Help me with debit card security
March 11, 2013 8:02 AM   Subscribe

So, my debit card number has now been "compromised" twice in as many months. How am I supposed to approach security with cards nowadays?

The first time I ended up reading an article in the paper about a business that had numbers stolen from their automated cash registers. There was no statement posted in the business itself, which is a whole 'nother WTF. My card had been used there in the time frame, so I called my bank immediately and had it reissued with a new number. No suspect transactions ever appeared on my account.

Then last week my new card mysteriously stopped working, and I then got ANOTHER new card in the mail. I called the bank this morning for an explanation, and all they can tell me is that the card showed up on a "compromised" list and they canceled it. They can't tell me how or where this occured. Again, no weird transactions at the bank.

So after all this, I feel like every ATM or business I swipe at is hacked. What's the best way to deal with this, beyond shrugging my shoulders? Is it better to mainly use a credit card so you can more easily dispute transactions? Should I be paying for everything in cash? I guess I just want to minimize my exposure to this stuff, since it seems on the rise (at least anecdotely) in my area.
posted by selfnoise to Work & Money (19 answers total) 2 users marked this as a favorite
Never, ever, ever use a debit card for anything except cash withdrawals from ATMs you trust, or charges during absolute emergencies. This is what a credit card is for, because a credit card isn't linked directly into your bank account.

Should I be paying for everything in cash?

This will screw you over in the long run. Buying everything with a credit card (again: not debit card) means you have a more-or-less ironclad paper trail for all of your purchases, which is a very necessary thing in this day and age (plus it builds your credit if you're paying your card off every month.)
posted by griphus at 8:10 AM on March 11, 2013 [7 favorites]

It's possible the issue is something else, like the security of your computer.
posted by J. Wilson at 8:11 AM on March 11, 2013

(Also, this sort of stuff happens with credit cards, but if you credit card gets knocked out for a little while, you still have your debit card and access to cash. Not so if your debit card is the one turned off.)
posted by griphus at 8:12 AM on March 11, 2013 [1 favorite]

Listen to griphus. His comment is wise.

There's another reason not to use a debit card - if your bank account is compromised and your bank account is emptied, your recurring payments start bouncing. It turns out that banks don't like it when your mortgage payment or your car payment bounces. Now, you will (probably) get your money back quite promptly, but that doesn't change the fact that your payment bounced.

Get a credit card, and stop worrying if it's compromised since you literally have zero liability. Unfortunately, my credit card seems to get compromised on a yearly basis, but it's of minimal concern to me; I just switch to my "backup" card for a couple days while the new card gets sent to me. Most of the time, the credit card company overnights the new card anyway.

Cash is the worst of all of these forms of payment. It offers you no fraud protection, no float (credit cards allow you about two months to pay off any amount with no interest), no warranty protection, and it can be literally lost.
posted by saeculorum at 8:23 AM on March 11, 2013

So after all this, I feel like every ATM or business I swipe at is hacked. What's the best way to deal with this, beyond shrugging my shoulders? Is it better to mainly use a credit card so you can more easily dispute transactions?

My personal point of view is that fraud happens enough that you should act as if your credit or debit card can be compromised at any time. Credit cards have a lot of advantages over debit cards with fraud protection. The biggest one is that since you don't actually pay immediately, someone can hit you with a $500 fraudulent charge and you can get it charged back before your next payment as long as you are paying attention to your transactions. This has happened to me with credit cards multiple times over the years and in each case either I or the bank caught it (usually the bank these days) and it was always corrected before even showing up officially on a statement. Also, if your physical credit card is stolen you are limited by law to $50 in liability, and if just the number is stolen and you still have the physical card you are legally not liable for any of the charges. Meanwhile with debit cards if you don't report a physically stolen card within 2 days you are liable for up to $500. Overall a credit card is more designed to treat transactions as not being "real" and give you time to verify them, which is all you really need to do to protect yourself from losing any money.
posted by burnmp3s at 8:27 AM on March 11, 2013

Some simple steps:

1) Cover your hand when you tap in your PIN number at an ATM.
2) Always keep your receipts, especially for void or "incomplete" transactions.
3) Check your receipts against your bank statements once a week.
4) Don't use your debit card for high value purchases.

A well known (European) retailer I know of had severe problems with their chip and pin machines a couple of years back. Basically, the hardware on the machines themselves was compromised at delivery. It is rare enough, but does happen. The security breach was not made public but to my knowledge it has not happened since. At least here in the UK, the industry has enacted extremely stringent guidelines on card data handling with punitive fines for companies that do not put the correct processes in.

Also - banks all use sophisticated data mining techniques to identify fraud. Their algorithms are not foolproof and the banks play a constant cat and mouse game of catching new means of fraud and sources of fraud without raising the risk of false positives too high. It is likely that just the act of cancelling a bank card places you in a higher risk bracket that could lead to a false positive.

If you look at UK data, for example, you see fraud going down across the board. Except for fraud on lost and stolen cards. The overall rate of fraud is very low - less than 1% by value and the overwhelming majority of that is card not present fraud.

Also - there are debit cards in the US that come with fraud protection (e.g.). Ask your issuer.
posted by MuffinMan at 8:30 AM on March 11, 2013

Maine's Bureau of Consumer Credit Protection has a "Dealing with a Security Breach" page.

In my state companies that have security breaches must notify both the consumers and the state itself and the equivalent web page has a link to an index of notifications submitted to the state government so that you can check whether it includes any merchants you frequent but I'm not finding that for Maine. They have a consumer alerts page but it only has four updates from the last half-decade.

I refrain from using debit cards too, btw.
posted by XMLicious at 8:30 AM on March 11, 2013

Forget the debit card and just get a plain old ATM card instead, and use that ATM card only at bank ATMs. Pay with cash, credit card, or an anonymous VISA/Amex gift card (whose purchase fees will cost you less than the interest on most credit cards).

From my own experience, I want anonymity and limited liability in a transaction. That means cash. Cash is the ultimate limit of liability against fraud; if it's stolen, yes, you're out the money, but you're out only that sum. And no one can trace the transaction back to you unless you provide your name & address at time of purchase.

I had a credit card stolen once and one of the merchants refused to recognize a charged-back transaction as fraudulent despite several certified mailings I sent them. They started pursuing the debt via collections. (Yep, this is unethical and probably illegal, but good luck trying to nail them on it.) The fraud investigator at the issuing bank stepped up and helped me out; without his help (which he was under no legal obligation to provide) I probably would have had to pay a debt that I didn't incur.
posted by Currer Belfry at 8:41 AM on March 11, 2013

When using your card in public, cover up the number on the card with a thumb or finger. There have been scams with strategically placed small cameras or even cell phone cameras when people are standing behind you in line.
posted by Brandon Blatcher at 8:42 AM on March 11, 2013

Is it possible this was not two incidents, but one? Timeline like this:

1) You read about the business that had numbers stolen from it.
2) You contact the bank.
3) They issue you a new card (I would not think of this as an admission on their part - you can generally call a bank at any time and ask for a new card for most any reason).
4) Some internal investigation at the bank of the business you mentioned completes, and your account is on the list of affected ones.
5) The bank issues new cards to everyone on their 'connected with compromised business' list, including you, again.

In any case, being that you didn't lose any money from your account, I would see all this as a success of your bank's systems at protecting you from fraud, rather than a reason to worry.
posted by Morn at 8:42 AM on March 11, 2013 [5 favorites]

Agreeing with griphus. I only use my debit card at trusted ATMs (ie, ATMs belonging to the bank that issued the card and other nation-wide bank's ATMs in emergencies only) and never swipe it at retailers. I've never had a security issue.
posted by charlemangy at 8:46 AM on March 11, 2013 [1 favorite]

I'll second the above and say only use a debit card to withdraw cash from a trusted ATM, and use the credit card for larger purchases (such as gas, groceries, etc) - as long as you can pay the balance each month. I always use cash for most of my other purchases, especially at mom-n-pop shops, or if I'm buying stuff from a specialty shop that could build an interesting profile of me (booze, smokes, firearms, tentacle porn, etc).

In your case, my guess is that even after you called and got a new card reissued, the bank in question had a policy to just reissue cards to every customer that was compromised, regardless of whether they had a card reissued since the date of the compromise.
posted by antonymous at 8:49 AM on March 11, 2013

A credit card is a small loan from the CC company to you to pay the merchant. You repay the loan at the end of the month; or you dispute the charges (i.e: I didn't make that loan). When you dispute the loan, the CC company fights with the merchant to split the loss. You are liable only upto $50 on a fraudulent charges. You better believe that both the CC company and the merchant are very interested in avoiding fraud (since they are out a of lots of money when fraud occurs). This is why CC company asks you to sign the receipts, has fraud algorithm running on all transactions, and is generally very quick in replacing the card. The merchant too, asks to see your IDs, or enter your secret codes...etc

For all these works, the CC company take 2% of what you spent as profit. Banks see this and they want a cut of that money stream, hence debit card. But there is a crucial difference: the debit card is linked directly to your account, and a transaction is between you and the bank (i.e: you make a withdrawal right there, then pay the merchant with cash). This is why you only need to enter a 4 digit pin, and why the cashier ask: "do you want to withdraw more money?" during the transaction, hoping with extra cash you may spend a bit more. The bank get the 2% wire fee, and everyone is happy. That is, until there is fraud. Fraud charges on a debit card doesn't concern the merchant: a debit card transaction is just like cash (well, maybe less than cash because of that 2%) to the merchant. You can't take back the cash in the till. Fraud on a debit card is between YOU and the bank: you now have to prove that you didn't withdraw and spend that money. And the bank has no interest in helping you. It considers itself neutral, and your problem is with the thief who stole your money. You will also have to do all this litigation with an empty account that the thief has make away with.

In short, CC involves 2 relationships: you with the CC company, and the CC company and the merchant. Thus, you are insulated from the frauds. Just like having an car insurance company to insulate you from the other person in an accident. The CC company has a lot more interest and expertise to combat fraud. A debit card involve only 1 relationship: between you and the bank. It's a lob-sided relationship in a fraud: you fighting the bank. And it's an adversarial relationship: the bank is not helping you. You will have to hire your own attorney to defend your side in a disputed transaction. Hopefully, by understanding the differences, you now can make the right conclusion (which griphus described) to NEVER use your debit card. Debit card is greedy banks playing fast-and-loose security on YOUR money for the measley 2% wire fee. You take ALL THE RISK, and the bank take the money from you (and the merchant).
posted by curiousZ at 9:28 AM on March 11, 2013

gas stations.......always select credit even on debit cards. Better for one to know your zip code, then your debit pin

Their has been a massive upswing in gas station skimming. This is organized crime as well as amateur. They go inside the gas pumps and place a skimmer and then they place a camera to see your pin. In a few days a new card is encoded with your bank info and your pin number and used.
posted by couchdive at 2:06 PM on March 11, 2013

This is really what you guys actually do? How do you keep track of how much money you have if you are running up your expenses on a credit card?
posted by Mars Saxman at 2:36 PM on March 11, 2013

In the second case, what most likely happened is that a bank, merchant, or credit card processor down the line (as in, not just your bank, and not just your card number) got compromised, and as a preemptive measure everyone potentially affected got new cards, even if the compromise didn't actually reveal credit card numbers. This happens with unfortunate frequency (I've gotten a few preemptive card replacements, including one last week as well) and has nothing to do with you or your actions, so there isn't really anything you can do about it other than make sure that you're not totally screwed when it happens. You do this as everyone else has said above--don't use your debit card for anything other than withdrawing money from an ATM. You're not liable for fraudulent activity in either case, but if it's just a charge on your credit card it's easily reversed and you're not out any money, whereas if someone is using your number to spend $400 on dog food halfway across the country (this happened to me) and it comes directly out of your bank account, that $400 disappears immediately and while you will eventually get it back, until then it may be the difference between making rent or not, or eating dinner or not.

(And to answer Mars Saxman's question, you keep track of it the same way you keep track of using a debit card: by knowing how much money you have available and not "running up expenses" beyond that. There are applications for smartphones and computers that can help you track it if you cant or don't want to keep track of it in your head, plus you can log into your bank's website 24/7 to see exactly what you've spent. It's not that difficult.)

Other types of credit card fraud--such as skimming from ATMs and merchants--are also unfortunately inevitable, but you can reduce your risk somewhat by following the excellent advice above about only using trusted ATMs and covering the PIN pad when you enter your number. You should also become familiar with what your usual ATMs look like, and be wary if one suddenly looks different than it did the last time you used it. If it does, ask the bank, and they'll be able to tell you if they recently upgraded their ATMs or check themselves if there's no reason for it to look different.
posted by rhiannonstone at 4:11 PM on March 11, 2013

Maybe I'm misunderstanding the question Mars Saxman but if you need to know how much money you have at any given time you just subtract your credit card balance (which you can find out by phone or online) from your bank account balance. Unless using the credit card alters how much money you spend (it doesn't for me, I'm stingy no matter how much money I have) you're just delaying the point at which you "really" spend the money by between a few days and a month, when the bill comes, and spending the exact same amount. I usually don't bother to keep a running tally in my head of how much money I have unless I'm expecting a really big expense.

So as long as your bank account always contains at least as much money as the largest credit card bill you ever get you just pay off the full bill every month. Apart from an occasion when a severe illness totally screwed up everything in my life I guess I've been fortunate to only have gotten things out of sync and had to carry over a balance a handful of times, which really doesn't cost that much if it's only for a month or two. (Though I have to admit that in past years I've forgotten to pay the bill and been hit with late fees pretty frequently, so that's a down side.)
posted by XMLicious at 4:17 PM on March 11, 2013

Response by poster: Thanks for the advice all. I've discussed this with my SO and it makes sense, although we have a certain amount of distaste for credit cards. For those of you that do this, what kind of card do you use? I'd like to find something that A: has a good website that updates quickly with the latest transactions and B: returns some cash to me.
posted by selfnoise at 6:03 AM on March 12, 2013

How do you keep track of how much money you have if you are running up your expenses on a credit card?

I check my bank and credit card balances in Mint every two days or so (OP, that may be a useful thing for you to do if you do not already, especially if your credit card isn't issued by your bank and requires a different website to check balances.)
posted by griphus at 8:00 AM on March 12, 2013

« Older Pharmacist looking for work outside of the retail...   |   Is Google Maps the best way to do this? Newer »
This thread is closed to new comments.