I've Been Mugged Blog

Many consumers prefer to pay for products and services using methods other than cash. How secure are these non-cash payment methods? The Federal Reserve Board (FRB) analyzed the payments landscape within the United States. Its October 2018 report found good and bad news. The good news: non-cash payments fraud is small. The bad news:

• Overall, non-cash payments fraud is growing,
• Card payments fraud drove the growth

The FRB report included:

"... fraud totals and rates for payments processed over general-purpose credit and debit card networks, including non-prepaid and prepaid debit card networks, the automated clearinghouse (ACH) transfer system, and the check clearing system. These payment systems form the core of the noncash payment and settlement systems used to clear and settle everyday payments made by consumers and businesses in the United States. The fraud data were collected as part of Federal Reserve surveys of depository institutions in 2012 and 2015 and payment card networks in 2015 and 2016. The types of fraudulent payments covered in the study are those made by an unauthorized third party."

Data from the card network survey included general-purpose credit and debit (non-prepaid and prepaid) card payments, but did not include ATM withdrawals. The card networks include Visa, MasterCard, Discover and others. Additional findings:

"... the rate of card fraud, by value, was nearly flat from 2015 to 2016, with the rate of in-person card fraud decreasing notably and the rate of remote card fraud increasing significantly..."

The industry defines several categories of card fraud:

1. "Counterfeit card. Fraud is perpetrated using an altered or cloned card;
2. Lost or stolen card. Fraud is undertaken using a legitimate card, but without the cardholder’s consent;
3. Card issued but not received. A newly issued card sent to a cardholder is intercepted and used to commit fraud;
4. Fraudulent application. A new card is issued based on a fake identity or on someone else’s identity;
5. Fraudulent use of account number. Fraud is perpetrated without using a physical card. This type of fraud is typically remote, with the card number being provided through an online web form or a mailed paper form, or given orally over the telephone; and
6. Other. Fraud including fraud from account take-over and any other types of fraud not covered above."

The increase in fraudulent application suggests that criminals consider it easy to intercept pre-screened credit and card offers sent via postal mail. It is easy for consumers to opt out of pre-screened credit and card offers. There is also the National Do Not Call Registry. Do both today if you haven't.

The report also covered EMV chip cards, which were introduced to stop counterfeit card fraud. Card networks distributed both chip cards to consumers, and chip-reader terminals to retailers. The banking industry had set an October 1, 2015 deadline to switch to chip cards. The FRB report:

The FRB concluded:

"Card systems brought EMV processing online, and a liability shift, beginning in October 2015, created an incentive for merchants to accept chip cards. By value, the share of non-fraudulent in-person payments made with [chip cards] shifted dramatically between 2015 and 2016, with chip-authenticated payments increasing from 3.2 percent to 26.4 percent. The share of fraudulent in-person payments made with [chip cards] also increased from 4.1 percent in 2015 to 22.8 percent in 2016. As [chip cards] are more secure, this growth in the share of fraudulent in-person chip payments may seem counter-intuitive; however, it reflects the overall increase in use. Note that in 2015, the share of fraudulent in-person payments with [chip cards] (4.1 percent) was greater than the share of non-fraudulent in-person payments with [chip cards] (3.2 percent), a relationship that reversed in 2016."

Beware, phone scams are more sophisticated. The pitches are so slick that even some technology experts who know better were tricked into disclosing sensitive personal and payment information. Some phone scams include human callers (called "phishing"), while others include a mix of humans and computer automation (called "vishing").

The Krebs On Security blog listed several examples. Here's one:

"Matt Haughey is the creator of the community Weblog MetaFilter... Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately... Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California. This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip?"

Maybe that struck you as odd, too. Against his better judgment, Haughey continued the phone call and didn't hang up. The caller knew his home address and asked him to verify his mother's maiden name, the 3-digit security code on the back of his card, and his PIN number. Those requests were more clues, too. The bank should know this information.

Like most people, Haughey thought that it was his bank trying to be helpful. Finally, he hung up and called his bank directly. That's when he learned it was a scam. His bank hadn't called.

This example provides several lessons for consumers:

1. Scam artists are persistent. They will keep calling hoping you'll give in and answer the phone calls.
2. Scam artists are well armed. Thanks to the recent multitude of massive corporate data breaches (like this one, this one, this one, this one, and/or this one), the bad guys have probably acquired plenty of stolen personal and payment information about consumers. Criminals also buy, sell, and trade stolen data on the dark web. Using the same technologies (e.g., artificial intelligence, open-source online tools) which the good guys use, the bad guys will "spoof" or fake valid phone numbers to pretend to be your bank or financial institution.
3. A bit of skepticism is healthy. We've all been taught to be polite and to answer the phone when it rings. Scam artists try to exploit this habit. Experts advise consumers to hang up on robocalls. Even if the Caller ID feature on your phone displays a familiar number, hang up and call your bank or financial institution directly. Their phone number is conveniently listed on the back of your credit/debit card. Ask your bank if they called. They probably didn't.
4. Learn how to spot robocalls acting like humans. If you're curious and have the time, ask a simple question like, "How's the weather where you live?" If the caller ignores your question or provides a canned response, like "I don't have that information" or "I'm sorry. Can you repeat that," then it's probably a robocall. Hang up.
5. Know scam artists' pitch. It's all about money. They will pretend to be your bank, financial institution, phone company, and/or computer company. (Yes, online scammers have a profile.) Similar to phishing emails, phone scams often include a sense of urgency. They want you to act now... in the moment. Wise consumers do product research and comparison shop before making purchase decisions. The "haste makes waste" advice your parents told you as a youth still applies.

You now know more, so you won't get duped by phone scams.

USA Today reported that Citigroup:

"... will boost job compensation for women and minorities in a bid to close pay gaps in the U.S., United Kingdom, and Germany, becoming the first U.S. bank to respond to shareholder pressure about the inequalities. The New York-based financial company announced the effort Monday, saying it came after a Citigroup compensation assessment in the three countries found that women on average were paid 99% of what men got and minorities on average received 99% of what non-minorities were paid... Citigroup's action prompted investment advisory company Arjuna Capital to withdraw the 2018 gender pay shareholder proposal it had filed in an effort to force an investor vote that would require the bank to address pay inequality."

So, the bank made changes only after a major investor forced it to. The news report cited other banks (text links added):

"No other U.S. bank has taken similar action, Arjuna said. Along with Citigroup, Arjuna said it had filed gender pay shareholder proposals this year with U.S. banks JPMorgan Chase, Wells Fargo, Bank of America and Bank of New York Mellon. The investment adviser said it had filed similar proposals with American Express, Mastercard, Reinsurance Group, and Progressive Insurance. If approved by shareholders, the proposals would require the companies to publish their policies and goals to reduce gender pay gaps."

JP Morgan Chase promised in 2016 to raise the pay of 18,000 tellers and branch workers. It seems that the banking industry, kicking and screaming, has been forced to confront its pay-gap issues for employees. What do you think?

For better or worse, the type of smart device you use can identify you in ways you may not expect. First, a report by London-based Privacy International highlighted the changes within the financial services industry:

"Financial services are changing, with technology being a key driver. It is affecting the nature of financial services from credit and lending through to insurance and even the future of money itself. The field known as “fintech” is where the attention and investment is flowing. Within it, new sources of data are being used by existing institutions and new entrants. They are using new forms of data analysis. These changes are significant to this sector and the lives of the people it serves. We are seeing dramatic changes in the ways that financial products make decisions. The nature of the decision-making is changing, transforming the products in the market and impacting on end results and bottom lines. However, this also means that treatment of individuals will change. This changing terrain of finance has implications for human rights, privacy and identity... Data that people would consider as having nothing to do with the financial sphere, such as their text-messages, is being used at an increasing rate by the financial sector...  Yet protections are weak or absent... It is essential that these innovations are subject to scrutiny... Fintech covers a broad array of sectors and technologies. A non-exhaustive list includes:

• Alternative credit scoring (new data sources for credit scoring)
• Payments (new ways of paying for goods and services that often have implications for the data generated)
• Insurtech (the use of technology in the insurance sector)
• Regtech (the use of technology to meet regulatory requirements)."

"Similarly, a breadth of technologies are used in the sector, including: Artificial Intelligence; Blockchain; the Internet of Things; Telematics and connected cars..."

While the study focused upon India and Kenya, it has implications for consumers worldwide. More observations and concerns:

"Social media is another source of data for companies in the fintech space. However, decisions are made not on just on the content of posts, but rather social media is being used in other ways: to authenticate customers via facial recognition, for instance... blockchain, or distributed ledger technology, is still best known for cryptocurrencies like BitCoin. However, the technology is being used more broadly, such as the World Bank-backed initiative in Kenya for blockchain-backed bonds¹⁰. Yet it is also used in other fields, like the push in digital identities¹¹. A controversial example of this was a very small-scale scheme in the UK to pay benefits using blockchain technology, via an app developed by the fintech GovCoin¹² (since renamed DISC). The trial raised concerns, with the BBC reporting a former member of the Government Digital Service describing this as "a potentially efficient way for Department of Work and Pensions to restrict, audit and control exactly what each benefits payment is actually spent on, without the government being perceived as a big brother¹³..."

Many consumers know that you can buy a wide variety of internet-connected devices for your home. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., sex toys, smart watches for children, mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins). Add your car or truck to the list:

"With an increasing number of sensors being built into cars, they are increasingly “connected” and communicating with actors including manufacturers, insurers and other vehicles¹⁵. Insurers are making use of this data to make decisions about the pricing of insurance, looking for features like sharp acceleration and braking and time of day¹⁶. This raises privacy concerns: movements can be tracked, and much about the driver’s life derived from their car use patterns..."

And, there are hidden prices for the convenience of making payments with your favorite smart device:

"The payments sector is a key area of growth in the fintech sector: in 2016, this sector received 40% of the total investment in fintech²². Transactions paid by most electronic means can be tracked, even those in physical shops. In the US, Google has access to 70% of credit and debit card transactions—through Google’s "third-party partnerships", the details of which have not been confirmed²³. The growth of alternatives to cash can be seen all over the world... There is a concerted effort against cash from elements of the development community... A disturbing aspect of the cashless debate is the emphasis on the immorality of cash—and, by extension, the immorality of anonymity. A UK Treasury minister, in 2012, said that paying tradesman by cash was "morally wrong"²⁶, as it facilitated tax avoidance... MasterCard states: "Contrary to transactions made with a MasterCard product, the anonymity of digital currency transactions enables any party to facilitate the purchase of illegal goods or services; to launder money or finance terrorism; and to pursue other activity that introduces consumer and social harm without detection by regulatory or police authority."²⁷"

The report cited a loss of control by consumers over their personal information. Going forward, the report included general and actor-specific recommendations. General recommendations:

• "Protecting the human right to privacy should be an essential element of fintech.
• Current national and international privacy regulations should be applicable to fintech.
• Customers should be at the centre of fintech, not their product.
• Fintech is not a single technology or business model. Any attempt to implement or regulate fintech should take these differences into account, and be based on the type activities they perform, rather than the type of institutions involved."

Want to learn more? Follow Privacy International on Facebook, on Twitter, or read about 10 ways of "Invisible Manipulation" of consumers.

Earlier this month, Discover sent me a replacement credit card. The letter with the replacement card stated:

"Notice of Data Breach
What happened: we recently learned your Discover card account might have been part of a data breach. Please know, this breach did not involve Discover card systems.
What we are doing to resolve: we are issuing you a new card with a new account number, security code, and expiration date to reduce the possibility of fraud on your account... So as a safety precaution, we are issuing you a new card to protect your Discover card account information from being misused"

Good. I like the proactive protection, and hope that the retailer absorbed the costs of replacement cards for all affected consumers like me. However, the letter from Discover didn't identify the retailer. I called Discover's customer service hotline. The phone representative wouldn't identify the retailer, either. I'd shopped at four retail stores during the past month, and assumed it was one of them. It wasn't.

On Saturday, I received via postal mail a breach notification letter from Equifax dated October 23, 2017:

"We are writing with regard to the cybersecurity incident Equifax announced on September 7, 2017. At Equifax, our priorities with regard to this incident are transparency and continuing to provide timely, reassuring support to every consumer. You are receiving this letter because the credit or debit card number used to pay for a freeze service, credit score, or disclosure of your Equifax credit file was accessed. We have no evidence that your credit file itself was accessed."

So, confirmation that it was Equifax's fault. What to make of this? Keep reading.

First, thanks Equifax for the postal mail notice. However, this isn't timely communication. Why? Equifax considers it's September 7th press release timely communication. How many consumers read Equifax press releases? Did you? My guess, most don't.

Thankfully, I read online newspapers and was aware of the breach soon after Equifax's September 7th announcement. Yet, my postal letter from Equifax arrived seven weeks after its September 7th press release (and almost three months after it first discovered the breach on July 29).  This incident is a reminder for consumers not to rely upon postal mail for breach notices. Many states' breach notice laws allow for companies to post public notices online in websites and/or in newspaper advertisements. This allows companies to skip (the expense of) mailing individual breach notices via postal mail.

The October 23rd Equifax breach letter also stated:

"On September 7, 2017, Equifax notified U.S. customers of the data security incident, including that 143 million U.S. consumers were impacted. On October 2, 2017, following the completion of the forensic portion of the investigation of the incident, Equifax announced that the review determined that approximately 2.5 million additional U.S. consumers were potentially impacted. Equifax also announced that credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182, 000 consumers were accessed."

So, I am one of the "lucky" 209,000 consumers in the United States whose payment information was exposed stolen in addition to other sensitive personal information. Thanks Equifax for failing to protect my sensitive personal -- and payment -- information you are entrusted to protect.

Second, to upgrade earlier this year from slow, antiquated DSL to fiber broadband from Verizon, I used my credit card to pay for a temporary lift of the security freeze on my Equifax credit report. Why did Equifax retain my payment information for this transaction? Why did it retain that payment information in a complete and UN-encrypted format?

Discover's Frequently Asked Questions page for merchants advises merchants to do the following to protect consumers' highly sensitive payment card information:

"Tips for protecting customer information: a) Truncate all credit card information; b) Avoid storing CID data in your records or within sales data; c) Secure your site; d) Store data securely; e) Protect your data with firewalls; f) Limit authorized use and require passwords; g) Avoid storing customer or credit card information on your web server
Refer to your Merchant Operating Regulations for further card-not-present (CNP) requirements for the submission of sales."

So, it seems that Equifax failed to follow Discover's data security guidelines for merchants. (Browse privacy guidelines for merchants by other card issuers.) I do not have any ongoing services or subscriptions with Equifax, so there seems to be no need for it to retain my full credit card payment information. Not good. I called the Equifax customer service hotline. The phone representative could not explain why Equifax retained my payment information. Not good.

Third, Equifax failed to customize the letter for my situation. In 2008, I placed security freezes on my credit reports at Equifax, Experian, and TransUnion. So, Equifax already knows I have a security freeze in place, and failed to customize the letter accordingly. Rather than explain what applies to customers in my situation, instead the letter repeated the same general fraud-prevention advice for all consumers: how to contact the FTC, visit annualcreditreport.com for free copies of credit reports, file a police report if a victim of identity theft, place a fraud alert or security freeze on my credit reports for protections, and how to lift/remove an existing security freeze. Not good.

This was fast becoming a crappy customer experience.

Fourth, while on the phone with Equifax's customer service I asked if the TrustedID Premier credit monitoring service it ofered would work with the security freezes in place at all three credit reporting agencies. The phone representative said yes, but that the "credit file lock feature" would not work. What's that? According to the Equifax FAQ page:

"What is the difference between a credit file lock and a security freeze?
At their most basic level, both prevent new creditors from accessing your Equifax credit report, unless you give permission or take an action such as removing, unlocking or lifting the freeze or lock. Both a security freeze and a credit file lock help prevent a lender or other creditor from accessing a consumer’s credit report to open unauthorized new accounts.

• Security freezes were created in the early 2000’s, are subject to regulation by each state and use a PIN based system for authentication.
• Credit file locks were created more recently, are mobile-enabled and use modern authentication techniques, such as username and passwords and one-time passcodes for better user experience."

So, the "credit file lock" feature is new and different from a security freeze. The new feature allows mobile users to easily and quickly unlock/lock your Equifax credit reports. That seems beneficial for consumers needing frequent and quick access to credit. According to the FAQ page, the new feature will be "free, for life." The above description gives the impression that security freezes are antiquated.

To further understand this new feature, I visited the TrustedID Premier Privacy Policy page, which stated:

"The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and credit card information; Payment history and transaction history; Credit scores and credit history"

The "depend on the product or service you have" seems vague and broad. Just tell me! Plus, "transaction history" could include geo-location: where you bought something since some purchases are made at brick-and-mortar retail stores. It could also include when and where you use the "credit file lock" feature. So, even though the policy doesn't explicitly mention geo-location data collection, it seems wise to assume that it does. For the new "credit file lock" feature to work on your phone, it probably needs to know your location -- where you and your phone are.

So, this new feature seems to be a slick way for Equifax to collect (and archive) location data about when, where, the duration, and frequency of consumers' travels in the physical world -- something it couldn't get previously through the traditional security freeze process. Remember, any app on your smartphone can collect location data.

Plus, the "credit file lock" feature won't work with a security freeze in place. According to the customer service representative, consumers need to remove a security freeze for the credit file lock feature to work. This is a new, important wrinkle which consumers must understand in order to make informed decisions.

The representative said it would be free to remove the security freeze on my Equifax credit report in order to use the new feature. I asked if the TrustedID Premier service Equifax offers would work with credit reports from Innovis. The rep said no. The duration of my phone call was long since the representative needed to place me on hold and check with others in order to answer my questions. This did not instill confidence.

Plus, this lengthy question-and-answer page about Equifax's services indicates that many consumers (and perhaps some Equifax customer service representatives) don't fully understand the differences between security freezes, credit file locks, and other service features.

Fifth, the letter from Equifax did not mention any of the new threats nor the additional protection steps consumers must take, both of which you can read about in this October 10th blog post. Even though I've written about privacy, data breaches and credit monitor for the past 10+ years, like you there are new things to learn. It seems that Equifax is hoping that breach victims will take the easy route: enroll in TrustedID Premier -- which is free for now, but will likely cost you later.

Overall, for me it was a crappy post-breach customer experience with Equifax. I expected better -- better data security and a better post-breach support. Plenty of news articles have documented the security problems, failures, and post-breach problems with Equifax's breach site.

What are your opinions? What do you think of the new credit file lock feature? If you've used it, share your experience in the comments section below the image.

The Office of the Attorney General (AG) for the Commonwealth of Massachusetts announced on Wednesday that the state will receive $625,000 as part of the settlement agreement with Target Corporation. The settlement agreement, which includes 47 states plus the District of Colombia, resolves claims by states about the retailer's massive data breach in 2013.

Card issuers had also sued the retailer. Target settled with Visa in August, 2015 to resolve claims in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. Also, debit card PIN numbers were stolen.

The announcement by Massachusetts AG Maura Healey explained:

"The investigation found that the stolen credentials were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system and then capture data from credit or debit card transactions at Target stores (including stores in Massachusetts) from Nov. 27, 2013 to Dec. 15, 2013. The stolen data included consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, security codes, and encrypted debit PINs... The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers nationwide. In Massachusetts, the breach compromised information from approximately 947,000 customer payment card accounts and other personally-identifying information of about 1.5 million Massachusetts residents."

Terms of the settlement require Target:

"... to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment... to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts."

California will receive $1.4 million from the settlement. New York AG Eric T. Schneiderman said about the settlement agreement:

"New Yorkers need to know that when they shop, their data will be protected... This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward."

Yes, indeed. Shoppers everywhere need to know their data will be protected.

Besides Massachusetts, New York and California, the other states participating in this settlement include Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.

AL.com reported:

"Alabama won't be cashing in on the largest multi-state data breach settlement in history, however. The reason, according to the Alabama Attorney General's Office, is the absence of a state law that requires entities to notify customers whose information could have been exposed in a breach and then take steps to remediate any injuries.

"Alabama is one of the few states in the nation that is not a party to the recent Target settlement because our state does not have data breach notification law," said Mike Lewis, Communications Director for the Office of the Alabama Attorney General."

Connecticut and Illinois led the states' investigation. The participating states have not yet announced how the settlement money will be distributed.

[Editor's Note: a prior version of this blog post did not include the report by AL.com.]

After encountering unresolved issues with financial services, many consumers file complaints with the Consumer Financial Protection Bureau (CFPB). After each complain, the CFP works hard to get each consumer a reply within 15 days. This process allows the CFPB to track which issues affect most consumers, and to identify emerging problems.

According to its April Monthly Complaint Report, debt collection issues generated the most complaints on average, and complaints about student loans grew the fastest:

"As of April 1, 2017, the CFPB has handled approximately 1,163,200 complaints, including approximately 28,000 complaints in March 2017... Student loan complaints showed the greatest percentage increase from January - March 2016 (773 complaints) to January - March 2017 (3,284 complaints), representing about a 325 percent increase. Part of this year-to-year increase can be attributed to the CFPB updating its student loan complaint form to accept complaints about Federal student loan servicing in late February 2016. The CFPB also initiated an enforcement action against a student loan servicer during this time period."

The top five categories of complaints about during March, 2017:

1. Debt collection: 8,711
2. Credit reporting: 5,498
3. Mortgages: 3,965
4. Credit cards: 2,522
5. Bank account or service: 2,476

Also during March: debt collection complaints represented about 31 percent of complaints; debt collection, credit reporting and mortgage were the top three most-complained-about consumer financial products and services. Together, these three categories represented 65 percent of complaints during March.

The top five categories of complaints since the CFPB began:

1. Debt collection: 316,810
2. Mortgages: 272,153
3. Credit reporting: 195,826
4. Credit cards: 118,732
5. Bank account or service: 115,055

The CFPB began accepting complaints for different products and services at different times:

• July 21, 2011: credit card complaints
• December 1, 2011: mortgage complaints
• March 1, 2012: bank accounts and services, private student loans, and consumer loans
• October 22, 2012: credit reporting
• April 4, 2013: money transfers
• July 10, 2013: debt collection
• November 6, 2013: payday loans
• July 19, 2014: prepaid cards, credit repair, debt settlement, and pawn and title loans
• August 11, 2014: virtual currency
• February 26, 2016: Federal student loan servicing

There were regional differences in complaint volume:

"Montana (54 percent), Georgia (46 percent), and Wyoming (45 percent) experienced the greatest complaint volume percentage increase from January - March 2016 to January - March 2017. New Mexico (-20 percent), Iowa (-5 percent), and Kansas (-0.7 percent) experienced the greatest complaint volume percentage decrease... Of the five most populated states, Texas (35 percent) experienced the greatest complaint volume percentage increase and Florida (8 percent) experienced the least complaint volume percentage increase from January - March 2016 to January - March 2017."

The report also tracks complaints by company:

The CFPB reported additional details about student loan complaints:

"Approximately 32,700 (or 74 percent) of all student loan complaints handled by the CFPB from July 21, 2011 through March 31, 2017 were sent by the CFPB to companies for review and response. The remaining complaints have been found to be incomplete (7 percent), referred to other regulatory agencies (19 percent), or are pending with the CFPB or the consumer (0.5 percent and 0.4 percent, respectively)... The most common issues identified by consumers are problems dealing with their lenders or servicers (64 percent) and being unable to repay their loans (33 percent)."

"Federal student loan borrowers reported that when contacting their loan servicers regarding financial distress, servicers provided them with information on hardship forbearance or deferment, instead of potentially more beneficial repayment options like income-driven repayment plans... loan borrowers complained of difficulty enrolling in income-driven repayment plans. Borrowers reported lost documentation, extended application processing times, and unclear guidance when seeking to switch from one income-driven repayment plan to another."

Federal student loan borrowers described their experiences when trying to obtain guidance in completing annual income recertification for their income-driven repayment plan. Borrowers reported receiving insufficient information from their servicers to meet recertification deadlines and lengthy processing times. Some federal student loan borrowers stated their payments were misapplied. Borrowers reported overpayments were not applied to specified accounts but rather applied to all accounts managed by the servicer. Additionally, some borrowers’ overpayments—intended to reduce principal balance—were credited to the account as an early payment, resulting in their ac count reflecting a paid ahead status..."

To read more, download the full "April 2017: CFPB Monthly Complaint Report: Vol. 22" (Adobe PDF).

Americans still love to use the plastic in their wallets and purses. Just before the holidays, the Federal Reserve Board (FRB) released the results of its study about how Americans use non-cash payment methods: debit cards, credit cards, prepaid cards, ACH payments, and checks. The study included the total number and value of non-cash payments by consumers and businesses through 2015.

The total number of U.S. non-cash payments was more than 144 billion payments with a value of almost $178 trillion in 2015. That represented an increase of almost 21 billion payments or about $17 trillion since 2012. Other key findings from the study:

"The number of debit card payments (including payments with prepaid and non-prepaid cards) grew to 69.5 billion in 2015 with a value of $2.56 trillion, up 13.0 billion or $0.46 trillion since 2012. This was the largest increase in number of payments among the payment types considered. Debit card payments grew at an annual rate of 7.1 percent by number or 6.8 percent by value from 2012 to 2015 with most of the growth occurring in non-prepaid debit card payments. The number of credit card payments reached 33.8 billion in 2015 with a value of $3.16 trillion, up 6.9 billion or $0.61 trillion since 2012. Credit card payments grew at an annual rate of 8.0 percent by number or 7.4 percent by value from 2012 to 2015, the largest growth rates among the payment types considered... The number of check payments fell to 17.3 billion with a value of $26.83 trillion, down 2.5 billion or $0.38 trillion since 2012. Check payments fell at an annual rate of 4.4 percent by number or 0.5 percent by value from 2012 to 2015. The decline of checks over the period was slower than previous studies had shown for prior periods since 2003."

Prepaid cards typically include gift cards and payroll cards which consumers load money onto and which aren't linked to bank accounts (e.g., checking, savings). Past studies have documented numerous fees with prepaid cards while some consumers use prepaid cards instead of traditional bank accounts. "Non-prepaid debit cards" refer to debit cards linked to traditional bank accounts.

There are significant differences between the volume and value for each non-cash payment type. For example, debit cards generated the largest share of payment volume and the smallest share by value:

Another way of looking at the variety of non-cash payment types is the volume of payments over time:

Additional findings about prepaid cards:

"The number of prepaid debit card payments reached 9.9 billion with a value of $0.27 trillion in 2015, up 0.6 billion or $0.04 trillion since 2012. Almost all of the growth in prepaid debit card payments by number and value came from general-purpose prepaid cards, which can be used over the same general-purpose networks as non-prepaid debit cards. General-purpose prepaid card payments increased to 3.7 billion in 2015 by number, up 0.6 billion from 2012 to 2015, which was much less than the growth of 1.8 billion from 2009 to 2012... The average value of payments using these types of cards dropped slightly from $35 in 2012 to $34 in 2015.

Private-label prepaid card payments declined slightly by number, but rose somewhat by value from 2012 to 2015. In 2012, such payments totaled 3.7 billion by number or $0.05 trillion by value, while, in 2015, they totaled 3.6 billion by number or $0.07 trillion by value. Private-label prepaid card payments dropped at an annual rate of 0.3 percent by number but rose 15.0 percent by value. Hence, the average value of these payments rose from $13 to $20.

Payments made by prepaid EBT cards increased slightly from 2.5 billion in 2012 to 2.6 billion in 2015, or 1.7 percent per year, while the value of these payments also increased slightly from $0.07 trillion to $0.08 trillion, or 0.20 percent per year. The average value of prepaid EBT card payments declined slightly, from $30 to $29.

In 2015, non-prepaid debit and general-purpose prepaid cards were used in 5.8 billion cash withdrawals at ATMs, virtually the same level as in 2012, after dropping from 6.0 billion ATM cash withdrawals in 2009. The average value of ATM cash withdrawals rose from $118 to $122 between 2012 and 2015, continuing an upward trend in average value since 2003."

To minimize fraud and waste, banks and retailers began the migration to chip cards in the United States in 2015. The FRB study included findings about fraud:

"Payments with general-purpose cards using embedded microchips, which improve the security of in-person payments to help prevent fraud, have grown by 230 percent per year since 2012. But payments with the chip-based cards amounted to only about 2 percent share of total in-person general-purpose card payments in 2015, reflecting the early stages of a broad industry effort to roll out chip card technology. In 2015, the proportion of total general-purpose card fraud by value attributed to counterfeiting, the most prevalent type of in-person card fraud in the United States, was substantially greater than in countries where chip technology has been more widely adopted."

The United States was one of the last developed countries to switch to chip cards. So, chip card usage in the United States still has a long way to go. The types of fraud with debit/credit/prepaid cards:

• Counterfeit card: Fraud is perpetrated using an altered or cloned card.
• Lost or stolen card: Fraud is undertaken using a lost or stolen card.
• Card issued but not received: A newly issued card sent via postal mail to a cardholder is intercepted and used to commit fraud.
• Fraudulent application: A new card is issued based on a fake identity or on someone else’s identity.
• Other: “Other” fraud includes account takeover and other types of fraud not covered above.
• Fraudulent use of account number: Fraud is perpetrated without using a physical card.

Fraud is perpetrated via two channels: 1) in-person when the cardholder has their card, and 2) remote when the cardholder is not present (e.g., postal mail, online, telephone). To learn more, download the "2016 Federal Reserve Payments Study" (Adobe PDF) and/or read the FRB announcement.

On Thursday, the Federal Reserve Board (FRB) issued a warning for consumers to do two things to protect themselves and their finances:

1. Monitor online accounts for unauthorized transactions, and
2. Learn where to find help should you find unauthorized transactions in your financial accounts

The FRB's warning also stated:

"Signs of potential problems may include a notice, bill, or debit card for an account that was not activated or authorized, as well as a notice of fees for unsolicited products or services tied to an existing account. Consumers who see questionable activity should contact their financial institution immediately. Consumers who continue to experience issues may also submit a complaint to the Federal Reserve. The Federal Reserve maintains the Federal Reserve Consumer Help (FRCH) website, which offers an online complaint form and information on filing complaints by fax and phone for consumers. The FRCH website also provides consumer alerts, frequently asked questions, and information about other government agencies. While the Federal Reserve does not have the authority to resolve every problem, it will refer complaints to the relevant federal or state agency. Consumers can contact FRCH at 1-888-851-1920, or at www.federalreserveconsumerhelp.gov."

Other relevant federal agencies may include the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities & Exchange Commission (SEC).

On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.

The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:

The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."

HEI is notifying affected customers and consumers that may have been affected:

"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."

The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.

HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.

If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?

The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,00 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection scams accounted for 26 percent of all complaints.

The most frequent scam are attempts to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection-scam complaints submitted. This included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect. "

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists 20 companies with the most debt-collection complaints during October through December 2015. The top five companies with with average monthly complaints about debt collection are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, prepaid cards, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.

The Consumer Financial Protection Bureau (CFPB) helps consumers in many ways. To learn more, read:

• CFPB Considers Proposal To Ban Some Arbitration Clauses
• The CFPB Consumer Complaints Database Does What It Was Designed To Do
• To Learn More About Prepaid Cards, Try The 'Ask CFPB' Service
• CFPB Accepts Complaints From Consumers About Money Transfers
• CFPB Begins Supervision of Credit Reporting Industry
• CFPB Accepts Complaints From Consumers About Checking And Savings Accounts
• CFPB Reports List Of Complaints From Consumers About financial Products

Tying some loose ends: Target settled with Visa in August to resolve claims from the retailer's massive 2013 data breach in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. The value of that settlement was up to $67 million, depending upon how many card issuers worldwide accept that deal. A $19 million settlement with MasterCard fell through.

In March, the retailer agreed to pay $10 million to settle lawsuits by consumers. While the July 31, 2015 deadline has passed for affected shoppers to submit claims, the Target Settlement website listed the next important date is a November 10, 2015 hearing for the Court to approve the settlement. Payments to consumers will happen after the Court approves the settlement.

Today, October 1, 2015 is the date banks and card issuers set to transition to the new EMV chip cards. The transition was to reduce card fraud. EMV is the name of the technology jointly developed by Europay, MasterCard, and Visa. Was the transition completed? The American Banker reported:

"Most credit cards (about 70%) will have chips on them. But most of these cards will be chip-and-signature cards, not chip-and-PIN... Many small merchants won't be ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards. Big-box stores like Target that have suffered data breaches have done this work. But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting."

So, the transition is incomplete. In Europe, the United Kingdom transitioned to chip-and-PIN in 2006, and saw store-related card fraud drop 70 percent. The PIN is a short number the cardholder enters at the terminal to authorize their purchase. Chip-and-signature refers to new chip cards when the cardholder signs at the terminal to authorize their purchase.

It' is troubling that many retailers in the USA haven't upgraded to the new terminals. The result: consumers will encounter a frustrating mix of stores with and without the new chip card terminals. Cardholders will have to insert their chip cards at stores with the new terminals, and swipe the swipe the magnetic stripe on the back of their chip cards at stores without the new terminals.

The new chip cards contain both a chip that encrypts and stores your sensitive payment information, plus the obsolete magnetic stripe on the back of the card, which fraudsters have used to clone cards. Some experts have criticized this approach, arguing that the less-secure magnetic stripes should have been eliminated. The counter argument:

"Duplicating the chip on a chip card is difficult if not impossible [for ciminals]. Most new cards are being issued with both a magnetic stripe and a chip and the new EMV terminals accept both the chip and the stripe. So theoretically [criminals] could duplicate just the magnetic stripe on the chip card, create a new magnetic stripe card and try to use that. However, if an EMV card is swiped on an EMV-compliant merchant terminal, the system will reject the transaction and force the consumer to insert the chip."

Time will tell which experts are correct. Some cite two statistics. First, 37 percent of total card fraud is from criminals using cloned cards in stores. Second, the bulk of card fraud is online:

"Online card fraud is expected to rise. So-called "card not present" fraud — where someone uses a card but does not physically present the card (this could be over the phone, over a fax machine, on a mobile device or a computer, but most people equate "card not present" with using a card on a website) — represents the bulk of card fraud in the U.S.: 45%, according to Aite Group. The analyst group expects online card fraud to more than double from $3.1 billion in 2015 to $6.4 billion in 2018."

To help consumers, the Consumer Financial Protection Bureau (CFPB) provides easy answers about the new chip cards. The CFPB is a great resource for consumers to learn about their rights and to get help. The CFPB enforces rules that financial institutions must follow when marketing financial products to consumers. For unresolved problems with credit/debit/prepaid cards, student loans, debt collection agencies, or other financial products, you can submit online a complaint to the CFPB for assistance.

Discover notified its credit card customers in July about the transition. Its notice provided helpful images of the new terminals, the new chip card, and how cardholders insert chip cards into the new terminals. As I wrote then, before traveling in Europe, Discover cardholders should set up a PIN number, since Europe requires chip-and-pin authorizations.

What are your opinions of the new chip cards? Of the partial transition? If you have experienced problems with a new chip card, please share below.

Readers of this blog are aware of the various versions of check scams criminal use to trick consumers. A new scam has emerged with social travel sites.

After paying for a valid stay, an Airbnb customer was tricked by criminals using an wire transfer scam. The Telegraph UK described how an Airbnb customer was tricked. After paying for for their valid rental with a valid credit card, the guest:

"... received an email from Airbnb saying that the card payment had been declined and I needed to arrange an international bank transfer within the next 24 hours to secure the apartment. Stupidly, I did as asked. I transferred the money straight away to someone I assumed was the host as they had all the details of my reservation."

Formed in 2008, Airbnb now operates in 34,000 cities in 190 countries.

After checking with their bank, the guest determined that the credit card payment had been processed correctly. So, the guest paid twice, with the second payment to the criminal. The guest believes that Airbnb experienced a data breach. According to one security expert:

"The fraud works by sending an email to a host that appears to come from Airbnb asking them to verify their account details. The host foolishly responds thus giving the fraudster access to their account and all the bookings correspondence. Even though the addresses are anonymised the fraudster can still send emails to the customers via Airbnb to try to extract a second payment by bank transfer."

What can consumers make of this? First, hosts should learn to recognize phishing e-mails. Don't respond to them. Second, guests need to remember that inattentive hosts can compromise their identity information. Third, guests should never make payments outside of Airbnb's system.

Criminals are creative, persistent, and knowledgeable. Consumers need to be, too. Read the Scams/Threats section of this blog.

On Friday, CVS and Wal-mart Canada announced investigations into possible data breaches at their photo centers. On Monday, Costco announced a similar investigation about a possible data breach. Costco has also suspended operations of its photo centers. The number of credit card customers affected is unknown at all three retailers.

The outsourcing vendor involved is PNI Digital Media, with offices in Vancouver, British Columbia (Canada) and England. According to its website, PNI Digital Media operates 19,000 retail locations and 8,000 in-store kiosks. The New York Times reported:

"... the breaches highlighted the importance of more rigorously vetting I.T. vendors at a time when companies outsource more and more of their technology operations. Vendors have often proved to be the weakest link..."

Staples acquired PNI Digital Media in July, 2014. At press time, the vendor's latest tweet was May 20, two months ago. That tweet announced that hiring was underway for several positions, including front and back-end developers.

Until the retailers announce more about their breaches, experts advise customers of the above retail stores to closely monitor their bank and card statements for fraudulent charges.

This month, Discover Bank began to ship upgraded credit cards for its cardholders. The new "smart" credit card includes an embedded EMV chip that offers far more security. The chip stores and transmits encrypted data with a unique identifier for each transaction. The EMV chip technology was developed jointly by Europay, MasterCard, and Visa.

In the United States, cardholders will use the new cards the same way they used the old cards with the obsolete magnetic strip technology. At retail stores with older terminals, cardholders will continue to swipe their cards to make purchases. At retail stores with the chip-enabled terminals, cardholders will instead insert their card into the new terminals. To withdraw cash at bank ATM machines, a PIN number is required.

Like other new credit cards in the United States, the new Discover credit cards use "chip and signature" technology. I asked a Discover customer service if their new credit cards could be used in Europe, where cards use the "chip and PIN" technology. (When the United Kingdom switched to EMV chip cards years ago, fraud in stores there decreased 70 percent.) The customer service rep stated that the new cards could be used in Europe, provided the cardholder sets up a PIN number before their trip.

Wise readers note the limitations. The new chip cards won't stop hacks and data breaches at companies, employers, and banks that archive consumers' payment information. The new chip cards won't offer any more security or payment protections until retail stores upgrade their terminals. Credit Card Forum described the method being used to encourage retailers to upgrade by October 2015:

"... the card networks (Visa, MasterCard, AmEx and Discover) are giving both [retail merchants] and card-issuing banks an incentive (both a carrot and a stick) to upgrade by October 2015. At that point, the networks will institute a “fraud liability shift.” That’s a fancy way of saying “adapt or pay.” If a consumer’s card is involved in fraud, whichever party involved in the transaction (the bank that issued the card or the merchant that accepted it) that didn’t upgrade to EMV will be held accountable."

Retailers see the situation differently. CNBC published a retail spokesperson's commentary about the new "chip and signature" credit cards:

"Retailers are also asking card issuers to take more than a half step, and issue "chip and PIN" cards to American consumers. As it currently stands, banks are only issuing "chip and signature" cards in the United States, a less secure standard as signatures can easily be forged. It has been reported by the Federal Reserve that including a PIN makes a transaction up to 700 percent more secure, yet to date, banks are not issuing these cards to American customers... The fastest, easiest and smartest thing we can do to make transactions more secure in the near term is to upgrade credit cards with Chip and PIN technology. Retailers are making the investments needed to accept them, but we need the financial industry to make the same commitment."

Several banks and card issuers in the United States offer EMV-chip credit cards:

• American Express Premier Rewards Gold
• Bank of America Travel Rewards
• Capital One VentureOne Rewards
• Chase Freedom
• Chase Sapphire Preferred
• Citi Diamond Preferred
• Marriott Rewards Premier
• Plenti Credit Card from Amex
• USAA Preferred Cash Rewards World MasterCard

Browse a longer list of EMV-chip cards available in the United States. Both cardholders and non-cardholders can learn more about the new chip credit cards at the Discover site.

Why go part of the way and introduce EMV chips with signature instead of with PIN numbers? Seems to me, the banks seem mare more interested in shifting the liability of data breaches from them to retailers, rather than provide cardholders with state-of-the-art EMV security that's already available in most other parts of the world.

What are your opinions of the new "chip and signature" credit cards in the United States?

Smart phone are popular and versatile devices. About 60 percent of adults in the USA have smart phones. Many consumers want to ditch the plastic in their wallets and pay with their smart phones instead. To do this, the Federal Deposit Insurance Corporations (FDIC) issued several warnings for consumers in the Winter 2015 issue of its quarterly newsletter.

The FDIC is an independent agency created by the U.S. Congress to maintain stability and public confidence in the nation's financial system. The FDIC does this by insuring deposits in banks, and examining and supervising banks for soundness. The FDIC's quarterly newsletter contains valuable tips for consumers. The winter issue of its newsletter contains advice about telephone scams, tips when buying or refinancing a home, how to submit a complaint about a bank, tips to save more of your money, and more.

Here's what you need to know to pay with your phone:

1. Contact-less or NFC-capable phone. The computer chip in your smart phone must support Near Field Communications (NFC). This allows you to swipe your phone near the payment terminal in the retailer's store to make purchases. If you are buying a new phone, ask the sales person if the phone has an NFC chip. If you want to use your current phone, check the Settings menus to see if it has an option to enable NFC.

2. Where you shop matters. The large, national retail chains support contact-less payments with your phone, but many smaller, independent retailers don't -- yet.

3. Digital wallet. You need a digital wallet, the app or software to store payment information on your smart phone. Newer phones may already have this feature. If so, then you can load the payment information onto your phone for your debit- and credit cards.

4. Security matters. You need to protect your phone, both with anti-virus software, and lock your phone with a password. Make sure that your phone re-locks itself when not in use. Back up the list of contacts in your phone. According to the FDIC:

"Many security experts believe that mobile payments are more secure than swiping your magnetic stripe credit card because the mobile service keeps your credit number in encrypted form and does not transmit it to the merchant. But you still should make sure your phone is protected, such as with a password, so it cannot be accessed by a thief. Some of the newest smartphones use fingerprint readers to control access, which can be secure and convenient."

5. Lost or stolen phones. When your phone is lost or stolen, you still need to report your payment information as stolen to your bank or the issuer of your credit card(s). A stolen phone with debit card payment information enabled would give thieves direct access to your checking account. Experts say that consumers get the same protections from the underlying payment type (e.g., debit-, credit) wehn paying with their smart phone.

Earlier today, I visited a Bank of America office to clean out and surrender my safe deposit box. While there, I asked the representative who else received the announcement letter about the price increase for checking customers. The representative explained that letters were sent to checking customers across New England, and the bank plans to extend that later nationwide.

So, there it is. You heard it first on the I've Been Mugged blog.

During the past few days, I have had some interesting discussions about this on social networking sites. One person commented:

"I'm not understanding the controversy here. You can always change banks, right? And small accounts are probably money losers for them. They clearly have decided that they don't want certain business, so why stay with them?"

I am sure that others think the same. Here's why Sunday's blog post was important:

First, consumers can always change banks. That's not the point. Context matters. This isn't the first attempt by the bank to raise prices for checking customers (or develop new revenue streams from its point-of-view). One must look at the price increase in context of that and the bank's history.

Second, a major part of the bank's history included massive settlement payments for wrongdoing. That money has to be replaced, otherwise the bank's profits go down. So, who pays for that wrongdoing? Customers or bank executives? I think that the latter should pay, but the price increase suggests the former are paying.

Third, those massive settlement payments are usually partially tax deductible. That means, the bank can write off the payment to reduce their income taxes. That means, all of us taxpayers are subsidizing or partially paying the settlement payment for the bank's wrongdoing. Do you want to pay for another person's (or corporation's) wrongdoing? I don't, and doubt that you want to either. I find this infuriating, and hope that it infuriates you, too. The whole situation makes one wonder if the price increase for checking customers is to replace the money the bank paid for massive settlement payments. If so, the bank should have said so. Its price increase letter was silent on the topic.

Fourth, as a customer (soon to be ex-customer) of the bank, I want to know that it has done all cost cutting possible before raising prices. The notice I received failed to explain that, too. The bank's $25 monthly fee is a huge price increase; especially for low-wage or minimum wage workers. For a worker making $10 per hour, the $25 monthly fee equals two-and-a-half hours of work; probably three hours of work on an after tax basis. That is expensive banking.

Fifth, I also wrote Sunday's blog post to highlight another little-known fact by consumers: the partnership between BofA and First Data, where they share in the revenues from processing debit transactions. So, BofA makes money at both ends of the transaction... what I call double dipping. That didn't pass the smell test in 2011, nor does it pass today. I wrote about that so more consumers would know how their banks operate, since other big banks do it, too. Shady business practice, in my opinion.

Sixth: my main point is this: I want the bank I do business with to reflect my values. BofA no longer does. And, I don't trust it. I don't trust it to stop with the latest price increase. There probably will be more and higher fees. Hence, I am switching banks and wrote Sunday's blog post to explain why.

Seventh, while this may not be controversial to some people, it is important to BofA checking account customers. And, it was important in 2012 to the hundreds of thousands of people who participated in Bank Transfer Day by switching banks.

What are your opinions?

Bank of America (BofA) has decided to move forward with charging large monthly maintenance fees to its checking account customers. Yesterday, I received a notice via postal mail from BofA dated March 6, 2015:

"We're updating our checking products and, as a result, the existing checking account listed above will become an Advantage Regular Checking account...

What's not changing
Your account information, including your account number, checks, and debit card all remain the same. Your account features, such as direct deposit, Online and Mobile banking. Bill Pay, as well as accounts linked for overdraft protection, will also remain the same.

What's Changing
Monthly maintenance fee: You can avoid the monthly fee on this account when you meet any ONE of the requirements shown below during each monthly statement cycle. Otherwise, the $25 monthly fee will be deducted from your account. This change takes effect on your first statement cycle that starts on May 15."

I checked the BofA website for any press releases about its price increase. I saw nothing. Not good.

A $25 monthly maintenance fee equals $300 yearly. That's a big price increase. You may remember Bank Transfer Day in 2012, when many consumers moved their money from the big banks to smaller, regional banks and credit unions. Several banks and BofA had tried to raise prices in 2011 by applying monthly maintenance fees, but then reversed their decisions after considerable push-back by consumers.

BofA tried to justify its 2011 price increase by saying their transaction costs had gone up and the, "economics of debit cards have changed," After some research in 2011 (see image on right), I found that BofA partnered with another company, First Data, to create a separate company that actually processes the bank's debit-card transactions, and both share in those debit-card transaction revenues.

That partnership continues today. The 2015 Hoovers profile states:

"The next time you swipe your card and it clears, you might thank Banc of America Merchant Services. A 2009 joint venture between Bank of America and First Data, it is one of the largest processors of electronic payments in the US. The firm handles more than 7 billion check and credit, debit, stored value, payroll, and electronic benefits transfer card transactions (worth a total of some $250 billion) annually. Its clients are small businesses and large corporations including retailers, restaurants, hotels, supermarkets, utilities, gas stations, convenience stores, and government entities. First Data owns 51% of Banc of America Merchant Services, while Bank of America owns 49%."

I'll bet you didn't know this. Most people don't. Most of the big banks have similar arrangements with First Data. So, the big banks make money off your money by investing it (what you'd expect), but also by both charging customers monthly maintenance fees and from collecting revenues from their debit-transaction processing partnership (not what you'd expect). Some people might call making money at both ends of the transaction double-dipping. I do. That didn't pass the smell test in 2011, nor today.

Fast-forward four years, and the transaction cost reason has been replaced with the "updated our checking products" excuse. It's still lame. A price increase is a price increase. Plus, the notice I received from BofA failed to mention any cost cutting done before passing along a huge price increase to its checking customers. That's just bad.

Moreover, the bank's latest price increase couldn't be more confusing. The bank's notice explained how checking customers can avoid the large monthly maintenance fees:

"Keep an average daily balance of $5,000 or more in your checking account or linked Regular Savings account, or

Keep an average daily combined balance of $10,000 or more in checking with linked savings, money market savings, CDs or IRAs, or

Keep an outstanding balance of $15,000 or more in an eligible linked installment loan or line of credit, or

Have $15,000 in total combined assets in your eligible Merrill Edge and Merrill Lynch investment accounts that are linked to your checking account, or

Have a linked Bank of America first mortgage loan that we service."

This reads like legalese written by lawyers. Why not keep it simple and say: keep $5,000 in an account to avoid the monthly maintenance fees. Simplicity matters.

Let's review some more of BofA's history. In August 2014, the bank agreed to a massive settlement with the U.S. Justice Department and several states' attorney generals. The $16.65 billion settlement agreement resolved both federal and state civil investigations into activities by the bank's former and current subsidiaries, including Countrywide Financial Corporation and Merrill Lynch, related to the packaging, marketing, sale, and issuance of residential mortgage-backed securities (RMBS). The bank acquired Merrill Lynch in 2009, and Countrywide in 2008.

To be fair, other big banks have paid massive settlement amounts during the past few years: Bank of America, $61.1 billion; JPMorgan, $31.4 billion; Citigroup, $10 billion; and Wells Fargo, $5.8 billion. A 2012 survey found that junior bank executives view wrongdoing as necessary to advance their careers. Based upon all of this, there clearly seems to be an ethics problem in banking.

I find BofA's reason (e.g., updated their checking products) for its price increase disingenuous. More likely, the price increase was driven profitability concerns given the massive settlement payments. Why not reduce senior executive compensation and bonuses instead (e.g., especially those executives that committed the wrongdoing that led to the massive settlement payments)? Why put the burden on customers?

That BofA decided to place the burden on its customers speaks volumes. Banks can clearly raise prices if they want. They are free to do that. Customers are free to move their money to a bank (or credit union) with lower or no monthly maintenance fees.

I'll make it easy for BofA checking customers to avoid the price increase: move your money to a small, regional bank or credit union. It's easier than you think, and there are a lot of benefits. Last month, Bankrate compared checking account fees between banks and credit unions:

"You're twice as likely to find free checking at a credit union than a bank, according to a new study by Bankrate.com. Nearly three quarters of credit union checking accounts -- 72 percent -- come with no balance requirements or monthly maintenance fees. That's in sharp contrast to banks, where only 38 percent of checking accounts are free... Most of the time, when you encounter dramatically lower prices for the same product, you assume that the cheaper product is somehow inferior. But that's not the case with credit unions, which typically offer services comparable to similarly sized banks. Instead, it comes down to the way credit unions are organized, says Jon Jeffreys, managing partner at Callahan & Associates, a management consultancy that works with credit unions..."

Thankfully, I had already begun to move my money. BofA's latest price-increase notice just accelerated my schedule. While I have sufficient account balances to avoid BofA's new monthly maintenance fees, I simply dislike the way the bank operates. For me, it goes to values.

If you are looking for a small bank or credit union to move your money to, a good resource is the Move Your Money Project. Some consumers have tried to move their money to prepaid cards instead. I believe that is a poor decision, because there usually are many fees with prepaid cards. Plus, experts have advised consumers to be wary of prepaid card protections.

What are your opinions of Bank of America? Of its latest price increase? Has your bank increased prices?