Credit card fraud: How can I protect myself?

Skimming, phishing, card trapping: Cyber criminals are becoming increasingly sophisticated – and anyone can fall victim to credit card fraud. Find out in this blog where the greatest dangers lurk, in which cases banks or credit institutes do not cover the financial damage, and what you should do if you fall victim to fraud.

What is credit card fraud?

Credit card fraud refers to the illegal activities of criminals or fraudsters to gain unauthorized access to money in your bank or credit card account. These include:

• the theft of credit or debit card data
• and the fraudulent use of this data to make unauthorized purchases, to withdraw money illegally, or to sell the information.

The fraud can occur online if information is stolen, but also offline if the criminals stand at transaction sites and get physical copies of the card.

Are credit card payments even secure? What would be the alternative?

There will never be absolute security in credit card payments – regardless of whether they are made physically or online. There are several alternatives: Buying on account, paying in advance, or paying through a payment service like Twint or PayPal. At the same time, the convenience of credit card payments cannot be dismissed and so it is probably best to familiarize yourself with the potential risks.

Are there major differences in security when it comes to credit card payments?

Payment services such as PayPal or Twint have the advantage that these systems are exclusively geared to payments and the providers invest a lot of time and money to make their service as secure as possible. Thus the security standard is accordingly high. By contrast, if I make a payment in a small boutique which “also” offers credit card payments, I, as the customer, must trust that the shop operator maintains their system, thus guaranteeing security. Another advantage of payment services such as PayPal that should not be underestimated is the buyer protection they offer. In the event of misuse, this means the customer then has another authority besides the credit card provider that will intervene if problems occur.

For some online shops, I also have to enter a code I receive by text message. Does that increase security?

Absolutely. Whenever possible, “two-factor authentication” should be used. This applies equally to payments and to logins. The additional identification of the user with the second component improves security considerably yet again.

Does multi-factor authentication protect me against credit card fraud?

Absolutely. Whenever possible, “two-factor authentication” should be used. This applies equally to payments and to logins, as besides your mere login data, which consists of your user name and password, a second device is generally also needed – your cell phone.

Only if the fraudsters have the login data and the cell phone in their possession can they gain access to the corresponding user account. However, the theft of hardware is much less likely than that of login data. The additional identification of the user with the second component thus improves security considerably yet again.

Can cyber criminals steal my data when I am making a payment on a website?

Yes. Unfortunately, that is possible. It can happen if the website is not https encrypted. You can see if the website has this encryption in the address line. If it is encrypted, the address will begin with https:// and there will be a little lock icon displayed on the left. If there is no encryption, the data is transferred in unencrypted form from server to server during the payment process and is thus easy to intercept and pick out.

However, even with https encryption, it is always important to keep in the back of your mind that data can also be stolen after the payment process – namely, in the form of a data leak. In this case, hackers steal entire user databases which may also have stored payment data.

For this reason, we recommend the following:

1. Choose the option “Order as a guest” instead of setting up a user account.
2. Payment by invoice is the most secure option, as no payment information is stored in potentially unsecure databases. 
   

Important: If there are indications of fraud, you should report them immediately to the customer service of the corresponding bank or card issuer.

Will the bank pay if my credit card is hacked?

That depends on the individual situation. The bank or credit institution is generally liable only for damage that occurs as the result of a culpably caused breach of contract. This is the case if, for example, obvious security issues were not remedied.

However, if the bank complied with the contract and its security mechanisms meet prevailing market standards, there is generally no obligation for it to cover the damage. In addition, financial institutions have the option of restricting their liability as part of their GTC and stipulating duties of care for customers.

You should also note: Such a breach of contract must be proven on an individual basis, which is not that easy.

When am I liable if my credit card is hacked?

Here, too, the liability depends on the individual situation. If you violate elementary duties of care while using your credit card – for example, proven use of a login on insufficiently secure devices or saving codes in a wallet – then you must bear the cost of the damage yourself.  

If such inappropriate behavior cannot be proven and there is no contractual basis for a limitation of liability, then the bank is obligated to cover the damage incurred.

Since each case must be looked at individually, we recommend obtaining legal advice.

What is the duty of care in connection with a credit card agreement?

The duty of care in credit card contracts and also for the use of e-banking is defined as the behavior required when using the card and what must be avoided. Banks can decide for themselves when there has been a violation of the duty of care and when not.

This fact is decisive since the bank can in this way transfer a large part of the risks to customers, and thus limit its own liability at the same time.  

Furthermore, practice shows that customers either do not know what duties of care have been placed upon them, or they are unaware that certain behaviors entail risks that could result in a breach of the duty of care. Cyber insurance (subsidiary coverage) offers reliable protection in such cases.

In which cases am I deemed to have violated this duty of care – and who decides what these are?

As mentioned above, banks determine themselves which duties of care apply to their customers. When a duty of care has been violated and when not thus depends on the contractual agreement in question.

Which information can be “hidden” in the small print of the GTC of credit card institutions?

A lot is possible in this regard. GTC often include more details and definitions of the abovementioned duties of care. Moreover, it is worth getting more information on your bank’s limitations of liability.

Should I immediately raise an objection if I discover irregularities on my credit card statement?

If you find suspicious or obviously fraudulent transactions on your statement, you should block the card immediately. With most providers, this can easily be done on your computer or cell phone, or via the relevant telephone hotline.

In a second step, you should contest the suspicious amounts or transactions and lodge a complaint. The corresponding forms can be found on the website of the provider, bank, or credit card company. The objection must be made in writing and signed. A call is not enough. As a rule, you have 30 days to do this. If you miss this deadline, you may in the end have to bear the loss yourself.

As a final step, you should report the Internet fraudsters to the police – in many cases, a report is required as proof for the bank or credit card company.

Is there a deadline within which I must report the damage?

Card holders often realize their data has been stolen months after the fact because they do not regularly check their statements. In many cases, it is then already too late to make a complaint about the credit card misuse. Banks and credit card providers only have to reimburse the lost money if the complaint is raised within a time period defined by the card provider.  

Conclusion

Cyber criminals continually find new ways to access your sensitive data. That’s why you should regularly get informed about the latest security measures and technologies for protecting your data.

The exclusive prevention services of AXA’s cyber insurance give you early warning about potential dangers and can therefore prevent the worst case scenario from happening. You also receive push notifications on the current risk situation regarding cyber crime and tips and information on correct behavior on the Internet.

If you become the victim of credit card fraud because you authorized the payment – i.e. you violate your duty of care – you are protected through cyber insurance.