Identity Theft Hysteria Overblown, Watch Your Debit Card Instead
If you need the straight story on issues of credit card, debit, and banking fraud and security, something more than "we're taking it seriously," Avivah Litan, VP and distinguished analyst at Gartner research, is your go-to gal. I recently interviewed her over the phone about how consumers can protect themselves in an era where just keeping your mother's maiden name a secret doesn't cut the mustard. I learned that you can buy a credit card number for a few cents, that losing your Social Security Number is NOT the most dangerous fraud that is likely to happen to you, and how Obama's helicopter plans got stolen thanks to P2P music-sharing software...
BEN POPKEN: Your name pops up a lot in articles. You seem to be one of the few people with an insider perspective willing to go on record about these issues.
AVIVAH LITAN: That's because I work for a third-party unbiased research firm.
BEN POPKEN: That always helps. (both laugh)
AVIVAH LITAN: Yeah, it does. That's what we're paid to be, third party unbiased observers. That makes it easier to talk.
BEN POPKEN: So, what are the five pieces of personal information you should never give out?
AVIVAH LITAN: My bank account number, my password to anything, my debit, check card number and my PIN. After that, almost everything's public anyways. The politically correct thing to say is your SSN but we'll get to that one later.
BEN POPKEN: I notice you didn't say mother's maiden name.
AVIVAH LITAN: It's so public anyways, people can find it out or they've stolen it, they've phished for it. I would've gotten to mother's maiden name after SSN. PINs and debit card numbers and bank accounts and passwords sell for a lot more on the black market than social security numbers and date of birth, mother's maiden name, what we call full identity records. A bank account you can get $100, or sometimes up to $1000, depending on volume and what kind of information you have, and how wealthy the individual is. An identity record is like $10-$20 depending on volume. Credit card numbers are a few cents now, up to ten cents. The market price reflects the danger to the consumer.
BEN POPKEN: Paint me a worst case scenario. Your wallet gets stolen, and it had your social security card in it along with driver's license and your debit card. If I'm a dedicated thief, what could happen?
AVIVAH LITAN: The thief could use that info to apply for a new credit card, or a new loan. The thing is, the chances of your bank account getting raided are much higher. Though, it's much worse when someone takes out a new loan in your name. So, they could steal your social security number and all that wallet info and apply for a new credit card, change the address, and start racking up the charges and get away with it for at least a month. That is a terrible thing to have happen. But it's even worse if someone steals your debit card and your PIN and raids your bank account. They're not buying on credit, they're raiding your bank account. Then you need to prove to the authorities that you were not negligent, that it wasn't you, and it's a real hassle to get your money back with debit. To me, that's the worst case scenario.
BEN POPKEN: Why is it that much more dangerous if it's your debit card?
AVIVAH LITAN: There's two kinds of debit, just step back a minute, there's signature debit when you sign the piece of paper at the register and then there's PIN debit, you use that at the register or ATM, and then there's credit cards which are always signature in this country. The reason why signature credit is the least worrisome is because it's protected by something called Regulation Z. It's a federal regulation that limits your liability to $50. Most of the credit card companies won't even hold you liable for $50. They passed that regulation a long time ago, I think in the 80s to get people to you know not be worried and spend a lot on their credit cards. (both laugh) They also have these rules that if there is fraud it generally goes back to the merchant so the bank doesn't eat the fraud.
BEN POPKEN: Right.
AVIVAH LITAN: The consumer doesn't eat it, the bank doesn't eat it, the retailer eats it. So it's pretty easy for the banks to just shift the liability back to the merchant, and then pay you back, plus you're covered by Regulation Z. When it comes to debit cards, those are protected by Regulation E. The rules on Regulation E are not so consumer friendly. You have to report the theft generally within 30 days of getting your bank statement. Sometimes up to 60 days. And then there's limits on how much they'll pay you back. Like you have much more, like a $500 liability in some cases.
Now, signature debit is usually protected by VISA/MasterCard rules. If you use your signature debit you have the same kind of protections as under Regulation Z. If you use a PIN then you're not protected by VISA/MasterCard rules. Then you're protected by Regulation E. If you're using the signature debit card the banks get more revenue than they do with PIN debit, so they always want you to use signature. Secondly, there's typically always another party involved. You can't use signature at an ATM, so they just shift the liability back to the retailer like they do with credit cards. When you use PIN debit it's typically at an ATM or to get cash back. That money's out the door to the bank and they can't get it back once it leaves the ATM. They don't have anyone to shift the liability to. (laughs) So when they can't shift the liability to a retailer, they absorb it, and so the rules aren't as consumer-friendly because they don't want to pay for the loss.
And if someone cleans your bank account out with PIN debit, you'll get late fees, NSF fees, it's a mess to straighten out. You may have your mortgage going against it, your health club, a number of bills, and they'll keep charging you NSF fees and late fees. It's a spiraling effect. And you've lost your money too. I've heard many nightmare stories about that.
BEN POPKEN: You have to get it back from the crooks, and then you have to get it back from the thieves.
BEN POPKEN: Was the Social Security Number really ever designed to do all the work we're asking it to do these days?
AVIVAH LITAN: No, not at all. It was designed to register you in the Social Security office. It was never designed to be your identifier. But it's turned out to be the best identifier that these systems have. Because it's unique for each individual. It's not as valuable as you think because criminals can make up their own SSNs. They know the numbering protocols and what state and date of birth they're associated with. You just have to assume, frankly, that your SSN is out there already. The black market's full of SSNs. What I do, is I have a fraud alert on my credit report. If you're not in need of credit, then you put a fraud alert on your file.
The truth is the value of a SSN is overrated altogether. I see the data from the banks. If they want to create a new credit record they just make up an identity. It happens at least 50% of the time. It's a lot of trouble to steal someone's identity and turn it into cash. You have to go and apply for the loans, and then get the credit, and then change the addresses, and then buy things that you can sell for cash. Sure, people do that, and it happens in 4% of the American adult population. But it's a lot easier to just steal their bank account and get the money out.
BEN POPKEN: Sounds scary…all of a sudden it sounds like we're standing out there naked on the street. What can you do to protect yourself against all this?
AVIVAH LITAN: The best thing that they can do in that case is bank somewhere that has a zero liability policy in online banking, for example. As a precautionary measure I never use my PIN unless I'm at a bank ATM. I check my balances frequently, because if you report something right away you have a much better chance of getting it back. I keep my PC as secure as possible. The best thing you can do is you can use a locked-down browser, meaning that criminals can't get spyware into it.
I don't give anything out to people. If someone calls you and says they're your bank or anyone like that asking you anything at all that's sensitive, I hang up on them. Or you could say I'll call you back and call the registered phone number. Don't ever call a number they give you, because there's systems now where they call the criminal's number and they'll route right through to the real bank, but they'll be listening in on there 'cause it's routing through them.
BEN POPKEN: Whoa.
AVIVAH LITAN: It's like called the "vishing attack." You call their 800 number and they route it right through to the bank. So you're talking to the bank but they're listening to the whole thing. And they get your PIN when you type it in.
BEN POPKEN: Basically if someone starts asking for sensitive information you don't want to dilly-dally and feel them out.
AVIVAH LITAN: Just hang up on them. No legitimate company would…if they're smart. I mean, they may do that, I've seen some really, some good legitimate companies do really stupid things, but that's their problem. You know, you should just…I hang up on people like that immediately and I'll call the bank back, you know? It's not like you can't call your bank back. Don't believe anyone that calls you, basically. I'm not kidding! I have had a couple of attacks. "We're from Yeshiva Hospital in Jerusalem and we're a charity and we need your money..." Some of them are so obvious.
Don't fall for anything. A lot of these attacks are delivered through advertising and Google searches. Say you want to buy a lawn mower. And then something will come out in the sponsored links and if you click on it it downloads malware. Don't ever download anything unless you're 100% sure. Another big area is P2P file sharing, like if you share a local network with your kids and they're always downloading music or videos. A lot of sensitive data is stolen that way.
BEN POPKEN: Because the kid will download what they think is the latest Lady Gaga track and it turns out it's actually a Trojan. And then you grab it...
AVIVAH LITAN: That's one reason. The other reason is, the kid opens all your storage files on your hard drive to the crooks.
BEN POPKEN: Oh, right.
AVIVAH LITAN: They can see everything on your hard drive. Actually, I wrote a little note that got a lot of publicity that didn't get attributed to Gartner, which was fine, I didn't want it to, but did you read about the Obama helicopter plans being revealed? That was all through P2P software file transfers. These guys can get sensitive military information because contractors' PCs are compromised by these home networks, tax returns, business plans on corporations... Anything on a hard drive that's been exposed to a P2P network is fair game.
Comments:
The whole "debit cards are just as safe as credit cards" crap is a myth that makes me nuts. I have had to explain to family over and over why debit (especially PIN transactions) is far more risky than credit transactions. Then there are those on a travel board that I frequent that think that it is safe to use their debit all over the world, including third world countries where fraud runs rampant.
Ms. Litan says the banks push the fraud liability back to the retailer. I'm not so sure about this. As Consumerist has pointed out in the past, part of the retailer agreement with the credit card company is that no ID is required (never show an ID for a credit card transaction). So how is the retailer supposed to prevent fraud? It seems that in practice, there is sufficient motivation with Regulation Z for the banks to do sophisticated fraud detection.
@pax: "The truth is the value of a SSN is overrated altogether I see the data from the banks, and, you know, if they want to create a new credit record they just make up an identity it happens like at least 50% of the time."
OR
"The truth is, the value of a SSN is overrated altogether. I see data from the banks that suggests that if identity thieves want to create a new credit record, they just make up an identity. That happens at least 50% of the time."
Which reads more easily and makes better sense?
I try not to be overly picky with blog posts, I really do. But letting this piece run as it is was very irresponsible and sloppy.
@pax: "So that's what debit that's what guards debit card protection now signature debit is usually protected by visa/mc rules so if you use your sd and you have the same kind of protections under their rules that you do under cc reg Z and cc rules that the cc companies have in addition to that so you'll usually get your money back except for $50 and sometimes they'll waive that-if you use a signature."
SERIOUSLY???
I agree w/ what you talk about on the financial side of this totally. What concerns me is how people are not informed about the types of identity theft that will cause the consumer much more difficulty. Medical identity theft, when they get your med. ins. info and get medical care in their name. A driver's lic. in their name, and get warrants in your name, committing a crime in your name, getting a job w/ your SS # and not paying taxes. These are the areas the experts should be putting out. These are the ones that can really hurt, and a monitoring service will not help you.
@aznjoker: Well, technically it's
Credit = Giving you the retailer's money.
Debit = Giving you the bank's money.
Yeah, so there's a conflict of interest in Debit Cards.
@pax: As a professional wordsmith (proofreader/editor/writer), I agree with you. Once you transpose spoken word into something to be read, there is more responsibility for what's written.
@bornonbord: I mean that I overlook a great deal of error in reading this blog and others. But when the writing is so poor that it hinders comprehension, I think we've crossed the line that separates "informal" from "unprofessional."
@Logical Extremes: The retailer is required by that same merchant agreement to check the signature on the back of your card and match it to the receipt (or digital display) you sign. If the card isn't signed, they're supposed to deny the transaction. If your signature doesn't match, they're supposed to deny the transaction. However, very few retailers ever actually follow protocol.
@bornonbord: I understand the nature of "not by the book" writing of blogs - I work in advertising where they make and break their own rules. However, one still has to take a certain level of care with what appears and how it appears - ESPECIALLY when being owned by a larger entity.
So - your comment to STFU after expressing my own personal opinion? Unnecessary and officially ignored. We try to keep it civil 'round these parts. Thanks and have a nice day. :)
@pax: This is a transcript of an interview where the words are directly attributed to a specific person. If the transcriber took it upon themselves to pretty it up, then if they messed up and ended up changing the meaning of something that was said and still attributed it, then that would not be good.
"Don't give out your bank account number?" Sure, I'm unlikely to give it out over the phone, but I just thought I would point out that it's printed at the bottom of every check. This is even easier than a skimming attack, as an unscrupulous cashier can take all the time they want to copy down account numbers while counting out their drawer. Or use their cell phone camera, or... And mailed out bills you put in your curbside mailbox are just begging to be stolen.
Moral of the story: Cash, credit cards, or no sale for retail transactions. Debit cards are evil and have little reason to exist. Use checks as sparingly as possible.
@Megalomania: I beg to differ. Interviews are edited all the time--for clarity, brevity, continuity, and other concerns. There is absolutely no reason why this piece had to go live looking the way it did.
I maintain my own blog, guestblog for another, and read a variety of blogs related to politics, education, and consumer issues. All of these are no-budget or low-budget affairs. None of them would have allowed a piece to run looking like this--including an interview.
@sirwired: I worked for a third party center that processed donations to police departments and other charitable organizations that they received from telemarketing. I worked with about 13 people and 5 of those people worked there from the safe house. Some people even sent in checks with their driver's licenses or socials on them. How easy would it have been for someone who worked there to steal, copy or take a picture of that info for later use. I'm sure it probably happened a lot.
@baquwards: "The whole "debit cards are just as safe as credit cards" crap is a myth that makes me nuts, I have had to explain to family over and over why debit (especially PIN transactions) are far more risky than credit transactions."
I use my debit cards everywhere. I refuse to use credit cards any more and NOTHING will change my mind. I've had mountains of problems with credit cards in the past, including full identity theft to the point they were changing my logins on CC sites daily and setting up new lines of credit in my name with CC companies I never did business with, and re-routing my mail, that took over a year to finally have resolved 100% and shut down, and exactly ZERO problems with debit cards and paper checks.
@wgrune:
That's not even the beginning. A lot of agencies and organizations have put everything from DVR's for their camera systems to security hardware on public IP's. That allows people to look at their cameras and if you had the right software, to control their doors and gates.
\\the stupid: it hurts.
@baquwards: But we've got experts arguing the opposite! Who am I to believe? I even went so far as to ask my bank. I was told by an account manager that my debit card was just as protected from identity theft as any credit card.
Explain to me again why the PIN transactions are so unsafe. (Yes, I read the article, but I sorta skimmed that part. I'll go back and look at it again.)
@Fist-o™: "Explain to me again why the PIN transactions are so unsafe."
I'd love to know the answer to that too. I use PIN transactions every day on my debit, and never a problem. But I don't give out my PIN to other people either or carry it on a Post-It note in my wallet. If they were so insecure, you'd think the banks would change them to 8-digits or something, but no, 4-digits seems to be standard. And of course, you can change it at any time. And what about PIN numbers on credit cards?
@Logical Extremes: "Ms. Litan says the banks push the fraud liability back to the retailer. I'm not so sure about this. As Consumerist has pointed out in the past, part of the retailer agreement with the credit card company is that no ID is required (never show an ID for a credit card transaction). So how is the retailer supposed to prevent fraud?"
The banks charge it back to the retailer, even if all procedures are followed correctly and a valid approval was received.
As a former retailer of 3 decades standing, I can testify that this is true and correct.
@pax: I'll admit, "ATM Machine" got me twitchy. Other than that, I assumed he posted the notes quickly to avoid the "this is old news" crowd. It was a bit rough, but perfectly readable and very informative.
@BZMedia: Besides what was mentioned in the article about consumer protections, I think the answer to your question would be all of the retailers that had their systems hacked, sucking millions of debit numbers + PINs out last year. It was widely covered on Consumerist and the mass media.
Can the swarm help me out with some links?
Speaking to PC security: 1) If you can afford multiple PCs, have one that is ONLY for financial transactions. No browsing except to your bank and companies with which you have an established financial relationship.
2) She didn't mention setting up PC user accounts to run as USER rather than Administrator, which is the Windows default. That should be at least as important as a "locked-down" browser. Speaking of which, she didn't elaborate on what "locked down" means...Running NoScript? Treating every site as untrusted?
@BZMedia: I work at a bank, so I can try to explain a little. The reason you're better off using a credit card is because if there IS any fraud, you can simply call up a credit card company and have them void out the transaction in a matter of minutes. With the bank, you have to fill out affidavits stating exactly what happened (to the best of your knowledge), and then wait, sometimes up to a couple of weeks, to get your money back. If your card is stolen and a thief goes on a spending spree, all of your money can be drained from the account, and it can take awhile to rectify the situation. In the meantime, you can't pay your bills, and you're stuck without any recourse. I've seen this happen on multiple occasions, and it's never a pretty situation. One of my customers had this happen two days before he was to pay his property bill, and there was nothing we could do for him.
Additionally (like they mentioned in the interview), there is a limited amount of time for you to report fraudulent transactions. At my bank it's 60 days, so if somebody notices fraud that happened 2 1/2 months ago, there's nothing we can do for them. People scoff sometimes, thinking there's no way they wouldn't notice fraud for so long, but for people who solely use their debit cards, I see this kind of stuff pretty often. Scammers are adept at taking such small increments out of the account that the customer thinks it's something they did authorize. By the time they notice, it's sometimes too late to do anything about it. Once again, you don't have this problem with a credit card.
PIN transactions aren't unsafe, per se, but there are times when you're better off using a credit card. For instance, never, never, never use your debit card online. That's where the vast majority of fraud takes place (not from cards being physically stolen, but from card numbers being intercepted online). Online fraud happens all the time, and happens to really smart, internet savvy people. It's unfortunately very common, so you're just better off using a credit card, because if something DOES happen, your cash isn't held up.
@corinthos: I've had retailers (i.e. grocery store) REQUIRE a driver's license number on a check. Especially if we had just been relocated again, and for some reason the VISA card was not acceptable (i.e. system down and no cash).
@bwcbwc: Poor-man's way of having separate PCs for financial transactions: use virtualization software such as VMWare to make a special image that you use only for financial stuff. If you don't want to pay for another copy of Windows or whatever, a free Linux distro will do just fine and probably be more secure anyway. VMWare even gives away a free version of their software, so you don't have to spend a dime. It's probably not QUITE as good as having completely separate computers, but it's a lot better than nothing.
You should also use strong encryption software such as Truecrypt to control access to all financial records, etc that you store on your own hard drive. But don't assume that you're protected just because you use encryption; malware on your machine can still compromise something like that, which is why it's a strategy best combined with the VM or physical isolation strategy.
@BZMedia:
Signature transactions are more secure because they are covered under Reg Z instead of Reg E. Reg Z limits your liability to $50. Reg E does not.
Instead with Reg E, you have to prove that you didn't conduct the transaction (i.e. you didn't enter the PIN number or weren't negligent in protecting the privacy of your PIN number). There is also no $50 cap on liability and you have a considerably shorter period of time to notify them of fraudulent transactions.
Then, after your account is raided and you are left unable to pay your bills while the fraud/security department at the bank investigates the charges.
So, you could be out $500 instead of $50 with the bank. Then you have late payments on your mortgage, utilities, etc. and potentially can't purchase other necessities for a couple weeks.
Or you could end up like my friends that got hit by a skimming operation in Brazil and have to fill out police reports and everything and communicate with their banks in the US. The bills that were set on auto-pay lapsed, they had no access to cash in Brazil (so they could only go places that accepted credit cards), wait for the bank to do something (which took 3 weeks) and then wait for a new card (which the bank won't mail to Brazil). Not too bad if you are coming back in a few days. But when it's the first day of a month long trip, it's a big hassle.
Whereas, when someone stole (or skimmed) my AMEX number down there, AMEX flagged the transactions (why would I be getting auto repair done in Brazil they were considerate enough to ask me), reversed the charges immediately and overnighted me a new card with a new number.
That's an extreme example, but it's also the reason I refuse to type my PIN into anything other than trusted ATMs.
Why is it that these kind of people NEVER bring up the Privacy Act of 1974? You cannot be denied services (except in rare circumstances like the banks) b/c you fail to disclose your SSN. Also if you *write* the SSA and ask them to conspicuously identify what law says a person born in the US must have a SSN they will tell you there is no such law. So yes, there are laws that say how you have to disclose that number *if you have one*, but you don't have to disclose what you don't have. Please don't take my word for it. Look into it.
@HalseyTydeus: I see. Thank you all. You're really making swiss cheese out of my previous, "CREDIT CARDS ARE EVIL AND SHOULD NEVER BE USED EVER" rule. :( I feel like a ... well, like somebody who is fighting a losing argument.
um, I'm fairly certain that the act only pertains to government organizations and has no restrictions on private companies and their activities. You can't be denied service from a government (federal, local, etc.) organization unless there is a specific federal statute stating why you need to.
@secret_curse: I put "Ask for ID" on the back of my credit card over my signature. Over the last 50 transactions, two people have asked me for my ID (most never even bothered to ask me for my card, as I'm sure most people also experience). While the retailers aren't necessarily asking for it, they certainly are not doing much to prevent fraud.
@BZMedia: HalseyTydeus and Chocolate1234 have it right.
Long story short, PIN transactions are not protected by VISA/Mastercard fraud protection, they are approved though other channels.
So if I have a choice of trying to get my money back in my account to pay my bills (and any funds in my overdraft protection account) along with affidavits pleading my case that I didn't make the purchases, or calling the credit card company and letting them deal with it and not having my money in limbo, I will choose the credit card.
With that said, I treat my credit card like a debit card and don't spend money that I don't have, just pay it off, avoid all interest and get free stuff from them.
If I didn't trust myself with a credit card or was a Dave Ramsey follower (some good ideas and some horrible ones) I would have my bill money linked to a different debit card than my day to day money.
@statgrad: Just make sure that your signature is present on the back of the card. It is part of the agreement that you sign the card or it is technically invalid. If your card is stolen and it says "see ID" or something similar, and is recovered, this is the bank's loophole to not cover the fraudulent transactions, because you did not sign the card, yes this actually happens.
And as said before, the retailers are not allowed to request ID unless the card is not signed.
Just a note. You can have your bank lower your daily authorization limit. I lowered mine to $1,000; this way you can still use it on weekends. Also, another tip is find a bank that has instant capture, so you can see the preauthorizations online. I caught fraud that way. Got my money back and no overdraft charge. Just to clarify, debit cards are protected by Regulation E and by the EFTA. The key is reporting your card lost, stolen or compromised fast. Not all banks or merchants charge you a PIN transaction fee.
"[...] your Social Security Number is NOT the most dangerous fraud that is likely to happen to you, and how Obama's helicopter plans got stolen thanks to P2P music-sharing software..."
That kids, is why you never start reading a blurb mid-sentence, especially without reading the title.
I almost spit the water out when I first read that, and my mind struggled to understand how the two things are even related.