What you can do to protect against credit card fraud

JDN 2457923

This is the second post in my ongoing series on financial fraud, but it’s also some useful personal financial advice. One of the most common forms of fraud, which I have experienced, and most Americans will experience at some point in their lives, is credit card fraud. The US leads the world in credit card fraud, accounting for 47% of all money stolen by this means. In most countries credit card fraud is declining, but not here.

The good news is that there are several things you can do to reduce both the probability of being victimized and the harm you will suffer if you are. I am of course not the first to make such recommendations; similar lists have been made by the Wall Street Journal, Consumer Reports, and even the FTC itself.

1. The first and simplest is to use fewer credit cards.

It is a good idea to have at least one credit card, because you can build a credit history this way which will help you get larger loans such as car loans and home loans later. The best thing to do is to use it for regular purchases and then pay it off as quickly as you can. The higher the interest rate, the more imperative it is to pay it quickly.

More credit cards means that you have more to keep track of, and more that can be stolen; it also generally means that you have larger total credit limits, which is a mixed blessing at best. You have more liquidity that way, to buy things you need; but you also have more temptation to buy things you don’t actually need, and more risk of losing a great deal should any of your cards be stolen.

2. Buy fewer things online, and always from reputable merchants.

This is one I certainly preach more than I practice; I probably buy as much online now as I do in person. It’s hard to beat the combination of higher convenience, wider selection, and lower prices. But buying online is the most likely way to have your credit card stolen (and it is certainly how mine was stolen a few years ago).

The US is unusual among developed countries because we still mainly use magnetic-strip cards, whereas most countries have switched to the EMV system of chip-based cards that provide more security. But this security measure is really quite overrated; it can’t protect against “card not present” fraud, which is by far the most common. Unless and until you can somehow link up the encrypted chips to your laptop in order to use them to pay online, the chips will do little to protect against fraud.

3. Monitor your bank and credit card statements regularly.

This is something you should be doing anyway. Online statements are available from just about every major bank and credit union, and you can check them at any time, any day. Watching these online statements will help you keep track of your spending, manage your budget, and, yes, protect against fraud, because the sooner you see and report a suspicious transaction the more likely you are to recover the money.

4. Use secure passwords, don’t re-use passwords, and use a secure password manager.

Most people still use remarkably insecure passwords for their online accounts. Hacking your online accounts —especially your online retail accounts, like Amazon—typically means being able to steal your credit cards. As we move into the cyberpunk future, personal security will increasingly be coextensive with online security, and until we find something better, that means good passwords.

Passwords should be long, complicated, and not easily tied to anything about you. To remember them, I highly recommend the following technique: Write a sentence of several words, and then convert the words of that sentence into letters and numbers. For example (obviously don’t use this particular example; the whole point is for passwords to be unique), the sentence “Passwords should be long, complicated, and not easily tied to anything about you.” could become the password “Psblcanet2aau”.

Human long-term memory is encoded in something very much like narrative, so you can make a password much more memorable by making it tell a story. (Literally a story if you like: “Once upon a time, in a land far away, there were seven dwarves who lived in a forest.” could form the password “1uatialfatw7dwliaf”.) If you used the whole words, it would be far too long to fit in most password systems; but by condensing it into letters, you keep it memorable while allowing it to fit. The first letters of English words are not quite random—some letters are much more common than others, for example—but as long as the password is long enough this doesn’t make it substantially easier to guess.

If you have any doubts about the security of your password, do the following: Generate a new password by the same method you used to generate that one, and then try the new password—not the old password—in an entropy checking utility such as https://howsecureismypassword.net/. The utility will tell you approximately how long it would take to guess your password by guessing random characters using current technology. This is really an upper limit—computers will get faster, and by knowing things about you, hackers can improve upon random guessing substantially—but a good password should at least be in the thousands or millions of years, while a very bad password (like the word “password” itself) can literally be in the nanoseconds. (Actually if you play around you can generate passwords that can take far longer, even “12 tredecillion years” and the like, but they are generally too long to actually use.) The reason not to use your actual password is that there is a chance, however remote, that it could be intercepted while you were doing the check. But by checking the method, you can ensure that you are generating passwords in an effective way.

After you’ve generated all these passwords, how do you remember them all? It’s unreasonable to expect you to keep them all in your head. Instead, you can just keep a few of the most important ones in your head, including a master password that you then use for a password manager like LastPass or Keeper. Password managers are frequently rated by sites like PC Mag, CNET, Consumer Affairs, and CSO. Get one that is free and top-rated; there’s no reason to pay when the free ones are just as good, and no excuse for getting any less than the best when the best ones are free.

The idea of a password manager makes some people uncomfortable—aren’t you handing your passwords over to someone else?—so let me explain it a little. You aren’t actually handing over your passwords, first of all; a reputable password manager will actually encrypt your passwords locally, and then only transmit encrypted versions of them to the site that operates the password manager. This means that no one—not the company, not even you—can access those passwords without knowing the master password, so definitely make sure you remember that master password.

In theory, it would be better to just remember different 27-character alphanumeric passwords for each site you use online. This is indisputable. Encryption isn’t perfect, and theoretically someone might be able to recover your passwords even from Keeper or LastPass. But that is astronomically unlikely, and what’s far more likely is that if you don’t use a password manager, you will forget your passwords, or re-use them and get them stolen, or else make them too simple and allow them to be guessed. A password manager allows you to maintain dozens of distinct, very complex passwords, and even update them regularly, all while remembering only one or a few. In practice, this is what provides the best security.

5. Above all, report any suspicious activity immediately.

This one I cannot emphasize enough. If you do nothing else, do this. If you ever have any reason to suspect that your credit card might have been compromised, call your bank immediately. Get them to cancel the card, send you a new one, and check any recent transactions.

Do this if you lose your wallet. Do it if you see something weird on your online statement. Do it if you bought something from an online retailer that seemed a little sketchy. Do it if you just have a weird hunch and something doesn’t feel right. The cost of doing this is a minor inconvenience; the benefit could be thousands of dollars.

If you do report a stolen card, in most cases you won’t be held liable for a penny—the credit card company will have to cover any losses. But if you don’t, you could end up making payments on interest on a balance that a thief ran up on your behalf.

If we all do this, credit card fraud could become a thing of the past. Now, about those interest rates…

Financial fraud is everywhere

Jun 4, JDN 2457909
When most people think of “crime”, they probably imagine petty thieves, pickpockets, drug dealers, street thugs. In short, we think of crime as something poor people do. And certainly, that kind of crime is more visible, and typically easier to investigate and prosecute. It may be more traumatic to be victimized by it (though I’ll get back to that in a moment).

The statistics on this matter are some of the fuzziest I’ve ever come across, so estimates could be off by as much as an order of magnitude. But there is some reason to believe that, within most highly-developed countries, financial fraud may actually be more common than any other type of crime. It is definitely among the most common, and the only serious contenders for exceeding it are other forms of property crime such as petty theft and robbery.

It also appears that financial fraud is the one type of crime that isn’t falling over time. Violent crime and property crime are both at record lows; the average American’s probability of being victimized by a thief or a robber in any given year has fallen from 35% to 11% in the last 25 years. But the rate of financial fraud appears to be roughly constant, and the rate of high-tech fraud in particular is definitely rising. (This isn’t too surprising, given that the technology required is becoming cheaper and more widely available.)

In the UK, the rate of credit card fraud rose during the Great Recession, fell a little during the recovery, and has been holding steady since 2010; it is estimated that about 5% of people in the UK suffer credit card fraud in any given year.

About 1% of US car loans are estimated to contain fraudulent information (such as overestimated income or assets). As there are over $1 trillion in outstanding US car loans, that amounts to about $5 billion in fraud losses every year.

Using DOJ data, Statistic Brain found that over 12 million Americans suffer credit card fraud any given year; based on the UK data, this is probably an underestimate. They also found that higher household income had only a slight effect of increasing the probability of suffering such fraud.

The Office for Victims of Crime estimates that total US losses due to financial fraud are between $40 billion and $50 billion per year—which is to say, the GDP of Honduras or the military budget of Japan. The National Center for Victims of Crime estimated that over 10% of Americans suffer some form of financial fraud in any given year.

Why is fraud so common? Well, first of all, it’s profitable. Indeed, it appears to be the only type of crime that is. Most drug dealers live near the poverty line. Most bank robberies make off with less than $10,000.

But Bernie Madoff made over $50 billion before he was caught. Of course he was an exceptional case; the median Ponzi scheme only makes off with… $2.1 million. That’s over 200 times the median bank robbery.

Second, I think financial fraud allows the perpetrator a certain psychological distance from their victims. Just as it’s much easier to push a button telling a drone to launch a missile than to stab someone to death, it’s much easier to move some numbers between accounts than to point a gun at someone’s head and demand their wallet. Construal level theory is all about how making something seem psychologically more “distant” can change our attitudes toward it; toward things we perceive as “distant”, we think more abstractly, we accept more risks, and we are more willing to engage in violence to advance a cause. (It also makes us care less about outcomes, which may be a contributing factor in the collective apathy toward climate change.)

Perhaps related to this psychological distance, we also generally have a sense that fraud is not as bad as violent crime. Even judges and juries often act as though white-collar criminals aren’t real criminals. Often the argument seems to be that the behavior involved in committing financial fraud is not so different, after all, from the behavior of for-profit business in general; are we not all out to make an easy buck?

But no, it is not the same. (And if it were, this would be more an indictment of capitalism than it is a justification for fraud. So this sort of argument makes a lot more sense coming from socialists than it does from capitalists.)

One of the central justifications for free markets lies in the assumption that all parties involved are free, autonomous individuals acting under conditions of informed consent. Under those conditions, it is indeed hard to see why we have a right to interfere, as long as no one else is being harmed. Even if I am acting entirely out of my own self-interest, as long as I represent myself honestly, it is hard to see what I could be doing that is morally wrong. But take that away, as fraud does, and the edifice collapses; there is no such thing as a “right to be deceived”. (Indeed, it is quite common for Libertarians to say they allow any activity “except by force or fraud”, never quite seeming to realize that without the force of government we would all be surrounded by unending and unstoppable fraud.)

Indeed, I would like to present to you for consideration the possibility that large-scale financial fraud is worse than most other forms of crime, that someone like Bernie Madoff should be viewed as on a par with a rapist or a murderer. (To its credit, our justice system agrees—Madoff was given the maximum sentence of 150 years in maximum security prison.)

Suppose you were given the following terrible choice: Either you will be physically assaulted and beaten until several bones are broken and you fall unconscious—or you will lose your home and all the money you put into it. If the choice were between death and losing your home, obviously, you’d lose your home. But when it is a question of injury, that decision isn’t so obvious to me. If there is a risk of being permanently disabled in some fashion—particularly mentally disabled, as I find that especially terrifying—then perhaps I accept losing my home. But if it’s just going to hurt a lot and I’ll eventually recover, I think I prefer the beating. (Of course, if you don’t have health insurance, recovering from a concussion and several broken bones might also mean losing your home—so in that case, the dilemma is a no-brainer.) So when someone commits financial fraud on the scale of hundreds of thousands of dollars, we should consider them as having done something morally comparable to beating someone until they have broken bones.

But now let’s scale things up. What if terrorist attacks, or acts of war by a foreign power, had destroyed over one million homes, killed tens of thousands of Americans by one way or another, and cut the wealth of the median American family in half? Would we not count that as one of the greatest acts of violence in our nation’s history? Would we not feel compelled to take some overwhelming response—even be tempted toward acts of brutal vengeance? Yet that is the scale of the damage done by the Great Recession—much, if not all, preventable if our regulatory agencies had not been asleep at the wheel, lulled into a false sense of security by the unending refrain of laissez-faire. Most of the harm was done by actions that weren’t illegal, yes; but some of actually was illegal (20% of direct losses are attributable to fraud), and most of the rest should have been illegal but wasn’t. The repackaging and selling of worthless toxic assets as AAA bonds may not legally have been “fraud”, but morally I don’t see how it was different. With this in mind, the actions of our largest banks are not even comparable to murder—they are comparable to invasion or terrorism. No mere individual shooting here; this is mass murder.

I plan to make this a bit of a continuing series. I hope that by now I’ve at least convinced you that the problem of financial fraud is a large and important one; in later posts I’ll go into more detail about how it is done, who is doing it, and what perhaps can be done to stop them.