Last year, one of my family’s credit cards was used to collect hundreds of dollars in fake charges on Apple.com. Another card was compromised four times in a row, as thieves repeatedly charged for merchandise and Uber rides.
We eventually got our money back, but repeated credit card scams can be frustrating and upsetting. Dealing with the aftermath taught me to value safety over comfort, and to change some of the bad habits that made me an easier target.
THE CLOCK IS TICKING ON CREDIT CARD FRAUD
Under the Fair Credit Billing Act, consumers have 60 days after a fraudulent charge appears on a statement to report it to the credit card issuer to avoid most liability, said attorney Amy Loftsgordon, legal editor at Nolo, an independent legal website. (The law limits consumer liability to $50 per series of unauthorized use, but most publishers waive it, says Loftsgordon.)
So my heart broke when I realized that the fraud on our Apple.com account had started at least six months earlier.
I noticed that my Apple.com bill continued to increase, but assumed that my husband was buying more audiobooks and my daughter was downloading more games. I would grumble at them every now and then, they would plead not guilty and the accusations would continue.
Finally, the thieves went too far and collected over $300 in one month. I contacted Apple and learned that our cards had been used to purchase virtual dating apps and phone numbers, which were most likely used to scam other people. An electronic receipt for this purchase was sent to an email address I don’t recognize.
NEW CARD DOESN’T STOP FRAUD
The kicker: Thieves are using credit card numbers that have been reported to have been compromised. Usually, credit card issuers will refuse new charges on compromised numbers. But according to the card issuer, the thieves started their crime a few days after my replacement card was sent. Because we’ve made regular purchases on Apple.com, the card issuer assumed the fee on the old card was legitimate and allowed it to pass “as a courtesy” – month after month. (I am convinced that this series of events is “very rare and almost never happens.”)
Apple’s customer service reps write off the last month’s bill and the publisher writes off the rest — even those past the 60 day mark.
My note: Sites where you make multiple purchases each month need to be monitored carefully for fake transactions. Compare what your credit card statement says you’ve charged with your purchase history on the site. You may have to search online to find the history; Apple certainly doesn’t make it easy or intuitive to find your bill. And if you spot a scam, report it — even if it exceeds the 60 day time limit.
MAKES SCAMS WORK HARD
It’s still unclear why my other cards are repeatedly compromised. As soon as I get a replacement card, I will receive an SMS from the issuer asking about another suspicious transaction.
I took the card out of the browser and website where it’s stored. We may like the convenience of not having to type in our credit card numbers, but every place we store our cards is another place they can be stolen, says security expert Avivah Litan, a leading analyst vice president at research firm Gartner Inc.
The mobile app for this card lets me see how many places my card is stored. But that list is not complete. After the fourth hack the phone rep said my card is stored at Airbnb, Walmart. com and Uber — three places that don’t show up in my app and that I don’t allow them to. The representative disconnects the card from the account. In the future, I will be calling to report the scam so I can request this review rather than just responding to a text or online warning. I also noticed that I can “lock” my card in the mobile app to prevent unauthorized use. Opening it when I want to charge only takes a few seconds. I wish more publishers offered this feature.
At the publisher’s suggestion, I ran antivirus and anti-malware software (my device is clean) and changed the passwords on my email account as well as my financial account, in case a thief broke in. I already have two-factor authentication, which requires a code and password to log in, on my financial and email accounts. I’ve also added it to my most used retail sites.
I also started using mobile payment systems wherever possible. These systems — which include Apple Pay, Google Pay, and Samsung Pay — create “tokens” that are sent to merchants so your credit card number is never revealed or stored. Similarly, some credit card issuers will provide you with a virtual number that you can use in place of your real account number when making purchases online.
I don’t imagine any of this will make me anti-fraud, because that’s impossible. I’m just trying to make the thieves work a little harder next time.