Slashdot Mirror


What Can Be Done About Security of Debit Cards?

JumpDrive writes "I have been the victim of (Visa) debit card theft. I do not know where they stole or got the number, but it was used one day on the other side of the country and the next day it was used in Europe until they cleaned out my account. I had been monitoring my account online and immediately went to the bank and filed a claim. I was told at that time it would be 3 to 5 weeks for them to investigate the claim before they could return my money. Recently I tried to make a purchase with a debit card and was told that they couldn't use the card since it wasn't a Visa or MasterCard check card; this led to a discussion of why I no longer have a Visa or MasterCard check card, which then led to the question of 'What can be done about it?' Currently I have a separate account for debit usage for my personal safety. But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards (not in small print, and maybe required in advertisements of these cards, similar to what is required with pharmaceutical drugs on television) and/or that if a debit or check card is issued, a separate account should be required for its use, and users informed of the issues of placing all of their money in the same account that their debit card has access to. What other precautionary measures should be required or taken?"

28 of 511 comments

  1. What can be done? Nothing. by plover · · Score: 5, Informative

    The short answer? The banks will do nothing for you today.

    The long answer: Nobody will do anything for you tomorrow, either.

    Why? Because Visa does two things, only one of which makes money. First, they are in charge of defining financial card security through the PCI council, and they own and operate the secure network VisaNet, which carries authorizations from retailers to banks. Guess which one makes them money?

    If Visa were to design and offer a cryptographically secure solution, one based only on smart cards for the customers and Hardware Security Modules (HSMs) at the banks, then I could safely route my charge authorizations over the plain ol' Internet. I wouldn't need to use the charge-per-transaction VisaNet. Visa would stop making money.

    So instead of offering a secure solution, Visa and the PCI council say, "Merchants must lock down their systems, protect this data, follow these 12 steps, acknowledge that you are powerless over alcohol (oh wait, wrong 12 steps), and if you don't, we'll loudly blame you for allowing someone to see our non-existent security."

    Visa owns the protocols used between merchants and banks. They could strengthen the protocols. They could prescribe encryption. They could require the deployment of chipped banking cards. But they do not, and have not for many, many years, despite a pathetic track record of security.

    If you want the banks to be safe with your money, you ironically have to take charge of your own security. If you switch to using the green paper stuff, your losses will be finitely limited to what you carry on your person. If you want a more achievable answer in today's plastic world, DO NOT CARRY DEBIT CARDS. Debit cards do not offer you protection against loss. Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit card losses are usually covered by the bank, but they are under no legal obligation to do so. For ATM access, most banks will honor your request for an ATM-only card instead of accepting their default ATM/Debit card. Of course, the use of credit cards requires personal discipline to always pay the debt on time, but otherwise you would see little difference.

    --
    John
    1. Re:What can be done? Nothing. by Master Moose · · Score: 4, Funny

      I suggest everyone reading this with a debit card transfer all of their money to my account. I do not have a debit card so it will be free from this sort of attack.

      --
      . . .gone when the morning comes
    2. Re:What can be done? Nothing. by stonewallred · · Score: 4, Insightful

      I hate to say this, but use cash. I have several credit cards, and I use some of them daily. But unless the interest rates are lower than what I can make by not paying them (seldom if ever), they get paid off monthly. I do not have a debit card. I have a PayPal account tied to a bank account I use strictly for buying and selling on eBay (Lego, if you are interested). My bills I pay with check or cash, sent via mail or delivered by hand (the HVAC/R supply houses, as it credits immediately to my accounts when paying at the store). If I want something off the internet, I get a buddy of mine to order it using his data, not mine. Plus with cash, there is never a question of bouncing a check or overdraft fees or charges. Will probably get modded down for suggesting such an anti-tech idea as using cash, but oh well. Karma is overrated anyway.

    3. Re:What can be done? Nothing. by RenQuanta · · Score: 5, Informative

      Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit card losses are usually covered by the bank, but they are under no legal obligation to do so.

      (Emphasis mine).

      Actually, I don't think the part about the lack of debit card consumer protections is factually accurate. Here's the blurb from the FTC's Facts for Consumers:

      ATM or Debit Card Loss or Fraudulent Transfers (EFTA). Your liability under federal law for unauthorized use of your ATM or debit card depends on how quickly you report the loss. If you report an ATM or debit card missing before it's used without your permission, the EFTA says the card issuer cannot hold you responsible for any unauthorized transfers. If unauthorized use occurs before you report it, your liability under federal law depends on how quickly you report the loss.

      For example, if you report the loss within two business days after you realize your card is missing, you will not be responsible for more than $50 for unauthorized use. However, if you don't report the loss within two business days after you discover the loss, you could lose up to $500 because of an unauthorized transfer. You also risk unlimited loss if you fail to report an unauthorized transfer within 60 days after your bank statement containing unauthorized use is mailed to you. That means you could lose all the money in your bank account and the unused portion of your line of credit established for overdrafts. However, for unauthorized transfers involving only your debit card number (not the loss of the card), you are liable only for transfers that occur after 60 days following the mailing of your bank statement containing the unauthorized use and before you report the loss.

      If unauthorized transfers show up on your bank statement, report them to the card issuer as quickly as possible. Once you've reported the loss of your ATM or debit card, you cannot be held liable for additional unauthorized transfers that occur after that time.

    4. Re:What can be done? Nothing. by Gr8Apes · · Score: 5, Informative

      Naah - no modding down. Everyone here should be smart enough to distrust debit cards immensely.

      As for internet buys - use one-time numbers. My main credit card has them available, although I'll admit it is a pain in the tukas to get to the screen that gives you one, and it's not exactly advertised. (Read that as: you have to know what you're looking for and what the specific verbiage is on the menus, or you won't find it.)

      --
      The cesspool just got a check and balance.
    5. Re:What can be done? Nothing. by RenQuanta · · Score: 4, Insightful

      In this day and age, with online banking so prevalent, checking your account every few days is only prudent. It's not unreasonable for the consumer to have some burden of identifying the loss, since each of us is the best and most efficient judge as to whether or not the transactions on our accounts are in fact ones we performed. Millions of dollars in software development and analyst training have been spent on helping banks to detect fraud, but those systems aren't fail-proof.

      In the end, there's no substitute for each of us keeping an eye on our own accounts' transactions.

      If we don't take responsibility for our own financial affairs, should we really expect the banks to carry the whole burden on our behalf? No matter how good it is, any security measure can (and likely will, sooner or later) be defeated. (and let's not forget good old fashioned social engineering...)

      In the end, the best protection against a breach is constant vigilance. (Or, said another way, prevention only goes so far; detection is still required ;-)

    6. Re:What can be done? Nothing. by plover · · Score: 4, Insightful

      Did I say RF? No, I said "chipped", although once the security is done correctly RF might not matter as much as you might think.

      The correct protocol is for the merchant to tally the merchandise, and present the customer's card with their merchant ID and the transaction amount. The cardholder then has to see and approve that amount by entering a PIN in order to generate an authorization. (The cardholder needs to enter that PIN into a trusted device, which is best met by a smart card with a built-in keyboard and tiny display, or alternately by a trusted keycard device issued by the bank.) The card uses the PIN to generate a one-time approval code, which is forwarded by any means to the bank, along with the card data (account number or whatever), the amount, and the merchant ID. The bank returns an approval code to the merchant, who gives the merchandise to the customer. All this is digitally signed, of course, and the protocols need to be well laid out to avoid potential problems with respect to money laundering, man-in-the-middle attacks, etc.

      Note that the customer's account number is only usable for identification. It's only the chip-generated authorization combined with the user-entered PIN that carries the value. Something you have plus something you know.

      The authorization data is carried by the merchant and delivered by whatever means to the bank. The Internet would work fine. The merchant can see your account number, but they cannot charge you anything other than the value included in your approval. The authorization code is accepted by the bank for one time only use, and they will pay only the merchant ID indicated in the transaction.

      Note that in this case, the card is issued by the bank. The certificates and keys are created and injected in the card by the bank. That means it's 100% bank-owned-and-provided hardware from customer to bank and back again. The bank is 100% in charge of security. All you have to do as a customer is not to lose your chipped card AND keep your PIN secret.

      An RF-based card would make only a minor difference in security. Sure, someone could ping it, but they couldn't get it to emit an authorization token unless they had it in their hands and pushed the tiny buttons. Protections would have to be taken to prevent RF-based man-in-the-middle attacks between the merchant and the customer's card, otherwise the merchant might not get paid. But the customer's money is never at risk except when they are entering their PIN, and are staring at the tiny screen that says "PAY WALMART AMT=$34.56".

      --
      John
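The merchant-and-amount-bound, one-time approval described in the comment above, as an added toy simulation (not Visa's, EMV's or any bank's code): the bank injects a card key at issuance, the card derives a PIN-bound key and MACs the account, merchant ID, amount and a nonce, and the bank honours each code once and only for the merchant named in it. The key derivation, nonce and HMAC-SHA256 construction are my assumptions, not anything the comment specifies.

```python
import hashlib
import hmac
import secrets


def _canonical(account, merchant_id, amount_cents, nonce):
    # Exactly these fields, in this order, are what the approval code commits to.
    return f"{account}|{merchant_id}|{amount_cents}|{nonce}".encode()


class Card:
    """Bank-issued chip: holds a key injected at issuance, never the PIN."""

    def __init__(self, account, card_key):
        self.account = account
        self._card_key = card_key

    def approve(self, merchant_id, amount_cents, pin):
        # In the described design the card's own display shows merchant and amount
        # before the holder enters the PIN on the card's own keypad.
        nonce = secrets.token_hex(8)
        auth_key = hmac.new(self._card_key, pin.encode(), hashlib.sha256).digest()
        msg = _canonical(self.account, merchant_id, amount_cents, nonce)
        code = hmac.new(auth_key, msg, hashlib.sha256).hexdigest()
        return {"account": self.account, "merchant_id": merchant_id,
                "amount_cents": amount_cents, "nonce": nonce, "code": code}


class Bank:
    """Issuer side; the keys would live in an HSM, the used-nonce set in the core ledger."""

    def __init__(self):
        self._auth_keys = {}        # account -> PIN-bound verification key
        self._balances = {}
        self._used = set()          # (account, nonce) pairs already paid out
        self.merchant_credits = {}

    def issue_card(self, account, pin, balance_cents):
        card_key = secrets.token_bytes(32)
        # The bank keeps only the PIN-bound key: a stolen bank record cannot
        # produce approvals without the card, and the card cannot without the PIN.
        self._auth_keys[account] = hmac.new(card_key, pin.encode(), hashlib.sha256).digest()
        self._balances[account] = balance_cents
        return Card(account, card_key)

    def balance(self, account):
        return self._balances[account]

    def settle(self, merchant_id, amount_cents, auth):
        """Merchant forwards the approval over any channel; returns (paid, reason)."""
        key = self._auth_keys.get(auth["account"])
        if key is None:
            return False, "unknown account"
        if auth["merchant_id"] != merchant_id or auth["amount_cents"] != amount_cents:
            return False, "approval is for a different merchant or amount"
        if (auth["account"], auth["nonce"]) in self._used:
            return False, "approval already used"
        msg = _canonical(auth["account"], auth["merchant_id"], auth["amount_cents"], auth["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["code"]):
            return False, "bad approval code: wrong PIN or not the issued card"
        if self._balances[auth["account"]] < amount_cents:
            return False, "insufficient funds"
        self._used.add((auth["account"], auth["nonce"]))
        self._balances[auth["account"]] -= amount_cents
        self.merchant_credits[merchant_id] = self.merchant_credits.get(merchant_id, 0) + amount_cents
        return True, "approved"


def demo():
    """Constructed scenario: one honest purchase, then the misuse cases the comment rules out."""
    bank = Bank()
    card = bank.issue_card("ACCT-0001", pin="4321", balance_cents=10_000)   # constructed values
    auth = card.approve("WALMART-0042", 3456, pin="4321")
    honest = bank.settle("WALMART-0042", 3456, auth)[0]
    replay = bank.settle("WALMART-0042", 3456, auth)[0]
    inflated = bank.settle("WALMART-0042", 9999, card.approve("WALMART-0042", 3456, "4321"))[0]
    redirected = bank.settle("OTHER-SHOP", 3456, card.approve("WALMART-0042", 3456, "4321"))[0]
    wrong_pin = bank.settle("WALMART-0042", 500, card.approve("WALMART-0042", 500, "0000"))[0]
    # Knowing the account number alone (all the merchant ever sees) buys nothing.
    forged = bank.settle("OTHER-SHOP", 500, {"account": "ACCT-0001", "merchant_id": "OTHER-SHOP",
                                              "amount_cents": 500, "nonce": "00", "code": "0" * 64})[0]
    return {"honest": honest, "replay": replay, "inflated": inflated, "redirected": redirected,
            "wrong_pin": wrong_pin, "forged": forged, "balance": bank.balance("ACCT-0001")}


if __name__ == "__main__":
    print(demo())
```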
    7. Re:What can be done? Nothing. by archmcd · · Score: 5, Informative

      I work in bank security, and I just wanted to offer some clarification on your rant:

      If you want a more achievable answer in today's plastic world, DO NOT CARRY DEBIT CARDS. Debit cards do not offer you protection against loss.

      A debit card can be used in two ways. It can either be used with a PIN in what's commonly called a debit transaction (or at an ATM), or it can be used as a "credit" transaction and processed through the Visa or MasterCard network. There is little to no protection against loss for the former of these transaction types, except keeping your PIN secure. The "credit" style transaction, on the other hand, is protected by a zero liability guarantee (at least Visa cards... not sure about MasterCard). Yes, your bank account may get cleaned out (or depleted up to the daily spending limit of your debit card), and outstanding checks may bounce, and you may have a freeze on your account until it gets resolved. However, this zero liability guarantee means any transactions found to be fraudulent will be reimbursed by your bank. The bank then goes after the merchant that processed the transaction to recoup their own losses. If you have a good bank, they'll also refund your overdraft fees. Debit or ATM transactions, on the other hand, are not covered by the same guarantee, so having your card skimmed and PIN captured is far worse - UNLESS your bank offers a guarantee on these types of transactions as well.

      See http://usa.visa.com/personal/cards/debit/visa_check_cards_faq.html

      Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit card losses are usually covered by the bank, but they are under no legal obligation to do so.

      Losses due to fraudulent transactions processed through the Visa network are actually covered by the merchant that accepted the transaction, not your bank. Your bank only covers "Debit"-style losses they agree to cover if they offer protection against Debit or ATM transactions, but that's not a standard program.

      For ATM access, most banks will honor your request for an ATM-only card instead of accepting their default ATM/Debit card.

      An ATM-only card means you will have to use ATMs more frequently, thereby potentially exposing yourself to skimmers, as well as use of your PIN in public. Since there's no zero-liability coverage with most banks for skimmed ATM transactions, you're putting your money at greater risk by doing this. Oh, and by the way, the skimmers have this one figured out too. You no longer have to worry about the shady looking person loitering near the ATM watching you enter your PIN. They install a tiny camera painted to match the fascia of the ATM, and they aim it at the keypad.

      --
      I'm not an expert, but I play one on slashdot.
    8. Re:What can be done? Nothing. by Recovery1 · · Score: 5, Informative

      Great idea. But my bank doesn't offer me such a system.

      In its place though I have a credit card issued from the bank. It is linked to only one account and I have to transfer money into it before I use it for any transactions, so otherwise it is mostly empty. Try to withdraw any more than is in it, and the transaction is automatically rejected. Seems to work for me so far with online transactions quite well.

    9. Re:What can be done? Nothing. by Runaway1956 · · Score: 4, Insightful

      GGP is on the mark, when he says "Use cash". But, in today's world, it seems a necessity that we are able to make purchases online. So, I have exactly what Recovery1 has - a plain debit card. I put money on the card, make my purchase, the card is dry, and no one can make any more withdrawals. Doesn't much matter if someone around the world gets my number, they can ONLY steal the money that I have put on the card that day, and if I've already made my purchases, the balance is zero, they can't steal anything at all.

      But, their attempts to do so will trigger alarms, and the bank knows that security has been compromised!! In theory, the bank will contact me, and ask about those attempted purchases.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    10. Re:What can be done? Nothing. by rtb61 · · Score: 4, Interesting

      One thing to watch out for is being fobbed off by banks. Standard law for credit or debit cards is that the onus is upon the seller to prove that you made the purchase, not upon you to prove you didn't. If your bank wants to take a few weeks to resolve it, immediately complain to your regulatory authority; the bank can take a few weeks to resolve it with the seller, not with you. Once you have made the formal claim for a stop payment it should be resolved in a couple of days; if your bank does not support you in this, it is time to change banks.

      The reality is that the person who used your credit or debit card details did not steal from you; the seller, with the assistance of the credit or debit card company, stole from you. They should be required by law to prove that the charge did in fact occur, that they were defrauded, and that they attempted to defraud you in error.

      The lie being spread by mass media, to suit their advertisers the credit card companies and the merchants, is that the money was stolen from you by the thief who used the card details. Your money was stolen by the merchant who claimed you made the purchase. Once you have made the complaint, the police should pursue the merchant, who by law should prove they did not just attempt to defraud you; that someone defrauded the merchant has absolutely nothing to do with you and at no time should be considered your problem.

      --
      Chaos - everything, everywhere, everywhen
    11. Re:What can be done? Nothing. by AegisFang · · Score: 4, Funny

      I suggest everyone reading this with a debit card transfer all of their money to my account. I do not have a debit card so it will be free from this sort of attack.

      Hello Sir, I currently have over 3000000$(3 million) US dollars in account from my late uncle (Nigerian Royalty). If I could, please, to be put this inheritance in your account for 1 month to avoid Nigerian Tax Liability, I would gladly pay 10 percent to you in 1 month time. Please to send me your account number as offered and PIN. I will deposit funds forthrightly. Thank you God Bless! Kindest regards, Eeaye Eeayeou

      --
      Booga.
    12. Re:What can be done? Nothing. by nacturation · · Score: 4, Interesting

      Interestingly enough, your post highlights a potential risk in the way Slashdot shortens the square bracket preview of long URLs. Example of what I mean

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    13. Re:What can be done? Nothing. by StormReaver · · Score: 4, Insightful

      Once you have made the formal claim for a stop payment it should be resolved in a couple of days, if your bank does not support you in this, it is time to change banks.

      This is the most sensible advice I've seen on this thread. When my Commerce Bank debit card details were compromised, and several unauthorized charges started appearing on my bill, I called the number on the back of my debit card to report the losses. The bank immediately reversed all the charges and offered to send me a new card through overnight delivery.

      I told them to cancel my compromised card, and to send me a new one. They told me I would be without access to my funds via debit card until I activated the new one, but that it should be here within 24 hours (it was at my house in less than 12 hours). I was responsible for $0 of the unauthorized amount, and life went on normally.

      Bottom line: the debit card is only as risky as the bank with which you choose to do business. Get a bank that doesn't suck, and your debit card is a safe financial instrument.

  2. Get a credit card by HeavyD14 · · Score: 4, Insightful

    If it gets stolen, it's not your money. Also, you got skimmed.

    1. Re:Get a credit card by Citizen of Earth · · Score: 4, Interesting

      Also, you got skimmed.

      I saw a news show recently reporting that lots of crooks have been breaking into stores to steal the hard drives out of the cash registers. Lots of the registers store your debit/credit card information unencrypted and criminals can recover and use it. One more reason I always use cash for minor purchases.

    2. Re:Get a credit card by scdeimos · · Score: 4, Informative

      A lot of the audit rolls in cash registers also record card numbers. And yet business is heard to say, "we only store card numbers in encrypted data marts." My ass.

    3. Re:Get a credit card by Alarindris · · Score: 4, Interesting

      I work at a gas station part time. We just got a new computer system and I was appalled to see that when we printed off the numbers for the day, the credit/debit card numbers for each transaction are listed with the name on the card and expiration date. Although we do hold on to them for 7 years and then they are sent to the main office for another 8, it seems pretty damn sloppy to me.

  3. Use a credit card, duh by QuantumG · · Score: 4, Insightful

    How the banks advertise it: "Use your own money to shop online!"
    What it actually means: "Expose the cash you need to live on to fraud."

    The banks like it because you're putting your money at risk, not theirs.

    --
    How we know is more important than what we know.
  4. just use a CREDIT card by CohibaVancouver · · Score: 4, Insightful

    Step 1: Cut DEBIT "check" card in half
    Step 2: Just use a CREDIT card. You're protected. Problem solved.

    In Canada you need an ATM PIN to use a debit card linked to a bank account, but the PINs can still be skimmed by compromised payment terminals. I only pay by credit card.

  5. Get a new bank by KalvinB · · Score: 4, Interesting

    Shop around for a bank that actually values you as a customer. I believe Bank of America will give you your money back within 24 hours. I'm not a fan of theirs but at least they do that for you. I personally use US Bank.

  6. How about a real solution? by John Whitley · · Score: 5, Insightful

    But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards

    NO, NO, NO. No stupid, pointless warnings. Make the financial institutions solely liable for all identity theft. They're the only ones with the ability to stop it, and they should be the ones that bear the full economic incentive for managing fraud.

    But I didn't say it first, Bruce Schneier did:

    The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names.
    [...]
    It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress and hassle are entirely borne by the victims.

    The whole article is +5 Insightful, well worth reading.

  7. I had a better experience by roc97007 · · Score: 4, Interesting

    One day I found that my bank account had been cleaned out. There were a massive number of $50 charges from one vendor -- essentially they kept charging $50 until they got a decline. The charges had occurred after 11:00 PM and before 5:00 AM local time, which made me think that time zones were involved.

    I called the bank immediately and reported it, had the card frozen but by that time there was only about $20 left.

    I did some research from the transaction information -- the company had an address in California that appeared to be fake, an 800 number that was disconnected, and the domain was owned by a different company in Korea.

    I printed all this out, took it to the credit union. They had me fill out some forms, and gave me access to some money (I was pretty much broke) while they worked on it.

    Within 3 days all my money was returned to me. It's possible that the credit union fronted me the cash while they worked with the authorities -- they never said. But as far as I was concerned, the event was over in less than a week.

    Maybe it makes a difference which bank you use. Or maybe it's the difference between a bank and a credit union. I dunno.

    I never did figure out how they got my numbers.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  8. Only use a credit card by cortesoft · · Score: 4, Insightful

    Debit cards are functionally useless, since they give you nothing that using a credit card which you pay off every month wouldn't, while costing you quite a bit.

    If you have a credit card you pay off every month, you get an interest free loan for a month. You earn points for rewards. You get protection against fraud. You often get warranties on things you wouldn't normally get.

    You get NONE of this with a debit card. The only reason a debit card is preferable is if you don't have the self control to spend an amount you can pay off every month, or you have such a bad credit rating you can't get a credit card with a grace period.

    1. Re:Only use a credit card by cortesoft · · Score: 4, Insightful

      Only if you let it. I have had credit cards for all my adult life and never once paid any interest. If you are the type of person who controls their spending, it doesn't have to trap you into spending money you don't have.

  9. What to do? Tell your bank they're full of it by oasisbob · · Score: 5, Informative

    IAABG (I am a banking geek).

    The rules for provisional credit on debit cards are very well established. They fall under Regulation E, section 205.11. The bank has ten days to get you a provisional refund, and can take up to 45 days in certain circumstances to complete their investigation and finalize the credit.

    Make sure you get them a notice in writing! Once you do, they have ten days to credit you, and many banks will do it much faster. If the bank drags their feet, just tell them "I want provisional credit within the mandated timeline per Regulation E".

    Here's more on this topic:
    http://www.bankersonline.com/technology/guru2008/gurus_tech022508c.html
    http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
    http://finsolinc.com/Reg%20E%20EFTA%20Error%20Resolution%20Flowchart.pdf

    The protection for misuse of debit cards is strong, you just need to know what to do. If your bank isn't responsive, Move Your Money to a smaller institution that cares.

  10. Re:It was a horrible idea then AND now by oasisbob · · Score: 4, Informative

    I have been telling people for YEARS how unwise it is to have or use a "debit" card with a Visa/MC logo on it. My bank kept INSISTING that I use one, and I would have to send it back and tell them to please send me a regular debit/ATM card. Many of the same people that thought I was "paranoid" and "obsessive" or just plain strange don't think so anymore.

    You are paranoid. And ignorant. As long as you report the theft to your financial institution as soon as you learn about it, there are strong protections in place. It's simply not true that it's up to YOU to track down your money. It's up to your financial institution. They are required by law to credit you in the case of errors or unauthorized purchases, and are even required to issue a provisional credit in many cases before the investigation is complete.

    A Visa Debit card carries the same protections as a Visa Credit card for signature based-transactions. PIN based transactions are still covered by Regulation E, which protects the consumer.

    And there's no such thing as a perfectly good ATM card: with a skimmer, a fraudster can clone your ATM card and have your PIN. Fraudulent PIN based transactions are MUCH harder to refute. People call up all the time and say, "I have no idea how that person got my PIN number, I've never given it to ANYONE!" We (my bank) pull the ATM video, and sure enough it's their son/daughter. The consumer sheepishly admits, "Oh, well, I just told them my PIN once, months ago..." Given the choice between turning the video over to the police or rescinding the claim of unauthorized use, many people will choose the latter.

  11. The bank HAS to refund your money..... by JoeBanker · · Score: 4, Informative

    I work IT in a community bank. I work very closely with our Operations and Fraud department. Here is what I can tell you about VISA debit card fraud. If you are a consumer, you are totally protected IF you report your debit card being lost, stolen, or compromised within 3 days of becoming aware that it was lost, stolen, or compromised. The bank will also have a hard time proving when you found out you had a problem with your card. The bank HAS to give you your money back. VISA and Washington D.C. make all of these rules. The little known secret is that banks take huge losses on debit card fraud because the regulation coming from Washington D.C. totally protects the consumer. Most of the time in a fraud case, the bank isn't able to recover the money from the merchant and they have to refund the money to the consumer. Therefore, the banks lose money on VISA debit card fraud. As consumers, you really have nothing to worry about when it comes to VISA debit card fraud. You are totally covered. If you have a VISA business debit card though, you are not covered by the regulation and you are subject to taking losses in a fraud case. If you are a business owner, you had better be REALLY CAREFUL when it comes to who has business debit cards tied to your accounts. In your case, when the bank said 3 - 5 weeks to return your money, you should change banks. Go to a good community bank or credit union in your area. Somewhere that will recognize you as a person and not a number. Stay away from the large nationwide banks and regional banks. Especially the ones that are having loan trouble. They are trying to stay afloat by sticking all of their good customers with lots of account fees. I use my VISA debit card everywhere and never worry about fraud. You should do the same. I do suggest that you be careful using it on the Internet. As a computer security professional, I do recommend that you practice good computer security.... AV, Web Filtering, OpenDNS, Patching, etc....