Credit Cards

Monday, May 12, 2008

Should You Switch To Online Statements For Your Credit Card?

A coworker, Lisa, recently sent an e-mail asking me:

"Should I have all my credit card bills (I don’t even use them, only pay them) sent via email ONLY and stop receiving the mailed paper versions?"

What Lisa meant: should she pay her credit card bills online or not? The credit card issuers never send statements via e-mail because e-mail is not secure. (Consumers should assume that everything they send via e-mail is open to the public.) Credit card issuers will send an e-mail notice that the card-holder's monthly statement is ready for viewing and payment.

Experts advise consumers to switch to online statements. Online statements eliminate the risk of identity thieves stealing paper credit card statements from your snail-mail mailbox. An unlocked snail-mail mailbox makes it easy for criminals to steal your sensitive snail mail. Similarly, consumers should mail credit card payments by dropping the letter in a secure U.S.P.S. mailbox. Don't attach the payment letter to your snail-mail mailbox with a clothes pin.

Experts say that online statements are somewhat more secure than paper statements. This relies on the consumer keeping the anti-virus software on their home computer updated. Of course, the company wants you to switch to online statements since it is cheaper for them to administer your account.

And, consumers that do online shopping should use additional safety measures beyond online statements.

Of course, you should opt-out of pre-approved credit offers sent via snail mail. These are tempting letters for identity thieves to steal from unlocked snail-mail mailboxes. (See this prior post for resources to opt-out of telemarketing and junk mail.)

Several months ago, I switched to monthly online statements for my bank. I’m happy with that. Some credit card issuers still print the entire credit card number on consumers’ paper statements. Another reason to switch to online statements is that you'll have fewer documents to shred.

And there are more reasons to switch to online statements. One, you can set up alerts via e-mail or text message to monitor activity on your credit card account. Experts have found that the sooner consumers notice fraudulent items on their bill, the less money is lost or stolen. Some credit card issuers also provide high-yield interest savings accounts. So, that may be another reason to switch to online statements.

What did Lisa think of these suggestions?

"Many thanks. You have answered ALL of the questions that I had about this and it makes total sense. I monitor my accounts online and pay online, so what would I possibly be missing (except having someone steal my statements, hence my number) from losing the paper? Sounds like a win-win. Thank you George!!!"

A word of caution: if your credit card issuer performs outsourcing, they are going to do that regardless of whether you receive paper or online statements. In my opinion, offshore outsourcing presents some data security issues which online statements can't solve.

Want to learn more about how to safeguard your sensitive personal data? See the List Of Lists page, or the Advice / Tips / Solutions section of this blog.

Thursday, January 24, 2008

Credit Card Truncation, Identity Theft, and Class Action Lawsuits

At the Credit Slips blog, contributing author Adam Levitin wrote an interesting post about retailers' responsibility to truncate credit card and debit card account numbers on consumers' bills:

"In 2003, Congress enacted the federal credit card truncation statute, 15 U.S.C. § 1681c(g), as part of the Fair and Accurate Credit Transaction Act (FACTA). This law, which was intended to help prevent identity theft, forbids anyone who accepts credit or debit cards from printing more than the last 5 digits of the card number or expiration date on any electronically printed receipt given to the cardholder at point of sale. The law became effective for all new cash registers as of Jan. 1, 2005, and for those registers already in use, as of Dec. 4, 2006."

Adam's post drives home the point about retailers' liability:

"If the merchant was negligent, then the merchant is liable for actual damages and attorneys’ fees/costs. But if the violation was willful—and this is key—meaning knowing or intentional, not malicious—then the merchant is subject to statutory damages of a minimum of $100 per violation, plus punitive damages, and costs/attorneys fees. $100 doesn’t sound like a lot, but multiply that by every transaction made at that register since the truncation statute’s effective date and potential damages are huge."

The Clausen Miller law firm confirmed this in a November 2007 post to their corporate clients:

"Whether large or small, all businesses that are not in compliance with FACTA are potential targets of this litigation. The driving force behind this flurry of class action litigation is financial. Statutory damages for a willful violation of FACTA are between $100 and $1,000 per violation, regardless of whether any actual damages were incurred or whether an individual’s identity was stolen."

The Clausen Miller article also highlighted the resulting class-action lawsuits:

"Entities such as Victoria’s Secret, Toys “R” Us, The Gymboree Corporation, California Pizza Kitchen, In-N-Out Burgers, Adidas Promotional Retail Operators, El Pollo Loco, Costco, and IKEA have all been involved in this litigation."

Want to learn more? The Jones Day law firm similarly advises its corporate clients to comply with FACTA.

So, the next time you go shopping, check to make sure that the retailer's receipts display only a portion of your credit card or debit card number. And, shred any unneeded receipts which contain your personal information.
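As an added example for the FACTA rule quoted above and for the receipt check suggested here (this is my own code, not from the blog post or from any of the firms it quotes), the Python below masks a card number to its last four digits (the statute permits at most five), renders a compliant card line with no expiration date, and scans printed receipt text for a full Luhn-valid card number, a masked number that still shows more than five digits, or a labelled expiration date. The receipt lines, the helper names and the regular expressions are my own constructed heuristics, not anything taken from the statute or a real library.

```python
import re
from typing import List

# Added example, not code from the blog post or the firms it quotes.
# FACTA as quoted on the page: a receipt may show no more than the last 5 digits of
# the card number and may not print the expiration date. Helper names and regexes
# below are my own heuristics (hypothetical, not from any real library).

MAX_VISIBLE_DIGITS = 5      # statutory ceiling quoted on the page
DEFAULT_VISIBLE = 4         # what most receipts actually show

# A run of 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A masked number: two or more mask characters followed by the visible trailing digits.
MASKED_RE = re.compile(r"[*Xx#]{2,}[ -]?(\d{1,19})")
# An expiration date that is explicitly labelled as such (MM/YY or MM/YYYY).
EXP_RE = re.compile(r"\bEXP(?:IRES|IRY|IRATION)?\b\.?:?\s*(\d{2}\s*/\s*\d{2,4})", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a card number from other long numbers on a receipt."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible: int = DEFAULT_VISIBLE) -> str:
    """Replace all but the last `visible` digits with '*'; separators are dropped."""
    if visible > MAX_VISIBLE_DIGITS:
        raise ValueError(f"FACTA permits at most {MAX_VISIBLE_DIGITS} visible digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - visible) + digits[-visible:]


def compliant_card_line(brand: str, pan: str) -> str:
    """Card line for a receipt: brand plus the masked number, and no expiration date."""
    return f"{brand} {mask_pan(pan)}"


def check_receipt(text: str) -> List[str]:
    """Return FACTA findings for printed receipt text; an empty list means compliant."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):   # other long numbers (auth codes, reference ids) are ignored
            findings.append(f"full card number printed (shown here masked as {mask_pan(digits)})")
    for m in MASKED_RE.finditer(text):
        shown = m.group(1)
        if len(shown) > MAX_VISIBLE_DIGITS:
            findings.append(f"{len(shown)} trailing digits visible; FACTA allows {MAX_VISIBLE_DIGITS}")
    for m in EXP_RE.finditer(text):
        findings.append(f"expiration date printed: {m.group(1)}")
    return findings


# Constructed sample receipts; 4242 4242 4242 4242 is a well-known test card number.
NONCOMPLIANT_RECEIPT = """ACME MART  STORE 0213
VISA 4242 4242 4242 4242  EXP 09/10
AUTH 123456   REF 1234567890123
TOTAL $41.87
"""

OVEREXPOSED_RECEIPT = "MC XXXXXXXX42424242  EXP: 09/10\nTOTAL $12.00\n"

COMPLIANT_RECEIPT = ("ACME MART  STORE 0213   01/12/2008 14:23\n"
                     + compliant_card_line("VISA", "4242 4242 4242 4242")
                     + "\nAUTH 123456   REF 1234567890123\nTOTAL $41.87\n")

if __name__ == "__main__":
    for name, receipt in [("noncompliant", NONCOMPLIANT_RECEIPT),
                          ("overexposed", OVEREXPOSED_RECEIPT),
                          ("compliant", COMPLIANT_RECEIPT)]:
        print(name, check_receipt(receipt) or ["ok"])
```

The reference number on the sample receipts is deliberately not Luhn-valid, so the checker shows how a card number is told apart from other long digit runs on a receipt.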

Friday, January 18, 2008

Online Privacy Concerns Increase

The Associated Press news service reported the results of a new survey by the University of Southern California's Center for the Digital Future:

"Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels. Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001.  People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet..."

In 2007, about 57% of survey respondents were very or extremely concerned about credit card security. In 2006, the same number was 53 percent. In 2007, about two-thirds of adult Internet users shop online, compared with just 50 percent in 2006. Most spend $100 or less a month, and two-thirds of online shoppers have reduced buying at brick-and-mortar stores. The survey included a random selection of 2,021 Americans contacted from Feb. 28 to Aug. 6, 2007.

More survey results about online usage:

"... online parents are more likely than ever to withhold Internet use as punishment — 62 percent in 2007, compared with 47 percent a year earlier and 32 percent in 2000... Nearly two-thirds of parents, meanwhile, worry about kids participating in online communities and about half believe online predators to be a threat..."

Thursday, January 17, 2008

Capital One: What's In Your Database? (Part 2)

I wrote a December 20, 2007 post about Capital One database corruption reported by Justin James in his TechRepublic Programming and Development blog. Since that post, I checked my Capital One credit card statements for erroneous charges. Fortunately I didn't see any.

To be safe, I wrote a letter to Capital One asking for clarification. It seemed to me that their database corruption could have resulted from a data breach. And, since I live in a state where data breach notification is required by law, I would have expected a notice from Capital One. My e-mail message to Capital One:

To: <webinfo@capitalone.com>
Sent: Thursday, December 20, 2007 7:26 PM
Subject: Capital One's credit card database corruption

Dear Sir/Miss:
Please see this TechRepublic blog which reported database corruption within your company's customers' credit card files:
Capital One: What's In Your Database?

This is very scary given the current identity theft situation in the USA. I am a Capital One Visa credit card customer. I am wondering why I have not received a breach notification from Capital One due to this database corruption. Data corruption like this just doesn't happen by itself. I look forward to a prompt reply and explanation from your company. If I do not hear from you soon, I will likely cancel my Visa card with you and do business elsewhere.

Sincerely,
George Jenkins

The first e-mail reply I received from Capital One was a form letter which confirmed receipt of my inquiry, provided a Case ID number, and explained that Capital One tries to reply to e-mail inquiries within 3 days (72 hours). So far, okay. Not great, but okay. To me, it's important to communicate in writing about very important issues, and Capital One's database corruption seemed to be one of those issues.

Capital One finally replied on January 4, 2008 -- far after the 3-day promise. The content of the reply was quite a disappointment:

From: "Capital One Web Information" <webinfo@capitalone.com>
Sent: Friday, January 04, 2008 12:10 PM
Subject: Re: Capital One's credit card database corruption

Hello George Jenkins,
Thanks for your message regarding our online security practices. Protecting customers’ credit and personal information is a top priority for Capital One. For this reason, account information is displayed on secured pages. A secured page is any Web document sent from a server to a browser in an encrypted form.

Encryption is a process for turning plain text or other information into an unrecognizable pattern of data. The type of encryption used by Capital One is 128-bit encryption, which is the strongest form commonly available for use on the Internet. It provides a high level of security and privacy for our customers when they use our Online Account Service. Capital One requires that our customers use 128-bit encryption when using our site.

Please visit our security pages on our Web site at http://www.capitalone.com/protection, for additional information about the steps we take to protect customers’ privacy and the security of their account.

Since regular electronic correspondence is not a secure method of contacting us and we wish to protect the integrity of account information, Capital One prefers to discuss personal and account-specific questions by telephone rather than by e-mail. We assure you that all other electronic contact with us such as viewing statements and making payments is secure.

Thank you for contacting Capital One.

Regards,
Capital One Online Banking

Wow! A lot of words but nothing related to my question. Encryption is not database corruption. Is their customer database corrupt? Was that the result of a data breach? The letter seems to suggest that there was no problem since all data is encrypted. That seems to me to be a gross over-simplification.

It seems that Capital One prefers phone correspondence and considers their database corruption to be an account-specific problem. And, nobody at Capital One had the courtesy to sign the letter making follow-up easy.

Thursday, December 13, 2007

For Credit Card Purchases, Are Retailers' Demands For More Personal Information Legal?

In the MSNBC Red Tape Chronicles blog, Bob Sullivan has raised some interesting questions about which questions, if any, retail cashiers may appropriately ask during a purchase with a credit card. Bob wrote:

"'Can I see your driver's license'? 'Can I have your phone number'? 'Do you have another form of ID'? But how do you answer? It seems that to shop is to be interviewed. Everywhere you go, you are asked invasive questions. And every time you look at the news, you see another company is losing consumers' data. So you would probably rather not answer those kinds of questions, but can you say 'no'? Yes, say legal experts."

Bob has raised several important issues. First, it's a great idea for consumers to know their rights. Second, it makes good sense for consumers to not disclose more personal data than required. Third, consumers have a choice about whether or not to shop at a retailer that asks more questions than they feel comfortable answering.

Fourth, Bob Sullivan highlighted the Visa merchant agreement policy. This gives consumers an option to complain about retailers that violate Visa's policy:

"Complaining is simple. Call your credit card issuer (your bank) and tell them. They will in turn pass the complaint along to the acquiring bank (the store's bank). That might sound like a meaningless paper trail exercise, but it isn’t. Violation of Visa terms can actually get a merchant knocked off the credit card network, which is nearly the death penalty in today's retail world."

For consumers who are interested, see page 2-21 of the MasterCard Merchant Rules document (PDF).

Also, I checked the Privacy Rights Clearinghouse Web site, and merchant laws vary by state. This is important both for consumers to know their rights, and for consumers considering a lawsuit against a retailer that requested too much personal data. For example, in Massachusetts consumers are encouraged to, "notify the office of consumer affairs and business regulation or the office of the attorney general."

Wednesday, November 28, 2007

Data Security Gaps At Retail Stores Where You Shop

This past Sunday evening, the 60 Minutes television show presented an excellent segment on identity theft, titled "Hi-Tech Heist." The segment explained the poor data security used by many of the retail stores and chains we shop at. More importantly, the segment showed how identity thieves steal consumers' credit card (and debit card) data via the retail stores' wireless data connections:

"When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls."

The segment did a good job explaining how identity thieves steal data:

"[60 Minutes Correspondent] Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data."

When retail stores use insecure or poorly protected wireless connections, stealing data is easier than you think:

"We can just pluck it, is what you're saying, right through the wall," Stahl remarked. "Absolutely," Harms replied. All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results. "Right now, we're right in front of Best Buy," Stahl remarked. "Right so, Best Buy has a wireless network," Harms explained. The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.

What I found most irritating was that the segment reported that many retail stores still refuse to invest in effective and current data security methods, while being fully aware of the TJX/TJ Maxx data breach debacle. In an attempt to cut costs and save money, retail companies still install and use obsolete encryption methods for the wireless transmission of your (and my) credit card information:

"WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes. Now, there's much better encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded."

More about TJX / TJ Maxx:

"At the time of its break-in in 2005, TJX did have a security system. The problem was it was the outdated encryption code WEP. "Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart...  TJX did know, but in a letter told 60 Minutes - in their defense, that they believe 'our security was comparable to many major retailers.' "

So, the retail chain with the largest data breach in USA history admits that its wireless security was no better (or worse) than that of other retailers! That's pretty damning evidence about the retail industry, which seems more interested in making money than in providing secure transactions for consumers.

To me, this is a clear reminder that you should never use a debit card at a retail store. It's best to shop with cash until retailers improve their data security. If you haven't seen this 60 Minutes show, you can watch the 60 Minutes video online.

Monday, November 19, 2007

Chase Harasses A Credit Card Fraud Victim

This post at the Consumerist blog is a worthwhile read. Brandon's story highlights how a company can harass an identity theft victim instead of working with the victim to resolve the fraud. Brandon's story:

"In January 2007, I was traveling in Mexico and was mugged, having my wallet and passport stolen. By the time I got back to the hotel and began calling my credit card companies to cancel, the criminal had charged close to $3,000 on my CHASE Circuit City Visa card. I explained to CHASE that the charges were fraud, and they sent me a fraudulent charge affidavit to complete and have notarized. As I couldn't take care of this until I returned from my trip, and had more important things like a passport to worry about, I waited a few weeks before completing the paperwork and during those weeks received about 2 calls a day from CHASE urging me to send the documents."

According to the post, Brandon did a lot of things correctly. He completed the necessary documents and communicated with Chase in writing. The post includes a copy of Brandon's correspondence. But, Chase continued to harass him for payment.

The best advice (from the Consumerist) is at the end of the post:

"You called and reported the fraud the day of, and yet they're still trying to collect. Under federal law, you have no responsibility for unauthorized charges after reporting loss or theft of a credit card. That you waited a few weeks to send in the papers doesn't matter. Worst case scenario, your maximum liability is $50. Have you sent them a "drop-dead" letter? Or a letter of dispute? Include the information in the preceding paragraph in your letter. You could also try kicking it up to Chase executive customer service: 1-888-622-7547 - extension 4350 or 847-488-6833, or 888-622-7547 x 6833."

Tuesday, November 13, 2007

Unfortunately, Your Average Joe's Data Breach (Part 2)

Over at his Mostly Harmless blog, Dave Owczarwk provides a good summary of the restaurant chain's data breach, plus a solution for consumers who want to continue eating at the restaurant:

"Anyway, this is a tough break for Joe's, but what is the consumer to do? My recommendation, if you like the place, is to continue to patronize it and just use cash."

That's good advice, and I recommend it for any retail store where consumers want to shop but are worried about the security of their credit card information. Definitely don't use your debit card! Read this post on why credit is better than debit.

Monday, October 15, 2007

Governator Terminates New California Identity-Theft Bill

From the Sunday Oct. 14 Orange County Register:

"An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger. In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards."

This is sad news, since:

"The bill would have required businesses to follow new guidelines for the handling and storage of sensitive material; to notify consumers with a detailed protocol of how to address identity theft; and to incur out-of-pocket costs to provide restitution to consumers and share the burden of card issuers. Currently, when a security breach is suspected or detected, businesses only must notify card issuers, but have no liability themselves. AB779 would have made the business (or any other entity that utilized cards for payment) share responsibility."

According to the news report, the California Governor's reasons included that the bill was vague and conflicted with existing identity-theft laws. To learn more, see my prior post and the California Progress Report.

Thursday, October 11, 2007

Governator To Decide On California's New Identity Theft Bill

From the October 2, 2007 Los Angeles Times:

"The bill, recently approved by lawmakers on bipartisan votes, now goes to Gov. Arnold Schwarzenegger for his signature or veto. The bill would require banks, credit unions and credit card companies to tell people the name of the retailer where the hackers grabbed their confidential information, including Social Security numbers, account numbers and personal identification numbers, or PINs."

Assemblyman Dave Jones (D-Sacramento), author of the new bill, asserts that, "about 40% of retailers and other organizations that accept credit card payments were complying with security guidelines developed by major credit card companies."

The new bill, Jones' AB 779, also allows:

"... banks and credit card companies to sue allegedly negligent retailers for the cost of closing accounts and issuing new cards. Schwarzenegger, who is being lobbied heavily on the identity theft issue, has not taken a position and has until Oct. 14 to make up his mind."

It's important to watch California, which was the first state with a bill requiring data breach notification and a credit report freeze option (often called a Security Freeze). This newest bill is good because it affirms the need for all companies to get serious about data security. It is also good if it ensures that accountability lies with the company with the lax data security, regardless of whether that company is the credit card issuer or the retailer. It is bad if it encourages credit card issuers to push all liability onto retailers.

According to the newspaper article, credit unions support the bill and large business trade groups oppose it. I look forward to hearing what Governor Schwarzenegger says during the coming days.

Sunday, September 30, 2007

Which is Better: Debit or Credit Cards?

In the MSNBC Red Tape Chronicles blog, Bob Sullivan provides complete answers to this question. His answers cover two important points -- prevention and recovery -- related to fraud and identity theft:

"Fraud protection. Federal law affords credit card consumers better protection than debit card users. Credit users' obligation is capped at $50. Debit users can be on the hook for $500 if they don't report fraud within two days of learning about it and face unlimited liability if they wait more than 60 days. In practice, both debit and credit users generally enjoy zero liability guarantees from their banks, but those generous debit policies can be changed at any time. Consumer protection under the law is a safer bet."

And:

"Fraud recovery. Getting money back in the event of fraud is much easier for credit customers than for debit users. When a criminal uses your credit card, all you have to do is refuse to pay for the fraudulent purchases. When a debit card is stolen, the money disappears from your account, and the burden is on the consumer to call the bank and get that money replaced. Anyone who's ever logged online to see a zero balance or been denied cash at an ATM after an incident like this will tell you that is no small distinction."

And perhaps most importantly for consumers burned by data breaches at retailers like TJ Maxx:

"When there's a big data theft, such as in the TJ Maxx case, you'll really wish you used your credit card. Even though the criminals don't have your PIN, they can still perform signature-based debit transactions with your card and drain your account."

Me? I use my debit card only at my bank's ATM machines and for grocery shopping. All other times, I use cash or occasionally a credit card. In restaurants with table service, I use cash because the waiter/waitress takes your credit card out of your eyesight.

Monday, September 24, 2007

Fraud Verification Phone Calls: Good or Bad?

In the Javelin Strategy blog, Heather Peters questions whether calls from your credit card issuer to verify purchases are stress or reassurance:

"I was recently on a vacation abroad. I failed to mention to my bank that I would be traveling. After a few transactions in Italy my HOME phone number was called and asked to validate the transactions. Now luckily I had family staying at the house and when I called to check-in they let me know the bank had called and needed me to call and verify use of the card for international transactions."

Heather wondered what would have happened if she hadn't called her credit card issuer:
1. What if I did not have someone at home – would they have frozen my card and left me in the cold?
2. There was not an international number to call on the back of my card so it was really difficult and frustrating trying to contact them and let them know that yes I was traveling

I'm glad that Heather wrote about this. I agree. It is a good security habit for credit card issuers to contact cardholders when they see purchases outside of the normal pattern. I don't worry about it because, a) I can check my home voice-mail remotely, and b) while traveling internationally, I always have Internet access and can look up the phone numbers at my credit-card issuer's web site.

I had a similar experience in 2004. I live in Boston. My employer sent me to London for a month-long business trip. Immediately after that trip, I planned a cruise vacation around the Hawaiian islands. I sent a letter in advance to my credit card issuer informing them of my travel itinerary (and pre-paid part of my bill). I had no problems during both trips.

Before my trip, I'd also contacted my bank to verify ATM availability in London. My bank advised me that ATMs in London required a shorter PIN entered than the PIN I used in the USA. So, I modified my PIN accordingly.

All of this may seem like a hassle, but I look at it this way: this preparation is far less hassle than being stranded in a country without cash and without credit cards.

Sunday, September 02, 2007

How Safe Is Your Credit Card Company?

After IBM notified me about their data breach, I started evaluating the data protection measures taken by the companies I do business with. Like you, I have credit cards. A recent ComputerWorld article discussed the security situation with credit card issuers (e.g., banks and companies) and how well they protect consumers before and after fraud:

"A new study of credit cards from 25 of the largest issuers found that many still fall short of protecting users from fraud. The report, released by Javelin Strategy & Research, a Pleasanton, Calif.-based financial services research firm, found that while almost all card issuers do well in helping their customers after fraud or theft occurs, many need to upgrade their identity fraud detection tools."

What I found most important in the article:

"56% of the 25 card issuers surveyed continue to require full Social Security numbers to help identify their customers, whether by phone, online or by mail. "This is a risky practice that unnecessarily increases the customer's exposure to identity fraud," the report states."

The Javelin Strategy press release lists the top ranked credit card companies by 4 categories:

  • Overall: Safest card issuers
  • Fraud Prevention: Top card issuers
  • Fraud Detection: Top card issuers
  • Fraud Resolution: Top card issuers

I suggest that you read the Javelin Strategy press release to see where your credit card is ranked in the above 4 categories. I feel good that my Discover card ranked highly across most categories.

If you expect to apply for a new credit card or switch to a different credit card issuer, it seems wise to pick an issuer that doesn't require you to disclose your Social Security number. Simply, you reduce your risk. The fewer companies that have your SS#, the better. And if a company doesn't need your SS#, you shouldn't disclose it; and that company shouldn't have it.

What do you think?


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.