What Can Be Done About Security of Debit Cards?
JumpDrive writes "I have been the victim of (Visa) debit card theft. I do not know where they stole or got the number, but it was used one day on the other side of the country and the next day it was used in Europe until they cleaned out my account. I had been monitoring my account online and immediately went to the bank and filed a claim. I was told at that time it would be 3 to 5 weeks for them to investigate the claim before they could return my money. Recently I tried to make a purchase with a debit card and was told that they couldn't use the card since it wasn't a Visa or MasterCard check card; this led to a discussion of why I no longer have a Visa or MasterCard check card. Which then led to the question of 'What can be done about it?' Currently I have a separate account for debit usage for my personal safety. But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards (not in small print and maybe required in advertisement of these cards, similar to what is required with pharmaceutical drugs on television) and/or that if a debit or check card is issued a separate account should be required for its use, and users informed of the issues of placing all of their money in the same account that their debit card has access to. What other precautionary measures should be required or taken?"
Get a credit card (Score:5, Insightful)
Use a credit card, duh (Score:5, Insightful)
How the banks advertise it: "Use your own money to shop online!"
What it actually means: "Expose the cash you need to live on to fraud."
The banks like it because you're putting your money at risk, not theirs.
just use a CREDIT card (Score:5, Insightful)
Step 2: Just use a CREDIT card. You're protected. Problem solved.
In Canada you need an ATM PIN to use a debit card linked to a bank account, but the PINs can still be skimmed by compromised payment terminals. I only pay by credit card.
How about a real solution? (Score:5, Insightful)
But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards
NO, NO, NO. No stupid, pointless warnings. Make the financial institutions solely liable for all identity theft. They're the only ones with the ability to stop it, and they should be the ones that bear the full economic incentive for managing fraud.
But I didn't say it first, Bruce Schneier did [wired.com]:
The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names.
[...]
It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims.
The whole article is +5 Insightful, well worth reading.
Re:Get a new bank (Score:3, Insightful)
This happened to me recently with B of A. I live in FL, and someone used my card in NJ. Bank of America shut my card off right after it happened, sent me an email, text message, and gave me a phone call letting me know they'd detected fraud. When I called them back, they gave me the option to turn the card back on (in case I'd jumped on a plane to NJ) or initiate a fraud investigation.
I think the fraud algorithm they use is pretty good, they found it right away. Fortunately it was only a $4.80 "test" charge. But they prevented any more money from coming out, and got the 4.80 back to me within 48 business hours.
Re:What can be done? Nothing. (Score:4, Insightful)
Re:Get a new bank (Score:3, Insightful)
I've had to have transactions purged from my card a number of times... once stolen... a few times just stupid hotels double billing me 4-figure hotel bills.. and others.
Wells Fargo got me my money back immediately on claim (with restrictions) and within a week for real (once they had investigated).
No bank is perfect but for a large one I'm generally happy with the wagon.. of course don't get me started on over-draft fees :)
Only use a credit card (Score:5, Insightful)
Debit cards are functionally useless, since they give you nothing that using a credit card which you pay off every month wouldn't, while costing you quite a bit.
If you have a credit card you pay off every month, you get an interest free loan for a month. You earn points for rewards. You get protection against fraud. You often get warranties on things you wouldn't normally get.
You get NONE of this with a debit card. The only reason a debit card is preferable is if you don't have the self control to spend an amount you can pay off every month, or you have such a bad credit rating you can't get a credit card with a grace period.
Protection (Score:4, Insightful)
I have a separate account with debit card that stays zero. When I know I'm going to pay a bill online or use for some other purchase, I move just however much I need into that account to cover the purchases or debits. In this way, if someone gets ahold of the number, there isn't a lot they can do with it.
Also I don't have overdraft protection on that specific account so that again, if someone gets my number(s), there isn't much they can do about it. Sure I may get nailed for a hundred bucks - if they catch it at the right time - otherwise, they just don't get my money.
Re:What can be done? Nothing. (Score:5, Insightful)
In this day and age, with online banking so prevalent, checking your account every few days is only prudent. It's not unreasonable for the consumer to have some burden of identifying the loss, since each of us is the best and most efficient judge as to whether or not the transactions on our accounts are in fact ones we performed. Millions of dollars in software development and analyst training have been spent on helping banks to detect fraud, but those systems aren't fail proof.
In the end, there's no substitute for each of us keeping an eye on our own accounts' transactions.
If we don't take responsibility for our own financial affairs, should we really expect the banks to carry the whole burden on our behalf? No matter how good it is, any security measure can (and likely will, sooner or later) be defeated. (and let's not forget good old fashioned social engineering...)
In the end, the best protection against a breach is constant vigilance. (Or, said another way, prevention only goes so far, detection is still required ;-)
Network effects (Score:3, Insightful)
On the flip side of that argument, someone stands to make a lot of money by entering the market and challenging Visa with the selling point of increased security.
Theoretically true but it would take someone with VERY deep pockets. Visa and the other large credit card vendors have the very powerful asset of network effects [wikipedia.org] on their side. Virtually every merchant takes Visa and Mastercard. Somewhat fewer take Discover and Amex. Very few merchants have the equipment to handle more secure cards. This means that even though there are safer cards available, there is no network to handle them and it would cost a sizable fortune to get enough merchants to carry them. From the consumer's point of view there is little incentive to carry a card that is not widely accepted especially if they are protected against loss anyway. Visa can simply promise to cover any losses which makes it uneconomical for someone to build a more secure network. In other words, ain't gonna happen.
Only way I can see a secure card network being installed in the US is if it is mandated by Congress. I've seen some efforts by Amex and some others but unless somehow we can convince Congress to get involved (unlikely in my opinion) I just don't see it happening any time soon.
Banks don't want security (Score:3, Insightful)
Signature debit card fraud is about 15 times as high as PIN debit fraud. When was the last time somebody checked your signature on a card?
So, it's more wasteful, and enables vastly more fraud, but the banks love it. But I guess that makes sense; bankers are, after all, parasites and crooks under the protection of law.
Let me give another example of how they don't care about real security. USbank's online banking service now interrupts the standard username/password entry process by asking you a "security question." These questions are things that you could find about most people in a couple of minutes, by looking at Facebook/Google, knowing them casually, guessing, etc etc. The answers are shown in the clear. So where, on every other site you've ever used (including, until recently, this one) you'd expect to be typing your password into an obscured field (********), you instead are typing into a box that anybody near you can read. Awesome. And in exchange, the security you get is... a trivial question, and a picture from a handful of pictures you're allowed to set as your "security image". Which anybody within 50 feet can see.
[Reviews comment in case caffeine has led to unfortunate or controversial comments. Nope, looks good!]
Re:Protection (Score:4, Insightful)
Re:What can be done? Nothing. (Score:3, Insightful)
This is EXACTLY why I don't carry one (Score:4, Insightful)
This is EXACTLY why I refuse to carry a debit card. With one swipe, your account is empty and your mortgage bouncing.
With a credit card, you argue with the bank about THEIR money.
With a debit card, you argue with the bank about YOUR money.
Guess which sort of inquiry receives more attention?
SirWired
Re:What can be done? Nothing. (Score:3, Insightful)
This really is a good answer. Not necessarily the low limit, but credit cards have far more protections than debit cards and are used in an identical manner (well, except for signature vs PIN). If it's a credit account with the same bank your checking or savings account is with, it's usually pretty simple to transfer the money from your bank account to pay off the credit account monthly. Doing so incurs no additional cost. If the card is charged maliciously, you still have all the money in your bank account, and once the investigation is complete you don't pay interest on the balance that was on your card. It's a win-win.
If you absolutely have to have a card, there is no additional hardship doing it this way. Even if you have bad credit, you can get a secured card through your bank.
Not trying to be mean... (Score:2, Insightful)
Re:What can be done? Nothing. (Score:5, Insightful)
Did I say RF? No, I said "chipped", although once the security is done correctly RF might not matter as much as you might think.
The correct protocol is for the merchant to tally the merchandise, and present the customer's card with their merchant ID and the transaction amount. The cardholder then has to see and approve that amount by entering a PIN in order to generate an authorization. (The cardholder needs to enter that PIN into a trusted device, which is best met by a smart card with a built-in keyboard and tiny display, or alternately by a trusted keycard device issued by the bank.) The card uses the PIN to generate a one-time approval code, which is forwarded by any means to the bank, along with the card data (account number or whatever), the amount, and the merchant ID. The bank returns an approval code to the merchant, who gives the merchandise to the customer. All this is digitally signed, of course, and the protocols need to be well laid out to avoid potential problems with respect to money laundering, man in the middle attacks, etc.
Note that the customer's account number is only usable for identification. It's only the chip-generated authorization combined with the user entered PIN that carries the value. Something you have plus something you know.
The authorization data is carried by the merchant and delivered by whatever means to the bank. The Internet would work fine. The merchant can see your account number, but they cannot charge you anything other than the value included in your approval. The authorization code is accepted by the bank for one time only use, and they will pay only the merchant ID indicated in the transaction.
Note that in this case, the card is issued by the bank. The certificates and keys are created and injected in the card by the bank. That means it's 100% bank-owned-and-provided hardware from customer to bank and back again. The bank is 100% in charge of security. All you have to do as a customer is not to lose your chipped card AND keep your PIN secret.
An RF based card would make only a minor difference in security. Sure, someone could ping it, but they couldn't get it to emit an authorization token unless they had it in their hands and pushed the tiny buttons. Protections would have to be taken to prevent RF based man-in-the-middle attacks between the merchant and the customer's card, otherwise the merchant might not get paid. But the customer's money is never at risk except when they are entering their PIN, and are staring at the tiny screen that says "PAY WALMART AMT=$34.56".
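A minimal model of the exchange described in the comment above, added here as an example and not part of the original thread. It assumes an HMAC over a bank-injected card secret as a stand-in for the digital signatures the comment mentions; the class names, the counter used for the one-time check, and all sample values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


def _mac(key, *fields):
    # Length-prefix every field so ("12", "3") and ("1", "23") cannot collide.
    parts = [str(f).encode() for f in fields]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Authorization:
    account: str        # identification only, carries no value by itself
    merchant_id: str
    amount_cents: int
    counter: int        # makes every approval code single-use
    code: bytes


class Card:
    """Bank-issued chip holding the injected secret and a transaction counter."""
    def __init__(self, account, secret):
        self.account, self._secret, self._counter = account, secret, 0

    def approve(self, merchant_id, amount_cents, pin):
        # Called after the holder has read merchant and amount on the trusted
        # display and typed the PIN on the card's own keypad.
        self._counter += 1
        key = _mac(self._secret, "pin", pin)   # something you have + something you know
        code = _mac(key, self.account, merchant_id, amount_cents, self._counter)
        return Authorization(self.account, merchant_id, amount_cents, self._counter, code)


class Bank:
    def __init__(self):
        self._cards = {}   # account -> [PIN-bound key, highest counter accepted]

    def issue(self, account, secret, pin):
        self._cards[account] = [_mac(secret, "pin", pin), 0]
        return Card(account, secret)

    def settle(self, auth, claiming_merchant):
        """Return (paid, reason) for an authorization delivered by a merchant."""
        entry = self._cards.get(auth.account)
        if entry is None:
            return False, "unknown account"
        key, last = entry
        expected = _mac(key, auth.account, auth.merchant_id, auth.amount_cents, auth.counter)
        if not hmac.compare_digest(expected, auth.code):
            return False, "bad code"            # altered amount/merchant or wrong PIN
        if auth.merchant_id != claiming_merchant:
            return False, "wrong merchant"      # only the named merchant is paid
        if auth.counter <= last:
            return False, "replay"              # each code is accepted once
        entry[1] = auth.counter
        return True, "paid"


def demo():
    bank = Bank()
    card = bank.issue("ACCT-0001", b"constructed-card-secret", "4821")  # sample values
    auth = card.approve("WALMART", 3456, "4821")
    return {
        "first": bank.settle(auth, "WALMART"),
        "replay": bank.settle(auth, "WALMART"),
        "inflated": bank.settle(replace(auth, amount_cents=99999), "WALMART"),
        "other_merchant": bank.settle(card.approve("WALMART", 500, "4821"), "OTHER-SHOP"),
        "wrong_pin": bank.settle(card.approve("WALMART", 500, "0000"), "WALMART"),
    }


if __name__ == "__main__":
    print(demo())
```
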
Re:What can be done? Nothing. (Score:4, Insightful)
Re:What can be done? Nothing. (Score:2, Insightful)
I hate to say this, but use cash.
Agreed.
No more overdraft fees either. If you don't have the cash, you can't make the purchase.
Also, if you're going to carry your entire paycheck on you, consider getting your own 'Federal [federalfirearms.net]' deposit insurance...
Re:What can be done? Nothing. (Score:5, Insightful)
GGP is on the mark, when he says "Use cash". But, in today's world, it seems a necessity that we are able to make purchases online. So, I have exactly what Recovery1 has - a plain debit card. I put money on the card, make my purchase, the card is dry, and no one can make any more withdrawals. Doesn't much matter if someone around the world gets my number, they can ONLY steal the money that I have put on the card that day, and if I've already made my purchases, the balance is zero, they can't steal anything at all.
But, their attempts to do so will trigger alarms, and the bank knows that security has been compromised!! In theory, the bank will contact me, and ask about those attempted purchases.
Re:Only use a credit card (Score:4, Insightful)
Actually, I view debit cards as just the opposite - for people who aren't inclined to spend money they don't have. Credit cards are a trap that get people into a lot of trouble, quite frequently.
Account Alerts (Score:3, Insightful)
All of my accounts will alert me by text and/or email of any transactions exceeding $500, or if the monthly transactions exceed $2000. I don't need to monitor my accounts daily, because the most anyone can take without triggering an alert is usually $500.
That being said, I check my accounts on a weekly basis, which is a good habit to get into. I get my balance and recent transaction history emailed to me on Monday mornings, again using the banks' own systems.
Account alerts are wonderful tools. Use them!
Re:Only use a credit card (Score:5, Insightful)
Only if you let it. I have had credit cards for all my adult life and never once paid any interest. If you are the type of person who controls their spending, it doesn't have to trap you into spending money you don't have.
Re:Get a new bank (Score:2, Insightful)
This happened to me recently with B of A. I live in FL, and someone used my card in NJ. Bank of America shut my card off right after it happened, sent me an email, text message, and gave me a phone call letting me know they'd detected fraud. When I called them back, they gave me the option to turn the card back on (in case I'd jumped on a plane to NJ) or initiate a fraud investigation.
I think the fraud algorithm they use is pretty good, they found it right away. Fortunately it was only a $4.80 "test" charge. But they prevented any more money from coming out, and got the 4.80 back to me within 48 business hours.
Two weeks ago, almost $3000 was withdrawn from my account via ATMs around the city I live in. I never lost the card, so I figure I must have been skimmed.
I can second BofA's good policy regarding this: the money is already back in my account!
Re:What can be done? Nothing. (Score:3, Insightful)
So...it's more efficient for the central transaction processor (bank) to try and verify the legitimacy of transactions, rather than each individual? Let's break that down.
Let's just take an imaginary small consumer bank, with 10,000 customers in a local community. If we assume that, on average, their customers all have debit cards and use them to the tune of 20 times a week, that brings us right away to 200,000 transactions that the bank has to review and analyze per week. In the course of a month, it's 6,000,000.
So, how can the bank determine fraudulent transactions? Well, they can try and baseline everyone's average buying habits (stores, categories of purchasing), but that could cause false positives as people very often do unusual things. They can try and flag transactions based upon the use of the card in unusual places, but with so much interstate and even international commerce thanks to the Internet, that's not such a sure sign either, now.
Let's not forget that with a small bank, they don't have big and fancy computers with trained analysts to throw at the problem. I would think such small institutions have a staff on the order of a couple of hundred people, at best?
Of course, the big banks certainly have the money to throw at the problem to buy proper computers, software, and hire enough analysts, but the complexity is now far, far worse, as they service millions of customers all over the country (and possibly/probably international). Now we're talking probably in excess of billions of transactions for the same time period, and I think it's safe to say the complexity rockets up at an exponential rate, as you're now dealing with the rich, the poor, and everyone in between, all with their own buying patterns, habits, life changes, etc.
So, it's easier for the banks to be responsible for analyzing EVERYBODY'S transactions, which are complete black boxes to them?
Or, is it easier for us to log into our online account once or twice a week, scan our virtual checkbooks of 20(ish) transactions and say, "Yup, I remember buying all that stuff"...?
Whatever happened to taking a little personal responsibility?
For my part, I've been using Quicken for almost 5 years now to track every single account I have in my name, from mortgage to checking to retirement funds and all the rest. I'd venture to say nothing happens in my accounts without me noticing it in a few days. (It's a nice feeling to have such total understanding of your complete financial situation at any given moment. ;-) Sure, it takes some discipline, but after a while, it becomes habit.
About that comment you linked? Interesting, and he makes a good point about identity theft - but that's not what we're talking about here.
The case of the original poster was simple theft. Yes, the debit card number was lost, but it wasn't his SSN or some other critical piece of Personally Identifiable Information that allowed the thief to then take out a loan in the guy's name and walk off with the money, never to be heard from again and ruining that victim's credit rating in the process while leaving him personally liable for a debt he probably could never cover.
I'm not sure I see what liability for identity theft has to do with the efficiencies of who should be ultimately responsible for monitoring an individual's banking transactions for fraud.
Adult or child? (Score:1, Insightful)
I am an adult and act responsibly.
I have been using credit cards for 20 years and have rarely paid anything but the amount I owe due to my purchases.
The bank is providing you with a credit facility, if one does not learn to use it the cardholder is the only person to blame.
Re:What can be done? Nothing. (Score:5, Insightful)
Once you have made the formal claim for a stop payment it should be resolved in a couple of days, if your bank does not support you in this, it is time to change banks.
This is the most sensible advice I've seen on this thread. When my Commerce Bank debit card details were compromised, and several unauthorized charges started appearing on my bill, I called the number on the back of my debit card to report the losses. The bank immediately reversed all the charges and offered to send me a new card through overnight delivery.
I told them to cancel my compromised card, and to send me a new one. They told me I would be without access to my funds via debit card until I activated the new one, but that it should be here within 24 hours (it was at my house in less than 12 hours). I was responsible for $0 of the unauthorized amount, and life went on normally.
Bottom line: the debit card is only as risky as the bank with which you choose to do business. Get a bank that doesn't suck, and your debit card is a safe financial instrument.
The Credit Card Tax (Score:4, Insightful)
There's another perspective on this, and another reason to do as you do - the credit card tax.
Everyone is up in arms about taxes these days - longer than just that really. People give up their days to protest taxes in various places. But I'll bet that those very same people think nothing of using their credit cards to pay for that day's expenses. Or even if they don't, they don't realize that they're paying for the privilege of others using their credit cards.
The credit cards get a transaction fee - typically somewhere in the 3-4 % range. Years ago, I remember some places used to charge a slight premium for using a credit card. I'm not sure if it was through legislation or other pressure, but that practice stopped, in favor of "same price, cash or credit." What that really means is that EVERYONE is paying for the credit card transaction fee, whether you're paying cash or credit.
What do you call it when there's an extra percentage fee tacked onto your purchases? One word might be "tax", except this one isn't collected by any government, but by private agencies. Nor is it voluntary, like a "free market" thing, because it's tacked onto your purchases, whether you use credit or not.
I have a lot of sympathy for small, local businesses. I try to have a premium I will pay to buy locally, knowing that that money stays in my area, though I can't always do it, and I have my limits. But one thing I try even harder to do is avoid using my credit card with local businesses. They have to set their prices to account for the transaction fees, or else they go out of business. But by paying them in cash or check instead of credit, that piece of transaction fee goes to them instead of to some far-off bank. I can't get the "tax" back for myself, but at least I can give it to a local business.
Re:How about a real solution? (Score:2, Insightful)
And let's stop calling it identity theft. It's really just a case of the bank mistaking person X for person Y, and thus mistakenly giving person Y's money to person X. It's the bank's error, yet the term implies that it was connected with you in some way, that you didn't protect something of yours well enough. Bullshit.
Re:Get a new bank (Score:2, Insightful)