Originally Posted by markem
I'm gonna drop some info here because it is convenient, not because I'm bashing anyone. I've been involved in information security since time immemorial (at least it seems that way). I used to teach graduate information security and some of my former students are in very secret places as well as very critical places for protecting the financial health of (at least) our country. I speak with them often about the state of affairs.
Credit card theft (it's not identity theft) has been going on for years and years. It is one of the reasons that the credit card companies are required by law to limit your personal liability in case of provable compromise. In the old, old days, they sort of needed to somehow get hold of your card, but not anymore - technology is your friend, you will recall.
Credit card companies calculate the costs to see if better security is worth it for their customers. Customers rarely demand better security because of a lack of personal liability and because it often makes using the card harder (e.g., no online/telephone transactions).
The universal use of the CCV (or similar, the code on the back of the card) has largely rendered this supposed security feature useless. The code is fairly easy to calculate from the card number and some other information, but it is easier to just plain steal.
People think of the vendor being at fault when charges appear on their cards. This is rare. A legit vendor wants your repeat business and can't really gain by fraud since the CC company will refuse the charges. The vendor is hurt at least as much as (if not more than) the card holder.
The card processing companies have become huge targets as have the CC issuers themselves. One of the nasty little secrets is that almost no company encrypts their backup tapes and any company of any size stores them offsite in a so-called "secure facility". Some of the largest thefts of the past 5 years have been of backup tapes going to/from secure locations.
There has been a lot of talk about devices placed on ATMs, CC swipe readers, etc. to steal card info. These work pretty well, but only manage to get a small number of cards. But since people swipe their cards frequently, they get a bunch of press.
The short of it is that a legit vendor will likely never bilk you via CC (prices, now, well, that's a different story). An unscrupulous employee might, but not the vendor. The systems that they use to process your online transactions are almost never owned by the vendor, but a hosting company that works with the processing company. The processing company is the big fish here.
If you are in the US, you really can't lose if your CC is compromised except that you may have to go without for a few days while they send you another. Cards tied to bank accounts are a different matter - not a good idea at all. The onus is on the issuer and the issuer puts great pressure on the processing company. Processing companies often handle millions of transactions a day, so your little cigar vendor is a small fish in a very lucrative pond.
All this is to say that casting aspersions at the vendor is largely misplaced. You wanted something they had, you chose to use your CC online where it can be stolen easily, you (at least in the US) are almost immune to any losses, but somehow you want your pound of flesh. Not really a sane thing to do, in my opinion.
Yes, my CC has been compromised. I was issued a new one, all fraudulent charges reversed and I went about my merry way. For me, it was 2 emails and three days, but I have a very tech-savvy bank.
Finally, a word about ATM cards. Keep very little money in the account tied to the ATM card - just a couple hundred or so. This way, you can get emergency cash if you need it but also limit your inconvenience in case someone steals that card information. The ATM card offers substantially fewer protections in case of compromise, btw.