Credit card details stolen every 1-2 years. What am I doing wrong?

Question

Background

I just had my credit card canceled because of fraud. This is actually a perfectly normal occurrence for me, which is the impetus behind this question. The card in question was only about 1.5 years old, because that is how long it has been since my previous card details were stolen. Over the past decade I would say that I have had my credit card canceled for fraud on average once every 2 years. I think there was once I made it to 3 years, but also at least once where I only made it a year before it happened again.

To be clear it isn't being physically stolen and I've never once lost my card. I obviously have no idea how it happens every time (although I'm certainly aware that there are plenty of ways for your card data to be stolen without you knowing). I generally consider myself someone who practices reasonable credit card security. I don't use my card at gas pumps (gas pump skimmers were common in my area for a while), I only use it with major e-commerce vendors online, and I usually use cash at restaurants rather than handing someone my card.

Most people seem surprised that my details get stolen so often, which makes me wonder if I'm doing something wrong even still. However, I don't actually know if that is the case. Fortunately it isn't more than a nuisance for me when it happens. I've never had to pay for any of the fraud and the bank always sends me a new card with a minimal of hassle. It just "costs" me the inconvenience of being card-less for a week or two and then having to update my credit card details everywhere. Still if there were additional steps I could take to minimize the chance of fraud I would take them to try to stop this from happening so often. So, I realize this is a bit broad, but:

The Question

1. Is having my card details stolen every 2 years a sign that I am unlucky, doing something wrong, or is it perfectly normal?
2. Are there any other steps I can take to minimize the chances of this happening in another 1-2 years?

A Second card

So far I've had lots of comments about having a second card. That's not a crazy idea, and hasn't really occurred to me. It can certainly help when I'm down a card, although it also has its own disadvantages (one more thing to check every week, one more place to make payments, etc...). Still, while strategies to minimize the inconvenience when my card gets stolen are helpful, I'd rather come up with ways to minimize the chances of my card getting stolen in the first place.

Fraud Example

As an example of the actual fraud, I found out my card was canceled when it was declined at a grocery store. I immediately went home and checked my transactions online. I saw a number of smaller transactions that were definitely fraud. Two were $0.30 transactions from a retailer who's name was literally a random string ~20 characters long and based out of Indiana (I'm in Florida). Then there were two ~$10 charges claiming to be from a magazine which I had never heard of. Those transactions were allowed by my card (although the transactions will likely be canceled before any money exchanges hands, and I certainly won't have to pay for them).

When I called Visa they asked about further charges that I didn't see on my bank statement because they had been declined. That included my attempt to get groceries, ~$500 at a travel center in Zurich, and a large number of smaller transactions that I can't remember. All of this makes me suspect that regardless of how my credit card was obtained, it found its way into the larger credit card fraud world where criminals try to turn stolen cards into actual cash. The small transactions followed by larger ones matches my own expectations in this area from my personal and professional experience - small transactions are first performed to verify that the credit card details are still valid while trying to stay under the radar, and then larger transactions are made for products that can be converted to cash (unfortunately I have no idea what was being "purchased" at the travel center in Zurich).

Answer 1

Statistically, one of the e-commerce sites you used your card on was hacked. Once every 2 years is above average for that kind of attack, but not by that much. There's no good way around those types of attacks, other than not saving your credit card details on e-commerce sites.

It would be a good idea to double-check your computer security, though.

Answer 2

No, it's not common to replace your card so often

I'm going to attempt an answer on this one to provide a few steps you can take to minimize your risk of having your credit card number stolen. It sounds like you've taken a few steps already, but there are definitely other ways for scammers to get ahold of your digits.

Shred/burn Paper Credit Card Statements or switch to paperless statements

Considering your statement that scammers are using skimmers at gas pumps, it's probable that they are also dumpster diving for more ways to commit fraud. This is common if you keep your trash can outside and regularly add bags as needed -- and if you take the can to the curb the night before trash day. Completely destroying your statements before disposing of them could reduce your risk substantially. Another option would be to switch to paperless statements (double bonus - saving the environment). Switching to paperless has the added effect of eliminating the chance that someone takes your statement out of your mailbox.

Online Merchant Security

Another potential way for scammers to get your information is to send phishing e-mails that look legitimate. It may have all the hallmarks of an Amazon e-mail asking you to update card information, but it's best to avoid using links at all. If Amazon really wants you to update any information, simply type the address into your web browser and make sure you're on the correct site.

Additionally, it might be wise to get a solid anti-virus program to ensure there are no malicious programs that could be logging your keystrokes. Unlikely, but always a possibility. As another answer mentioned, do avoid public networks if you are doing any shopping from your mobile phone. Best to just disconnect from the WiFi and use a mobile network while you make the purchase.

Get an RFID blocking wallet

As I mentioned in my comment, it's possible for a scammer to walk up behind you in the mall and scan your card from your back pocket without you even knowing. You can purchase a specially designed wallet that will block these types of scanners and prevent your numbers from being stolen. As Will pointed out in a comment, there has been little evidence of RFID attacks occuring, but this remains an option for improving general security. It is more probable that your card information was stolen another way.

Another note on this -- the efficacy of this sort of attack has been hotly debated in the comments below. The chances of this being the cause of your card's theft is unlikely, at best. RFID-blocking technology is only potentially useful if you know that you do have an RFID card -- which is uncommon in the United States and more common overseas(such as in the UK).

---

Personally, I've carried 4 different cards for the better part of 5 years and the only reason I've needed to replace them is that they get worn down and unusable -- and I live in a fairly large city. Having to replace your card for fraud this often speaks to some very determined scammers in your area or particularly bad luck. A few small changes could increase your odds of keeping the same card longer.

Answer 3

It might be worth asking your bank for more details about the fraud (e.g. what triggered the fraud alert) because you might find that some perfectly legitimate sites are causing fraud errors.

About a month ago I got a phone call from my (Australian) bank informing me my card had been disabled due to potential fraud. When I asked what triggered it, they told me it was a payment attempt to Apple. I had renewed my Apple Developers subscription just days before, and due to a spike in scammers asking people to buy iTunes gift cards, they locked my card as a preventative measure.

My other advice is to change your account passwords for sites where you store your credit card details, and have a look on lists of compromised websites (such as HaveIBeenPwnd's list of websites to see if a company you're dealing with has been compromised and what data was breached.

Finally, as others have suggested, do a scan of your computer for malware and other nasties, in case attackers are getting to your details that way.

Answer 4

I have been in your shoes, and solved the problem. I followed all bank advice, but it didn't help at all. I finally switched to using strictly cash for all brick-and-mortar purchases, and the fraud stopped completely.

I think it was gas pumps. Soon after I switched, I saw a CBC documentary on skimmers used on gas pumps, and particularly ones furthest from the building. Those are the ones I preferred, too. U.S. pumps now have labels that break if the panel has been tampered with.

Something in your habit has a skimmer. It could be a restaurant, or gas pump, or whatever. I have resumed using my card, but not at far pumps, and have had no problem. My recommendation is to switch to cash for a long while and see if the fraud is local, vs online.

Answer 5

I am really surprised that no one told about create a virtual card. Whenever i want to buy something with my CC, i genereate a virtual card. It has modififed data but can be used only once. After your first payment, you cannot reuse it.

Updated 04 Dec 2019: I would like to add that is also possible to use virtual cards phisically. You only need a NFC compatible phone and an app like Samsung Pay, Google Pay or Apple Pay. You could use a compatible wearable too.

Answer 6

The second card idea is useful more than just having a card when everything else goes down.

• Pick up a card attached to a new account specifically for online purchases (They might know what you mean if you ask for a "Firewall" account).
• Set it up so that the balance cannot go negative (it will decline rather than overdraft).
• Keep a small balance, use a phone app to transfer money in before you do a major online purchase
• Use ONLY this card for online transactions, never use it offline, never use your offline cards online

The really big advantage here is that the next time one of your cards are canceled, you will know if the thief was online or offline. Further subdivision is possible if you have the interest and patience--You might even identify the culprit in a decade or so :)

Also: Don't assume you are safe because you use Linux/Mac (However, assume you are compromised if you use Windows)

Answer 7

To be clear it isn't being physically stolen and I've never once lost my card.

Are you sure someone with physical access to your credit cards isn't selling the details online? They don't need to steal it in order to get the details.

For example: roommates, family members, hired help, coworkers?

Answer 8

My immediate reaction is that your account(s) is compromised. Do you have an easy to guess password? Change it. Turn on multi-factor authentication if your bank offers it. Check your "last visited" note every time you log in (if the bank doesn't offer this, change to a bank that does). If you don't bank online, immediately call your bank and see if someone opened an online account for you. You might want to quietly observe your mailbox and see if people are snooping.

Instead of just sending you a new card, your bank should be changing your account numbers, changing your login id and such.

Other steps: If you do anything requiring login from public wifi, stop that. Make sure your "major ecommerce vendors" are in fact the real address, and you haven't been using a front the entire time. As mentioned in the comments, consider separate cards for things like your online purchase, automatic billing and everyday use and only carry the everyday use one around. Consider a RFID-shielded wallet.

Answer 9

Many good suggestions have been made here. I just wanted to add that there are more secure alternatives to pay online. For example, Amazon gift cards can be purchased with cold hard cash - if compromised, your more sensitive accounts are still protected. Mobile providers sell top-up cards at the grocery store (at least by me). I use Amex Serve a lot: it's prepaid debit that can be pre-loaded with cash, but then functions like a card. One obtained in-store starts out anonymous, but you can sign up for an online account, add sub-accounts with extra cards for subsets of purchases, delegate one to -let's say- your teenager to use as allowance... It's a different, probably lower, tier of services than you are probably used to with credit cards, but it can confine the damage: if my Serve card is stolen/skimmed, the most the thief gets is the $50 in my account at the time, and certainly no credit score damage.

Answer 10

Yes, this is common.

I had a call from the bank, saying that they unfortunately had to change my card, because the details were stolen. They detected this in the internal audit, I didn't have to do anything to verify the card statement.

Fast-forward, less than a year!

I had a new call from the bank, saying they again unfortunately had to change my card, because the details were stolen.

Sites get hacked all the time. There's nothing you can do for it. Even I, as a professional software developer keenly interested in security, do not have enough time in my hands to fix every single e-commerce site.

Let's just say security of most online sites is way too low by professional standards. It's interesting how these unprofessional programmers are hired massively at low cost and do a poor job in all aspects of software design.

The only thing you can do is to be careful of how you use your card online, and to use it less online and pay more in physical stores. But is that worth it? Probably not. You're missing a lot of good deals by avoiding e-commerce.

I think your card terms & conditions should say that as long as you are careful enough with using the card online, you are not personally responsible for the losses caused by card detail theft.

Edit: there's of course the option of only using sites that support PayPal. Most of the E-commerce sites I don't trust, but if a site uses PayPal, your card details are only handled by PayPal and thus I'd say your card details are in safe hands.

Answer 11

There are some great answers already, but I realized one more likely culprit for this latest theft that hasn't been mentioned in the answers:

I recently signed up for pest control services from local companies (one spraying for standard household pests, and one for mosquitoes). Since both are a monthly service they wanted to have a payment method on file, and so took my credit card details. Both companies took a copy of our card details when they fist came out (I'm not sure how exactly because my wife set it up), and I didn't give it a thought at the time. Both started within the last 4-6 weeks though, which makes the timing very suspicious.

I'm definitely not going to let them put my new card on file, although unfortunately I don't know what other payment options they have for me. I'm sure card-on-file is their preference, but it's definitely not my preference anymore. I may have to see if they'll just accept a check or cash everytime. Check fraud is a risk too of course, but in my experience is not as common as credit card fraud.

Answer 12

As a few answers above have intimated it appears your main issue has been very lax social security when it comes to your financial information.

The more you use your credit / debit card(s). Be it at Macy's , Best Buy or the local restaurant and bar...the vastly more likely it will be that you'll encounter fraud against one of those accounts.

Social Engineering is THE low hanging fruit method for fraudsters to get access to your card data. Among their methods:

1) Fishing , either via phone calls or emails that get you to provide information to fake services or response to fail emails purporting to be from your bank or card holder.

2) Eye surfing, you'll be surprised how quickly some one trained at doing it can remember a 16 digit card number. Any live agent at a store, bar, restaurant, mall... is thus a potential breach point. Trust that the pimply faced 18 year old who just sold you a shirt could have recorded your digits (assuming they handle the card).

3) Device scanning, by using very simple swipe devices on cards without chips ... live agents can grab hundreds of numbers. Using clandestine devices in ATM's or metro transit fill machines is one of the biggest vectors for mass gathering of card numbers.

So what you can do to dramatically reduce your exposure is clear.

When making purchases in any real life store, get cash and pay with that.

When making purchases at a restaurant or bar, similarly always use cash.

To prevent theft of your cards, just keep one in your wallet or bag. There is no reason to carry all your cards out to the world if you don't plan on using them all.

It is a vast misnomer that online spending is a vector for such breaches WHEN you stick to large well known businesses. Google, Facebook, Macy's , Best Buy, Amazon....etc. tend to have extremely rare incidences of security breaches and when they do happen they are contained and restricted to a small impact due to isolation of data.

Do buy or shop from big companies for this reason and shun smaller/ newer companies that don't outsource their e-commerce needs to a bigger provider. Amazon and Paypal both have excellent secure payment services that many smaller companies implement so look for these as providers for small companies if you insist on buying from them...that said, again..online breaches are still a vastly smaller vector for credit card data theft compared to the earlier described real world examples. Get rid of those vulnerabilities and your breach incidence should fall dramatically.

Answer 13

I would recommend buying cards from revolut and transferwise to be used in online shopping transactions. When not in use keep the cards frozen. I mean keep it disabled from the app.

Some normal banks also do offer to disable/freeze the card from the mobile app when its not being used actively.

Answer 14

Video skimming? I used to have my card compromised annually. I realized that my card information was easily available ... on my card. Any good video camera can skim my number from distance at a gas pump or short range at a diner. I put a piece of tape over my card number and haven't had a problem in three years (knock on wood). Nobody needs to see the number at the gas station or most any other uses, and if they need to, they can peel back the tape.

Answer 15

I expect your identity is compromised. This will be the fault of one of the retailers you use (not necessarily where you use this particular card), or possibly a criminal working in a card issuer's customer support centre. You might volunteer to help your bank's fraud team, but don't push it. They have the "hall of mirrors" problem well known in spy novels -- they have to guard their procedures carefully and they have to regard every defrauded customer as a possible perpetrator of fraud.

I have always had several cards, and the risk of having one suspended because of fraud is one of the reasons. (It only ever happened once to me). It also means that if one bank's computer systems have failed while I am trying to pay, or if the chip or mag-stripe on the card has gone bad, I just pull out another one. NB never use the same PIN for two or more cards! (To keep the issuers happy, make sure you use all your cards occasionally. They'll expect you to have a favourite and will occasionally send you offers to try to get you to make their card your new favourite. But if you don't ever use it and have zero balance they'll cancel it).

In the UK there is a system called (IIRC) CIFAS which adds extra security precautions to your identity with respect to obtaining new cards or making "risky" purchases (such as high-value goods online). Crucially, being CIFAS-registered does not affect your credit rating, although it may make your life more irksome after you are approved for a new card.