Fortunately, the call was legitimate. Sadly, my number had been stolen even though the card was still in my possession. This was the third time in 2016 this had happened: once each with Chase (Visa), American Express, and Comenity (Visa).
What am I doing wrong? Probably nothing. But more tools may help me be even safer, and I’m considering changing how I shop online.
I remember when it wasn’t cool to pay online
I don’t recall ever losing a physical credit card, and have never had one taken from me. Rather, every problem I’ve ever had has related to the number being stolen, sometimes for a card that I never even used online, say, after a brick-and-mortar retailer had a breach. Lately, it’s all been related to online card breaches, though I can’t connect the thefts to specific announcements.
Credit-card companies care deeply about fraud, because U.S. regulation leaves them entirely in the lurch in most cases. The FTC’s consumer credit-card fraud site lists a number of scenarios for theft or loss, and notes bluntly, “If your credit card number is stolen, but not the card, you are not liable for unauthorized use.” (Debit cards have the same rules when used as de facto credit cards, and when only the number has been stolen, but different limits and rules for in-person payments and withdrawals.)
The merchant banks that issue cards can claw back money paid out to the merchant where a card was used, depending on the circumstances. Online stores are at the greatest risk, because it’s easier to impersonate someone and obtain enough personal information for a card transaction to go through.
At retail stores, the calculus has changed from when it was easy to take purloined credit-card information (which had to include the verification number) and forge a card that could be swiped. Since a liability shift in October 2015, stores are completely on the hook for fraud if a card that is issued with a chip for a "dip" transaction is swiped at a terminal that lacks dipping capability. (Card issuers who haven’t put a chip on their cards yet retain liability if the transaction is otherwise approved and handled correctly.)
I haven’t yet figured out a way to deter my number from being stolen, and these last six months already represent more fraud on my accounts than at least the last four or five years. Lifestyle changes, as doctors like to say about one’s physical health, may have the biggest impact.
All three of the purloined numbers were enrolled in Apple Pay, as are a few other debit and credit cards I have. (This is a good reminder that I should cancel some cards.) With the Chase Visa and American Express, new virtual card numbers arrived in Apple Pay while I was still on the phone with the card issuer. In Comenity’s case, I’m waiting for a card to arrive to scan or tap into Apple Pay.
Based on everything I’ve seen and heard, and all my discussions with security experts and those in the financial industry, it’s effectively impossible that my actual card numbers were stolen due to an Apple Pay flaw. In the worst case, the device-specific number that Apple Pay receives from a bank might be handled badly and exposed, but Apple notes that the bank can prevent such numbers from being used for off-device transactions.
Issuers and networks are getting vastly smarter in identifying fraud. In all three cases this year, only a single charge was processed, for under a dollar. A fraud representative I spoke with when getting my American Express card sorted out said that such charges (in this case to an innocent charity) were carried out to ensure the card remained valid. It was refunded. But nothing else was successful, and no products shipped. That wasn’t true with some card number thefts in years past.
In case your card issuer or bank doesn’t catch the error, I recommend an extra bit of awareness. I install the native app for every card I use, whether or not the card is (or can be) enrolled in Apple Pay, because the apps can use push notifications to let me know about charges. So far, this hasn’t been helpful because the card issuers are on the ball.
Less fraught and less fraud
I wrote recently about testing out Walmart Pay, an option rolled out via its native apps to all the company’s outlets just under two weeks ago, and how despite my misgivings and cynicism, it worked fairly well.
It wouldn’t seem like Walmart Pay could reduce fraud in the same way Apple Pay and Android Pay do, but it does eliminate someone having to fish out and provide a credit card number in person, and that does eliminate vectors related to other people taking a picture of your card in use, dishonest cashiers, point-of-sale skimmers (less common than ATM skimmers), and even dropping a card and having the finder abuse it. If Walmart’s internal database of cards is hacked, you’re at risk, but the same is true if you swiped or dipped a card, too.
I’m looking forward to two changes coming that will help reduce the ease of account number theft.
The first is Apple Pay in Safari, announced at WWDC in June. I’ve been receiving press releases and seeing announcements from many payment processors and site/ecommerce hosts since then touting how they’ll add such support as soon as it’s available.
It’s possible Apple Pay in Safari will be absurdly available compared to in-person Apple Pay at retail stores, because it’s a relatively trivial change for sites that take payment online to make. Sites work with payment processors who handle all the infrastructure for charges already. And in most cases, Apple Pay in Safari will seem effectively identical to the online retailer as the options they have now.
When this becomes available, it’s very likely I’ll stop making purchases at sites that don’t offer it, because the arm’s length nature of paying within Safari using my phone (whether on the desktop or an iPhone) dramatically reduces worrying about a site’s security. (This Safari-only option doesn’t help people without iPhones or Macs, but Android Pay in browsers is on the way, too.)
The second is the above-mentioned chipped cards. While it may be a pain for you now, when the shift is effectively fully implemented, it means fewer places where a stolen number can be converted into a card that can be swiped. Eventually, swiping will be nearly non-existent, partly because, as one analyst told me last year, stores that can’t handle chipped transactions will wind up becoming magnets for fraud and go under.
Fraud will never be eliminated, but I can’t wait until it’s reduced below its current state. I’ve had a number of delightful conversations with the fraud people at credit-card companies, who seem to be crackerjack and amusing, but I’d give up those talks for less wasted time.