Is Letting Google Chrome Autofill My Credit Card Number a Huge Mistake?
Money recently launched Dollar Scholar, a new personal finance newsletter written by a 27-year-old who’s still figuring it out: me.
Every week, I’ll talk to experts about a money question I have, whether that’s “Are online banks sketchy?” or “How many credit cards do I need?” As I learn, I’ll share simple ways to improve your financial life… and post some funny memes.
This is (part of) the seventh issue. Check it out below, then subscribe to get future editions of Dollar Scholar every Wednesday.
I spend a ridiculous amount of time online every day. We're talking at least eight hours on WordPress, Gchat, and Slack during work, plus usually an hour or two on Twitter, Instagram, and Reddit at home. The internet knows me better than I know myself: the kind of coffee creamer I like, the college friends I actually want to keep up with, the sneakers I briefly considered buying three weeks ago.
It also knows my credit card info. Google Chrome autofills it whenever I'm shopping on my laptop, which is… uh… often. All I have to do is click in the right field, choose a saved card from the dropdown menu and go. Sometimes the browser will prompt me for my CVV number, but even so — checkout is dangerously fast. I can shop at the speed of light, no fumbling through my wallet necessary.
It's hella convenient, but I've never given much thought as to whether it's wise. Should I let Chrome autofill my credit card number on websites? Is it safe?
I decided to find out. I began by digging into my Chrome settings, where I found a page with the option "Save and fill payment methods" selected. It showed my cards were linked to Google Pay, which I learned encrypts payment info and stores it on secure servers.
That sounded good until I called Robert Siciliano, a cybersecurity market segment expert. He explained that despite the encryption on the back end, I'm still in danger if my computer is accessed by someone who's not me (which can happen through malware or if the computer is physically stolen). So letting Chrome store my payment info isn't exactly the most secure move.
"I always suggest people log out of everything," he says. "It reduces risk."
Another thing that reduces risk is when Chrome requires a CVV — that three-digit number printed on the back of your card. Siciliano says it's an added layer of protection "because only you should have your card," meaning it lowkey verifies you are who you say you are. But not even that is foolproof. As Credit Karma points out, not all merchants force you to enter a CVV.
Scammers can also trick you into giving up your code, according to Adam Levin, the founder of identity and data defense company CyberScout. One way is through vishing, in which bad actors pretend to be your bank, call you and ask for your CVV in order to "verify" your identity. (But really they steal it.) Another is through SMiShing, in which a hacker texts you a link that "reauthenticates" your account. (But really they install malware.)
The names are silly, but the threat is serious.
"Autofilling or being receptive to what you think is an institution you trust or do business with could get you into a little bit of trouble," Levin says. "[Sites could be] taking info from you that you don't realize you're giving."
Sure enough, tech site ZDNet wrote in January about a Chrome extension that conned people into installing a fake Flash player. In reality, it scanned their web activity for Mastercard, American Express, Visa, and Discover info — and collected it. My nightmare.
As far as my autofill concerns go, Levin told me to follow the three Ms: minimize exposure, monitor effectively and manage the damage.
To minimize exposure, I should cut down on the discoverable data I have floating around on my devices. He and Siciliano both recommended using a password manager, which will protect my info by formulating, storing and inputting hard-to-crack passwords on various sites. LastPass, KeePass, Dashlane and 1Password are among the most well-reviewed options.
To monitor effectively, Levin said I should set up transaction monitoring alerts that ping me and my bank every time money comes out of my account. That way, I'll know right away if someone else uses my card info.
And should I end up in a situation where I need to manage the damage, I should check out whether my bank or employer offers identity theft support.
Unfortunately for my shopping addiction, I should probably delete my payment info from Chrome and just start entering it in… every. Single. Time. Over. And. Over.
"Whatever the inconvenience is, it's nothing compared to the inconvenience of having someone take over an account or commit identity theft," Levin says.
Plus, he mentioned, having to take the 30 seconds to type in my credit card number every time I want to buy something online has the added benefit of making me slow down and think.
"As you're entering the numbers on the website, you're reflecting upon what the result will be," Levin says. "Am I sure I really want to spend this money here?"