credit card mess

Beyond their breach

At this point, we might as well walk around with our credit card numbers plastered on our foreheads. That semblance of payment security that Americans once tried to maintain? Even that now seems a complete waste of time.

It’s been about four months since Target suffered a massive data breach across its 1,800 U.S. stores during the height of the holiday shopping season. While initial reports suggested that 40 million cardholders had sensitive personal info stolen from Target points of sale, it emerged later that the figure was in the staggering 70-110 million range - no less than a third of all American adults.

We’ve since seen even more payment card data breaches at other major American retailers, including Neiman Marcus, Sally Beauty, the California DMV, and now Michaels Stores.  A new ACI survey finds that fully 44% of customer accounts at U.S. financial institutions have been compromised by recent data breaches.

So we have a national data breach epidemic on our hands, and our card info has never been less secure. Yet we still have to use plastic – there’s no other viable option for the majority of purchases by the majority of consumers. Something has to give, and don’t count on it to be the hackers.

You have to find the fraud

Ask around and you’ll find a lot of people still have a blasé attitude about the data breaches. They figure that their bank or card provider will catch any fraudulent charges, and that in any case they’re not liable for any false charges that get through. News reports sometimes reinforce this – from InTheCapital’s report on the Michaels breach (emphasis added):

On Thursday Michaels admitted that up to 2.6 million of its customers had their credit card data exposed to hackers for eight months between May 2013 and January this year.  Not because of the Heartbleed Bug this time, but a more regular case of hacking. Of course the customers won’t have to pay for any fraudulent charges, but the latest case of credit data hacking has the National Association of Federal Credit Unions all worked up.

The fact of the matter, though, is that banks catch only about a third of the fraud that someone attempts to post to our cards. And while it’s true that cardholders usually cannot legally be held liable for fraudulent charges they report, the burden is on us to find those charges in the first place – and most of us don’t check our statements carefully enough to notice.

According to the Aite Group, among all reported fraud, just 35% is reported by banks’ systems soon after a transaction posts to an account. The remaining 65% is caught by consumers doing post-transaction monitoring – that is, checking their charges carefully, on the rare occasion when they do.

Credit monitoring won’t cut it

Credit monitoring or identity theft services are often presented as compensation to victims of the larger data breaches.  Target, Sally Beauty and Michaels all offered customers a year of free credit monitoring in the wake of the massive payment info theft at their stores.

But credit monitoring is not the solution. The activity these services aim to protect you from – an attempt to open a new account in your name – typically doesn’t take place for many months after the theft. In the immediate wake of the breach, the only real prevention you have outside of the banks’ transactional fraud systems – which, again, only catch around a third of known fraud – is personal diligence via careful transaction monitoring.

Over $1 million in fraud found since Target

Transaction monitoring is the heart of what we do at BillGuard – via active, crowdsourced alerts when we find a questionable charge on a user’s card, and, perhaps more importantly, via our app’s swipe-to-verify function, which prompts cardholders to check their charges carefully. There’s no magical technical solution to catch most card fraud – there’s only creative design that makes it easy to be personally diligent.

Since the Target data breach, BillGuard users have flagged approximately $1 million in fraudulent charges on their cards. Moreover, we’ve seen a 50% rise in fraud reports from BillGuard users since November.

Our data suggest that the rise in fraud reports is not due to aggregate growth in fraudulent charges since the Target breach. Rather, it appears simply to be from increased activity of BillGuard users, who are using our app more effectively to find unwanted, unfair and outright fraudulent charges that passed through their banks’ fraud prevention systems. Each one of those user flags contributes to the effectiveness of our crowdsourced network, helping others avoid the same charges.

Sometime in the future we’ll look back on this era in awe at how banks, regulators and retailers left consumers hung out to dry on payment security. In the meantime, we’re paying the price every month in unseen fraudulent charges.

As the epidemic of data breaches continues, we’ll continue to improve BillGuard’s effectiveness in protecting consumers’ payment security. And we hope you’ll join our nationwide transaction monitoring network.

Photo: kainr