For the severalth time in a couple years, our Bank of America credit card has been “compromised” at an “undisclosed” merchant or provider. It’s a major pain in the ass to change all accounts that use that card number. Again. I’m just wondering if Bank of America has any options available to them, say, in the design of the cards, that would keep this from happening so readily. Could they limit their (and my) vulnerability to these “compromises”? Or is this just the price we pay for the convenience of paying by credit card? At this point, maybe they’re convincing some of us to pay another way.
By “compromised”, do you mean it was used for a fraudulent purchase, or that you got a warning that your card information might have been hacked from a merchant’s database? If it’s the latter, it’s certainly not the card issuer’s fault.
The latter. But why is all the personal information coded into the card anyway? Why can’t a merchant just contact the bank that someone with the card number xyz just bought $100 worth of stuff in our store, so you have to pay us back. Why is it necessary to include any personal information on the magnetic strip?
I don’t think any personal data is encoded on the magnetic strip beyond what is on the physical card: your name, CC number, expiration date, and CVV code. It’s the same information they would get if they stole your physical card. The retailer’s database can associate that with your address, possibly your DOB and SSN, and other critical bits of information.
What Telemark said. There’s no personal information in the magnetic strip, other than your name. More likely, the retailer already has your personal information because you signed up for a rewards account or an extended warranty or bought something online. Occasionally, the authorization process may result in personal information being sent to the merchant from the bank - such as a billing zip code when one is required for security purposes.
You’ve missed the point. If the retailer keeps the credit card number and expiration date on file, that info alone is enough for somebody to use to make another purchase elsewhere. So that’s the info bad guys steal from merchants. If the bad guys can get a name and address as well, so much the better.
Now the rules put out by VISA and MasterCard both prohibit merchants from keeping the credit card number & expiration date in their files. Unless encrypted. But not all merchants do so. And to date Visa/MC has not had the guts to terminate a big merchant for violating the rules.
As well, if a bad guy can slip spyware into a machine processing the transactions, as they did at Target a yearish ago, then even if the merchant is complying with all the rules, the spyware eavesdrops on the transactions flying past on the way to Visa/MC and copies down the info of interest to later forward home to the bad guy HQ.
The fancy new chipped cards coming out this year (in the US) will greatly reduce the opportunity for bad guys to capture legit card details at retailers and to use fake cards with stolen data at retailers. But chipped cards and all the affiliated infrastructure will help exactly zero for protecting legit online purchases from bad-guy spyware stealing card info and also will do exactly zero to prevent fraudulent online purchases using stolen card info.
This goes back to the mid 80’s:
A large bank in SF sent out a “Premium” card - with PINs generated on the wrong machine, by the wrong program. This was a package deal - high limit credit line, a safe deposit box, etc - not aimed at the 48%.
These affluent folks took their shiny new cards to the ATM and keyed in their brand-new PINs.
And the ATMs ate them and gave them the “If you aren’t really a thief, see a teller” message.
But not all of them - a few actually worked - but accessed the wrong accounts.
Yes, card issuers can screw up.
The stripe contains the card number, expiration date and your name.
Merchants are FORBIDDEN from keeping the Credit Card verification code in their systems - it should last only as long as the transaction.
However, if the thieves can read what’s on the card, or the necessary data to compose a copy - they can use that as if it were the same card. The signature doesn’t even have to match, because, obviously, they have a blank fake card to sign, and when you buy at a store, nobody asks for or uses the verification code.
If somehow they can get the verification code, they can then use your credit card online. The trick is to know the billing address, which is why hacking a vendor and getting full customer information is also convenient.
For ATMs, they just need the contents of your stripe and the PIN. I’ve heard all sorts of tricks, from shoulder surfing to a tiny camera in the ceiling above the pin-pad, to the latest - an infrared camera add-on for your iPhone, so you can see/snap which 4 keys the last customer pressed.
Generally, though, banks usually have the best security, since that is their core business and any hole has probably been found and plugged (maybe, after some serious losses) already. A company whose core business is power tools or appliances or clothing probably does not spend as much on IT as a business whose core business is shuffling information that represents money.
Banks screw up too. When only a few big cities had ATMs, back in the early 80’s, the idiots at my branch hooked my bank card to the wrong account. I could never figure out why the balance was wrong for a month or more, until one day I transferred $1000 that shouldn’t be in savings into chequing, just to see what happened - then they fixed it very fast. (I typically withdrew from chequing, and when I did passbook transactions inside the branch the balances were correct… just my savings account on the card seemed wonky.)
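Added example, not part of any post in this thread: a merchant-side check for the two storage rules mentioned above (card numbers kept in files unencrypted, and verification codes kept at all). It scans stored text records for Luhn-valid card numbers and verification-code fields and scrubs them. The record layout, the field names (`pan`, `cvv`, `order`) and the sample lines are constructed for illustration, and masking down to the last four digits is a choice made here.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed field names for a stored verification code.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\b\s*[=:]\s*\d{3,4}", re.IGNORECASE)

# Constructed sample records (well-known test card numbers, not real accounts).
SAMPLE = [
    "2015-03-02 sale name=J SMITH pan=4111111111111111 exp=12/27 cvv=123",
    "2015-03-02 sale pan=5555 5555 5555 4444 exp=01/26",
    "2015-03-02 refund order=1234567890123456 amount=100.00",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most order and phone numbers of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub(record: str):
    """Return (scrubbed_record, findings) for one stored line."""
    findings = []

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave untouched
        findings.append("cleartext card number")
        return "*" * (len(digits) - 4) + digits[-4:]

    def drop_cvv(m):
        findings.append("stored verification code")
        return m.group(1) + "=[removed]"

    out = CVV_RE.sub(drop_cvv, PAN_RE.sub(mask_pan, record))
    return out, findings


if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub(line))
```

This is a heuristic: a card number immediately followed by another bare digit group can be read as one longer number and fail the checksum, so a clean result is not proof that no card data is stored.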