Fraud fighters offer tips to thwart ever-smarter thieves

Credit card and identity thieves are getting so believable in their scams that they fooled even Robert Moraca. Briefly.

Moraca is a former police detective, an expert on credit card fraud, and vice president for loss prevention for the National Association of Retailers. A few weeks ago he opened snail mail of what looked like a notice from his phone service.

“It said I owed money. It fooled me,” he said.

Not for long. Moraca called his phone company, which said the letter was a fraud.

The good news, Moraca said, is that we can still do simple things to thwart ever-smarter thieves. Moraca and other fraud fighters say we’re all potential victims, especially during the holiday season when we’re more vulnerable.

Nationally, 16.6 million people, or 7 percent of all people age 16 or older in the U.S., were victims of identity theft in 2012, according to the U.S. Bureau of Justice.

The cost of identity theft in 2012: a staggering $24.7 billion, more than $10 billion more than all other property crimes combined, the bureau says.

Data breaches at retailers are happening more frequently. Last year, a breach at Target during Black Friday shopping compromised the credit card information of about 40 million customers. Home Depot confirmed in September that about 56 million card numbers had been compromised.

There are different kinds of fraud fighters, fighting theft from different angles. Here are suggestions for protecting yourself:

Monitor your bank accounts

Cheryl Kastner and Tom Morrison fight fraud on behalf of customers at Intrust Bank in Wichita. She’s the senior manager over bank cards and consumer lending; he’s the division director over payments, technology and operations.

Two easy things, they said: Whenever something even a little unusual occurs concerning your accounts or you get a query from your bank about an account, call your bank or other financial institution. And check your accounts online frequently. Many people don’t do these simple things, they said.

Many scammers just a couple of years back were small-time crooks, some of them low-tech, who stole checks or cards out of mailboxes, Morrison said.

That still happens. But now many scams involve organized crime groups in Russia, the Ukraine or some other place. “The masterminds behind these operations are often very sophisticated now, and know how the computer technology and the financial processes work,” Morrison said.

They even employ “mules”– real American citizens using their own legitimate bank accounts as theft mechanisms. The mules speak English and give believable pitches to unsuspecting people on the phone or in e-mail.

Banks take a huge hit from these people every year; banks therefore have a motive to help us stop these people. Besides checking our accounts every day, we can ask for banks or credit card companies to send e-mail and text alerts when a purchase is made on our cards.

Most will offer a service to alert customers when a transaction is over a certain amount, Kastner said. To see every transaction, she suggests setting the number at a low amount, such as a penny.

“It is very important to us to fight this fraud,” Morrison said. Intrust wants people to call, as often as anyone wants to call, to check on accounts.

The power of passwords

Here’s a scary story, from an assistant professor at Wichita State University who teaches advanced computer technology, security threats and privacy challenges.

Murtuza Jadliwala sometimes assigns his grad students to crack his password. Passwords are our gateway to much of life now, but also a gateway for thieves to rob us.

Because cracking a stranger’s password is hard, he gives those students six hours to do it.

Do you dislike having to create multiple passwords? Get over it, Jadliwala said.

Most of Jadliwala’s students crack his password, he said. One student even created a Web crawler program to trawl everything it could find about Jadliwala, with the assumption that Jadliwala, like so many of us, bases his passwords on easy-to-remember names like those for pets, children, hometowns.

“He cracked my password in less than an hour,” Jadliwala said.

If really smart WSU students can do that, imagine what experienced criminal organizations can do employing tech-savvy hackers, he said.

Don’t worry about trying to remember all your passwords, he said. “If you can’t remember it, what’s the worst that can happen?” Nothing, really, he said, if you just hit the “forgot your password” link and create a new one. It is annoying, and it takes time, but you might save yourself trouble.

And don’t create passwords that are easy to figure out. “I would rather forget my password and reset it than use a simple password,” Jadliwala said.

Having to create and keep multiple passwords annoys even bankers. Some companies are working on software – Single-sign-on is one example now available, he said – that might soon relieve us of having multiple passwords, but widespread use of that technology has not happened yet.

Like Kastner and Morrison from Intrust, Jadliwala said the smartest thing we can do to protect ourselves and our lending institutions from thieves is to check our accounts frequently.

That suggestion often annoys people, he said. It annoys some of his students when he suggests it in class.

“But I point out to them, these are the same people who I know are checking their Facebook or Twitter accounts 20 times a day,” he said.

One way thieves got a lot smarter recently is that after they hack into somebody’s financial account, they take only a few dollars here and a few more there, he said.

Small purchases and small thefts can go unnoticed by busy victims who don’t religiously monitor their accounts, he said.

Who pays?

Some retailers, trying to prevent credit card theft, occasionally ask for photo IDs when customers make purchases. It makes sense in a way, Jadliwala said. A thief can fake a credit card for you, but can’t necessarily fake what you look like.

Merchants, customers and banks and credit card companies all work in a delicate ecosystem, Morrison said. When a thief strikes, who pays? The customer, or the merchant, or the bank, for example? Usually, if customers did the right things (reported a stolen card immediately, check their accounts regularly), it’s the merchants or the financial institutions who pay. And those two entities have their own protocols.

“That is a gray area and depends on the relationship between the retailer and the card company you are using,” Moraca said. “Sometimes the retailer will take the hit. But if the retailer followed all that fraud criteria they are supposed to follow, the bank will take the loss.”

Moraca, who works for retailers, doesn’t think it would be fair to require retailers to ask for photo IDs. “Retailers have to walk a fine line, balancing service to customers with compliance with credit card company rules,” he said. “It’s a constant struggle.”

But Morrison, who works in banking, doesn’t think photo ID requirements would be fair to retailers either.

If a clerk at a coffee shop asks for a photo ID on a two-dollar purchase of decaf, for example, that might be all right if there’s no line behind the customer, Morrison said.

“But what if there are 40 people in line? It might take 30 seconds to make that sale, but if you ask for a photo ID it might take a minute and a half per customer.”

Banks like Intrust know that merchants survive in part by making sales as painless and as pleasant to customers as possible, Morrison said.

Thieves will continue to rob us and get smarter about it, Morrison said. It’s changed the banking industry he works to protect. A year and a half ago, he said, Intrust faced several significant attacks every year. So it responded to each threat with a series of meetings to develop plans tailored to meet that threat, he said.

But now, Kastner said, these attacks “happen all the time.” So she, Morrison and the rest of the bank staff fight these frauds more efficiently. The meetings tailored to individual threats are less common, replaced in part by a bank company playbook. Everybody and every team in the bank, experienced in fighting daily significant threats now, knows what to do and follows that daily playbook, Morrison said.

Review credit reports

To make certain someone isn’t taking out loans or obtaining credit cards in your name, check your credit reports at www.annualcreditreport.com.

Reports on your payment history have become much more important. They can affect everything from getting a mortgage to getting a new credit card, Morrison said. Reviewing your credit reports helps you catch identity theft, he said.

Under federal law, everyone is entitled to a free credit report every 12 months from each of the credit reporting companies. And because there are three companies, everybody can get three separate credit reports a year. To check your credit year-round, put a reminder on your calendar to request the reports four months apart.

Getting a credit report “is one of the best practices out there for people to do credit monitoring,” Kastner said.

Another option is contacting the three credit bureaus and placing a security freeze on your credit report. Since most businesses won’t grant credit without access to your credit report, an identity thief can’t open accounts in your name.

When you freeze a credit report, you get either a PIN number or a password that only you know. When you want to apply for credit, you can use the password to thaw your account for a few days.

The credit agencies charge $5 for a security freeze and will waive the charge if you have been the victim of a fraud. For more details, search the term “security freeze” at consumerfinance.gov.

There are other simple things we can all do:

▪  Moraca, the ex-cop and fraud fighter, keeps many of his cards in a separate folio at home and carries only two cards with him daily. And he carries cash, which many people think has gone out of fashion. He doesn’t agree. He leaves home with $40 in his wallet.

▪  Many institutions and merchants now provide prepaid temporary cards that can be loaded with only a few hundred dollars, Jadliwala said. Those accounts close after a few weeks or less, he said. The extra time required to get one of those cards balances against the fact that they don’t expose your entire checking account to theft.

▪ If you want a debit card tied to an account, another option is to open two checking accounts. Keep a small amount of money in one for shopping with a debit card. If thieves attack that account, the money in your main account for paying the mortgage, utilities and other living expenses is still protected.

▪ Don’t store user names and passwords to financial accounts digitally.

▪ Watch out for card skimmers placed on ATM machines or gas station pumps that allow thieves to record your credit or debit card numbers. Try to wiggle the card reader where you are supposed to insert your card. If it is loose and doesn’t appear to be permanently attached to the machine, alert the gas station attendant or authorities.

▪ Never volunteer your Social Security or bank numbers or any other private information to any agency, unless you yourself made the call that started the conversation, Kastner said.

▪  Don’t let mail accumulate in your outside mailbox, and don’t let newspapers pile up in your driveway because that shows that you’re not at home, Kastner said. Old-fashioned mailbox theft of charge cards, bank statements and other identity information still happens a lot, she said.

▪ If an offer you receive in a telephone call, e-mail or snail mail looks too good to be true, Jadliwala said, “it probably is.”

This story was originally published November 22, 2014 at 4:39 PM with the headline "Fraud fighters offer tips to thwart ever-smarter thieves."