On December 13, 2013 the security researcher, Brian Krebs, broke a story on his blog which turned in to an admission by Target that they had experienced a 40 million credit and debit card security breach which occurred from Black Friday through December 15th.
(Update from Krebs 12/20/13: Cards Stolen in Target Breach Flood Underground Markets)
In a KARE11/USA Today article released just after lunch today, apparently there is “no indication” that debit card personal information numbers (PIN) were part of the breach:
Stolen information from some 40 million credit and debit cards used in its stores from Black Friday through Dec. 15 included names, credit or debit card numbers, card expiration dates and the CVV data on the magnetic stripe on cards, the retailer said.
Target spokesman Eric Hausman confirmed, however, it has “no indication that debit card PINs were impacted.”
Target’s own credit card data, REDcard, was breached but so were all bank credit or debit cards used by shoppers. The big red flag for my family and me in early news reports was the realization that we almost exclusively use debit cards for our retail purchases. Though ours are backed by Visa and Wells Fargo policies (which dramatically limit our exposure) as you’ll see the personal risk and liability for using a debit card over a credit card is MUCH higher!
Though little is known about the exact nature of the Target breach as I write this post, Target’s statement about there being “no indication” that PIN numbers weren’t breached is weak assurance that we Target-shopper’s debit card PIN numbers were not stolen. Some commentary I’ve read suspect code was inserted in to the Target network and the crooks were able to intercept the data on the magnetic strip when shoppers used their cards at a Target point-of-sale (POS) terminal. Capturing this information would then enable crooks to place that data on a counterfeit card or use it for online shopping (Update: As Krebs points out in the last paragraph of his updated post, there are two CVV numbers: one on the magnetic strip and one printed on the back of the card itself. Online retailers use the “CVV2” printed number to verify that you are, in fact, most likely holding the card in your hand. Target has confirmed that the CVV1′s were stolen but the CVV2s were not).
“No indication” of a PIN breach or not, the big problem for we debit card users is that our PIN numbers could have been intercepted from that same POS terminal thus enabling thieves to use it for direct purchases or even ATM withdrawals, according to Krebs:
The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.
ABOUT DEBIT CARDS
Most of us know that it is simple to report fraud on a credit card, have your card reissued, and at most we’re at risk for $50 if we report it within 60 days. What most people do NOT know is that using a debit card could cause your bank account to be drained and end up with you needing to fight, potentially for months, to get your money returned in to your account.
Did you also know there are two types of debit cards? I didn’t and it turns out our debit cards from Wells Fargo can be used as either a credit or debit card (i.e., used with or without a PIN).
In February of this year ABC News had a good article on Why Using Debit Cards Can Be Dangerous which had these two key paragraphs that detailed the difference (my emphasis):
Unbeknownst to most people there are actually two different types of debit cards, deferred and direct. The deferred card – or signature-based – is similar to a credit card minus the credit. This card requires you to sign for the purchase and then the money will be debited from your checking account within two to three days. A direct – or PIN-based – debit card requires that you punch in your PIN number every time you buy something and the money is immediately withdrawn from your account.
When the consumer uses their personal identification number to make a purchase, the retailer usually pays a flat fee to the bank. However, when the purchaser opts to use their debit card as a credit card, which typically requires a signature, the retailer generally has to pay a percentage fee based on the amount of your purchase. Therefore, it is becoming more common for the retailers to encourage PIN-based transactions, and several are no longer accepting debit card purchases that require a signature at all.
Retailers pay billions in fees to credit card companies that back debit cards so they have a huge incentive to get us to use the direct (PIN-based) method at the register.
I stopped and thought about my own family’s debit card use and that many retailers we frequent do ask for a PIN to be entered in the terminal. Sometimes it is obvious how you can bypass this (so the retailer pays that fee and our PIN isn’t exposed), but sometimes it is not. Frankly I never paid much attention to it since I shop at reputable retailers (like, um, Target?) but I will in the future.
HOW TO PROTECT YOURSELF
Should you just cut up your debit card and exclusively use a credit card going forward? Probably if you consider this example of what happens if your debit card is breached and used fraudulently. An implied warning was laid out well in this BankRate.com article about why using a debit card is fraught with peril and risk (my emphasis):
Debit cards are different. Debit cards may look identical to credit cards, but there’s one key difference. With credit cards, users who spot fraudulent charges on their bill can simply decline the charges and not pay the bill. On the other hand, debit cards draw money directly from your checking account, rather than from an intermediary such as a credit card company.
Because of that, even clear-cut cases of fraud where victims are protected from liability by consumer protection laws can cause significant hardship, says Frank Abagnale, a secure-document consultant in Washington, D.C.
He cites the example of the The TJX Companies Inc.’s T.J. Maxx data breach that exposed the payment information of thousands of customers in 2007. The incident resulted in $150 million in fraud losses, and much of it was pulled directly from customers’ bank accounts. While credit card users got their accounts straightened out and new cards in the mail within a few days, the case created major problems for debit card holders who waited an average of two to three months to get reimbursed, Abagnale says.
If you are going to use, or have to use, a debit card, BankRate also provided four transaction points where you should use extreme caution (or never, ever use) a debit card. NOTE: I added #5 since we travel frequently on business and #6 because of my own personal investigation with our bank:
1) Independent ATMs – You run the risk of skimmers. While skimmers can be found on bank ATMs, they’re less likely because there are often security cameras in place.
2) Pay at the pump – Skimmers aren’t the only danger to your wallet. The gas station will put a big hold on your account that could cause your checks to bounce. If you must pay with debit at gas station, go inside and pay at the cashier.
3) When you’re buying online – Credit card is a much better option. If you don’t get your merchandise, you can do a chargeback during a 60-day window. Debit card amounts are immediately withdrawn from your account and you have to fight the merchant (and quite often your bank) to get your money back.
If it is a small or unknown merchant (e.g., on eBay or an Amazon affiliated merchant) good luck getting reimbursed. If someone has fraudulently used your credit card, you (or your credit card company) are likely to spot it before you get the statement. That means you are never out the money. You dispute the charge, subtract the disputed amount from your bill and let the credit card issuer worry about it. With a debit card, the stolen money may have already left your account. That means you have to dicker with your bank to get reimbursed. Some banks are quick and helpful in resolving these disputes. Others? Not so much.
4) At a restaurant – Because there is such high turnover of wait staff at restaurants, you don’t want a dishonest employee to get hold of your debit card or, hopefully, not run it through a pocket-sized credit card data skimmer (which stores your track data which can subsequently be used to counterfeit your card).
5) When traveling – Consider very seriously never using your debit card while traveling and specifically for booking and paying for your hotel or rental car. When using a debit card hotels and rental car companies place a “hold” on money in your account to ensure that you have sufficient funds to pay your bill when you check out. This held amount can typically be for double the amount of your stay (in case you stay longer or raid the minibar at the hotel) or some arbitrary amount in the thousands of dollars in the case of a rental car company (in case you damage the vehicle). Add to that the unknown number of merchants with which you will interact while traveling (and this varies by country, of course) and your risk could rise exponentially.
6) Discover your bank’s debit card policies – One would think our bank, Wells Fargo (which is the 4th largest in the U.S.) would clearly spell out their debit card policies and how they protect us, right? Nope. It was startlingly obtuse and caused me to dig around alot…and I still didn’t get all my questions answered.
Calling Wells Fargo customer debit card support on Friday morning to replace my wife and my debit cards (just in case they were breached at Target) was a lengthy but easy process, the hard part was trying to find out what our bank’s policy was about when fraud should be reported. Some online articles say things like “most banks want you to report within two days” and others say “within 60 days“. Does prompt mean two days? 30 days? 60 days?
Logging in to our Wells Fargo account I was partially relieved to discover that, even though the bank still doesn’t define “promptly”, it does have some good information about how we are protected:
Your Wells Fargo Debit Card comes with Zero Liability protection at no extra cost:
+ You won’t be liable for promptly reported unauthorized purchases or ATM transactions.
+ 24/7 monitoring: we help prevent unauthorized transactions by regularly reviewing your accounts for unusual activity.
+ Expert help is just a phone call away if your financial information is compromised or stolen. We’ll provide the information and assistance to help you get your account back on track.
+ Get real-time access to all transactions and balances to stay informed of all account activity. Your account information will not be shared with non-affiliated third-party marketers without your consent.
+ Alerts: When you sign up for ATM/debit card alerts, it’s easy to stay informed about unusual activity on your Wells Fargo card. You can set up alerts for any of the following types of activity that may occur:Your purchase or ATM withdrawal is made from an international location.
– Your card is used to make a purchase over the internet, by phone, or by mail order.
– Your purchases exceed an amount designated by you.
– Your daily ATM withdrawals exceed an amount designated by you.
What does your debit card issuing bank offer? I would heartily recommend that, if you have a debit card and use it, you find out what your bank does for you if it is lost, stolen or its data compromised and the card used fraudently. Also find out if they offer alerts like Wells Fargo does (which I’ve now set up on all cards) since it can quickly notify you of any aberrations with your debit card usage.
WILL THERE SOON BE HIGHER FEES FOR USING A DEBIT CARD?
Here is one last data point for your consideration about whether or not to consider using a debit card as you shop going forward: debit cards carry higher risks for everyone so fees are likely to go up.
In the 2013 LexisNexis® True Cost of Fraud Study (PDF) it is pretty clear to me that we shoppers using debit cards simply cost retailers and financial institutions too much money (my emphasis):
Nearly all of the FI interviewed (financial institution executives surveyed) report that credit and debit cards continue to represent both the highest volume of fraud among their product lines and their greatest area of exposure. Some attributed 30%-40% of their overall fraud losses to fraud associated with their credit card and debit card products. Among the types of issues that they are experiencing at the POS, skimming and counterfeit cards continue to be a major problem. Card-Not-Present fraud is on the rise, and as consumers continue to use online and mobile retail channels, issuers are faced with potential for growing fraud exposure.
Visa’s™ April 19th, 2013 chargeback rule change is negatively impacting the success rates of chargebacks among some issuers. By only requiring that merchants provide evidence that the card in question was presented to the cashier, issuers are losing what may have previously been successful chargebacks. They are experiencing a rise in debit card charge backs, particularly through online channels, with charge back recovery rates of about 70% to 85% for most card products. However, many issuers reported lower success rates with debit cards compared to that of credit cards.
Bottom line? We debit card-using shoppers cost retailers more if we don’t use our PIN numbers, fraud perpetrated with debit cards (and disputed charges causing chargebacks) are higher and that costs card-issuers more, and that the card-issuing companies are less successful recovering incorrectly disputed chargebacks so that costs them more too. The only likely outcome of this is higher fees for using debit cards.
Good luck and happy shopping!
FURTHER READING