Here are the 5 ways I bulletproof my credit cards against identity theft, and you can use them yourself very easily. As a bonus, at the end of the post I have added an experimental step to defend against the recent chip downgrading attack.
1. Don’t be an easy mark: never share a photo of your credit card on a social network
This tip might seem obvious but people still do share a photo of their credit card on social networks. The screenshot above, taken from Twitter, shows an example of what not to do. I did obfuscate the key information as the person who shared it had not. As a matter of fact, never share any photo of a document on a social network 🙂
2. Reduce the risk of online fraud by blanking the security code
The CVV code at the back of your card is only useful for online shopping, so once it is stored securely in your password manager, there is no reason not to scratch it from the card. The method that I found works best is to use a nail file to remove most of the marking and then blank what’s left with a permanent marker. The result of this process is visible in the figure above.
3. Limit the risk of fraudulent charges when your card is stolen by not signing your card.
You don’t want to disclose your signature, especially because it adds nothing in terms of security. However, you can’t leave the space blank either, because an attacker will then just sign it when they steal it. This leave us with two options, both of which have quite a few supporters:
a. Write “SEE ID” in place of the signature as visible in the screenshot of one of my cards above. This indicates that you want a store to ask you for ID instead of just doing a bogus check on the signature. This is the preferred option if you are more concerned about fraudulent charges and your card being stolen. Back when that was my favorite method, the Apple Store always asked me for my ID when I had a card with “SEE ID,” which shows it sometime works.
b. Blanking the signature field with a black marker is the other option, as visible in the screenshot above. This option will be appealing to privacy-conscious people who would rather avoid showing their ID in a store. This more privacy-preserving approach has the drawback of not mitigating the risk of fraudulent charges when the card is stolen. This is the approach I personally moved to recently.
4. Prevent remote reading by using a RFID blocking sleeve or wallet
If you have a recent card, the chances are it is contactless, which might leave you open to remote attacks and privacy leaks. For example, as visible in the screenshot above, using a dedicated Android app, I was easily able to use a remote NFC reader to extract my credit card number, its expiration date and the log of the last 10 transactions. Testing with various cards, it seems that the last transactions are not always reported, in particular in european cards. Researchers have shown that it is possible to read this information from the (short) distance of 45 cm, so protecting against remote reading is important.
To see if your card supports contactless reading, look for the wave symbol like the one highlighted in the screenshot above. Note that the contactless symbol could appears in another part of the credit card like the top right corner.
Fortunately, it is fairly easy to defend against this type of threat by carrying your credit cards in sleeves that block remote reading. I used a few different sleeves until I settled for the one depicted in the screenshot above which is thin, fairly durable, and cheap. You can get 8 of those RFID/NFC blocking sleeves for $10 on Amazon.
Alternatively you can also resort to using a wallet that protects all your cards, your ID and your passport all at once. I personally use one from Ogon, visible in the screenshot above, but there are many other brands that I am sure work fine.
5. Defend against dumpster attacks by shredding your old card and PIN letter
The chances are you will receive a new card while the old one is still valid. Make sure you shred the old card as the card number will be the same. Similarly, shred the letter that came with your new card and the letter with your PIN—though be sure to store it beforehand in your password manager!
If you don’t have a shredder, then I recommend buying one which does micro-cut shredding, as visible in the screenshot above. They make it very hard to reconstruct documents and are not much more expensive. Additionally, with micro-cutting you can’t shred documents in the wrong direction, which leaves them open to reconstruction, like in the Enron case.
At home I use the cheapest one from Amazon, which has worked flawlessly so far. As visible in the screenshot above the resulting micro-cuts are what you expect from a micro-cut shredder. Overall a shredder is a good investment as you should shred all bank statements, insurance letters, bills and other sensitive papers to avoid dumpster-diving attacks. It is also a great gift next time you don’t know what to offer for a birthday 🙂
[Experimental] Prevent a downgrade attack by demagnetizing the strip
In 2015, Sami Kamkar demoed how you can modify the magnetic strip of a card to trick a reader into believing that the card doesn’t have a chip, which, therefore, makes it open to cloning. For more information, read the security issues part of his blog post. The only way to prevent this type of attack is to demagnetize the strip.
This is a risky modification, especially in the US, because some retailers don’t accept cards with a chip. As a matter of fact, while in the US all retailers were supposed to be able to read cards with chips by 2015, only 37% accept them as of February 2016. That being said, things are getting better and I am considering doing this for a few of my cards to reduce my exposure. However, this is very risky, so only do it if you have a backup plan and do so at your own risk 🙂
Make sure to share this post so your friends and family can learn how to protect their credit cards too. Let me know via your favorite social network if you did blank out or wrote “SEE ID” in the signature space on your card and which sleeve you are using.