Ask Slashdot: How Safe, Really, Is Paying For Things Online?

An anonymous reader writes: Due to the rash of intrusions into electronic payment systems lately, I've decided to go back to paying cash for everyday purchases, groceries, fuel, and anything else I pay for in person (which also has the positive effect of making balacing my checkbook every month that much easier). The question I have is: For the monthly bills it's just not practical to pay in person (utilities, for instance), how safe are those?

Five minutes of research is telling me that mailing paper checks isn't any more secure than online electronic payments and in fact may be even less secure, but short of literally showing up at the electric company, phone company, ISP, and so on, and paying them cash in person, I can't see any other way to pay them. So how safe is it right now, honestly?
I'm always interested in how Slashdot readers secure their own personal finances -- but how high is the danger that a remote malefactor will hijack and then drain your bank account? Leave your best answers in the comments. How safe, really, is paying for things online?

old movie

[turkeydance]

"Is It Safe?" https://en.wikipedia.org/wiki/...

Re:old movie

[MangoCats]

Been paying for stuff online since 1999, frequency of CC number changes is about the same pre and post... occasional bogus charge shows up, call the company, charge is reversed and we get new card numbers... no drama, minor hassle, way better than mailing checks.

Re: old movie

[Gay+Boner+Sex]

Or do the obvious.

First many banks pay to open accounts so open an account at a bank that is paying those rewards, Every month simply transfer enough to pay your bills to your new PAY OUT ACCOUNTS. For example you can have an account just to pay your electric bill. Leave the required residual in the account so it is not closed. This way if the account is hijacked all you can lose is the electric bill payment. i also use PayPal a lot. So imagine that you set up ten accounts at banks offering sign on bonuses. Mine pay anywhere from $50 to $500 to open an account. Assuming your are all $50. reward accounts you will still quickly and easily earn $500 for a few minutes work. Meanwhile your funds earn interest in your regular account and you never, ever, pay bills from that account so you earn more interest. On most accounts with rewards you are free to change at the $90 day mark. So you can do this many times a year. Also you can earn referral fees for steering others to open accounts so work with a friend and refer each other frequently. Currently some people can actually earn a living simply opening and closing bank accounts.

Re: old movie

[John.Banister]

Paypal may suck for receiving money. They're great for hiding my plastic when I'm spending it.

ad absudium

[SuiteSisterMary]

Well, how safe is it to be walking around with a pocket full of cash? What if you get robbed? What if you drop your wallet? What if you go to the bank machine and it dispenses too few bills, but thinks it dispensed them all? What if you go to a teller to withdraw cash and watch them count it, but the bank gets robbed?

At least with credit card payments, there's a known and tested dispute process in place.

Re:ad absudium

[swillden]

I'll put up a fight before I hand over anything, assuming anyone wants to try me.

I mean this in the kindest possible way, but your'e a damned fool.

I don't care how big you are, or that you have a knife (I carry a gun, myself), the risks involved in getting into a fight are far greater than the value of a few hundred bucks. If you lose the fight, it may be worth your life. Carrying a deadly weapon actually increases that risk in some ways. (Aside: If you carry a lethal weapon, I recommend carrying a less lethal weapon as well, such as OC spray; this is to provide you with an option that allows you to maintain some distance in the event the situation doesn't justify deadly force. You don't want to get into a wrestling mach while carrying a deadly weapon.)

But even if you win the fight, it may still cost you your life, not because you die but because you end up having to defend your actions in court, creating an incredibly stressful situation for yourself, likely destroying your savings, and possibly landing you in prison. Whether your use of deadly force to defend yourself is legal depends on a host of factors, some of them subtle and hard to judge in the heat of the moment, and that's assuming that the actual facts are provable and not something else entirely.

There's also a psychological risk. Killing someone, even if fully justified, seriously messes some people up. Unless you've killed someone before, you do not -- and cannot -- know how it will affect you.

I carry a gun. I'm a concealed weapons permit instructor, so I teach and certify other people to carry guns. I strongly believe in the importance and value of being armed. But if handing over some cash and my cell phone will end the encounter peacefully, I'll hand it over in a heartbeat. A few hundred bucks isn't worth my life. For that matter, it's not worth the life of the mugger, even if the fool is asking for it.

The only way my gun is coming out of concealment is if I have a real belief that my life, or the life of someone else, is at serious risk if I do not. I practice, and teach, a "balance of fears" decision making process, because in a potentially-violent encounter there isn't time to determine the details of justification of force. Instead, I assume that if I draw my gun (or knife; I usually have one of those, too), I will go to prison for it. So, I will only introduce deadly force if I believe that whatever will happen if I don't is worse than going to prison. This makes it fairly certain that I will only use deadly force when it is very easy to justify... and if through a quirk of the situation or the system I end up going to prison for it, well, I believed based on what I knew at the time that that was the better choice.

Clearly, I'm not willing to go to prison over a few hundred dollars, so there's no way I'm using deadly force if I'm pretty certain that just handing over the cash will end it.

Re:ad absudium

[Harlequin80]

I know this is totally off topic. But it is so fucking depressing that you feel that you need to carry a gun or a knife to be safe.

The risks to my person are so low where i live that the hassle factor of carrying a weapon (as in the picking it up part) far exceed any benefit.

Re:ad absudium

[Harlequin80]

I live in the most multicultural country in the world.

Risk has nothing to do with race.

... okay

[starblazer]

everything has a risk. Personally, I use online billpay from my bank to send the utilities a check. My bank doesn't just cut a check using my account information, they transfer the money out, cut a check on their own account number, and then send it. Some smaller banks and credit unions will just print a check using your account information, so, send yourself a bill pay for a buck and see if it's your information on the bottom.

Most major utilities use bank lockboxes or if they are large enough... their own. Mail fraud in those instances is very, very low because typically the mail goes out in large automated trays to those addresses vs the one or two letters that you and I are used to getting.

But you ask... sometimes it's an ACH payment using the Billpay... well.. you're right, sometimes it is. However, life is all about risk. Personally, I find it riskier to carry cash on me and drive to 10 different places to pay bills than it is to just go online, have the bank cut a couple checks, and ride it out. I also do not use the bank debit card for anything other than ATM transactions and a few places that will accept debit, but not credit. Sure, let some kiddie get my credit card number and go to town... it takes a phone call and a "um, not me" and I've got a new card on the way with no liability.

False assumption

[burtosis]

You only need to use electronic payments, such as a credit card, not necessarily online. Many thefts used compromised readers during a regular in person transaction, though newer cards make this less likely. Ultimately your retailer will typically store your payment information in a database, along with other personally identifying information. This is even more likely with over the phone purchases. Many companies store it in plain text while few properly hash/encrypt it.

Re:False assumption

[swillden]

You only need to use electronic payments, such as a credit card, not necessarily online. Many thefts used compromised readers during a regular in person transaction, though newer cards make this less likely. Ultimately your retailer will typically store your payment information in a database, along with other personally identifying information. This is even more likely with over the phone purchases. Many companies store it in plain text while few properly hash/encrypt it.

The above isn't actually all that true; PCI requirements demand encryption at rest (encryption, not hashing, there's no point in hashing a credit card number). But let's assume that it's true.

Meh. I don't care.

By federal law, my liability for any fraud is limited to $50. In practice, no credit card issuer I've ever met in the US (and I used to do security consulting for credit card issuers, so I've met a lot of them) charges cardholders a penny. If you claim that a transaction is fraudulent, and they can't prove it wasn't, you won't pay a penny. If they're pretty sure you're the fraudster, they'll just cancel your card, and refuse to do business with you any more.

Credit card payment is the safest form of payment, online or in meatspace. Cash is the least safe form of payment.

Note that I'm talking about safety, not privacy. That's a separate issue, and on the privacy axis cash is king and credit cards are awful (though personal checks are significantly worse, assuming you can find someone still willing to accept one).

Note also that debit card transactions (when processed through the debit networks, not as credit cards) do not provide the same protections that credit cards do. Many banks do handle fraud similarly, but you need to get your bank's policy to know. With credit cards, the $50 liability limit is guaranteed by law.

Re:How safe?

[MangoCats]

Your CC# has always been vulnerable at the endpoints, whether or not it gets trawled up with a million others in a hacking scheme is a much smaller risk.

No real answer.

[glitch!]

I have several checking accounts, and I got tired of paying the check printing companies for... printing my checks. So I bought check stock cheap and I print my own. Apparently, the world has gone from magnetic ink to OCR, so I am home free. If I can print my own checks, so can anyone else print anything they want. I could easily print checks from any other business once I have their account number.

What reduces check fraud is enforcement. Or so I think.

Chill

[fahrbot-bot]

There is risk in everything. Understand the type and extent of those risks. For example, you could get hit by a car while trying to pay a bill in person and die or end up in the with hospital with thousands of $$ in bills. Paying by check or online looks pretty safe by comparison.

Furthermore, paying with a credit card limits your risk to $50 for fraudulent charges - just check your statement every month. If you're really paranoid, get a Bank of America MasterCard. They have a feature called ShopSafe whereby you can create multiple virtual credit cards (linked to your real CC) for use online. You simple specify the amount and duration and new CC and CVV/CVC numbers are generated. As a bonus, only the first vendor to use a virtual card can use that card. You can bump the limit and/or expiration date and "delete" the virtual card at any time.

My debit card got around...

[__aaclcg7560]

A teenager in London got a hold off my debit card number, ordered makeup and bling from a small company in Texas, used a San Francisco storage facility for the billing address, and her actual street address for shipping. The transactions didn't get far as the safeguards came into play with the credit union on my end and PayPal on the vendor's end. I even filed a complaint with London PD. The credit union issued a new debit card and that was that.

Re:its not

[MachDelta]

3. Cash for in-person transactions.

Unfortunately, I find that this is steadily becoming more of a hassle. I tried to pay for something with cash at Best Buy recently, and the poor young teller looked at me like I had just asked her what color her underwear was. Instead, I had to go to customer service to pay with cash like some kind of paleontology museum escapee... which was fine with me because the girl working at customer service was downright gorgeous. But next time when Bill the balding floor manager is on shift, then it's going to be an inconvenience.

FREELOADER ALERT

[lucm]

The only thing I do online with my actual bank accounts is pay off my credit cards and my mortgage

How dare you! If everyone was doing like you, the credit card companies would make no money and we would still have to pay things with cash and debit cards, paying obscene transaction fees every time.

People who pay their credit card on time are the modern equivalent of the tragedy of the commons. Start carrying your weight today! Just pay the minimum and slowly build a mountain of debt. That's the American way.

Many banks offer credit card temp numbers

[perpenso]

ApplePay FTW. One-shot accounts work for me.

Nothing against ApplePay, I occasionally use it. However many banks allow you to create temporary account numbers linked to your real number. In addition to letting you set the max amount chargeable and expiration date for this number the number may also lock to the first vendor to charge it. So if that vendor gets hacked a second entity will be denied if they attempt to use the temporary number.

Re:Many banks offer credit card temp numbers

[93+Escort+Wagon]

You can just use your nice high-def camera on your phone to capture someone's Apple Pay screen, say while you're behind them in line and they're getting ready to pay. Free access to ApplePay account with just a picture, no hacking required.

Without that person's specific hardware device (e.g. the iPhone whose screen you photographed), you're not going to be able to use that data you just captured.

Re:its not

[Applehu+Akbar]

Walking around with cash is statistically more dangerous than using credit cards for everything, in the same way that the most dangerous part of a flight is the drive to the airport.

Re:PayPal when possible.

[vtcodger]

Make that WHEN someone hacks them. Which will almost certainly happen sooner or later. If it's a broad breach instead of just a few accounts, it's a safe bet that in the US neither PayPal nor your money will be anywhere to be found. In the EU where PayPal is subject to banking laws, you may have recourse. Not so in the US where PayPal operates as an unregulated bank. (Why would any sane person give an unregulated bank access to their money?)

Re:its not

[avandesande]

Heck even the police will take it from you if you have enough of it