Google Chrome autofill: Is it safe to store a credit card?

Money recently launched Dollar Scholar, a new personal finance newsletter written by a 27-year-old who’s not yet in the know: me.

Every week, I’ll talk to experts about a money question I have, whether it’s “Are online banks sketchy?” or “How many credit cards do I need?” As I learn, I’ll share simple ways to improve your financial life…and post fun memes.

This is (part of) the seventh issue. Check it out below, then subscribe to get future editions of Dollar Scholar every Wednesday.


I spend an insane amount of time online every day. We talk at least eight hours on WordPress, Gchat and Slack while at work, more usually an hour or two on Twitter, Instagram and Reddit at home. The internet knows me better than I know myself: the kind of coffee creamer I like, the college friends I actually have want to to follow are the sneakers that I briefly considered buying three weeks ago.

It also knows my credit card information. Google Chrome automatically fills it in every time I shop on my laptop, which is… uh… often. All I have to do is click in the right field, choose a saved card from the drop-down menu, and go. Sometimes the browser will ask for my CVV number, but even so the payment is dangerously fast. I can shop at the speed of light, without rummaging through my wallet.

It’s very convenient, but I never gave much thought to whether it was wise. Should I let my Chrome autofill my credit card number on sites? Is it safe?

I decided to find out. I started by digging into my Chrome settings, where I found a page with the “Save and fill payment methods” option selected. This showed that my cards were linked to Google Pay, which I learned encrypts payment information and stores it on secure servers.

Sounded good until I called Robert Siciliano, an expert in the cybersecurity market segment. He explained that despite the encryption on the back, I’m still in danger if someone who isn’t me gains access to my computer (which can happen through malware or theft physical). So letting Chrome store my payment information isn’t exactly the most secure solution.

“I always suggest people disconnect from everything,” he says. “It reduces the risk.”

Another thing that reduces risk is when Chrome requires a CVV – that three-digit number printed on the back of your card. Siciliano says it’s an extra layer of protection “because only you should have your card,” meaning she discreetly verifies that you are who you say you are. But even that is not infallible. As credit karma points out that not all merchants require you to enter a CVV.

Scammers can also trick you into giving up your code, according to Adam Levin, founder of the identity and data defense firm. CyberScout. One of them is to use vishing, in which bad actors pretend to be your bank, call you and ask for your CVV in order to “verify” your identity. (But really they steal it.) Another is through SMiShing, in which a hacker sends you a link that “reauthenticates” your account. (But in reality, they install malware.)

The names are silly, but the threat is serious.

“Auto-filling or being receptive to what you think is an institution you trust or do business with could land you in some trouble,” Levin says. “[Sites could be] taking information from you that you don’t realize you are giving. »

Indeed, technical site ZDNet wrote in January about a Chrome extension that tricked people into installing a fake Flash player. In fact, it analyzed their web activity for information on Mastercard, American Express, Visa and Discovery – and collected it. My nightmare.

When it comes to my autofill concerns, Levin told me to follow the three Ms: minimize exposure, monitor effectively, and manage damage.

To minimize exposure, I should reduce the detectable data flowing through my devices. Both he and Siciliano recommended using a password manager, which will protect my information by formulating, storing, and entering hard-to-crack passwords on various sites. LastPass, KeePass, Dashlane, and 1Password are some of the best-reviewed options.

To monitor effectively, Levin said I should set up transaction monitoring alerts that notify me and my bank whenever money comes out of my account. That way, I’ll know right away if someone else is using my card information.

And if I find myself in a situation where I have to deal with the damage, I should check to see if my bank or employer offers identity theft assistance.

Unfortunately for my shopping addiction, I should probably delete my payment information from Chrome and start entering it in…every. Only. Time. More than. And. More than.

“Whatever the inconvenience, it’s nothing compared to the inconvenience of having someone take over an account or commit identity theft,” Levin says.

Plus, he mentioned, having to take 30 seconds to type in my credit card number every time I want to buy something online has the added benefit of making me slow down and think.

“When you enter the numbers on the website, you think about what the outcome will be,” says Levin. “Am I sure I really want to spend this money here? »

Comments are closed.