
I’ve had my credit card compromised three times; how do I prevent this from happening again?

In the last six months, I’ve had to cancel my credit card three times due to fraudulent activities. I frequently shop online. I have Windows 7; I use a firewall, etc. I use reliable (I thought) sources. I don’t let them save credit card info. I always check for https, etc. I seldom use my credit card at stores and when I do, I watch it carefully. My credit card company suggested either a computer virus or a malware or possibly leaks with online merchants. I have McAfee online. Could they be missing a virus or malware? How can I determine where the leak is and how on earth can I shop safely online? It angers me that I’m held hostage by these hackers every time I’ve had my credit card compromised. Can’t we get smarter than them?

Sometimes it certainly seems like we can’t, doesn’t it?

It also seems that for every barrier we put in place to protect our credit card use, hackers find new ways to run off with our card information.

Let’s look at some of the ways credit cards can be compromised and ways you can protect yourself.


I’ve had my credit card compromised too

It can be very frustrating.

Once I had both my cards compromised, for different reasons, while I was travelling – to Las Vegas, no less. I was afraid I’d have to do dishes to pay for my room, but my credit card company overnighted me a new card in time for check-out.

One of my cards was compromised by what I suspect was a service in which I had simply placed too much trust. The other? I have no idea.

So let’s look at some of the ways it can happen.

Check for malware

To answer your very first question, could your anti-malware tool be missing something?

Absolutely!

There is simply no anti-malware tool that is guaranteed to catch every bit of malware. That’s simply the nature of malware and anti-malware tools.

What I suggest you do is get yourself another anti-malware tool, perhaps a couple, and periodically run additional complete scans of your system. (What Security Software do you Recommend? has some recommendations.) One specific tool I recommend often is the free version of Malwarebytes Anti-malware, which has a reputation for catching a lot of things that many other tools do not.

Make sure that all of your anti-malware software is up-to-date, running the most recent versions, and running its most recent database. Remember, the version of the software may change every year or six months or so, but the database it uses will change daily, if not multiple times per day.

Always make sure you’re running the latest version of both the software and its malware database.

Check the network

Make sure that other machines on your network aren’t compromised.

If you have more than one machine at home, and they are connected to a single router, then by definition you have a local network. Make sure that all the other machines on that network are free of malware.

It’s possible that malware on a machine could be “sniffing”, or watching the traffic on your network. Usually, that’s not the case, but given the number of times that things have gone wrong for you, that’s something else that quickly comes to mind.

When you’re not able to trust another machine on your network, it’s very much like using an open Wi-Fi hotspot. That other machine could be doing all sorts of interesting things that could compromise your security. It’s important that all of the machines connected to your router are secure and free of malware. Make sure you’re up-to-date and running appropriate scans on all of them.

Physical theft

We’re often quick to blame our computers (or the internet) when we experience credit card fraud.

Frequently, the issues are much more low-tech.

For example, have you ever annoyed the wait staff at a restaurant? Well, annoyed or not, when you give them your credit card, it’s out of your eyesight while they process it! [1] There definitely have been stories of clerks who take your credit card and clone or otherwise compromise it while it’s in their possession and out of your view.

The less obvious, slightly higher-tech case is hardware that’s actually installed on card readers.

Every once in a while you’ll hear about bank machines or gas station pumps that have had what’s called a “skimmer” installed in front of the card slot. It looks like a regular card slot, and unless you know what you’re looking for [2], you wouldn’t know that there is something else reading your card in addition to the pump or the cash machine. The hackers let the skimmers collect card data for a while, and then come back and remove them, walking away with the credit card information for everyone who used the machine while the skimmer was active.

That’s one way card information can be stolen without the card ever having left your hands.

Compromised databases

To be honest, by far most of the card theft that I am aware of, like most of the scenarios that you describe, is typically completely out of our control.

What happens is that large databases of credit card and other information are stolen. It’s not somebody targeting you or me, going after cards one at a time – it’s someone targeting the computers at your bank, or the grocery store where you use the card.

Those are the kinds of things that you and I don’t really have a lot of control over.

Fortunately, in addition to being rare (that’s why it makes the news, after all), most credit card companies cover your losses as long as the loss isn’t due to your personal actions. Unless you’re hacking in and stealing large databases of information, you’re very likely covered.

But it is an inconvenience, no doubt about it. My Las Vegas experience was nerve-wracking enough, but to have cards compromised three times in a row, and that quickly, would be maddening.

I would most definitely look closely into both your local network and computer security, and keep a very close eye on where the card is being used.

If you are compromised a fourth time, I’d want more information to help find the cause.


Footnotes & references

1: To be clear, this is uncommon – most restaurant servers wouldn’t dream of abusing your credit card no matter how much of a jerk you might be. But I can see it happening. So, don’t be a jerk. It’s an unexpected and yet important part of keeping your information secure. Tipping generously helps as well, I’m sure.
2: I wish I could tell you what to look for, but it varies. I just keep an eye out for anything that seems out of the ordinary, particularly for those places I visit frequently.

46 comments on “I’ve had my credit card compromised three times; how do I prevent this from happening again?”

  1. Until the original poster is able to figure out how his/her credit card number is being stolen, he may want to try using a “virtual credit card” for his online purchases. These virtual credit cards are offered by many banks on their websites, and they are linked to the number on your physical credit card. You create one virtual credit card with a given unique number for each vendor. You set the dollar limits and the expiration dates for each virtual credit card. The vendors see only your virtual credit card numbers — not your “actual” credit card number with the big credit limit. You can shop online more safely when you use this method recommended by many security experts.

  2. In my earlier post, I should have said: Try using a virtual credit card only AFTER you first have taken the steps Leo provided to determine whether your PCs are clean. Obviously, setting up a virtual credit card online by using a malware-infected PC will not make online shopping any safer.

  3. How timely. My credit card was just cancelled because it’s been compromised. The magnetic stripe on the back of your card is the most common way to steal your card.

    In Canada we have “chip + pin” technology. A chip is embedded in the credit card. The credit card is inserted into the credit card machine and you are asked to verify the transaction using a PIN (like your ATM card does).

    The chips are hard to counterfeit and so thieves tend to focus on the magnetic stripe because it’s cheap and easy (I’m sure some are working on cracking the chip technology). And even if they do, they will still need your PIN.

    Your signature for a credit card transaction is old fashioned. That comes from when you were friends with the furniture salesman and bank manager. You signed your name to say you promised to pay. Now stolen credit card numbers are a hot commodity. Credit cards need to change with the times. Chip + pin make a lot more sense.

    We were visiting Pennsylvania recently and I suspect it was a gas station that we visited. Because I couldn’t pay at the pump, I had to go inside and have the guy swipe my card through his machine.
    Mastercard suspected two transactions which were both “swiped.”

    As a rule, I never shop online, unless the company has a physical presence that I can go and visit.

  4. I took Leo’s advice, and installed the free version of Malwarebytes.
    I then tried to do the same with Microsoft Security Essentials – however, it wanted me to uninstall other security systems first (I’ve got AVG).
    When I didn’t do so, Security Essentials got a bit stroppy, and gave so many dire warnings about the disastrous effects on my laptop of running two security systems, that I gave up and discontinued its installation.
    Is this true? – it seems to conflict with what Leo had said, and I’ve always found his advice to be really good.

  5. The poster appears to be compromised whilst purchasing online. I know many of your readers might not like what I suggest but – I only shop online where the seller agrees to PayPal. No problems ever and 100% peace of mind. The other post reply regarding MS Essentials I can sympathise with – if it is as clever as Leo says (and I love Leo) why does it not want to share a bed with other respectable Malware companies?

    It’s not about wanting or not wanting to. The actual techniques used to scan for malware in real time will by their very nature come into conflict. It’s the nature of the technology.

    Leo
    30-Oct-2012
    • I use a PayPal debit card for anything online. It was compromised once, but PP was much faster than my bank (on another occasion) to notify me, replaced the card, & covered all illegitimate charges.

  6. The only time I used PayPal in the last year was when I was using my iPad in Venice, Italy at the apartment I was staying at. It had free WiFi. I used it to pay for a hotel in Hawaii. Someone then tried to use my PayPal account to send money to their email address but they were not registered, so it did not go through. I cancelled it and tried to get PayPal to follow up but they were not interested. Is this how PayPal is secure - You must be registered? I changed my password but should I do anything else? Could they do it again?

  7. @Jay,
    The thing is that you don’t want them bumping into each other. Here’s an article from Leo on that.

    Can I run more than one anti-virus program? Anti-spyware program? Firewall? Should I?.

    Here’s a quote from there: “However, as I’ve noted elsewhere, there’s no single anti-virus or anti-spyware program that will catch all viruses or spyware. So there is a case to be made for having more than one. But if you do, you need to be careful because they can, and often do, interfere with each other.”

  8. Virtual Account Numbers! Many credit card providers will let you create a single-use number for internet use only. The first time you use it, it will then be good only for that vendor–and nowhere else. Not helpful for normal point-of-sale use, but a God-send for the internet.

  9. I use PayPal and have for about 12 years and never had a problem. Ever. As more and more places accept PayPal it becomes more convenient. They don’t give your card number to the vendor. They reimburse themselves either from the card you provide them or from a bank account you set-up to provide funds.

    I do regularly get phishing emails telling me something has been added to or done with my PayPal account and it wants me to log in to approve or disapprove it or change something. I NEVER click a link I get in an email no matter what it’s for. I ALWAYS open a web browser, enter the site into the address bar and log in the long way.

    I have a couple tricks for that such as I use one of the 7 emails my ISP gives me exclusively for banking and financial related activities. That’s all I use it for. I use another for bill pay. Another is for forums and social things. There’s my ‘professional’ address, my shopping email, and my casual correspondence one. When I get a phishing email and it’s not sent to that financial only email address, I know immediately it’s bogus. If I get SPAM I know by the address where it’s likely coming from.

    I also use RoboForm for my password manager and it’s very secure and IMHO the best password manager on the market. I use both the RoboForm2Go and the regular RoboForm on my home PC. The portable version, RoboForm2Go is installed on a flash drive. When I use it on another computer it starts up and when I’m done and close it, it cleans all traces of itself leaving nothing behind. Since it automatically fills in user names and passwords, there is no typing those in so a key logger is useless, even the hardware kind that connect between a keyboard and the plug on the computer. I have my flash drive’s contents locked and encrypted and my file with my passwords is also in a locked folder on the drive. RoboForm added an online version called Roboform Everywhere or something like that but it is a yearly subscription.

    Remember, when you use a credit card at any establishment where you hand it to somebody and it leaves your sight you are at risk. A friend had his card number stolen on a trip to Vegas. The only place he used it was at his hotel. A local restaurant has a waitress who was copying down numbers when she’d take the cards in her little black bill folder to the back to run them. A local liquor store used to make employees put a piece of paper over a credit card and rub it with a pencil to take an impression that was stapled to the register receipt. After they did the books they threw them in the trash which ended up in a dumpster out back. My card number was stolen that way and I didn’t know until CDW called because my $6,000.00 worth of computers and components ordered against the card was on hold because the expiration date on the card that was used was wrong.

    The point is that it may not be you but who you do business with.

    • Be wary if you receive ANY emails from a so-called bank.
      I regularly get some from “banks” I don’t deal with and rarely, from one I do use.

      NEVER click on a link in an email like this.
      If your bank actually did contact you, use your normal means to look into it, even the phone if necessary.

  10. PayPal might give you some security, but don’t let that security lull you into a false sense of security. About a year and a half ago, PayPal charged my credit card and I don’t even have a PayPal account.

    As long as there are humans on this earth, they will continue to find ways to rip you off.

    I stand by this one thing: I only shop online where the seller has a physical presence. If they are only represented by an email, website, or PO Box, that’s not good enough. I should be able to visit them in person (OK, I might have to take a plane to visit them, but I can visit nonetheless).

  11. Use only one credit card for internet and one for physical transactions. This will indicate the leak source.
    A debit card can also be used for internet where only a limited amount of money is deposited.

    For super security load a boot disk when doing banking. Ultimate CD {Parted Magic} has Firefox included and all drivers to connect to the internet.
    Long term a reformat and reinstall of Windows is the only real safe method to clean a compromised computer. Newer computers have a backup copy of Windows in a hidden partition. Google how to access the partition if unsure.
    Jp

    • Good one Johnpro2 … that’s our method also. And we keep the on-line card’s credit limit very low. Folks shouldn’t get sucked into that good feeling when an institution raises their credit limit, that’s another arena full of stories of financial woes. However, after reading the comments so far, we will reexamine PayPal and look into this one-time-use or virtual number issued by the credit card institution, sounds pretty cool … can tie it to the on-line card for another layer of protection. We never use a credit card in a situation where it will be out of our sight, like restaurants, for the reasons Leo stated. We go to the cashier. One last word: RFID blocking metal wallets that are NFC compliant.

  12. Get that card hotlisted / cancelled & a new one with a different number issued.

    I belong to India and you are supplied with a password which the Bank’s Credit System requests you before authenticating any transaction.

    Next, in case of a high volume transaction I always receive a call from my credit card company to verify authenticity of the transaction.

    Plus, I always receive an SMS on my registered mobile number for any transaction done on my Credit Card.

    With so many checks, it’s almost impossible to get caught in a fraud. Even if you do, then you have ample time / opportunity to revoke the transaction.

    Check out with your Credit Card Company if they offer such facilities.

    Ravi.

    • It is a good idea to have your credit card company notify you automatically for any purchase over an amount you choose. Keep it small enough to be truly protective.

  13. One comment re credit card info to buy things - simple answer is don’t ever divulge that info over the net. USE PAYPAL instead - two tier protection - them and your bank, and the seller never knows WHAT YOUR BANK DETAILS ARE – you only have to give bank info to PayPal ONCE. A lot of sellers on anything are using PayPal now and it’s easy to see those who don’t: the PayPal logo is not visible. And if a seller doesn’t like using PayPal, my answer is TOO BAD FOR THEM for you have the choice to go somewhere else and don’t be afraid to say so directly! And this is not an ad for PayPal - I have been using it for years and it works. And do give a latte to Ask Leo – you might be unsurprised in the ways you can do that and this is not an ad either. I can transfer money overseas and it’s there in 24 hours usually - no bank can or will do that and guess who owns the credit card companies? Cheers. Mark

  14. Some credit cards offer a small program that creates a one time use credit card number with all of the other appropriate info. When you shop you open the program and it creates a new number just for that transaction. I use it when paypal is not available.

  15. The person who had their credit card hacked didn’t mention if they kept passwords on their computer. If hackers are in your computer your passwords are theirs. I keep a ring binder with tabbed dividers for my passwords. Never on my computer. It’s a little more of a hassle and if there’s ever a fire my passwords are gone. But I know I can get the important ones back from whatever company I need.

  16. Did you know that apparently, credit and debit cards can be cloned whilst they’re still in your wallet, using portable cloning equipment? I don’t know how often this method is used but I keep all my cards in a RFID Protected wallet just in case 🙂 I also use PayPal whenever it is accepted by online shops. And I NEVER allow restaurant staff to take my card out of my sight. Fortunately, most restaurants now use portable card machines, so they no longer need to take your card to the till:-)

  17. I am using a CitiCard credit card. The company offers a small free program which generates virtual card numbers with associated security codes. Features permit you to define a maximum dollar amount and an expiration date for that specific transaction. The program generates a unique number for each transaction. The charge is then transferred automatically to your real credit card. You have private access to records of each transaction along with cancel capability on transactions which are still active (not processed).

    I have been using this system for years for internet purchases and have been very pleased with the service. It can be used for internet purchases only. It is known as Citi Virtual Account Numbers, again, available from CitiCard.

  18. I recently read a story of a man whose credit card number was stolen 10 times, at least one of those times before the replacement card came in the mail because the scammer had cracked some kind of coding that the bank uses to generate the numbers. http://www.cbc.ca/news/canada/sequencing-fraud-on-9-cibc-visa-cards-like-groundhog-day-for-ottawa-man-1.2989611

    What I have never understood is why businesses like Home Depot need to save my credit card number in their computer after they have settled the transactions with the bank (usually over night for most large businesses). Businesses that do this are posting an open invitation to be hacked. Sure a refund happens a few seconds quicker, but it really doesn’t take that much time for me to pull out my wallet and insert my card in their machine. A minor inconvenience for a ton of security.

    • I can think of one case where storing the credit card number might help. Once I went to a shop for a refund and didn’t have the card I used with me at the time. Lost more time than a few seconds on that one, although the time lost was compensated by the security.

      • I would rather have to accept a gift card because I forgot my credit card so that I could gain confidence that no hacker is going to break in and steal my credit card. If it didn’t happen, I wouldn’t worry. But it happened to Target; it happened to Home Depot; it happened to Home Sense. These are all major retail stores. How can they be so lackadaisical in their security? Or maybe security is not all that it’s cracked up to be. If I can’t trust the major chains to be fool-proof in their security, how can I trust anyone else?

  19. Unfortunately some card companies just don’t seem to care. To explain further. For business reasons I used to visit Brasil, and did this several times over the past years. Every single time at least one of my cards would be compromised. I did get reimbursed. In Brasil the large majority of credit card transactions are wireless, the vendor brings a wireless machine to the buyer. This must be one of the reasons. This got so bad for me that eventually I just took lots of cash and only paid by cash.
    However on one trip I only used my Amex and only in one place so I knew with 100% certainty exactly where the card details had been stolen. On finding yet again that the card data had been stolen I thought OK, now I know where. My Amex is UK based and I live in far east so it cost me a bundle to report all this by phone to Amex but they just did not care. They did not even ask for information. And I thought I was helping them against the bad guys. Never again.

  20. It’s available to newsletter subscribers – either subscribe, and you’ll get a copy, or if you’re already a subscriber just reply to an emailed copy of the newsletter asking for a copy and my assistant will get one to you. Thanks!

  21. I have had several accounts compromised, including my Discover card (2x), Chase Mastercard and my PayPal account. Each time the credit card company recognized the activity and contacted me. I was not charged for anything I did not charge myself.

    Now, I was always liable for charges I made and charges based on automated billing that I had arranged, which is fair.

    One of the times, I believe my card info was captured by a hacked gas station pump credit reader – as I only use that card for gas purchases.

    Another time, the company told me they thought it was compromised at a restaurant. A third time, by someone processing my purchase over the phone.

    PayPal said that my password was hacked.

    The good thing in my experience is that the companies that handle my payments have, so far, always covered the fraudulent charges.

    The bad thing is that there are people out there trying to take advantage of others.

  22. In Canada, we don’t swipe our credit cards like in the U.S. Our credit cards have an embedded chip. We insert our cards into the chip reader on the terminal and we enter a PIN. The credit card never leaves our hands. Chip & PIN technology saved my bacon a couple years ago. MasterCard thought there was something odd when I swiped my credit card in Winnipeg to purchase something at approximately the same time I used chip & PIN to buy groceries at home (a difference of over 2100 km — 1300 miles for you American folk).

    So Leo’s sage advice for keeping your online accounts safe with proper passwords also apply to credit cards. Select the best PIN that you can and use the same precautions as Leo recommends for account passwords.

      • Still sloooowwwww. Over a year after Leo’s comment and the two Credit Unions I bank with and my Citi MasterCard have yet to offer me a card with a chip in it. However, Samsung and Google’s Android phone pay systems are working pretty well. That may be a good secure alternative.

  23. Although nobody wants issues with their credit card online, you can mitigate the damage by having a designated card with a preset, low spending limit, say from $100- $500 or whatever you can work with. This is what I do.

  24. Most major credit card providers offer one time use or disposable numbers. You may have to dig around on their site or contact them to find out if they do but these are life savers if you never want to use your real/permanent card number online.

  25. One sure way of protecting your on-line purchases is to pay for the protection from a legitimate firm such as LIFE LOCK… it worked and is working for me… $100 bucks a year ain’t bad…

  26. I’ve just had 4 cards with 2 different banks cloned; the only common store is Home Depot. They aren’t used online much, just in store. It’s happening once a month; as soon as I get the new one it gets cloned again. I suspect something is going on at the merchant or the bank itself as I always have the cards on me?? Capital One seems to be the problem? Any ideas? I have to keep updating various bills and they get hacked all over. The rare times they are used online, it’s from a Mac with a secure internet and virus scanner…

  27. I am no expert, but it seems to me that the best way to not get your credit information stolen is to minimize exposure. I too have had my credit card information stolen in 2015. In addition to checking for spyware, etc., I am just trying to use more cash. It is a little more cumbersome to carry the cash, but it is truly untraceable. Of course there is a chance of having the cash stolen from me so I don’t carry much of it. When I shop online, I use gift cards like an Amazon gift card. I have also noticed something interesting. I hope you guys have an answer. After the last time I changed my credit card number two websites got the number without me giving it to them. The websites were efax.com and Google Wallet. My credit card did not know how it happened. They are trying to say I did it but I did not remember. Google said the same thing. I have not heard from efax.com, yet.

    • Dan, the same thing has happened to me. For example, I got an email from a company about an annual charge, one that I’d planned to cancel, saying they couldn’t use the card on file. That card number had been replaced since it was last used. So I did nothing, thinking I was going to cancel anyway. Then suddenly, I got an email a couple of weeks later showing the charge had happened! I had this happen this week when I was expecting a credit from where a company charged me after cancellation. This happened months ago, and I have a new card now. Guess what? The credits came through before I could give the company the new card number. The card company HAS to be the ones allowing the charge, and the question is: Did they give the entire new number out? I had fraud on my account at the end of September, and now it’s happened again. The card company caught it fast (under $3 in charges were authorized), but I don’t know how this happened again, and I wonder if the card company was complicit.

  28. A few years back, I received a call from my identity theft company I used. They called to say a payment got rejected from a cc. Since the company had my computer i.p. address because I gave them watch it too… they said the charge came from my computer… yet my wife and I were home the whole time and not on our computer.
    Since it was rejected, I never thought about looking into too much. Card was canceled and we moved on.
    Is that a malware or Trojan virus that lets people do that?
    We were running XP at the time… never used it much, so we never updated it too much.

    • It could be multiple things LT. The IP that the company sees is your external IP address, not internal. Any computer or smart phone on your wireless network would produce the same external IP address. Also anyone who may have cracked your wireless security on your router, using your internet for free, would produce your external IP address. A good place to start is to make sure your wireless routers have strong security settings, with all default usernames and passwords removed. I personally use a password generator for my network password so that it isn’t anything that could ever be guessed. It could easily have been the XP computer though. If malware infected it a hacker could have used your home network as a VPN. They would connect to your computer, then connect to any other site through your computer.

  29. I’m in Australia and we’ve had chip-enabled cards for years, but I’ve still had my card number compromised several times. The bank security people tell me that it is because a scammer can write any number onto a card with a mag-stripe writer and then use it anywhere. Once was a restaurant for several thousand dollars. There was a Senate inquiry (last year or 2015?) into USA banks’ non-use of chip enabled cards and apparently the reason was the cost to the banks of replacing all the retail POS (Point of Sale) machines. So to save the banks money (who also gave the world the GFC) the rest of us have to put up with periodic replacement of our cards and the consequent hassle.

  30. Credit Cards are in fact broken by design. Most cyberattacks or hacks seem to take place due to a lax attitude of institutions when it comes to ensuring that computer networks are secured or updated with the latest operating systems and security protocols. Whilst technology or security audits are certainly required across the banking industry, it is only a step in addressing the larger problem of a fundamental under-investment.

    So from a banking perspective, it would seem that fraud has never qualified as a major threat. A banker looks at his balance sheets and writes off fraud as simply a cost of doing business. Such fraud may amount to billions each year, but the cost is spread across all sectors of the banking industry and ultimately indirectly to us (that’s you & me) as paying customers all over the world.

    Banks have dealt with fraud for many, many decades, forget the Internet. Fraud existed back in the days of credit card machines with carbon paper forms. The technology of fraud gets better each year. Fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud. Don’t be fooled that the Banks are meeting these costs – it is us as consumers that ultimately pay for them (and through the nose), every time, yet Bankers still find the excess to award themselves million pound bonuses.

    https://youtu.be/6yR8iwKsE_E
