
Millions of Target shoppers face new debit card limits - ibsathish
http://in.reuters.com/article/2013/12/22/target-jpmorgan-idINDEE9BL00N20131222
======
bilalq
I really like the way Simple handled this situation. Their notification to me
was actually the first I heard about this happening. They even suggested
leveraging the feature to temporarily block the card as an added security
measure.

An excerpt from their message:

 _Due to a recent data security breach at a large national chain, we’re
sending you a new Simple card. No worries: your current card will continue to
work as normal until you receive and activate the new card in about 5-7
business days. And of course, there’s no fee to replace this card._

 _We have no evidence to suggest that your specific card was compromised. We
are taking this step as a precaution, since you shopped at the store in
question during the time of the compromise._

------
j79
Not sure if it's related, but today, at 12:45PM (on a Sunday), I went to the
local Chase branch (in San Jose) to withdraw some cash from the ATM. The
branch was open and staffed, with tellers assisting those customers who needed
to withdraw more than $100. I thought that was pretty cool.

~~~
jbigelow76
Yeah, it's related. I got an email yesterday about the new limits until my new
debit card arrives in the mail (I didn't request it). It re-iterated that I
wouldn't be responsible for any fraudulent transactions and that branches
would have more staff on hand to accommodate withdrawals beyond the
temporarily imposed limits.

------
morgante
This is why nobody should ever use a debit card... just get credit cards.

~~~
valleyer
Huh? What's to stop them from doing this to credit cards?

Edit: To clarify, I understood the parent comment to mean that this lowering
of limits was why I should use credit cards over debit cards.

~~~
cynwoody
Nothing.

The difference is that, when fraudsters hit your credit card, you're not out
any money, _ab initio_. You call the card company and make them take the
fraudulent charge off your bill. If they refuse, they have to sue to get your
money. But if the bad boys nail your debit card, your account is dinged
immediately, and you have to deal with the bank to get your funds restored.

Therefore, you should use ATM cards at ATMs only and only use credit cards to
shop and travel and dine out (and enjoy the float and the points and pay in
full every month). If your ATM card has a credit card logo (called a "check
card"), call your bank and complain, and they'll issue you one that is _only_
an ATM card and _cannot_ be used to shop without a PIN.

It's worth noting that the Target case is confined to credit cards, not debit
cards. To hack a debit card, the attacker must intercept both the mag stripes
and the PIN that goes with them. That's hard to do, given the way PIN pads
work. Reportedly, in the Target case, they did not succeed in doing that.

~~~
rm999
There are a few inaccuracies in your comment.

> If they refuse, they have to sue to get your money

First, they wouldn't refuse (at least in the USA) because Visa and Mastercard
contractually require issuers to cover debit cards at the same level as they
do for credit cards, which is complete protection from all liability.

Second, with credit cards you can't just decide what to pay off and what not
to. If the issuer refuses fraud protection to you for whatever reason your
credit rating is on the line if you don't pay off the balance. They may sue
you, and they may damage your ability to get credit for a long time.

In other words, the situation between debit and credit card protection is
basically the same: in both cases the issuer will almost certainly protect
you, and you're screwed if they don't.

> To hack a debit card, the attacker must intercept both the mag stripes and
> the PIN that goes with them.

This is not true in the USA. Debit cards can be used in non-point of sale
transactions (e.g. phone or internet) and point of sale non-PIN "signature"
transactions where you use your debit card like a credit card.

~~~
cynwoody
> _Debit cards can be used in non-point of sale transactions (e.g. phone or
> internet) and point of sale non-PIN "signature" transactions where you use
> your debit card like a credit card._

That's true of most debit cards, namely the ones that sport a Visa or
MasterCard logo. They are called "check cards" and can be used in either debit
mode (enter PIN on PINpad, no signature) or credit mode (sign if over the
merchant-defined limit). Either way, the charge goes against your bank account
as soon as the bank receives it.

The difference between credit and debit mode is in who processes the charge.
For PIN-less signature mode, the credit card network handles the transaction.
For PIN debit mode, the debit network (e.g. NYCE) handles it. The debit
networks are immediate: the money comes right out of your account. The credit
card networks are slower. It may take a day or two for a transaction to hit
your account.

I remember fifteen or twenty years ago when my bank introduced check cards. I
called them and asked if the new MC logo meant the card could be used without
entering a PIN. They said yes, and I said I didn't want it. A replacement
minus the logo (and with a different PAN) arrived a day or two later.

------
code_duck
Why not just issue new cards?

I recently received a new debit card from my bank... Claiming they had
'detected a problem with my magnetic strip', which seemed spurious as I had
never detected any problem with using the card. When this happened before, my
old card continued to be okay until I activated the unsolicited replacement.
This time, I was denied use of the card at two stores before I called my bank,
who told me the card had been suspended - by the 'anti-fraud unit'. They
didn't wait for me to confirm I received the new one by activating it.

I had indeed used that card at Target in the past three months.

~~~
lachyg
Chase is issuing new cards -- the limits are temporary, and until the new
cards arrive.

"Watch for your new card. We plan to reissue all affected debit cards and
Chase Liquid Cards automatically over the coming weeks. Until then, you can
use your debit or Liquid card with the temporary limits."

------
JoshGlazebrook
I originally was going to sign up for a debit red card, but they wanted a
voided cheque for my account. I don't even have any cheques for my checking
account so thankfully I opted for the credit option and got a decent limit.

Going forward, I doubt I will ever decide to link my actual bank account to
any retailer cards in the future. It's safer, in my opinion, to just use
credit for everything since if that card is compromised it's the bank's money
that is being taken and not the actual money directly from my bank account.
Which results in less consumer inconvenience at least for me.

~~~
derefr
> but they wanted a voided cheque for my account

Any time an institution asks for a voided cheque, all they're going to do with
it is copy the bank, branch, and account numbers off the bottom of it. You can
just give them a piece of paper with those three numbers on it instead and
they'll take it.

------
ericcumbee
It seems like a reasonable move. Limit the amount of damage, without
completely cutting people off from their money.

------
johansch
Why don't they replace (and invalidate the old) cards for everyone affected
instead?

~~~
ProAm
I think the sheer number makes that a logistical impossibility in the short
term. It's an inconvenience for Chase members, but I think they are taking the
right actions here to make things as easy as possible for all parties
involved.

~~~
johansch
The right course of action would of course be a combination of

a) reduced withdrawal limits

b) replaced cards, ASAP

------
xorgar831
I still don't get how they had the mag stripe, the PCI compliance [1]
documentation is pretty clear about that:

 _Sensitive data on the magnetic stripe or chip must never be stored. Only the
PAN, expiration date, service code, or cardholder name may be stored, and
merchants must use technical precautions for safe storage (see back of this
fact sheet for a summary)_

[1] https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
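
The storage rule quoted above, as an added Python example (not part of the original comment or of the PCI fact sheet): it keeps only the elements the fact sheet lists as storable from a Track 2 swipe and flags log lines that hold a full track image. The Track 2 layout is assumed to follow ISO/IEC 7813; the function names and all sample data are constructed for illustration.

```python
import re

# Assumed Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def storable_fields(track2: str) -> dict:
    """Return only the elements the quoted fact sheet allows to be stored."""
    m = TRACK2.fullmatch(track2.strip())
    if not m or not luhn_ok(m.group(1)):
        raise ValueError("not valid Track 2 data")
    pan, expiry, service_code, _discretionary = m.groups()
    # The discretionary field is dropped here and never returned. The PAN
    # itself still needs the "technical precautions" the fact sheet mentions.
    return {"pan": pan, "expiry_yymm": expiry, "service_code": service_code}

def find_stored_track_data(lines):
    """Return 1-based numbers of lines that contain a full Track 2 image."""
    hits = []
    for n, line in enumerate(lines, 1):
        if any(luhn_ok(m.group(1)) for m in TRACK2.finditer(line)):
            hits.append(n)
    return hits

# Constructed sample data; 4111111111111111 is a widely used test PAN.
SAMPLE_TRACK2 = ";4111111111111111=25121010000012345678?"
SAMPLE_LOG = [
    "2013-12-01 10:02:11 auth ok pan=411111******1111 exp=2512",
    "2013-12-01 10:02:12 debug swipe=" + SAMPLE_TRACK2,
    "2013-12-01 10:02:13 order 1234567890123456 shipped",
]

if __name__ == "__main__":
    print(storable_fields(SAMPLE_TRACK2))
    print(find_stored_track_data(SAMPLE_LOG))
```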

~~~
politician
A helpful comment from "Paul C" posted on krebsonsecurity.com:

"Speaking as a developer with 9 years of POS application experience, and 8
years POS support experience at a major OEM whose hardware isn’t in Target
stores anymore …

re: end to end encryption

There’s a financial difference to the retailer
between authorising a transaction with a card #, name and expiry date and
authorising one where the retailer has the full track info. The card processor
historically charges the retailer a smaller %age of the transaction total if
they can supply the full track info, since that implies the retailer
physically saw the card and so cuts down on ‘card not present’ fraud. Ironic,
isn’t it?

Historically the pinpad has given the unencrypted data to the POS terminal,
where the application is responsible for authorising the card (either over
dial up line or internet connection) with the card processor. Note that the
POS application typically does not do this itself – it hands it off to a
dedicated application on the POS terminal to do that. So in this case we’ve
already got unencrypted data going from the pinpad to the POS application to
the processing application. Whether the processing application encrypts the
data is between it and the bank, but most of the ones I’m aware of don’t (or
at least didn’t when I dealt with them). Now, modern pinpads have the ability
to authorise themselves directly with the processor without even giving the
card info to the POS terminal, but that then requires a pinpad have internet
access, with all the headaches that entails …

re: storing of card numbers by retailers

Consumers are lazy. We like being
able to return a gift without a receipt, and have the retailer look up the
transaction based on the card we used to make the purchase. We also like being
able to log in to our favourite website and make a purchase, billing it to the
card we used last time. In both cases the retailer has to store the card # &
expiry date in order to make this work. Sure, the retailer can not do this,
but how many customers are they likely to lose to the store next door which
does offer this functionality? It’s only when something goes wrong that we
start complaining about it.

re: writing “Check ID” on the signature line of the card

The signature on a
credit card is not to prove you are the cardholder, it’s to say you agree to
the terms and conditions of the card. If the card isn’t signed then the
retailer has no way to know that once they give you the goods you will
actually pay the card company – obviously you can still not do that (hence all
the people in credit card debt), but there’s a difference between not paying
the card company when you are legally obligated to, and not even having the
obligation. In the first the card company will come after you for lack of
payment, in the second the retailer is effectively giving you the product with
no recourse to anyone if you don’t pay. The reason most people get away with
it is because (a) most people don’t know the rules and (b) most store managers
and cashiers don’t want to be the one to enforce it. See
http://usa.visa.com/merchants/risk_management/card_present.html
for more details.

The retailer could quite easily mandate to their staff that all card purchases
in store require a check of photo ID, but that takes longer (who wants their
checkout time to take even longer?) and puts the onus on the cashier to verify
the identity (and the retailer probably wouldn’t want that either)."

------
sifarat
We can't prevent credit card credential theft. What we can do is opt for
2-factor authentication; one of my credit card companies does that. It's a
little pain, but it's worth it.

------
chatmasta
I wonder: What information does Palantir have about this situation?

------
wmf
So much for "you aren't liable for fraudulent activity".

~~~
pandemicsyn
I think you may have missed this part: "Chase and other banks say they will
cover unauthorized transactions that customers report."

~~~
sliverstorm
I think your parent misunderstood, thinking there was an implicit promise that
you won't even be _inconvenienced_ by fraud.

~~~
wmf
They're inconveniencing you for potential fraud that may not even happen. It
seems like a high price to pay for what is ultimately someone else's problem.

