This was getting serious.
Earlier this fall, hundreds of Ouray County residents’ credit card numbers were stolen, along with a large number of cards used by travelers passing through the area. In October, the Ridgway Marshal’s office, which was coordinating a probe of the fraud, handed the reins to the Colorado Bureau of Investigation, the state agency that steps in when local municipalities lack the resources or the manpower to investigate a crime. County officials announced then that the crime spree was, essentially, over.
They had narrowed down the theft to a single merchant in the area, they said, and had reason to believe the thief (or thieves) had moved along, making it safe for residents to charge their purchases again. Ridgway Town Manager Jen Coates has not released a statement on this latest wave of card fraud, and declined to comment for The Watch. But she said earlier this fall “As soon as we have information that is prudent to share, we will.”
The fact that the fraud keeps happening in the same community points to a “convergence of compromise,” says Adam Levin, the former head of consumer affairs for the state of New Jersey, who is now the president of Credit.com, an online card-information service. The Ouray County fraud, he believes, can most likely be attributed to a point-of-sale machine that allows “skimming.” “Based on what I’ve seen” in other cases, he said, “this smells like it happened at a gas station, a supermarket or a restaurant. Where did you all go and make purchases at about the same time? We saw this in Palo Alto, Calif., Texas and Seattle.” Levin says gas stations, restaurants and supermarkets are three of the most common places where skimming happens. The crime occurs when the magnetic strip of a credit card is passed through a device – a point-of-sale machine – that has been compromised. The data is captured instantly, and usually sold online to someone who has a card-cloning machine (cost: $300 or less). That information is then transferred to new cards, which can be purchased online for as little as $3 each. People who buy the “hot” cards comprise the third tier of the criminal chain. They use these cards to make purchases, and then go back to the merchant and exchange what they’ve bought for cash. The point of the theft is not a shopping spree – it’s cash.
Beyond asking the bank to give a new card, what more can you do to protect yourself if your card number has been stolen more than once?
For starters, report the crime. Most people don’t. When I contacted the CBI to discuss our fraud, I was advised to file a report with the Ouray County Sheriff’s Office, which will pass it along to the CBI for further investigation. For most people, the bottom line is getting their money back, so they only notify their banks about the fraud, the CBI representative said. But the agency needs as many details as it can get about these crimes in order to track down the thieves. Specifically, you should report the number of your card, where you used it, and which bank issued it. Consider filing a fraud report with the Federal Trade Commission, as well. The FTC tracks credit card fraud across state lines, and can find connections between crimes that smaller investigative agencies might not be privy to. To file an FTC report, go to ftccomplaintassistant.gov.
Beyond that, the best way to stay fraud-free is to stick with using cash, which is awfully inconvenient for most people. The second-best idea is to only use credit cards to make your purchases. If your credit card is stolen, the most you can be liable for is $50, and all you’ll have to do is dispute your monthly statement. Have your debit card hacked, and you can quickly be drained of money. “If your credit card is stolen, it’s the bank’s problem,” Levin points out. “If your debit card number is stolen, the problem is yours.”
Stop thinking that your credit and debit cards are the same thing. If you believe you’re safe, for example, because you only use the “credit” feature on your bank card, think again: cards with a Visa or Mastercard logo on them that can be “run” as credit or debit cards. Period. In a sense, these cards offer the worst of both worlds. If you use one to pay for something, the money is taken directly out of your account (so much for the “credit” feature). And if the card is stolen, it can quickly become a liability, because no one will need to know your PIN in order to quickly spend down your account. When checking accounts are linked to savings accounts, things can get really scary; some checking accounts include a feature that allows money to be swept from savings to checking if the account becomes overdrawn (which it quickly could if your card was stolen). This could leave you wiped out entirely. Although the bank will refund the money, legally, it can take up to 10 days to do so (as it did for two of our fraudulent charges), leaving you out of cash.
If you insist on using a debit card, put only as much money in that account as you need and can afford to lose, and keep the majority of your funds in a different checking or savings account. “The most important thing is to check your account frequently,” says Robert Siciliano, an expert on identity theft and consultant for McAfee, the computer security firm. “Once a week is sufficient, and even two weeks is okay. Just be sure to refute any unauthorized transactions within the limit stipulated by your bank.” For most credit cards, that limit is 60 days, Siciliano says, but for debit cards the limit can be 30 days or less.
Some banks offer “real-time notification,” alerting you instantly when a charge is made to your card. If you are concerned about unauthorized charges, consider asking for this feature. You can also request that the bank alert you any time you or anyone you give the card to, such as someone in your family, spends over a pre-set amount – say, $150.
Finally, regardless of whether you continue to use a debit account or switch entirely to credit cards, victims of card fraud, especially two- or three-time victims, should consider having a fraud alert added to their credit report.
“The problem is, when a debit card is compromised, the trail doesn’t necessarily stop at your card,” Levin says. A person could use the stolen data “to try to recreate” other facts about you, one step at a time. For instance, this Ouray County fraud happened in a relatively small area. “It’s likely that you only have one or two zip codes where you live,” Levin says, “So the thieves who stole the data probably know your zip code, and the name of your bank, and your name.” The fraud alert accomplishes two things: it gives you a chance to notify creditors that you’ve been a victim of fraud and to be suspicious of strange charges on your account. It also affords you a free look at your report. There are three credit bureaus; whichever one you file with will alert the other two. What you really don’t want is to become a victim of identity fraud, which can be a major headache and take years to unravel.
“If my card had been compromised twice,” Levin says, “I would want to know that this is as far as it goes.”