By Paul W. Pocalyko, CPA, CFF, CFE

With the summer season upon us, many people are about to embark on their much anticipated travel plans. Some of these happy vacationers will enter the trifecta of credit card number theft locations: airports, restaurants, and hotels. Vacations are supposed to be a joyful time, so you don’t want to be a victim of fraud. There are actions you can take to minimize threats to your financial wellbeing.

Let’s start with a basic planning strategy. As a teenager, when I left home my parents wanted to know where I was going and when I planned to return. If you are traveling, particularly abroad, do the same with your credit card. Call the issuing company to let it know your plans. If you do not do this, you could be in a remote location trying to check into a hotel and the credit card transaction may be denied. The algorithms used by the card issuers may suspect fraud and deny use because the attempted purchase is outside the normal cycle of historical purchases and your typical geographic location.

Once you notify your credit card company, you still have a little more work to do (see the list at end of this blog). These efforts may be time consuming, but I can assure you that if your credit card information is taken the strategies below will help you mitigate potential harm.

If you think that because you have one of the newly developed chipped cards there is nothing to worry about, you would be very wrong. Credit card numbers, the expiration date, and the card verification value (CVV) are still valuable commodities to thieves participating card not present (CNP) fraud. A 2017 report by the US Payments Forum, the increased security of chip cards has forced criminals to shift the focus of their activities to CNP transactions.¹ The Payments Forum report predicts that the security chip implementation is projected to more than double CNP fraud in the United States from $3.1 billion in 2015 to $6.4 billion in 2018.

Any time your credit card is not in your physical possession, theft is a potentiality. Consider your last vacation. How many times did you hand your credit card to an employee at a restaurant, a front desk clerk at a hotel, or a cashier within a retailer in an airport?² Each interaction is a theft opportunity. Invariably, many hotels, restaurants, and airports also have free Wi-Fi. This is a convenience for you, but it also provides gateways to hackers attempting to obtain credit card transaction data and other personally identifying information (PII) of the patrons. In addition, many employees of these venues behind the public-facing personnel have access to digital data and PII.

Here is a hypothetical story that illustrates a criminal collection of credit card data and the PII of hotel guests and patrons.³ It starts with check-in. The hotel will likely gather the following:

• Your credit card information
• Your name and address
• Your email
• Your phone numbers
• Your passport number if traveling abroad
• Your hotel’s brand-specific identification number if a frequent guest

Now, that information provided at the time of your stay can be collected either through physical theft (employee) or digital theft (direct computer access or hacking) and transmitted to some enterprising villain. This thief can make a few online CNP purchases before the credit card is shut off due to the algorithms picking up on unusual activity. Or an enterprising thief can use the data obtained to get access to your email account, banking data, and phone records in order to score an even bigger prize.

Here is what our thief knows: Many internet service providers (ISPs) that offer personal email will reset a customer’s email password using strong customer authentication (SCA) protocols over the phone or via online portals.⁴ The ISP wants to make sure the person requesting the reset has knowledge of discrete information to do the reset: sometimes it’s the credit card used to pay the bill and your street address are the only two factors required.⁵ The thieves determine what specific SCA information is required from what provider, and they exchange these protocols in dark web internet forums.

So, while you are on vacation, the thief gets into your private email, and then attempts are made on bank and investment accounts. The thief may ask that a password reset be sent to your email, which the thief now controls. The thief then gets into your bank account, links it to the thief’s online account, and transfers money. The thief could also use built up hotel points to order merchandise and ship it to unrelated intermediaries, or go into your online wireless phone account, order new cellular smart phones, and ship them to more unrelated intermediaries.⁶

A thief can conduct an amazing amount of fraud based on the treasure trove of data in your email accounts: bank information, investment information, cell phone provider, and vendors you regularly make purchases from.

Here are 10 things you can do to help protect your credit cards, your other financial accounts, and your PII:

1. Call your card companies to inform them of your travel plans. If your credit card number is stolen and a CNP purchase is attempted while you are away, there is a good chance an algorithm will pick up that the attempted transaction is not within your buying pattern and that is not shipping to your home location.
2. Maintain a secure list of credit card numbers, CVVs and expiration dates, and all passwords for accounts. Use varied passwords for log in on any internet activity. Place those within a safe deposit box or a safe.
3. In the event you learn that your credit card number may be compromised, report it immediately. When you do get a new card, change all recurring billings to the new card. Cell phone and internet services are typical recurring monthly charges.
4. If possible and practical, use cash for small purchases and food while traveling, use cash at airports for transactions that would require the credit card leaving your possession.
5. Make sure you have online access to your credit card accounts and check them frequently (daily when traveling).
6. Call your email and ISP to see if they will establish a PIN or other secondary form of identification for account changes. Do not rely on the default SCA data they have on file.
7. Call your banks and investment companies to find out what other forms of secondary authentication they can provide, such as PINs, unique identifying questions, unique picture identification, or word codes and voice verification.
8. Use your business address for travel, not the address on your credit card statements. At hotel check in, register with a secondary email address. Do not use the one that may be linked to financial data.
9. Set up automatic notices from your bank and credit card companies for all purchases of a set dollar limit, such as $250 or $500. Many will send a text message or email notification. If you did not make the purchase, you will know immediately.
10. Maintain multiple email accounts: separate accounts for financially related activity and for contact purposes. On at least a weekly basis, if not more frequently, delete old emails. If they must be retained, save them on media that is not accessible on your home network.

There is no absolute way to fully protect your credit card numbers, financial accounts, and PII. But by using these steps you can greatly reduce your exposure and the harm that can happen if your information is disclosed inappropriately. Enjoy your time off, but be proactive about your financial security.

¹ https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php and http://www.uspaymentsforum.org/cnp-fraud-around-the-world/
² Many modern U.S. airports are implementing check-out kiosks that keep your credit card in your possession. While this can reduce physical theft, it is still possible that data can be compromised via hacking.
³ Note: Many hotels have rigorous security protocols and perform extensive background checks on employees. However, there is no uniformity in the hospitality industry, nor do the same security expectations apply throughout the world.
⁴ Typically, wireless phone providers, banks, and other service providers have established SCA protocols.
⁵ Discrete SCA information includes items such as the last four digits of the social security number, your mother’s maiden name, prior residence locations, and other out-of-the-wallet questions. Email and wireless phone companies are typically less stringent than banks or investment companies.
⁶ Thieves tend to use unrelated intermediaries to facilitate these crime so there is no ability to trace the activity to the thief’s actual location. Duped intermediaries are paid small amounts to reship the stolen merchandise.

Paul W. Pocalyko, CPA, CFF, CFE, is with HKA in Philadelphia. He can be reached at ppocalyko@comcast.net.