Back in 2000 my wallet, including my Visa check card and other credit cards, was stolen in Paris. I called the bank right away, got cards canceled, had new ones ordered and all that.
I get my checking account statement and see several charges that the thief made before I was able to get the card canceled. My bank cheerfully reversed those and I thought nothing of it.
Four months later, I see a charge on my statement from one of the same merchants as before. I called my bank, and they said that the merchant had authorized my card, but did not proceed to capture the payment until then. I asked why this happened on a canceled card, and was told the authorization happened before the card was reported stolen so they had to honor it. They told me the merchant had six months to capture the payment, and it basically was as if I had written them a check and they sat on it for months.
Clearly the thief had some buddy with a merchant account, and they were trying to see if they could sneak a charge in later without me noticing it.
I asked my bank if there was a way for them to see if there were more of these charges in the pipeline, because I had written some checks and it would be highly inconvenient to me if they bounced. They said they had no way of knowing. The only way to stop these from going through was to close the checking account, which would also mean the checks I've written were going to bounce anyway. So I just had to wait out two more months and hope nothing more happened.
One of the several reasons Debit cards are much worse and anti-consumer than Credit cards.
People think that because it has a Visa logo and their bank has a limited fraud liability policy that they're safe. That their debit cards have the same consumer protections as credit cards. That's just not the case.
Moreover, if you swipe-and-sign for anything you should be getting rewards or cash-back. Very few debit cards offer rewards, and the ones that do are often less lucrative than those offered on credit cards.
In Switzerland, almost everybody uses debit cards, and you can't use debit cards (Maestro) online. You use credit cards for online payments, but that's about it.
With debit cards, you have to enter a 6-number pin to withdraw cash or pay with them.
I have a hard time seeing how debit cards are worse than credit cards.
There is skimming, but banks reverse fraudulent withdrawals. The protection is the same as with credit cards.
There is an upper monthly limit on your payments / withdrawals with debit cards. You can even lower that limit if you want to.
You can overdraw your account within a certain boundary and with this your debit card is also a poor man's credit card.
> "I have a hard time seeing how debit cards are worse than credit cards."
In the US, debit cards are generally also credit cards. They can be processed exactly like a credit card, without a pin number, without a second glance at the signature usually, and the money comes out of the associated checking account.
So instead of a fraudulent charge just being a line item on a statement until your card issuer can prove that it isn't fraudulent - it represents actual missing money from your checking account, until you can convince the bank that the charges are fraudulent
I had a debit card compromised in one of the regional card processer hackings and had $1500 [1] of my money tied up until the bank reversed the charges and gave it back. They took 12 business days. That was not cool.
[1] Three $500 purchases of flowers, 10 states away from where I live, each 1 hour apart. How does that not look suspicious? I get a phone call from the same bank almost every time I travel after the first time I use my credit card for a nontrivial purchase. They sanity-check that I really am halfway across the country. That is awesome. That also represents their money being protected from fraud. Apparently, when it comes to protecting my money from fraud, they're not so motivated.
I don't know how debit cards work in the US, but I need a PIN to use my debit card, so short of being forced to withdraw money at gunpoint, you won't get any access to my bank account.
I had a co-worker once who used his debit card at an ATM at a coffee shop nearby our office. Somehow, some genius had installed a mechanism in the ATM to read the stripe and the PIN. So they were able to take that info and create a fake debit card that replicated my co-worker's debit card. The next week, his bank account got cleaned out. He was absolutely broke and went through a few weeks of hell trying to get it all sorted out. Fortunately, the bank was able to help him out. I don't know what happened with the police investigation, but basically none of us used cards at that coffee shop again. The coffee shop was still operational, and I think the police were somehow able to determine that it wasn't the coffee shop at fault (maybe only a single employee or an ATM maintenance guy, not sure).
I think this is why a lot of debit cards have chips nowadays. The chips are harder to counterfeit (I think). But I think we still have to grandfather all the old debit cards without chips. :(
Wow, I thought everybody had heard of ATM card skinners by now. Be very careful at any ATM you use, don't think you are safe because you avoid that cafe's. And cover your hand when you enter a pin.
That was in 2010, hadn't heard of them back then. Not sure if they were actually common back then, although I'm sure they're certainly more common now. Yes, careful, careful. :(
I usually have to do the Verified by Visa stuff too, but my understanding is that it's almost entirely optional for a merchant to require the extra information. Payment can still be made even without a CVV.
And even if verified by visa were compulsory, it would still be possible to create a Direct Debit payment using the account details, which are frequently written on the card, and the address.
(American) I experienced something like this the first time in my life yesterday when buying Skype credit. After entering my info at Skype, I was redirected to a "Verified by Visa"[0] page that made me type in my bank credentials.
I'm in a dodgy internet cafe with a key logger somewhere in Thailand.
I need to book a flight and the airline insists on my "Verified By Visa" credentials.
Who do you think my bank blames (even though they state that they won't) when somebody goes on a shopping spree with not only my CC # and my security code, but also my VbV password?
As another poster mentioned: It's offloading the risk to the card holder.
Something like a token, or two factor authentication would be a lot better.
Verified by Visa has a pretty bad design flaw: the recommended implementation uses an iframe to load the page that prompts for your password, so it's not obvious if that iframe is legitimate or a phishing attack.
Verified by Visa (AKA '3D Secure') is a huge pain, and in all bank implementations that I've used in the UK it's trivial to reset the password.
My current account is with LloydsTSB and they now don't bother asking for your 3D Secure credentials and just go straight to the 'accepted' callback, because it pissed off so many of their customers.
At least in Sweden, most debit cards now require Verified By Visa/MasterCard SecureCode for online purchases, which means the theif would need either my bank RSA fob or a password.
The things you say only apply to the U.S.; in most of Europe, debit cards are significantly more secure. And since debit cards are the most common payment method, the sort of crazy behavior that was described in the linked article is actually pretty much non-existent.
It's similar in Australia, but Visa and MasterCard debit cards are rapidly becoming far more common (mostly due to the fact that you can use them online, I guess).
Between the fact that those cards can be used without a pin (or even without a signature for purchases under $100), and regular EFTPOS debit cards with a pin can be hijacked by skimmers if you're not careful, I think the best solution is to keep as small an amount of money in those accounts as you can. I rarely have more than $250 in any of my card accessible accounts unless I'm making a large purchase (although annoyingly this isn't much of an option when travelling since you can't rely on having an Internet connection to shift funds).
Depends on the issuing bank. My credit union offers the same fraud liability protection on their debit cards as credit cards. That said, with debit cards your money is (temporarily) gone until you notice and complain. Depending on the amount, this could cause problems with your balance.
Here's your test -- because I used to believe that, too.
Call their fraud line -- not the tellers, the real deal. Say that suppose you ordered a laptop on eBay. You paid using your debit card. You received a package, signed for it via UPS, but when you opened the package, it was an old, obsolete, broken laptop. Can they reverse the charge?
My credit card companies will. They will immediately grant me back the additional credit. Some banks have 24h policies to get you back your cash that's in dispute, but I'm positive that debit card protection does not extend this far. If yours miraculously does, tell all you friends to buy shares in the credit union. But I will be surprised.
(Yes I know you could probably dispute via eBay, not the point of course.)
Even with credit cards, if you accidentally pay a fraudelent charge before reporting it, you lose many rights. When the money is already out of your account, you are hopelessly at their mercy.
Edit:
Not to mention, I also get 2% cashback, the bank doubles the manufacturers warranty on items I purchase with the card, rental car insurance coverage, etc. And aside from the cashback, those are pretty normal CC perks. And things like car rental-- some rental companies will actually do a credit check (!!) if you try to use a debit card to secure a car rental.
With credit cards, your money is also (temporarily) gone until you notice and complain: you have less credit available. This can be an equally big problem.
I get my checking account statement and see several charges that the thief made before I was able to get the card canceled. My bank cheerfully reversed those and I thought nothing of it.
Four months later, I see a charge on my statement from one of the same merchants as before. I called my bank, and they said that the merchant had authorized my card, but did not proceed to capture the payment until then. I asked why this happened on a canceled card, and was told the authorization happened before the card was reported stolen so they had to honor it. They told me the merchant had six months to capture the payment, and it basically was as if I had written them a check and they sat on it for months.
Clearly the thief had some buddy with a merchant account, and they were trying to see if they could sneak a charge in later without me noticing it.
I asked my bank if there was a way for them to see if there were more of these charges in the pipeline, because I had written some checks and it would be highly inconvenient to me if they bounced. They said they had no way of knowing. The only way to stop these from going through was to close the checking account, which would also mean the checks I've written were going to bounce anyway. So I just had to wait out two more months and hope nothing more happened.
Luckily, that was the only instance.