If you rely on News Feed in Facebook to find my posts, you're missing most of them. On average, only 16% of updates in Facebook make it into News Feeds. Let me suggest that you subscribe to me in Facebook, follow me on Twitter (@ccengct), or use an RSS reader.

Monday, December 15, 2014

Credit card compromise... again!

A credit card of mine has been compromised for the fourth time in fifteen years. Two of the exposures happened while I was traveling, perhaps attributable to a restaurant or hotel worker. I don't know how the other two happened. Notifying the card issuers is not difficult, but it takes time to surveil my card records for the next several months — and changing the card numbers at the online merchants takes time too. Meanwhile, when traveling you're out of luck unless you have a second card with you for standby use.

Fortunately mine were true credit cards, not debit cards. Consumer protections on debit cards are generally less than on credit cards. I distrust debit cards. By the way, just because your card says "Visa" or "MasterCard" does not necessarily mean that it is a credit card. Visa and MasterCard branding can be applied to debit cards also. Sometimes the card issuer does not make it clear whether your card is credit or debit. If you don't know that it's credit, it's probably debit. Two years ago, one of my card issuers tried to convert a card from credit to debit without explicitly telling me. Caveat emptor! Some card issuers will voluntarily extend additional protections to debit card holders, even to the extreme of matching the protections provided by federal law for credit card holders. I doubt you have much recourse, however, if a voluntarily extended protection turns out to be hollow because of limitations that you weren't aware of.

Europe has had "chip and PIN" cards for years now. In restaurants, a server brings a portable card reader to your table; you insert the card yourself, enter your PIN, and complete the transaction without the server's ever seeing your card number. That's the theory, anyway, and it seems to work quite well. Why did the Europeans get so far ahead on chip-and-PIN technology? The European telephone networks were not conducive to real-time validation of card use at the point of sale, and therefore the European banks had to devise an alternative. On the other hand, card issuers and retailers in the U.S. have avoided the higher cost of chip-and-PIN cards and terminals. Until now, they've preferred to pay out the occasional bad claim. It seems crazy but it's true.

EMV cards, as they're known technically, are coming to the U.S. at last. By December 2017 the traditional swipe card will be eliminated, even at gas station pumps. But one thing to note: unless I'm mistaken, the so-called chip-and-signature variant of EMV technology — halfway between the traditional U.S. card and the superior European card — will still be permitted in 2018 and beyond. That's unfortunate because many automated ticket dispensers in Europe do not accept chip-and-signature; they insist on chip-and-PIN.

Beyond mere surveillance, do you have techniques to minimize the possibility that your card numbers will be compromised?