Saturday, May 31, 2008

Why my credit card # gets stolen so often

So, in my post last month about my fifth run-in with fraudulent charges on a credit card (two different cards, not five on one), a number of commenters expressed shock that I could possibly be hit so many times. Typical response: "How can this be happening so often? I never had to deal with this situation."

Why do I get nailed so frequently? (First time was in maybe 2002? I'm averaging just under once a year, I think.) Here's my best guess:

-Two out of the five times, my ATM card got hacked: Someone made a fake card and physically withdrew cash from my checking account. This means they not only had the account number, they had my PIN -- which, as I think I've mentioned previously, absolutely no one else on Earth knows, not even my spouse. (I don't know his PIN, either. Neither of us withdraws cash from the others' checking account.)

In those cases, I strongly suspect I used a dodgy ATM. PINs have also been stolen from the systems of retailers that allow PIN-based debit transactions, but I do that very rarely. On the other hand, in the seven or so years I was with NetBank, I often used ATMs in random delis. I'm cautious about avoiding shoulder surfing, and techie enough to likely notice an obvious skimming device, but New York City has been home to several crime rings using internal skimmers and backdoor software on unrelated, "white label" ATMs -- the kind I used probably 60 times a year. I try to be disciplined about using bank ATMs, but ... I am weak. Especially when I was with NetBank and paid the upfront withdraw fee every time I needed cash (since NetBank had no NYC ATMs), I tended to simply use whatever was closest. Which means I probably got nailed on a corrupted ATM.

-On the other hand, three of the five fraud incidents I've had were "classic" cases, where someone only had my credit card number (not the physical card; every time, it's been in my possession the whole time I was being ripped off). So why did I get hit three times in 10 or so years, when other people go decades without ever getting nailed?

I have two theories. First, sheer statistical probability. I use my credit card constantly - literally, multiple times in an average day. I probably run 500 transactions a year through my primary card, my Amex. (I pay it off each month. I just prefer it to cash -- and hey, rewards points!) I don't know what "average" credit-card usage is, but my count has got to be on the high end. Simply by using my card so much, I'm increasing the opportunities for someone to steal the number.

Second: I go to restaurants a lot - the #1 place credit-card data gets stolen. Also, I live in NYC. If you want to set up shop stealing credit-card info, a big city with a police department unlikely to pay attention to small financial crimes is a pretty good place to do it.

So, in summary: I think I get hit so frequently through a combination of high exposure and just sheer bad luck. I can and should avoid shonky ATMs, but on the classic-fraud cases where my numbers get stolen, I simply don't think there's much I can do to prevent it.

Here's the real kicker: This week, as I finally got everything refunded from my Amex fraud, David got hit. On his Citibank debit card. To the tune of $1,000 or so in train tickets around Italy. It's the second time he's been hit (in the eight years he's had this bank account) -- and since it's not a credit card, this came straight out of his checking account. He's now waiting for the paperwork from Citibank to dispute the charges and start getting a refund processed.

Maybe we really should start stuffing our cash under a damn mattress.