By Paul W. Pocalyko, CPA, CFF, CFE
With the summer season upon us, many people are about to embark on their much anticipated travel plans. Some of these happy vacationers will enter the trifecta of credit card number theft locations: airports, restaurants, and hotels. Vacations are supposed to be a joyful time, so you don’t want to be a victim of fraud. There are actions you can take to minimize threats to your financial wellbeing.
Let’s start with a basic planning strategy. As a teenager, when I left home my parents wanted to know where I was going and when I planned to return. If you are traveling, particularly abroad, do the same with your credit card. Call the issuing company to let it know your plans. If you do not do this, you could be in a remote location trying to check into a hotel and the credit card transaction may be denied. The algorithms used by the card issuers may suspect fraud and deny use because the attempted purchase is outside the normal cycle of historical purchases and your typical geographic location.
Once you notify your credit card company, you still have a little more work to do (see the list at the end of this blog). These efforts may be time consuming, but I can assure you that if your credit card information is taken the strategies below will help you mitigate potential harm.
If you think that because you have one of the newly developed chipped cards there is nothing to worry about, you would be very wrong. Credit card numbers, the expiration date, and the card verification value (CVV) are still valuable commodities to thieves participating in card not present (CNP) fraud. According to a 2017 report by the US Payments Forum, the increased security of chip cards has forced criminals to shift the focus of their activities to CNP transactions.1 The Payments Forum report projects that security chip implementation will more than double CNP fraud in the United States from $3.1 billion in 2015 to $6.4 billion in 2018.
Any time your credit card is not in your physical possession, theft is a potentiality. Consider your last vacation. How many times did you hand your credit card to an employee at a restaurant, a front desk clerk at a hotel, or a cashier within a retailer in an airport?2 Each interaction is a theft opportunity. Invariably, many hotels, restaurants, and airports also have free Wi-Fi. This is a convenience for you, but it also provides gateways to hackers attempting to obtain credit card transaction data and other personally identifying information (PII) of the patrons. In addition, many employees of these venues behind the public-facing personnel have access to digital data and PII.
Here is a hypothetical story that illustrates a criminal collection of credit card data and the PII of hotel guests and patrons.3 It starts with check-in. The hotel will likely gather the following:
Now, that information provided at the time of your stay can be collected either through physical theft (employee) or digital theft (direct computer access or hacking) and transmitted to some enterprising villain. This thief can make a few online CNP purchases before the credit card is shut off due to the algorithms picking up on unusual activity. Or an enterprising thief can use the data obtained to get access to your email account, banking data, and phone records in order to score an even bigger prize.
Here is what our thief knows: Many internet service providers (ISPs) that offer personal email will reset a customer’s email password using strong customer authentication (SCA) protocols over the phone or via online portals.4 The ISP wants to make sure the person requesting the reset has knowledge of discrete information to do the reset: sometimes the credit card used to pay the bill and your street address are the only two factors required.5 The thieves determine what specific SCA information is required from what provider, and they exchange these protocols in dark web internet forums.
So, while you are on vacation, the thief gets into your private email, and then attempts are made on bank and investment accounts. The thief may ask that a password reset be sent to your email, which the thief now controls. The thief then gets into your bank account, links it to the thief’s online account, and transfers money. The thief could also use built-up hotel points to order merchandise and ship it to unrelated intermediaries, or go into your online wireless phone account, order new cellular smart phones, and ship them to more unrelated intermediaries.6
A thief can conduct an amazing amount of fraud based on the treasure trove of data in your email accounts: bank information, investment information, cell phone provider, and vendors you regularly make purchases from.
Here are 10 things you can do to help protect your credit cards, your other financial accounts, and your PII:
There is no absolute way to fully protect your credit card numbers, financial accounts, and PII. But by using these steps you can greatly reduce your exposure and the harm that can happen if your information is disclosed inappropriately. Enjoy your time off, but be proactive about your financial security.
1 https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php and http://www.uspaymentsforum.org/cnp-fraud-around-the-world/
2 Many modern U.S. airports are implementing check-out kiosks that keep your credit card in your possession. While this can reduce physical theft, it is still possible that data can be compromised via hacking.
3 Note: Many hotels have rigorous security protocols and perform extensive background checks on employees. However, there is no uniformity in the hospitality industry, nor do the same security expectations apply throughout the world.
4 Typically, wireless phone providers, banks, and other service providers have established SCA protocols.
5 Discrete SCA information includes items such as the last four digits of the social security number, your mother’s maiden name, prior residence locations, and other out-of-the-wallet questions. Email and wireless phone companies are typically less stringent than banks or investment companies.
6 Thieves tend to use unrelated intermediaries to facilitate these crimes so there is no ability to trace the activity to the thief’s actual location. Duped intermediaries are paid small amounts to reship the stolen merchandise.
Paul W. Pocalyko, CPA, CFF, CFE, is with HKA in Philadelphia. He can be reached at ppocalyko@comcast.net.