What Can Be Done About Security of Debit Cards?

JumpDrive writes "I have been the victim of (Visa) debit card theft. I do not know where they stole or got the number, but it was used one day on the other side of the country and the next day it was used in Europe until they cleaned out my account. I had been monitoring my account online and immediately went to the bank and filed a claim. I was told at that time it would be 3 to 5 weeks for them to investigate the claim before they could return my money. Recently I tried to make a purchase with a debit card and was told that they couldn't use the card since it wasn't a Visa or MasterCard check card; this led to a discussion of why I no longer have a Visa or MasterCard check card. Which then led to the question of 'What can be done about it?' Currently I have a separate account for debit usage for my personal safety. But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards (not in small print and maybe required in advertisement of these cards, similar to what is required with pharmaceutical drugs on television) and/or that if a debit or check card is issued a separate account should be required for its use, and users informed of the issues of placing all of their money in the same account that their debit card has access to. What other precautionary measures should be required or taken?"

What can be done? Nothing.

[plover]

The short answer? The banks will do nothing for you today.

The long answer: Nobody will do anything for you tomorrow, either.

Why? Because Visa does two things, only one of which makes money. First, they are in charge of defining financial card security through the PCI council, and they own and operate the secure network VisaNet, which carries authorizations from retailers to banks. Guess which one makes them money?

If Visa were to design and offer a cryptographically secure solution, one based only on smart cards for the customers and Hardware Security Modules (HSMs) at the banks, then I could safely route my charge authorizations over the plain ol' Internet. I wouldn't need to use the charge-per-transaction VisaNet. Visa would stop making money.

So instead of offering a secure solution, Visa and the PCI council say, "Merchants must lock down their systems, protect this data, follow these 12 steps, acknowledge that you are powerless over alcohol (oh wait, wrong 12 steps), and if you don't, we'll loudly blame you for allowing someone to see our non-existent security."

Visa owns the protocols used between merchants and banks. They could strengthen the protocols. They could prescribe encryption. They could require the deployment of chipped banking cards. But they do not, and have not for many, many years, despite a pathetic track record of security.

If you want the banks to be safe with your money, you ironically have to take charge of your own security. If you switch to using the green paper stuff, your losses will be finitely limited to what you carry on your person. If you want a more achievable answer in today's plastic world, DO NOT CARRY DEBIT CARDS. Debit cards do not offer you protection against loss. Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit cards losses are usually covered by the bank, but they are under no legal obligation to do so. For ATM access, most banks will honor your request for an ATM-only card instead of accepting their default ATM/Debit card. Of course, the use of credit cards requires personal discipline to always pay the debt on time, but otherwise you would see little difference.

Re:What can be done? Nothing.

[Master+Moose]

I suggest everyone reading this with a debit card transfer all of their money to my account. I do not have a debit card so it will be free from this sort of attack.

Re:What can be done? Nothing.

[stonewallred]

I hate to say this, but use cash. I have several credit cards, and I use some of them daily. But unless the interest rates are lower than what I can make by not paying them (seldom if ever) they get paid off monthly. I do not have a debit card. I have a paypal account tied to a bank account I use strictly for buying and selling on ebay(lego if you are interested). My bills I pay with check or cash, and sent via mail or delivered by hand (the HVAC/R supply houses, as it credits immediately to my accounts when paying at the store). If I want something off the internet, I get a buddy of mine to order it using his data, not mine. Plus with cash, there is never a question of bouncing a check or overdraft fees or charges. Will probably get modded down for suggesting such an anti-tech idea as using cash, but oh well. Karma is overrated anyway.

Re:What can be done? Nothing.

[halowolf]

I just use a credit card with a low limit for shopping both out in the real world and on the internet and just act smart. I have never had any theft from my card by any unauthorised charges yet. I have had one retailer not supply the goods I purchased (on an authorised charge mind you) because he was a lying scum bag, but I got my money back from that and hopefully my complaints to the regulatory authorities will land him in jail, since he was an insolvent trader.

Re:What can be done? Nothing.

[RenQuanta]

Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit cards losses are usually covered by the bank, but they are under no legal obligation to do so.

(Emphasis mine).

Actually, I don't think the part about the lack of debit card consumer protections is factually accurate. Here's the blurb from The FTC's Facts for Consumers:

ATM or Debit Card Loss or Fraudulent Transfers (EFTA). Your liability under federal law for unauthorized use of your ATM or debit card depends on how quickly you report the loss. If you report an ATM or debit card missing before it's used without your permission, the EFTA says the card issuer cannot hold you responsible for any unauthorized transfers. If unauthorized use occurs before you report it, your liability under federal law depends on how quickly you report the loss.

For example, if you report the loss within two business days after you realize your card is missing, you will not be responsible for more than $50 for unauthorized use. However, if you don't report the loss within two business days after you discover the loss, you could lose up to $500 because of an unauthorized transfer. You also risk unlimited loss if you fail to report an unauthorized transfer within 60 days after your bank statement containing unauthorized use is mailed to you. That means you could lose all the money in your bank account and the unused portion of your line of credit established for overdrafts. However, for unauthorized transfers involving only your debit card number (not the loss of the card), you are liable only for transfers that occur after 60 days following the mailing of your bank statement containing the unauthorized use and before you report the loss.

If unauthorized transfers show up on your bank statement, report them to the card issuer as quickly as possible. Once you've reported the loss of your ATM or debit card, you cannot be held liable for additional unauthorized transfers that occur after that time.

Re:What can be done? Nothing.

[Kitkoan]

They could require the deployment of chipped banking cards.

And this is where most of the problem has been caused. The belief that if we put those RFID chips in our bank cards, they must become safer. The problem is, it's the chip that is the biggest security issue since its RFID it's 'always on' and more then willing to send it's information to whomever asks. The banks and credit card companies have invested millions, if not in the billions, of dollars into the technology and its a flop. A massive, expensive flop. And now they have 2 options. Fess up that it's a failed experiment and have very pissed off investors. Or, censor/intimidate anyone who wishes to publicly expose this as the failure it truly is.

Re:What can be done? Nothing.

[plover]

Sure, a single bank can stand up their own system. But what retailers are going to sign up and connect to them? What retailers want to take on that expense? And if I create John's Credit Network and Bruce creates Bruce's Credit Network, how would we get cooperative protocols? Finally, who is going to finance and pay to create a system that competes with Visa but doesn't actually generate revenue?

And forgetting the difficulties in creating such a system, think about another hard problem, the human element. It's well-demonstrated that ordinary consumers don't care about security. It's not a selling point. Why not? Even if they cared greatly, the $50 liability limit that the consumer protection laws mandate means that they're not at any real risk for fraud if they stick with their current bank. Where is the consumer appeal for "John's Crypto Credit Card, good at more than two retailers citywide, and your money is mathematically safe!" If I can use John's card at two retailers in town, or a Visa at over 6 million locations worldwide, and I'm only risking $50 to go with the Visa, guess which convenient card I'm going to choose?

Re:What can be done? Nothing.

[Gr8Apes]

Naah - no modding down. Everyone here should be smart enough to distrust debit cards immensely.

As for internet buys - use 1 time numbers. My main credit card has them available, although I'll admit it is a pain in the tukas to get to the screen that gives you one, and it's not exactly advertised. (read that as you have to know what you're looking for and what the specific verbage is on the menus, or you won't find it)

Re:What can be done? Nothing.

[RenQuanta]

In this day and age, with online banking so prevalent, checking your account every few days is only prudent. It's not unreasonable for the consumer to have some burden of identifying the loss, since each of us are the best and most efficient judge as to whether or not the transactions on our accounts are in fact ones we performed. Millions of dollars in software development and analyst training have been spent on helping banks to detect fraud, but those systems aren't fail proof.

In the end, there's no substitute for each of us keeping an eye on our own accounts' transactions.

If we don't take responsibility for our own financial affairs, should we really expect the banks to carry the whole burden on our behalf? No matter how good it is, any security measure can (and likely will, sooner or later) be defeated. (and let's not forget good old fashioned social engineering...)

In the end, the best protection against a breach is constant vigilance. (Or, said another way, prevention only goes so far, detection is still requried ;-)

Re:What can be done? Nothing.

[socsoc]

We should control the banks in the US, since we basically own them via bailouts anyway.

Re:What can be done? Nothing.

[Fjandr]

This really is a good answer. Not necessarily the low limit, but credit cards have far more protections than debit cards and are used in an identical manner (well, except for signature vs pin). If it's a credit account with the same bank your checking or savings account is with, it's usually pretty simple to transfer the money from your bank account to pay off the credit account monthly. Doing so incurs no additional cost. If the card is charged maliciously, you still have all the money in your bank account, and once the investigation is complete you don't pay interest on the balance that was on your card. It's a win-win.

If you absolutely have to have a card, there is no additional hardship doing it this way. Even if you have bad credit, you can get a secured card through your bank.

Re:What can be done? Nothing.

[plover]

Did I say RF? No, I said "chipped", although once the security is done correctly RF might not matter as much as you might think.

The correct protocol is for the merchant to tally the merchandise, and present the customer's card with their merchant ID and the transaction amount. The cardholder then has to see and approve that amount by entering a PIN in order to generate an authorization. (The cardholder needs to enter that PIN into a trusted device, which is best met by a smart card with a built-in keyboard and tiny display, or alternately by a trusted keycard device issued by the bank.) The card uses the PIN to generate a one-time approval code, which is forwarded by any means to the bank, along with the card data (account number or whatever), the amount, and the merchant ID. The bank returns an approval code to the merchant, who gives the merchandise to the customer. All this is digitally signed, of course, and the protocols need to be well laid out to avoid potential problems with respect to money laundering, man in the middle attacks, etc.

Note that the customer's account number is only usable for identification. It's only the chip-generated authorization combined with the user entered PIN that carries the value. Something you have plus something you know.

The authorization data is carried by the merchant and delivered by whatever means to the bank. The Internet would work fine. The merchant can see your account number, but they cannot charge you anything other than the value included in your approval. The authorization code is accepted by the bank for one time only use, and they will pay only the merchant ID indicated in the transaction.

Note that in this case, the card is issued by the bank. The certificates and keys are created and injected in the card by the bank. That means it's 100% bank-owned-and-provided hardware from customer to bank and back again. The bank is 100% in charge of security. All you have to do as a customer is not to lose your chipped card AND keep your PIN secret.

An RF based card would make only a minor difference in security. Sure, someone could ping it, but they couldn't get it to emit an authorization token unless they had it in their hands and pushed the tiny buttons. Protections would have to be taken to prevent RF based man-in-the-middle attacks between the merchant and the customer's card, otherwise the merchant might not get paid. But the customer's money is never at risk except when they are entering their PIN, and are staring at the tiny screen that says "PAY WALMART AMT=$34.56".

Re:What can be done? Nothing.

[tibit]

If you use citicards, the URL you're looking for is
here.

Re:What can be done? Nothing.

[archmcd]

I work in bank security, and I just wanted to offer some clarification on your rant:

If you want a more achievable answer in today's plastic world, DO NOT CARRY DEBIT CARDS. Debit cards do not offer you protection against loss.

A debit card can be used in two ways. It can either be used with a PIN in what's commonly called a debit transaction (or at an ATM), or it can be used as a "credit" transaction and processed through the Visa or MasterCard network. There is little to no protection against loss for the former of these transaction types, except keeping your PIN secure. The "credit" style transaction, on the other hand, is protected by a zero liability guarantee (at least Visa cards... not sure about MasterCard). Yes, your bank account may get cleaned out (or depleted up to the daily spending limit of your debit card), and outstanding checks may bounce, and you may have a freeze on your account until it gets resolved. However, this zero liability guarantee means any transactions found to be fraudulent will be reimbursed by your bank. The bank then goes after the merchant that processed the transaction to recoup their own losses. If you have a good bank, they'll also refund your overdraft fees. Debit or ATM transactions, on the other hand, are not covered by the same guarantee, so having your card skimmed and PIN captured is far worse - UNLESS your bank offers a guarantee on these types of transactions as well.

See http://usa.visa.com/personal/cards/debit/visa_check_cards_faq.html

Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit cards losses are usually covered by the bank, but they are under no legal obligation to do so.

Losses due to fraudulent transactions processed through the Visa network are actually covered by the merchant that accepted the transaction, not your bank. Your bank only covers "Debit"-style losses they agree to cover if they offer protection against Debit or ATM transactions, but that's not a standard program.

For ATM access, most banks will honor your request for an ATM-only card instead of accepting their default ATM/Debit card.

An ATM-only card means you will have to use ATMs more frequently, thereby potentially exposing yourself to skimmers, as well as use of your PIN in public. Since there's no zero-liability coverage with most banks for skimmed ATM transactions, you're putting your money at greater risk by doing this. Oh, and by the way, the skimmers have this one figured out too. You no longer have to worry about the shady looking person loitering near the ATM watching you enter your PIN. They install a tiny camera painted to match the fascia of the ATM, and they aim it at the keypad.

Re:What can be done? Nothing.

[Kral_Blbec]

We can't all have a friend buy stuff for us...

Re:What can be done? Nothing.

[Recovery1]

Great idea. But my bank doesn't offer me such a system.

In its place though I have a credit card issued from the bank. It is linked to only one account and I have to transfer money into it before I use it for any transactions so otherwise it is mostly empty. Try to withdraw any more then is in it, the transaction is automatically rejected. Seems to work for me so far with online transactions quite well.

Re:What can be done? Nothing.

[exasperation]

Who said anything about RFID? Debit cards in Canada have a public key encryption chip built-in. They also require physical contact with the reader to work. I suspect that is what the parent was talking about.

Re:What can be done? Nothing.

[Skreems]

Not according to the FTC, as quoted in the very thread to which you're replying...

However, for unauthorized transfers involving only your debit card number (not the loss of the card), you are liable only for transfers that occur after 60 days following the mailing of your bank statement containing the unauthorized use and before you report the loss.

According to them you have up to 60 days to report from the time they mail you the statement containing the fraudulent withdrawal before you start losing your own money.

Re:What can be done? Nothing.

[statusbar]

One thing can be done:

http://www.my-spy.com/

A service which will notify you via email or text message whenever any transaction occurs on your accounts.

--jeffk++

Re:What can be done? Nothing.

[Runaway1956]

GGP is on the mark, when he says "Use cash". But, in today's world, it seems a necessity that we are able to make purchases online. So, I have exactly what Recovery1 has - a plain debit card. I put money on the card, make my purchase, the card is dry, and no one can make any more withdrawals. Doesn't much matter if someone around the world gets my number, they can ONLY steal the money that I have put on the card that day, and if I've already made my purchases, the balance is zero, they can't steal anything at all.

But, their attempts to do so will trigger alarms, and the bank knows that security has been compromised!! In theory, the bank will contact me, and ask about those attempted purchases.

Re:What can be done? Nothing.

[EvanED]

Actually if your debit card has a Visa or Mastercard logo on it, it has the exact same protections on it as a credit card.

Only if it's run as if it were credit and not a PIN transaction.

Re:What can be done? Nothing.

[networkBoy]

you've obviously never dropped your wallet then.
I have. I'd gladly pay $200 cash in exchange for all the time spent straightening out my finances.
I would come out ahead big time (Vs. lost income from normal hourly pay where I work).

I use a debit only card for ATM and a Low limit Visa for internet/day to day purchases ($1K). I have another account that can charge an obscene amount of money, but I try not to use that for anything, and don't carry the card with me as a day to day thing.
Worst case scenario is I lose $400 cash from the ATM (daily limit) before I can notify the bank to freeze my account. The credit card purchases are not my problem beyond $50, and if they push the issue I simply refuse to pay ;)

-nB

Re:What can be done? Nothing.

[rtb61]

One thing to watch out for is being fobbed off by banks. Standard law for credit or debit cards is the onus is upon the seller to prove that you made the purchase not upon you to prove you didn't. If your bank wants to take a few weeks to resolve it immediately complain to your regulatory authority, the bank can take a few weeks to resolve it with the seller, not with you. Once you have made the formal claim for a stop payment it should be resolved in a couple of days, if your bank does not support you in this, it is time to change banks.

The reality the person who used your credit or debit cards details, did not steal from you, the seller with the assistance of the credit or debit card company stole from you, they should be required by law to prove that charge in fact did occur, that they were defrauded and that they attempted to defraud you in error.

The lie being spread by mass media, to suit their advertisers the credit card companies and the merchants is a lie, that the money was stolen from your by the thief that used the card details. Your money was stolen by the merchant who claimed you made the purchase, once you have made the complaint, the police should pursue the merchant who by law should prove they did not just attempt to defraud you, that someone defrauded the merchant has absolutely nothing to do with you and at no time should be considered your problem.

Re:What can be done? Nothing.

[Throtex]

In fact, not only is it a good answer, it's the only correct answer. Credit is better than cash is better than debit. Why? If you have a dispute with a merchant you paid in cash, you need to sort it out with them directly before you can get your money back. If you have a dispute with a merchant and you paid with credit, and you're in good standing with your credit card provider, then you can just have them fight it out for you and reimburse you immediately. No hassle, no worries.

I pay credit for everything I can. Absolutely everything. I have no shame whipping out a credit card for a $3 purchase if the merchant will accept it. Why should I care?

Oh, and of course, all of this requires the very simple discipline of paying off your bills every month, and thereby incurring no fees. As a bonus, you get points/miles/whatever. Sure, you're paying for it because the merchant builds the card fees into the price of whatever you're buying, but by and large paying cash won't get you a better rate these days.

Debit? Never use it. Unfortunately my ATM card HAS to also be a debit card, and there's no way to deactivate its debit usage. It's a shame. There is literally no point, whatsoever, to using a debit card. Unless, I suppose, you lack discipline, and well in that case you've got bigger problems.

Re:What can be done? Nothing.

[Zironic]

Uhmmm, that's not what a chipped card is. This is a chipped card http://en.wikipedia.org/wiki/Smart_card and it's way

Re:What can be done? Nothing.

[AegisFang]

I suggest everyone reading this with a debit card transfer all of their money to my account. I do not have a debit card so it will be free from this sort of attack.

Hello Sir, I currently have over 3000000$(3 million) US dollars in account from my late uncle (Nigerian Royalty). If I could, please, to be put this inheritance in your account for 1 month to avoid Nigerian Tax Liability, I would gladly pay 10 percent to you in 1 month time. Please to send me your account number as offered and PIN. I will deposit funds forthrightly. Thank you God Bless! Kindest regards, Eeaye Eeayeou

Re:What can be done? Nothing.

[xero314]

Hey let's not compare what I proposed in one short little sentence fragment with what Stalin took years to destroy.

Why, because if you provided for all my needs, then I wouldn't need to work.

Then I put your ass on a boat and drop you off in the middle of the pacific with a bologna sandwich and life vest.

Others would see me not working and decide to follow suit.

I imagine most people would rather be productive than have die of exposure.

This trait is called greed and you will never be able to take it out of the equation.

Greed only exists because there is incentive to do so. Remove the incentive and you remove the greed.

And this is where someone goes on about how no one would have the incentive to invent new things, but that's only because we assume the only motivation in monetary gain. While in reality most true inventions happen because the inventor actually wants to use his invention.

Re:What can be done? Nothing.

Read this.

Re:What can be done? Nothing.

[RenQuanta]

So...it's more efficient for the central transaction processor (bank) to try and verify the legitimacy of transactions, rather than each individual? Let's break that down.

Let's just take an imaginary small consumer bank, with 10,000 customers in a local community. If we assume that, on average, their customers all have debit cards and use them to the tune of 20 times a week, that brings us right away to 200,000 transactions that the bank has to review and analyze per week. In the course of a month, it's 6,000,000.

So, how can the bank determine fraudulent transactions? Well, they can try and baseline everyone's average buying habits (stores, categories of purchasing), but that could cause false positives as people very often do unusual things. They can try and flag transactions based upon the use of the card in unusual places, but with so much interstate and even international commerce thanks to the Internet, that's not such a sure sign either, now.

Let's not forget that with a small bank, they don't have big and fancy computers with trained analysts to throw at the problem. I would think such small institutions have a staff on the order of a couple of hundred people, at best?

Of course, the big banks certainly have the money to throw at the problem to buy proper computers, software, and hire enough analysts, but the complexity is now far, far worse, as they service millions of customers all over the country (and possibly/probably international). Now we're talking probably in excess of billions of transactions for the same time period, and I think it's safe to say the complexity rockets up at an exponential rate, as you're now dealing with the rich, the poor, and everyone in between, all with their own buying patterns, habits, life changes, etc.

So, it's easier for the banks to be responsible for analyzing EVERYBODY'S transactions, which are complete black boxes to them?

Or, is it easier for us to log into our online account once or twice a week, scan our virtual checkbooks of 20(ish) transactions and say, "Yup, I remember buying all that stuff"...?

Whatever happened to taking a little personal responsibility?

For my part, I've been using Quicken for almost 5 years now to track every single account I have in my name, from mortgage to checking to retirement funds and all the rest. I'd venture to say nothing happens in my accounts without me noticing it in a few days. (It's a nice feeling to have such total understanding of your complete financial situation at any given moment. ;-) Sure, it takes some discipline, but after a while, it becomes habit.

About that comment you linked? Interesting, and he makes a good point about identity theft - but that's not what we're talking about here.

The case of the original poster was simple theft. Yes, the debit card number was lost, but it wasn't his SSN or some other critical piece of Personally Identifiable Information that allowed the thief to then take out a loan in the guy's name and walk off with the money, never to be heard from again and ruining that victim's credit rating in the process while leaving him personally liable for a debt he probably could never cover.

I'm not sure I see what liability for identity theft has to do with the efficiencies of who should be ultimately responsible for monitoring an individual's banking transactions for fraud.

Re:What can be done? Nothing.

[j0uSt]

I have fell victim to this from a hotel in Rio Grand de Norte in Brazil where when I checked out with my debit card used my pin (covered my hand) and fly back to Rio de Janeiro. By the time I had arrived my account was cleaned out as someone had made a duplicate card and bought shoes, jewelry and even hit the ATM machine and withdrew cash. I showed my airline ticket and the money was returned.

The second time I used my CHIP and PIN card from my UK bank account thinking I was safe. Well guess what the CHIP and PIN is a dog and pony show! I used a UOB ATM machine and someone was able to duplicate my card and use my PIN with a new NON CHIP and PIN card and wipe my account out. Meaning the system doesn't verify if the CHIP is in place it only uses it assuming one is on the card. Once again some fancy new sneakers, jewelry, cash from the ATM and even had a movie at my expense.

I will tell you it took well over a month to get the money back but in each instance the money was returned.

I now rarely use my DEBIT cards for anything and I make damn sure there is no money in the account (second non-linked account) and if I want to make a large transaction I just move the money make the transaction and be done with it. My other option is good ole american express.. I can pull up to a 1000 pounds a day and while it can be expensive as long as you pay promptly its not too bad.

Just my 2 cents!

Re:What can be done? Nothing.

[nacturation]

Interestingly enough, your post highlights a potential risk in the way Slashdot shortens the square bracket preview of long URLs. Example of what I mean

Re:What can be done? Nothing.

[Neoprofin]

I've lost two wallets. 1) Call Wells Fargo, cancel debit card and order replacement. 2) Call Chase, cancel credit card and order replacement.

Re:What can be done? Nothing.

[blindseer]

I suggest everyone reading this with a debit card transfer all of their money to my account. I do not have a debit card so it will be free from this sort of attack.

Sure, I'll do that. Please post your routing number and account number so that I can complete the transaction.

Re:What can be done? Nothing.

[Cimexus]

Hehe I noticed that as a foreigner visiting America.

Obviously I didn't want to use my debit card from my home bank for every transaction since I would incur a currency exchange fee every time. So I generally used cash (and this was mostly in large denominations like 50s and 100s, since thats what they give you when you get your money changed at the airport).

The first thing I noticed was the signs at various shops saying "we don't accept 100s". This was 'new' to me. At home, money is money, and has to be accepted for a payment (it's legal tender after all). I don't think the retailer has a right to refuse you paying with particular denominations (although I suppose they can refuse to trade with you altogether which has the same effect). Having said that, I suppose the reason for this might not be related to counterfeiting at all - it could simply be that they don't like to count out a large amount of change (slows down the line etc).

The second thing I noticed was the weird looks they gave you paying in 100s, or in some cases, even 50s. Wtf...

The third thing I noticed was all the weird little things they did to check for forgeries ... running it between their fingers, the UV light, etc etc. Some places even had little machines to check the bills. At home (Australia FWIW), I've NEVER seen anyone check a bill for authenticity (not even in a cursory fashion) ... hell they barely even glance at it. Probably mostly because Australian bills are considered among the most secure in the world (they are polymer rather than linen/paper, and virtually unforgeable).

I think it's just one of those cultural things though. At home people use $50s and $100s all the time and it's not considered unusual at all. Noone even raises an eyelid. 50s are especially common since Australian ATMs dish out both 50s and 20s (so you can make withdrawals of 20, 40, 50, 70, 80, 90, 100 etc).

Of course it's not as bad as in Europe. Last time I travelled there the currency changer gave me a 500 Euro note. I'm sure dishing out change for that annoyed whoever I ended up giving it to.

Re:What can be done? Nothing.

[nahdude812]

A debit card where you transfer money into that account just before each transaction has a similar effect if your bank doesn't offer one-time cards.

Personally I have a credit union (I know not everyone is eligible to join one). When a similar thing happened to me as happened to OP, my CU refunded the missing funds the same day I filed the police report (over a certain dollar value a police report is required to file a dispute), which also happens to be the day I found out about it. I found out about it because my CU called me about suspicious activity. This was not credit card fraud prevention services (who honestly has no real motivation to really provide much in the way of fraud prevention - they get their cut either way). The transactions had already completed, once they posted to my CU, the CU is who called - specifically Linda, a kind teller who knows my name and can pull up my account even though I only see her a couple of times per year.

In the time the funds were missing, one payment did incur overdraft. My CU's overdraft is nicer than a normal bank's overdraft too - it's a line of credit, and there is no charge for dipping into that LOC, there is just an interest charge for any remaining balance 30 days later (basically if my checking account runs dry, my debit card turns into a normal credit card). Linda told me that it's possible there were other transactions working their way through (even though my card was now canceled, it can take up to 24 hours for some charges to post to the account - particularly if they are foreign in origin), and assured me that any true overdrafts (the sorts which with a charge) which might occur as a result would have their fees reversed.

So like I said, I know not everyone has a credit union as an option. But when your bank is actually watching out for your interests, there are better options out there without even needing to invent something new.

Re:What can be done? Nothing.

[StormReaver]

Once you have made the formal claim for a stop payment it should be resolved in a couple of days, if your bank does not support you in this, it is time to change banks.

This is the most sensible advice I've seen on this thread. When my Commerce Bank debit card details were compromised, and several unauthorized charges started appearing on my bill, I called the number of the back of my debit card to report the losses. The bank immediately reversed all the charges and offered to send me a new card through overnight delivery.

I told them to cancel my compromised card, and to send me a new one. They told me I would be without access to my funds via debit card until I activated the new one, but that it should be here within 24 hours (it was at my house in less than 12 hours). I was responsible for $0 of the unauthorized amount, and life went on normally.

Bottom line: the debit card is only as risky as the bank with which you choose to do business. Get a bank that doesn't suck, and your debit card is a safe financial instrument.

Re:What can be done? Nothing.

[natehoy]

Yes, your bank account may get cleaned out (or depleted up to the daily spending limit of your debit card), and outstanding checks may bounce, and you may have a freeze on your account until it gets resolved. However, this zero liability guarantee means any transactions found to be fraudulent will be reimbursed by your bank. The bank then goes after the merchant that processed the transaction to recoup their own losses. If you have a good bank, they'll also refund your overdraft fees.

Meaning no offense, but why in the hell would this make me want a debit card?

Maybe the bank would give me back my fees and losses, but I've still bounced checks with God-knows-who and caused them all manner of hassle and had them incur fees and lost trust with them. If my bank account gets cleaned out the day before my IRS check hits, do you seriously think they'll just chuckle and say "oopsie, well, we'll clear it again". No. I'm going to spend hours on the phone with everyone I sent a check or made an automated payment to, trying to dig my way out of the hole that used to be my bank account.

I've had an account cleanout happen (account was cleaned out by lawyers suing my parents, and I stupidly left my mother's name on my bank account). My mortgage and car payment checks were in the outgoing mail the same day I received the "summons to trustee" notice, and all my money was gone. It worked out, but I had to take two days off work (lost vacation time) to make all the necessary phone calls, and I still had a black mark on my credit rating for several years afterward, even though none of the bounced checks were determined to be my fault. I worked for a bank service company at the time, and they routinely pulled credit ratings (since I handled account details on a lot of people). I had to spend a couple of hours explaining the whole situation at work, and it's possible I could have lost my job over it. Fortunately I didn't. Net result was an absolute nightmare, and my bank was actually pretty nice and helpful about the whole thing.

I also had my credit card number compromised once (Hannaford breach, and my card was actually used overseas). Visa called me, said that the card had been suspended but that any automated payments I had set up would work for another week to give me time to transition to the new card number, went through the outstanding charges over the phone to verify that they were all valid, apologized for the inconvenience, and I never even saw any of the fraudulent charges at all. I spent 15 minutes on the phone with them, 10 minutes entering the new card on my automated payments, and another 5 minutes cutting up the old card when the new one came in. Impact to my credit rating: none.

"Yes, the debit card can be almost as secure as the credit card if you use it as a credit card, and if your bank is really nice the resulting damage to your account and credit rating can be built back to almost new after a lot of effort!"

Thanks, I'll use a credit card. If it gets used fraudulently, the onus is on the credit card company to help me out, because my money is not gone. A credit card does not have access to my checking account. That's a very important distinction to me.

Re:What can be done? Nothing.

[natehoy]

No. I pay my credit card company with an ACH transaction. I log on to my credit union's web site and authorize transfer of the funds every month. No paper checks, and the only people who have access to that information are my credit union and my credit card company.

And the only account authorized for ACH and checks is one I keep a limited amount of funds in. So even if my checking account was compromised, they could only take what I had deposited in it to cover the bills outstanding against it at the moment.

Plus, even if I did pay them with a check, that's one transaction per month I am taking a risk with. I pay for nearly everything with my credit cards, so I am using them multiple times PER DAY with various and sundry vendors.

I'd rather have my bank account with my real money exposed for one transaction per month than many. And even that is a "front" account with little funds in it.

In other words, I use the technique most people here espouse to make debit cards more secure - keep only a small amount exposed to the card.. except I use that as a SECOND layer of defense, not a primary one.

Credit cards may not be absolutely secure, but in terms of their ability to drain my actual money from my actual accounts, they are as close as we're gonna get.

If someone uses my credit card for fraud, I may have an uncomfortable time with the one creditor (my credit card company), but my cash in my bank/credit union accounts cannot be compromised by that. That means that any other payments I might make are unaffected by the fraud, my checks clear, and all of the people I am honestly paying will get paid.

To me, debit cards represent the worst of all possible worlds. I am exposing my actual bank account in each transaction, I am not receiving any float on my funds, I am not receiving any cashback or awards for my purchases, and the vendor I am doing business with is still paying a transaction fee.

For someone disciplined enough to pay off a credit card every month, I have yet to hear of any benefit to using a debit card. There are lots of disadvantages, and not a single advantage I've ever heard of.

Re:What can be done? Nothing.

[Rastl]

The problem is, counterfiting is likely as easy as Visa/Debit fraud. So when you start paying cash for things, you're made to feel like a bloody criminal - they look at you a few times too often, scan the bills under UV light and yadd yada.

Fight back. Get yourself one of the pens they use to check money (they're legal) and whenever they hand you back money to the same thing to them. It's quite amusing to see their faces when you check the money. Honestly it's not just being a dick - you're on the hook if you get a counterfeit bill and you can't pass it along if you know it's counterfeit. *

* You're also supposed to turn it into Secret Service and then you can claim it on your taxes as a loss. Oo. Regardless you're out the money if someone passes you a dud bill.

Re:What can be done? Nothing.

[djdanlib]

One thing to be aware of... If you're doing an in-store merchandise pickup, they will normally want to see your card when you pick it up - for verification of your identity, and their computer systems generally require them to swipe the card. The programmers of said system were lazy enough to make that the only verification method, and the salespeople can't change it. Not the best way to do it, but it will save you a lot of hassle if you DON'T use a one-time number for these particular online transactions.

Disclaimer: I used to work in a store. These one-time numbers caused us endless headaches and hassles because customers would get downright nasty when we simple and unempowered salespeople would have to jump through all these ridiculous hoops (return, refund, repurchase) to make our system handle them. This would take half an hour or so, while the customer did this to "save time"... so just use your actual card number for in-store pickups, or call the store to confirm merchandise availability, have them hold it for you, and buy it at the store.

tl;dr if you need to verify your identity as the purchaser at a later date, especially with physical evidence, don't use one-time numbers.

Re:What can be done? Nothing.

[Kiaser+Zohsay]

Same thing happens in the US.

http://www.schneier.com/blog/archives/2010/02/another_debit_c.html

Never, never, EVER punch your PIN into a pad that is not attached to an ATM machine that is owned by your financial institution. And even then, pay close attention.

http://www.krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/

Cash is looking better all the time.

Get a credit card

[HeavyD14]

If it gets stolen, it's not your money. Also, you got skimmed.

Re:Get a credit card

Most likely skimmed.

What's your card number and PIN so I can check.

Re:Get a credit card

[Citizen+of+Earth]

Also, you got skimmed.

I saw a news show recently reporting that lots of crooks have been breaking in to stores to steal the hard drives out of the cash registers. Lots of the registers store your debit/credit card information unencrypted and criminals can recover and use tit. One more reason I always use cash for minor purchases.

Re:Get a credit card

[scdeimos]

A lot of the audit rolls in cash registers also record card numbers. And yet business is heard to say, "we only store card numbers in encrypted data marts." My ass.

Re:Get a credit card

[Alarindris]

I work at a gas station part time. We just got a new computer system and I was appalled to see that when we printed off the numbers for the day, the credit/debit card numbers for each transaction are listed with the name on the card and expiration date. Although we do hold on to them for 7 years and then they are sent to the main office for another 8, it seems pretty damn sloppy to me.

Use a credit card, duh

[QuantumG]

How the banks advertise it: "Use your own money to shop online!"
What it actually means: "Expose the cash you need to live on to fraud."

The banks like it because you're putting your money at risk, not theirs.

just use a CREDIT card

[CohibaVancouver]

Step 1: Cut DEBIT "check" card in half
Step 2: Just use a CREDIT card. You're protected. Problem solved.

In Canada you need an ATM PIN to use a debit card linked to a bank account, but the PINs can still be skimmed by compromised payment terminals. I only pay by credit card.

Re:just use a CREDIT card

[ArundelCastle]

Casual debit card fraud in Canada is pretty limited. Credit cards have better protection *after* a complaint has been logged. I've heard co-workers in nearby cubicles spout out all the information on their credit card, and I may already know their home address. Within a half hour I could ship a dozen toilet seats to their house, or go on an iTunes shopping spree for myself, with only a Hotmail and an IP address log to find me. If the whole office shares an external IP, good luck tracing it to the department laptop I borrowed during coffee break. (Note: risk-management is part of my job)

These days convincing credit companies NOT to raise my credit limit is hard. If I want to limit my debit liability, I simply don't put excess cash or overdraft into the accounts linked to my card. No money, no cry.

The newsworthy cases of debit fraud involve compromised card readers or fake fronted ATMs. That is serious effort. To use debit, you have to have a card in hand. If I have your debit card number and your PIN written down, that won't even buy me a pizza. You can't use them over the phone, so a fraudster has to be well equipped by recreating fake cards, or tapping into financial networks. This is why they're adding chips to debit cards now.

For all the millions that Interac reimburses to fraud victims, it's a tiny drop in the bucket for the total amount of transactions every year in Canada. For one, banks can set daily AND transactional withdrawal limits with Interac, just as they can for their ATMs. Hard to steal 5,000 if it takes a week. Why don't we mind? Canada isn't Japan, it's unlikely the average person walking around has over a grand in cash on them. We love debit.

Businesses love debit too. Less fees than Visa in many cases. Same-as-cash, so grocery stores will gladly give you cash back. No issues with charge backs. There are much fewer Canada-wide banks, so Interac-by-email is a viable option. Think Paypal but with actual bank protections for the buyer.

I'm really not sure who decided that giving Visa the ability to create debit cards was a good idea.

Get a new bank

[KalvinB]

Shop around for a bank that actually values you as a customer. I believe Bank of America will give you your money back within 24 hours. I'm not a fan of theirs but at least they do that for you. I personally use US Bank.

Re:Get a new bank

[Sean5033]

This happened to me recently with B of A. I live in FL, and someone used my card in NJ. Bank of America shut my card off right after it happened, sent me an email, text message, and gave me a phone call letting me know they'd detected fraud. When I called them back, they gave me the option to turn the card back on (in case I'd jumped on a plane to NJ) or initiate a fraud investigation.

I think the fraud algorithm they use is pretty good, they found it right away. Fortunately it was only a $4.80 "test" charge. But they prevented any more money from coming out, and got the 4.80 back to me within 48 business hours.

Re:Get a new bank

[Matheus]

I've had to have transactions purged from my card a number of times... once stolen... a few times just stupid hotels double billing me 4-figure hotel bills.. and others.

Wells Fargo got me my money back immediately on claim (with restrictions) and within a week for real (once they had investigated).

No bank is perfect but for a large one I'm generally happy with the wagon.. of course don't get me started on over-draft fees :)

Re:Get a new bank

This happened to me recently with B of A. I live in FL, and someone used my card in NJ. Bank of America shut my card off right after it happened, sent me an email, text message, and gave me a phone call letting me know they'd detected fraud. When I called them back, they gave me the option to turn the card back on (in case I'd jumped on a plane to NJ) or initiate a fraud investigation.

I think the fraud algorithm they use is pretty good, they found it right away. Fortunately it was only a $4.80 "test" charge. But they prevented any more money from coming out, and got the 4.80 back to me within 48 business hours.

Two weeks ago, almost $3000 was withdrawn from my account via ATMs around the city I live in. I never lost the card, so I figure I must have been skimmed.

I can second BofA's good policy regarding this: the money is already back in my account!

Re:Get a new bank

[laughingskeptic]

We had a Bank of America business account. We live in Austin, TX and someone in intercepted one of our two cards in transit, probably at the point of shipping and sent it to London where it was used to clean out our account. Yes BoA put all of the money back immediately, but apparently they do not have a lock-out policy on PIN tries. There were thousands of PIN tries executed by some computer in London before they got the PIN and then cleaned out the account. When I called, the person looking at the logs simply said "Oh boy, someone was sure trying hard to remember the PIN, oh ..." and then they apologized and promised the return of the money. I was absolutely shocked that there was a way to access the PIN validation system that allowed this.

How about a real solution?

[John+Whitley]

But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards

NO, NO, NO. No stupid, pointless warnings. Make the financial institutions solely liable for all identity theft. They're the only ones with the ability to stop it, and they should be the ones that bear the full economic incentive for managing fraud.

But I didn't say it first, Bruce Schneier did:

The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names.
[...]
It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims.

The whole article is +5 Insightful, well worth reading.

Re:How about a real solution?

[noidentity]

Make the financial institutions solely liable for all identity theft. They're the only ones with the ability to stop it, and they should be the ones that bear the full economic incentive for managing fraud.

And let's stop calling it identity theft. It's really just a case of the bank mistaking person X for person Y, and thus mistakenly giving person Y's money to person X. It's the bank's error, yet the term implies that it was connected with you in some way, that you didn't protect something of yours well enough. Bullshit.

I had a better experience

[roc97007]

One day I found that my bank account had been cleaned out. There were a massive number of $50 charges from one vendor -- essentially they kept charging $50 until they got a decline. The charges had occurred after 11:00 PM and before 5:00 AM local time, which made me think that time zones were involved.

I called the bank immediately and reported it, had the card frozen but by that time there was only about $20 left.

I did some research from the transaction information -- the company had an address in California that appeared to be fake, an 800 number that was disconnected, and the domain was owned by a different company in Korea.

I printed all this out, took it to the credit union. They had me fill out some forms, and gave me access to some money (I was pretty much broke) while they worked on it.

Within 3 days all my money was returned to me. It's possible that the credit union fronted me the cash while they worked with the authorities -- they never said. But as far as I was concerned, the event was over in less than a week.

Maybe it makes a difference which bank you use. Or maybe it's the difference between a bank and a credit union. I dunno.

I never did figure out how they got my numbers.

Does your bank not call your or text you ?

[parallel_prankster]

I have set up my acct such that if there is an access made more than a certain amount of money and/or out of my local area, they call me/text me to call them and verify the transaction. I am not a frequent traveller, so this works out for me. Look up if such a facility is available with your bank too. Another thing, see if they offer some sort of fraud protection mechanism. Some banks do that. That takes off some of the time-delay/processing worries too. If you choose to use your debit card and not credit card mostly, also, move your money from checking to some savings account and keep very little ( subjective) money in checking. That may help too.

Only use a credit card

[cortesoft]

Debit cards are functionally useless, since they give you nothing that using credit card which you pay off every month wouldn't while costing you quite a bit.

If you have a credit card you pay off every month, you get an interest free loan for a month. You earn points for rewards. You get protection against fraud. You often get warranties on things you wouldn't normally get.

You get NONE of this with a debit card. The only reason a debit card is preferable is if you don't have the self control to spend an amount you can pay off every month, or you have such a bad credit rating you can't get a credit card with a grace period.

Re:Only use a credit card

[symbolic]

Actually, I view debit cards as just the opposite - for people who aren't inclined to spend money they don't have. Credit cards are a trap that get people into a lot of trouble, quite frequently.

Re:Only use a credit card

[cortesoft]

Only if you let it. I have had credit cards for all my adult life and never once paid any interest. If you are the type of person who controls their spending, it doesn't have to trap you into spending money you don't have.

Re:Only use a credit card

[KPexEA]

According to my credit card merchant agreement (for Visa and Mastercard) I am not allowed to offer a discount for cash or other forms of payment, I am also not allowed to charge a surcharge for their cards and I am also not allowed to ask for any extra Identification. I am surprised that Visa and MC are not enforcing that in all countries (we are in Canada).

What to do? Tell you're bank they're full of it

[oasisbob]

IAABG (I am a banking geek).

The rules for provisional credit on debit cards is very well established. They fall under Regulation E, section 205.11. The bank has ten days to get you a provisional refund, and can take up to 45 days in certain circumstances to complete their investigation and finalize the credit.

Make sure you get them a notice in writing! Once you do, they have ten days to credit you, and many banks will do it much faster. If the bank drags their feet, just tell them "I want provisional credit within the mandated timeline per Regualtion E".

Here's more on this topic:
http://www.bankersonline.com/technology/guru2008/gurus_tech022508c.html
http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
http://finsolinc.com/Reg%20E%20EFTA%20Error%20Resolution%20Flowchart.pdf

The protection for misuse of debit cards is strong, you just need to know what to do. If your bank isn't responsive, Move Your Money to a smaller institution that cares.

Re:What to do? Tell you're bank they're full of it

I work in banking, and this is absolutely correct. In fact, the Reg-E clock starts ticking even before a written notice. It begins as soon as you report, in any capacity, unauthorized charges.

Re:What to do? Tell you're bank they're full of it

Absolutely correct; however, without a paper trail, the bank can just claim they weren't notified.

Protection

[arizwebfoot]

I have a separate account with debit card that stays zero. When I know I'm going to pay a bill online or use for some other purchase, I move just however much I need into that account to cover the purchases or debits. In this way, if some one gets ahold of the number, there isn't a lot they can do with it.

Also I don't have overdraft protection on that specific account so that again, if someone gets my number(s), there isn't much they can do about it. Sure I may get nailed for a hundred bucks - if they catch it at the right time - otherwise, they just don't get my money.

Re:Protection

[olsmeister]

The point is, you shouldn't have to do all that.

Only a matter of time

[KevMar]

It is no longer a question of if your card will get stolen, but when will it get stolen.

I keep my daily limit low on my debit card. Around $250-$300 is my daily max. When I want to purchase something over that I call the number on the back of the card and have it raised. After the purchase, I call back and lower it again. The few times I need to make that call are worth it.

Once I was calling back to get it lowered and the lady was so confused as to why anyone would want such a low daily limit. Once I explained it to her, she thought it was a good idea.

I use this card every day. So if someone runs it to its max, I will find out about at lunch time. If I am out that 300, its a manageable loss.

What if you could get back every dollar that they take from your account from the bank (or some type of insurance)? Lets just say you have a high daily limit and they are able clean out your account in 1-4 days. How long can you survive while you wait to get it back. Thats the scariest thing about it comming directly out of your account. It is money you are missing while you try to get it recovered. When it is on a normal credit card, you can still make your house payment. There is no way they could get that back to you over night. It would take days or months while they investigate.

The most common theft of credit card numbers are from family members or someone you know. When charges are local to you, the investigations require more time and take more work.

Network effects

[sjbe]

On the flip side of that argument, someone stands to make a lot of money by entering the market and challenging Visa with the selling point of increased security.

Theoretically true but it would take someone with VERY deep pockets. Visa and the other large credit card vendors have a the very powerful asset of network effects on their side. Virtually every merchant takes Visa and Mastercard. Somewhat fewer take Discover and Amex. Very few merchants have the equipment to handle more secure cards. This means that even though there are safer cards available, there is no network to handle them and it would cost a sizable fortune to get enough merchants to carry them. From the consumer's point of view there is little incentive to carry a card that is not widely accepted especially if they are protected against loss anyway. Visa can simply promise to cover any losses which makes it uneconomical for someone to build a more secure network. In other words, ain't gonna happen.

Only way I can see a secure card network being installed in the US is if it is mandated by Congress. I've seen some efforts by Amex and some others but unless somehow we can convince Congress to get involved (unlikely in my opinion) I just don't see it happening any time soon.

Re:Wow...

[snowraver1]

Want to know why you can't get a credit card? Because you don't have a bank. Seriously, stop using those ghetto check cashing shops and get a bank account. Wasn't it embarrassing to tell you employer that your bank is "ACE Check Cashing"?

Banks don't want security

[straponego]

They encourage the use of signature cards instead of PIN cards, even though PIN cards cost them much less to process. That's because they can add their cut on top of that price, and pass the cost on to you.

Signature debt card fraud is about 15 times as high as PIN debt fraud. When was the last time somebody checked your signature on a card?

So, it's more wasteful, and enables vastly more fraud, but the banks love it. But I guess that makes sense; bankers are, after all, parasites and crooks under the protection of law.

Let me give another example of how they don't care about real security. USbank's online banking service now interrupts the standard username/password entry process by asking you a "security question." These questions are things that you could find about most people in a couple of minutes, by looking at Facebook/google, knowing them casually, guessing, etc etc. The answers are shown in the clear. So where, on every other site you've ever used (including, until recently, this one) you'd expect to be typing your password into an obscured field (********), you instead are typing into a box that anybody near you can read. Awesome. And in exchange, the security you get is... a trivial question, and a picture from a handful of pictures you're allowed to set as your "security image". Which anybody within 50 feet can see.

[Reviews comment in case caffeine has led to unfortunate or controversial comments. Nope, looks good!]

This is EXACTLY why I don't carry one

[sirwired]

This is EXACTLY why I refuse to carry a debit card. With one swipe, your account is empty and your mortgage bouncing.

With a credit card, you argue with the bank about THEIR money.

With a debit card, you argue with the bank about YOUR money.

Guess which sort of inquiry receives more attention?

SirWired

Not trying to be mean...

[billsayswow]

But this feels a bit much like an overreaction. I do feel bad for you, but... This is like saying I'm going to buy a car, and the window sticker says that, since I run the risk of, even if I roll up the windows and use the locks, that my vehicle could be stolen. It then says that I should not keep anything of any noteworthy value in the car, that all CDs I have inside should be a second copy purchased for my car, and that I should inject quick-set cement in the keyholes and take out the battery when I park it. Or... well, there are plenty of metaphors for it. The truth is, even with some of the most clever ideas in the world, bad things happen, one way or another. And most people are willing to run the risk of not having certain precautions in place in order to enjoy the convenience of not having those bogging things down. Having a separate account just for your debit card would be one of those obtrusive precautions, and still puts you in a lame spot if you encounter an emergency expense.

Re:It was a horrible idea then AND now

[oasisbob]

I have been telling people for YEARS how unwise it is to have or use a "debit" card with a Visa/MC logo on it. My bank kept INSISTING that I use one, and I would have to send it back and tell them to please send me a regular debit/ATM card. Many of the same people that thought I was "paranoid" and "obsessive" or just plain strange don't think so anymore.

You are paranoid. And ignorant. As long as you report the theft to your financial institution as soon as you learn about it, there are strong protections in place. It's simply not true that it's up to YOU to track down your money. It's up to your financial institution. They are required by law to credit you in the case of errors or unauthorized purchases, and are even required to issue a provisional credit in many cases before the investigation is complete.

A Visa Debit card carries the same protections as a Visa Credit card for signature based-transactions. PIN based transactions are still covered by Regulation E, which protects the consumer.

And there's no such thing as a perfectly good ATM card: with a skimmer, a fraudster can clone your ATM card and have your PIN. Fraudulent PIN based transactions are MUCH harder to refute. People call up all the time and say, "I have no idea how that person got my PIN number, I've never given it to ANYONE!" We (my bank) pull the ATM video, and sure enough it's their son/daughter. The consumer sheepishly admits, "Oh, well, I just told them my PIN once, months ago..." Given the choice between turning the video over to the police or rescinding the claim of unauthorized use, many people will choose the latter.

We've lost sight of something important here...

[JonathanX]

The whole point of a bank (at least originally) was to keep money safe by making it difficult to access. Through the years we have demanded that banks make it easier and more convenient to access our money, and now we are paying the price. Security and convenience are inversely proportional to one another. It is a mystery to me why we, as a civilization can't seem to grasp this basic concept.

Doesn't happen like that in AU

[double07]

Banks must roll differently stateside, here in Australia my visa debit card has been compromised twice. Both times I was contacted by the bank (different banks in each case) before I even knew what was going on. They had a new card and number out to me in 3 days and the dodgy charges were refunded by the time I logged on to my internet banking to check.

Another time I was on my honeymoon and the resort we were staying at put a rather large hold of funds on my visa debit card. My bank rang me and said they had a large charge on my card and asked if it was ok.

Impressive all round.

Account Alerts

[TheMeuge]

All of my accounts will alert me by text and/or email of any transactions exceeding $500, or if the monthly transactions exceed $2000. I don't need to monitor my accounts daily, because the most anyone can take without triggering an alert is usually $500.

That being said, I check my accounts on a weekly basis, which is a good habit to get into. I get my balance and recent transaction history emailed to me on monday mornings, again using the banks' own systems.

Account alerts are wonderful tools. Use them!

Interesting, cos a bank account isn't your money

[Colin+Smith]

Legally.

In most countries a bank account is legally a loan to the bank. Legally it isn't a safety deposit box where they store your money for you.

This means the money is theirs to do with as they please and they are graciously allowing you to use their credit instead, with the attached terms and conditions.
 

Regulation E Dispute

[sysgeek01]

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=635f26c4af3e2fe4327fd25ef4cb5638&tpl=/ecfrbrowse/Title12/12cfr205_main_02.tpl

The bank HAS to refund your money.....

[JoeBanker]

I work IT in a community bank. I work very closely with our Operations and Fraud department. Here is what I can tell you about VISA debit card fraud. If you are a consumer, you are totally protected IF you report your debit card being lost, stolen, or compromised within 3 days that you became aware of it being lost, stolen, or compromised. The bank will also have a hard time proving when you found out you had a problem with your card. The bank HAS to give you your money back. VISA and Washington D.C. make all of these rules. The little known secret is that banks take huge losses on debit card fraud because the regulation coming from Washington D.C. totally protects the consumer. Most of the time in a fraud case, the bank isn't able to recover the money from the merchant and they have to refund the money to the consumer. Therefore, the banks lose money on VISA debit card fraud. As consumers, you really have nothing to worry about when it comes to VISA debit card fraud. You are totally covered. If you have a VISA business debit card though, you are not covered by the regulation and you are subject to taking losses in a fraud case. If you are a business owner, you better be REALLY CAREFUL when it comes to who has business debit cards tied to your accounts. In your case when the bank said 3 - 5 weeks to return your money, you should change banks. Go to a good community bank or credit union in your area. Somewhere that will recognize you as a person and not a number. Stay away from the large nationwide banks and regional banks. Especially the ones that are having loan trouble. They are trying to stay afloat by sticking all of their good customers with lots of account fees. I use my VISA debit card everywhere and never worry about fraud. You should do the same. I do suggest that you be careful using it on the Internet. As a computer security professional, I do recommend that you practice good computer security.... AV, Web Filtering, OpenDNS, Patching, etc....

Verbal checks

[bjs555]

I'm wondering what the risks are in using verbal checks (paperless ACH transfers). I pay my monthly electricity bill that way since my power company adds a "convenience charge" for using a credit card. As far as I know, the only thing needed for a verbal check is the account number and bank routing number. What's to stop anyone who knows the account number from issuing a verbal check to themself? The routing number for any bank is available online or by calling the bank. If I dispute a verbal check is the bank required to reverse the charge?

Who would use a debit card off primary checking?

[bwave]

This is what an American Express card is for, you use it for your daily purchases, and you pay it off at the end of the month, no interest or fees. (other than annual fee). You get up to 20 days of float on your money also if you were to keep a money market account that you write just your mortgage payment out of etc, and use your Amex to pay everything else. If place doesn't accept Amex, then I'd recommend Paypal's Mastercard debit card, you transfer money into it, so you're never going to overdraft it, and their fraud dept is really good, and they are prompt on their security investigations. Plus again, it pays you interest on any balance, and cash back on (credit) purchases. For my business I made my merchant account (credit card processing) account a totally seperate account than my primary checking, I siphon money off every morning to the business account. But, that way if someone does a chargeback for a a large purchase and they put an investigatory hold on my account, I don't have vendor, payroll, mortgage checks bouncing... then again, I don't anyway, because I deal with a local regional bank (only 10 branches) that calls me anytime there is any problem, and gives me a few hours to make it right. This is why you don't deal with the bank of america's of the world. With a small bank all money deposited (including checks for anywhere) are available for withdrawl immediately, any overdrafts are recorded at night, and you have until 11am the next morning to make them good without paying any sort of fee, should you overdraft, they will go ahead and pay the item, and nearly all the time refund your overdraft fee if you talk to them. This is one way to get small loans, as they will let you overdraft your account and pay it back a couple days later for just a $30 fee... yes $30 might be alot on a $2500 loan but comes in handy in an emergency. This is why you get off your lazy a$$ and go to the bank and make deposits, INSIDE the branch, not the drive through. You get to know your bankers, and they get to know you. My bank offers free remote deposit capture, including they will give you all the hardware, but I still go into the bank about 4 times a week, just to make myself known.

a nice low tech fix

[smagdali]

My South African bank has a nice, highly effective, easy to implement, widely available, cheap, and easily solution that doesn't eliminate fraud, but certainly minimises its effects. Whenever I use my (VISA) debit card, I get an SMS with the date, time, amount and location. I, maybe, in a week, make 20 card transactions, so the cost is 50c/week max to the bank buying in bulk. If I see a transaction I don't recognise, I phone the bank. compared to all the mostly wasted investment in PCI (including all the requirements that weaken rather than strengthen your website's security), the phishing friendly bullshit of Verified by VISA etc, it works like a dream.

BofAmerica

[jDeepbeep]

For Bank of America customers, this service is available as well.

The Credit Card Tax

[dpilot]

There's another perspective on this, and another reason to do as you do - the credit card tax.

Everyone is up in arms about taxes these days - longer than just that really. People give up their days to protest taxes in various places. But I'll be that those very same people think nothing of using their credit cards to pay for that day's expenses. Or even if they don't, they don't realize that they're paying for the privilege of others using their credit cards.

The credit cards get a transaction fee - typically somewhere in the 3-4 % range. Years ago, I remember some places used to charge a slight premium for using a credit card. I'm not sure if it was through legislation or other pressure, but that practice stopped, in favor of "same price, cash or credit." What that really means is that EVERYONE is paying for the credit card transaction fee, whether you're paying cash or credit.

What do you call it when there's an extra percentage fee tacked onto your purchases? One word might be "tax", except this one isn't collected by any government, but by private agencies. Nor is it voluntary, like a "free market" thing, because it's tacked onto your purchases, whether you use credit or not.

I have a lot of sympathy for small, local businesses. I try to have a premium I will pay to buy locally, knowing that that money stays in my area, though I can't always do it, and I have my limits. But one thing I try even harder to do is avoid using my credit card with local businesses. They have to set their prices to account for the transaction fees, or else they go out of business. But by paying them in cash or check instead of credit, that piece of transaction fee goes to them instead of to some far-off bank. I can't get the "tax" back for myself, but at least I can give it to a local business.