Is Firefox To Blame For Your Credit Card Fraud?
If you look at this chart, somewhere between 3.5% and 4.7% of Americans are victims of identity theft in a given year. What’s the most common type? Credit card fraud. When this happens to us, sometimes we know exactly why (e.g. a lost wallet) but other times, we haven’t the slightest clue as to how our credit card information was compromised.
But if you ask Jeff, a reader who recently emailed me, he claims to know exactly how his card numbers were stolen… Firefox.
Saving what you don’t want saved
According to him, the reason he was slapped with $3,122 in fraudulent charges on his Citi Platinum MasterCard is because Firefox inadvertently saved the data while he was placing an online order. It just so happens that the computer he used was his girlfriend’s, whom he happened to go through a nasty breakup with shortly thereafter.
Fast forward a couple of weeks and his Citibank bill arrives, chock-full of fraudulent online orders from clothing retailers, jewelry stores – and most entertaining of all – a site which sells nothing but padded lingerie.
So what does Jeff do? Well, before he calls up Citi to dispute the charges, he plays private eye and hits up these retailers to try and find out exactly who is behind all this. Most refuse to provide him any details but one of them does… lo and behold, the order was shipped to a vacant house right next door to his ex-girlfriend, with the explicit instructions to “leave package at doorstep.”
How often does this happen?
You probably won’t experience an ex using your platinum MasterCard to buy padded garments; however, the whole problem of web browsers saving information you don’t want saved seems to be quite common. Not only have I heard many on my forum complain about this, but I have also experienced the problem firsthand a number of times.
But don’t be so fast to bash Firefox or whatever browser it is you’re using. As it turns out, the website’s coding has something to do with it.
There’s an HTML attribute “AUTOCOMPLETE=OFF” which is supposed to be used on input fields containing sensitive information (including credit card numbers, expiration dates, and security codes).
Unfortunately, there are still many sites – both small and large – which fail to code these fields properly. For example, according to one poster in this Chromium discussion, as recently as last year Verizon was allegedly still not including this attribute where it should be.
Ultimately who is to blame?
Is it really fair to blame a website, when at the end of the day it’s the browser which added the functionality of auto-fill and failed to adequately manage its security risk? Many say that a simple regex to ignore 16-digit numbers (Visa/MasterCard/Discover) and 15-digit numbers (American Express) would solve the problem 99% of the time.
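The two safeguards discussed above, the site's autocomplete="off" hint and the browser-side digit-count regex, sketched as an added example that is not from the original post or from any browser's actual code. The field objects, the function names and the Luhn checksum step are assumptions made for illustration; the Luhn step goes beyond the plain regex so that other 15- or 16-digit values, such as order numbers, are not treated as cards.

```javascript
// Added illustration: hypothetical names, not a real browser's form-history code.

// 15 digits (American Express) or 16 digits (Visa/MasterCard/Discover).
const CARD_LENGTH_RE = /^(?:\d{15}|\d{16})$/;

// Luhn checksum (assumption added here to reduce false positives).
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]); // walk right to left
    if (i % 2 === 1) {
      d *= 2;                                      // double every second digit
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

function looksLikeCardNumber(value) {
  // People type cards as "4111 1111 1111 1111" or "3782-822463-10005".
  const digits = String(value).replace(/[\s-]/g, "");
  return CARD_LENGTH_RE.test(digits) && passesLuhn(digits);
}

// Decide whether a submitted field value may be kept in form history.
function shouldSaveToFormHistory(field) {
  const hint = (field.autocomplete || "").trim().toLowerCase();
  if (hint === "off") return false;                   // the site opted out
  if (looksLikeCardNumber(field.value)) return false; // browser-side safety net
  return true;
}

function savedFieldNames(fields) {
  return fields.filter(shouldSaveToFormHistory).map((f) => f.name);
}

// Constructed sample submission (card values are constructed test numbers).
const submitted = [
  { name: "email", autocomplete: "", value: "jeff@example.com" },
  { name: "cc", autocomplete: "OFF", value: "4111111111111111" },
  { name: "card", autocomplete: "", value: "4111 1111 1111 1111" }, // attribute missing
  { name: "amex", autocomplete: "", value: "3782-822463-10005" },   // attribute missing
  { name: "order", autocomplete: "", value: "1234567890123456" },   // 16 digits, not a card
];

console.log(savedFieldNames(submitted));
```

Only the e-mail address and the order number survive; the two card fields on the form that forgot the attribute are still kept out of history by the browser-side check.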
Regardless of which side of the argument you stand on, just make sure you’re aware of this problem and regularly clear your browser’s form history. Or better yet, just disable the feature altogether.
This post was written by Mike, the creator of CreditCardForum, a place to discuss deals for credit cards and whatever else you want to get off your chest about them.


