How to physically secure your credit card


 

In this post I want to share with you the two simple steps I came up with to “harden” my credit card against theft and duplication. In a nutshell, this hardening technique works by removing all the extra information written on the credit card (signature and security code) that is not necessary for it to work and is valuable to an “attacker”. If you know another hardening technique, please leave a comment or let me know via Twitter / Google+.

Removing the security code

Your credit card's three-digit security code is located on the back of your card, as visible in the photo below:

Where the secure code is located on the credit card

Its only purpose, as far as I know, is to “prove” during an online payment that you “have” the original card, as this security code is not contained in the data stored on your card’s magnetic strip/chip. The problem with having this code in plain sight is that anyone who handles your card (waiter, cashier...) can easily copy it and then shop online with your credit card.
Before erasing it from the card, make sure you copy this code to a safe location like your password manager. BE CAREFUL where you store it, as you need it for online shopping. Erasing this code is actually harder than you might think because it is engraved in the card, so simply “blanking it” with a marker won’t be enough. So far, I have had the most success by first scratching it with a nail file and then blanking it with a heavy marker. It is not perfect, but it is very, very difficult to read after this treatment.

Replacing the signature with the mention “SEE ID”

The other part of the hardening process is to replace the signature on the back of the card with the mention “SEE ID”. As far as I can tell, the rationale behind having your signature on the back of your card (at least in the US, where they generally don’t ask for a PIN code to make a purchase) is to allow cashiers to make sure you are the true owner of the card by comparing the receipt signature with the signature on the back of the card. This approach obviously has two flaws. First, the person who stole the card has plenty of time to look at the signature and learn how to forge it. Second, the security of this approach relies on cashiers being able to detect a forged signature in the blink of an eye and under bad lighting conditions … So instead of hoping that every cashier is an expert in graphology, it is actually better to ask them to compare the name on the credit card with a valid ID by writing the mention SEE ID on the back of the card.

 

Experience so far

I have been using the hardened credit card visible on the picture below for almost two years.


During this period of time, I never had any issue with it: I was always able to pay with it no matter which store or country (US, France, Germany, Italy, Indonesia, Canada…) I used it in. The sad part of the story is that very few cashiers ever asked me for my ID, which tends to show that this whole signature idea is a fluke. The only stores that consistently ask me for my ID, no matter which one I go to, are the Apple stores (kudos to them). So will you secure your card? Let me know via the comment system or on Twitter or on Google+.

Elie Bursztein is a researcher at Google where he works on fixing Internet security and privacy problems.
  • Guest

    This sounds more like a labor of paranoia than actual sense. Writing SEE ID on your credit card is technically against the rules because the card has to be signed. That’s in the long bit of small print that most people don’t read but they agree to by using the card. Plus, businesses aren’t really allowed to ask to see your ID. That’s in their merchant agreements with Visa and Mastercard. As for hardening your card against people who would copy your credit card information, well, any site worth their salt running secure transactions also checks your address on file with the credit card company, which you have to enter as a billing address. As long as you’re not going around showing your ID to anyone who asks for it, you should be able to keep that under wraps.

    • https://elie.im Elie Bursztein

      Some people suggest actually leaving it blank so you don’t have to show your ID and don’t have your signature out.

  • Rjw

    I sign mine and apply a sticky label over the signature indicating See ID. Serves both purposes, and technically follows the rules.

  • Yaofengchen

    After having had my credit card hacked into a few times the past few years while traveling overseas, I did exactly that about four years ago, except I only scratched off the three-digit security code on the card. I haven’t had another incident since.

    In my case the thefts occurred with merchants (mostly restaurants) where the dishonest seller took my card in the payment process and copied the credit card information including the security code. He then used that information to go on a shopping spree online. As you know, the security code is not needed at a point of sale and is required only for online transactions. I would not say physically removing the security code stops credit card theft altogether. It at least stopped some, particularly the illegal transactions online.

    • https://elie.im Elie Bursztein

      Thanks for the story.
