Last week my husband accused me — nicely, in the way that spouses do — of having gone on a little shopping spree in Torrance, California, at a retailer called Smart & Final. My defense: I’ve never been in a Smart & Final, and we live in North Carolina, more than 2,500 miles away from Torrance.
I denied the accusation — nicely of course — but then realized that my “Morgan Stanley Debit Card Enhanced with Chip and PIN technology” had some explaining to do. The card, which was sitting right there in my wallet, had been used in three California transactions.
So much for enhanced technology. It was only a few months ago that the bank had sent me this new debit card, touting its improved security features.
Last week, after explaining to the customer service rep I reached in the Morgan Stanley Fraud Department that I’d never visited a Smart & Final (or shopped on its site) I asked him how he thought my card had been scammed.
Rep: “Did you use the card at a Wal-Mart? A gas station? In fact, did you swipe the card anywhere?”
Me: “No, yes, and yes. But the only reason I swipe the card is that no retailer seems to be chip enabled.” I realized then that my card might have been compromised almost anywhere because so few terminals are chip-enabled.
Rep: “A lot of times the scammers will put these little devices on the gas pump that will read the magnetic strip. Then they either make a new card or just use it online.”
Me: “Really? What can I do to make these transactions more secure?”
Rep: “Instead of doing the transaction at, say, the gas pump, I recommend going into the store and using one of their machines, where you can input your PIN number. I know it’s more convenient to swipe the card at the pump but if the scammers are doing this you might want to [go inside].”
Here I was again, right back at the same question a security expert had posed to me after my laptop had been hacked. How much convenience am I willing to give up to protect my privacy and security?
SAFE IN THEORY, LESS IN PRACTICE
For those of you who think these chip-enabled cards are more secure, as I did until recently, allow me to burst your bubble. In theory, they are; in practice, not so much.
Tim Logan, chief of cash management products at Morgan Stanley, explained that “he’s never seen a counterfeit situation with a chip-enabled card” when the transaction is fully encrypted from end to end. Good news!
But he also confirmed that less than 40% of merchants in the U.S. have chip-enabled terminals, meaning most of us are using our high-tech cards as plain old “mag stripe” cards, with all their weaknesses. Bad news.
Alas, these new cards are just as vulnerable as the magnetic stripe ones, leading to a false sense of security.
To learn more, I spoke with Jeff Wichman, a managing security consultant at Optiv, about these new chip cards. His headline to me: “[T]hey are limited in their security,” which is to say no better than a traditional mag stripe card. “Why’s that?” I asked. He explained to me that, “When we shop online, we still have to give up the three-digit code on the back of the card.” Even more unsettling, Wichman says: “There are reports of chip cards being cloned and reprogrammed with a new chip.”
Despite the promises of banks and retailers in Europe, chip-enabled cards are still vulnerable. Here’s what you can do to lower your risk of becoming a fraud victim like me:
- Make purchases from chip-enabled retailers. That’s much easier said than done, unfortunately.
- Monitor your transactions daily, and review statements for irregularities.
- When making online purchases use secure sites that have “https” at the beginning of the URL. You want that “s” – it stands for “secure,” and as imperfect as that may be, you don’t want to shop on a site that doesn’t use it.
- Sign up for text alerts from your credit or debit card issuer so that you’ll be notified immediately of suspicious charges.
- If you save credit card information on a retailer’s site, change the password frequently (at least four times a year).
- Ask the bank that issued your credit card for a virtual card number, which lets you shop online without revealing your actual card information to the merchant.
- Finally, use common sense: Whenever you’re entering a PIN, don’t forget to shield the keypad from bystanders. You never know who is looking over your shoulder.
As Morgan Stanley’s Duffy reminded me at the end of our conversation: “Being vigilant is the best way to catch fraud.” As for me, I’m glad my husband excels in that department.