The Checkout

Credit-Card Firms Key in Fight Against ID Theft

Credit-card companies do a good job of helping consumers resolve identity-theft problems once they occur. But they could reduce ID fraud even more if they gave consumers better tools to monitor their accounts and limit high-risk transactions, such as large cash advances or foreign transactions. That's the conclusion of a recent study by Javelin Strategy & Research, a research and consulting firm specializing in the financial services industry.

Javelin cites a previous study that found that almost half of all ID theft cases are detected by consumers, one-third of the cases by banks. The rest are through third parties such as police, debt collectors and credit bureaus.

If the consumer is the one who's going to find the problem, "why not empower them," said Rubina Johannes, a Javelin research analyst and author of the latest study. "This doesn't mean businesses are off the hook."

For one thing, Johannes found, too many credit card companies still use people's full Social Security numbers in their interactions with customers, whether by phone, Internet or mail. "This is a risky practice that unnecessarily increases the customer's exposure to identity fraud," the report concluded. At the very least, credit-card companies should only ask for the last four digits of a Social Security number after the initial application process (when it's still needed for credit-report data).

Because a previous Javelin study found that identity theft is greatest through the continued use of paper documents and not the Internet, the company also said credit-card firms should offer consumers greater ability to view statements online and shut off paper statements.

At the same time, it called on banks to offer consumers the flexibility to place restrictions on their account activity, such as limiting cash advances or foreign transactions. "No one knows his spending habit better than the consumer, so if a consumer knows he's never going to do a foreign transaction, why not give him the option of restricting it. You can always change it later," Johannes said.

Banks should also send e-mail alerts when there are high-risk transactions -- such as a card not being present, a foreign transaction or activity on a dormant account -- or requests to make changes in the account (for a new PIN or password, address relocation, addition of an authorized user, etc.).

Right now, only Discover "offers customers the option to be notified should there be a change in authorized users on their account. This notification could be essential in the early detection of account takeover fraud," the report said.

"Everything we're recommending is a choice for the consumer. The customer can choose to do it or not," Johannes said.

Beth Givens, director of Privacy Rights Clearinghouse, a public-interest advocacy group that specializes in ID-theft issues, said the report has some good suggestions, including the curb on the use of Social Security numbers. However, she expressed skepticism about the e-mail notifications of high-risk transactions. "I don't think e-mail notices will be very effective these days; most people would probably ignore them, thinking they were another phishing message or scam." The banks need to figure out a better way to alert consumers, she said.

More important, Givens said, credit-card issuers "shouldn't rely on consumers alone to detect fraud, especially when most consumers only review their accounts once a month. Banks needs to make more use of sophisticated pattern-recognition programs that can detect and halt fraudulent transactions almost immediately."

Any thoughts?

By  |  May 18, 2006; 8:30 AM ET Consumer News
Previous: Credit Card Bills Due Faster Than You Think | Next: A Witty Warning About Wireless


Please email us to report offensive comments.

Question: When a waiter walks off with one's credit card he can observe both the card number and the three-digit ID code on the backside. What additional risk is associated with his knowing that three-digit code?

Posted by: F. Arntz | May 18, 2006 9:05 AM

I view my accounts every day on-line, just to ward off this kind of issue. I use my credit cards like cash (paying them off every month, of course), so I do have heavy use. I review them every day to make sure that no strange transactions show up. I have found Discover, American Express and Chase to be helpful in this. In fact, several times when I have made large purchases out of my usual spending pattern, a Discover security representative has called me to verify that I have made the purchases. I also call them to let them know I am going overseas if I plan to use a credit card while traveling outside the country. Consumers really do need to take responsibility for monitoring their own accounts -- whether banks and credit card companies should do better is beside the point. It's my card, I am responsible for it, so I think I should make the effort to be organized enough to look after it. I'd rather not depend on someone else to do that for me.

Posted by: Arlington, VA | May 18, 2006 9:10 AM

I agree with Arlington, VA (and do the same). I check my account daily (sometimes twice a day). It's my account and my credit so I'm responsible for the security. Would I leave the security of my house to somebody else?

And as "F. Arntz" says, the biggest risk is when you hand your card to the waiter and he/she disappears. By them being able to write down your card number and 3-digit code, they can use the card online and make it seem like they have the card in hand. That's way online retailers need to ask information not on the card - like address, etc.

Posted by: Non debtor | May 18, 2006 9:14 AM

I know a few e-tailers, that apparently have been burned by fraud before, actually require that you register a shipping address with your credit card company before they'll ship to anything other than your registered billing address.

As for the waiter thing, it has always amazed me that some people who are afraid of internet shopping because of fraud, think nothing of handing a card to a waiter who goes off somewhere to run it.

Posted by: tallbear | May 18, 2006 9:24 AM

Credit card fraud happens whenever someone obtains your credit card account number, and then uses it to make fraudulent purchases. How does this happen?

A dishonest store clerk might make an extra imprint of your card

A thief can get your account number and expiration date from a discarded receipt

Someone pretending to be a telemarketer might ask for your card number with the stated intention of entering you in a contest

A restaurant cashier might swipe your credit card in a small handheld deviceknown as a skimmer, which copies the information on your card including your PIN, in order to make a counterfeit copy of your card. This method is called Skimming

Posted by: Non debtor | May 18, 2006 9:29 AM

I was in Miami over Spring Break, and several times when I bought gas with my card I was prompted for my zip code.

I thought that was better than nothing. Perhaps cards will go to requiring authentication like this all the time.

Posted by: Traveler | May 18, 2006 9:33 AM

Credit card processing companies are reaping huge profits from credit card theft. Processing companies who take a percentage of every transaction-legal or not. In fact, the payment processing companies profit DOUBLE from every fraudulent charge. I have proof of this as my company was robbed last year.

Furthermore, the payment processors have the means to prevent this crime, but do nothing because they would actually loose money if the crimes were stopped. CV2 verification was developed by the credit card companies over 20 years ago to prevent this type of crime, but the payment processors won't implement it.

The small businesses who sold the good are 100% responsible for paying back all of the money-plus fees from the processing companies.

The kicker is that the payment proccessor told us in writing that if we could provide them with the correct CV2 numbers we would not be responsible for the charges-after they denied us the chance of checking the CV2 numbers in the first place. If we could, we would not have ever been robbed!

My web site, is a non-profit site that explores this issue even more-because the media does not do a good job of covering this story.

Most of the credit card fraud in this country can be stopped, quickly, within days, if this story just gets out.

Posted by: Brian Mortensen | May 18, 2006 10:23 AM

So to answer the question, in most cases that 3-digit code is not needed to complete a transaction because most payment processing companies don't check it because they would loose money if fraud was stopped.
So no, it doesn't matter to the point that the crooks just swipe hundreds of cards a day and never get the cv2 number, nor do they need it. You question implies that they need it to rob you, they don't.

Posted by: Brian Mortensen | May 18, 2006 10:34 AM

I read a comment above that was incorrect-a skimming device DOES NOT collect CV2 information-it isn't on the magnetic strip, nor is it written anywhere. That's what makes it so effective.
I'm not trying to spam, I just want to provide readers accurate facts on the subject, and that is a major fact that should not go overlooked.

A side note: Most clerks don't even look to see if your card is singed.

Posted by: Brian Mortensen | May 18, 2006 10:45 AM

tallbear - "As for the waiter thing, it has always amazed me that some people who are afraid of internet shopping because of fraud, think nothing of handing a card to a waiter who goes off somewhere to run it."

You're right. I operate a web site selling various items and prefer customers to order online vs. via the phone because it's easier for me and takes less time to process the order. It always amazes me that when people call and while ordering say something like "I prefer to order over the phone and not use my credit card info over the internet." I sometimes ask them what about paying with a credit card at a restaurant, is that any safer?" People think nothing of giving their credit card to someone who could copy all the pertinent credit card info off the card and later use that info to run up a bunch of fraudulent charges.

Posted by: ABH | May 18, 2006 10:50 AM

You can use any debit/credit card at most gas stations without a pin number or signature. A neighbor's daughter stole my father's debit card while he was in a nursing home and used it at a gas station for gas, etc. She would even buy cartons of cigarettes using the card then return them for cash (she also worked at the station).
Most of us complain about having to remember more pins but it would certainly keep things like this from happening.

Posted by: Silver Spring | May 18, 2006 10:52 AM

Non debtor - "A thief can get your account number and expiration date from a discarded receipt."

Not anymore. About three years ago, all the major credit card companies required merchants to upgrade their credit card terminal software where only the last for digits of the credit card are shown on receipts.

Posted by: ABH | May 18, 2006 10:54 AM

Identity theft insurance is very misleading. Read the fine print!

Posted by: Chris | May 18, 2006 11:15 AM

Chris: So is small business insurance, ours stated that our loss was noth covered because it was "theft by deception".
I wondered at the time if I was robbed with a fake gun if that would also be "theft by deception".
Most small business insurance doesn't cover credit card fraud, and the poor merchant has to pay everybody, the banks, his supplier and the payment proccessor's fees for being robbed.

Posted by: Brian Mortensen | May 18, 2006 11:20 AM

ABH, that was from the American Express website. Guess they need to update their info.

Posted by: Non debtor | May 18, 2006 11:22 AM

Silver Spring - my MIL had her credit card stolen when she went into a nursing home. She took her purse with her, and we didn't even think about it until the bills started showing up.

I think the facilities don't remind you about it because they don't want you to think that their employees would do such things -- but it happens.

Posted by: RoseG | May 18, 2006 11:45 AM

I've had two frauds using my personal info. One was probably skimming and the other was by counterfeiting checks. Delays of up to 5 days in posting card transactions are pretty routine, so monitoring isn't as effective as it might be. Check frauds are easier, since services like Telecheck don't validate the account number; there's no need to steal one since it can just be made up.
I fault the public for not wanting to provide stronger ID (photograph and/or thumbprint of the customer at the counter) when they make transactions. That resistance is the reason that retailers like Wal-Mart give for not taking those steps. And my experience is that most of the dollar volume of fraud is on these in person, at the counter transactions at chain retailers.
I haven't lost any of my own money to these frauds - merchants and collection agencies have absorbed many thousands - but the cost to me in time has been quite burdensome.
A truly useful service, which as far as I know no one provides, would be to send a text message to my cell phone every time a card _authorization_ is processed.

Posted by: WW | May 18, 2006 11:58 AM

WW: Those "at the counter" transactions you speak of is where the payment processing companies make their money. They make more than double the profits every time a stolen card is used, and the merchant has no way to verify the card.

Two laws can stop it right away:
1. Make advanced authentication mandatory on every transaction.
2. Make it a crime for payment processing companies to profit from credit card fraud.

In case no one knows, the payment processing companies own all of the terminals that you/you waiter/whomever swipes your card on when you use your card.

My company lost over $25,000 in fraud that included fees to the payment processing company who never verified the transactions. Only AFTER we were robbed did they bother to ask us for the CV2 (pin numbers) on the cards.

Posted by: Brian Mortensen | May 18, 2006 12:10 PM

I was nervous about an on-line purchase I made on a Monday and cancelled on Tuesday. I contacted Mastercard to try to set up a warning that if the canceled charge was posted by what I considered a crooked merchant, I would be notified and/or the charge would be denied. They could do nothing to protect my account. All they suggested was that I cancel the card and open a new one, and wait two weeks for the new card to arrive.
I think there should be a better arrangement to protect the customer.

Posted by: Winchester | May 18, 2006 1:52 PM

To the person who suggested text messages with every authorization....who's going to pay for that? The consumer @ $.10 per message? That could get expensive for, say, a debit card or someone who travels at lot and uses their card at hotels, gas stations, restaurants, etc. I suppose the traveller could do it as a business expense and be reimbursed....

Scary POS (point of sale) stories abound. My boss will sometimes send me out to purchase supplies for the office and send me with her card....she's a 4' 11" female, I'm a 6' 6" male. I started refusing because I was uncomfortable doing so. To justify, I told her I was afraid of being caught, which I was not, because no one ever looked at A) the signature (her card wasn't signed), B) the name (I don't look like a girl, and her name is clearly a girl name), or C) ever asked for photo ID (stores like Staples, Best Buy, Office Depot, etc.)

And wouldn't it be great if you could spell out the parameters for your card in advance? Like things it could and couldn't be used for, maybe? I wonder how close we are to tech like that, or if we already have it and it's just "something that our studies tell us consumers don't want/won't pay for."

Posted by: BT | May 18, 2006 2:24 PM

BT: It would be great, so would the text messages, but the same companies that provide the first and only line of security happen to also be the same companies profiting from credit card theft. There is only one industry in the world that profits directly from credit card fraud, and that's the payment processing industry.
Nothing will be done to improve any kind of security unless that changes.

Posted by: Brian Mortensen | May 18, 2006 2:59 PM

Discover told me that their Identity Theft Protection was great. They said they would contact me everytime a charge card was opened in my name. Its $12.99/month. Do you think this really works, or is it a waste of money?

Posted by: MN | May 18, 2006 7:01 PM

IMHO-it's a waste of money. 2 good ways of protecting your identiy-
1. If you have a roadside mailbox, consider switching over to a PO Box-they are much more secure and would cost less per year than what you are paying Discover. Tell the mailman that nothing gets delivered to your house.
2. Don't put your trash out to the curb at night-try to put it out in the morning or as close to your pickup time as you can. If you can't, you must get a shredder.
Those two steps helps lock down your information flow going into and out of your home.

Posted by: Brian Mortensen | May 19, 2006 8:47 AM

"They said they would contact me everytime a charge card was opened in my name. Its $12.99/month. Do you think this really works, or is it a waste of money?"

Waste of money.

Sad but true - if you wait long enough, one of the companies with whom you do business will "lose" a computer with you financial data. As a result, they will give you a free 1-year subscription to a credit monitoring service (like Equifax). Then, you can pull a report as often as you like during the year as well as have them send you alerts when there is activity on your account.

In the past 10 months, I've gotten 2 of these letters.

Posted by: Non debtor | May 19, 2006 8:59 AM

My son has "ASK FOR SIGNATURE" on a label on the front of his bank & credit cards - only about 1/4 of the clerks do so.

About 25 years ago I got a call from my credit card company asking if I had ordered electronic equipment to be delivered to an address that wasn't mine. I said no, so they said they'd cancel it. I asked if they would send the order (or at least an empty box) to the address in an effort to catch the crooks. They said no, it's too much effort. I've assumed since then that credit card security is my problem.

Waiters have been known to use their cell phones to take a photo of the front and back of credit cards.

Posted by: Virginia | May 19, 2006 11:42 AM

On losing track of your card - last time I was in Paris (years), the waitress brought the machine to the table and a PIN was required. The procedures for better security are out there. US companies don't want to implement them unless required to.

Posted by: Bill | May 19, 2006 5:28 PM

I try to call my credit card when I am traveling and they refuse to take any note of it. I did a cruise for my honeymoon and they didn't care/notice that a slew of charges starting coming in from all over Miami and the Caribbean. On the other hand, I was at the Hagerstown Outlets and had to verbally confirm a transaction since we had used the card at several places. I wish they would do something about that so they know if to send up a red flag or not!

Posted by: Colette | May 22, 2006 4:38 PM

As a cashier I check signatures and ID on credit purchases over 200$. Also when the signature does not match or the name on the front is clearly incorrect. I have turned away many customers who brought in their "mother's"/"girlfriend's"/spouse's Card.
Personally I use a different credit card for online purchases/purchases by phone. This card has a smaller limit on it. This is easier to keep track of, and gives me a least some security that someone can't go crazy with it.

Posted by: Sarah | May 25, 2006 11:09 PM

I was so surprised when my credit card company called me immediately after I attempted to withdrawal cash. I guess because I went to two different machines (and they didnt work) they thought I was someone else. Then they asked all these questions about other cards I held, my mortgage, my car notes, even what counties I previously lived in. They also knew my daughter's name and birthdate! How they got all that from my SS number I will never know. She was an authorized user at one point, so that could be why. Though I never put her down as one, they sent me a card with her name on it! Talk about credit companies knowing it all. But I guess it's good for fraud protection. I just felt a criminal or something for trying to use my card!

Posted by: Lisa | July 26, 2006 1:41 PM

Credit-card companies do a good job of helping consumers resolve identity-theft problems once they occur. But they could reduce ID fraud even more if they gave consumers better tools to monitor their accounts and limit high-risk transactions, such as large cash advances or foreign transactions. That's the conclusion of a recent study by Javelin Strategy & Research, a research and consulting firm specializing in the financial services industry.
I do not agree.For more info go to System.String[]

Posted by: krakow hotels | September 27, 2006 6:19 AM

The comments to this entry are closed.


© 2010 The Washington Post Company