New Debit Card Vulnerability

Your debit card could be stolen and used without the thieves even having to hack your PIN code.

Andrew reports that after reading advice here on The Consumerist, he swiped his debit card as a credit card at the cash register. He then tapped the “credit card” button. He received a prompt for his PIN code, even though he selected credit card. Then he hit cancel. After that, the transaction was completed.

Without signing a slip or entering a PIN code, he was able to walk away with his purchases after only swiping his debit card.

The stores were a CVS and a Brooks pharmacy.

Maybe we should just revert to carrying around wheels of cheese to barter with.

Comments

Edit Your Comment

  1. KevinQ says:

    I doubt that’s a vulnerability. Sounds like it was just running the card as a credit card.

    To check if it’s a vulnerability, he needs to check his statement to see if the transactions went through as a credit card or debit card transaction.

    Merchants have to pay if you use your card like a credit card, but you have to pay if you use it as a debit card. Therefore, it’s in their best interest to trick you into agreeing to use it as a debit card. Hence, asking you twice if you want to use it as a debit card. (Once explicitly, once implicitly by asking for your PIN.)

    If his transaction went through as a debit card transaction, then there’s a huge vulnerability. If it went through as a credit card transaction, then the register got lost in its own logic loop and just forgot to print up a signature receipt.

    Signature receipts are no longer required for most small credit card transactions.

    K

  2. Ben Popken says:

    Brian writes:

    “Stores, in the best interest of their bottom line, want to take every opportunity to convince you to use your debit card as a debit card instead of a credit card. I have frequently encountered the interface described in the post and when I do as the tipster describes he does, the card is charged as a credit card. If you say credit first and punch in your debit pin when it asks, it will be processed as a debit card (I love my credit card company, they cheerfully answer my strange questions about this type of thing).

    Futhermore, many (most I would say) of those swipe card interfaces are poorly setup and they ask if you want to use your card as a debit card even if the card is only a credit card. This is one of many reasons I use a credit card for everything electronic. My debit card is basically just for getting cash from an ATM machine.”

  3. Ben Popken says:

    Mary writes:

    “For many purchases under a certain threshold ($5? $10? not sure where it is), a signature slip is no longer required. CVS is one of the merchants who has put this into practice, along with fast-food and to-go type food places, like Starbucks, McDonalds, etc. They are absolutely still credit, not debit, transactions.

    Its definitely a vulnerability – now people can just swipe a stolen card for small purchases and not have to worry about a PIN OR a signature – but it also wasn’t a mistake on the merchant or register’s part. The PIN screen comes up twice, because they really do want you to run it as debit to avoid the VISA fee.

    Not sure if its the merchant’s policy to no longer require a signature, or VISA’s policy. Wonder who is accepting liability for small purchases without a signature that turn out to be fradulent, or is it assumed the consumer won’t care about a $5 hit?

    And here’s a thought – it’s only happened to me at places I’ve used my card at before. Any chance they’re somehow capturing card and signature data, and keeping on file, thus making future transactions “quicker”?”

  4. nweaver says:

    If it was a “Visa check card”, master card logo, etc, those can go through both the credit and debit card systems.

    It probably popped up the PIN pad because the merchant had it programmed to say “Hey, its really a debit card, lets try the debit card system first because it is cheaper to the merchant”.

  5. SeekBalance says:

    This doesn’t sound unusual at all. And anyone can forge your signature because no one, and I mean NO ONE, ever checks the back of the card to compare signatures. At least not in my area.

  6. SH475 says:

    Ever since the Soprano’s enlightening credit card scheme, I am fearful that some Alabanian hottie is ganking my numbers.

  7. Andrew W says:

    Update: based on KevinQ’s thoughts, I checked my card online, and it indeed looks to have been run through as debit. I have a charge of $7.54 from:

    CHECKCARD 04/23 CVS PHARMACY #0717 Q03 CAMBRIDGE MA

    Unless “CHECKCARD” doesn’t necessarily mean debit?

    When the PIN-entry prompt came up, I told the cashier, “I’m pushing cancel, I’d like to run this as a credit card.” But before he could do anything, the transaction was approved. Next time I’m in there, I’ll ask if they have a minimum purchase for needing to sign a charge slip.

  8. droppedD says:

    that’s not a vulnerability; that’s just running a Visa Check Card as a credit card, combined with a lot of big vendors not requiring signatures any more on purchases under $25-30 (Dunkin Donuts does this too, for example). If you don’t want your debit card to work as a normal credit card, then call your bank or switch to a bank that doesn’t allow debit-as-credit swipes. Way to cry wolf, guys. Come on. You really oughta correct the posting.

    It is sorta dumb that they ask you for your PIN even after you hit the credit card button, though. That’s just confusing, and downright bad UI design.

  9. KevinQ says:

    Andrew, based on other transactions, how does your statement describe a debit transaction, and how does it describe a credit transaction?

    droppeD, I don’t think it’s bad UI design, it’s bad merchant; they’ve designed their UI on purpose to be confusing.

    K

  10. RandomHookup says:

    CVS PHARMACY #0717 Q03 CAMBRIDGE MA

    Hey, that’s my CVS…

  11. ExVee says:

    Every major retailer I’ve used my debit card at, I run it as credit, and I either have to sign a receipt or the touchpad screen. I always have to do the Cancel move to make it go as credit, and I always have to sign. Those touchpad signatures at least appear to have some level of signature verification, since once the touchpad responded terribly, my signature got screwed up, and the transaction was rejected.

  12. Ben Popken says:

    Heather writes:

    “At CVS, or at least at my CVS in Boston, the policy is this: you can charge (with a credit card or a debit-as-credit card) up to $25 dollars without needing to sign the slip/screen. But if you are getting a perscription filled as part of that, you can charge up to $50 without a signature.”

  13. Andrew W says:

    CVS PHARMACY #0717 Q03 CAMBRIDGE MA

    Hey, that’s my CVS…

    Sweet, so when I’m at the Porter Sq. CVS, I can go up to people and ask, “RandomHookup?”

  14. RandomHookup says:

    I tried telling that to the cute assistant manager, but she wasn’t going for it.

  15. billhelm says:

    Both times my credit card number has been compromosed, it was used for purchases greater than $200 online.

    Plus, most stores long ago stopped checking signatures on credit cards with any sort of actual rigor.

    I also fail to see how this is even a major vulnerability…

    This is alarmist bs…

  16. Diane Ensey says:

    I printed in the signature area of my card – Please Ask for ID with no signature at all. Now about half of the time I am asked for ID. But, of course, if you swipe it yourself as a credit card, they never look at the card at all, just hand you the slip to sign.

    I’m especially peeved when the clerk pretends to really look at the signature and then at the signed charge slip.

  17. Ben Popken says:

    Terry writes:

    “I learned how to use a debit card as a credit card from a cashier at my Super KMart. She’d seen me several times, so I’m sure she felt l could be trusted. The really, really bad thing about her telling me the trick referred to in the article is that the debit card I used was not mine – it was my husband’s, and the cashier was aware of this. Had I been a different sort of person, with a stranger’s card, how easy it would have been for me to drain his bank account!”

  18. Ben Popken says:

    Aaron writes:

    “This is by no means a “new” vulnerability. In the late 90′s I had a debit card linked to my bank account and usually just used it as a credit card, since I didn’t like punching in my PIN in public. It always worked. Back in 2000, I had several thousand dollars stolen from my Washington Mutual bank account. Apparently someone in Cannes, France, bought $1,500 worth of stuff with my card. When I reported it, they said I must have been there because I’d have to punch in my PIN that went with my debit card. I knew that simply choosing to run it as a credit card doesn’t require a PIN number. I pointed that out to them, and they agreed and refunded my money fairly quickly.”