People often ask me what they can do to prevent themselves from being victims of card fraud when they pay with their cards at shops or use them in ATMs (for on-line card fraud tips see e-victims.org, for example). My short answer is usually “not much, except checking your statements and reporting anomalies to the bank”. This post is the longer answer — little practical things, some a bit over the top, I admit — that cardholders can do to decrease the risk of falling victim to card fraud. (Some of these will only apply to UK issued cards, some to all smartcards, and the rest applies to all types of cards.)
1. If you have a UK EMV card, ask the bank to send you a new card if it was issued before the first quarter of 2008. APACS has said that cards issued from January 2008 have an iCVV (‘integrated circuit card verification value’) in the chip that isn’t the same as the one on the magnetic stripe (CVV1). This means that if the magstripe data was read off the chip (it’s there for fallback) and written onto a blank magstripe card, it shouldn’t — if iCVVs are indeed checked — work at ATMs anywhere. The bad news is that in February 2008 only two out of four newly minted cards that we tested had iCVV, though today your chances may be better.
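As an added illustration of the check behind tip 1 (this is example code written for this post, not something the banks or APACS publish), the script below parses ISO 7813 Track 2 data from the magnetic stripe and the Track 2 Equivalent Data that the chip returns (EMV tag 57), and reports whether the CVV field in the two copies differs. If the chip’s copy is byte-for-byte the same as the stripe, a stripe cloned from chip data is indistinguishable from the real one; if the chip carries an iCVV, the issuer can tell the clone apart, provided it actually checks. The card number, expiry and discretionary data are constructed for the example, and the position of the CVV inside the discretionary data (last three digits) is an assumption, as issuers lay that field out as they please.

```python
"""Check whether a card's chip carries an iCVV, i.e. whether the Track 2
Equivalent Data in the chip (EMV tag 57) differs from the Track 2 data on
the magnetic stripe. Identical copies mean stripe data read from the chip
would work as a cloned magstripe; a differing CVV field lets the issuer
reject such a clone, if it checks iCVV. All card data here is constructed."""
from dataclasses import dataclass


@dataclass
class Track2:
    pan: str            # primary account number
    expiry: str         # YYMM
    service_code: str   # 3 digits; first digit 2 or 6 means an IC (chip) card
    discretionary: str  # issuer-defined: typically PVKI, PVV and CVV1/iCVV


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used on PANs; catches a mistyped sample number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(data: str) -> Track2:
    """Parse ISO 7813 Track 2, either magstripe form ';PAN=YYMMSSSDD...?'
    or EMV tag 57 form 'PAN D YYMMSSSDD...' with an optional trailing F pad."""
    s = data.strip().upper().lstrip(";").rstrip("?").rstrip("F")
    sep = "=" if "=" in s else "D"
    if sep not in s:
        raise ValueError("no field separator in Track 2 data")
    pan, rest = s.split(sep, 1)
    if not (12 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("malformed PAN")
    if len(rest) < 7 or not rest.isdigit():
        raise ValueError("expiry date or service code missing")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def cvv_field(t: Track2) -> str:
    # Assumption for this example: the issuer stores the 3-digit CVV1 (stripe)
    # or iCVV (chip) in the last three digits of the discretionary data.
    if len(t.discretionary) < 3:
        raise ValueError("discretionary data too short to hold a CVV")
    return t.discretionary[-3:]


def chip_has_icvv(stripe_track2: str, chip_tag57: str) -> bool:
    """True if the chip's copy of the track carries a CVV that differs from
    the stripe's CVV1, so a stripe cloned from chip data is distinguishable."""
    stripe, chip = parse_track2(stripe_track2), parse_track2(chip_tag57)
    if stripe.pan != chip.pan or stripe.expiry != chip.expiry:
        raise ValueError("stripe and chip data are not from the same card")
    return cvv_field(stripe) != cvv_field(chip)


# Constructed sample data: test PAN 4111 1111 1111 1111, expiry 12/12,
# service code 201 (international chip card), discretionary PVKI 1, PVV 2345, CVV.
STRIPE = ";4111111111111111=12122011234567?"           # CVV1 = 567
CHIP_WITH_ICVV = "4111111111111111D12122011234901F"     # iCVV = 901, differs
CHIP_WITHOUT_ICVV = "4111111111111111D12122011234567F"  # plain copy of the stripe

if __name__ == "__main__":
    for label, chip in (("iCVV card", CHIP_WITH_ICVV),
                        ("pre-2008 card", CHIP_WITHOUT_ICVV)):
        print(f"{label}: chip CVV differs from stripe -> {chip_has_icvv(STRIPE, chip)}")
```

The comparison only tells you whether the chip copy is distinguishable from the stripe; whether a cloned stripe is actually refused still depends on the issuer checking the iCVV at authorisation time, which is the caveat tip 1 makes.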
2. In places that you are able to pick up the PIN entry device (PED), do it (Sainsbury’s actually encourages this). Firstly, it may allow you to hide your PIN from the people behind you in the queue. Secondly, it allows you to give it a cursory inspection: if there is more than one wire coming out from the back, or the thing falls apart, you shouldn’t use it. (In the picture on the right you see a mounted PED at a high-street shop that is crudely taped together.) In addition, be suspicious of PEDs that are mounted in an irregular way such that you can’t move or comfortably use them; this may indicate that the merchant has a very good camera angle on the keypad, and if you move the PED, it may get out of focus. Of course, some stores mount their PEDs such that they can’t be moved, so you’ll have to use your judgment.
3. Put a hand, wallet, purse, hat over your hand when you punch in the PIN at an ATM or PED. Don’t be shy about it. Practice punching in the PIN in such a way that your hand movements do not reveal the digits (one way is to use your thumb underneath your palm). Hiding your PIN as you enter it is prudent and good practice, though it may not save you if the PED has been compromised during manufacturing, or as we have demonstrated in the past.
4. If you have a debit card, keep as little money as possible in the account that is associated with that card so you minimize the amount of money criminals have access to. Also, try to set the account such that there is no overdraft allowed on it.
5. When you travel outside of the UK with an EMV card, local criminals can steal it and sign for goods at places without EMV infrastructure; they don’t need to know the PIN. You will then have to fight for your money with your bank. So don’t take along cards you do not intend to use, and if you do, hide them well, especially if you leave them behind in a dodgy hotel.
6. Set your cards to have different PINs: if someone saw your PIN when you entered it at a shop and later steals your wallet, he will be able to withdraw money from all of your cards. Even if the PIN wasn’t compromised, if the criminal assumes that all PINs are the same, he now has more attempts to guess it. If you find it hard to remember multiple PINs, then set them to have some relationship (that you keep to yourself). Say, each digit of the second card’s PIN is an increment of the corresponding digit of the first card’s PIN; there are many ways to do this such that it is easy to derive PINs from the one you remember.
7. Be observant at ATMs. A broken ATM should either be off, or more properly, display an “out of order” message on the screen. A note posted on the screen may indicate that the criminals are trying to divert you to an ATM they have compromised (by installing an ATM skimmer or a Lebanese loop). Or, they have placed a fake ATM nearby that may give you the cash, but will empty your bank account. In general, avoid using mobile or detached ATMs; fake or tampered ones can be easily passed off as legitimate, and you are unlikely to notice. (The advice on how, where and when to install ATM skimmers by a seasoned card fraudster can also tell us what to look out for.) Finally, be suspicious of anyone “helping” you to use an ATM.
8. Put a thin opaque tape over the CVV2 (the three digit number on the back of the card that is used for card-not-present, i.e. on-line, transactions). All a cashier or waiter needs to know in order to make an on-line transaction with your card is the account number, name, expiry date, and the CVV2; all helpfully available on the card itself. Hiding the CVV2 from being remembered on casual inspection may save you from paying for someone else’s big screen TV. In some cases the crooks may need your address as well, so the waiter that skims your card also gives you a raffle card to put your details on for a chance to win a free bottle of wine on your next visit. Since the address verification in the UK is inadequate, all they need to do in order to get the TV delivered is to find an address that matches the digits within yours.
The CVV2 is used as a weak indicator that the person making the on-line purchase is actually in possession of the card. There is nothing preventing you from scratching off the three digits and keeping them safe elsewhere (near the only computer you do on-line transactions on, for example). In addition, when you lose your card, it will be harder for criminals to use it on-line.
9. If you have access to a magstripe encoder, replace account details on the magstripe with 0’s. The disadvantage is that this card will be useless where smartcards are not accepted. So if you know that you’ll always use the chip, erasing the magstripe may be a good idea. (Practically, you may not want to erase the whole stripe because some ATM card slots check for data at the front of the stripe in order to accept the card; if that data is gone, you won’t be able to get cash. I also suppose that there are other ways to make the magstripe data invalid other than erasing it with an encoder.)
10. After you return from a trip abroad, if you have any doubt about the places that swiped your cards, change your PIN at an ATM. This will prevent criminals from withdrawing money from your account in countries that do not have EMV. You may also want to consider canceling the card, or ask your bank what to do. (In the UK, it is easy to change the PIN at an ATM, and I am unaware of any limitations on the amount of times that that can be done. I believe that some banks will re-issue you cards a small number of times per year for free, and then start charging you for them.)
11. If you know of shops that let you pay with your card as a chip transaction but also swipe the magstripe for good measure and no apparent good reason, stop shopping there (I’ve experienced this in two different chain stores in the UK). They are not supposed to do that, and it is bad practice to educate cardholders that this is OK. Sometimes it happens so fast you can’t stop the swipe; if you are concerned, change the PIN. It is common for cashiers to use a ‘swipe-and-dock’ register if the PED fails (or always!). Avoid letting them use it if you can.
12. If a waiter takes your card and walks away, call them back or follow them. With Chip and PIN, they are not supposed to take the card away; in fact, they are not supposed to handle the card at all. If they see you following them, they might think twice before skimming your card and details with a tiny portable card reader.
13. If your PIN has two (or more!) digits that are the same one after another (‘1066’ is a good example of a really bad one), make sure you pause between them such that you do not help the criminals guess your PIN.
We can argue that in a well designed system some of the tips above would not be necessary, but that’s what we have to work with. It will be interesting to observe how banks will deal with card fraud in the current state of financial affairs. It seems to me that banks are going to be stricter with giving money back when fraud occurs, even in clear cases in favour of the cardholder, while victims are going to suffer even more due to the loss.