Most leading credit card companies offer similar advice for online security – that you should secure devices used for online transactions, use unique, complex passwords for each online account, reduce your susceptibility to phishing, and set up alerts for certain types of transactions.
Credit card companies have a vested interest in providing advice for online security. Under the Fair Credit Billing Act and Electronic Fund Transfer Act, consumer losses are limited to $50 in the event of theft or fraud (subject to conditions) with credit card companies liable for the rest. However, these loss limitations should not be seen as a reason to ignore online security.
Credit card companies are in business to make a profit, so any losses attributable to theft or fraud are clawed back through higher interest payments and service fees. Consequently, it is in everyone’s best interests to follow credit card company advice for online security – notwithstanding that if you lose $50 often enough, it quickly adds up to a substantial amount!
What is the Advice for Online Security?
The advice for online security consists of a series of best practices generally broken down into four categories – securing devices, password management, phishing awareness, and transaction alerts. While the advice specifically applies to online credit and debit card transactions, it could equally be applied to most types of online transactions for both individual and business consumers.
Surprisingly, none of the credit card companies advocate the use of PIN locks on devices used to conduct online transactions. This may be because most modern devices apply this security measure by default; but, if you don’t currently use the PIN lock feature, it is recommended you activate it (or a biometric equivalent) to prevent unauthorized access when your device is left unattended.
However, all credit card companies recommend keeping antivirus and firewall software up-to-date, with some (notably Chase) warning customers not to take advantage of free software, but rather to invest in security measures that offer better-than-basic protection. Visa also advocates protecting online accounts by using two-factor authentication whenever possible.
Mastercard defers to the Cyber Readiness Institute for advice on password management – which notes that 63% of data breaches are attributable to weak or stolen passwords. The Institute suggests using harder-to-crack passphrases and two-factor authentication to protect online accounts – advice that is easier to follow if you use a cross-platform password manager such as Bitwarden.
Chase, Visa, and Citi also highlight the importance of using unique passwords that do not include information such as your name or your pet’s name that hackers could easily find on social media sites. All three companies advocate changing passwords frequently, while Amex advises that you should consider changing passwords after you have finished shopping with an online retailer.
Phishing attacks are deployed in a variety of ways and are constructed to exploit consumers’ fear, greed, curiosity, or helpfulness. Phishing attacks usually also contain an element of urgency intended to prompt an immediate interaction; and while it is hard to ignore an email asking you to click on a link to address an account issue, it is always better to log in to the service on the verified domain (website). If there is a security issue, you will be alerted when you log in. Alternatively, verify the legitimacy of the request using verified contact information – not the contact information included in the email or text message.
The Visa website hosts an excellent phishing awareness webpage with advice for online security that goes beyond email phishing scams to include text message phishing, phone phishing, and website phishing. The webpage explains the most common techniques used by scammers to deploy phishing attacks, how you can recognize a phish, and how you should report it.
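The advice to log in only on the verified domain can be made concrete with a check of where a link in a message really points. The following is an added example, not taken from the credit card companies' guidance; `bank.example` and every URL in the test data are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the domain you normally type or have bookmarked (constructed placeholder).
VERIFIED_DOMAINS = {"bank.example"}


def link_verdict(url, verified=VERIFIED_DOMAINS):
    """Return (ok, reason) for a link found in an email or text message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is lowercased, port and userinfo removed
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host in link"
    if parts.username is not None:
        # Text before '@' is login info, not the site: the real host comes after it.
        return False, "userinfo before '@' hides the real host " + host
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label, possible lookalike characters"
    for domain in verified:
        # Exact match, or a subdomain separated by a dot. A bare suffix match
        # would wrongly accept 'mybank.example' for 'bank.example'.
        if host == domain or host.endswith("." + domain):
            return True, "host is on verified domain " + domain
    return False, "host " + host + " is not on a verified domain"


# Constructed sample links, as they might appear in a message.
SAMPLE_LINKS = [
    "https://www.bank.example/login",
    "https://bank.example.account-check.example/login",
    "https://bank.example@203.0.113.5/login",
    "https://mybank.example/login",
    "http://www.bank.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = link_verdict(link)
        print("OK  " if ok else "STOP", link, "->", reason)
```

Only the first sample link passes. The others place the familiar name somewhere other than the end of the host name, or drop HTTPS.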
Most credit card companies now provide apps that generate a notification whenever a transaction occurs on your account. It is also possible for people with older mobile devices to set up SMS alerts. While these are good solutions for individual consumers, businesses with a large volume of online transactions can become accustomed to frequent notifications and experience alert fatigue.
To prevent notifications from being overlooked due to alert fatigue, some credit card companies now provide a customizable service that only sends notifications for certain types of transactions – for example, if your credit card is not present at the time of the transaction, if a transaction exceeds a pre-set amount, or if a transaction is processed outside the country where the user resides.
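The three conditions named above (card not present, amount over a pre-set limit, transaction outside the home country) can be modelled as a small alert policy to show how much notification volume they remove. This is an added example, not any card issuer's actual service or API; the field names, the 500.00 limit and the transactions are constructed.

```python
from dataclasses import dataclass


@dataclass
class Txn:
    merchant: str
    amount: float
    country: str        # country where the transaction was processed
    card_present: bool  # False for online or phone orders


@dataclass
class AlertPolicy:
    home_country: str
    amount_limit: float
    alert_card_not_present: bool = True

    def reasons(self, t):
        """Return the list of rules this transaction trips (empty = no alert)."""
        out = []
        if self.alert_card_not_present and not t.card_present:
            out.append("card not present")
        if t.amount > self.amount_limit:
            out.append("over limit")
        if t.country != self.home_country:
            out.append("outside home country")
        return out


def triage(txns, policy):
    """Keep only the transactions that should generate a notification."""
    return [(t, r) for t in txns if (r := policy.reasons(t))]


# Constructed sample statement for a cardholder resident in the US.
SAMPLE = [
    Txn("Coffee shop", 4.50, "US", True),
    Txn("Grocery", 62.10, "US", True),
    Txn("Fuel", 48.00, "US", True),
    Txn("Online electronics", 899.00, "US", False),
    Txn("Hotel", 310.00, "FR", True),
    Txn("Office supplies", 129.99, "US", True),
]

if __name__ == "__main__":
    alerts = triage(SAMPLE, AlertPolicy(home_country="US", amount_limit=500.00))
    print(f"{len(alerts)} of {len(SAMPLE)} transactions alert")
    for t, why in alerts:
        print(f"  {t.merchant}: {', '.join(why)}")
```

With this policy two of the six sample transactions produce a notification, compared with six under notify-on-everything.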
How to Easily Follow the Advice for Online Security
The credit card companies’ advice for online security can be easily followed by implementing just a few changes to the devices you use for online transactions, how you protect online accounts, how you react to unsolicited messages, and what notifications you set up to alert you to potential theft and fraud. To summarize:
- Activate time-controlled PIN lock controls or the biometric equivalent on all devices.
- Protect devices with fully-featured and self-updating firewalls and antivirus software.
- Use complex passwords for each account and manage them with a password manager.
- Enable two-factor authentication wherever possible to add an extra layer of security.
- Learn the triggers used by scammers to prompt an urgent reaction to phishing scams.
- Ensure customized notifications are set up on your accounts to alert you to unusual activity.