Ask Slashdot: How Safe, Really, Is Paying For Things Online?
An anonymous reader writes:
Due to the rash of intrusions into electronic payment systems lately, I've decided to go back to paying cash for everyday purchases, groceries, fuel, and anything else I pay for in person (which also has the positive effect of making balancing my checkbook every month that much easier). The question I have is: For the monthly bills it's just not practical to pay in person (utilities, for instance), how safe are those?
Five minutes of research is telling me that mailing paper checks isn't any more secure than online electronic payments and in fact may be even less secure, but short of literally showing up at the electric company, phone company, ISP, and so on, and paying them cash in person, I can't see any other way to pay them. So how safe is it right now, honestly?
I'm always interested in how Slashdot readers secure their own personal finances -- but how high is the danger that a remote malefactor will hijack and then drain your bank account? Leave your best answers in the comments. How safe, really, is paying for things online?
"Is It Safe?" https://en.wikipedia.org/wiki/...
One-shot accounts work for me. I go to a site, hit the Applepay button, my phone asks for my thumbprint, and I'm good to go.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Well, how safe is it to be walking around with a pocket full of cash? What if you get robbed? What if you drop your wallet? What if you go to the bank machine and it dispenses too few bills, but thinks it dispensed them all? What if you go to a teller to withdraw cash and watch them count it, but the bank gets robbed?
At least with credit card payments, there's a known and tested dispute process in place.
Vintage computer games and RPG books available. Email me if you're interested.
Everything has a risk. Personally, I use online billpay from my bank to send the utilities a check. My bank doesn't just cut a check using my account information, they transfer the money out, cut a check on their own account number, and then send it. Some smaller banks and credit unions will just print a check using your account information, so, send yourself a bill pay for a buck and see if it's your information on the bottom.
Most major utilities use bank lockboxes or if they are large enough... their own. Mail fraud in those instances is very, very low because typically the mail goes out in large automated trays to those addresses vs the one or two letters that you and I are used to getting.
But you ask... sometimes it's an ACH payment using the Billpay... well.. you're right, sometimes it is. However, life is all about risk. Personally, I find it riskier to carry cash on me and drive to 10 different places to pay bills than it is to just go online, have the bank cut a couple checks, and ride it out. I also do not use the bank debit card for anything other than ATM transactions and a few places that will accept debit, but not credit. Sure, let some kiddie get my credit card number and go to town... it takes a phone call and a "um, not me" and I've got a new card on the way with no liability.
You only need to use electronic payments, such as a credit card, not necessarily online. Many thefts used compromised readers during a regular in person transaction, though newer cards make this less likely. Ultimately your retailer will typically store your payment information in a database, along with other personally identifying information. This is even more likely with over the phone purchases. Many companies store it in plain text while few properly hash/encrypt it.
At least around here, most of the utilities can be paid by bringing the bill into the bank. Notwithstanding, those payments are electronically settled by the bank, so I'm not sure it's any different than posting a payment through a bank's web portal.
!Equality through palindromes semordnilap hguorht ytilauqE!
Your CC# has always been vulnerable at the endpoints, whether or not it gets trawled up with a million others in a hacking scheme is a much smaller risk.
I have several checking accounts, and I got tired of paying the check printing companies for... printing my checks. So I bought check stock cheap and I print my own. Apparently, the world has gone from magnetic ink to OCR, so I am home free. If I can print my own checks, so can anyone else print anything they want. I could easily print checks from any other business once I have their account number.
What reduces check fraud is enforcement. Or so I think.
A dingo ate my sig...
You have a check book? You pay for checks? And you balance it? Like, on the little paper balance sheet that comes with the checks, with a pen? Why why why?
I pay for virtually everything with credit cards. Like, everything but food from the local taco truck and private purchases, like used cars or used furniture, etc. I certainly don't use a debit card tied to a bank account for online purchases.
The only thing I do online with my actual bank accounts is pay off my credit cards and my mortgage (they won't accept a credit card, but it's a bank, so I feel reasonably safe - and the account I pay it out of is used almost exclusively for that, and nearly always has a zero balance), and transfer money between banks.
If I want to know what's in my bank account, I check it online. I don't ever need to read statements, because I check all my accounts multiple times per month. And paper statements via snail mail? Please.
Now, I'd prefer to have a tokenizing credit account for online purchases with not-so-major vendors, where each payment uses a single-use or limited-use token, but I don't know if that exists in a convenient form. That's how mobile payments work, but that wouldn't currently work for online payments. I'm also not that worried about it, since credit cards do a nice job of protecting customers from fraud, and I've never had a CC number stolen.
And one last thing. If you pay with cash, you are subsidizing the rewards I get by paying with a credit card. Thanks :)
There is risk in everything. Understand the type and extent of those risks. For example, you could get hit by a car while trying to pay a bill in person and die or end up in the hospital with thousands of $$ in bills. Paying by check or online looks pretty safe by comparison.
Furthermore, paying with a credit card limits your risk to $50 for fraudulent charges - just check your statement every month. If you're really paranoid, get a Bank of America MasterCard. They have a feature called ShopSafe whereby you can create multiple virtual credit cards (linked to your real CC) for use online. You simply specify the amount and duration and new CC and CVV/CVC numbers are generated. As a bonus, only the first vendor to use a virtual card can use that card. You can bump the limit and/or expiration date and "delete" the virtual card at any time.
It must have been something you assimilated. . . .
Go to 7-11 and get a money order to pay those bills.
Although somewhat snarky, the subject line sums up my opinion pretty succinctly: as an individual, does it really matter much?
If my credit card gets compromised, by law the most I'm liable for is $50 (and my bank's policy is that I have $0 liability for fraudulent charges). On the few occasions when my card information has been misused, the transactions were reversed and a new card was in my wallet within a day or two. All I had to do was fill out a form saying "I didn't make these charges.", sign it, and send it to the bank. A mild irritation, to be sure, but hardly a big deal. With chip cards now commonplace in the US, simple cloning of cards is less of an issue than it was.
Legally, I seem to recall that debit cards have somewhat less protection, but banks often extend their $0 liability policy to them as well, so long as you report it being lost or stolen within a reasonable time. Still, I dislike these since one is not merely disputing whether or not one owes money to the bank, but rather if one should get one's own money back.
As for bank transfers and the like, I'd like it if the US would add "push" transfers like European banks do, rather than the "payee pull" system it currently has. Still, my understanding is that one is still protected from unauthorized withdrawals from one's bank account.
In short: I'm not terribly concerned about my financial information being abused by criminals, as the law and bank policies offer significant legal protections from fraudulent activity. Any such issues are a minor inconvenience. Of course, one should take reasonable precautions, but in general it's not a big deal. I'm a lot more concerned about criminals gaining access to difficult-to-change/cancel things like one's social security number, with which they could apply for new, unknown-to-you accounts in your name. That's much more of a hassle to resolve than simply having a credit card stolen or a bad guy making an unauthorized debit from one's account.
My answer may not apply to people outside of the US. The rules vary.
The better question, with regard to going all cash, is how liable are you in the event of compromise?
Are online payment systems "safe" in the sense that they are unlikely to be compromised? No, not really.
But if they are compromised, so what? If you use a major credit card, and your number gets compromised, it's really not that big of a deal. Most all of the liability is on the merchant and the card issuer, not you. The worst case scenario I've dealt with is the card being inactive for a few days. If you stick to using credit online, no debit or ACH, this can pretty much be the worst you have to deal with.
This is one reason bitcoin and other digital currencies have difficulty going mainstream. Sure my hardware bitcoin wallet might be 100x more secure than my credit card, but if it gets compromised, I'm screwed. If my credit card gets compromised, I'm merely inconvenienced.
Rather than going to cash, I recommend people try to:
1) Keep at least two major credit cards open at all times with two different banks. Use one regularly, the other is a backup.
2) Avoid using debit or ACH, especially online.
3) Use a system like Mint so that you can easily monitor activity on your cards. If you see any activity that isn't you, be proactive.
4) Use a service like PayPal whenever possible. A lot of my bills are paid via PayPal. If a card is compromised, expired, whatever, I only have to update one place. Plus it gives me yet another entity to share liability in the event of fraud.
If you do these things, you're liable for virtually nothing, and the security of your payments is less of a concern. Let the credit card companies deal with it.
A teenager in London got a hold of my debit card number, ordered makeup and bling from a small company in Texas, used a San Francisco storage facility for the billing address, and her actual street address for shipping. The transactions didn't get far as the safeguards came into play with the credit union on my end and PayPal on the vendor's end. I even filed a complaint with London PD. The credit union issued a new debit card and that was that.
Limit your financial and inconvenience exposure by
(1) Closing inactive (i.e., unused 6 months) accounts
(2) Initiating a freeze on new credit applications or existing credit reporting
(3) Request a Personal Identification Number (PIN) from the IRS to prevent bad guys from filing a fraudulent tax return in your name
(4) Request your bank to limit the amount of money which can be withdrawn electronically from checking and savings accounts
(5) Don't use debit cards for electronic transactions
(6) Always challenge organizations which request your SSN when establishing an account
(7) Immediately validate/reconcile your financial statements/transaction reports
(8) Use challenge questions with responses that few, if anyone, would know the answer
(9) Take advantage of online businesses which give you the opportunity to receive a separate code on your smart phone, to complete a transaction
(10) Never respond to an initial online request to provide your identifiers or authenticators
3. Cash for in-person transactions.
Unfortunately, I find that this is steadily becoming more of a hassle. I tried to pay for something with cash at Best Buy recently, and the poor young teller looked at me like I had just asked her what color her underwear was. Instead, I had to go to customer service to pay with cash like some kind of paleontology museum escapee... which was fine with me because the girl working at customer service was downright gorgeous. But next time when Bill the balding floor manager is on shift, then it's going to be an inconvenience.
The only thing I do online with my actual bank accounts is pay off my credit cards and my mortgage
How dare you! If everyone was doing like you, the credit card companies would make no money and we would still have to pay things with cash and debit cards, paying obscene transaction fees every time.
People who pay their credit card on time are the modern equivalent of the tragedy of the commons. Start carrying your weight today! Just pay the minimum and slowly build a mountain of debt. That's the American way.
lucm, indeed.
ApplePay FTW. One-shot accounts work for me.
Nothing against ApplePay, I occasionally use it. However many banks allow you to create temporary account numbers linked to your real number. In addition to letting you set the max amount chargeable and expiration date for this number the number may also lock to the first vendor to charge it. So if that vendor gets hacked a second entity will be denied if they attempt to use the temporary number.
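Added example, not part of the original thread and not any bank's actual code: a minimal Python model of the temporary card numbers described in the comments above (spending cap, expiration date, lock to the first vendor that charges, cardholder "delete"), showing why a number stolen from one vendor's database is declined elsewhere. The class, field names, merchant ids and amounts are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VirtualCard:
    """Hypothetical model of a temporary card number as described in the thread."""
    limit_cents: int                        # maximum total chargeable, set by the cardholder
    expires: date                           # last day the number is valid
    locked_merchant: Optional[str] = None   # set by the first approved charge
    spent_cents: int = 0
    revoked: bool = False                   # cardholder "deleted" the number

    def authorize(self, merchant_id: str, amount_cents: int, today: date) -> str:
        """Return 'approved' or a decline reason; state changes only on approval."""
        if self.revoked:
            return "declined: revoked"
        if today > self.expires:
            return "declined: expired"
        if amount_cents <= 0:
            return "declined: invalid amount"
        if self.locked_merchant is not None and merchant_id != self.locked_merchant:
            return "declined: merchant mismatch"
        if self.spent_cents + amount_cents > self.limit_cents:
            return "declined: over limit"
        self.locked_merchant = merchant_id
        self.spent_cents += amount_cents
        return "approved"


def replay_scenario() -> list:
    """Constructed scenario: the number leaks from the first vendor's database."""
    card = VirtualCard(limit_cents=5000, expires=date(2030, 1, 31))
    day = date(2030, 1, 10)
    results = [
        card.authorize("vendor-a", 3000, day),   # legitimate first use locks the number
        card.authorize("vendor-b", 500, day),    # leaked number presented by another merchant
        card.authorize("vendor-a", 2500, day),   # same vendor, but 3000 + 2500 > 5000
        card.authorize("vendor-a", 2000, date(2030, 2, 1)),  # after expiry
    ]
    card.revoked = True                          # cardholder deletes the number
    results.append(card.authorize("vendor-a", 100, day))
    return results


if __name__ == "__main__":
    for outcome in replay_scenario():
        print(outcome)
```
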
Watch those change-in-term notices from your bank and CC provider. Recently mine reduced the standard of liability on debit card transactions. And online bill pay has less protection than the cards do... though supposedly they are limited as to how hard they can shaft you by Federal Reserve Regulation E. At least until the Fed gets seeded with cleptocrats.
I actually sacrificed a bunch of interest income to deactivate online banking, as it cannot be deactivated while keeping electronic statements, and you don't get the better rate if you are getting paper statements. That and the upside-down rate structure of that checking account has me occasionally browsing around for a different bank, but they all pretty much suck with what appears to be the same re-branded package deals from some upstream providers.
Someone had to do it.
Walking around with cash is statistically more dangerous than using credit cards for everything, in the same way that the most dangerous part of a flight is the drive to the airport.
Make that WHEN someone hacks them. Which will almost certainly happen sooner or later. If it's a broad breach instead of just a few accounts, it's a safe bet that in the US neither PayPal nor your money will be anywhere to be found. In the EU where PayPal is subject to banking laws, you may have recourse. Not so in the US where PayPal operates as an unregulated bank. (Why would any sane person give an unregulated bank access to their money?)
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Heck even the police will take it from you if you have enough of it
love is just extroverted narcissism
Euro-peon here (Ireland). I use a debit card linked to my current (checking) account for small purchases, and a credit card for online and larger purchases, which I can usually pay off every month unless it's very large. The debit card is touch-enabled, which has some security features built in. Touch purchases are limited to €30 and after three of those you'll be asked to insert the card and enter the PIN - so if the touch system is compromised there's a "stop" on that. As far as I can tell those touch purchases are authorised without checking your current balance, and might not hit your account until days later.
I have heard of "walk-by" attacks on touch cards here - e.g. one lady I know had €11 taken off her card that was apparently billed to a pay email service on an ISP in New Zealand. Small, one-off charges that the payee might not even notice if they are a heavy user of that card. There are things you can do to avoid that, such as not keeping the card on you in an obvious place such as handbag or back pocket. Or tin foil.
(this is not a