Last year, one of my family’s credit cards was used to rack up hundreds of dollars in bogus charges at Apple.com. Another card was compromised four times in a row, as thieves repeatedly charged merchandise and Uber rides.
We ultimately got our money back, but repeated credit card fraud can be frustrating and disheartening. Dealing with the aftermath taught me to prize security over convenience, and to change some bad habits that made me an easier target.
The clock is ticking on credit card fraud
Under the Fair Credit Billing Act, consumers have 60 days after bogus charges show up on a statement to report them to the credit card issuer to avoid most liability, says attorney Amy Loftsgordon, legal editor at Nolo, a self-help legal site. (The law limits a consumer’s liability to $50 per series of unauthorized uses, but most issuers waive that, Loftsgordon says.)
So my heart sank when I realized that the fraud on our Apple.com account had started at least six months earlier.
I’d noticed that the Apple.com charges had been ticking up, but assumed my husband was buying more audiobooks and my daughter was downloading more games. I’d grouse at them occasionally, they would proclaim innocence and the charges would continue.
Finally, the thief went too far and charged over $300 in a single month. I contacted Apple and discovered our card had been used to purchase dating apps and virtual phone numbers, which were likely being used to scam other people. The electronic receipts for these purchases were sent to an email address I didn’t recognize.
A new card didn’t stop the fraud
The kicker: The thief was using a credit card number that had already been reported as compromised. Normally, credit card issuers will deny new charges on a compromised number. But according to the card issuer, the thief started their crime spree during the few days that my replacement card was in the mail. Since we already made regular purchases at Apple.com, the card issuer assumed the charges using the old card were legit and allowed them to go through “as a courtesy” — month after month. (I was assured that this sequence of events “is extremely rare and hardly ever happens.”)
An Apple customer service representative deleted the most recent month’s charges and the issuer removed the rest — even those well past the 60-day mark.
My takeaways: Sites where you make multiple purchases each month need to be monitored carefully for bogus transactions. Compare what your credit card statement says you’ve charged with your purchase history on the site. You may have to search online for how to find that history; Apple certainly doesn’t make it easy or intuitive to find your charges. And if you find fraud, report it — even if it’s beyond the 60-day deadline.
Make fraudsters work harder
It’s still not clear why my other card was repeatedly compromised. I’d no sooner get a replacement card than I would receive a text from the issuer asking about another suspicious transaction.
I removed the card from the browsers and websites where it had been stored. We may like the convenience of not having to type in our credit card numbers, but every place we store our cards is another place where they can be stolen, says security expert Avivah Litan, a distinguished vice president analyst with research firm Gartner Inc.
The mobile app for this card allowed me to see many of the places where my card was saved. But the list wasn’t complete. After the fourth hack, a phone rep said my card was stored at Airbnb, Walmart.com and Uber — three places that didn’t show up in my app and that I hadn’t authorized. The rep disconnected the card from those accounts. In the future, I’ll call in to report fraud so I can ask for this review rather than merely responding to a text warning or going online. I also learned that I could “lock” my card in the mobile app to prevent unauthorized use. Unlocking it when I want to make a charge just takes a few seconds. I wish more issuers offered this feature.
At the issuer’s suggestion, I ran antivirus and anti-malware software (my devices were clean) and changed the passwords on my email accounts as well as my financial accounts, in case a thief had broken into those. I already had two-factor authentication, which requires a code and a password to sign in, on my financial and email accounts. I added it to my most-used retail sites as well.
I’ve also started using a mobile payment system wherever possible. These systems — which include Apple Pay, Google Pay and Samsung Pay — create a “token” that’s transmitted to merchants so that your credit card number is never exposed or stored. Similarly, some credit card issuers will provide virtual numbers that you can use instead of your real account number when making purchases online.
I don’t imagine all this will make me fraud-proof, because that’s impossible. I’m just trying to make the thieves work a little harder next time.
This article was written by Liz Weston, CFP® for NerdWallet and was originally published by The Associated Press.