What you can do to protect against credit card fraud

JDN 2457923

This is the second post in my ongoing series on financial fraud, but it’s also some useful personal financial advice. One of the most common forms of fraud, which I have experienced, and most Americans will experience at some point in their lives, is credit card fraud. The US leads the world in credit card fraud, accounting for 47% of all money stolen by this means. In most countries credit card fraud is declining, but not here.

The good news is that there are several things you can do to reduce both the probability of being victimized and the harm you will suffer if you are. I am of course not the first to make such recommendations; similar lists have been made by the Wall Street Journal, Consumer Reports, and even the FTC itself.

1. The first and simplest is to use fewer credit cards.

It is a good idea to have at least one credit card, because you can build a credit history this way which will help you get larger loans such as car loans and home loans later. The best thing to do is to use it for regular purchases and then pay it off as quickly as you can. The higher the interest rate, the more imperative it is to pay it quickly.

More credit cards means that you have more to keep track of, and more that can be stolen; it also generally means that you have larger total credit limits, which is a mixed blessing at best. You have more liquidity that way, to buy things you need; but you also have more temptation to buy things you don’t actually need, and more risk of losing a great deal should any of your cards be stolen.

2. Buy fewer things online, and always from reputable merchants.

This is one I certainly preach more than I practice; I probably buy as much online now as I do in person. It’s hard to beat the combination of higher convenience, wider selection, and lower prices. But buying online is the most likely way to have your credit card stolen (and it is certainly how mine was stolen a few years ago).

The US is unusual among developed countries because we still mainly use magnetic-strip cards, whereas most countries have switched to the EMV system of chip-based cards that provide more security. But this security measure is really quite overrated; it can’t protect against “card not present” fraud, which is by far the most common. Unless and until you can somehow link up the encrypted chips to your laptop in order to use them to pay online, the chips will do little to protect against fraud.

3. Monitor your bank and credit card statements regularly.

This is something you should be doing anyway. Online statements are available from just about every major bank and credit union, and you can check them at any time, any day. Watching these online statements will help you keep track of your spending, manage your budget, and, yes, protect against fraud, because the sooner you see and report a suspicious transaction the more likely you are to recover the money.

4. Use secure passwords, don’t re-use passwords, and use a secure password manager.

Most people still use remarkably insecure passwords for their online accounts. Hacking your online accounts —especially your online retail accounts, like Amazon—typically means being able to steal your credit cards. As we move into the cyberpunk future, personal security will increasingly be coextensive with online security, and until we find something better, that means good passwords.

Passwords should be long, complicated, and not easily tied to anything about you. To remember them, I highly recommend the following technique: Write a sentence of several words, and then convert the words of that sentence into letters and numbers. For example (obviously don’t use this particular example; the whole point is for passwords to be unique), the sentence “Passwords should be long, complicated, and not easily tied to anything about you.” could become the password “Psblcanet2aau”.

Human long-term memory is encoded in something very much like narrative, so you can make a password much more memorable by making it tell a story. (Literally a story if you like: “Once upon a time, in a land far away, there were seven dwarves who lived in a forest.” could form the password “1uatialfatw7dwliaf”.) If you used the whole words, it would be far too long to fit in most password systems; but by condensing it into letters, you keep it memorable while allowing it to fit. The first letters of English words are not quite random—some letters are much more common than others, for example—but as long as the password is long enough this doesn’t make it substantially easier to guess.

If you have any doubts about the security of your password, do the following: Generate a new password by the same method you used to generate that one, and then try the new password—not the old password—in an entropy checking utility such as https://howsecureismypassword.net/. The utility will tell you approximately how long it would take to guess your password by guessing random characters using current technology. This is really an upper limit—computers will get faster, and by knowing things about you, hackers can improve upon random guessing substantially—but a good password should at least be in the thousands or millions of years, while a very bad password (like the word “password” itself) can literally be in the nanoseconds. (Actually if you play around you can generate passwords that can take far longer, even “12 tredecillion years” and the like, but they are generally too long to actually use.) The reason not to use your actual password is that there is a chance, however remote, that it could be intercepted while you were doing the check. But by checking the method, you can ensure that you are generating passwords in an effective way.

After you’ve generated all these passwords, how do you remember them all? It’s unreasonable to expect you to keep them all in your head. Instead, you can just keep a few of the most important ones in your head, including a master password that you then use for a password manager like LastPass or Keeper. Password managers are frequently rated by sites like PC Mag, CNET, Consumer Affairs, and CSO. Get one that is free and top-rated; there’s no reason to pay when the free ones are just as good, and no excuse for getting any less than the best when the best ones are free.

The idea of a password manager makes some people uncomfortable—aren’t you handing your passwords over to someone else?—so let me explain it a little. You aren’t actually handing over your passwords, first of all; a reputable password manager will actually encrypt your passwords locally, and then only transmit encrypted versions of them to the site that operates the password manager. This means that no one—not the company, not even you—can access those passwords without knowing the master password, so definitely make sure you remember that master password.

In theory, it would be better to just remember different 27-character alphanumeric passwords for each site you use online. This is indisputable. Encryption isn’t perfect, and theoretically someone might be able to recover your passwords even from Keeper or LastPass. But that is astronomically unlikely, and what’s far more likely is that if you don’t use a password manager, you will forget your passwords, or re-use them and get them stolen, or else make them too simple and allow them to be guessed. A password manager allows you to maintain dozens of distinct, very complex passwords, and even update them regularly, all while remembering only one or a few. In practice, this is what provides the best security.

5. Above all, report any suspicious activity immediately.

This one I cannot emphasize enough. If you do nothing else, do this. If you ever have any reason to suspect that your credit card might have been compromised, call your bank immediately. Get them to cancel the card, send you a new one, and check any recent transactions.

Do this if you lose your wallet. Do it if you see something weird on your online statement. Do it if you bought something from an online retailer that seemed a little sketchy. Do it if you just have a weird hunch and something doesn’t feel right. The cost of doing this is a minor inconvenience; the benefit could be thousands of dollars.

If you do report a stolen card, in most cases you won’t be held liable for a penny—the credit card company will have to cover any losses. But if you don’t, you could end up making payments on interest on a balance that a thief ran up on your behalf.

If we all do this, credit card fraud could become a thing of the past. Now, about those interest rates…

How we sold our privacy piecemeal

Apr 2, JDN 2457846

The US Senate just narrowly voted to remove restrictions on the sale of user information by Internet Service Providers. Right now, your ISP can basically sell your information to whomever they like without even telling you. The new rule that the Senate struck down would have required them to at least make you sign a form with some fine print on it, which you probably would sign without reading it. So in practical terms maybe it makes no difference.

…or does it? Maybe that’s really the mistake we’ve been making all along.

In cognitive science we have a concept called the just-noticeable difference (JND); it is basically what it sounds like. If you have two stimuli—two colors, say, or sounds of two different pitches—that differ by an amount smaller than the JND, people will not notice it. But if they differ by more than the JND, people will notice. (In practice it’s a bit more complicated than that, as different people have different JND thresholds and even within a person they can vary from case to case based on attention or other factors. But there’s usually a relatively narrow range of JND values, such that anything below that is noticed by no one and anything above that is noticed by almost everyone.)

The JND seems like an intuitively obvious concept—of course you can’t tell the difference between a color of 432.78 nanometers and 432.79 nanometers!—but it actually has profound implications. In particular it undermines the possibility of having truly transitive preferences. If you prefer some colors to others—which most of us do—but you have a nonzero JND in color wavelengths—as we all do—then I can do the following: Find one color you like (for concreteness, say you like blue of 475 nm), and another color you don’t (say green of 510 nm). Let you choose between the blue you like and another blue, 475.01 nm. Will you prefer one to the other? Of course not, the difference is within your JND. So now compare 475.01 nm and 475.02 nm; which do you prefer? Again, you’re indifferent. And I can go on and on this way a few thousand times, until finally I get to 510 nanometers, the green you didn’t like. I have just found a chain of your preferences that is intransitive; you said A = B = C = D… all the way down the line to X = Y = Z… but then at the end you said A > Z. Your preferences aren’t transitive, and therefore aren’t well-defined rational preferences. And you could do the same to me, so neither are mine.

Part of the reason we’ve so willingly given up our privacy in the last generation or so is our paranoid fear of terrorism, which no doubt triggers deep instincts about tribal warfare. Depressingly, the plurality of Americans think that our government has not gone far enough in its obvious overreaches of the Constitution in the name of defending us from a threat that has killed fewer Americans in my lifetime than die from car accidents each month.

But that doesn’t explain why we—and I do mean we, for I am as guilty as most—have so willingly sold our relationships to Facebook and our schedules to Google. Google isn’t promising to save me from the threat of foreign fanatics; they’re merely offering me a more convenient way to plan my activities. Why, then, am I so cavalier about entrusting them with so much personal data?

 

Well, I didn’t start by giving them my whole life. I created an email account, which I used on occasion. I tried out their calendar app and used it to remind myself when my classes were. And so on, and so forth, until now Google knows almost as much about me as I know about myself.

At each step, it didn’t feel like I was doing anything of significance; perhaps indeed it was below my JND. Each bit of information I was giving didn’t seem important, and perhaps it wasn’t. But all together, our combined information allows Google to make enormous amounts of money without charging most of its users a cent.

The process goes something like this. Imagine someone offering you a penny in exchange for telling them how many times you made left turns last week. You’d probably take it, right? Who cares how many left turns you made last week? But then they offer another penny in exchange for telling them how many miles you drove on Tuesday. And another penny for telling them the average speed you drive during the afternoon. This process continues hundreds of times, until they’ve finally given you say $5.00—and they know exactly where you live, where you work, and where most of your friends live, because all that information was encoded in the list of driving patterns you gave them, piece by piece.

Consider instead how you’d react if someone had offered, “Tell me where you live and work and I’ll give you $5.00.” You’d be pretty suspicious, wouldn’t you? What are they going to do with that information? And $5.00 really isn’t very much money. Maybe there’s a price at which you’d part with that information to a random suspicious stranger—but it’s probably at least $50 or even more like $500, not $5.00. But by asking it in 500 different questions for a penny each, they can obtain that information from you at a bargain price.

If you work out how much money Facebook and Google make from each user, it’s actually pitiful. Facebook has been increasing their revenue lately, but it’s still less than $20 per user per year. The stranger asks, “Tell me who all your friends are, where you live, where you were born, where you work, and what your political views are, and I’ll give you $20.” Do you take that deal? Apparently, we do. Polls find that most Americans are willing to exchange privacy for valuable services, often quite cheaply.

 

Of course, there isn’t actually an alternative social network that doesn’t sell data and instead just charges a subscription fee. I don’t think this is a fundamentally unfeasible business model, but it hasn’t succeeded so far, and it will have an uphill battle for two reasons.

The first is the obvious one: It would have to compete with Facebook and Google, who already have the enormous advantage of a built-in user base of hundreds of millions of people.

The second one is what this post is about: The social network based on conventional economics rather than selling people’s privacy can’t take advantage of the JND.

I suppose they could try—charge $0.01 per month at first, then after awhile raise it to $0.02, $0.03 and so on until they’re charging $2.00 per month and actually making a profit—but that would be much harder to pull off, and it would provide the least revenue when it is needed most, at the early phase when the up-front costs of establishing a network are highest. Moreover, people would still feel that; it’s a good feature of our monetary system that you can’t break money into small enough denominations to really consistently hide under the JND. But information can be broken down into very tiny pieces indeed. Much of the revenue earned by these corporate giants is actually based upon indexing the keywords of the text we write; we literally sell off our privacy word by word.

 

What should we do about this? Honestly, I’m not sure. Facebook and Google do in fact provide valuable services, without which we would be worse off. I would be willing to pay them their $20 per year, if I could ensure that they’d stop selling my secrets to advertisers. But as long as their current business model keeps working, they have little incentive to change. There is in fact a huge industry of data brokering, corporations you’ve probably never heard of that make their revenue entirely from selling your secrets.

In a rare moment of actual journalism, TIME ran an article about a year ago arguing that we need new government policy to protect us from this kind of predation of our privacy. But they had little to offer in the way of concrete proposals.

The ACLU does better: They have specific proposals for regulations that should be made to protect our information from the most harmful prying eyes. But as we can see, the current administration has no particular interest in pursuing such policies—if anything they seem to do the opposite.