Debit cards, credit cards and the Target hack

[porthole]

This is a bit long winded, but it may save you some real grief.

Debit cards, credit cards and the Target hack

Do you know the difference? Have you been following the Target scandal?

Do you know your rights?

Do you really know what “Zero liability” means?


A Sunday in May 2013 I saw unrecognized charges on my checking account when looking online.
Went to the bank Monday morning, we saw a few things that were not valid. The debit cards were canceled immediately and the bank fraud procedures started. The 3 transactions were for $920.

My bank, Wells Fargo, has unwritten thresholds, under $1000 and under $2500.
Since this was a low fraud alert, the transactions were allowed to post to my account, and a provisional credit was issued immediately for the $920. A letter a few days later stating the facts and that it was under investigation and a letter 8-10 days later closing the case as resolved.
I was out zero $$$ and just one trip to my local branch.

In August my wife had an issue with a check at the local A&P for groceries. Same A&P we have been using with the same bank account since 1998. She had to keep getting her checks approved at the courtesy window. Since we were in “travel mode” at the time and not around much, it was not until the end of October we found out why.

A&P recently switched to an instant check reading system (those numbers on the bottom of your check are printed with magnetic ink, so they can be read like a credit-debit card). The company that processed the checks was denying the transactions, which took 2 trips back to A&P to find out that the transactions were not going through because our account was “blocked”.

Back to my bank. Turns out in August there was an “attempted account takeover” of our checking account, probably related to the debit card fraud back in May.

My bank, in my best interest decided to block my account, of course they forget to notify us!

And it was only blocked for checks that were being processed through 3rd party systems like Telecheck. Not for debit cards, personal checks, online debit or direct checking account withdrawals or payments etc.

At the banks recommendation we closed all our accounts and opened new accounts. What a royal pain in the butt. Direct deposits, mortgages, automatic payments, automatic withdrawals, online bill paying new checks, debit and credit cards. The bank moved all of our checking account money to the new account, blocked the old account completely and did not leave in the amount needed for the bill pays),
9 trips to the bank to get all that straightened out.

January 9th at 4:30pm I get an automated call from Wells Fargo fraud department. At 5:00pm I call back and find out that there are some “questionable” charges on my debit card. After a 20 minute conversation we cancel my debit card again and determine that there are $4900 in fraud charges against my debit card that took place from 4:09pm to 4:29pm, both stateside and in Europe.

At this time none of the transactions have posted, all are pending. The bank’s automated system automatically moves $3800 from an equity account to cover the pending transactions (2 transactions at a fee of $12.50 each). Everything from a $1.00 test charge in Brooklyn to pizza at a Dominos in Southern California, $1900 at an Apple store, cross country train ticket in Germany multiple online games (wargames and minecraft) in Cypress and Sweden, Best Buy etc etc. Every international charge has an international charge transaction fee.

Debit or credit here is where there is a real difference.

With the debit card the bank does nothing until the charges post to your account.
So I effectively have the $4800 showing out of my account.
Within a day about $2000 is effectively blocked and removed from my online view.
Another week and the bank gives me a “provisional credit” of $1500, couple more transactions get reversal, another day another provisional credit of $500.

Since there was now an extra $2000 in the account the bank decides, without my authorization, to reverse the two overdraft transfers that were made. That could have been a real issue with all my bill paying (through the banks website) had I not caught it.
As of today, January 25, most of the fraud has either, not posted, posted and reversed or provisional credits issued waiting for an outcome.

Because a dozen or so of the transactions were international there are exchange rate differences. Apparently the value of our dollar has dropped enough in the past week that in the international reversals I am now short about $26

A police report was filed, although I seriously doubt anything will come of that.

Continued

 

[porthole]

Part 2

So I would suggest that if you have online access to your accounts you check them frequently. Set up alerts that get texted to your phone.
I never had alerts turned on. I now get an alert almost immediately when the cards are used with varying thresholds. I get a text message at gas stations before the attendant sticks the nozzle in the truck now.

Check your limits on the cards. My debit card had a $10,000 daily limit assigned to it.

If you are subject to this kind of fraud, I would suggest you check online multiple times per day during the investigation. I have seen credits and debits pop up and disappear the same day. My online statement was literally changing every couple of hours.
Debit card rules are not the same as credit card rules.
Your credit cards come under federal regulations that are very strict. If you report a theft promptly, the disputed amount is not posted on your account until it is settled. With credit cards, you are limited to a max of $50 for fraud reported promptly. Prompt in this case is up to 60 days from receiving your statement.

With Debit cards you could be liable for up to $500 of the charges if reported promptly and in this case prompt could mean as little as 2 days from the transaction.

Another FYI, Visa and MasterCard have different ways of handing fraud. For the consumer, Visa is a better option. With MC it is incumbent on you to contact the retailer-vendor.

The biggest difference is your funds. Most banks will not start the fraud investigation until after the transactions post to your account. This means you are out the funds until settled or a provisional credit is issued. Credit cards you don’t have anything removed until you actually pay your bill.

Do your own research. Debit cards are bad news for consumers and ripe for fraud. In the end banks lose little. The consumer and the vendors are the losers. The banks get to keep that disputed money for the ten days the claims are investigated.

I have used debit cards since they first came out, use them for everything. I like not having to carry cash (always a pain since the start of direct deposit). I also like that the money for my transactions comes out right away from our bank account, no surprises when the statement comes in.

Did you know that the average consumer spends at least 30 hours of time rectifying debit card fraud? I’m already past that number.

The most common place for debit card fraud is restaurants and gas stations. Here in New Jersey we can’t pump our own gas, so every station is attended. Stations without attendants are frequently hit with card scanners, cameras etc. Wells Fargo requires branch managers to physically check the ATM machines at least once per day for tampering.

The new way for debit and credit card fraud is random computer number generators. CC numbers generated using the 16 numbers on the front, the 3 digit CCV code on the back and zip codes. Then, potential numbers are zipped around the net trying online point of sales until a transaction goes through. In my case the $1.00 charge in Brooklyn was the first charge. Keep in mind; the first 6 numbers on your credit only identify the issuing bank. So, number generators have a head start.

I thought the idea of random number generators was a bit far fetched. We have 16 numbers on the front, 3 on the back and the 5 digit zip. But I have since learned during some “password security” searches that there are programs currently available that can search random passwords at the rate of 300,000 times a minute.

 

[porthole]

The Target debacle.

No doubt you are all aware of the Target fraud. Estimates put it up over 100 million ID’s now.

Did you know that anyone can go online and buy stolen credit card information? All you need to do is set up an account and fund it. BTW, you cannot fund it with credit cards or checks.

And, the numbers are searchable. No reason to buy a card from a South Dakota bank when you live in New Jersey. No, just search for a local bank you like with the “BIN”, Bank Identification Number, which are the first 6 digits on your card.
Example, Citibank Mastercards start with 4147 09

All of Target’s hacked information is searchable with the code name Tortuga (Tortuga, Tortuga 2, Tortuga 3 etc).

This screen shot is from an account Krebs Security set up while researching the breach.
This web site even guarantees the numbers you buy will be valid. If not, you automatically get a new number to use.

BTW, I have never even been in a Target or Neiman Marcus.

 

[porthole]

From one of my other forums:

****. So after all you've been through since last year. What are you doing to avoid any possible repeat issues? My wife always uses her debit card as a charge card to avoid using the PIN. Now I'm not so sure if it's safer to use the debit card as a debit or is it safer to use as a charge card.
I know my credit union has a $500 a day limit on charges and if I need to use it for anything more than that I have to call them first.
I know on a few of my cards I have a $50 alert set so I get an email once a transaction hits over that amount.

We no longer use a debit card. I carry it only to get cash at a bank ATM.
A debit card is a debit card, whether you sign or use the PIN, no matter what the clerk says when they ask you "credit or debit". The problem arises with fraud.

You should verify the limit with your credit union. With Wells Fargo, that daily limit is on POS sales, "point of sale", you are at the register. There is no limit with online or phone transactions.

As to your alert messages, keep in mind with the fraud transactions on my account, the rate the transactions were posting prevented any "fast" notification.
25 of the transactions that hit my account were under $50.

*************************************

Duane, not sure if you have, but go onto ftc.gov and file id theft report. It does help with the grand scheme. When completed drop a copy to your local precinct for their case file. They forward it to computer crimes.

Learned something else today with Wells Fargo fraud investigations. They are only concerned with ONE aspect - Wells Fargo.

All of the fraud that was reversed? it is up to the vendor to pursue

*************************************

It can help you in the future, even if Wells Fargo doesn't give a care

http://www.consumer.ftc.gov/articles/0277-create-identity-theft-report


Fortunately, my debit card hack was not the result of ID theft, so I have nothing to file to complete the report.

But for those that have never looked at the website, there are several useful links within it.

 

[TomSt]

I would disagree with your statement that with MC you have to contact the vendor. It might depend upon which bank issued the card. Bank of America in a recent case for me did all the leg work on a $32 charge. But then again I have been with them since 1987 and have complained only about half a dozen times.

 

[HornedToad]

I can always count on a "porthole" post to be an interesting and informative read.

Especially this post since I received an email from Target.

Thanks for taking the time to share.

 

[JohnDar]

I have a Capital One MasterCard that I use for almost everything. When there have been attempts to use it illegally, they have stopped them and notified me immediately. Haven't been stuck for any slime bags doings.

 

[porthole]

I would disagree with your statement that with MC you have to contact the vendor. It might depend upon which bank issued the card. Bank of America in a recent case for me did all the leg work on a $32 charge. But then again I have been with them since 1987 and have complained only about half a dozen times.

It may have been one of the banks, I did so much searching last month I was going nuts. But it was a bank issued MC that was giving consumers some grief

And an FYI for those that do not know, Visa-Mastercard do not tissue cards, promotions, special interest rates etc. They are strictly the network that handles the transactions for whichever bank - financial outfit you get your card from.

 

[donr827]

Our bank is always asking us to sign up for a debit card. Always tell them NO because of the rules covering debit cards. We do have a card that allows us to obtain cash from a machine when needed outside of the grocery store we use. Limited to one use per day and $200. So far we have not had a problem.
Don

 

[wdk450]

I used a Master Card (I think) in Target just before Christmas. My first visit there in a LONG time. I got an E-mail from them on January 17th with a link to start free credit monitoring. Here is a quote from that e-mail:

"I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go tocreditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014."

I immediately responded to the included link, but as of yet have not received the activation codes promised. The complete sender address is copied here: TargetNews@target.bfi0.com

Since I have heard no reply I wonder if this was a legitimate Target communication? Have any of you received the same e-mail and have you gotten the activation codes?
I have seen no suspicious activitiy on my accounts (so far).

 

[JohnD]

I used a Master Card (I think) in Target just before Christmas. My first visit there in a LONG time. I got an E-mail from them on January 17th with a link to start free credit monitoring. Here is a quote from that e-mail:

"I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go tocreditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014."

I immediately responded to the included link, but as of yet have not received the activation codes promised. The complete sender address is copied here: TargetNews@target.bfi0.com

Since I have heard no reply I wonder if this was a legitimate Target communication? Have any of you received the same e-mail and have you gotten the activation codes?
I have seen no suspicious activitiy on my accounts (so far).

I used a Visa debit card in a Target store during the dates of the hack . . .

Of course, I couldn't get an email from them as I never gave them my email address as there was no need to do so at the time of purchase.

I wonder if I can qualify for the free credit report?

 

[HornedToad]

Since I have heard no reply I wonder if this was a legitimate Target communication? Have any of you received the same e-mail and have you gotten the activation codes? I have seen no suspicious activitiy on my accounts (so far).

As I mentioned... I received that exact same email around that date. I wondered how Target got my email address so I verified the email was legit @ https://corporate.target.com/_media/TargetCorp/global/PDF/GreggEmailToGuests-1-15-14.pdf. I ignored their credit monitoring offer because I already have a plan thru my home insurance and had not seen any suspicious activity on my card. I did call BOA to cancel and reissue me a new debit card.

Since ancient times there have always been crooks and thieves...
our debit cards are now the currency of the day.

 

[pegmikef]

My wife happened to use her Visa card in Target during the scam period. The card issuer picked up on it, sent me a letter stating the card may have been exposed to a vulnerability, and issued me a new card. No action was required on my part, but I had been monitoring the charges to that account.

 

[NWILSON]

I used a Master Card (I think) in Target just before Christmas. My first visit there in a LONG time. I got an E-mail from them on January 17th with a link to start free credit monitoring. Here is a quote from that e-mail:

"I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go tocreditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014."

I immediately responded to the included link, but as of yet have not received the activation codes promised. The complete sender address is copied here: TargetNews@target.bfi0.com

Since I have heard no reply I wonder if this was a legitimate Target communication? Have any of you received the same e-mail and have you gotten the activation codes?
I have seen no suspicious activitiy on my accounts (so far).

I make it a point to NEVER open a link from an email that I can't verify the source of. In this case I would contact Target directly and inquire if this is a valid offer. If so, they will likely direct you to their site (not the link in the email) where you can fill in the needed information.
Emails like the one you received are frequently bogus and referred to as "PHISHING" emails. They will often use graphics from the authentic site to look convincing but they are trying to dupe you into going to a site that has no connection to the one they say they are from. They are hoping the unsuspecting recipient will divulge some personal information they can use later.

 

[wdk450]

I make it a point to NEVER open a link from an email that I can't verify the source of. In this case I would contact Target directly and inquire if this is a valid offer. If so, they will likely direct you to their site (not the link in the email) where you can fill in the needed information.
Emails like the one you received are frequently bogus and referred to as "PHISHING" emails. They will often use graphics from the authentic site to look convincing but they are trying to dupe you into going to a site that has no connection to the one they say they are from. They are hoping the unsuspecting recipient will divulge some personal information they can use later.

I went DIRECTLY to the Target website, and to the area about the hacking, and found the exact same letter. You are supposed to wait up to 72 hours to get the access codes. I have previously free credit monitoring due to a Healtcare system's exposure (which has notified me when I established new accounts), and just got notification that I am getting more credit monitoring from a Healthcare system I left over 10 years ago!!! That last notification came through the U.S. mail.