Trump’s Press Secretary Shows His Private Bank Account and Routing Numbers (nytimes.com)
31 points by tech-historian on May 23, 2020 | 13 comments


The lack of security on an American bank account is simply appalling. A while back, I had an anomalous charge come out of my account via an instrument known as a "demand draft," or "remotely created check." [0, 1] Essentially, this was a check drawn on my account, without a signature of any kind, and without my knowledge. All that would have been necessary to create such an instrument was my account number and routing number.

I was able to catch the charge and dispute it in time to get my money back, but the money wasn't a big deal. It was only $40, but I wasted more than that in the value of the time [2] I spent to get it all straightened out.

You see, it turns out that my bank can't just block these remotely created checks, or even block them from this one single, known, fraudulent [3] source that tried to steal my $40. Instead, they had to close my account and reopen another one. I protested that I knew this was going to either cause a late fee, or I'd miss some random thing that only charged my account infrequently, but the best they could do was keep the account number temporarily active and redirected to my new account number, giving me time to switch things over. And, I ultimately did miss one account when I did my switchovers. Fortunately, I was able to call the company and get it straightened out right away, with no harm done.

---

[0]: https://en.wikipedia.org/wiki/Demand_draft

[1]: https://en.wikipedia.org/wiki/Remotely_created_check

[2]: I used this incident as the basis for my claim in the Equifax settlement, which I fully expect to never see a dime from, because big corporations don't suffer consequences when they fail to protect people's personal data.

[3]: I was actually able to conclusively prove the entity named on the instrument was completely fraudulent. Law enforcement isn't all that interested in $40 worth of fraud, though, so I'm pretty sure they're out there still doing it.


A good reason to not use your checking or debit cards. I only use my credit cards, then pay them off every month before incurring interest. Makes scanning your checking account for fraudulent charges easy. I report my credit cards lost once a year and get new ones in case those have been unknowingly compromised, kinda like changing my password.


Very true. I use my debit card for the sole purpose of making sure I can meet requirements to get the 2% interest rate on my checking account (one of the requirements is $300 in purchases linked to a card with the bank, of which my debit card is the only one). Other than that, I have PG&E linked directly to the account, because they're so far behind the times they either can't accept credit cards or charge a fee for doing it (I forget which). The only other things that touch the account directly are my actual credit cards, and the site I use to pay my rent.

I wouldn't personally go so far as reporting my cards stolen once a year, but I could increase the security of my setup by having a checking account that all the things I just named access, and then having a second account that holds all my excess reserves, and transfer from the real account to the public account when things need to get paid.

Unfortunately, that negates most of the benefit of having things on autopay, like I do now. Besides, my bank actually treats my debit card the same way as the law treats credit cards (it's either max of $0 or $50 liability, I forget which), so it's entirely not worth it for me to go to these lengths.


> I report my credit cards lost once a year and get new ones in case those have been unknowingly compromised, kinda like changing my password.

I do this with most of my cards every quarter, staggering each card by about 2-3 weeks. Even ten years ago this level of opsec was practically impossible but nowadays I just log into the bank's app, tap a few buttons, and my digital wallets are updated with the new credit card instantly. I've got the process automated for 2/3s of my cards and worst case scenario, I have to walk from a store that doesn't support tap to pay to an ATM or major retailer for cash back.

Combined with Privacy.com linked to a secondary bank account for digital transactions, I'm feeling secure for the first time since I discovered online shopping.


I would think reporting your cards stolen once a quarter would be likely to get your accounts closed. I'm amazed it hasn't happened to you yet.


They don't care as long as my chargebacks are legitimate. I imagine it would be an issue if my cards really were stolen and used without authorization on a regular basis instead of at the bottom of a paper shredder basket.


AFAIK CC companies notify companies about CC number changes. I don't know what the criteria are but the last time my CC got replaced because of suspected fraud by my bank, nearly all companies I gave my CC number to had the new number automatically in the respective accounts.

If anybody can register themselves to that service, getting a new number isn't really a security improvement. Maybe somebody else knows more about that.


I'm surprised the FBI doesn't care about this. Maybe they do. Sure, $40.00 is nothing but that is an amount that scales very well. How many other $40.00 charges are the same people running?


You'd be surprised how little law enforcement cares about even a few thousand dollars worth of fraud. My girlfriend was scammed out of a couple thousand dollars by someone a few years ago. She filed a complaint in San Francisco, because that's where the fraud took place, and even managed to track down a ton of other people who were defrauded by the same person. A couple of the other victims were taken to the tune of $15-20K each. The detective she'd been working with has been trying to push a request for a warrant through the SF DA's office for years, and they just don't do anything.


It's interesting that this works seamlessly and without issues in Germany. With an account number basically anyone can draw money from the account here. But the account owner can return the money for 6 weeks without limitation. The bank issuing the initial request is responsible and liable. So they are highly incentivized to ensure it's all legitimate.


> “It’s not a best practice to share that information publicly,” said Eva Velasquez, the president and chief executive of the Identity Theft Resource Center. “If you don’t have protections in place, there are sophisticated schemes and ways someone could access those funds knowing the account and routing number and the individual person it belongs to.”

Ah yes, identity theft. Otherwise known as bank robbery. [0]

[0] https://www.youtube.com/watch?v=CS9ptA3Ya9E


The post-apocalyptic quiz broadcast has really come back into relevance recently. Love Mitchell and Webb. Remain indoors!


Anyone else think she way overdid her hair and makeup for a public position?



