There\u2019s no question that credit cards were one of the great financial inventions of the modern era. They\u2019ve made it possible for just about any retailer to offer cashless purchases, and they\u2019ve also helped millions of ordinary people with minimal savings to ride out emergencies that might otherwise have been crushing. <\/p>\n\n\n\n
Of course, credit cards have a downside as well. The most obvious is that they\u2019ve made it far too easy to become financially overextended, a lesson most of us learn in early adulthood. Another risk is that if your credit card information is leaked, criminals could use it to run up a huge tab under your name. Let\u2019s look at how credit card data is leaked, and how you can recognize when it happens. <\/p>\n\n\n\n
Credit cards are just as useful to criminals as they are to anyone else. Stolen cards can be used for any number of purposes: making purchases that criminals don\u2019t want connected with their real name; making purchases to be resold; taking cash advances; using them for rentals or security deposits; or even just harvesting and then selling them at a profit without actively exploiting them. <\/p>\n\n\n\n
The last of those is especially dangerous, because it affects people in large numbers.\u00a0 Small-time criminals might scam only one victim at a time, but those who treat credit card information as a product for resale often aim to capture them in bulk.\u00a0 They\u2019ll often target major retailers<\/a> or financial institutions<\/a>, for the simple reason that those businesses have plenty of credit card data.\u00a0<\/p>\n\n\n\n Sometimes those come in the form of a data breach, where hackers actively exploit weaknesses in a company\u2019s security either at the software level<\/a> or by skillful phishing campaigns.\u00a0 Sometimes companies inadvertently expose data themselves<\/a> through misconfigurations or bad security practices, which can be considered a leak rather than a breach.\u00a0 According to the Identity Theft Resource Center<\/a>, more of these security lapses occurred in the first three quarters of 2021 than in all of 2020 combined.\u00a0<\/p>\n\n\n\n Stolen credit card information can be used in a couple of different ways.\u00a0 One way is online purchases, referred to in the trade as \u201ccard not present\u201d transactions.\u00a0 The other way is \u201ccard present\u201d transactions, where the scammer presents a cloned physical card in a brick-and-mortar retail store (or some other real-world setting).\u00a0<\/p>\n\n\n\n It\u2019s harder for criminals to get enough data to clone a physical card.\u00a0 Those typically come in situations where a point-of-sale system is infiltrated, either by an outside hacker \u2014 or an inside accomplice \u2014 installing malware, or through the use of a hardware-based skimming device<\/a>.\u00a0 The data is then batch-retrieved in a \u201cdump\u201d of credit card information<\/a> from the infected system or the physical device (software-driven attacks can steal credit card numbers in much higher volumes, of course).\u00a0<\/p>\n\n\n\n Historically, information that could help create a physical card commanded a higher price in underworld marketplaces.\u00a0 Today, with the rise of online shopping turbocharged by the pandemic, a card number with its CVV (that three-digit code from the back) is worth almost as much: Current figures at the time of writing<\/a> show cloned cards selling for $25 to $35, while a U.S. credit card with CVV fetches $17.\u00a0 When those same cards include details full of personal information and a healthy credit limit, the price can rise to $240 or more.\u00a0<\/p>\n\n\n\n Ideally, you\u2019d be notified quickly when your credit card information is leaked, but it doesn\u2019t always happen immediately. Companies may need some time to assess the breach and determine who is affected, and what information has been stolen. They may also need time to correct the vulnerability the hackers exploited. <\/p>\n\n\n\n Less creditably (no pun intended), companies may defer disclosure because they simply don\u2019t know yet that the breach has happened.\u00a0 Many long-standing vulnerabilities are still actively exploited<\/a>, years after they were recognized and patches for those vulnerabilities were issued.<\/p>\n\n\n\n The hard truth is that many companies don\u2019t have world-class IT talent in their ranks, especially among small- and medium-sized businesses<\/a> and smaller financial institutions<\/a>.\u00a0 That makes them attractive to hackers: They\u2019re not capable of coping with a sophisticated attack, but have enough data or other resources to be worth the effort of mounting an attack.<\/p>\n\n\n\n By all means, if your financial institution or credit card provider offers security alerts, take advantage of them. Just don\u2019t count on them to be your only protection from a data breach or other attack.<\/p>\n\n\n\n Your first line of defense, now and always, is simply paying attention to your accounts. Scrutinizing your monthly statements for \u201cmystery transactions\u201d is a good start, or better yet, setting a specific day of the week to check all of your accounts. You should also check your credit report regularly: You can pull a free one from each of the main credit reporting agencies every year, so if you stagger them that\u2019s one every four months. <\/p>\n\n\n\n The most proactive step you can take is subscribing to Spokeo Protect<\/a>, our identity theft protection service.\u00a0 \u201cDark web<\/a>\u201d monitoring is one of its included features: We constantly check the shady internet black markets where personal information is bought and sold, and if your credit card numbers \u2014 or bank accounts, or SSN, or passport number, among other things \u2014 show up for sale, we\u2019ll let you know.\u00a0 That gives you the opportunity to act before<\/em> scammers can exploit your credit and good name.\u00a0<\/p>\n\n\n\n However you learn that your card has been leaked, the steps you\u2019ll take to mitigate the damage are always pretty similar.\u00a0 First, report the incident on the FTC\u2019s IdentityTheft.org<\/a> website.\u00a0 The site walks you through the process of creating a personalized recovery plan, essentially a checklist of everything else you need to do.\u00a0<\/p>\n\n\n\n Those steps may include the following: <\/p>\n\n\n\n You might need to take additional steps if the criminals have used your identity for other purposes, such as tax fraud or medical fraud<\/a>, but this is at least a starting point.\u00a0<\/p>\n\n\n\n You can also reduce the likelihood of losing your credit card information in a breach by simply having fewer active cards. Your lesser-used cards represent a potential danger, because you won\u2019t necessarily notice if a scammer runs up a tab. If you stick to just a few cards with specific purposes \u2014 one for gas, one for groceries, one for emergencies \u2014 it\u2019s easier to spot bogus transactions when they happen (\u201cWhy did a jewelry store bill my grocery card?\u201d). <\/p>\n\n\n\n It\u2019s also helpful to have a separate card, ideally a prepaid card, for purchases at online retailers (especially ones you haven\u2019t dealt with previously). Remember, smaller merchants are a popular target for hackers: If the card number they steal is for a prepaid card, that automatically limits your exposure. <\/p>\n\n\n\n Every time you use one of your cards it\u2019s a risk, but realistically that risk is acceptably low.\u00a0 If you limit the number of cards you use, take full advantage of security alerts from your provider (and Spokeo), and keep a close eye on your accounts, there\u2019s no reason you shouldn\u2019t be able to use your cards with confidence.\u00a0<\/p>\n\n\n\n <\/p>\n\n\n\n Sources<\/p>\n\n\n\n The Verge: PSA: Neiman Marcus Still Exists and It Was Hacked<\/a><\/p>\n\n\n\n The Hill: Financial Firms Facing Serious Hacking Threat in COVID-19 Era<\/a><\/p>\n\n\n\n VentureBeat: Next-gen Software Supply Chain Attacks Up 650% in 2021<\/a><\/p>\n\n\n\n SiliconAngle: Report Finds Companies Continue to Expose Data Through Misconfigured Cloud Storage<\/a><\/p>\n\n\n\n Identity Theft Resource Center: Notified<\/a><\/p>\n\n\n\n Krebs on Security: Data: E-Retail Hacks More Lucrative Than Ever<\/a><\/p>\n\n\n\n Privacy Affairs: Dark Web Price Index 2021<\/a><\/p>\n\n\n\n Ars Technica: Feds List the Top 30 Most Exploited Vulnerabilities. Many Are Years Old.<\/a><\/p>\n\n\n\n Inc.: 6 Things Every Small Business Needs to Know About Ransomware Attacks<\/a><\/p>\n\n\n\n Georgia Bankers Association: Never Too Small to Target<\/a><\/p>\n\n\n\n\u201cCard Present\u201d vs. \u201cCard Not Present\u201d<\/h2>\n\n\n\n
You May Not Find Out Immediately<\/h2>\n\n\n\n
Knowing When Your Card Has Been Compromised<\/h2>\n\n\n\n
Minimizing the Damage from a Leaked Credit Card<\/h2>\n\n\n\n
\n
A Couple of Extra Pointers<\/h2>\n\n\n\n