Ask Slashdot: How Safe, Really, Is Paying For Things Online?

An anonymous reader writes: Due to the rash of intrusions into electronic payment systems lately, I've decided to go back to paying cash for everyday purchases, groceries, fuel, and anything else I pay for in person (which also has the positive effect of making balacing my checkbook every month that much easier). The question I have is: For the monthly bills it's just not practical to pay in person (utilities, for instance), how safe are those?

Five minutes of research is telling me that mailing paper checks isn't any more secure than online electronic payments and in fact may be even less secure, but short of literally showing up at the electric company, phone company, ISP, and so on, and paying them cash in person, I can't see any other way to pay them. So how safe is it right now, honestly?
I'm always interested in how Slashdot readers secure their own personal finances -- but how high is the danger that a remote malefactor will hijack and then drain your bank account? Leave your best answers in the comments. How safe, really, is paying for things online?

ad absudium

[SuiteSisterMary]

Well, how safe is it to be walking around with a pocket full of cash? What if you get robbed? What if you drop your wallet? What if you go to the bank machine and it dispenses too few bills, but thinks it dispensed them all? What if you go to a teller to withdraw cash and watch them count it, but the bank gets robbed?

At least with credit card payments, there's a known and tested dispute process in place.

Re:ad absudium

[swillden]

I'll put up a fight before I hand over anything, assuming anyone wants to try me.

I mean this in the kindest possible way, but your'e a damned fool.

I don't care how big you are, or that you have a knife (I carry a gun, myself), the risks involved in getting into a fight are far greater than the value of a few hundred bucks. If you lose the fight, it may be worth your life. Carrying a deadly weapon actually increases that risk in some ways. (Aside: If you carry a lethal weapon, I recommend carrying a less lethal weapon as well, such as OC spray; this is to provide you with an option that allows you to maintain some distance in the event the situation doesn't justify deadly force. You don't want to get into a wrestling mach while carrying a deadly weapon.)

But even if you win the fight, it may still cost you your life, not because you die but because you end up having to defend your actions in court, creating an incredibly stressful situation for yourself, likely destroying your savings, and possibly landing you in prison. Whether your use of deadly force to defend yourself is legal depends on a host of factors, some of them subtle and hard to judge in the heat of the moment, and that's assuming that the actual facts are provable and not something else entirely.

There's also a psychological risk. Killing someone, even if fully justified, seriously messes some people up. Unless you've killed someone before, you do not -- and cannot -- know how it will affect you.

I carry a gun. I'm a concealed weapons permit instructor, so I teach and certify other people to carry guns. I strongly believe in the importance and value of being armed. But if handing over some cash and my cell phone will end the encounter peacefully, I'll hand it over in a heartbeat. A few hundred bucks isn't worth my life. For that matter, it's not worth the life of the mugger, even if the fool is asking for it.

The only way my gun is coming out of concealment is if I have a real belief that my life, or the life of someone else, is at serious risk if I do not. I practice, and teach, a "balance of fears" decision making process, because in a potentially-violent encounter there isn't time to determine the details of justification of force. Instead, I assume that if I draw my gun (or knife; I usually have one of those, too), I will go to prison for it. So, I will only introduce deadly force if I believe that whatever will happen if I don't is worse than going to prison. This makes it fairly certain that I will only use deadly force when it is very easy to justify... and if through a quirk of the situation or the system I end up going to prison for it, well, I believed based on what I knew at the time that that was the better choice.

Clearly, I'm not willing to go to prison over a few hundred dollars, so there's no way I'm using deadly force if I'm pretty certain that just handing over the cash will end it.

Re:ad absudium

[Harlequin80]

I know this is totally off topic. But it is so fucking depressing that you feel that you need to carry a gun or a knife to be safe.

The risks to my person are so low where i live that the hassle factor of carrying a weapon (as in the picking it up part) far exceed any benefit.

Re:ad absudium

[Harlequin80]

I live in the most multicultural country in the world.

Risk has nothing to do with race.

... okay

[starblazer]

everything has a risk. Personally, I use online billpay from my bank to send the utilities a check. My bank doesn't just cut a check using my account information, they transfer the money out, cut a check on their own account number, and then send it. Some smaller banks and credit unions will just print a check using your account information, so, send yourself a bill pay for a buck and see if it's your information on the bottom.

Most major utilities use bank lockboxes or if they are large enough... their own. Mail fraud in those instances is very, very low because typically the mail goes out in large automated trays to those addresses vs the one or two letters that you and I are used to getting.

But you ask... sometimes it's an ACH payment using the Billpay... well.. you're right, sometimes it is. However, life is all about risk. Personally, I find it riskier to carry cash on me and drive to 10 different places to pay bills than it is to just go online, have the bank cut a couple checks, and ride it out. I also do not use the bank debit card for anything other than ATM transactions and a few places that will accept debit, but not credit. Sure, let some kiddie get my credit card number and go to town... it takes a phone call and a "um, not me" and I've got a new card on the way with no liability.

Do What Cheap Folks Have Always Done

[JimSadler]

First many banks pay to open accounts so open an account at a bank that is paying those rewards, Every month simply transfer enough to pay your bills to your new PAY OUT ACCOUNTS. For example you can have an account just to pay your electric bill. Leave the required residual in the account so it is not closed. This way if the account is hijacked all you can lose is the electric bill payment. i also use PayPal a lot. So imagine that you set up ten accounts at banks offering sign on bonuses. Mine pay anywhere from $50 to $500 to open an account. Assuming your are all $50. reward accounts you will still quickly and easily earn $500 for a few minutes work. Meanwhile your funds earn interest in your regular account and you never, ever, pay bills from that account so you earn more interest. On most accounts with rewards you are free to change at the $90 day mark. So you can do this many times a year. Also you can earn referral fees for steering others to open accounts so work with a friend and refer each other frequently. Currently some people can actually earn a living simply opening and closing bank accounts.

Re:How safe?

[MangoCats]

Your CC# has always been vulnerable at the endpoints, whether or not it gets trawled up with a million others in a hacking scheme is a much smaller risk.

Chill

[fahrbot-bot]

There is risk in everything. Understand the type and extent of those risks. For example, you could get hit by a car while trying to pay a bill in person and die or end up in the with hospital with thousands of $$ in bills. Paying by check or online looks pretty safe by comparison.

Furthermore, paying with a credit card limits your risk to $50 for fraudulent charges - just check your statement every month. If you're really paranoid, get a Bank of America MasterCard. They have a feature called ShopSafe whereby you can create multiple virtual credit cards (linked to your real CC) for use online. You simple specify the amount and duration and new CC and CVV/CVC numbers are generated. As a bonus, only the first vendor to use a virtual card can use that card. You can bump the limit and/or expiration date and "delete" the virtual card at any time.

Re:False assumption

[swillden]

You only need to use electronic payments, such as a credit card, not necessarily online. Many thefts used compromised readers during a regular in person transaction, though newer cards make this less likely. Ultimately your retailer will typically store your payment information in a database, along with other personally identifying information. This is even more likely with over the phone purchases. Many companies store it in plain text while few properly hash/encrypt it.

The above isn't actually all that true; PCI requirements demand encryption at rest (encryption, not hashing, there's no point in hashing a credit card number). But let's assume that it's true.

Meh. I don't care.

By federal law, my liability for any fraud is limited to $50. In practice, no credit card issuer I've ever met in the US (and I used to do security consulting for credit card issuers, so I've met a lot of them) charges cardholders a penny. If you claim that a transaction is fraudulent, and they can't prove it wasn't, you won't pay a penny. If they're pretty sure you're the fraudster, they'll just cancel your card, and refuse to do business with you any more.

Credit card payment is the safest form of payment, online or in meatspace. Cash is the least safe form of payment.

Note that I'm talking about safety, not privacy. That's a separate issue, and on the privacy axis cash is king and credit cards are awful (though personal checks are significantly worse, assuming you can find someone still willing to accept one).

Note also that debit card transactions (when processed through the debit networks, not as credit cards) do not provide the same protections that credit cards do. Many banks do handle fraud similarly, but you need to get your bank's policy to know. With credit cards, the $50 liability limit is guaranteed by law.

Re:its not

[avandesande]

Heck even the police will take it from you if you have enough of it