There’s a piece of advice you won’t hear from your bank. Not because they don’t know — their security teams absolutely do — but because saying it out loud is uncomfortable when you’re also in the business of reassuring people that everything is fine.
So I’ll say it instead: if your debit card is more than a couple of years old and you’ve used it on smaller websites, you should replace it. Now, not eventually.
Here’s why.
Something just changed
In April 2026, Anthropic — the AI company behind the Claude family of models — quietly announced something significant. Their latest model, Claude Mythos Preview, had been used internally to find thousands of previously unknown security vulnerabilities across every major operating system and every major web browser. Many of these bugs had survived for decades undetected. One was 27 years old.
That’s notable, but not the part that matters most for you.
What matters is this: the model didn’t just find the vulnerabilities. It wrote working exploit code. Autonomously. On the first attempt, more than 83% of the time. And it can do the same thing with closed-source software — taking a compiled binary with no source code available, reverse-engineering it, and finding the holes.
This isn’t a research curiosity. It represents a fundamental shift in who can attack what, and at what cost.
The assumption that kept you relatively safe
For most of the internet’s commercial history, there was an implicit triage happening in the world of cybercrime. Sophisticated attacks — the kind that could exploit subtle vulnerabilities in obscure software — required serious skill and time. That meant attackers focused on high-value targets: large retailers, payment processors, banks.
The small online shop running an older version of WooCommerce, or the regional business with a custom checkout built in Node.js five years ago and touched infrequently since — these weren’t worth the effort. Not because they were secure. Because exploiting them required more skilled attacker time than the return justified.
That constraint has now effectively gone.
The economics of targeting have collapsed. What previously required a skilled security researcher working for days now takes an AI model a few minutes and costs a fraction of a penny per attempt. Mass automated scanning and exploitation of long-tail targets — the thousands of small sites that collectively hold a lot of card data — is now viable at industrial scale.
What this means for your debit card specifically
Every time you’ve used your debit card on a smaller website, you’ve trusted that site’s security. Some of those sites were fine. Some were running software with known vulnerabilities they hadn’t patched. Some may have been quietly compromised without ever knowing it — or without it ever making the news.
Your card details from those transactions may already exist somewhere they shouldn’t. You have no way of knowing.
The four-year-old debit card in your wallet carries four years of that history.
And debit cards carry a specific risk that credit cards don’t: fraud hits your actual bank balance. You’re not disputing a charge on borrowed money while your life continues normally. You’re potentially short on real funds while a dispute resolves — and disputes take time.
The practical response
None of this requires paranoia. It requires a modest update to your habits.
Replace the card. Call your bank and request a replacement. It’s free, it takes a few days, and it closes the window on any previously harvested card number. Whatever exists in the wild from your old transactions becomes useless.
Switch to Apple Pay or Google Pay for online purchases where you can. When you pay via these services, the merchant receives a one-time token — not your actual card number. There is nothing reusable to steal. This is the single most effective change most people can make.
For the occasional site that doesn’t accept digital wallets, consider a prepaid or virtual card with a low limit — something like a Revolut disposable card — as a sacrificial layer. Your real card stays out of it.
Move online spend to a credit card rather than debit where possible. The consumer protections are equivalent, but fraud on a credit card doesn’t drain your bank account while the dispute works through the system.
Check haveibeenpwned.com — enter your email address and it will tell you which known data breaches your details have appeared in. It won’t tell you everything, but it gives you a factual baseline rather than uncertainty.
Why your bank isn’t telling you this
Partly institutional lag — this shift is recent and bank customer communications move slowly. Partly because the advice implies their merchant ecosystem has a problem, which is an uncomfortable thing to say when those merchants are also customers. And partly because telling you to use Apple Pay is, from their perspective, endorsing a competitor’s product.
Their fraud teams know the landscape has changed. That awareness has not yet reached the leaflet in your online banking app.
The advice here is about twelve to eighteen months ahead of what mainstream consumer guidance will eventually catch up to. Acting on it now costs you nothing except a few minutes on the phone to your bank.
That seems like a reasonable trade.