Debit Card Security Threat for Consumers – Could You Lose Everything?

Paying with credit cards is a whole lot safer today thanks to sweeping Federal reforms to the credit card industry over the past few years. As a result of the 2009 Credit Accountability, Reporting and Disclosure (CARD) Act, new regulations safeguard today’s consumers from both fraud and the historically predatory practices of credit card issuers themselves. However, in the whirlwind of credit legislation that accompanied the start of the Obama administration, someone – somehow – forgot to mention the debit card.

While owning and using a credit card might be safer today than ever before, the security regulations for its counterpart, the debit card, are about as serious as a child-proof cap. Poorly encrypted processing programs, an outdated PIN system and almost nonexistent victim liability protections have driven the total losses from debit card fraud to nearly $1 billion, a number that will keep increasing, over time, until something is done to stop it. More shocking is that even though concerns about debit card security have been talked about in the media since at least 1997, nearly 80% of American consumers continue to keep a debit card open in their name.

Because of the security risks, it’s time for the country to seriously consider how valuable a form of currency these pieces of plastic really are.

It Started So Innocently

The story begins roughly 40 years ago when debit cards were introduced to American consumers. Marketed as an alternative to the credit cards Americans had been using since the early 1950s, these new cards used technology pioneered by the automated teller machine (ATM) to automatically debit a cardholder’s checking account every time a transaction was made rather than tallying up purchases on a monthly tab. The major selling point? By directly accessing a cardholder’s savings or checking account, debit cards allowed consumers to make purchases without the risk of carrying a balance. As an added bonus, people could even use the cards to withdraw cash from an ATM when they needed it.

After a few months of localized testing, Seattle’s First National Bank issued the first official round of cards to a handful of business executives in 1978. Though lauded for their inventiveness, the cards remained relatively unpopular until the mid-eighties when Visa and MasterCard decided to upgrade their national ATM networks – PLUS and CIRRUS – to a national debit program. Since most banks in the country used these networks to manage their ATMs, debit cards became standard for all customers with open checking accounts, and the number of debit cards in America skyrocketed. In 2012, a projected 190 million people will be using them – that’s 30 million more than the projected number of credit card users in 2012.

Today, the debit card exists in three forms: online, prepaid and offline. Online debit cards – far and away the most popular type – are issued by a local bank or credit union and use a special processing machine to debit a cardholder’s account as soon as a transaction is made. To secure the open line between their card and their bank account, cardholders are required to enter a four digit personal identification number (PIN) every time the card is used. Prepaid debit cards function in the same way, except that instead of debiting the cardholder’s bank account, they subtract funds from a unique, pre-loaded account that has to be replenished every time it’s drained. Because these cards only work with a limited amount of funds, they’re often marketed as a way for consumers with bad credit to improve their score through “limited” spending.

The third type of debit card – the offline card – is a different story. These cards are typically issued by credit card companies that are affiliated with a bank (rather than by the bank itself), and they can be identified by the Visa or MasterCard logos they bear. Though they can be processed as PIN-secured online debit cards, offline debit cards can also be processed as credit cards. When the “credit” option is selected during a transaction, an offline card will debit a cardholder’s account instantly, but there’s a two- to three-day wait before the funds actually change hands. A signature is also required when the customer opts for credit. Offline debit cards might be versatile, but because of that signature option, they’re downright dangerous too.

Early Warnings Ignored

Because of the option to bypass the PIN code in favor of a forge-able signature, thieves who obtain a MasterCard or Visa debit card number – not even the card itself – have open access to a cardholder’s personal savings. These cards are so insecure that some banks flat out refuse to issue them. As Richard Bowman, the chief financial officer of First Virginia Banks explained to the Washington Post, “I think that offline debit cards can be really dangerous. Once someone loses a debit card or it is stolen, someone can clean them out.”

This huge security flaw isn’t a secret. In 1997, the Consumers Union advocacy group testified to Congress’s Committee for Financial Services about the risks these “unsecured” debit cards pose to consumers. That same year, David Balto, an assistant director of the Federal Trade Commission, predicted in an article for The Business Lawyer that this outdated system would prove to be costly to Americans. “Debit cards,” he said, “pose new consumer protection risks and may result in a high rate of fraud.” Despite these obvious risks, banks have continued to issue “unsecured” debit cards by the truckload. Predictably, keeping such an unsafe form of currency alive has caused major problems for consumers and businesses.

At first, mass debit card data theft was a relatively isolated occurrence. Every so often, starting around the year 2000, authorities would discover hidden “skimmers” mounted on ATMs, gas pumps and other card-reading machines. These unobtrusive machines read every credit and debit card that passed through them and sent the skimmed information to a thief who could then sell that data overseas. While these devices were costing American cardholders around $300,000 a day on average, their limited memory prevented any one unit from storing more than 100 different account numbers at a time, significantly reducing the damage they could do in any one location.

The Biggest Scam to Date

However, everything changed in 2006, when hackers devised a way to bypass point-of-sale thefts and steal card information directly from merchant databases themselves. Early that year, over 200,000 account numbers from cardholders around the country were stolen from the servers of office retailer OfficeMax in what Gartner financial analyst Avivah Litan called “the biggest scam to date.” Litan reported that OfficeMax was unaware they were storing consumer information and had no security measures in place to prevent hackers from making off with consumer debit card numbers. As a result, consumers from Pennsylvania to Florida reported fraudulent charges of up to $1,500 made on their accounts from various European countries.

These mass thefts aren’t an isolated incident, either. This May, national craft supply store Michael’s reported losing tens of thousands of dollars of customer money due to account information thefts just days after Sony Online Entertainment revealed that over 10,700 debit card numbers had been stolen from its network databases. A month after that, financial giant and credit card issuer Citibank announced that hackers had stolen over 200,000 customer debit card numbers. A week later, Citi spokesman James Griffiths raised the number of affected customers to 21 million. Although Citi hasn’t released the final amount of money stolen from their customers, they did acknowledge that $2.7 million was missing when the head count was only 360,000, so you can get a general idea of the total damage done.

A Systemic Failure

The incredibly high volume of mass information theft confirms that every part of the debit card system is flawed. At one end, 60 million off-line credit cards are still in circulation across the country while thieves continue to develop new techniques – such as thermal imaging – to steal the PIN numbers from debit cards considered “secure.” At the other, merchants continue to unintentionally store PINs and other customer information behind flimsy security walls. They should be purging that information instead. Combined, these two flaws have effectively turned debit cards, which were once hailed as the most secure method of payment on the market, into an open invitation for fraud. And that’s not even the worst part about owning one.

According to the Electronic Fund Transfer Act, the victim’s liability in cases of credit card fraud is limited to $50. In cases of debit card fraud, however, there’s a $50 liability only if the victim notices and reports the false charges within two days of their occurrence. After that, liability jumps up to $500 – until 60 days have passed. After the 60-day period is over, the victim is entitled to no liability protection whatsoever.

A thief who steals a debit card isn’t just racking up a balance like they would with a credit card, either. They’re taking the victim’s own money from his or her bank account. As a result, victims of debit card theft can and have found themselves unable to pay their rent, bills and medical expenses while they seek a resolution to their case.

Speaking of resolutions, another thing that separates debit cards from credit cards is that when a consumer’s money is stolen via fraud, there’s no guarantee they’ll ever get it back. Legally, banks are allowed to launch a 10-day investigation into any claim of debit card fraud, and if a victim can’t prove that the charges on their debit card are a result of information theft, the bank isn’t required to reimburse them.

What’s Best for the Banks is Good Enough for You?

So why, if they’re so utterly dangerous, do debit cards continue to be the most used non-cash form of payment in the country? Well, they’re a highly versatile form of currency – especially the offline cards that can be processed as credit. They give consumers access to their checking and savings accounts at all times, and they can also be used to make transactions at an ATM. The main reason debit cards continue to be so popular, though, is that they make a whole lot of money for the banks that issue them.

This summer, the banking industry entered into an all-out brawl with the government over a new federal regulation that reduces the cap on the transaction fees that banks charge merchants. According to lobbyists, capping the fee at 20 cents instead of 40 cents will cut banking industry profits by $16 billion this year. On top of that, national banks like Sovereign and Bank of America have started allowing debit cardholders to overdraft their accounts as an excuse to charge a $35 fee on every transaction made while the account is in the red. If that sounds like a cheap trick to you, you’re right, but it’s not the only one. Up until this month, Bank of America planned to charge their customers a $5 monthly fee just for keeping a debit card open. When the backlash hit, the bank relented.

When push comes to shove, the banking industry won’t let the debit card die because it’s in their best interest to keep it alive. But that doesn’t mean Americans should continue to accept debit cards as they are now. Reform is necessary. As Robert Siciliano, CEO of says, “We’re [still] functioning under a flawed system,” and it’s a system that costs consumers millions of dollars every year in fraudulent charges. Although legislation has been introduced that will force merchants to handle consumer data more responsibly, Verizon’s 2011 Payment Card Industry Compliance report discovered that only 21% of businesses which process debit cards are in compliance with these new data-disposal protocols, a finding Verizon considers “disappointing.” That’s a good word for it … “disappointing.”

“Security Breaches Happen”

When Paul Galant, Citigroup’s global enterprise payments head, was questioned about his company’s massive information compromise, he simply said, “Security breaches happen and they’re going to continue to happen.” That’s exactly the sort of explanation you’d expect from a company that allowed hackers to compromise millions of customer accounts by simply changing a few numbers in their browser’s URL. If you don’t have a lot of computer experience, you might not realize how easy a technique this is, so let Consumerist writer Ben Popken explain:

As someone who has been on the Internet for a few years, this is a dead simple and common hack and Citi should have seen it and prevented against it. Seriously, this is kindergarten level stuff. Really, really stupid.

In a twisted way, Galant is right. Realistically, there’s very little we can do to make debit cards completely safe to use. Security breaches will continue to happen because, as the Verizon study shows, large companies like Citigroup will continue to do the absolute minimum to secure the personal information of their customers. Tech bloggers and members of Congress have been testifying for years that digital identity theft will remain an unfortunate side effect of society’s technological evolution, but the lack of effort these companies are putting towards disposing of compromising information is disappointing nonetheless.

Luckily, a new type of debit and credit card is already being issued in the United States that will provide consumers with increased information security via embedded radio chips. These cards, known as “RFiD” or “Chip and PIN” cards, have been used for years throughout Europe, Asia and Canada. By storing their information on signal-emitting chips rather than magnetic strips and replacing all signatures with PIN codes, the cards will make it nearly impossible for thieves to fraudulently spend your hard-earned money. For a while, anyway.

Europe has already learned that it’s only a matter of time before criminals figure out how to crack these cards as well. The same can be said about the new wave of credit card “apps” for mobile phones that are slated to replace plastic altogether in the next decade. Digital security has been, and will remain, a perpetual arms race between corporate developers and tech-savvy hackers. We need to stop worrying about how we’re going to prevent the fall and focus instead on building a big enough cushion at the bottom.

Put simply, Americans must demand that debit card liability laws be reformed. Consumers have already pushed legislation to make charging overdraft fees on debit accounts illegal as of this summer, but there is more work to be done. Instead of enjoying the same rights and protections that credit card holders do under the Electronic Fund Transfer Act, Americans with debit cards are being victimized in greater numbers than ever before. Debit card holders are still being fleeced by their card issuers, by computer hackers and by everyone in between. If anything, victims of debit card fraud have a stronger case for limited liability than do victims of credit card fraud since it’s their own personal savings, their own money, that’s being pilfered.

Amending the EFTA wouldn’t even require much effort on Congress’s part. No special considerations need to be made for debit card users. All our elected officials would have to do is to add “including debit cards” to the first article of section 903, and with that, victims of debit card fraud would be able to enjoy the security net they deserve as American citizens.

In a world where personal information safeguards and the tools used to steal them grow ever more complex by the minute, revising our protective legislation is the one sure thing that modern consumers can do to protect their hard-earned assets. More than that, it’s the one thing we have to do. Because as long as we stand by and allow ourselves to be victimized by a failed system, things will only get worse.
