If you're like most Americans, you'll probably use credit cards to buy gifts this holiday season. But in light of recent data breaches at Equifax, Yahoo! and other companies, there are good reasons to be concerned that you may be at risk of identity theft thanks to exposed Social Security numbers (SSN) and other private information.
In July, the Identity Theft Resource Center reported a 29 percent jump in data breaches in the U.S., hitting record of 791 incidents for the first half of 2017. Steven Andrés, Ph.D., who teaches cyber warfare/terrorism and critical infrastructure protection at the Graduate Program in Homeland Security at San Diego State, says it's worth considering these six pieces of advice before you start your shopping:
1. Freeze your credit.
California law allows you to place a legally binding "security freeze" at each of the three major credit bureaus (Experian, Equifax, and TransUnion). This freeze is like a firewall for your credit file, says Dr. Andrés, and prevents anyone from opening or obtaining your information (including yourself).
A criminal armed with your SSN would meet resistance when the bank or financial institution attempts to look up your credit worthiness.
"When you want to legitimately use your credit file to buy a car or a house, for example," says Andrés, "a phone call and a few minutes is all it takes to temporarily 'thaw' your credit freeze for a few days or weeks." The protection is automatically restored after the thaw period that you define.
2. Beware credit locks.
"Credit agencies will try to sell you on supposedly better protection afforded by their 'lock' or 'monitoring' services, for a monthly fee," Andrés explains. "While a credit freeze does incur a $10 one-time fee at each bureau and another $10 fee for each temporary thaw, this is far more affordable than a monthly service that only notifies you when criminals use your credit."
The security freeze actually prevents them from using your credit, so it's much stronger than a monitoring service. A security freeze is your best friend in the face of ever-present personal data breaches. Andrés, who teaches graduate students about cyber crime, is certain his SSN is out there on the "Dark Web," but he's had a security freeze in place for over a decade without incident.
3. Skip the strip.
The magnetic strip encoded on the back of your credit card is 1970s technology and easily cloned by “skimmers,” palm-sized devices that swipe the information from your credit card's magnetic strip and resell that information to criminals, says Andrés. Thanks to recent regulations, banks now issue cards with embedded microchips that allow for more secure in-store payment, but adoption among vendors has been slow.
“The ancient, low-tech magnetic strip is still included on chip cards just in case,” Andrés notes. “Because of this, your card is still vulnerable even if it has the higher security chip.” Ask your bank if they offer "chip-only" cards like those used in Europe. Andrés says you that “if you're brave, you can try to peel off your magnetic strip using a craft knife.”
4. Use Apple Pay.
At online stores and brick-and-mortar stores that offer it, ApplePay is an "order-of magnitude better security than the status quo" says Andrés, who is also the founder of cybersecurity assessment firm Special Ops Security.
Since the ApplePay system only sends a random, temporary, one-time credit card number to the vendor — done through a "tokenization" process — any breach at that vendor will not have an effect on your account. “The tokenized card number is only used for that one transaction and the bank's computers do the hard work of matching the temporary number to your real account number,” he explains.
Similar payment systems are available from Android, Samsung, PayPal, and Zelle, a consortium of banks, with varying degrees of security.
5. Try refillable debit cards.
One low-tech way to insulate yourself from skimmers and scammers is to pick up a few refillable debit cards at your local convenience store. Dedicate one for restaurant outings, another for clothing and gifts. Says Andrés, “Fill them up before you set off for your shopping spree and if any of their card numbers are compromised, just laugh it off and get a new one.”
Which is Safer, Buying Online or in Person?
You might think that in-store purchases are more secure than those done online, but an unscrupulous store clerk can use a “skimmer” to take information from your credit card's magnetic strip; that data is then sold and your card number imprinted on newly minted plastic in other parts of the world. These devices can also be found in some gas pumps and ATMs, stealing your information right off the back of the card.
While online you avoid the possibility of skimmers, says cybersecurity expert Dr. Steven Andrés, “you have the danger of poorly secured websites that may store your credit card and 3- or 4-digit verification code even though it is against payment industry best practices.” So the truth is that no matter where you shop, "buyer beware" is still the best advice.