There’s no question that Credit cards were one of the great financial inventions of the modern era.  They’ve made it possible for just about any retailer to offer cashless purchases, and they’ve also helped millions of ordinary people with minimal savings to ride out emergencies that might otherwise have been crushing. 

Of course, credit cards have a downside as well.  The most obvious is that they’ve made it far too easy to become financially overextended, a lesson most of us learn in early adulthood.  Another risk is that if your credit card information is leaked, criminals could use it to run up a huge tab under your name.  Let’s look at how credit card data is leaked, and how you can recognize when it happens. 

Leaks and Breaches

Credit cards are just as useful to criminals as they are to anyone else.  Stolen cards can be used for any number of purposes: making purchases that criminals don’t want connected with their real name; making purchases to be resold; taking cash advances; using them for rentals or security deposits; or even just harvesting and then selling them at a profit without actively exploiting them. 

The last of those is especially dangerous, because it affects people in large numbers.  Small-time criminals might scam only one victim at a time, but those who treat credit card information as a product for resale often aim to capture them in bulk.  They’ll often target major retailers or financial institutions, for the simple reason that those businesses have plenty of credit card data. 

Sometimes those come in the form of a data breach, where hackers actively exploit weaknesses in a company’s security either at the software level or by skillful phishing campaigns.  Sometimes companies inadvertently expose data themselves through misconfigurations or bad security practices, which can be considered a leak rather than a breach.  According to the Identity Theft Resource Center, more of these security lapses occurred in the first three quarters of 2021 than in all of 2020 combined. 

“Card Present” vs. “Card Not Present”

Stolen credit card information can be used in a couple of different ways.  One way is online purchases, referred to in the trade as “card not present” transactions.  The other way is “card present” transactions, where the scammer presents a cloned physical card in a brick-and-mortar retail store (or some other real-world setting). 

It’s harder for criminals to get enough data to clone a physical card.  Those typically come in situations where a point-of-sale system is infiltrated, either by an outside hacker — or an inside accomplice — installing malware, or through the use of a hardware-based skimming device.  The data is then batch-retrieved in a “dump” of credit card information from the infected system or the physical device (software-driven attacks can steal credit card numbers in much higher volumes, of course). 

Historically, information that could help create a physical card commanded a higher price in underworld marketplaces.  Today, with the rise of online shopping turbocharged by the pandemic, a card number with its CVV (that three-digit code from the back) is worth almost as much: Current figures at the time of writing show cloned cards selling for $25 to $35, while a U.S. credit card with CVV fetches $17.  When those same cards include details full of personal information and a healthy credit limit, the price can rise to $240 or more. 

You May Not Find Out Immediately

Ideally, you’d be notified quickly when your credit card information is leaked, but it doesn’t always happen immediately.  Companies may need some time to assess the breach and determine who is affected, and what information has been stolen.  They may also need time to correct the vulnerability the hackers exploited. 

Less creditably (no pun intended), companies may defer disclosure because they simply don’t know yet that the breach has happened.  Many long-standing vulnerabilities are still actively exploited, years after they were recognized and patches for those vulnerabilities were issued.

The hard truth is that many companies don’t have world-class IT talent in their ranks, especially among small- and medium-sized businesses and smaller financial institutions.  That makes them attractive to hackers: They’re not capable of coping with a sophisticated attack, but have enough data or other resources to be worth the effort of mounting an attack.

Knowing When Your Card Has Been Compromised

By all means, if your financial institution or credit card provider offers security alerts, take advantage of them.  Just don’t count on them to be your only protection from a data breach or other attack.

Your first line of defense, now and always, is simply paying attention to your accounts.  Scrutinizing your monthly statements for “mystery transactions” is a good start, or better yet, setting a specific day of the week to check all of your accounts.  You should also check your credit report regularly: You can pull a free one from each of the main Credit Reporting Agencies every year, so if you stagger them that’s one every four months. 

The most proactive step you can take is subscribing to Spokeo Protect, our identity theft protection service.  “Dark web” monitoring is one of its included features: We constantly check the shady internet black markets where personal information is bought and sold, and if your credit card numbers — or bank accounts, or SSN, or passport number, among other things — show up for sale, we’ll let you know.  That gives you the opportunity to act before scammers can exploit your credit and good name. 

Minimizing the Damage from a Leaked Credit Card

However you learn that your card has been leaked, the steps you’ll take to mitigate the damage are always pretty similar.  First, report the incident on the FTC’s IdentityTheft.org website.  The site walks you through the process of creating a personalized recovery plan, essentially a checklist of everything else you need to do. 

Those steps may include the following: 

• Reaching out to the credit reporting agencies to let them know you’ve been the victim of identity theft.
• Placing a fraud alert or credit freeze with the credit reporting agencies (that makes it a LOT harder for scammers to open new credit in your name, or rack up big charges without your knowledge).
• Identifying any fraudulent purchases, transactions or new accounts, and reaching out to the corresponding vendors or financial institutions.  Each of them will have its own process you’ll need to follow, in order to close those accounts or challenge and reverse the transactions. 
• Reporting your case to local law enforcement (some merchants or institutions may require a copy of the police report before they’ll process a reversal). 
• Reporting your case to the FBI’s Internet Crime Complaint Center (IC3).

You might need to take additional steps if the criminals have used your identity for other purposes, such as tax fraud or medical fraud, but this is at least a starting point. 

A Couple of Extra Pointers

You can also reduce the likelihood of losing your credit card information in a breach by simply having fewer active cards.  Your lesser-used cards represent a potential danger, because you won’t necessarily notice if a scammer runs up a tab.  If you stick to just a few cards with specific purposes — one for gas, one for groceries, one for emergencies — it’s easier to spot bogus transactions when they happen (“Why did a jewelry store bill my grocery card?”). 

It’s also helpful to have a separate card, ideally a prepaid card, for purchases at online retailers (especially ones you haven’t dealt with previously).  Remember, smaller merchants are a popular target for hackers: If the card number they steal is for a prepaid card, that automatically limits your exposure. 

Every time you use one of your cards it’s a risk, but realistically that risk is acceptably low.  If you limit the number of cards you use, take full advantage of security alerts from your provider (and Spokeo), and keep a close eye on your accounts, there’s no reason you shouldn’t be able to use your cards with confidence. 

Sources

The Verge: PSA: Neiman Marcus Still Exists and It Was Hacked

The Hill: Financial Firms Facing Serious Hacking Threat in COVID-19 Era

VentureBeat: Next-gen Software Supply Chain Attacks Up 650% in 2021

SiliconAngle: Report Finds Companies Continue to Expose Data Through Misconfigured Cloud Storage

Identity Theft Resource Center: Notified

Krebs on Security: Data: E-Retail Hacks More Lucrative Than Ever

Privacy Affairs: Dark Web Price Index 2021

Ars Technica: Feds List the Top 30 Most Exploited Vulnerabilities. Many Are Years Old.

Inc.: 6 Things Every Small Business Needs to Know About Ransomware Attacks

Georgia Bankers Association: Never Too Small to Target

IdentityTheft.gov: Report Identity Theft and Get a Recovery Plan