'Tis the season for card data theft — more than ever
The holiday shopping season has begun, and so have the scams and identity theft schemes aimed at ruining your holiday cheer.
Oct. 1 was the deadline for retailers and the companies that issue credit cards to switch over to using the new EMV credit cards. The cards contain a computer chip that creates and encrypts a new number every time the card is used, which will dramatically reduce the amount of credit card fraud.
However, most Americans still have not received new EMV chip cards from their credit card companies. And many retailers, both large and small, have not switched over to the new processing equipment necessary to handle the new EMV chip cards.
So, most people are still using their old-style magnetic strip credit cards, which are susceptible to being hacked by sophisticated identity thieves — as so many learned when data from 40 million debit and credit cards was stolen by hackers who gained access to the credit card processing equipment of Target two years ago.
Hackers and identity thieves are well aware that this may be their last holiday shopping season before the new EMV chip cards are more widely used, thereby making stealing credit card information much more difficult. You should expect that many of the stores where you are shopping have already been hacked, and they merely haven't discovered it yet. Generally, it takes months or even as long as a year before many hacked companies realize that they have been hacked. It should be noted that some stores, such as Walmart and Target, have switched over to the new EMV chip cards.
So what can you do to protect yourself while shopping in a brick-and-mortar store?
The first thing you should do is retire your debit card from use in shopping. Credit cards provide significantly better protection from fraud. If your credit card number is stolen and fraudulent purchases are made, your liability is limited by law to no more than $50, and most card issuers don't hold you responsible for any fraudulent charges if you promptly report the fraud.
However, if your debit card information is stolen, your liability jumps to $500 if you do not report the fraudulent use within two business days after learning of the breach. And if you are not regularly monitoring your bank statements and fail to notice and report the fraudulent use for more than 60 days after receiving your bank statement indicating fraudulent purchases, your liability is totally without limit. You can lose the entire bank account tied to your debit card. And even if you do report the fraudulent use of your debit card immediately, your bank account will be frozen and you will lose access to your own bank account while the bank investigates the matter, which can be a tremendous inconvenience, particularly if you have bills automatically paid from your account.
But what about people who use their debit card as a credit card at the register when paying for purchases?
When you present your debit card to the cashier at a store, you are asked if you want to use it as a debit card or credit card, which leads many people to think that if they use it as a credit card, they are receiving the legal protections that apply when you use a credit card.
These people could not be more wrong. Regardless of whether your debit card transaction is processed as a debit purchase with a PIN or as a credit card transaction without a PIN, the purchase is still processed as a debit card purchase with the funds being immediately withdrawn from your bank account.
Frankly, the only difference to the consumer is the fee associated with the use of the card. Some banks charge you a transaction fee if you use your debit card as a debit card with a PIN for purchases, but charge the retailer a fee when the card is used as a "credit card" purchase.
But it is not just hackers located physically far away who may be after your credit card information when you shop in a brick-and-mortar store. Rogue employees can take your credit card and before they process it through the store's legitimate card processing equipment, run it through a small device called a skimmer that captures the data from your old-style magnetic strip credit card and uses that information to make purchases using your credit card. It is for this reason that even after you have handed your credit card to the salesperson, you should watch it carefully to make sure that it does not get skimmed.
So are you safer shopping online?
No, not really. As a matter of fact, even if you have a new EMV chip credit card, the chip cannot be used for online purchases, so you use your regular credit card number. That makes you susceptible to credit card fraud if either the online store you are using gets hacked or your computer or other electronic device you may be using gets hacked, such as when you make purchases using unsecure public Wi-Fi.
In addition, whenever you are sending any sensitive personal information over the Internet, such as your credit card number, make sure that the URL for the company starts with "https" rather than merely "http." The extra "s" means that your communication is being encrypted and therefore more secure.
I will have more thoughts for you about safe holiday shopping online in my next column.
Steve Weisman is a lawyer, a professor at Bentley University and one of the country's leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.