Showing posts with label Fraud. Show all posts

Saturday, August 30, 2025

Another Credit Card Fraud Detection Fail

I recently wrote about challenges with using my Citi Costco Anywhere Visa card while in Japan. Shortly thereafter, we visited Singapore, Indonesia, and Thailand, and given my previous experience in Japan, I was ready to use my data-only eSIM to log in to my Citi account to approve purchases if they had tripped the credit card fraud detection.

Moments after landing in Singapore and retrieving luggage, I was ready to use the Grab app to request a ride to our hotel. I was feeling confident about using Grab, as I had set up my account while in the United States, and it had even placed a $1 charge on my Citi Costco Anywhere Visa card to verify my credit card during the account setup process. After selecting my destination and choosing the kind of car I wanted to ride, I expected the payment process to occur smoothly (foreshadowing). However, I was taken to a Visa verification screen and was given the option to verify my identity via phone or SMS text, neither of which I had access to with my data-only eSIM card. Even though I was unable to verify my identity, I was still allowed to request the ride and pay the driver with cash.

Interestingly, after being forced to pay with cash for our first Grab ride in Singapore, I was able to pay with my Visa card on a subsequent ride without the additional verification step. After landing in Indonesia, I was also successful with paying for a ride on Grab with my Visa card, but in Thailand my first Grab ride was intercepted again by Visa, so we took a taxi instead (we had not yet exchanged currency so were unable to pay in cash). Because the identity verification was not initiated by my Citi Costco Anywhere Visa card but rather by Visa itself, I was unable to approve the usage of the card by logging in to my Citi account. As prepared as I thought I was, it turns out that I did not anticipate this particular hurdle.

After returning home and doing some research, it appears that the additional verification was likely due to the Verified by Visa program which was later rebranded as Visa Secure or EMV 3-D Secure. EMV stands for Europay, Mastercard, and Visa — the three companies that originally created the global standard for secure chip-based payment cards. They claim that their fraud detection is user friendly.

In my personal experience, the Visa fraud detection algorithm has the greatest chance of triggering a verification event when users are purchasing things online or when traveling internationally. For international travelers, I think they really need to provide an email verification option in addition to phone and SMS text. The lack of this option makes this feature very user un-friendly in my opinion. I fully understand a credit card company’s need to minimize fraud, but the experience for law-abiding customers has room for improvement.

Meanwhile, although I have not fully validated this approach, a possible way to avoid these problems when traveling abroad while using a data-only eSIM plan is to use a Google Voice number as your main contact number for your credit cards. Google Voice will route voice and SMS text to your Google Voice app using data, so in theory you should be able to authenticate through this method.

Monday, September 16, 2024

Protect Your Identity

Last month, news broke that hackers stole and sold personal records of 2.9 billion people. The records were stolen from a company called National Public Data which provides services to staffing agencies, employers, private investigators, and other organizations who perform background checks. This apparently places a vast majority of people who live in the United States, Canada, and United Kingdom at greater risk for fraud and identity theft. Also, while this was perhaps the largest data breach of personal records, there are countless other data breaches that have likely resulted in your personal data being released to the dark web. To protect yourself, here’s what most experts recommend.

1. Set up accounts at all 3 major credit bureaus: Equifax, Experian, and TransUnion. While all 3 credit bureaus offer security products and services, setting up an account is free. Remember to safely store your username and password information (that is perhaps the topic of another blog post).

2. Check your credit report from all 3 major credit bureaus. If you’re not accustomed to doing this, the key things to look for are the accuracy of your contact information, revolving lines of credit, and inquiries. If a criminal has attempted to open up credit cards, take out a loan, or change your home address, you should immediately spot those. In the unfortunate event that someone has tried to steal your identity, follow the steps at IdentityTheft.gov.

3. Place a fraud alert on all 3 major credit bureaus. This will make it harder for a criminal to obtain credit in your name because businesses must verify your identity before issuing credit in your name (note that this is why it is important to verify your contact information in item 2 above). All 3 credit bureaus offer fraud alerts for free, and each alert lasts a year, after which you can renew it (also free). If you were a victim of identity theft and have a police report, you can place an extended fraud alert which will last for 7 years.

4. Place a credit freeze on all 3 major credit bureaus. This provides even greater security than a fraud alert because when your credit is frozen, nobody will be able to access your credit report or open a new credit account until your account with the specific credit reporting bureau is unfrozen (or “thawed”). Like all the other steps above, credit freezes are also free, and they remain in place until you thaw your account. Note that when you thaw your account, you do not necessarily need to thaw all 3 credit bureaus. Let’s say you want to buy a car, and the dealer wants to check your credit before issuing you a loan—if you know which credit bureau they use, you can temporarily thaw that one and then freeze it again after you complete your transaction. Also visit this FTC site to read about differences between fraud alerts and credit freezes.

5. Optionally place a credit lock on all 3 major credit bureaus. I say this is optional because the differences between freezing and locking your credit are minor. According to NerdWallet, freezing your credit usually occurs within 1 business day and thawing occurs within 1 hour if done online, while locking and unlocking occur instantaneously. Although Equifax offers locking/unlocking for free, Experian and TransUnion charge a fee for this service. If you value the convenience of instant locking/unlocking and are willing to pay the fees (if any), then this may be a desirable option. Otherwise with just a little bit of planning, you can skip this step and achieve all 4 prior steps for free.

One last word on Equifax credit locks. As I mentioned above, Equifax offers credit locks for free, and this is done through its Lock & Alert service. Just note that if you sign up for Lock & Alert, you will need to register with another account that is separate from your “regular” Equifax account where you check your credit report, place fraud alerts, and freeze/thaw your account. I don’t know why they don’t just combine them together, but just note when storing your account information that these are 2 separate accounts. If you’re an Apple user like me and use iCloud to store your passwords, note that there seems to be a limitation where iCloud tries to be helpful by merging these 2 accounts because they have similar domain names. Do NOT overwrite your “regular” Equifax username/password with your Equifax Lock & Alert username/password or you will lose one of them. Hopefully Apple will come up with a solution for this scenario soon.

Friday, December 22, 2023

Social Media Friend Requests

If you spend time on social media accounts, you’ve probably received friend requests from people you don’t know. In my experience, there is a good chance that many of those friend requests are not from your real friends. For example, the screenshot above shows only a partial list of my most recent friend requests. I don’t know any of those “people” and have only 1 mutual friend with one of them. My guess is that they are all AI-generated profiles from people who are trying to build up their networks and then sell them to people who will then use those profiles for advertising, information gathering, or other purposes.

This website talks about more reasons for fake friend requests and the kinds of people who might want to send them: scammers, malicious linkers, catfishers, exes, significant others, or even private investigators. It also describes ways that you can identify fake friend requests: common connections, “attractive” photo, limited history, friend composition, and timeline content. The friend requests in the screenshot all happen to be Asian females, and they all seem to be airbrushed or AI-generated which to me were dead giveaways, and the lack of common connections further reinforces their lack of authenticity.

Professional networking sites like LinkedIn are also inundated with fake profiles as discussed here. While I don’t accept friend requests on social media accounts, my policy on LinkedIn had been to accept known connections as well as people in my industry who might be good professional connections to have. I’ve personally accepted at least 1 fake profile which I detected because that person posted a somewhat strange comment on a thread which sounded to me like it was AI-generated. I then realized that their profile made no sense, and furthermore I noticed that the work experience and education changed from day to day. LinkedIn and other networking sites have mechanisms to allow you to report fake accounts, so consider using them.

Fake accounts are a growing problem, and I hope this helps raise awareness and prevents you from falling victim to this practice.

Wednesday, April 8, 2020

COVID-19 Shenanigans


As with any crisis situation, a small number of “opportunists” (or shall we say “sociopaths”?) prey on public anxiety and fear for their personal gain. Amidst the COVID-19 pandemic, I’ve seen various kinds of shenanigans and will summarize some of them here.

Malware

Although there is a perennial battle against malware and cyberattacks, some hackers have impersonated the CDC and WHO as part of phishing scams. Others have launched COVID-19 email campaigns to bait recipients into clicking malicious links or have created fake coronavirus maps that look similar to authentic ones to attract unsuspecting clicks.

Hospitals are especially busy now, and new ransomware attacks are targeting remote employees to get through VPN connections and exploit other security vulnerabilities. Interestingly, some ransomware groups have pledged not to target hospitals during the COVID-19 pandemic, but I would guess that this represents a minority of hackers. Nevertheless, it is interesting to see that some criminals have enough of a conscience to hold back—unfortunately it is hard for me to feel positive about this news. Meh.

Credit Card Fraud

In a similar vein, coronavirus-related credit card fraud is also on the rise, so be on the lookout for scams and make sure you manage your credit cards wisely.

Additionally, I’ve seen a variety of restaurants offer special deals if you place orders through their mobile apps. I would recommend that if you take advantage of these kinds of offers, check to see if the app requires you to store your credit card or if you can enter your credit card for payment and choose not to store your card number. The more companies that have your credit card information, the more likely your personal information will be compromised in a security breach at some point. Balance the convenience of saving your credit card information against the risk of your credit card information getting into the wrong hands.

Zoombombing

Due to social distancing efforts, many workplaces have transitioned partly or completely to remote work, and most schools have switched to online learning. This has resulted in a sudden and dramatic increase in demand for videoconferencing. While there are a large number of video conferencing solutions, Zoom has seen explosive growth due in large part to its ease of use. In its most basic meeting configuration, participants can join a Zoom video chat by simply entering a meeting ID. Although password protection is an option, not everyone has been aware of it, so meeting crashers have engaged in a variety of activities ranging from disruptive to obnoxious to salacious, resulting in coinage of the term Zoombombing.

As a result, Zoom has created a website to provide recommendations on how to prevent Zoombombing. While most video conferencing solutions share a core set of common features, check with your video conferencing solution about both corrective and preventive actions you can take to video conference safely.