What Can Be Done About Security of Debit Cards?
JumpDrive writes "I have been the victim of (Visa) debit card theft. I do not know where they stole or got the number, but it was used one day on the other side of the country and the next day it was used in Europe until they cleaned out my account. I had been monitoring my account online and immediately went to the bank and filed a claim. I was told at that time it would be 3 to 5 weeks for them to investigate the claim before they could return my money. Recently I tried to make a purchase with a debit card and was told that they couldn't use the card since it wasn't a Visa or MasterCard check card; this led to a discussion of why I no longer have a Visa or MasterCard check card. Which then led to the question of 'What can be done about it?' Currently I have a separate account for debit usage for my personal safety. But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards (not in small print and maybe required in advertisement of these cards, similar to what is required with pharmaceutical drugs on television) and/or that if a debit or check card is issued a separate account should be required for its use, and users informed of the issues of placing all of their money in the same account that their debit card has access to. What other precautionary measures should be required or taken?"
What can be done? Nothing. (Score:5, Informative)
The short answer? The banks will do nothing for you today.
The long answer: Nobody will do anything for you tomorrow, either.
Why? Because Visa does two things, only one of which makes money. First, they are in charge of defining financial card security through the PCI council, and they own and operate the secure network VisaNet, which carries authorizations from retailers to banks. Guess which one makes them money?
If Visa were to design and offer a cryptographically secure solution, one based only on smart cards for the customers and Hardware Security Modules (HSMs) at the banks, then I could safely route my charge authorizations over the plain ol' Internet. I wouldn't need to use the charge-per-transaction VisaNet. Visa would stop making money.
So instead of offering a secure solution, Visa and the PCI council say, "Merchants must lock down their systems, protect this data, follow these 12 steps, acknowledge that you are powerless over alcohol (oh wait, wrong 12 steps), and if you don't, we'll loudly blame you for allowing someone to see our non-existent security."
Visa owns the protocols used between merchants and banks. They could strengthen the protocols. They could prescribe encryption. They could require the deployment of chipped banking cards. But they do not, and have not for many, many years, despite a pathetic track record of security.
If you want the banks to be safe with your money, you ironically have to take charge of your own security. If you switch to using the green paper stuff, your losses will be finitely limited to what you carry on your person. If you want a more achievable answer in today's plastic world, DO NOT CARRY DEBIT CARDS. Debit cards do not offer you protection against loss. Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit card losses are usually covered by the bank, but they are under no legal obligation to do so. For ATM access, most banks will honor your request for an ATM-only card instead of accepting their default ATM/Debit card. Of course, the use of credit cards requires personal discipline to always pay the debt on time, but otherwise you would see little difference.
Does your bank not call you or text you? (Score:4, Informative)
Re:What can be done? Nothing. (Score:3, Informative)
Re:What can be done? Nothing. (Score:5, Informative)
(Emphasis mine).
Actually, I don't think the part about the lack of debit card consumer protections is factually accurate. Here's the blurb from The FTC's Facts for Consumers [ftc.gov]:
Re:What can be done? Nothing. (Score:4, Informative)
"They could require the deployment of chipped banking cards."
And this is where most of the problem has been caused. The belief that if we put those RFID chips in our bank cards, they [boingboing.net] must [engadget.com] become [daniweb.com] safer. [hackaday.com] The problem is, it's the chip that is the biggest security issue: since it's RFID, it's 'always on' and more than willing to send its information to whomever asks. The banks and credit card companies have invested millions, if not in the billions, of dollars into the technology and it's a flop. A massive, expensive flop. And now they have 2 options. Fess up that it's a failed experiment and have very pissed off investors. Or, censor/intimidate anyone who wishes to publicly expose [engadget.com] this as the failure it truly is.
What to do? Tell your bank they're full of it (Score:5, Informative)
IAABG (I am a banking geek).
The rules for provisional credit on debit cards are very well established. They fall under Regulation E, section 205.11. [bankersonline.com] The bank has ten days to get you a provisional refund, and can take up to 45 days in certain circumstances to complete their investigation and finalize the credit.
Make sure you get them a notice in writing! Once you do, they have ten days to credit you, and many banks will do it much faster. If the bank drags their feet, just tell them "I want provisional credit within the mandated timeline per Regulation E".
Here's more on this topic:
http://www.bankersonline.com/technology/guru2008/gurus_tech022508c.html [bankersonline.com]
http://usa.visa.com/personal/security/visa_security_program/zero_liability.html [visa.com]
http://finsolinc.com/Reg%20E%20EFTA%20Error%20Resolution%20Flowchart.pdf [finsolinc.com]
The protection for misuse of debit cards is strong, you just need to know what to do. If your bank isn't responsive, Move Your Money [moveyourmoney.info] to a smaller institution that cares.
Re:What can be done? Nothing. (Score:3, Informative)
Sure, a single bank can stand up their own system. But what retailers are going to sign up and connect to them? What retailers want to take on that expense? And if I create John's Credit Network and Bruce creates Bruce's Credit Network, how would we get cooperative protocols? Finally, who is going to finance and pay to create a system that competes with Visa but doesn't actually generate revenue?
And forgetting the difficulties in creating such a system, think about another hard problem, the human element. It's well-demonstrated that ordinary consumers don't care about security. It's not a selling point. Why not? Even if they cared greatly, the $50 liability limit that the consumer protection laws mandate means that they're not at any real risk for fraud if they stick with their current bank. Where is the consumer appeal for "John's Crypto Credit Card, good at more than two retailers citywide, and your money is mathematically safe!" If I can use John's card at two retailers in town, or a Visa at over 6 million locations worldwide, and I'm only risking $50 to go with the Visa, guess which convenient card I'm going to choose?
Re:What can be done? Nothing. (Score:5, Informative)
Naah - no modding down. Everyone here should be smart enough to distrust debit cards immensely.
As for internet buys - use 1 time numbers. My main credit card has them available, although I'll admit it is a pain in the tukas to get to the screen that gives you one, and it's not exactly advertised. (Read that as: you have to know what you're looking for and what the specific verbiage is on the menus, or you won't find it.)
Re:What to do? Tell your bank they're full of it (Score:2, Informative)
I work in banking, and this is absolutely correct. In fact, the Reg-E clock starts ticking even before a written notice. It begins as soon as you report, in any capacity, unauthorized charges.
Re:It was a horrible idea then AND now (Score:5, Informative)
You are paranoid. And ignorant. As long as you report the theft to your financial institution as soon as you learn about it, there are strong protections in place. It's simply not true that it's up to YOU to track down your money. It's up to your financial institution. They are required by law to credit you in the case of errors or unauthorized purchases, and are even required to issue a provisional credit in many cases before the investigation is complete.
A Visa Debit card carries the same protections [visa.com] as a Visa Credit card for signature-based transactions. PIN-based transactions are still covered by Regulation E [wikipedia.org], which protects the consumer.
And there's no such thing as a perfectly good ATM card: with a skimmer, a fraudster can clone your ATM card and have your PIN. Fraudulent PIN based transactions are MUCH harder to refute. People call up all the time and say, "I have no idea how that person got my PIN number, I've never given it to ANYONE!" We (my bank) pull the ATM video, and sure enough it's their son/daughter. The consumer sheepishly admits, "Oh, well, I just told them my PIN once, months ago..." Given the choice between turning the video over to the police or rescinding the claim of unauthorized use, many people will choose the latter.
Re:What can be done? Nothing. (Score:5, Informative)
I work in bank security, and I just wanted to offer some clarification on your rant:
"If you want a more achievable answer in today's plastic world, DO NOT CARRY DEBIT CARDS. Debit cards do not offer you protection against loss."
A debit card can be used in two ways. It can either be used with a PIN in what's commonly called a debit transaction (or at an ATM), or it can be used as a "credit" transaction and processed through the Visa or MasterCard network. There is little to no protection against loss for the former of these transaction types, except keeping your PIN secure. The "credit" style transaction, on the other hand, is protected by a zero liability guarantee (at least Visa cards... not sure about MasterCard). Yes, your bank account may get cleaned out (or depleted up to the daily spending limit of your debit card), and outstanding checks may bounce, and you may have a freeze on your account until it gets resolved. However, this zero liability guarantee means any transactions found to be fraudulent will be reimbursed by your bank. The bank then goes after the merchant that processed the transaction to recoup their own losses. If you have a good bank, they'll also refund your overdraft fees. Debit or ATM transactions, on the other hand, are not covered by the same guarantee, so having your card skimmed and PIN captured is far worse - UNLESS your bank offers a guarantee on these types of transactions as well.
See http://usa.visa.com/personal/cards/debit/visa_check_cards_faq.html [visa.com]
"Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit card losses are usually covered by the bank, but they are under no legal obligation to do so."
Losses due to fraudulent transactions processed through the Visa network are actually covered by the merchant that accepted the transaction, not your bank. Your bank only covers "Debit"-style losses they agree to cover if they offer protection against Debit or ATM transactions, but that's not a standard program.
"For ATM access, most banks will honor your request for an ATM-only card instead of accepting their default ATM/Debit card."
An ATM-only card means you will have to use ATMs more frequently, thereby potentially exposing yourself to skimmers, as well as use of your PIN in public. Since there's no zero-liability coverage with most banks for skimmed ATM transactions, you're putting your money at greater risk by doing this. Oh, and by the way, the skimmers have this one figured out too. You no longer have to worry about the shady looking person loitering near the ATM watching you enter your PIN. They install a tiny camera painted to match the fascia of the ATM, and they aim it at the keypad.
Re:What can be done? Nothing. (Score:5, Informative)
Great idea. But my bank doesn't offer me such a system.
In its place though I have a credit card issued from the bank. It is linked to only one account and I have to transfer money into it before I use it for any transactions so otherwise it is mostly empty. Try to withdraw any more than is in it, and the transaction is automatically rejected. Seems to work for me so far with online transactions quite well.
Re:What can be done? Nothing. (Score:2, Informative)
Re:What can be done? Nothing. (Score:4, Informative)
According to them you have up to 60 days to report from the time they mail you the statement containing the fraudulent withdrawal before you start losing your own money.
Re:What can be done? Nothing. (Score:4, Informative)
One thing can be done:
http://www.my-spy.com/ [my-spy.com]
A service which will notify you via email or text message whenever any transaction occurs on your accounts.
--jeffk++
Doesn't happen like that in AU (Score:2, Informative)
Banks must roll differently stateside. Here in Australia my Visa debit card has been compromised twice. Both times I was contacted by the bank (different banks in each case) before I even knew what was going on. They had a new card and number out to me in 3 days and the dodgy charges were refunded by the time I logged on to my internet banking to check.
Another time I was on my honeymoon and the resort we were staying at put a rather large hold of funds on my Visa debit card. My bank rang me and said they had a large charge on my card and asked if it was ok.
Impressive all round.
Re:What can be done? Nothing. (Score:2, Informative)
Actually if your debit card has a Visa or Mastercard logo on it, it has the exact same protections on it as a credit card.
Only if it's run as if it were credit and not a PIN transaction.
Re:What can be done? Nothing. (Score:3, Informative)
you've obviously never dropped your wallet then.
I have. I'd gladly pay $200 cash in exchange for all the time spent straightening out my finances.
I would come out ahead big time (Vs. lost income from normal hourly pay where I work).
I use a debit only card for ATM and a Low limit Visa for internet/day to day purchases ($1K). I have another account that can charge an obscene amount of money, but I try not to use that for anything, and don't carry the card with me as a day to day thing. ;)
Worst case scenario is I lose $400 cash from the ATM (daily limit) before I can notify the bank to freeze my account. The credit card purchases are not my problem beyond $50, and if they push the issue I simply refuse to pay.
-nB
Re:What can be done? Nothing. (Score:4, Informative)
In fact, not only is it a good answer, it's the only correct answer. Credit is better than cash is better than debit. Why? If you have a dispute with a merchant you paid in cash, you need to sort it out with them directly before you can get your money back. If you have a dispute with a merchant and you paid with credit, and you're in good standing with your credit card provider, then you can just have them fight it out for you and reimburse you immediately. No hassle, no worries.
I pay credit for everything I can. Absolutely everything. I have no shame whipping out a credit card for a $3 purchase if the merchant will accept it. Why should I care?
Oh, and of course, all of this requires the very simple discipline of paying off your bills every month, and thereby incurring no fees. As a bonus, you get points/miles/whatever. Sure, you're paying for it because the merchant builds the card fees into the price of whatever you're buying, but by and large paying cash won't get you a better rate these days.
Debit? Never use it. Unfortunately my ATM card HAS to also be a debit card, and there's no way to deactivate its debit usage. It's a shame. There is literally no point, whatsoever, to using a debit card. Unless, I suppose, you lack discipline, and well in that case you've got bigger problems.
Interesting, cos a bank account isn't your money (Score:3, Informative)
Legally.
In most countries a bank account is legally a loan to the bank. Legally it isn't a safety deposit box where they store your money for you.
This means the money is theirs to do with as they please and they are graciously allowing you to use their credit instead, with the attached terms and conditions.
Re:Get a credit card (Score:5, Informative)
Regulation E Dispute (Score:2, Informative)
The bank HAS to refund your money..... (Score:4, Informative)
Re:What can be done? Nothing. (Score:3, Informative)
Uhmmm, that's not what a chipped card is. This is a chipped card http://en.wikipedia.org/wiki/Smart_card [wikipedia.org] and it's way
Who would use a debit card off primary checking? (Score:2, Informative)
Re:Only use a credit card (Score:3, Informative)
Re:What to do? Tell your bank they're full of it (Score:2, Informative)
Absolutely correct; however, without a paper trail, the bank can just claim they weren't notified.
Re:What can be done? Nothing. (Score:3, Informative)
A debit card where you transfer money into that account just before each transaction has a similar effect if your bank doesn't offer one-time cards.
Personally I have a credit union (I know not everyone is eligible to join one). When a similar thing happened to me as happened to OP, my CU refunded the missing funds the same day I filed the police report (over a certain dollar value a police report is required to file a dispute), which also happens to be the day I found out about it. I found out about it because my CU called me about suspicious activity. This was not credit card fraud prevention services (who honestly has no real motivation to really provide much in the way of fraud prevention - they get their cut either way). The transactions had already completed, once they posted to my CU, the CU is who called - specifically Linda, a kind teller who knows my name and can pull up my account even though I only see her a couple of times per year.
In the time the funds were missing, one payment did incur overdraft. My CU's overdraft is nicer than a normal bank's overdraft too - it's a line of credit, and there is no charge for dipping into that LOC, there is just an interest charge for any remaining balance 30 days later (basically if my checking account runs dry, my debit card turns into a normal credit card). Linda told me that it's possible there were other transactions working their way through (even though my card was now canceled, it can take up to 24 hours for some charges to post to the account - particularly if they are foreign in origin), and assured me that any true overdrafts (the sorts which come with a charge) which might occur as a result would have their fees reversed.
So like I said, I know not everyone has a credit union as an option. But when your bank is actually watching out for your interests, there are better options out there without even needing to invent something new.
BofAmerica (Score:3, Informative)
Re:What can be done? Nothing. (Score:1, Informative)
It's honestly just the sorry state of American culture that we have so many people out to defraud others, without a concern at all for the person who may get fired for it.
Myself, personally, I've had people try to short-change me (constantly swap money in an effort to confuse me into giving them more than they gave me. "No can I get two tens, actually make that four fives. Okay, I'll keep these two fives and give you this fifty if you give me a twenty, and three tens.")
I've had lots of people scratch off one digit on a personal check's account#, cleverly sign their name over the missing digit, and attempt to give that to me. They're usually stolen checkbooks, but the banks don't care even if not, they won't honor the check.
I've also had lots of fake currency handed to me. The most pathetic case was the asshat who gave me a $5 bill that was xeroxed, and if you flipped the bill over, it was copied upside down.
So yeah, sorry about your experience. The thing is, our managers will fire us if we take bad money, and there are an absolutely huge number of fraudsters out there. It's also hugely embarrassing. I fell for one trick exactly one time (I was 15 and still under the impression that people were generally "good" -- hah), and I swore to never let that happen again, which made me ten times as scrutinizing as before.
Re:What can be done? Nothing. (Score:4, Informative)
"Yes, your bank account may get cleaned out (or depleted up to the daily spending limit of your debit card), and outstanding checks may bounce, and you may have a freeze on your account until it gets resolved. However, this zero liability guarantee means any transactions found to be fraudulent will be reimbursed by your bank. The bank then goes after the merchant that processed the transaction to recoup their own losses. If you have a good bank, they'll also refund your overdraft fees."
Meaning no offense, but why in the hell would this make me want a debit card?
Maybe the bank would give me back my fees and losses, but I've still bounced checks with God-knows-who and caused them all manner of hassle and had them incur fees and lost trust with them. If my bank account gets cleaned out the day before my IRS check hits, do you seriously think they'll just chuckle and say "oopsie, well, we'll clear it again". No. I'm going to spend hours on the phone with everyone I sent a check or made an automated payment to, trying to dig my way out of the hole that used to be my bank account.
I've had an account cleanout happen (account was cleaned out by lawyers suing my parents, and I stupidly left my mother's name on my bank account). My mortgage and car payment checks were in the outgoing mail the same day I received the "summons to trustee" notice, and all my money was gone. It worked out, but I had to take two days off work (lost vacation time) to make all the necessary phone calls, and I still had a black mark on my credit rating for several years afterward, even though none of the bounced checks were determined to be my fault. I worked for a bank service company at the time, and they routinely pulled credit ratings (since I handled account details on a lot of people). I had to spend a couple of hours explaining the whole situation at work, and it's possible I could have lost my job over it. Fortunately I didn't. Net result was an absolute nightmare, and my bank was actually pretty nice and helpful about the whole thing.
I also had my credit card number compromised once (Hannaford breach, and my card was actually used overseas). Visa called me, said that the card had been suspended but that any automated payments I had set up would work for another week to give me time to transition to the new card number, went through the outstanding charges over the phone to verify that they were all valid, apologized for the inconvenience, and I never even saw any of the fraudulent charges at all. I spent 15 minutes on the phone with them, 10 minutes entering the new card on my automated payments, and another 5 minutes cutting up the old card when the new one came in. Impact to my credit rating: none.
"Yes, the debit card can be almost as secure as the credit card if you use it as a credit card, and if your bank is really nice the resulting damage to your account and credit rating can be built back to almost new after a lot of effort!"
Thanks, I'll use a credit card. If it gets used fraudulently, the onus is on the credit card company to help me out, because my money is not gone. A credit card does not have access to my checking account. That's a very important distinction to me.
Re:What can be done? Nothing. (Score:4, Informative)
No. I pay my credit card company with an ACH transaction. I log on to my credit union's web site and authorize transfer of the funds every month. No paper checks, and the only people who have access to that information are my credit union and my credit card company.
And the only account authorized for ACH and checks is one I keep a limited amount of funds in. So even if my checking account was compromised, they could only take what I had deposited in it to cover the bills outstanding against it at the moment.
Plus, even if I did pay them with a check, that's one transaction per month I am taking a risk with. I pay for nearly everything with my credit cards, so I am using them multiple times PER DAY with various and sundry vendors.
I'd rather have my bank account with my real money exposed for one transaction per month than many. And even that is a "front" account with little funds in it.
In other words, I use the technique most people here espouse to make debit cards more secure - keep only a small amount exposed to the card.. except I use that as a SECOND layer of defense, not a primary one.
Credit cards may not be absolutely secure, but in terms of their ability to drain my actual money from my actual accounts, they are as close as we're gonna get.
If someone uses my credit card for fraud, I may have an uncomfortable time with the one creditor (my credit card company), but my cash in my bank/credit union accounts cannot be compromised by that. That means that any other payments I might make are unaffected by the fraud, my checks clear, and all of the people I am honestly paying will get paid.
To me, debit cards represent the worst of all possible worlds. I am exposing my actual bank account in each transaction, I am not receiving any float on my funds, I am not receiving any cashback or awards for my purchases, and the vendor I am doing business with is still paying a transaction fee.
For someone disciplined enough to pay off a credit card every month, I have yet to hear of any benefit to using a debit card. There are lots of disadvantages, and not a single advantage I've ever heard of.
Re:What can be done? Nothing. (Score:4, Informative)
One thing to be aware of... If you're doing an in-store merchandise pickup, they will normally want to see your card when you pick it up - for verification of your identity, and their computer systems generally require them to swipe the card. The programmers of said system were lazy enough to make that the only verification method, and the salespeople can't change it. Not the best way to do it, but it will save you a lot of hassle if you DON'T use a one-time number for these particular online transactions.
Disclaimer: I used to work in a store. These one-time numbers caused us endless headaches and hassles because customers would get downright nasty when we simple and unempowered salespeople would have to jump through all these ridiculous hoops (return, refund, repurchase) to make our system handle them. This would take half an hour or so, while the customer did this to "save time"... so just use your actual card number for in-store pickups, or call the store to confirm merchandise availability, have them hold it for you, and buy it at the store.
tl;dr if you need to verify your identity as the purchaser at a later date, especially with physical evidence, don't use one-time numbers.