/stories/2019/07/think-before-you-swipe

Think before you swipe

By Janette Neuwahl Tannen

Think before you swipe

By Janette Neuwahl Tannen
Recent credit card and credit bureau data breaches emphasize the need to protect yourself against cybercriminals.

Just a few months ago, University of Miami Professor Dilip Sarkar was at the airport ready to board an airplane for a vacation in Brazil when he got a text message alert on his phone. Someone was using his credit card to buy Taco Bell for lunch.

“Since I had the text alert I knew it was not me,” said Sarkar, who teaches computer science courses in the College of Arts and Sciences. “The card was canceled and no damage was done.”

Luckily for Sarkar, who has studied cybersecurity for four years, he knew exactly how to minimize the damage and called his credit card company right away. But for many people whose financial information is filched by cybercriminals, they are left feeling helpless and anxious about who has their private information. 

Associate Professor Dilip Sarkar
Associate Professor Dilip Sarkar

CapitalOne is just the latest company under scrutiny, as it announced this week that personal data of more than 106 million people who applied for the company’s credit cards was compromised. The cyber thief: a Seattle woman named Paige Thompson who was caught by bragging about her loot through social media posts.

Yet, at a time when credit cards are used for most of our purchases, UM cybersecurity experts say no one is able to avoid falling victim to a data breach.

“People will get hacked, it is a matter of when, not a matter of if and that’s how you should approach [data] security,” said Tarek Sayed, a cybersecurity and privacy lecturer in the University of Miami School of Law and the Miami Business School. “If you assume you’re 100 percent secure, that’s probably a careless assumption.”

So how exactly do hackers get a hold of people’s credit card information?

In the case of CapitalOne, Thompson worked at Amazon Web Services, which provided a server, or a type of storage space, for CapitalOne’s credit card application information. Since all of the information was not encrypted — encryption is a process where each customer’s personal information is turned into unintelligible code — Thompson was able to download the personal information of millions of people from her office for distribution and misuse, Sarkar said.

The responsibility of keeping personal data secure lies with consumers and the organizations they entrust with their personal information, Sayed said.

However, the growing number of data breaches highlights some industrywide security gaps that must be addressed, Sarkar added. First is the issue that credit card companies often keep all of a person’s information in one place. Therefore, even though your social security number and date of birth are not needed to make a purchase, this information may be kept with your transaction history, so if your credit card information gets into the wrong hands, so does your personal privacy.

“They don’t have to keep all that information in one place, but they keep everything on one server and that’s a problem,” Sarkar said.

Also, if businesses encrypted even more data it could help thwart hackers, said Sayed.

Tarek Sayed
Lecturer Tarek Sayed

“Organizations in today’s environment must make sure they are protecting consumers’ data with the highest level of encryption possible and that they constantly review security measures because things are constantly changing,” Sayed added.

Another thing to be aware of is that companies like CapitalOne, Equifax, Target and others who have suffered massive data breaches often do not publicly announce the problem until after it was discovered. In the meantime, cybercriminals could be selling the data, so the lag time opens people up to more harm.

“They delay the relaying of information and do it in phases to control the damage. I think it’s dishonest but that’s the way it is,” Sarkar said.

Still, UM cybersecurity experts say there are several things everyone can do to protect themselves from credit card fraud:

  • Monitor your credit card transactions as much as you can. Set up email or text message alerts for every transaction, so you will know as soon as another person uses your credit card information.
  • If you can avoid handing over your credit card to another person, do it.
  • Change your passwords and login information for credit cards often, and use strong passwords that are not easily guessed.
  • Try to use credit cards instead of debit cards for transactions. Credit cards have more purchase protections, whereas debit cards lead straight to your bank account.
  • Whenever you have to swipe your card (often at gas stations or ATMs), look out for credit card skimmers, which are removable plastic overlays that use magnetic tape readers to steal your card's information. If there is a skimmer, do not swipe your card.
  • Sign up for a credit monitoring service, so you can find out quickly if someone has tried to open a new card in your name.
  • Most new credit cards come with a data sharing agreement, where customers can opt out from the data being shared by the credit card companies to third party affiliates. This is an important way to maintain data privacy.
    Lokesh Rammamoorthi
    Lecturer Lokesh Ramamoorthi

If you suspect that your credit card information has been compromised, Sarkar says call and ask for a freeze on your credit. Then, nobody can use your information to open a new account, or get a different credit card.

“As a customer, there’s no way we can avoid this in the future because our data is owned [by these credit card companies] and unfortunately we don’t have direct control over where they store it,” said cybersecurity lecturer Lokesh Ramamoorthi, who teaches in the College of Engineering. “At least we can control what happens to us immediately after a breach by being proactive.”