The fundamentals of scams are the same. However, the technology used is increasingly clever. It is important to know how to spot identity theft and credit card fraud and where to report it if and when it happens. Today’s guest is Paige Hanson. Paige is an authority in consumer and digital safety with nearly 20 years of experience in identity management. As co-founder and Head of Communications and Partnerships at Secure Labs, Paige has dedicated her career to protecting consumers and businesses from identity theft and cyber threats. She is a certified Identity Theft Risk Management Specialist and holds a certificate in Identity Leadership from the University of Texas. Paige also serves as an advisory board member to R.O.S.E. (Resources/Outreach to Safeguard the Elderly).

“It’s best practice to fill out affidavits and forms and connect with the vendor immediately to tell them that it was not you.” - Paige Hanson
- [1:16] – Paige shares her background and what she does in her current roles.
- [3:02] – She worked with LifeLock in the early days of her career, but the experience led to her expertise in identity theft now.
- [6:08] – Chris shares what happened to a friend and their experience with identity theft.
- [7:40] – The Federal Trade Commission has an Identity Theft Affidavit.
- [9:25] – If you pay a bill that was made by a fraudster, it will be considered that you made the charge. Paige explains what best practice is.
- [12:06] – Always watch your credit card bills and take note of things that look unusual. Pay attention, even to the small charges.
- [13:47] – Notifications from your credit card company are a must have.
- [16:07] – Sometimes the notifications can seem annoying, but when something is out of the norm, these tools are critical.
- [17:48] – When you get an email that includes a link to login to an account, even if you recognize the sender, don’t click it. Develop the habit of using your browser.
- [20:22] – It can happen to anybody! Chris and Paige are security-minded, but it could happen to them as well.
- [22:48] – Paige shares an experience of noticing charges that she did not make and how noticing it early, she could cancel the order.
- [24:29] – Always use multi-factor authentication. Paige also recommends using an app in addition to what is included with your credit card company.
- [26:37] – Check links and make sure they are correct.
- [29:02] – At one time, Chris owned a business and shut it down because of the number of people making a fraudulent order.
- [30:45] – Online shopping and online payments are so common and a credit card doesn’t even need to be present to make a purchase.
- [32:35] – Paige explains how skimmers work and how they store card numbers.
- [35:19] – The likelihood of this happening is slimmer than other scams, but there are low-inconvenience and low-cost preventative measures you can take.
- [36:07] – The safest way to make in person payments is through mobile pay. If a location is breached, it doesn’t have your card info.
- [37:18] – If you use mobile pay, it is crucial that you keep your operating system up to date.
- [41:23] – When it comes to ATMs, it is best to go inside your bank’s branch and use the one inside. The worst ATMs to use are stand alone that are not attached to a bank.
- [44:33] – Identity theft could be accomplished by fraudsters by just taking advantage of low hanging fruit.
- [46:29] – Paige recommends using a credit card rather than a debit card.
- [49:11] – When traveling, Chris has a specific card that limits the amount of loss in the event of an issue.
- [52:47] – Using a service like PayPal helps with keeping things updated on accounts.
- [54:33] – When we make a convenient choice, we need to consider all the parts of risk management.
Paige, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me.
Can you give myself and the audience a little bit of background about who you are and what you do?
I’m a cyber safety expert. I have spent about 20 years educating consumers, law enforcement, victim advocates, about vulnerabilities when it comes to identity theft, broad digital safety-type tips. Right now, I'm just sort of a compliance management company, so we’re helping businesses with their HIPAA and regulatory compliance.
HIPAA is always so fun and exciting.
Isn’t it, though? It is. I’m knee deep in HIPAA right now.
How did you get into this field? Was it something that you planned on doing, that coming out of college you’re like, “Hey, I just want to go into consumer protection”? Or was this someone told you, “Hey, we need to fill this position”?
I was very fortunate enough. I’m originally from the Midwest, and I did an internship in Arizona. Actually, one of the people I did an internship for was starting a company. It’s called LifeLock. It’s an identity theft company. It went from baby, baby, blew up through IPO, acquisitions. So I was there right in the beginning.
There was a need from a marketing and a communication standpoint to fill. I’m very grateful for the opportunity to fill this in this company that was growing like it was and fill this educational need. I always had an interest in public speaking and in helping people.
The fact that I was able to develop and maintain this program where we educated law enforcement across the country and worked on that content really drove where I am now from just really wanting to get out there and help people become less vulnerable. Just with simple tips, there are so many little things you can do. That’s how I got here in a nutshell.
LifeLock started 25 years ago now? Twenty years ago?
Oh goodness, yeah. Well, actually, it was 2005, so we were coming up on about 20 years. That brand is part of Norton and Gen, so it’s evolved. Back then, I knew identity theft was happening, but no one was really talking about it as much as fraud was happening. You didn’t hear much about it.
The messaging first straight on was really just getting the awareness that this is happening. Let’s talk about it. Let’s do something about it. It’s just interesting with technology evolving how it has so much just these past 20 years, that scams are, a lot of it the same. They might be using just fancier technology, just a lot of the scam, so in the base of it a lot is the same.
Because yeah, conceptually, all scams are the same.
You give me money. I’m going to have a fear-based message. Person gives money. OK. Done.
Exactly. It’s interesting that you were at LifeLock. A relative of mine, probably predating LifeLock’s existence, was a victim of identity theft with someone working under their Social Security number and name, and not paying their income taxes in half a dozen different states.
I forget how they ultimately found out about it, probably the IRS said, “Hey, you short-paid your taxes. You forgot about these other taxes that you earned in these six other states.” There were no consumer alerts from the credit bureaus at the time.
Because these other individuals hadn’t paid their taxes, they were taken to court, which of course they never bothered to show up. There was a default judgment against this person that I know, and now they were stuck with having to hire lawyers in all those states to try to fix the identity theft.
It was with a lot of the states. This whole identity theft thing is kind of new, but there was already a default judgment against you. The only way to resolve the issue is to pay the back taxes, prove that identity theft happened, and then petition to get your money back.
Oh my goodness. That sounds awful.
It took this person years to clean it up because the identity theft in terms of your credit and stuff was just such a new experience that everyone saw it. We’re starting to see it as a problem, but no one knew how to actually help consumers.
Right, and then there weren’t the consumer resources like there are now. And even with the resources, it is like you mentioned, you’re guilty. This person had to prove himself innocent in not just one state or one entity, multiple states.
That’s just scary. No one wants a big scary letter from the IRS anyway. They were probably getting all these notifications and thinking, “Oh, well. That’s not me.” Then you had to really take them seriously to say, “I’ve got to do something about that.” That sounds awful.
Are they made whole again? Are they better?
Yes. Thankfully, multiple decades in the past now.
Good. Well, hopefully it’s a ha-ha 20 years later, but it sounds awful. It does not sound fun, no.
Let’s work backwards into this. How has identity theft recovery changed since then? What resources are available to people now?
The Federal Trade Commission has done a really good program. It’s an identity theft affidavit that is an official document that you fill out with exactly what happened. You get this affidavit to say, “I’ve been a victim of identity theft.” That is one of the biggest things that people didn’t have previously that they do now, is they can establish themselves as a victim.
Law enforcement knows enough about it that in some of the bigger metropolitan areas, you’re actually able to file an identity theft police report, say you were a victim, get a police report number, and an actual police report online. You don’t even have to go anywhere.
That’s really helpful in the recovery process for a victim because a lot of these lenders, they need some form of official documentation that you are a victim, what happened, your account, dates, time stamps, amounts, things like that, and all of that is in an official form. Whether it’s the identity theft affidavit or a police report, it is very helpful in the recovery process of a victim.
Are there steps that people often miss in trying to deal with an identity theft incident? Because I haven’t heard of the affidavit before. I haven’t looked into it a whole lot, but I wouldn’t have thought to have done that.
Well, a lot of times as an identity theft victim, you’re guilty and you have to prove yourself innocent. If you are paying a bill that was made by a fraudster, it wasn’t you, then you’re saying that this was me because a lot of times when we’re paying a bill, you have to check that box paying it online.
Have you ever noticed you pay your credit card online and you have to check a box that says, “I confirm all of these purchases are mine”? Well, if you’re paying a bill or you have a car that was opened up in your name, and you’re paying on that car even though it’s not you, yes, it might be negatively affecting your credit at the time, but you’re paying it. So you’re admitting, in the eyes of the process, you’re saying that, “It’s me. I’m paying. I’m paying on it.”
One of the mistakes—and we steer people away from—is actually paying on things that are not theirs and they did not commit. It’s best practice to fill out those, whether it’s the FTC affidavit form or the police report, then also connect with the vendor immediately with those forms and say, “This is not me,” and come up with a plan.
Now, you may not like the answer. The answer might be, “OK, we will look into this.” Meanwhile, your credit score is going down and down and down because you’re late on certain payments, but it will. There are forms with the credit bureaus that will remediate that, but in some cases, it’s going to take a little bit of time.
OK. So again, some percentage of people, even though they know it’s a bad debt, they’re going to pay it. They don’t want to see their credit score cratered because they know if they don’t pay it, it’s going to negatively impact their credit. That’s like, you’re damned if you do, damned if you don’t.
Oh yes. Give the example of automatic payments on your credit card. I find it to be extremely helpful because you’re doing a million things. I know on a certain date, my credit card payment gets paid out of my bank account. But before that gets paid, a week before I have a reminder to go in and actually check my statement. Before it’s paid, I want to make sure that those are actually every single charge that I made and know there were no fraudulent charges.
As financial institutions, they allow 60 days to report the fraudulent activity. So if you have 60 days to report it but you’ve already paid your bill, that just makes it a little trickier to get reimbursed. It might take longer on their side to do an investigation because you’ve already paid and said that that was actually you.
It’s just another tip that if you are automatically paying your credit card or before you pay your credit card, actually look at your statement, verify those are your transactions, and then go ahead and make that payment.
And the pro tip is to be always looking at your credit card bills, because who knows what’s going to show up there.
And that’s where I’ve really heard a lot of the credit card scams have started to do, to validate cards and to see if the owner of the card is paying attention. They’ll do smaller charges.
Most people are not going to notice a $12 Amazon charge. They’re going to figure, “Oh, my spouse made that,” or, “Was that the refill on my lemonade?” They’re just going to assume it’s a legitimate charge. And now the scammer knows, “Hey, I’ve got a card that works. Now I can start racking up the real charges.”
You hit it on the head. It works. That works for them because people are not going to notice all these smaller charges. Actually, I’ve seen fraudsters even get away from the 5¢, 10¢ charges because that’s a red flag. I’m not spending 10¢ anywhere, so it’s going to be in that $6–$25 range almost because that could be any lunch or quick grocery stop into the grocery store, any of the, like you said, Amazon order. Those are quickly gone. When you’re looking at your statement, you’re like, “Oh, that’s probably my spouse or somebody. I think that was me.” So, yeah, it makes it hard.
We’re talking credit cards here. We’re looking for transactions that we don’t recognize and reporting them right away. What’s your thought on alerts for credit cards? What amounts, how frequent, how to get those alerts?
Oh, it’s a must. It is a must-have. Those threshold and notification alerts are for you and your convenience. The credit card company does a really good job about knowing your spending algorithm and your spending habits, so you might get a text message or a message from them. But why not get them yourselves on how you feel comfortable?
The beauty about this is you can get notified every single time your credit card is used. You can do a threshold notification. Mine personally is $100. Anything over $100, I automatically get a text message. It doesn’t matter if it’s in-person or an online transaction.
I also get a card-not-present transaction. What that means is if I buy something online or if I have my credit card stored, let’s say, in an app that I’m using, like my kid loves to play at the McDonald’s play place, so we get bacon and apples every weekend, but I use the app. So my card is stored there. Every time it’s like $5.62 every Saturday. I get a notification from my credit card because my app, it’s a card-not-present transaction that’s made.
I also have set up for international transactions. I get a notification. Again, these are my preferences. So if somebody else prefers $10 every charge, $1000, it doesn’t matter. It’s where your comfort level is. I know for me, it’s caught fraud. I’ve caught fraud this way. It’s something that the bank did not catch because it was within my spending cadence or algorithm. And I find that it is an extremely helpful benefit that is free.
Just log on to your credit card company. It’s usually in your security settings. Sometimes it’s in the notification settings. Go to your portal, explore that portal. See what you can be notified of and use it.
And they’ve gotten pretty advanced now in that you can get it via email, you can get the notification via SMS, you can get it within the app. A lot of the bells and whistles you can say, “Well, if it’s this amount, just do it on an email. If it’s this amount, send me an alert.”
I’m the same way. I set my threshold for international charges at 1¢. It’s really annoying when I’m traveling internationally, but I know normally I’m really aware if I’m making an international purchase when I’m sitting at home, and definitely, it’s not my norm. I want to know right away.
Right, it’s helpful. These are the tools that didn’t exist or weren’t as common. Maybe one card company had these, but now pretty much any way you pay, you can get notifications. You get notifications even on your accounts from Amazon every time you make a charge or every time you order something.
A lot of the retailers, a lot of the credit card companies, you opt into those. But the key here is—and here’s the key—every time I get a notification, if it is via text message, email, it sends a handy-dandy link to check your account. We’re a little desensitized into thinking, “Oh, good. I’m just going to click on this link. They’ll take me to my account, and I’ll go ahead and check my activity.” What we want to do is pause. While that is a helpful link to get you where you’re going, that’s exactly what scammers will do, too. They start sending you saying, “Oh, there’s fraudulent activity on your XYZ card. Click this link to log in.” Then it’s going to take you to a fake website; they’ll steal your credentials.
So, really, a habit that I stick to, even in the most, most inconvenient times, I will open up a browser, go to my credit card website, or in this case—oh, I got an email the other day, it was, Ulta Beauty, “You’ve made your platinum status this year.” I was like, “Yes!” And it said, “Check your account.” So what did I do? I was like, “Oh, I could easily click on this. Nope, I’m sticking to my guns here.” So I opened up a browser, went to ulta.com, logged in that way, and then oh, in fact, yes, I did have achieved that status.
That’s just one example in the probably hundreds of emails you get in a week that you could easily click on that link, that you want to just get out of the habit of that convenience. In case it is a scam, go click on and go on a different browser.
This is a scenario that I ran across yesterday. I was renewing. I have a global entry card from the US government. I have it in my reminders to, “Hey, it’s about time for me to renew it,” and I actually got an email from them saying, “Hey, it’s time to renew it.” I don’t remember. Again, where is the web page for this program?
I thought I googled “global entry renewal,” and I thought I clicked on the government website link. The page looked like the government website, at least the color scheme was what I thought it should be. I started going through the process. I get down to the bottom.
The global entry program’s $100 for every however many years. It says, “Hey, we’re going to charge you $149.” I’m like, “When did the program change?” I start looking at the fine print and it’s, “We’re going to charge you $149 plus the federal government $100 fee.”
It was a company that they set up. Maybe I clicked on the ad link or I misspelled something in my Google search, so it wasn’t the government website. If I wasn’t paying attention, I would have given some yahoo $150 to submit paperwork on my behalf.
Luckily, I wasn’t providing a Social Security number or anything like that, or a password, but I got far enough in the process. I’m like, “Oh, gosh. How in the world did I miss that?”
Oh my goodness. I’m so glad you did, but this is a good point, though, is that it can happen to anybody. I would call both of us very secure people or secure-minded people, security-versus-convenience people, and these sorts of things can happen to anybody. I’m glad you caught that before you clicked that submit button.
I went and told my wife and she goes, “Oh, well, you should try to figure out how to report that website.” I had already gone off of it and I couldn’t figure out how to get back to it. I’m like, “I don’t know what I did. Did I click on an ad? Did I misspell something?” I, for the life of me, could not figure out how to get back to it. I guess I could have gone back in the browser, but at that point I’m done and over with it at this point.
Right, you want nothing to do with that website any longer, but oh my goodness.
I don’t need to be going back, but in my mind, it was the exact color scheme, the same layout that you would expect from the government site. I’m pretty sure they wouldn’t have used the DHS seal because that’s a federal crime, but maybe they were.
Maybe you would have hoped that they submitted it on your behalf. Otherwise, they’re just racking up the money behind the website.
And they may very well have sent out fake confirmation emails saying, “Hey, we’ll send you an email when you’re ready for an interview. This process could take up to three or four months. The program’s backed up with applicants.” I potentially wouldn’t have known about it for months.
Because all of that sounds about right, and you get email communications or updates, too. It sounds about right. Then you’re due for your next trip and all of a sudden, you don’t have your global entry; that would have had a huge impact on your travel.
Then I go on the actual global entry site and say, “Hey, your card expired six months ago and you didn’t renew it.” Well, I paid.
Man, you dodged that one.
Has that ever happened to you, something similar?
Well, actually, I was trying to work. It was a while back, but I got those threshold notifications. I got a text from Groupon. It was a few hundred dollars, and I found that to be weird because it wasn’t me. That’s usually a discussion my husband and I had before we make large purchases. Then I got an additional one from Groupon confirming the purchase. What ended up happening is I logged into our Groupon account. Someone had purchased a PlayStation bundle and sending it to Georgia.
Luckily, it was such a fresh transaction, I was able to cancel the order within the Groupon account. I changed the password, and then the person would probably no longer be able to gain access to that. I was so (1) grateful for my threshold notifications, but (2) it’s a reminder that it wasn’t a password. We likely reused a password and some other site had a breach, then here they were using those same credentials.
You likely use a lot of the same usernames and passwords on websites. It was a really good reminder, a couple of takeaways for both me and my husband. One, the reuse of passwords, you just can’t do it. There are so many breaches that you have to use a username and password that’s different for every one.
Two, it’s really risky saving your payment information in any format. Yes, I do it for some websites, but saving your payment information just makes it easier for fraudsters if they get into that account to then charge on that account.
And then three, adding a layer of authentication, so two-factor authentication. Whether you’re doing SMS and you’re having a text message go to your phone, or what I like to do now is a third-party app—so Google Authenticator, Duo, Microsoft has one—it’s providing a key for you every time. It’s something you have, which I have, this device that has that on there, and it’s also something I know, which is your password. So that’s two layers of authentication.
Thankfully, because we canceled the order, it didn’t go through. It wasn’t an actual credit card fraud. It was more of an account fraud. We didn’t have to change any of our credit card numbers. I’m grateful for those threshold notifications saving me on that one.
I like that you also have a spousal notification, if you will. My wife and I do the same thing if one of us is going to spend more than a certain amount of money. We at least let the other one know, “Hey, I’m going to do this.”
Then there’s always the random, I’m going through the credit card statements and there’s, “Honey, what’s this?” “I don’t recognize that.” “Well, it’s $49.75 last Tuesday.” “Oh, that was whatever.”
It irks me—I’ll go on a rant here. When businesses aren’t clear on their credit card line, the name of the business versus where you’re actually doing business, if that makes sense. Instead of it showing up with the credit card as target.com, it shows as TGT859 Tustin. OK, what the heck is that?
It would limit their amount of customer support calls, and there’s probably a rhyme or reason. Who knows? But, yeah. If they could just spell that out for us people that are actually looking at our statements and verifying purchases, that would be really great.
I’ve run across it a lot with mom-and-pop type of businesses. It’s mom’s bakery, but that’s not really the name of the company. It’s Aunt Rosa is the name of the company. Mom’s bakery and Aunt Rosa, how would you ever know that they’re the same thing?
I know, and you almost wonder it’s like, was that the process of them when they set up their account? Did they have an additional name or are they sharing an account with someone else to save on user’s names or fees? I don’t know. It’d be interesting to understand the rhyme and reasoning around what they post for you to see, a consumer to see.
I know decades ago, I had set up a credit card processing account. They didn’t ask me, “What do you want to show in the statement?” I was running a couple of websites selling things, and the company name wasn’t domain.com. It was the name of the company. While that was in the footer, they never asked me.
This is back when if you want to do credit cards or businesses, it was like 8% of their ridiculous credit card processing fees. They never asked me, “What do you want to show up on the line?” I didn’t even think about it until someone disputed the charge because they didn’t recognize the company name versus the website.
I feel bad for both sides. You’re disputing it because you don’t know that it’s actually a legitimate charge, but then also disputing it because it was a fraudulent charge and someone fraudulently made that charge. And here, this merchant is likely, the work or whatever they were selling went out the door and that they can’t recoup that.
That’s sad. It’s too bad of a situation for some of these merchants, especially small businesses that have frauds. They don’t probably have it built in their light budget to have fraud, where some larger retailers have a line item or fraud built into their budget already. They already know that’s going to happen and they could easily recoup that; in a sense, they have a line item to put that budget towards. That’s a little tricky.
That was ultimately the reason why I ended up shutting down that business, was because I was getting fraudulent. People were using stolen credit cards to buy stuff from me. At the time, this was quite a few years ago—20 years ago. I couldn’t figure out how to figure out the fraudulent orders. I can’t afford to be shipping product out, losing the product, getting the credit card reversed, and then having to pay a penalty.
Oh, that’s a bummer. That’s a bummer that you had to stop doing that.
But it was a massive lesson of like, oh, you really have to think about these things when you own a business, that it’s not just, “Hey, do I make money on every transaction? Well, what if someone steals something that’ll impact you?”
Well, I don’t know. Now, I’ll be talking to people. They’ll be like, “Oh, well, there isn’t as much fraud anymore because of the chip cards.” And while yes, chip cards have cut down on fraud, you still have—I actually have a card here; I’ll just show for visual—this magnetic stripe on the back of this chip card.
This is an old card, so somebody’s trying to charge this, charge all you want. This is an old card. But yeah, this chip card, yes, this is an encrypted transaction. But what’s on the back if the fraudsters get ahold of it—this is all static information of your credit card information—it could easily be duplicated with a skimmer. Probably charges can still happen because we can complete online transactions with just plain text credit card numbers.
We’ve made this great security mechanism, and then we’re going to fall back to this thing that’s totally not secure. Can I peel off the magnetic stripe and will they still accept it?
They will accept it, so you can, actually. I’ve heard of people just snipping it, cutting it, because really all they’re wanting to do is use the magstripe. I guess if you’re assessing your risk there, and you could be in a situation where your chip isn’t working.
I was at the grocery store the other day. The card I was using, I put it in, that beep, murr, murr. Well, typically in the US, you have three times where they’ll allow you to try to do the chip, and then there’ll be the fallback method which is the magstripe, because heaven forbid we don’t complete a transaction here in the US.
But in other countries, if you can’t complete a purchase with this chip, they say, “Bye. See you later. Use a different card, or come back some other time when you have a different form of payment.” Versus here in the US, they’re going to allow the magstripe.
I have seen people that cut their magstripe so it can’t be swiped, or they’re just relying then on the chip itself. So that works for a lot of people.
Are the skimmers pulling both the chip and the magstripe? Or just the magstripe?
It’s just the magstripe. I actually have one here for some of the law enforcement training we used to do. This here is a skimmer. This holds about 5000 card numbers. This is in a typical scenario. This is what you’d find in a restaurant scene. Still, to this day, you give your card to the waiter or waitress, they leave, they either swipe your card or they put the chip in, and they come back and tip them. It’s wild, by the way, that we still do that.
And it’s just in the US. People from other countries come here and like, “Wait, why are you taking my credit card away from me?”
“Because I’ve got to go run it in the back, behind the wall.”
This is my apron, so no, this is not just the service industry, but just a lot of times where it is normalized to give your card. All they have to do is swipe the card like that and they have your credit card information.
This is static information, so the number is going to be the same. Whether I use this card, whether I clone it to this card, it’s going to be the same credit card number and expiration date that’s on this card.
This, however, is encrypted. It ends up being harder to unencrypt and then encrypt on a different chip. It can be done. It takes a certain skill set, but we’re not seeing it as much as just the static.
But then there is RFID. You probably have seen this on your card here.
Looks like a Wi-Fi logo.
That’s a Wi-Fi logo. That’s going to be a proximity card. Prox card, you’ll also hear. This is where you would just wave your card in front of this machine. Usually, it’s zero to three inches is the amount that it will read, and then you’re able to then put your card back in your wallet.
We’ve seen some in larger, busier areas, you’ll hear the term RFID bumping. They’ll actually put a device like this with an amplifier on it. They’ll put it in their backpack, and they’ll just bump into people. If you have one of these cards that have the RFID capabilities, then it’ll automatically just skim the information from your card.
What I like to do with any card that has this RFID is put it in a foil lined sleeve. You can just use tin foil, too. I wouldn’t spend more than 50 cents on what you’re trying to do here. You just put it in here and then it’s fine.
A lot of licenses, passports, things, all of that have RFID in them, so you’ll see a lot of travel stores that have RFID blocking shields and things like that. The likelihood of it happening is low, but it doesn’t hurt to just put them in that sleeve if you have that.
And it’s also one of those things where that level of safety is very little, very low inconvenience, or cost to the consumer. You can go on Amazon and buy 20 of those RFID blocking sleeves for $3 or whatever. It’s not that hard to pull out your credit card, put it back. It’s one small extra step if you’re physically using your card. It’s not like it’s a major inconvenience.
I will say, I’m missing one form of payment and that is mobile payment. If you are using, let’s say, your mobile device or your watch for payment, that is going to be your safest way to pay, because it is encrypted. When you make a payment that way, if that merchant is breached, it’s not your actual card number that would be showing to them because it’s encrypted. That’s really the best way to pay if you’re looking for my security standpoint.
I usually, whenever I can, will always use the credit card, but then I usually use my watch. I feel so futuristic too. I’m like, “Beep, beep.” It’s too easy to make a payment that way. But I do get those questions a lot, too, about mobile payments or something like that, so I do recommend that.
I guess the question would be—I know the answer to it, but I’m going to ask it anyway—are the watches and the phones at risk to the RFID bump?
Typically, it’s not. A couple of things: It’s very important that you keep your operating system up-to-date. Usually, when it’s not up-to-date is when it’s going to be a vulnerability, because the fraudsters have exposed that vulnerability.
Usually, it takes interaction with the owner of the watch. For me, it has to be unlocked, but then I have to double-tap it and then place it upon the reader. With my phone, I’ve got to not only unlock it with your face or your password or your fingerprint, depending on your device, I have to activate it, then put it within proximity of the reader.
There are steps on my side that make it, so it’s not just like this Wi-Fi card that’s just in my pocket or in my purse. It’s a little bit different.
I’m one of those people that I use my watch whenever I can. If I can go a week, a month with never pulling my wallet out of my pocket, I’m a happy camper. I’m still surprised, though, at major grocery stores and businesses. They’re like, “Oh, I’ve never seen someone pay with her watch before.” Like, really?
That is so funny you said that. I was at the Dollar Tree the other day. The person checking out is like, “Oh, my goodness. I’ve never seen anybody do something like this.” I loved it. Actually, I thought it was, “Well, it could be your first.” It was just so funny to me because it happens. It’s super easy.
With your experience, like you got the skimmers there, have you ever run across a skimmer in person anywhere?
Not that I’m aware of. But here’s the thing. Here’s my theory on that is that I want it too bad, so I don’t know. Tell me if you do this. Even if I am at the gas station and I’m putting my card in, I’m always tugging on what you’re putting your card into in hopes of finding a skimmer. I don’t know. I hope that for me someday, but they exist.
These overlays are extremely intricate and it’s so easy to buy online for these fraudsters. It used to require a certain skill set that required you to take apart these skimmers and then place them.
Oh, actually, I have a gas station pump one. At this gas station, one pump, is this little skimmer here. It’s taken out of its hard shell and then placed into this. You’d open up the gas station pump, put it in there. You would be none the wiser at a gas station pump. But now, you can just buy them when they’re already like this online.
I’m not advocating for that. This is educational only. Just makes it easier for fraudsters to just not be as technical as maybe they used to but still be able to commit this low-hanging fruit and low-level crime.
I have to admit, even if I’m paying for my gas at a gas station with my watch, while waiting for that transaction to go through, waiting for my watch to beep and authenticate, I’m tugging on the credit card reader. I haven’t found one yet.
I’d be interested. I’d love to hear from somebody who has found one, because I’ve seen a number of articles where the entire face of an ATM has come off, or where they’re putting their credit card in has come off. But yeah, never anybody I’ve known personally, so I’m waiting for that day.
Do you know of any reports to talk about what credit card ATM machines are safer to use, less safe to use? Are there ones that you should never use? I have my own opinions and theories about this, but we’ll see what you say.
Well, it’s safer to go inside the branch. It always is going to be safer to go in and talk to somebody. That’s the first level. But that’s not always. You can’t always do that. But then, the ATM located inside the branch, if you don’t want to talk to somebody, you’re safer.
What wouldn’t be as safe is ATMs that are the standalone ATMs and have no bank affiliation. Those are usually run by individuals or outside companies. While they should have to abide by certain security standards with their ATM, they’re sometimes usually not because they’re like these standalone ATMs.
ATMs at festivals; ATMs that are in a dark alley. Yes, there are ATMs in a dark alley. ATMs at hotels. Those that are not being monitored. Also likely until they’re putting money back in, which is probably weekly, and then they find a skimmer. You want to go to a highly active ATM because likely then they’re putting more money in every other day. They’re going to spot the skimmer or anything weird going on with that ATM.
What’s your theory?
I generally work from the theory of where are people going to be in a situation where they’re going to be least likely to notice a fraudulent transaction? I think touristy locations. There’s some really popular plaza in some country that you’re visiting, that that’s going to be where the scammer wants to put the skimmer because when you’re on vacation, it’s probably going to be a longer time before you look at your bank account. They’ve got more time to execute fraud.
It’s an ATM machine that in different countries, things look different. If something doesn’t look or feel right, you’re going to be less likely to notice that it’s wrong. You’re distracted by what’s going on. You’ve been desensitized, you’re distracted, all these kinds of things that lower your guard in my mind.
Now, maybe people are more paranoid in those situations that are tugging on the skimmers like you and I are, but in my mind, if I were a scammer, that would be what I would probably want to do. But again, the standalone ATM machines as well that aren’t associated with the bank, I don’t even want to get near those things, let alone actually use them.
I think people are surprised to know that those exist, that it’s a business. A lot of them at the gas stations and stuff are not affiliated with any bank or anything like that. So, yeah, it’s interesting, which is why threshold notifications.
And those things usually charge horrific transaction fees. That’s how that entity makes their money. That $20 bill that you got out actually cost you $25 or something.
Exactly. People need the cash, so they will do that. It makes an, again, almost just low-hanging fruit. That’s why just making little tweaks, how you pay, and not just assuming, “This is how we do it, so this is how I’m going to do it.” You said to make small tweaks and more awareness thing, I found to be the most helpful in just spotting tricky or weird things because you’re actually paying attention.
I think it’s always trust your gut. If something feels weird and it’s not a life-or-death situation, you don’t need the money to go to the hospital, go to a different machine. Go to one inside a grocery store, somewhere where it’s lit and there are cameras pointing at the machine. That sort of thing.
Although I have to admit on my last trip, even internationally, we only use cash for tipping people. It’s probably been two months since I’ve gone to an ATM machine and gotten cash. Since COVID, no one wants to touch cash anyway.
It’s so true. Unless you’re my child and you want to go with those little vending machines or claw things, I need cash for those. Although, those take credit cards now. Nope, I’m not going there. I’m not going there. But same, Chris. I have not used cash in such a long time. It is interesting.
I guess that reduces getting the cash out of the ATM. Before we wrap up here, any thoughts between using debit cards versus ATM cards? I know it’s almost the same consumer experience, but on the back end, is one more risky than the other?
I have thoughts, and that is to use a credit card versus a debit card, and here’s the reason why: You have 60 days to report the fraudulent activity, regardless of both. However, if there is fraud, let’s compare the two scenarios.
You have fraud on your credit card and you report the fraud. You’re not liable for anything. You haven’t paid anything out of pocket. Usually, it takes, I don’t know, 5–10 business days for them to do their—usually it’s quicker—investigation internally, and the charges are reversed. Other than getting maybe a new credit card number, you’re not out any money. You’re spending the credit card company’s money.
Debit card, on the other hand, that same charge, that is debited out of your account. The fraudster could keep going and going and going, and withdraw all the money from your bank account. Do you have overdraft protection? Oh, all of the money from that savings account until you’ve (1) reported the fraud, and then (2) they’ve done the investigation and they have reversed the funds.
Meanwhile, you’ve got all the bills from cell phone to the Internet to kids’ school practices and events, all of those things are due. Sometimes, they’ve taken the ability to then pay for those items. You’re in a scenario where now you’re not paying your bills on time, all because you can’t have access to those funds until they’re reversed. The fraud was using your money. For this scenario alone, I use the credit card.
But you also get people manage their money best using debit cards. Maybe the history with the credit card or maybe a family member’s history of the credit card is not a positive one, so that’s how they found best to budget. If that is the case, you run it as credit versus debit, it’s still coming out of your bank account and that scenario will still apply where your money is out of your account, but at least don’t be putting your PIN number into multiple places to have transaction to reduce your risk there. Short answer, credit card versus debit card.
I know one of the things that my wife and I do is, just because there are weird times when you travel and you may need cash when you’re outside of the country, we have a debit card that we specifically use for traveling that doesn’t have overdraft on it. There’s enough cash to support what we might need to do on a vacation, but it’s not the regular bank account that we would use. It’s not where our paychecks get deposited.
In my mind, if this card gets compromised, someone steals this card from me or it gets skimmed, I know my maximum losses are this and it’s not going to impact where I pay my mortgage from, where I pay all my other bills from. I’ve kept it siloed in its own little thing. That’s the only thing I use. There are no other accounts at that bank. So if something goes horribly awry, it can’t infect anything else.
That is impressive and way to go. That really is the best practice what you’re doing. People are like, “That’s so extra,” but you need to do that because, at least for me, I’ve seen the impact of fraud. At least my time with seeing a number and working with a number of victims that don’t have access to cash, just that extra step, yes, it takes a second to set up a bank account, get a debit card, and all that stuff, but not a lot of time in the whole scheme of things.
And once it’s done, it’s not like you have to redo that process every six months. They’ll send you the new cards in the mail and you don’t even ever have to go into that bank.
That’s amazing. I’m impressed. Very cool.
Do you think I’m paranoid much?
Well, here’s the thing. Some may call it paranoid, but you’re very educated in the sense that you’ve heard enough fraud stories and you know tech. That’s exactly the steps you have to take.
Unfortunately, I think this is not based on lessons that I’ve personally experienced, but lessons I’ve seen other people experience. I know someone who their debit card did get compromised and their bank account was drained. It was the same sort of thing where, “Oh, great. My rent check bounced and I can’t make my car payment.”
All that eventually got sorted out. But going to your landlord and saying, “Oh, let me write you a new check. I’m sorry.” The landlords don’t take really kindly to that.
They really don’t. The best lessons that we can apply in our life are ones that we can learn through others, at least when it comes to fraud that way.
A big thing I hear, at least years ago of my education, I had heard a lot more was, “Oh, that’s not going to happen to me.” If it doesn’t, you’re so lucky you don’t have an identity theft or cybersecurity incident. But there are enough people in your circle that this has happened to, that you should take those learnings and apply whatever it is you’re going to do to help be more secure.
I have one or more of my credit cards get compromised, or they’re cloned, or however you want to say it. It probably happens every couple of years. I’ve got to get a new card issued. It’s the sort of thing that comes up with regular conversations with friends and family.
I had to go through the hassle of getting a new credit card, and all those 45 different auto-billpays I now had to go update every single one of them. It took me four days and I forgot one, and then I got hit with a late fee because the charge didn’t go through.
That’s why one of the reasons why using a service like PayPal or similar is helpful because then you update your card one time, and it’s then updated for other automatic services that you might have. I found that out the easy way, I should say. When I recently had fraud, I was like, “Well, this was a lot easier than connecting with all of the other places.” So it’s an option for people if they prefer that route.
I haven’t tried to switch over to doing that. Yeah, you only have to update it in one place. I’m going to have to look at that.
Some actionable tips here.
But then, I’ve got to make sure that my PayPal account is extra secure.
I guess in some of these things, you’re risk-shifting. I’m moving the risk from one place to another. You may feel more comfortable increasing risk with an entity that has really good security and lowering the risk with someone who has bad security.
Exactly. That’s really just a lot of these choices you’re making, whether it’s how you’re using your phone, the security settings on your computer, your tablet, your identity, and form ways of payment. You’re assessing your risk, you’re assessing your family’s risk, and then you’re making that decision.
The part of what any assessment of risk is understanding where you’re vulnerable, and then understanding the action and steps that’ll be needed to be taken if you do become a victim or something bad does happen. I think that’s part of the risk assessment that is missing a lot of times when people do make the convenient choice versus maybe a more secure choice.
Absolutely. As we wrap up here, where can people find you online if they want to find out more about you and what you do?
I’m on LinkedIn. Check me out, Paige Hanson. My current company is SecureLabs, so securelabs.ai. I’d love to connect and talk tech with anybody who would like to.
Awesome, Paige. Thank you so much for coming on the podcast today.
It was my pleasure. Thanks so much.