
The Problems With Debit And Credit Cards Are Deeper Than We Thought - Cbasedlifeform
http://readwrite.com/2013/12/31/atm-cards-debit-cards-credit-cards-hackers-skimmers#awesm=~orHPsFpK3uryNs
======
coin
This is why I use credit cards instead of debit cards. With a debit card the
funds are drawn directly out of our account. With a credit card, there's a
third party in between. The funds are initially paid by the bank, and only
when I approve the purchase do I forward my funds.

For unauthorized transactions, credit cards are a piece of cake. I have
several options - dispute or flat out not pay. The right to dispute is
protected by law (in the US). Debit cards are a different story. When funds
are fraudulently withdrawn, they are already gone. Now the burden is on me to
convince the bank to reimburse me. I have to make my case to the bank and hope
they side with me.

I really don't see what all the uproar with CC fraud is about. Use CC instead
of debit cards, review your statement before making payment, dispute all
fraudulent charges and stop worrying about fraud - that's the bank's job.

Also, -1 for disabling pinchzoom on mobile devices. What value could this
possibly add?

~~~
viraptor
Can't say it was a bad experience for me with the debit card. I've been
charged ~10 times for the same plane ticket once (most likely charged until
the bank refused more overdraft). Got a message about an overdraft straightaway
on my mobile, called the bank, said only "that's a mistake, there should
be only one" and the transactions were reverted immediately. (then the airline
refunded them on their end again and reverted the refund when they realised
the bank was faster, but in the end the balance was ok)

So yeah, in theory it's easier to get the credit card charge disputed. In
practice, it probably depends on your bank a lot. This happened in the UK btw.

~~~
Locke1689
I think one should be able to easily see the difference in your situation to
every fraudulent situation, namely that the balance was OK in the end.

~~~
viraptor
The balance was not ok when I reported it. The bank reverted the transactions
immediately, without contacting the merchant. It was while I was still ~2k
below.

------
crazygringo
> _ATM cards with their current security are too dangerous to use... We no
> longer use ours. They stay in a secure place in our home._

Um... how does he get cash out of the bank then? Does he wait 10 min in line
and write himself a check at the cashier's every time? Can you even do that
anymore, without using your ATM card and PIN to verify your identity?

And are people ever on the hook for fraud? I get that debit/credit cards have
problems, but I don't see why any individual person would stop using them. Is
anyone ever not reimbursed for fraud?

Occasional fraud is like the occasional car accident -- sometimes somebody
will hit your car, and you'll have to file an insurance claim, and it might
take a few weeks to resolve. Sure it's annoying, but that doesn't mean you
decide never to drive a car again.

~~~
lukeschlather
> Um... how does he get cash out of the bank then? Does he wait 10 min in line
> and write himself a check at the cashier's every time? Can you even do that
> anymore, without using your ATM card and PIN to verify your identity?

I go to the credit union around the corner from my office, most of the time is
spent walking to and from the CU. The line never takes more than 3 minutes.
Usually there's no one in line.

~~~
Groxx
My bank is essentially only online, no offices, certainly not just around the
corner (I think the closest is >100 miles away). What then?

~~~
ivanca
Many options:

1) PayPal check (can be used directly at Walmart and other places).

2) Pay-online-&-pick-in-store services.

3) Online buying; Amazon, eBay, etc.

4) Online groceries: Safeway, Walmart and others have this service.

5) You can buy a prepaid credit card so they can't steal more than the amount
you charge in it but still can use it in ATMs and stores.

------
paul9290
Damn it I want the same two way verification option Google provides that
allows me to approve or deny a charge over X amount either via a phone call or
text message.

The X amount would be set by myself, but the amount set would have to be
something like $300 & over.

The cost and time to implement this option for US bank customers would be nil
compared to implementing Europe's chip and pin system.

US banks have no current incentive to implement the European system as it's
too costly comparative to the fraud that's happening. Thus we need a less
costly & quick solution. This is one; anyone have others?

~~~
jahewson
> the European system [is] too costly comparative to the fraud that's
> happening

Citation needed

~~~
MatthewWilkes
FWIW, I've been with 5 European banks and never had a single instance of
fraud.

~~~
simoncion
FWIW, I've been with three US banks and have had zero instances of fraud. :)

------
amalag
The industry just needs a kick in the pants to move to one time generated cc
numbers. There are companies making such cards that are physically compatible
with existing card readers. I had read about it, but cannot find the company
name, I believe they had some sort of patent but were struggling.

The company said they had a credit card which provided one time numbers when
swiped so was immune to skimming. I think the industry should move to such
smart cards and there are different methods to secure transactions online.

~~~
amalag
I will also comment that they don't have the kick in the pants because they
mostly shift the risk. If a merchant accepts a stolen credit card, they simply
reverse the charge and the merchant is left holding the bag. They just ship
out a new card and reverse charges. They do not have a financial incentive to
fix this problem because it doesn't affect them much. If it does they will
probably just collude with each other and raise rates across the board. It may take
outside incentive (regulations) to make them fix it.

------
44Aman
How are chip and pin cards "completely unsuitable for ecommerce and mobile
payments"? I can manage both of these fine in the UK.

~~~
danpalmer
Yeah, Chip and PIN (EMV) in the UK is much better for security, we have a lot
lower rates of card fraud here than in the US. In fact most of the world has
now switched to EMV, the US is the only major country that I can think of
which is still on swipe payments.

The problem goes further than the cards themselves though, I think the big
problem with them is that you have to give companies all of the details needed
to make a charge when you buy things online, and those details are stored.
Other comments here are right, the main way to deal with this is single use
card numbers that can be revoked individually.

I think a good way would be to implement something similar to what OAuth does.
When you want to make a payment to Amazon for example, you tell your bank who
you are and after authenticating you, they would provide a token to Amazon who
can store that to use for purchases. If at some point in the future Amazon
were 'hacked', the bank could revoke charging authorization for all tokens
given to Amazon, immediately protecting all of their customers.
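
A sketch of the bank-issued, merchant-bound token scheme proposed above. This is an added example, not part of the comment and not any bank's or card network's real API; `Bank`, its methods, and the merchant names are hypothetical, and the merchant identity passed to `charge` is assumed to be authenticated by the bank through some separate channel.

```python
import hashlib
import secrets


class Bank:
    """Hypothetical issuer; every name here is an assumption, not a real API."""

    def __init__(self):
        self._balances = {}  # account -> spendable cents
        self._tokens = {}    # sha256(token) -> {"account", "merchant", "revoked"}

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leak of the bank's table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def open_account(self, account, cents):
        self._balances[account] = cents

    def balance(self, account):
        return self._balances[account]

    def authorize_merchant(self, account, merchant):
        """Run after the customer authenticates to the bank; the merchant sees only the token."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "account": account, "merchant": merchant, "revoked": False}
        return token

    def charge(self, token, merchant, cents):
        """`merchant` is assumed to be authenticated by the bank (e.g. mutual TLS)."""
        entry = self._tokens.get(self._digest(token))
        if entry is None or entry["revoked"]:
            return "declined: unknown or revoked token"
        if entry["merchant"] != merchant:
            return "declined: token bound to another merchant"
        if cents <= 0 or cents > self._balances[entry["account"]]:
            return "declined: amount"
        self._balances[entry["account"]] -= cents
        return "approved"

    def revoke_merchant(self, merchant):
        """Breach response: kill every token issued to one merchant, nothing else."""
        hit = [e for e in self._tokens.values()
               if e["merchant"] == merchant and not e["revoked"]]
        for e in hit:
            e["revoked"] = True
        return len(hit)


if __name__ == "__main__":
    bank = Bank()
    bank.open_account("alice", 10_000)
    shop_a = bank.authorize_merchant("alice", "shop-a")
    shop_b = bank.authorize_merchant("alice", "shop-b")
    print(bank.charge(shop_a, "shop-a", 2_500))   # normal purchase
    print(bank.charge(shop_a, "shop-b", 100))     # token replayed elsewhere
    print(bank.revoke_merchant("shop-a"))         # shop-a reports a breach
    print(bank.charge(shop_a, "shop-a", 100))     # stolen token is now dead
    print(bank.charge(shop_b, "shop-b", 100))     # other merchants unaffected
```

Because the token is bound to one merchant, a copy stolen from that merchant's database cannot be replayed anywhere else, and revoking it does not force the customer to replace a card number used everywhere.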

~~~
cnorthwood
Isn't that kind of what Verified By Visa/MasterCard SecureCode tries to do
(but implemented amazingly badly)?

~~~
rwmj
Although there are some problems with the implementation, I've come to like it
for a couple of reasons:

(1) It authenticates features of your browser (like user-agent, IP address) to
score the transaction. These are somewhat hard for an attacker to duplicate.

(2) With some UK banks, it is combined with a hardware one-time password
generator to form a reasonably robust two-factor authentication.

Now there are certainly problems, such as it appearing in a frame, and not
appearing as a subdomain of your bank, and those should be fixed.

~~~
vitd
The main problem with Verified By Visa (and whatever MasterCard calls it) is
that in using it, you agree to be liable for it as if it were a card-present
transaction, which is ludicrous for online purchases. Whenever I'm stopped to
sign my card up for "Verified By Visa," I immediately switch to a different
card because of the reduced protection I would have to agree to with
"Verified" transactions. It's simply a way to shift responsibility onto the
purchaser with no additional protection.

~~~
jamesbritt
I used to run into the VBV screen when ordering from Newegg. It's been a
while so I don't know if things are the same. I refused to consent to the
terms for the reasons you gave. Instead, I just closed the browser. The funny
part is that my purchase would still go through.

------
gexla
Prepaid cards are another option. It seems that carrying an ATM card that can
clean out all your cash is a bit crazy. The problem with prepaid credit cards
is that as with anything else in your financial world, it costs you money. As
they become more popular they also get more competitive on their costs though.
I believe my Paypal card also has an option to set daily limits. I imagine
other cards can do the same. Just set a limit based on your daily budget and
then maybe carry another prepaid card as a backup.

------
quattrofan
Interesting, but regarding ChipNPin cards, the assertion that they are
"unsuitable for e-commerce" is not correct, I've used mine quite a lot.

~~~
nraynaud
There is another system for e-commerce, where the card generates a new credit
card number on the fly for each transaction (I know Visa Electron is this kind
of system).

edit: I got it wrong. Visa Electron is a systematic checking card (the shop
has to call the bank to get the authorization every time), the short validity
disposable card numbers have another name.

------
lgleason
The chip and pin system would help. Credit Card issuers in the US haven't
gotten on board yet because the amount of losses prevented by chip and pin
aren't high enough to offset the cost of a rollout. Using a debit card is just
asking for trouble...ATMs should be used in rare circumstances at reputable
banks etc.. I can remember hearing about ATM skimming scams over 7 years ago
in the US. This is nothing new.

Consumer advocates such as Clark Howard
[http://www.clarkhoward.com/news/clark-howard/personal-financ...](http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/4-places-never-use-debit-card/nC3Nz/)
have been talking about this for
years. I won't even get into the security risks of using a check to pay for
something....and the sad thing is that I know people who will carry around
their checkbook and still use them way too often. Once someone has your
checking account number it is really easy to do all sorts of bad things. That
is why I prefer online bill pay services etc..

~~~
mgkimsal
"because the amount of losses prevented by chip and pin aren't high enough to
offset the cost of a rollout"

Over what time period? Sure, there's a high cost over a short rollout (6-12
months?) The savings in prevented losses go on for years.

~~~
lgleason
If it was bad enough now, I'm sure they would be pushing for it sooner rather
than later. With that being said if this article is to be believed then it
will be coming in the next few years.

[http://www.creditcards.com/credit-card-news/us-slowly-rolls-...](http://www.creditcards.com/credit-card-news/us-slowly-rolls-out-emv_chip-technology-1276.php)

------
jakub_g
Been living in a couple of European countries in last few years, luckily I
never fell prey to any fraudulent operations (I pay online sparingly, mostly
for air tickets; paying by card and using ATMs quite often).

There are multiple ways to minimize the risks in very simple ways, and it's
strange the banks/card companies do not care about it.

1\. Have separate cards for ATM+payments and separate for just online
transactions. As simple as that. In Poland many banks offer "virtual cards"
i.e. just CC number + CVV for internet-only transactions. But it's usually
extra paid (though rather cheap).

2\. Suppose 1. is impossible, then why on earth CVV is printed on the back of
the CC?

3\. Being a geek, I'd love to have a superuser panel in my online banking
interface where there would be on/off switches like: enable this card for
particular regions/countries, enable for internet transactions, etc etc. I'd
turn them on if I plan to go to Indonesia or Colombia; for 90% of people
random transaction in a remote country is a fraud.

4\. In one of my banks I can't change PIN to my debit card in the ATM. WTF?
Well maybe it's a security feature, otherwise people will put 1111 and be
happy [1]

5\. In one of my online banks, my login is publicly known (part of account
number) and password is max 6 digits (0-9) <sigh>

IMO the best always-available precautions are to

1) keep just a bare minimum on the primary account and put the rest on a
savings account, which can't be accessed via card outside the issuer bank's
ATMs,

2) monitor transactions via online bank at least weekly.

[1]
[http://www.datagenetics.com/blog/september32012/index.html](http://www.datagenetics.com/blog/september32012/index.html)

~~~
filbertkm
Deutsche Bank online banking allows authorizing bank card use in foreign
countries. The feature is only available on the German version of their
website. I can also set daily / weekly limits for my bank card. For online
transactions, I think 2 factor authorization is used. (e.g. enter a TAN)

For my bank account in US, I am not aware of any option for authorizing
foreign transactions online (only calling the bank), nor setting usage limits.
I can set alerts to be notified for transactions, but only $100+ transactions.

The one time I did get "hacked", it was with another card where I got notified
immediately by email each time it was used. So found out quickly when
thousands of dollars were being spent on iTunes! I think those were in a rapid
series of smaller transactions (can't remember, less than $100 or more, but
maybe less). The notifications allowed me to promptly get my card cancelled to
at least limit the damage and then was able to get my money back. Lesson is
for stuff like iTunes (well, I don't like to use them anymore), but generally
to buy gift cards, when possible, for online shopping/services and put the
credit onto my account. For more popular places like Amazon or iTunes, gift
cards can be bought in many brick and mortar places with cash. Then I don't
have to give them my credit card or bank info.

~~~
jakub_g
The issue with transaction limits (while they're good in general) is exactly
what you've mentioned, lots of small transactions quickly after each other do
not get blocked.

Actually this is now one of the most popular card frauds in Poland right now:
majority of newly issued cards are paypass/paywave-enabled and moreover,
offline (not checking the balance while paying, and usually there's also no
limit imposed on number of consecutive operations without PIN - though
technically it would be trivial to implement).

I.e. you can even make someone a _negative balance_ on his account with a
series of rapid small (<12€) touch transactions, and many people are not aware
of this, while banks keep telling people that everything's super secured.

~~~
filbertkm
well, I can set a limit of say 500 euros (or whatever I need) per day. So even
with a lot of smaller transactions, there is a point where they would stop.

Damage can still be done, though and I'm not aware if/how I can get alerts for
transactions. So I need to remember to check my account often.
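
The controls discussed in this subthread, replayed against a burst of small contactless payments. This is an added example, not part of any comment and not any issuer's real rule set; `CardControls`, `replay`, the thresholds and the tap data are constructed for illustration, with amounts in euro cents.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CardControls:
    """Hypothetical issuer-side checks; thresholds are illustrative assumptions."""
    per_txn_alert: int = 10_000      # notify only at or above this amount
    daily_limit: int = 50_000        # rolling 24 h cumulative cap
    max_no_pin_streak: int = 5       # consecutive no-PIN payments allowed
    history: list = field(default_factory=list)   # (timestamp, cents) approved
    no_pin_streak: int = 0

    def decide(self, when, cents, pin_verified):
        if pin_verified:
            self.no_pin_streak = 0
        elif self.no_pin_streak >= self.max_no_pin_streak:
            return "pin_required"
        window_start = when - timedelta(hours=24)
        spent = sum(c for t, c in self.history if t > window_start)
        if spent + cents > self.daily_limit:
            return "declined_daily_limit"
        self.history.append((when, cents))
        if not pin_verified:
            self.no_pin_streak += 1
        return "alert" if cents >= self.per_txn_alert else "approved"


def replay(controls, taps):
    """Run (timestamp, cents, pin_verified) tuples through the controls in order."""
    return [controls.decide(*tap) for tap in taps]


# Constructed sample: 60 no-PIN taps of 11.00 EUR, 20 seconds apart.
BASE = datetime(2013, 12, 31, 12, 0, 0)
TAPS = [(BASE + timedelta(seconds=20 * i), 1_100, False) for i in range(60)]

UNLIMITED = 10**9


def compare():
    """Count approvals under each control on its own."""
    alert_only = replay(CardControls(daily_limit=UNLIMITED,
                                     max_no_pin_streak=UNLIMITED), TAPS)
    daily_cap = replay(CardControls(max_no_pin_streak=UNLIMITED), TAPS)
    streak = replay(CardControls(daily_limit=UNLIMITED), TAPS)
    return {
        "alert_only": alert_only.count("approved"),
        "daily_cap": daily_cap.count("approved"),
        "no_pin_streak": streak.count("approved"),
    }


if __name__ == "__main__":
    print(compare())
```

A per-transaction alert threshold never fires on this burst, the daily cap bounds the loss at the configured total, and the consecutive no-PIN counter stops it after a handful of taps.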

------
ChuckMcM
One of the challenges of not having debit cards is you can't get cash "for
free" with a credit card, basically if they don't charge a cash advance fee,
they do charge finance charges from the moment of the advance to the payment
landing.

One strategy might be to use a 'pay as you go' debit card where you can put
money on it using a banking service, but leave it normally with less than a
$20 balance. Then using your smart device you add cash and then get it, in the
event you need cash, but if the card is compromised you don't put any
additional cash at risk.

It is pretty broken. I'm really surprised the banks are willingly eating those
losses.

~~~
pavel_lishin
How much are the finance charges? Many ATMs charge anywhere from a buck to
three dollars for a withdrawal, unless you go to your "home bank".

~~~
saryant
By finance charges, he means interest, not a fee. In the US, cash advances on
a credit card typically incur interest immediately rather than after the
billing cycle ends (barring some sort of promo).

~~~
pavel_lishin
Sure, but how much is the instant-interest on the amount withdrawn compared to
a $3 ATM fee?

~~~
saryant
Cash advance APR by whatever you withdrew by however long it takes for you to
pay it.

There's no single answer to that question.

------
thomasfedb
I find it odd that in a world where people can configure two-factor
authentication for their email, we're not doing it universally for money.

My Australian debit card requires a PIN for anything over AUD 100 at a store,
and if I'm buying online I get an SMS from my bank to provide a confirmation
code. Seems sensible.

Additionally, even though it's a debit card, transactions are generally left
pending for 4-or-so days during which I can call the bank and have them
blocked.

------
bediger4000
The banking system took the easy way out at every step of the process that
led to our current electronic money system. No surprises there, banks are
immoral corporations. The emergent system is utterly insecure. Again, no
surprises, people have been saying that the credit card system is totally
compromised for years.

So, we have to look at the root causes of this insecure emergent system:

1\. Almost completely unencrypted. The USA's (also possibly emergent) policy
on cryptography is to keep it out of general use. Clearly, the NSA knew enough
about cryptography in the 70s and 80s that they could have guided the US
banking system in a more secure direction. But they didn't, apparently for
fear of giving away secrets. Or something.

2\. Letting corporations develop de facto electronic money. Crappy security is
just one aspect of this problem, others are ridiculously high interest rates,
and the fact that it's cheaper for corporations to take checks than to
take credit card payments, as the US Federal Government runs the check
clearing houses for free or almost free.

------
jgalt212
Mag stripe fingerprinting, if widely implemented, can prevent a lot of offline
fraud. It seems all the fraudulent transactions cited in the article were of
the off line variety.

[http://blogs.creditcards.com/2013/04/cards-mag-stripe-finger...](http://blogs.creditcards.com/2013/04/cards-mag-stripe-fingerprint-foils-thieves.php)

------
vxNsr
I don't understand people who use debit cards to purchase things, it just
doesn't make much sense to provide anyone with a direct line to your bank
account...

Not to mention using your CC will build your credit score making it easier to
buy a house/car/big purchase.

------
natch
He keeps saying "ATM card" but is he really talking about a debit card? They
are different. But he never makes it clear he gets the distinction. They are
both vulnerable, but this lack of clarity throws his credibility into question
for me.

------
adrr
I don't see how credit card fraud is the customers' problem. Max exposure is
$50. When you file a chargeback, you get the money credited back on CNP
transactions. Merchants are the ones who get nailed. Not only for the lost
product but also the fees associated with chargebacks. As an e-commerce
merchant, I would love to have more protections against fraud especially the
increase in friendly fraud (customer defrauding us by use of chargebacks). As
customer, I would fear burden of proof shifted to me instead of the merchant
when dealing with fraud. This is why I don't use 3-D Secure (Verified by Visa)
online or PIN based transactions at stores.

------
neil_s
The problem as I see it is very simple. When you hand over cash, that's it,
that's the end of the transaction. The 'seller' can't use this cash to access
any more of your money. On the other hand, using any of these systems, you
don't hand over a fixed amount of money, you hand over the keys to your
account, and allow them to take out as much money as you want.

I don't know why the system hasn't been designed in a way where you only
authorise 1 payment at a time, and the combination of information provided
goes stale after that transaction so it can't be used again.

------
dopkew
Credit cards are more secure than Debit cards, but they lack one important
feature: protection from overdrawing more than the amount in the account
(overspending). Why don't banks offer this type of credit cards?

~~~
sliverstorm
I could have sworn credit cards will be rejected if you hit your credit limit.

~~~
viraptor
If you try to get some "unreasonable" amount of money from them - probably.
Anything that you're remotely likely to pay off in penalty charges is unlikely
to get blocked. That means an unauthorized overdraft of $1k that you don't
have is a good deal for the bank.

~~~
sliverstorm
Hmm. I guess I don't really know for sure, my credit limits have always been
much, much higher than my spending.

------
viraptor
Reading the comments, I feel like I'm the only one more worried about someone
physically stealing the money from me than about a dispute I cannot complete.
In the first case I can't do anything about it. In the second I have good
experience with reverting debit card transactions without any problems...

------
tomasien
Working on fixing this -
[http://www.youtube.com/watch?v=QR5UTLxe5zA&feature=youtu.be](http://www.youtube.com/watch?v=QR5UTLxe5zA&feature=youtu.be)

~~~
nraynaud
the relevant technical solutions have all been deployed in Europe for decades,
the problem is not technical.

~~~
tomasien
Agreed, but they are technical in that right now they're really hard to use.
We're fixing that.

