People often share too much on social media, and the Twitter account @NeedADebitCard highlights this by shaming the people who post photos of their debit cards — but as anti-fraud systems advance, how much danger is there from these photos, which show names, account numbers and expiration dates?
Some of the people whose tweets are reposted by the @NeedADebitCard account are bragging about obtaining a credit or debit card, some are showing off its design, and some are griping about issues such as a misspelled name. Some try to obscure the account number with their finger, but many show the card's entire front image.
This doesn't seem to bother American Express Co. Even though the New York company prints the card's security code on the front of its products, Amex says its technology is up to the task of spotting fraudsters who operate with just the information available from a card's photo.
"We have found that the best way to approach this issue is from a holistic perspective," said Marina Norville, American Express' vice president of public affairs and communications for corporate, financial and risk. "This means preventing fraud both on the consumer and merchant side of the transaction, looking at physical features of the card as well as security information only the true cardmember would know about the account."
This process is designed to work even when a large amount of card data is exposed, such as the data that might be revealed in a photograph posted online.
"I have not heard of [the Twitter account] but internally, we are not viewing this as a concern," Norville says.
MasterCard Inc. of Purchase, N.Y., also keeps an eye on potentially fraudulent uses of its cards, but it says that practice doesn't absolve consumers of their responsibility to keep their account details secure.
"While we have many ways to safeguard against fraud, we strongly encourage our cardholders to practice good judgment," said Amanda Gioia, a senior business leader for MasterCard's worldwide communications, in an email. "Taking photos of their cards and sharing them via social media is not something we recommend."
The @NeedADebitCard Twitter account had fewer than 30 posts as of July 3, and by that time it had attracted over 9,000 followers and the attention of several news outlets. Some of those followers offered either advice or mockery to encourage the people who posted card photos to cancel those cards due to the risk of fraud.
And the risk is real, says Aite Group senior analyst Shirley Inscoe, who viewed the Twitter account and says there is more than enough information pictured for criminals to forge payment cards.
"I can't believe people could be this irresponsible," says Inscoe. "A lot of people have affinity cards, from their college or their favorite NFL teams, and maybe that's what led to this and they just purely were not thinking. But from a financial perspective this is a totally irresponsible action."
The pictured information can be paired with other incomplete account information obtained through data breaches, Inscoe says. This combined information could be enough to trick an ATM or an online retailer.
"If the card is expired and they've closed the account, then I would say they're pretty safe, but if that expiration date has not been reached and they are not closing the account, I think they're running a major risk," Inscoe says. "I don't think the public in general realizes with all of the data breaches that have occurred in the past few years, there's just a tremendous amount of information out there available to these crooks."