How ID thieves are outsmarting "smart cards"

Millions of credit cards have been converted to so-called “smart cards” -- credit cards embedded with computer chips -- over the past year in an effort to cut down on fraud. But it turns out that crooks just got smarter too, pushing identity theft to record-breaking levels.

“We saw criminals diversifying the way they commit crimes,” said Al Pascual, senior vice president and head of fraud and security at Javelin Strategy & Research, which released its annual identity theft survey today. Instead of cutting credit card fraud, new technology simply changed the type of fraud committed, Pascual added.

 “Criminals can’t counterfeit as many cards as they used to,” he said, “so what do they do? They take over your account.”

ID theft jumped 16 percent last year, with a whopping 15.4 million consumers hit, according to the survey. That’s 2 million more people than in 2015. The latest survey found that six in every 100 consumers in the nation -- the highest fraud incidence since Javelin started conducting this survey in 2003 -- were victimized in 2016.

ID theft encompasses multiple types of fraud, from the creation of counterfeit cards to improper use of an existing credit card or card number. This year, the biggest growth was in “account takeover” fraud, up 61 percent. This involves a criminal changing the contact information for an existing account so that the crook will receive new cards and the hijack notifications about their own fraudulent activity, while keeping the real account owner in the dark.

Because this fraud disconnects the account owner from his or her own account information, it can be a particularly difficult fraud to catch promptly, Pascual said.

The other big jump -- 40 percent year-over-year -- was in so-called “card-not-present” transactions. This involves a crook getting your credit card information and using it to buy something online.

Additionally, said Pascual, Javelin saw a rise in new account fraud, where a crook opens a new account in a consumer’s name without the consumer’s knowledge or consent.

People at the biggest risk of ID theft are those who use social media and aren’t too careful about their passwords, according to Javelin. A common way criminals get into bank and credit card accounts, for instance, is to buy purloined online passwords. The Yahoo breach, for example, put information on 1 billion consumers at risk.

The crook then starts pinging other sites, using the stolen credentials, to see if the consumer’s other accounts, including bank and credit card accounts, use the same passwords. If so, the criminal may be able to hijack the account relationship.

What can you do to protect yourself?

Pay attention to privacy settings. Only let friends see your social media posts and be discriminating about accepting requests from “friends” you don’t know. Also beware new “friend requests” from existing friends. Often, these are hackers, who have taken over one of your friends’ accounts and are now trolling to hack your account, too.

Set new passwords. Don’t use “password” or “12345678” as the password for any account. As stupid as those sound, they remain commonplace. Take the time to develop hard-to-guess identifiers and have different passwords for different accounts. If you’re lost in a sea of passwords, at least set unique passwords for your financial accounts.

Sign up for two-factor authentication. Many bank, brokerage and shopping sites now allow you to authenticate purchases with a second contact -- perhaps a code sent to your phone or email. These systems make it tougher for criminals to steal from you. While it’s still possible to get taken, don’t make yours the path of least resistance.

If your account has been compromised, set a fraud alert or security freeze on your credit file. A fraud alert is a temporary measure that requires lenders to contact you before opening a new account in your name. A credit freeze bars creditors from issuing new credit on your account, until and unless the freeze is lifted. 

If you’ve been involved in a data breach, using one of these measures can help deter criminals. Use the fraud alert if you might want new credit in the next several months. Use the freeze if you’re pretty sure you won’t be applying for credit for the next year.

Say “yes” to account alerts. If your financial services providers allow the option of getting a text messages or an email any time they detect suspicious activity on your account, sign up. You can ignore anything that’s legit, while getting real-time notification of -- and the ability to head off -- fraudulent transactions.

Monitor your accounts. It goes without saying, but read your monthly account statements and make sure that you recognize all the spending.

Check your credit report. At least once a year, get a copy of your free credit report at Read through it, and make sure all the accounts are familiar. If they’re not, report fraud immediately and take other steps, such as instituting a credit freeze, promptly. 

For pernicious problems, hire someone. Credit monitoring firms, such as LifeLock, offer to notify you whenever your private data is being used to open an account and to block criminal attempts. These services typically cost between $8 and $30 per month, so they’re not for everyone. 

But if you’re concerned about ID theft or have had a nagging ID theft issue, they can be well worth the money.