With all the news about massive data breaches in the biggest retail chains and the ever-present risk of online fraud, you may be wondering whether or not it is really a good idea to use credit cards at all. Of course it is! After all, it’s much safer than carrying lots of cash in your pockets, and you have no viable alternatives when buying something online – be it a new smartphone app or a car. So, banking cards are good, despite the possibility of security issues. You just have to make sure your “virtual pockets” are not wide open for a thief’s convenience.
Selecting a proper card
There is no one-size-fits-all solution on the banking card market. There is AmEx, MasterCard, Visa, UnionPay, plus many local payment systems. There are credit and debit cards, which differ significantly on some markets. You may want to use two, three or even more cards for various occasions―each one is equipped with its own set of security measures. Credit cards are typically better protected on many levels. Banks utilize stricter security procedures while checking credit card transactions. In many countries, credit card purchases are insured, and fraudulent transactions are never charged to a well-intentioned card owner. Moreover, criminals in some countries simply avoid dealing with credit cards as it poses higher risks of prosecution. However, none of these reasons cover everything, and there are no guarantees, so you can’t just select a credit card and forget every other security measure.
Credit cards are typically protected better, and criminals avoid them often. However, there are no guarantees and you can’t forget every other security measure.
When selecting a payment system, consider the planned usage of the card. There are many “global” systems, but only MasterCard and Visa currently operate in almost every country without major white spots. For Europeans or people frequently travelling to Europe, MasterCard is probably the best option, as some ATMs in Europe accept only MasterCard. Notable exceptions are China (local regulations are strict, and the best option for China is obviously UnionPay) and Olympic cities (during the Olympics, official venues accept only Visa). More importantly, MC and Visa are leading the pack in terms of technology and security. Moreover, they are able to enforce security solutions in whole industries.
While the most important stuff you will be looking into while selecting your card are probably bank rates and offers, consider security measures as well. Check the “security advice” section of a bank’s website. There will be many general tips like “don’t give your card to strangers”, but you can also find a list of available security tools provided by this bank to its customers. Here is the list of useful security tools to watch for.
Card security tools
- Chip card. So-called chip cards (or, more officially, EMV cards) are typical for European banks already, but they are just emerging in the US, Canada and some other regions. In addition to a magnetic stripe, these cards are equipped with a chip, which provides much better security and prevents most attempts to steal card data to clone it (as seen in the Target breach, ATM skimmers and other schemes). Chips cards are still compatible with old (swipe) readers and MasterCard and Visa require these cards to become mandatory from late 2015. Payment systems threaten that they won’t compensate fraudulent charges made using non-EMV cards starting in 2016.
- Chip & PIN. While a chip provides a new, more secure option for a merchant or a bank to read your card, there’s still a need to authenticate a card owner. For older cards, it’s done using a signature, which is often not checked by the seller and generally easy to fake. Another option involves typing your 4-digit PIN code on every purchase, as is currently done on ATMs. It’s as fast as signing a slip but much, much more secure.
- PIN change. Very easy and useful, but still not a standard feature; it allows a customer to change a predefined PIN code to something more memorable. Additionally, in some banks, it allows to avoid re-issuing a card when you forgot your PIN code. Important note―avoid using simple PINs like date of birth or four progressive digits.
- Photo on card. Ultra simple, yet effective measure that prevents a stolen card from being used in major retail―to incorporate a cardholder photo into the card design.
- Instant notification. Typically done via SMS, this easy feature allows you to check instantly if card withdrawals are correct. An SMS with exact transaction description and sum deducted arrives in mere seconds after withdrawal, which helps to spot fraudulent charges, as well as billing mistakes. Early notifications significantly ease the dispute process.
- 3D Secure. This feature improves the security of online transactions. It is often called by its brand names (Verified by Visa, MasterCard SecureCode, J/Secure, AmEx SafeKey, etc.), but the essence is still the same―your bank and payment system verifies each online payment with you. The typical scheme consists of two steps. First, you enter your credit card details on the merchant’s website (or his payment processors’ site), then you’re redirected to the special page of your bank where you confirm the purchase with a special password. For some implementations, it’s just a secondary static password (which is not so secure); for newer ones, it’s a one-time password sent via SMS (which is very secure and prevents phishing). This feature is strongly recommended for any card you plan to use online often.
- Virtual cards. Another measure to counteract online fraud, a virtual card is used strictly for Internet purchases, as it has no physical representation. You can instantly issue it via online banking. It might be a secondary card, tied to your primary one, or a separate card. In the first case, this card is valid for one purchase only, and then it’s blocked. In the second case, the card is managed via online banking to balance between security and convenience. Possible security measures include setting spending limits (daily, monthly, total), re-issuing the card regularly (monthly, weekly or even daily ― as needed), and keeping the card balance at almost zero (you’ll have to manually top-up the card before each purchase).
- NFC. Not exactly a security measure, Near Field Communication (NFC), better known under brand names (MC PayPass, Visa PayWave), is a wireless technology allowing the exchange of information by briefly tapping two devices. An NFC chip is very small, and it might be embedded in the card, in addition to the usual magnetic stripe and EMV chip. To pay with NFC, you have to touch a terminal with your card; it may even work from inside of your wallet. This increases your security, as it’s not required to hand your card to anyone or even show it. Chances to forget or misplace a card are fewer. However, NFC usage in the banking sphere is relatively new and, being a wireless technology (although, ultra-near range of a few centimeters), it may be susceptible to yet unknown exploit schemes. That’s why we suggest the use of NFC-enabled cards only for smaller scale payments, where instant, contactless payments prove to be most useful: public transport, gas stations, fast food, parking lots, etc.
Simple safety rules
So, you have selected your bank and card and, hopefully, added all possible security measures. Using chip-and-pin card plus 3D secure and SMS notification greatly improves your funds’ security while paying both online and offline, but this protection is only effective if you exercise these other simple safety rules:
- Don’t give your card to anyone. While being very obvious, this rule is actually hard to follow in some common scenarios. You may be giving your card to a waiter in a restaurant to be processed somewhere in the back office, or you may lend a card to your significant other or your teenage kid. To avoid possible misuse, insist on keeping your card in sight, e.g. follow a waiter to the cash desk. This is especially important when using your card abroad. To better use credit cards with your family, you may get supplementary credit cards for the kids and spouse.
- Don’t use your card in unsafe places. The biggest threats are street ATMs and ATMs in less-controlled public spaces. There is a possibility of skimming―an attempt to record your card details and PIN code to produce a duplicate. You may also want to limit card usage in very small shops and other places with outdated equipment.
- Never tell your PIN code. No one has the right to ask for it ― no exceptions here. Don’t write your PIN code down. If you fear forgetting it, use a special password manager for your smartphone (see our iOS and Android apps review). When keying in your PIN on an ATM or POS terminal, cover the keypad with another hand. Don’t let anyone stand too close and watch you. If you suspect that a PIN code was somehow stolen, report to your bank immediately.
- Report any trouble. In case of any issues―from lost card to unexpected charges―report to your bank right away. Time is crucial, as fraudsters try to use your stolen card as soon as possible.
- Make sure you pay online safely. In brief, your computer should be malware-free, your network should be secured and the connection must be encrypted. Moreover, you have to make sure that you’re connected to the genuine server of a shop or your bank and not a fake one. These rules are actually hard to implement manually; that’s why there is a simple “packaged” solution which makes these checks automatically. It is called “Safe Money” and ships as a component of Kaspersky Internet Security and Kaspersky PURE.
- Avoid phishing. One very popular criminal tactic involves sending mass mails pretending to be from a big bank (e.g. Barclays), online retailer (e.g. Amazon) or online service provider (e.g. Apple). These emails say that you have to “confirm your account”, “check suspicious withdrawals” or “confirm expensive delivery”, etc. When you click the link, you’ll be taken to the fake website of the bank/retailer/provider, and asked to enter your password or credit card details. To avoid this threat, never click a link in such emails. If you’re concerned about your account safety, open the corresponding web site (e.g. icloud.com or amazon.com) manually, and log in to your account there. Don’t click the link. Just don’t.
If you have extra advice, do not hesitate to leave it in the comments below!
About Serge Malenkovich