Key Post How to keep your credit and debit cards secure

Freelance

Some time back @Brendan Burgess asked me to extract a Top 5 Tips from the points in post #2, to save people having to read the whole lot. I'm not certain that this is a great idea, but the following might be helpful. Oh, and it's 7 points rather than 5!

Use a card which offers instant notifications for all transactions. This way you are aware of any transaction as soon as it occurs, enabling you to investigate or take action if required. For example, I receive an immediate notice to my phone and watch for all transactions (card and other) on my N26 account. I am aware that Revolut offer something similar. The notifications show the amount of the transaction, and the name of the party involved. This is particularly reassuring when travelling. Certain Irish banks offer a basic version of this, but to date it appears to be inconsistent, incomplete and unreliable.

Check your accounts daily, every day
Pick a time of day (before getting out of bed, over or after breakfast/lunch, sitting down after dinner, before bed) and make a habit of checking your accounts at this time daily. Query any transaction you didn’t initiate/expect. Block your card/account if in doubt. This may sound like overkill, but it is good practice and should only take a couple of mins.

Freeze or Lock unused or infrequently used cards
Many of us have more cards than we need. Some are necessary or desirable for backup or occasional use. Consider culling these. If this isn’t possible, freeze or disable the cards, and reactivate them only when required. Many card providers allow this to be done using online self-service options.

Configure Cards/Accounts appropriately
Many card providers now have online facilities to set daily/monthly limits, ATM withdrawal limits, transaction limits, and to restrict certain types of use such as overseas, online, gambling, etc. Explore the facilities that your card provider/s offer and use them.

Use One Time Cards
Some providers offer one time virtual cards which give you a single use card number. This can be very useful for online purchases where you are dealing with an unknown third party.

PIN/Passcode
Use different PIN/Passcodes for each card/account. Change them annually, at least.

3rd Party Communications
Treat all communications (SMS, phone, e-mail) as suspicious. Never ever give out identity or security information in response to a call or email you receive. Never ever give out your full PIN number or full password and never ever give out a One Time Code (OTC).
 
Would someone like to write a Key Post on the following

Steps you can take to keep your credit and debit cards secure
Brendan I've taken a stab at this. I've left it deliberately rough as I would welcome any feedback and suggestions and will edit it accordingly. Also, if anybody wanted to take it over and give it a thorough edit I have no problem passing it on.

The Basics - Your Card/s
  • Keep the number of cards you have to the minimum that works for you (perhaps one live and one for backup, or one debit card and one credit card, or one fintech and one "bricks and mortar") and cancel and destroy any others
  • If using a debit card, consider having it attached to an account that is used exclusively for that purpose and keep the balance on this account as low as possible (i.e. top it up weekly or in advance of card use)
  • If you change your phone no, address etc ensure that your bank is notified so they can contact you if there is suspicious activity on your card/account
  • Switch on any transaction notifications that your bank/app allows (e.g. N26 and Revolut send instant notification of all transactions to your phone/watch)
  • Familiarise yourself with the safety features that your bank/app has and use these frequently e.g. limits on transactions, limit types of transactions, suspend or freeze card when not in use etc
  • Make a habit of looking at your online transaction history at a set time daily (first thing when you wake or at breakfast, when you arrive at work, at lunchtime, before/after dinner, before bed)
  • Never ignore a small or trivial unrecognised transaction that appears on your account, these are often a test and will be followed hours/days later with a large transaction
  • Consider using a digital wallet (ApplePay or Google Pay). These can offer added protection as they don’t provide your credit card information to the merchant, instead they send a token code
  • When using your card to pay in a restaurant etc, never part with your card, go to the payment terminal or have it brought to you
  • When using your cards in public, look around before use, and shield the keypad before entering your pin or passcode
  • When giving your card details over the phone, choose your location carefully and look around you before doing so
  • Keep a record of all cards in a secure location at home, and keep your bank/s emergency phone numbers in your phone
The Basics - Your Devices
  • Keep your phone/computer software up to date. This includes the operating system, all apps and any security, anti-virus and anti-malware software
  • Switch on the highest level of security/authentication available on your phone, in particular; encrypt your phone, use facial or other biometric recognition and if only using passcodes change these from time to time
  • Switch on any in-app security available for banking and payment apps
  • When you are finished with a device that has been used for financial transactions, ensure that (1) the device is wiped prior to disposal and (2) that it is de-registered by the financial institutions and/or their applications
Online Purchases
  • Consider having a separate card for online use only
  • If available to you, use one-time cards
  • Consider using PayPal
  • If using a credit card ensure that it's one with a low credit limit, and in the case of a debit card ensure that the balance in the account is kept low
  • Avoid using your cards when on unsecured connections (e.g. free WiFi). If you must use your card online when in an airport for example, turn off WiFi and use your 4G connection for the duration of the transaction
  • Avoid using your card on devices that you don't own/use exclusively and never use your cards on a shared/public computer/device
  • Know the retailer that you are buying from and go directly to their website (i.e. enter www.retailers-name.com in your browser to initiate the transaction, do not click on a link supplied in an email or message)
  • Check that the url begins with https:// at all times during the transaction, and in particular on the "checkout page" when entering your credit card details even if you checked it previously
  • Be particularly careful if using an unknown retailer
Foreign/Overseas Use
  • Block all foreign currency and overseas use, and switch these on only when needed (e.g. when travelling) and off again afterwards. Use a diary to remind you to turn them off on arrival home
  • Some Banks/Apps allow you to specify the countries/currencies that are active, use this facility if it is available
Other Considerations
  • The so called Fintechs such as Revolut operate online only businesses which tend to have lots of convenient and innovative features, however they can be very difficult to deal with when issues arise as it is impossible to meet them face to face and often difficult to make useful phone contact, whereas you can always walk into a branch of one of the traditional banks and discuss your problem
  • There is a perennial argument as to whether it is better to use a credit card with a low limit or a debit card with a low balance in your account. Each of these has its merits/demerits. Either can be made to work. Educate yourself and make the decision that is best for you.
  • Free banking comes at a price. Putting all your money into one Fintech account can simplify life and can save you the cost of account maintenance and transaction charges, but you get what you pay for and when things go wrong resolving problems can be very difficult
Examples of how to organise yourself and your cards
  • Have your salary paid into a bricks and mortar bank, pay your mortgage, utilities and other large transactions from this account, and have a debit card associated with this for limited use (e.g. occasional large in-person purchases). Use a Revolut debit card for all other chip and pin, contactless, online transactions. Keep the balance in the Revolut account to the minimum necessary and top it up frequently "as required"
  • Have your salary paid into a bricks and mortar bank, pay your mortgage and other large transactions from this account, and have a debit card associated with this for limited use (e.g. occasional large in-person purchases). Use a credit card for all other chip and pin, contactless, online transactions and pay this off monthly by DD. Keep the credit limit on the credit card to the minimum
  • Use an N26 debit card for overseas transactions when traveling (no transaction charges, no commission, very good exchange rates (same as xe.com) and instant transaction notification). Drain the account the moment you deplane and switch it off until your next trip
 
@Freelance I think that’s excellent!

Perhaps warn people that it is a belt and braces approach. If your digital hygiene is perfect, then it shouldn’t matter if you have one card or 10 for example.

On specific points.
Consider using PayPal
Personally, I would avoid it. The security features are good, but as a product it’s not user-friendly and my customer experience was not good with them when I had a problem.

Avoid using your cards when on unsecured connections (e.g. free WiFi). If you must use your card online when in an airport for example, turn off WiFi and use your 4G connection for the duration of the transaction
I am open to correction on this, but to my knowledge the encryption protocols from device to your bank are now super strong. I’ve used online banking on dozens of Wi-Fi networks over the years and never had a problem. I think the risk is so close to zero here as to be negligible.

I would perhaps also add something on the need for caution when using social media or messaging apps. Scammers increasingly take over accounts and exploit the connections within the network. If someone gets in touch with you looking for any kind of financial assistance seek to speak to them in person.

Finally, share your IBAN not more than strictly necessary. I won’t disclose scammers’ techniques, but there is a risk of fraud when someone has your name and IBAN.
 
Brilliant job @Freelance

I would add that you should never give your card details over the phone or by email.

I was checking in at a hotel not long ago and a member of staff was taking payment over the phone. Instead of taking secure payment, she just wrote the full 16-digit card number, expiry date, and CVV code in a book which I could see was full of previous customer card payment details!!!
 
Excellent ideas above folks - I have learned a lot - thank you. One further suggestion - switch off any automatic top-up from your bank to Revolut etc.
 
Thanks @Freelance - great work!

I am open to correction on this, but to my knowledge the encryption protocols from device to your bank are now super strong. I’ve used online banking on dozens of Wi-Fi networks over the years and never had a problem. I think the risk is so close to zero here as to be negligible.
@Dr Strangelove - you are incorrect to trust public wi-fi - it's very high risk for anything important like payments, and Freelance's comment is correct.
See here for example:
https://www.aura.com/learn/dangers-of-public-wi-fi
 
If you must use public wifi then I would suggest setting up a VPN on your phone. Either a privately hosted one on your home router (this often needs technical know-how and is a niche solution for most) or a reputable paid VPN provider. In most countries it would be safe to just use your mobile data instead when making payments or checking balances, but I guess in some countries even the telcos can't be trusted to run a secure operation. I would probably not really trust the local telco in x, y or z country and would enable my VPN.
 
How did you figure out that this was how they skimmed you?
It was a brand new card, never used. Brought it with me to France. I contacted the Ulster Bank and they suggested that this is what happened. They could offer no other explanation.
 
you are incorrect to trust public wi-fi - it's very high risk for anything important like payments,
Thanks.

I do 90% of business via the mobile app, either 4G, home WiFi with VPN or occasionally public WiFi but I’ll put a stop to the latter. In any case my understanding was that encryption via app was better than via browser.

I log in via browser occasionally either from work PC or home PC both VPN.

Would you say my habits are low risk once I stop using public WiFi?
 
A word of warning about VPNs. Not all VPNs are equal. A properly managed and secured VPN with up to date security brings benefits, but is expensive to operate and this has to be paid for. A VPN is worse than useless if the owner isn’t fully on their game or worse turns out to be a bad actor. The following are a couple of comments from a Microsoft article on using VPNs:

Just how secure is a VPN?

A VPN may boast strong protocols and military-grade encryption, but that doesn't mean it's infallible. It can't prevent cookie tracking, viruses, or malware, and it can't protect against phishing scams. Data leaks could occur. But most pivotally, a VPN is only as secure as the company that runs it. A VPN provider that uses out-of-date protocols, leaks IPs, and logs your data isn't one you can trust. No VPN can guarantee absolute security, though choosing a reliable one—and being proactive with securing your systems—can bring a world of difference.

Are free VPNs safe?

It's best to go with a premium service. To pay for the costs of running a service, a free VPN provider may limit your usage, skimp on features, or even access and sell your data to third-party advertisers. Even free VPNs come at a price.
In general, if using a VPN I would avoid free VPNs and only use a reputable premium service.
 
@Freelance

Would it be useful to add a post to this thread on "How to avoid being scammed on Revolut?"

@thedaddyman tells people not to use public wifi for banking transactions.


Does that need to be incorporated?

What is "public wifi"? Is it all wifi outside your home?

The initial post is very comprehensive. Most people won't read it. I wonder would it be worth "Top 5 mistakes people make which result in them being scammed" . I can edit it so that it appears at the top.

Brendan
 
Excellent advice OP - Well done
Some of these might be worth considering on the Devices Section:

Add a PIN to your SIM card (as well as phone security) and do not disable.
If someone steals your device and you have the device securely locked down with face ID etc, they can remove your SIM from your phone, and put it in another unlocked phone. If you have no SIM PIN, they can then receive all six-digit codes, make calls pretending to be you etc.

Add some security to your email app (fingerprint, face ID etc)
If someone gets past your phone security, you have another level of security before they can get reset password emails etc.

Add some security to your chosen Authenticator app (fingerprint, face ID etc)
As above another level of security, before they get six digit codes for 2FA logins or new app setup on their own device

Delete all saved passwords from your browser, and do not enable saving them for banking apps, email app, etc to prevent unauthorized logins
 
Delete all saved passwords from your browser, and do not enable saving them for banking apps, email app, etc to prevent unauthorized logins
Great work guys, thanks.

As of the last release of their OSes on various devices, (Mac, iPad, iPhone, etc) Apple now includes a new password-protected app called Passwords, that can store encrypted passwords and passkeys. This is an alternative to storing passwords multiple times for each of the browsers you use or entrusting your security information to a 3rd-party product.

Apple Passwords App

MODS: If this is unhelpful or confusing the thread, please delete
 
There is a good series on BBC Radio 4 about scams.


“Many banks allow you to get your PIN from your banking app. If someone steals your bank card and your phone, they can load your card onto the banking app on their phone.

“Your bank sends a one-time pass code to your phone which is in their hand.

“They put that code into their phone, open the app on their phone to let them see your PIN.”

Shari gives tips on how to prevent this scam, saying: “If your phone allows it, get into your settings and turn off the ability to see messages when they ping up on your phone without unlocking it first.”

“Do not keep your bank card next to your phone, the theft of the two together gives criminals a way in.”


I would have my wallet with my bank card and my phone with me most of the time. But maybe I should just use my phone.
 
“Many banks allow you to get your PIN from your banking app.
But there should be security to prevent just anyone from logging into your banking app even if they nick your phone. And the phone should ideally be locked by default too and require unlocking via the SIM PIN, phone PIN, fingerprint, face unlock, etc.
 
They said they could not go into details but the key point is that you should not have codes appearing on a locked phone.
 
I would have my wallet with my bank card and my phone with me most of the time. But maybe I should just use my phone.
My cards rarely leave the house. My debit card is linked to my phone via Apple Pay which is all my day to day spending. Bringing a debit card around is just one more thing to lose.

I don’t bring my credit card unless I’m making a big purchase in store.


They said they could not go into details but the key point is that you should not have codes appearing on a locked phone.
On iPhone you can set up FaceID to get into certain apps. I’ve set it up for all money and messaging apps. Means even if I’m shoulder surfed and phone stolen hacking is very hard.
 