@lucasmz-dev
Last active August 11, 2025 03:24
Hardening a credit card

When I get a new credit (or debit) card from a bank, I like to do a few things to strengthen its security. None of it ends up breaking my use cases or anything, but it could do so for you. So beware.

Pre-requisites

  1. Never use your physical card for online purchases or any other form of purchase that uses its details. If you've done so, even for Google Pay, get a new one.
  2. This guide assumes the card is brand new, as some steps depend on certain details never having been revealed. You can follow it anyway, but beware.
  3. Credit cards overall are not great at security. For example, you cannot confirm the value of a purchase before making it.

Step 1: Wiping the mag stripe

The mag stripe is a legacy authentication method on your credit card. It contains static data that allows a payment terminal to approve a purchase in your name.

Because we're talking about static data, a single purchase reveals the authentication data needed to make any number of purchases.

You can use a magnet to erase this magnetic data. Afterwards, it should be unrecoverable and unusable.

Once you do this, it becomes pretty much 'impossible' to physically clone the credit card.

You can watch a video about this here: https://www.youtube.com/watch?v=OU4VoE15wIw

Warning

Doing this will make it impossible to swipe your card to pay. It is also worth noting that many terminals/processors already have mitigations that disallow swiping when a chip is available on the card.

Step 2: Hiding the CVC

The CVC is mainly used for digital purchases, which we have already defined as something we don't want to do with our physical card.

To decrease the attack surface, you can either wipe it off, which can be hard, or, more easily, just cover it with a few layers of duct tape.

Tip

You can also hide your credit card number, expiry date and other such data. They aren't as important for authentication, but hiding them may provide some privacy, for example if a camera is trying to record the card. Note that the payment terminal will always know these details.

Warning

This number may be used for authentication by your bank! A good idea is to keep your true numbers in your password manager so you don't get locked out.

Step 3: Use virtual cards

Virtual cards give you a few nice and significant benefits:

  1. In the case of a security breach, you know which entity is responsible for your credit card data.
  2. You can revoke it without needing to go and replace the card at every provider.
  3. You can usually make single-use cards, so that a single purchase does not give away authentication data usable for other purchases.

Note

Your bank or virtual card provider may offer even more sandbox security features, like limiting the spend on a specific virtual card.

Tip

If you use payment processors like Google Pay or Apple Pay, you should also use a virtual card for them.

Step 4: Avoid using them altogether

Credit cards are not necessarily the most secure payment method. They still offer insecure authentication methods, as we've seen, and are usually put behind payment processors in the US, which may collect your data or give another country power over your country's citizens. Some countries (like Brazil with Pix) offer transfer methods that allow you to confirm the value being sent, and are P2P. If your country offers this and it is common, it's worth using in most cases.

Note

Note that these methods may not be available offline. Offline availability is a benefit of credit cards and services like Apple Pay.

Step 5: Block undesired authentication conditions with your bank

Some banks will allow you to configure your credit card to disallow online purchases, purchases outside the country, contactless payments (without affecting services such as Google Pay), and in some places maybe even mag stripe use. You can usually do this online, through the bank's app or similar.

Step 6: Be aware of privacy-invasive security promises

Some banks may want to break your privacy to try to protect you. This can include things such as enabling call filtering from your bank, or constant access to your location. Instead of letting them access these things, adopt better practices yourself and try not to fall for these promises. Anything that can be used to attack you will be used.
