By JOE SHARKEY, New York Times
MY wife looked up from her iPad, where she was routinely reviewing a credit card statement.
“You’re going to Bogotá?” she asked.
“Not that I know of,” I replied.
“So I’m guessing you also didn’t buy a $10 cup of coffee yesterday in Antelope, California?” she asked.
No. The charge of $740.04, for a one-way ticket on Delta Air Lines to Bogotá, Colombia, and the charge for $10.20 at a coffee shop were fraudulent.
We are vigilant in our house about monitoring credit card activity, especially after traveling, and this was not the first time that unauthorized charges had appeared after recent trips. So I immediately got on the phone and reported the problem to the American Express Platinum Card office. The card was invalidated, a fraud investigation was begun, the charges were removed, and a few days later a new card arrived via FedEx.
Then I called my friend the security expert, Anthony C. Roman, and said, problem solved, right? Not exactly. “Red alert! Red alert! Red alert!” he responded.
What’s the big deal? Aside from the inconvenience of having to enter the new credit card information on recurring accounts, the cost to me was zero.
“Well, hopefully it was,” said Mr. Roman, president of Roman & Associates, which specializes in investigations and risk management consulting. He explained, however, that isolated unauthorized charges on your credit card statement most likely indicate that sophisticated cybercriminals are waiting to see if you will notice.
“What credit card fraudsters do is test your vigilance, how carefully you’re watching your account, and how carefully the credit card providers are watching your account. They do this by making relatively small purchases first, to see if it sets off any bells and whistles,” he said. Many frequent travelers are lax about checking activity statements in a timely manner, which flashes a green light to criminal hackers. Then, he said, “Hell or high water, the big charges are coming.”
Worse, he said, a hacked card could indicate that more serious identity theft might have occurred.
In its 2013 Global Security Report, Trustwave, a data security management firm, says that the top three industries targeted for data breach attacks in 2012, measured by the number of its investigations, were retailing (45 percent), food and beverage (24 percent) and hotels (9 percent). Three years ago, the hotel industry was at the top, but hotels have since made “significant strides” in improving credit card security measures, the report says.
Still, criminal hackers gravitate to some hotels because, like retail stores and restaurants, hotels do many credit card transactions at a local level, where centralized and highly sophisticated data security safeguards may be lacking. Last year, for example, the Federal Trade Commission sued Wyndham Worldwide, the hotel chain, for what it said was inadequate safeguarding of credit card information that led to three data breaches at hotels in under two years, with “millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”
Wyndham responded that it had done all it could to report the crimes and carry out “significant remedial measures.” The company also charged that the commission had overstepped both its authority and its expertise in hotel data security enforcement.
Most hotels are locally owned, though managed by big hotel chain companies. For hotel owners, it is expensive to come into full compliance with the tough global data security criteria set by the credit card companies. And, Trustwave says, “Cybersecurity threats are increasing as quickly as businesses can implement measures against them.”
The threat is constant, Mr. Roman said. “The best protection is vigilance, and that takes work,” he said. That includes using complex passwords, being wary of public Wi-Fi, updating antivirus software — and checking credit card statements carefully.
Speaking of work, I hate to memorize passwords and PINs, but that appears to lie ahead. In the United States, credit cards use magnetic strips that are more vulnerable to hacking than the electronic chips embedded in credit cards in Europe and elsewhere. Such cards also require entry of a PIN.
These so-called chip-and-PIN cards are headed our way, said Kathy Orner, vice president for information security at Carlson Rezidor, a worldwide hotel company that is among the industry leaders in data security.
All of the major credit card issuers plan to start introducing these cards in the United States within two or three years. Ms. Orner had some advice for when that happens. “Do not use the same PIN on your credit card that you use on your debit card” or anywhere else, she said.
Right: more numbers to remember, coming soon.