Updated every Monday!   Subscribe to free weekly newsletter.

April 20, 2009

Security Flaw Found in Some Credit Cards

Filed under: Finance — Edgar (aka MrConsumer) @ 6:18 am

Consumer advocates have always advised the public to cut expired credit cards in half so they could not be used for fraudulent purposes by a garbage-picking crook. Following that conventional wisdom, however, is no safeguard that your full credit card number will not be stolen and used.

Here is the left half of an expired American Express card:

amexfrontm

With only half the number showing, even an enterprising crook could not use it to make a purchase. However, that is only one side of the story, so to speak. Turn over that half of the card:

*MOUSE PRINT:

amexbackm

The back side of the card reveals a small engraved number that represents the second half of the card number. (The leading “7” duplicates the last number visible on the front of the card.) And, note to crooks, the number on the reverse side has been altered so as not to jeopardize the real credit card number.

With the full credit card number visible, as well as the cardholder’s name, a clever crook could surmise the expiration date from the portion showing, and could potentially use the card to make online purchases. (Amex’s four digit security code, however, is not visible, and should a retail website ask for that information, this card would be rejected.)

When asked to comment on this security issue, and in particular why they issue cards with such an obvious security flaw and whether they were going to change the card’s design, a spokesperson for American Express responded in relevant part:

“I’m following up to let you know that we take the security of our cardmembers’ information, as well as fraud prevention, very seriously and have a number of sophisticated monitoring systems and controls in place to detect fraudulent card activity. We are constantly evolving these techniques to adapt to the changing activities of fraudsters.

We have learned that the best way to approach fraud prevention is from a holistic perspective. This means preventing fraud both on the consumer and merchant side of the transaction, looking at physical features of the Card as well as security information only the true Cardmember would know about the account. I cannot discuss specifics on this since the techniques would no longer be effective if we made them public.

One suggestion is for cardmembers to protect their personal and account information by shredding documents or cards before discarding them.” –Manager, Public Affairs & Communications | Risk, Information Management & Banking Group

Lest you think this is only an American Express issue, it is not. Below is the left half a Washington Mutual Visa card, front and back. The full credit card number is visible when putting the numbers found on the front and back of just that half together, as is the customer’s name and the security code. The expiration date can be discerned with a little guessing.

*MOUSE PRINT:

wamufandbm

A spokesperson for Chase, which took over Washington Mutual said:

“Chase only prints the last four digits of the customer account number on the back of the plastic. So, as WaMu accounts convert to Chase, the plastics will follow this specification.”

This is not a new problem.  It does not affect all card issuers by any means, and not all cards of the above issuers are affected.  The practice of printing the full account number on the reverse side of credit cards has been going on for a long time, as this was a problem first noticed with some MasterCards about 15 years ago.

Does your card have all 15 or 16 digits of credit card number printed on the back?

The lesson here is to not merely cut your old, expired cards in half when disposing of them, but to shred them.  If you don’t have a shredder, just cut the card in a number of small pieces, and throw them away in separate garbage bags.

Share this story:



 

 

  ADV


• • •

18 Comments

  1. Duh,

    Just take an extra moment and cut it into several pieces (3 – 5).

    Then, it’s extremely unlikely that the complete number will be on any one fragment.

    Comment by ldg — April 20, 2009 @ 6:56 am
  2. I always thought to myself “what if someone finds both halfs in the garbage?” so I cut my expired credit cards in tiny pieces with scissors and shred old bills. Just seemed like common sense to me.

    Comment by Peter — April 20, 2009 @ 7:35 am
  3. I noticed this on my own card a couple years ago. Since then, when it’s time to throw out a card, I

    1.) cut it up into tiny shreds (to small to see anything on)
    2.) Divide the pile into several parts
    3.) Roll those bits in duct tape
    4.) Throw out each duct taped bit in a separate can

    Overkill? Totally! Entertaining? Occasionally, especially when on a conference call. Will anyone ever get my card numbers if I can help it? NEVER 😀

    Comment by Kelley — April 20, 2009 @ 8:40 am
  4. I just keep my old ccs. I cut them up, and them put them in a safe. Another thing you can do, is cut the card in 4-5 pieces and then distribute those pieces over several trash bins. One piece in the kitchen, one piece at your desk, one in the bath room, etc. The chance of someone finding them is near nill. Your point is good though. Banks are not helping. But then, who is surprised at that? When is the last time anybody felt that a bank worried about their money?

    Comment by Jasper — April 20, 2009 @ 8:49 am
  5. That is why I cut up my Credit Cards into little pieces.

    Comment by Stephen — April 20, 2009 @ 9:32 am
  6. Tell me why credit card security hasn’t been “upgraded” to be more like an ATM. Consider that an ATM card generally has a $500 limit. Also note that in order to use it you usually have to key a PIN that’s not imprinted on the card. Now the credit card; the limit is normally in the $10k to $20k range, and the “secret” code is just the billing zip code, which happened to be on the drivers license also in the stolen wallet. Which one is more secure? Why don’t the credit card companies switch from the zip code to a PIN? All of the technology is there. Most CC’s also have PIN’s anyhow to support cash advances. Requiring the use of a PIN on all credit cards should pretty much eliminate most credit card fraud.

    Comment by Tim Hawkins — April 20, 2009 @ 10:06 am
  7. overkill… you spend all this time protecting your card in the trash, but think nothing of giving it to a minimum wage (well below) worker at a restaurant.

    I imagine most card numbers are obtained from processors that have their databases cracked.

    The bottom line is don’t worry about it. Monitor your card usage and call in with a problem. You have 20-30 days to dispute a charge before you have to pay your CC statement. (or, as in my case the full balance is automatically drafted)

    Avoid bank “debit” cards w/o pins at all costs. (I’ve threatened to change banks when they sent me one.) You lose the 20-30 day float to detect/resolve issues. There is little or no consumer benefit for a “debit” card… just pay your CC in full at the end of the month and you pay no interest.

    Comment by Robert — April 20, 2009 @ 10:48 am
  8. Thanks for posting this info. It’s a nice break from the typical see-how-you’re-getting-ripped-off posting.

    Comment by Ken Row — April 20, 2009 @ 11:24 am
  9. I cut my old cards into about 20-30pcs and spread those parts out amongst 4-5 trash cans. I’ve been doing that ever since my first expired credit/debit card. The only way I would trust a shredder is if it was a cross-cut type. But I’d still separate the pieces into different places.

    Comment by Mike — April 20, 2009 @ 11:25 am
  10. I DON’T SEE ANYBODY MENTION TO ERASE THE MAG STRIP BEFORE DOING ANYTHING ELSE.

    Comment by LEN — April 20, 2009 @ 12:30 pm
  11. My permanent way of disposing of old credit cards is fire. They either go to a family member’s burn barrel for disposal or my charcoal grill after dinner is on the table and the embers are still hot. The remenants get disposed of with the ash.

    Comment by Julie — April 20, 2009 @ 1:15 pm
  12. I always cut mine across the numbers. DUH! Not in HALF! (?)

    Comment by Shasta — April 20, 2009 @ 1:44 pm
  13. Credit card numbers (not expired numbers, mind you) are stolen by the million from various databases. As far as I understand, on the open market these numbers are actually worth a few pennies each (yes, there is a market for stolen credit card numbers). What I would like to know is whether there are still actual live criminals out there that spend their time picking through trash trying to find a piece of an expired credit card…

    Comment by max — April 20, 2009 @ 11:50 pm
  14. We have an inexpensive paper shredder that has a place right in the center of the shredder for inserting credit cards. I would think most paper shredders have that feature.

    Comment by Myra — April 21, 2009 @ 2:28 pm
  15. I cut mine into small pieces and then separate into a few piles and then throw away one pile a week.

    Comment by Toni — April 23, 2009 @ 6:49 pm
  16. I have collected all of my credit cards that I have been issued over the last 10 years. I have only two left to pay off. I will not be using credit cards again. I have been canceling the accounts as I have paid them off and I am going to send a video of myself destroying them for the Dave Ramsey Show on the Fox Business Network. He plays the best videos from his listeners that send in their credit card carnage and gives out awards once a year. It is hilarious how some people have destryed their cards.

    Comment by Shawna Neill — May 1, 2009 @ 7:52 am
  17. I have always found that a shreder works best. Thanks for the great article.

    Comment by Frank — July 7, 2009 @ 11:20 am
  18. Cut the card up, and put the bits into a dirty diaper!

    Comment by Guest — February 1, 2010 @ 7:31 pm

Comments RSS

Sorry, the comment form is closed at this time.

Powered by: WordPressPrivacy Policy
Mouse Print exposes the strings and catches buried in the fine print of advertising.
Copyright © 2006-2019. All rights reserved. Advertisements are copyrighted by their respective owners.