Hackers don’t just open new accounts in your name, they prey on existing credit and debit cards. Here are a few ways to keep yours secure.
When consumers battle identity theft, they often focus on strategies that prevent criminals from opening new accounts.
But that’s only part of the problem. Existing credit cards and debit cards are still catnip to hackers. Already open with ready cash and lines of credit, they can be attractive and vulnerable.
Luckily, a few smart moves can strengthen your defenses. Here’s a quick list:
Set card alerts
Card issuers offer transaction alerts, and you can often set them by dollar-amount thresholds. Set them low, and you’ll be notified almost every time there’s activity on your card. That’s exactly what Eva Velasquez, president and CEO of the Identity Theft Resource Center, recommends: “Set it as low as you can. And you will know when your card is used.”
You can also set them higher if you want to focus on larger or more atypical transactions. Some cards will also let you arrange alerts only for online transactions.
The most important step to make alerts effective: Customize them.
“There’s no one-size-fits-all,” says Teresa Murray, a U.S. Public Interest Research Group consumer advocate.
An alert that comes to an email account you check sporadically is nearly worthless. So are text alerts that ping so often you routinely ignore them.
“Set them in a nuanced way, so that you’re happy to have them,” says Jim Van Dyke, senior vice president of innovation for Sontiq and inventor of BreachIQ, which operates Breach Clarity. “And fine-tuning these controls is very important.”
He also advises adjusting those settings until you get the right combination for you – rather than shutting them off entirely.
Consider a digital wallet
“If you’re comfortable enough and savvy enough, use a digital wallet,” says Velasquez.
The reason? Digital wallets, like Apple Pay or Google Pay, don’t give your actual card number to merchants when you make a purchase. Instead, they substitute a one-time use “token.” So if the merchant’s website or point-of-sale machine is hacked, criminals don’t get your card number. They get a number that’s no longer valid.
Opt for two-factor authentication on favorite shopping sites
If you’re like many people these days, you have a couple of online retail accounts you use heavily – and probably store your card on the site. So enable the site’s two-factor authentication, says John Breyault, vice president of Public Policy, Telecommunications, and Fraud for the National Consumers League.
“A lot of account take-over fraud occurs because people use the same password across multiple accounts,” Breyault says. “So turn on two-factor authentication whenever it is available.”
And that includes your devices, too.
Overall, two-factor authentication is “extremely powerful and would cut a lot of fraud if [consumers] would just use it,” says Van Dyke.
Be strategic about storing card information on shopping sites
It pays to pause when a shopping site asks if you want to store your card for future purchases.
“The answer is always ‘heck no,’” says Murray, who advises consumers to use digital wallets instead.
But Breyault disagrees.
“In some cases, it can be good to do,” he says. He says, from “man-in-the-middle” attacks to malware that searches out those 16-digit card numbers and logs keystrokes, it’s sometimes safer to avoid repeatedly inputting card numbers.
Conversely, storing that information puts the safety of your card largely in the hands of the merchant, he says. “I know that my local pizza joint makes a great pizza. I don’t know that they’re great at protecting my credit card information.”
His solution: “Yes” to storing cards on large merchants, services or browsers with cutting-edge technology. And “no” to keeping it on sites for mom-and-pop merchants and places where the tech is less sophisticated.
Take advantage of virtual card numbers
Virtual credit card numbers are literally made for online shopping. And if they’re available, they can be great fraud-fighting tools, says Murray.
How they generally work: Your bank or card issuer gives you a substitute number that’s good for shopping online or by phone. That way, if the merchant is hacked, criminals don’t get your actual card number.
Not all issuers offer virtual account numbers, but American Express, Capital One, and Citi are among those that do.
Use secure connections only
Your card number is only as safe as the privacy of your connection. So skip surfing shopping sites when you’re logged on at the library, the office or the corner coffee house, says Breyault.
Instead, do online shopping and banking from your home network – equipped with “a strong password,” he advises.
Inquire about your card issuer’s fraud-protection tools
Ask, “what protections do you have that I can avail myself of?” advises Velasquez.
Mobile banking can help you keep an eye on your account more regularly than once-a-month statements.
Scanning recent transactions “takes like two minutes – and daily isn’t too often to check it,” says Murray. “Nobody takes care of you as well as you do.”
Make time to look at monthly card statements, too. Federal law limits your liability from credit card theft to $50 if you report the crime within 60 days of receiving the statement with the fraudulent charge. (And most credit card issuers cap your losses at $0.)
Also, “know when to expect your monthly statement, electronically or by mail,” she says. “If the statement is late, it could be a clue that someone has hacked your account.”
See related: Credit card fraud and ID theft statistics
Be strategic with passwords
Devise account passwords that are at least 12 characters long, says Velasquez. “It can be a phrase,” she says. “Something you’ll remember.”
Never use the same password on more than one account. The reason: If criminals crack your password on a site with less scrupulous security, they can then use it to get into high-security sites where you store card information.
Be smart with peer-to-peer payment services
With peer-to-peer (P2P) payment networks, such as Venmo, PayPal and Zelle, if you send money to the wrong person, in the wrong amount, or for a product or service that never materializes, you’re usually out that money – unless the recipient chooses to give it back.
What’s important for consumers to understand with P2P systems, Breyault says, is that when something goes wrong, “their protections are significantly less than if someone gets hold of your credit card.”
He adds that fraud rates on P2P platforms are “three to four times what they are with credit cards,” he adds. “Frankly, the reason that’s the case is fraudsters know when there’s a problem, not a lot that can be done.”
Breyault’s advice: Save peer payment services for what the networks were originally intended: Paying friends and family – whether it’s splitting a restaurant tab or a vacation rental, he says. “That’s the sweet spot for most consumers.”
See related: How to choose a P2P payment service
Set boundaries on your cards
Depending on how you use plastic and whether you’re dealing with credit cards or debit cards, you might not want them to work in all situations.
For instance, some issuers “will let you set up use by geo-fields and allow you to prohibit your card being used anywhere outside of your state or online,” says Murray.
Don’t shop online? Find out if your card issuer will let you block online use, she says. “You don’t know unless you ask.”
And if you only use your debit card to get money from the ATM, ask your bank to issue you a plain vanilla ATM card (without a Visa or Mastercard logo) instead of a debit card, says Murray. If it won’t, ask if you can disable the signature function – so that the card only works with a PIN – or set the purchase limit at $1, she advises. And that won’t affect your ability to withdraw money at the ATM, Murray adds.
“You don’t have to have a debit or ATM card if you don’t want one,” says Murray. And if you already have a card you never use, ask the bank to deactivate it.
Secure your device
If you’re shopping and banking electronically, “be responsible with your [mobile] device,” says Velasquez. That includes using biometrics and two-factor authentication to turn it on and not letting anyone else use it – just as you wouldn’t let someone else use your credit card.
In case your device is ever stolen, know how to turn it off or even “brick” it remotely, she says.
Pay attention to data breaches
“The average consumer is breached twice a year,” says Van Dyke. And while data breach notices can be oblique and confusing, you’re looking to learn two things: What did criminals get, and what can they do with that information?
A couple of tools to help you: Once you’re notified, look up the incident on Breach Clarity. The database will list the type of information exposed, along with proactive steps you can take to protect yourself and your finances.
And the Identity Theft Resource Center has its own breach database and offers free assistance, advice, and resources.
Don’t be afraid to take card security a step at a time
“Instead of getting overwhelmed and saying ‘I can’t do [all these] things,’ do one or two,” says Velasquez.
When it comes to criminals, “don’t be the low-hanging fruit,” she says. Pick a few “easy to manage” strategies and do those first, Velasquez advises. “It’s not this all or nothing situation. You reduce your risk with every action you take.”