December 26, 2019: Chances are you pay for most everything with either a debit or credit card. Whether it’s your seamless order, your internet bill, or your morning cup of coffee, you likely pull out that piece of plastic and swipe without giving it a second thought.
In fact, according to the Federal Reserves’ 2019 Federal Reserve Payments Study, total card payments grew to 131.2 billion transactions in 2018, totaling $7.08 trillion. That’s up from 29.7 billion transactions totaling $1.56 trillion in 2015.
But that simple swipe can open you up to a world of hurt. That’s because magnetic stripes, the black bars on the back of your credit and debit cards, are among the least secure payment methods around, leaving you at risk of fraud.
And if you frequently use your debit card, you could end up giving criminals access to your entire bank account. That’s because unlike credit cards, debit cards use money from your checking or savings account. And if a criminal drains your account, you could end up waiting days for your bank to reinstate your cash, leaving you high and dry.
The best way to stay safe? Use services like Apple (AAPL) Pay, Google (GOOG, GOOGL) Pay, or Samsung Pay, which are among the most secure payment methods. If you can find them.
Why magnetic stripe cards are so vulnerable
Magnetic stripe cards have been around for decades. And they’ve got their benefits.
"The pro...is that you can pretty much use it anywhere," explained Paige Hanson, chief of identity education at NortonLifeLock on payment security.
"But there is a lot of risk involved, because the magstripe itself, all of that credit card information is static, and it’s unencrypted," she added.
Swipe cards are so fast and convenient because a lack of encryption makes them easy for point-of-sale terminals to quickly read and get you on your way. But that’s also their biggest flaw.
When you swipe, the card reader gets a snapshot of your name, card number, and expiration date. If a criminal has installed a card skimmer in a point-of-sale terminal, they can extract all three of those pieces of information to make online or in-person purchases.
"All of the information is included on the magstripe," said Eric Chan-Tin, assistant professor in the Department of Computer Science at Loyola University Chicago.
In some instances, fraudsters will sell that data to other criminal organizations, which can then make a physical duplicate of your card. But those phony cards can be defeated if sales clerks ask for your ZIP code or require you to input the CVV number found on the back of the card.
Unfortunately, you’ll likely only run into those kinds of roadblocks at gas pumps or when making online purchases.
And with the Fed estimating that 55.4% of all card payments made in 2018 used debit cards, that’s a massive number of potential victims to pick from.
If a fraudster ends up running through your cash, you’ll have to wait days to have it restored to your account. In the meantime, you’ll have no money to pay your bills, whereas a credit card company may just be able to quickly void any purchases and get you back to spending.
Chip and PIN is better, but flawed
According to Chan-Tin, using chip and PIN credit and debit cards are more secure than standard cards, but still suffer from the same issues as their less secure stablemates. That’s because chip and PIN cards still have the same magstripes on them that are so easy to swipe your data from.
When used at a compatible point-of-sale terminal, chip and PIN cards use encryption to lock down the information sent back and forth between the terminal and the payment processing center.
"The benefit of using this card is that in the event there is a breach... it’s encrypted," Hanson said. "So the likelihood of a fraudster having access to your credit card number is pretty low."
Instead of your credit or debit card information, the criminals will only get access to a string of characters used to mask your data.
But since chip and PIN cards have magstripes, they’re still vulnerable to skimming devices embedded in everything from ATMs to gas station pumps when you use them with standard swipe point-of-sale terminals. And while more and more merchants accept chip and PIN, consumers still find themselves having to swipe at times.
And while chip and PIN payments accounted for a 48.8 billion card transactions in the U.S. in 2018, according to the Fed’s study, 37.3 billion credit and debit transactions did not involve chip and PIN cards.
Mobile payments are your safest bet
The safest form of in-person payments, according to both Hanson and Chan-Tin, are smartphone-based mobile payments.
"The contactless, Apple Pay, Google Pay, and so on. Whenever you have your phone to the reader, it actually sends a different number than your credit card. So I would say this is the most secure," Chan-Tin explained.
"The merchant, or whoever is in the middle, can’t get your actual credit card number. Every time it’s a unique number that is not linked to your credit card number."
That unique number Chan-Tin refers to is a special one-time code that can’t be tracked back to your credit card. Each time you use your mobile payment service, one of these codes is generated and sent out for processing as a payment.
The problem with mobile payments is that they aren’t as widely accepted as standard credit card readers. As a result, they can’t be used for in-person transactions as frequently.
How to protect yourself
Your best bet to keep your credit card information safe is to have mobile payments active on your phone, so you’re able to use them at compatible point-of-sale terminals. If one isn’t available, only use a chip and PIN credit card.
You should also set up spending alerts on your smartphone for your various accounts. This way, if you make a payment from your credit card or, as a last resort, your debit card, you’ll immediately be alerted via email, text, or an app notification.
If you receive a notification for a transaction that you didn’t make, reach out to your credit card company or bank immediately to find out what the purchase was for, and, if need be, dispute it.