It was 4 am when the first message arrived. “Did you authorise $173.50 from card ending 2222 for a purchase from Sunshine Ltd in Hong Kong? Reply Y or N.” I have a nightly scheduled Do Not Disturb setting on my phone, so the message slid silently into my message box without a ripple.
At 4.45 am, one of my dogs was restless, and her scratching woke me. After swearing at the dog under my breath, and while still in bed, I was looking at my phone when the second message arrived. “It is important that you answer Y or N to the previous message.”
Groggily, I texted “N” in response. (Normally I would do a reverse number lookup on any random texts to check if the number was legitimate, but I was not on my regular security game at that time of the morning.)
The phone instantly started ringing, and I was put through to the Commonwealth Bank Fraud team. They asked again if I had just authorised the purchase of beauty products from the card ending 2222.
“Not me”, I responded.
“Yeah – we didn’t think it was you. You only spend on tech and geeky stuff and not beauty products”.
I didn’t know whether to be delighted or offended.
“O.K. – we have just cancelled your card for you and lodged a disputed transaction for you. You will receive a new card in the mail in 2-3 days to your post office address, and the disputed transaction will process in approximately three weeks.”
As I went downstairs for my first coffee of the morning (now that I was wide awake), I wanted to check what else I should be doing at this point. The bank was great, but I knew there were other steps I should take.
After finding a lot of the information on the web less than complete, here’s my list for fellow paranoid, tin-foil hat wearing travellers who want a quick checklist of things to do if you find your credit card has been shopping without you. This is in keeping with our overarching philosophy of “online without the overwhelm.”
Actions to Take When Your Credit Card is Compromised
1. Call your bank
If you are the one who found the questionable transactions on your account, and you were not notified by your bank’s fraud team, then call your bank. They will cancel your card and reissue you with a new card. Lodge a disputed transaction report for all questionable transactions.
2. Change your passwords & PINs
Change your passwords anywhere that has links to your bank accounts:
- All of your PINs
- Email accounts
- Social media accounts
- Online banking log-in
- Mobile phone lock screen log-in
- Any website where you have saved your credit card details after a purchase (e.g. PayPal, eBay, the random website where you bought a remote controlled R2D2).
3. Check to see if any websites you are on have been breached
These lists are comprehensive, but don’t include breaches that have not yet been disclosed or where details are not publicly available.
4. Put a ban on your credit history report
When you apply for credit or a loan, the business checks with one of the credit history companies. Periodically getting a copy of your own credit history report helps you to know your own number and to identify any problems with your credit history.
After you have had any personal details stolen (including your credit card), you can apply to have a ban put on anyone accessing your credit report without your explicit consent. This stops scammers attempting to set up new accounts in your name and running up debts in your name.
You can generally get a copy of your report and place a ban on your reports for free. This ban lasts for 21 days, but you can apply to have the ban extended.
Unfortunately, you need to apply to all three businesses separately to have a ban placed.
How to reduce your risk of a compromised credit card
Fixing a card that has been compromised is only part of the solution. You also need to reduce your risk of it happening again. Here’s a checklist of security steps to help keep you safe.
Have strong passwords.
Always use complex and strong passwords that are unique to each site you visit. Never re-use a password across multiple sites and use a password manager like Norton Password Manager, LastPass, Keeper or Dashlane to help keep track of your passwords.
By using a complex and strong password on every site you use, you can instantly increase your security.
Never give your credit card details to someone you don’t know
Especially people on the phone alleging they are from your bank or other organisation.
Check your bank statements regularly
Check all your transactions are legitimate (and keep copies of your statements on file). Having at least a year’s worth of statements helps if you need to go back and change your stored credit card details after a compromise.
Set your cards to alert you
Most banking phone apps allow you to set alerts for purchases over a specific dollar value or when a transaction has occurred in an overseas location.
Regularly check your credit history report and correct any errors
Not everything in your credit report may be accurate. Correct any errors that you find.
Prune your wallet and your handbag
Only carry essential information with you instead of your entire filing cabinet.
Use RFID blocking purses or wallets
An RFID blocking purse or wallet stops people being able to “scan” your identity while standing near you. You can also pick up some anti-RFID sleeves (that look like aluminium lined envelopes) in the travel section of your local K-Mart, Big W or travel shop, and pop your cards in them when not in use in your wallet. I have a non-RFID blocking purse, so have lined all of my card pockets in my purse with cut open sleeves, so I can combine security with ease of access.
Destroy personal information
Shred all statements, receipts and any document with identifying information rather than just putting them in the bin. On a plus, shredded receipts make great mulch for your garden under a layer of sugar cane or other mulch.
Get a Post Office Box or add a lock to your mailbox
A PO Box for a business is a brilliant extra layer of security and for solopreneurs is a brilliant reason to get out of the home office every now and again.
Only install legitimate apps and software
Don’t jailbreak your phone or install nulled software as you don’t know what else is in there or where they are sending your information.
Check for the padlock in your browser
Only enter your details on websites that have the SSL padlock. No padlock = no security!
Whatever you think about the company, if there is an option online, always use PayPal to reduce your security risk of storing your credit card in strange places around the web.
Run strong security and malware scanning programs
Run strong and reliable security and anti-malware programs on your computer to detect suspicious activity or sites. Check out Choice Magazine in Australia for unbiased reviews or sites like PC Mag or CNet.
If your computer, phone, browser or website wants you to run an update, always run the patch. Most updates contain security updates to help keep you safe.
Don’t touch random USBs (and preferably don’t use USBs at all)
USBs are a common way that hackers introduce malware/viruses onto computers. They rely on curiosity and natural “niceness” of people: People find a USB on the floor and stick it in their computer to find out who owns it so they can return it. The USB promptly infects everything on your computer or installs keylogging programs so they can watch your keystrokes. Assume any unattended USB is as healthy as a discarded syringe and put it in the bin.
Don’t do your banking or email on public Wi-Fi or public computers
Assume any public tech is as private as having an audience of thousands watching everything you do and writing down your details. It is reality TV without the rose.
Don’t use public USB phone charging points
When your phone is low on battery, you gratefully take any chance for a charge. While most public USB charging points are legitimate, hackers now target them (which is why we can’t have nice things).
Just plugging your USB into that point allows hackers to install malware on your device or scrape your data. Use your own external powerbank or carry a power plug and cord to plug into a power socket and not a USB charging point. For the truly paranoid – never plug your phone into a charger you don’t own.
Add Dual Factor Authentication
Dual factor or multifactor authentication is where you get a text (unsecure) or a code to an app before you log in to a website. If a site offers it, use it!
While Google Authenticator is the grand-daddy of dual-factor apps, I now use Authy simply because you don’t have to redo everything every time you change phones, it syncs across devices and has added layers of security so even if your phone is stolen and they get past the screen lock, they still can’t get to your dual-factor codes.
On a minus – the Microsoft Authenticator App is a piece of seriously poor code, so expect problems if you try to add dual factor to your Microsoft account.
Hide the back of your card if you tap and go
We all love the convenience of tap and go – especially at carparks! Be cautious when you tap and go that you are not exposing the back of your card and showing the CVV code to the world when you tap. If there is a skimmer on the “tap” and they can see your CVV numbers, then it’s all over red rover – your card is suddenly buying Louis Vuitton handbags in Dubai.
More identity fraud resources
Want still more handy resources for more information and support on identity fraud, and how to deal with the emotional impacts?
IDCARE – This is a free government service for people in Australia and New Zealand to help mitigate the impact of identity fraud on you and your business. They also have trained counsellors if you need emotional assistance.
ASIC – Money Smart – ASIC has a fantastic resource on preventing identity fraud, and what to do if your details are compromised.
Major Banks – Each bank has its own resources on security that are worth exploring.
OAIC – Has more information about credit history reports and bans.
All of these actions will help to reduce your risk of credit card fraud, but hackers and scammers are always on the hunt. I am super conscious of security and yet my credit card was still compromised, and I still don’t know how or where.
Like everything in life, crap happens. It’s how you respond that makes the difference. If your card is compromised, don’t be a victim. Take back control and use it to step up your security game one step further.
Taking action on even a few of these tips will help you to stay safe online.
Finally, I would like to do a public shout-out to the Commonwealth Bank. They cop a lot of well-deserved flak for many of their actions, but their security team are exceptional – even if they do know I am a rabid geek who missed the beauty school memo.