Finally, the thief went too far and charged over $300 in a single month. I contacted Apple and discovered our card had been used to purchase dating apps and virtual phone numbers, which were likely being used to scam other people. The electronic receipts for these purchases were sent to an email address I didn’t recognize.
A NEW CARD DIDN’T STOP THE FRAUD
The kicker: The thief was using a credit card number that had already been reported as compromised. Normally, credit card issuers will deny new charges on a compromised number. But according to the card issuer, the thief started their crime spree during the few days that my replacement card was in the mail. Since we already made regular purchases at Apple.com, the card issuer assumed the charges using the old card were legit and allowed them to go through “as a courtesy” — month after month. (I was assured that this sequence of events “is extremely rare and hardly ever happens.”)
An Apple customer service representative deleted the most recent month’s charges and the issuer removed the rest — even those well past the 60-day mark.
My takeaways: Sites where you make multiple purchases each month need to be monitored carefully for bogus transactions. Compare what your credit card statement says you’ve charged with your purchase history on the site. You may have to search online for how to find that history; Apple certainly doesn’t make it easy or intuitive to find your charges. And if you find fraud, report it — even if it’s beyond the 60-day deadline.
MAKE FRAUDSTERS WORK HARDER
It’s still not clear why my other card was repeatedly compromised. I’d no sooner get a replacement card than I would receive a text from the issuer asking about another suspicious transaction.
I removed the card from the browsers and websites where it had been stored. We may like the convenience of not having to type in our credit card numbers, but every place we store our cards is another place where they can be stolen, says security expert Avivah Litan, a distinguished vice president analyst with research firm Gartner Inc.
The mobile app for this card allowed me to see many of the places where my card was saved. But the list wasn’t complete. After the fourth hack, a phone rep said my card was stored at Airbnb, Walmart.com and Uber — three places that didn’t show up in my app and that I hadn’t authorized. The rep disconnected the card from those accounts. In the future, I’ll call in to report fraud so I can ask for this review rather than merely responding to a text warning or going online. I also learned that I could “lock” my card in the mobile app to prevent unauthorized use. Unlocking it when I want to make a charge just takes a few seconds. I wish more issuers offered this feature.
At the issuer’s suggestion, I ran antivirus and anti-malware software (my devices were clean) and changed the passwords on my email accounts as well as my financial accounts, in case a thief had broken into those. I already had two-factor authentication, which requires a code and a password to sign in, on my financial and email accounts. I added it to my most-used retail sites as well.
I’ve also started using a mobile payment system wherever possible. These systems — which include Apple Pay, Google Pay and Samsung Pay — create a “token” that’s transmitted to merchants so that your credit card number is never exposed or stored. Similarly, some credit card issuers will provide virtual numbers that you can use instead of your real account number when making purchases online.
I don’t imagine all this will make me fraud-proof, because that’s impossible. I’m just trying to make the thieves work a little harder next time.
NerdWallet: How to prevent credit card fraud https://bit.ly/nerdwallet-protect-against-credit-card-fraud
Liz Weston is a columnist at NerdWallet, a certified financial planner and author of “Your Credit Score.” Email: email@example.com. Twitter: @lizweston.