You're using a credit card exactly as designed, and credit cards are fundamentally insecure by design. This is actually a large part of the reason why credit card interest rates are as ruinously high as they are: they need to be that high in order to keep the credit card business profitable in the face of the insane amounts it's constantly leaking by quietly paying for credit card fraud.

The fact that fraud is inconvenient for you doesn't matter even slightly to the credit card providers as long as their business model remains profitable, which it clearly does. It would matter to them if you could fix the fraud issue by switching to competing providers, but because susceptibility to fraud is so thoroughly baked into the design of credit cards as a system, you don't have that option available to you.

If you try to mitigate that susceptibility by using multiple cards so that you still have at least one available while those cancelled due to fraud are being re-issued, all you're doing from the credit card providers' point of view is increasing their chance of being able to ding you their extortionate interest rates for overlooked bill payments.

Funnelling more of your business through some of the remoras on the credit card shark, like PayPal or the virtual card generator recommended above, is probably about the best you can do.
posted by flabdablet at 3:04 AM on June 27, 2021 [2 favorites]

2 cards yes, but split it between recurring bills (phone, electricity, internet, subscriptions, etc) and one time bills (food delivery, anything in person, clothes, etc).

The recurring one is unlikely to get scammed, so when the other one does, you won't have to set up all those accounts again.
posted by february at 3:51 AM on June 27, 2021 [12 favorites]

The security depends a bit on how you use the card. Insert into a machine for the chip to be used, and it's difficult to copy your card. I believe tapping is similar, but not 100% on this. Prefer to insert for the chip to be used.

Swiping your card, or punching the numbers into an app, it's trivial to steal. Online needs a better system than just 16 copyable numbers, but I don't think they are working on it.
posted by TheAdamist at 4:02 AM on June 27, 2021

Yes, mine's been compromised a few times in the past years, and I've started paying in cash at restaurants and other places where the card is taken away to charge a transaction.

When you really stop to think about it, isn't it astonishing that we so blithely do this? Just hand over the keys to part of our financial kingdom to a random stranger? It's nothing to copy all the necessary info, and get your details online. Boom, you're a victim.
posted by I_Love_Bananas at 4:52 AM on June 27, 2021 [2 favorites]

I use my credit card to pay for pretty much everything.

There you go. Many, many more chances a scammer gets your info with lots of transactions.
posted by tiny frying pan at 4:53 AM on June 27, 2021 [2 favorites]

Honestly, past the normal caution you’re already doing or just using your card way less, I don’t know how much you’re going to stay ahead of this kind of thing. After getting caught up in a few of the giant leaks, what I do now is have a list of all the places that do recurring charges or that I know have my card on file. When I do need to change my card number, it’s easier to make sure I change it everywhere. Also, I’ve switched more payments over the years through PayPal, ApplePay, etc. I don’t know that it’s much safer but it cuts down on how many vendors I have to give my info and keep updated. Handy for when I change addresses, too.
posted by jameaterblues at 5:04 AM on June 27, 2021 [1 favorite]

According to experts, 80% of active credit cards have been compromised. It's less likely to be a card skimmer (although these do happen) and more likely to be a data breach. With a card skimmer you'll get a few hundred credit card numbers, with a data breach you'll get millions. You are not going to be able to figure out how it happened because most major companies keep the data breaches secret for weeks/months/years. Here's just some of the data breaches from last year. It is likely you have not heard of most of them. At least one is a credit card processor, which is the middleman between the store and your credit card company. There's also a hotel reservation engine, which is the middleman between online travel sites like Travelocity, hotels, and your credit card company. Those are things where, even if you were as meticulous as possible, you couldn't narrow it down to the one transaction that leaked your data.
posted by rednikki at 6:58 AM on June 27, 2021

(5 credit cards is a different story, that looks suspicious)

5 credit cards does not "look suspicious". Lots of us who play the high credit score game have ten or more. As for the original poster's inquiry about whether anyone uses cards in specific contexts, the answer is, heck yeah.

We stopped spending cash by default many years ago, and while we both still carry cash for when it is needed, we try to put everything on credit cards (specifically, not debit cards). Credit cards come with very generous protections against fraud, and may offer extended warranties and other benefits, along with kickbacks in the form of dividends or rewards.

Having a card that is used in a small number of contexts is very helpful. We have an AmEx card that issues 5% rewards on gas and groceries, and is only used in those contexts, which definitely includes the risk of being skimmed. We have a card that we use primarily for Costco (because it's a Visa), another card for IHG (Holiday Inn) hotels, another card used for recurring payments, another card for Amazon, another for Uber, etc. We also have a "main" card used for most everyday transactions, a Citi DoubleCash card that pays 2% back, which we usually try to ApplePay or contactless pay if we can, and another Citi card that is never used for anything, and is effectively a standby card in case anything gets breached.

This is nontrivial, and there are both upsides and downsides. The upsides are that most of our payments have some sort of kickback or reward, and that if a card is rejected for any reason, we have diversity of card types (MC/V/AmEx), issuing banks (Chase/Citi/etc), and cannot easily be locked out of accessing credit lines. When I'm travelling, I typically split up cards between me, the luggage, the car, etc., so that if anything were to happen, a mugger or a burglar is less likely to get all my stuff. However, it becomes slightly challenging to track all of this, so if you don't have financial management software like Quicken, or you like to rely on e-statements and don't track your transactions yourself, it becomes somewhat easier to lose sight of what is going on. We are very strict about managing all our pennies, so we enter all transactions manually and then reconcile them to the paper statements that we insist banks send us. Cards are paid off entirely once or twice a month, depending. This avoids bank charges of any kind, and since all the cards pay rewards or dividends or some other benefit, the banks end up actually paying us a little bit.
posted by jgreco at 7:05 AM on June 27, 2021 [11 favorites]

Lots of good advice above. I just want to add one thing. If all of the fraud you have experienced is unauthorized charges (like the most recent one you describe), this may not apply. But I have quite a few cards, and I have noticed that some issuers seem either more prone to or (more likely) more paranoid about mass compromises. What I mean is that I have certain cards which pretty regularly get (or got, before I stopped using them because of this) shut down when the issuer told me it had been involved in a mass compromise, but no unauthorized charges ever appeared on my card. Miraculously this completely stopped when I switched cards, despite using the new card in exactly the same places and ways. I think that particular bank just had an itchy trigger finger about shutting down cards.
posted by primethyme at 7:07 AM on June 27, 2021 [1 favorite]

Adding the sentiment that having 5+ cards isn't a problem if they are paid off monthly. With this kind of annoyance, you really do need more than one card so you're not inconvenienced when one is shut off. See this question for an example of a situation where having two cards instead of one would make a compromised card much easier to deal with.
posted by soelo at 7:29 AM on June 27, 2021 [1 favorite]

Some of us also use personal credit cards for business expenses we later reimburse or deduct. In that circumstance having a completely separate card you use for each business setting you work in (some of us also have more than one) is just good financial hygiene.

I too use one card for online purchases, one for subscriptions, and one for around town everyday stuff like gas. And one for every purchase I make that’s reimbursable by my employer, regardless of setting.

I’m not going to go inside a gas station every time I buy gas to avoid a risk of being skimmed, by the way. It’s never once happened to me, or anyone I know, you are indemnified if you report it, and paying at the pump and flying is one of the great innovations of our decadent times. You ever stand in line behind someone buying lottery tickets?

Credit card fraud and identity theft are just the risks and costs of doing business now. You can take every reasonable precaution and still get screwed, but you should anyway within reason. At a point where taking precautions means significant inconvenience for you, amortize the inconvenience of dealing with fraud.

It’s their business model. I just work here.
posted by spitbull at 7:46 AM on June 27, 2021 [1 favorite]

1. Never let someone take your card away for swiping
2. Use Apple Pay or equivalent as much as possible
3. Update any cards which don't have a chip
4. Use the chip rather than swiping a card
5. Pay cash instead of using a card when possible
6. Use only gas stations that accept Apple Pay or equivalent
7. Use for online and recurring charges
posted by conrad53 at 7:57 AM on June 27, 2021 [3 favorites]

Capturing data from physical cards does happen. But, there's a better chance that someone's database was badly designed and got hacked. If so, it doesn't matter what you do or whether the card use was physical or online. Have a backup card. Don't use a debit card with access to damaging amounts of bank account money.
posted by eotvos at 8:11 AM on June 27, 2021 [4 favorites]

they need to be that high in order to keep the credit card business profitable in the face of the insane amounts it's constantly leaking by quietly paying for credit card fraud.

Credit card companies don’t generally cover the cost of fraud, merchants do.

Your experience doesn’t seem too far out of the norm. A backup card (or more) isn’t a bad idea to avoid the hassle of being without a card when one is being replaced.
posted by jimw at 11:38 AM on June 27, 2021

I suspect banks vary by how vigilant they are. I have a Chase card and a Discover card, have had no fraud. I have made large and/or out-of-state purchases, and gotten a call to verify that the charges were valid.

I have a temp job for a retailer that takes credit cards. This retailer uses several methods to screen for card fraud, and has a lower % taken in return. We also don't collect the CSV number, because we use other forms of security, which are not publicized even to staff.

It's my understanding that merchants pay 2 - 5% of purchases to cover 'costs' which include fraud (and profit). Vendors should verify your name as it appears on the card, your phone # and address. If someone has all that, the card #, exp. date, and CSV, they can usually make purchases shipped to your address.

In some countries, credit cards and ATMs use 'chip & pin' - a one-time-use PIN is texted to you to verify the transaction. US credit card companies and banks elected not to implement this, because they assume Americans couldn't/wouldn't cope. The very high costs of credit card fraud are reflected in high interest rates and costs to vendors. Credit cards are still wildly profitable.
posted by theora55 at 12:47 PM on June 27, 2021

We were able to cut down on a lot of the fraud issues with our card by switching to the gas station's app rather than using the card at the point of sale.
posted by tafetta, darling! at 1:11 PM on June 27, 2021 [1 favorite]

FWIW, I'm in the UK and the one time I've had credit card fraud is on a card I use only when I visit the USA (because the card issuer doesn't charge fees for overseas purchases) and where it's only been used by me for in-person (i.e. not online) purchases. The fraud was a few months after I last used the card, which I thought was odd, but as it was during the first pandemic lockdown my bank picked it up immediately as they thought it was unlikely I was spending money in Brooklyn when I was meant to be locked down in the UK.

Most of the places I used the card were chain stores where I had to input the PIN, but a few times in restaurants or smaller stores it was just the swipe and a signature, which is how most card fraud is done.
posted by essexjan at 1:12 PM on June 27, 2021

In my former place of employment, I used a company credit card to constantly make travel purchases for staff. We're talking around $25,000 per month. The company credit card kept getting hacked, and so I'd have to order a replacement card on a regular basis, which drove me crazy. The company I worked for decided to change banks, which also meant the company credit card provider would be changed to the new bank. After that, I experienced no more credit card hacking. Moral of the story is: You might consider changing your credit card provider to see if that helps.
posted by SageTrail at 1:16 PM on June 27, 2021

Response by poster: Thanks everyone. I feel better that this is normal and expected.

It's actually extremely rare for the card to ever leave my hand when paying and it never leaves my sight. Restaurants have EFTPOS terminals at the front counter here, nobody takes your card away.
posted by kinddieserzeit at 3:48 PM on June 27, 2021

It's my understanding that merchants pay 2 - 5% of purchases to cover 'costs' which include fraud (and profit).

These processing and interchange fees (and swipe fees, etc) also cover your rewards points and promotional kickbacks. When you dispute a charge (or the card issuer decides it was fraudulent), the merchant is charged a chargeback fee ($15 and up), the money for the purchase is clawed back, and the merchant is given a chance to prove the charge was not fraudulent, which is often impossible.

I’d love to see evidence proving otherwise, but my experience as a retailer is that the banks and other processing middlemen are extremely good at pushing the actual cost of fraud on to merchants.

It’s not a dissimilar situation to cash, really, since there is nobody that makes the merchant whole if we happen to take in a counterfeit bill.

So if the chip in your card goes bad and you want to swipe it instead (or worse, just type in the number) or if you need to pay with a credit card that your boss sent you to the store with a picture of, don’t be surprised if the merchant is not at all excited or refuses.
posted by jimw at 4:48 PM on June 27, 2021

Gas stations are usually the easiest place for a skimmer. I love the Exxon Mobil app and luckily there are Exxons convenient to me. I open the app when I pull up and activate the pump from the app (I use Apple Pay though I believe they take cards directly in the app as well as probably Android Pay), pump gas, then leave. I'm sure others have similar things in their apps but my husband was picky about gas so Exxon is the one I use.

Yes of course Exxon could just be hacked, but so can any online merchant, so that doesn't feel like my risk is increased the same way a gas pump increases it. Plus during covid, one less thing to touch.
posted by magnetsphere at 7:07 AM on June 28, 2021

Best answer: I have a suggestion to mitigate the pain of a compromised credit card. Presumably you have your CC number on file with various monthly subscriptions (e.g. Netflix), and you have to update each of those services every time a new card is issued to you. What I've done is use one credit card ONLY for those subscription services, and another card for general retail use (swiping etc.). In about a decade of doing this my "subscription" card has NEVER been compromised, and my "retail" card has been compromised multiple times.

A neat fringe benefit of this method is that you can see how much you are spending on monthly subscriptions. That credit card bill has them totaled every month.

The credit card companies lose money every time a compromise happens (at the very least they have the hassle of notifying you and issuing a new card) so I'm sure they are doing everything they can to hunt the offenders down. But by separating the cards as above, you reduce the personal hassle for yourself.
posted by intermod at 9:41 AM on June 28, 2021
