What to do when asked for your credit card number by phone or email

New security technology is taking hold, but being vigilant goes a long way in staving off identity theft


Recently, I was booking a hotel reservation for a family member and in the process was asked to provide certain information. It was a simple third-party credit card authorization. What could possibly go wrong?


Adam Levin, chairman and co-founder of Credit.com and CyberScout (formerly IDT911)

Beyond the fact that I am professionally paranoid—I wrote a book about it—there are so many ways for your information to wind up in the wrong hands, especially your credit card information. When we provide our credit card information via remote means, we are often made more vulnerable to identity theft by the authentication process itself.

There is no best way to conduct this sort of business remotely without putting ourselves in danger of becoming victims of identity theft, but there are better and worse ones. These days, it’s more expedient to focus on the very few ways sensitive information can be made available to third parties without creating unnecessary exposure.

A better way?

If you are unfazed about sending your information via electronic means, consider something similar: paying for a meal with a credit card. We expose our data and send it on a journey every time we pay a bill at a restaurant.

I saw my first portable credit card reader on American soil the other day when paying the bill at a new restaurant. First, I want to say that the lunch was excellent, and I would have gone back even if the waiter hadn’t trotted out that marvelous handheld identity theft reduction device. I am scam-obsessed, and have long envied our friends on the other side of the Atlantic—and locations in other directions as well—for the ubiquity of at-table card payment.

The reason those machines are great is simple: The server has no opportunity to write down or photograph your card information.

Let that sink in … It’s unsettling now that you think about it, right? All those times a server has walked away with your credit card, what stopped him or her from snapping a quick pic of the front and back before returning to your table?

That card reader is new technology. The service industry is finally (belatedly) getting hip to the challenge of protecting consumers from identity theft and other scams, but what should you do while it’s still in catch-up mode?

How to send your stuff

The form that was emailed to me by the hotel made the threat of a sneaky waiter snapping pics of my credit card seem like amateur hour.

Obviously, the reservations department asked for my credit card number and expiration date. They also wanted my billing address, work and home phone numbers, email address and signature. Then there was the outline of a box, under which were the words: “Copy front of the credit card” and “Copy of ID.”

Now, I’ve already confessed to being someone who looks for the angle crooks will try to use. The idea of sending, in addition to all the other information requested, an image of a valid form of identification—in my case, my driver’s license—was truly unthinkable. I’d sooner have my Social Security number puffed out by a skywriter over the House that Ruth Built during a Yankees-Red Sox playoff game. (Not convinced? Read up on the surprising ways identity theft can hurt you.)

The form gave me the option of sending my cornucopia of sensitive personal information via email or by way of fax. Which is the better choice?

Hackers are really good at what they do

Phone calls and faxes conducted over phone lines can be rerouted, and emails can be intercepted. Phone calls also can be listened to, and therein lies another problem. When you call a service provider—any kind that costs a set amount every month—there will come a time during the call when you will have to provide your Social Security number so that the company can run a credit check. A service rep is going to ask you for it—the whole thing.

Remember the waiter? Same problem.

Absolutely nothing can stop that person from writing down your information. And before you ask why you can’t input the information on your keypad, remember: Phone calls are not secure, and the tones can be intercepted. Encryption is both complex and costly. This is why the federal government has been investigating the possibility of a universal identifier. But in the meantime, those credit checks or authentications pose the same, if not greater, peril as your credit card’s journey at most restaurants.

Old is new, but not fail-safe

As counterintuitive as it seems, using the fax in this scenario is the safer path, though it is not completely safe given the possibility of data interception.

Pro tip: Call before sending a fax that contains personally identifiable information or anything else meant for as few eyes as necessary, and ask the person on the phone if they are near the fax machine or, if not, whether they can be. Call again to make sure the transmission has been retrieved and isn’t just sitting in a tray waiting for a scam artist to come sauntering by with a smartphone and a shopping list of things they want to purchase using your information.

While we await better solutions, you are the ultimate guardian of your personal information, and your vigilance, given the myriad threats out there, will lead the way for change. In the meantime, get in the habit of monitoring your finances for any sign of mischief. You can view two of your credit scores, with helpful updates every 14 days, for free on Credit.com.

Full disclosure: CyberScout sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.
