82 posts categorized "Debit Cards" Feed

Federal Reserve Released Its Non-cash Payments Fraud Report. Have Chip Cards Helped?

Many consumers prefer to pay for products and services using methods other than cash. How secure are these non-cash payment methods? The Federal Reserve Board (FRB) analyzed the payments landscape within the United States. Its October 2018 report found good and bad news. The good news: non-cash payments fraud is small. The bad news:

  • Overall, non-cash payments fraud is growing,
  • Card payments fraud drove the growth
Non-Cash Payment Activity And Fraud
Payment Type 2012 2015 Increase (Decrease)
Card payments & ATM withdrawal fraud $4 billion $6.5 billion 62.5 percent
Check fraud $1.1 billion $710 million (35) percent
Non-cash payments fraud $6.1 billion $8.3 billion 37 percent
Total Non-cash payments $161.2 trillion $180.3 trillion 12 percent

The FRB report included:

"... fraud totals and rates for payments processed over general-purpose credit and debit card networks, including non-prepaid and prepaid debit card networks, the automated clearinghouse (ACH) transfer system, and the check clearing system. These payment systems form the core of the noncash payment and settlement systems used to clear and settle everyday payments made by consumers and businesses in the United States. The fraud data were collected as part of Federal Reserve surveys of depository institutions in 2012 and 2015 and payment card networks in 2015 and 2016. The types of fraudulent payments covered in the study are those made by an unauthorized third party."

Data from the card network survey included general-purpose credit and debit (non-prepaid and prepaid) card payments, but did not include ATM withdrawals. The card networks include Visa, MasterCard, Discover and others. Additional findings:

"... the rate of card fraud, by value, was nearly flat from 2015 to 2016, with the rate of in-person card fraud decreasing notably and the rate of remote card fraud increasing significantly..."

The industry defines several categories of card fraud:

  1. "Counterfeit card. Fraud is perpetrated using an altered or cloned card;
  2. Lost or stolen card. Fraud is undertaken using a legitimate card, but without the cardholder’s consent;
  3. Card issued but not received. A newly issued card sent to a cardholder is intercepted and used to commit fraud;
  4. Fraudulent application. A new card is issued based on a fake identity or on someone else’s identity;
  5. Fraudulent use of account number. Fraud is perpetrated without using a physical card. This type of fraud is typically remote, with the card number being provided through an online web form or a mailed paper form, or given orally over the telephone; and
  6. Other. Fraud including fraud from account take-over and any other types of fraud not covered above."
Card Fraud By Category
Fraud Category 2015 2016 Increase/(Decrease)
Fraudulent use of account number $2.88 billion $3.46 billion 20 percent
Counterfeit card fraud $3.05 billion $2.62 billion (14) percent
Lost or stolen card fraud $730 million $810 million 11 percent
Fraudulent application $210 million $360 million 71 percent

The increase in fraudulent application suggests that criminals consider it easy to intercept pre-screened credit and card offers sent via postal mail. It is easy for consumers to opt out of pre-screened credit and card offers. There is also the National Do Not Call Registry. Do both today if you haven't.

The report also covered EMV chip cards, which were introduced to stop counterfeit card fraud. Card networks distributed both chip cards to consumers, and chip-reader terminals to retailers. The banking industry had set an October 1, 2015 deadline to switch to chip cards. The FRB report:

EMV Chip card fraud and payments. Federal Reserve Board. October 2018

The FRB concluded:

"Card systems brought EMV processing online, and a liability shift, beginning in October 2015, created an incentive for merchants to accept chip cards. By value, the share of non-fraudulent in-person payments made with [chip cards] shifted dramatically between 2015 and 2016, with chip-authenticated payments increasing from 3.2 percent to 26.4 percent. The share of fraudulent in-person payments made with [chip cards] also increased from 4.1 percent in 2015 to 22.8 percent in 2016. As [chip cards] are more secure, this growth in the share of fraudulent in-person chip payments may seem counter-intuitive; however, it reflects the overall increase in use. Note that in 2015, the share of fraudulent in-person payments with [chip cards] (4.1 percent) was greater than the share of non-fraudulent in-person payments with [chip cards] (3.2 percent), a relationship that reversed in 2016."


New Phone-Based Phishing Scams Can Trick Even Experts. How You Can Avoid Getting Duped

Beware, phone scams are more sophisticated. The pitches are so slick that even some technology experts who know better were tricked into disclosing sensitive personal and payment information. Some phone scams include human callers (called "phishing"), while others include a mix of humans and computer automation (called "vishing").

The Krebs On Security blog listed several examples. Here's one:

"Matt Haughey is the creator of the community Weblog MetaFilter... Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately... Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California. This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip?"

Maybe that struck you as odd, too. Against his better judgment, Haughey continued the phone call and didn't hang up. The caller knew his home address and asked him to verify his mother's maiden name, the 3-digit security code on the back of his card, and his PIN number. Those requests were more clues, too. The bank should know this information.

Like most people, Haughey thought that it was his bank trying to be helpful. Finally, he hung up and called his bank directly. That's when he learned it was a scam. His bank hadn't called.

This example provides several lessons for consumers:

  1. Scam artists are persistent. They will keep calling hoping you'll give in and answer the phone calls.
  2. Scam artists are well armed. Thanks to the recent multitude of massive corporate data breaches (like this one, this one, this one, this one, and/or this one), the bad guys have probably acquired plenty of stolen personal and payment information about consumers. Criminals also buy, sell, and trade stolen data on the dark web. Using the same technologies (e.g., artificial intelligence, open-source online tools) which the good guys use, the bad guys will "spoof" or fake valid phone numbers to pretend to be your bank or financial institution.
  3. A bit of skepticism is healthy. We've all been taught to be polite and to answer the phone when it rings. Scam artists try to exploit this habit. Experts advise consumers to hang up on robocalls. Even if the Caller ID feature on your phone displays a familiar number, hang up and call your bank or financial institution directly. Their phone number is conveniently listed on the back of your credit/debit card. Ask your bank if they called. They probably didn't.
  4. Learn how to spot robocalls acting like humans. If you're curious and have the time, ask a simple question like, "How's the weather where you live?" If the caller ignores your question or provides a canned response, like "I don't have that information" or "I'm sorry. Can you repeat that," then it's probably a robocall. Hang up.
  5. Know scam artists' pitch. It's all about money. They will pretend to be your bank, financial institution, phone company, and/or computer company. (Yes, online scammers have a profile.) Similar to phishing emails, phone scams often include a sense of urgency. They want you to act now... in the moment. Wise consumers do product research and comparison shop before making purchase decisions. The "haste makes waste" advice your parents told you as a youth still applies.

You now know more, so you won't get duped by phone scams.


Report: Several Impacts From Technology Changes Within The Financial Services Industry

For better or worse, the type of smart device you use can identify you in ways you may not expect. First, a report by London-based Privacy International highlighted the changes within the financial services industry:

"Financial services are changing, with technology being a key driver. It is affecting the nature of financial services from credit and lending through to insurance and even the future of money itself. The field known as “fintech” is where the attention and investment is flowing. Within it, new sources of data are being used by existing institutions and new entrants. They are using new forms of data analysis. These changes are significant to this sector and the lives of the people it serves. We are seeing dramatic changes in the ways that financial products make decisions. The nature of the decision-making is changing, transforming the products in the market and impacting on end results and bottom lines. However, this also means that treatment of individuals will change. This changing terrain of finance has implications for human rights, privacy and identity... Data that people would consider as having nothing to do with the financial sphere, such as their text-messages, is being used at an increasing rate by the financial sector...  Yet protections are weak or absent... It is essential that these innovations are subject to scrutiny... Fintech covers a broad array of sectors and technologies. A non-exhaustive list includes:

  • Alternative credit scoring (new data sources for credit scoring)
  • Payments (new ways of paying for goods and services that often have implications for the data generated)
  • Insurtech (the use of technology in the insurance sector)
  • Regtech (the use of technology to meet regulatory requirements)."

"Similarly, a breadth of technologies are used in the sector, including: Artificial Intelligence; Blockchain; the Internet of Things; Telematics and connected cars..."

While the study focused upon India and Kenya, it has implications for consumers worldwide. More observations and concerns:

"Social media is another source of data for companies in the fintech space. However, decisions are made not on just on the content of posts, but rather social media is being used in other ways: to authenticate customers via facial recognition, for instance... blockchain, or distributed ledger technology, is still best known for cryptocurrencies like BitCoin. However, the technology is being used more broadly, such as the World Bank-backed initiative in Kenya for blockchain-backed bonds10. Yet it is also used in other fields, like the push in digital identities11. A controversial example of this was a very small-scale scheme in the UK to pay benefits using blockchain technology, via an app developed by the fintech GovCoin12 (since renamed DISC). The trial raised concerns, with the BBC reporting a former member of the Government Digital Service describing this as "a potentially efficient way for Department of Work and Pensions to restrict, audit and control exactly what each benefits payment is actually spent on, without the government being perceived as a big brother13..."

Many consumers know that you can buy a wide variety of internet-connected devices for your home. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., sex toys, smart watches for children, mouse traps, wine bottlescrock pots, toy dolls, and trash/recycle bins). Add your car or truck to the list:

"With an increasing number of sensors being built into cars, they are increasingly “connected” and communicating with actors including manufacturers, insurers and other vehicles15. Insurers are making use of this data to make decisions about the pricing of insurance, looking for features like sharp acceleration and braking and time of day16. This raises privacy concerns: movements can be tracked, and much about the driver’s life derived from their car use patterns..."

And, there are hidden prices for the convenience of making payments with your favorite smart device:

"The payments sector is a key area of growth in the fintech sector: in 2016, this sector received 40% of the total investment in fintech22. Transactions paid by most electronic means can be tracked, even those in physical shops. In the US, Google has access to 70% of credit and debit card transactions—through Google’s "third-party partnerships", the details of which have not been confirmed23. The growth of alternatives to cash can be seen all over the world... There is a concerted effort against cash from elements of the development community... A disturbing aspect of the cashless debate is the emphasis on the immorality of cash—and, by extension, the immorality of anonymity. A UK Treasury minister, in 2012, said that paying tradesman by cash was "morally wrong"26, as it facilitated tax avoidance... MasterCard states: "Contrary to transactions made with a MasterCard product, the anonymity of digital currency transactions enables any party to facilitate the purchase of illegal goods or services; to launder money or finance terrorism; and to pursue other activity that introduces consumer and social harm without detection by regulatory or police authority."27"

The report cited a loss of control by consumers over their personal information. Going forward, the report included general and actor-specific recommendations. General recommendations:

  • "Protecting the human right to privacy should be an essential element of fintech.
  • Current national and international privacy regulations should be applicable to fintech.
  • Customers should be at the centre of fintech, not their product.
  • Fintech is not a single technology or business model. Any attempt to implement or regulate fintech should take these differences into account, and be based on the type activities they perform, rather than the type of institutions involved."

Want to learn more? Follow Privacy International on Facebook, on Twitter, or read about 10 ways of "Invisible Manipulation" of consumers.


Considerations For Consumers Affected By The Equifax Breach

Earlier this month, Discover sent me a replacement credit card. The letter with the replacement card stated:

"Notice of Data Breach
What happened: we recently learned your Discover card account might have been part of a data breach. Please know, this breach did not involve Discover card systems.
What we are doing to resolve: we are issuing you a new card with a new account number, security code, and expiration date to reduce the possibility of fraud on your account... So as a safety precaution, we are issuing you a new card to protect your Discover card account information from being misused"

Good. I like the proactive protection, and hope that the retailer absorbed the costs of replacement cards for all affected consumers like me. However, the letter from Discover didn't identify the retailer. I called Discover's customer service hotline. The phone representative wouldn't identify the retailer, either. I'd shopped at four retail stores during the past month, and assumed it was one of them. It wasn't.

Equifax logo On Saturday, I received via postal mail a breach notification letter from Equifax dated October 23, 2017:

"We are writing with regard to the cybersecurity incident Equifax announced on September 7, 2017. At Equifax, our priorities with regard to this incident are transparency and continuing to provide timely, reassuring support to every consumer. You are receiving this letter because the credit or debit card number used to pay for a freeze service, credit score, or disclosure of your Equifax credit file was accessed. We have no evidence that your credit file itself was accessed."

So, confirmation that it was Equifax's fault. What to make of this? Keep reading.

First, thanks Equifax for the postal mail notice. However, this isn't timely communication. Why? Equifax considers it's September 7th press release timely communication. How many consumers read Equifax press releases? Did you? My guess, most don't.

Thankfully, I read online newspapers and was aware of the breach soon after Equifax's September 7th announcement. Yet, my postal letter from Equifax arrived seven weeks after its September 7th press release (and almost three months after it first discovered the breach on July 29).  This incident is a reminder for consumers not to rely upon postal mail for breach notices. Many states' breach notice laws allow for companies to post public notices online in websites and/or in newspaper advertisements. This allows companies to skip (the expense of) mailing individual breach notices via postal mail.

The October 23rd Equifax breach letter also stated:

"On September 7, 2017, Equifax notified U.S. customers of the data security incident, including that 143 million U.S. consumers were impacted. On October 2, 2017, following the completion of the forensic portion of the investigation of the incident, Equifax announced that the review determined that approximately 2.5 million additional U.S. consumers were potentially impacted. Equifax also announced that credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182, 000 consumers were accessed."

So, I am one of the "lucky" 209,000 consumers in the United States whose payment information was exposed stolen in addition to other sensitive personal information. Thanks Equifax for failing to protect my sensitive personal -- and payment -- information you are entrusted to protect.

Second, to upgrade earlier this year from slow, antiquated DSL to fiber broadband from Verizon, I used my credit card to pay for a temporary lift of the security freeze on my Equifax credit report. Why did Equifax retain my payment information for this transaction? Why did it retain that payment information in a complete and UN-encrypted format?

Discover's Frequently Asked Questions page for merchants advises merchants to do the following to protect consumers' highly sensitive payment card information:

"Tips for protecting customer information: a) Truncate all credit card information; b) Avoid storing CID data in your records or within sales data; c) Secure your site; d) Store data securely; e) Protect your data with firewalls; f) Limit authorized use and require passwords; g) Avoid storing customer or credit card information on your web server
Refer to your Merchant Operating Regulations for further card-not-present (CNP) requirements for the submission of sales."

So, it seems that Equifax failed to follow Discover's data security guidelines for merchants. (Browse privacy guidelines for merchants by other card issuers.) I do not have any ongoing services or subscriptions with Equifax, so there seems to be no need for it to retain my full credit card payment information. Not good. I called the Equifax customer service hotline. The phone representative could not explain why Equifax retained my payment information. Not good.

Third, Equifax failed to customize the letter for my situation. In 2008, I placed security freezes on my credit reports at Equifax, Experian, and TransUnion. So, Equifax already knows I have a security freeze in place, and failed to customize the letter accordingly. Rather than explain what applies to customers in my situation, instead the letter repeated the same general fraud-prevention advice for all consumers: how to contact the FTC, visit annualcreditreport.com for free copies of credit reports, file a police report if a victim of identity theft, place a fraud alert or security freeze on my credit reports for protections, and how to lift/remove an existing security freeze. Not good.

This was fast becoming a crappy customer experience.

Fourth, while on the phone with Equifax's customer service I asked if the TrustedID Premier credit monitoring service it ofered would work with the security freezes in place at all three credit reporting agencies. The phone representative said yes, but that the "credit file lock feature" would not work. What's that? According to the Equifax FAQ page:

"What is the difference between a credit file lock and a security freeze?
At their most basic level, both prevent new creditors from accessing your Equifax credit report, unless you give permission or take an action such as removing, unlocking or lifting the freeze or lock. Both a security freeze and a credit file lock help prevent a lender or other creditor from accessing a consumer’s credit report to open unauthorized new accounts.

  • Security freezes were created in the early 2000’s, are subject to regulation by each state and use a PIN based system for authentication.
  • Credit file locks were created more recently, are mobile-enabled and use modern authentication techniques, such as username and passwords and one-time passcodes for better user experience."

So, the "credit file lock" feature is new and different from a security freeze. The new feature allows mobile users to easily and quickly unlock/lock your Equifax credit reports. That seems beneficial for consumers needing frequent and quick access to credit. According to the FAQ page, the new feature will be "free, for life." The above description gives the impression that security freezes are antiquated.

To further understand this new feature, I visited the TrustedID Premier Privacy Policy page, which stated:

"The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and credit card information; Payment history and transaction history; Credit scores and credit history"

The "depend on the product or service you have" seems vague and broad. Just tell me! Plus, "transaction history" could include geo-location: where you bought something since some purchases are made at brick-and-mortar retail stores. It could also include when and where you use the "credit file lock" feature. So, even though the policy doesn't explicitly mention geo-location data collection, it seems wise to assume that it does. For the new "credit file lock" feature to work on your phone, it probably needs to know your location -- where you and your phone are.

So, this new feature seems to be a slick way for Equifax to collect (and archive) location data about when, where, the duration, and frequency of consumers' travels in the physical world -- something it couldn't get previously through the traditional security freeze process. Remember, any app on your smartphone can collect location data.

Plus, the "credit file lock" feature won't work with a security freeze in place. According to the customer service representative, consumers need to remove a security freeze for the credit file lock feature to work. This is a new, important wrinkle which consumers must understand in order to make informed decisions.

The representative said it would be free to remove the security freeze on my Equifax credit report in order to use the new feature. I asked if the TrustedID Premier service Equifax offers would work with credit reports from Innovis. The rep said no. The duration of my phone call was long since the representative needed to place me on hold and check with others in order to answer my questions. This did not instill confidence.

Plus, this lengthy question-and-answer page about Equifax's services indicates that many consumers (and perhaps some Equifax customer service representatives) don't fully understand the differences between security freezes, credit file locks, and other service features.

Fifth, the letter from Equifax did not mention any of the new threats nor the additional protection steps consumers must take, both of which you can read about in this October 10th blog post. Even though I've written about privacy, data breaches and credit monitor for the past 10+ years, like you there are new things to learn. It seems that Equifax is hoping that breach victims will take the easy route: enroll in TrustedID Premier -- which is free for now, but will likely cost you later.

Overall, for me it was a crappy post-breach customer experience with Equifax. I expected better -- better data security and a better post-breach support. Plenty of news articles have documented the security problems, failures, and post-breach problems with Equifax's breach site.

What are your opinions? What do you think of the new credit file lock feature? If you've used it, share your experience in the comments section below the image.

Overview of features. TrustedID Premier service. Click to view larger version


Attorneys General In Several States Announce Settlement Agreements With Target

Target Bullseye logo The Office of the Attorney General (AG) for the Commonwealth of Massachusetts announced on Wednesday that the state will receive $625,000 as part of the settlement agreement with Target Corporation. The settlement agreement, which includes 47 states plus the District of Colombia, resolves claims by states about the retailer's massive data breach in 2013.

Card issuers had also sued the retailer. Target settled with Visa in August, 2015 to resolve claims in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. Also, debit card PIN numbers were stolen.

The announcement by Massachusetts AG Maura Healey explained:

"The investigation found that the stolen credentials were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system and then capture data from credit or debit card transactions at Target stores (including stores in Massachusetts) from Nov. 27, 2013 to Dec. 15, 2013. The stolen data included consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, security codes, and encrypted debit PINs... The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers nationwide. In Massachusetts, the breach compromised information from approximately 947,000 customer payment card accounts and other personally-identifying information of about 1.5 million Massachusetts residents."

Terms of the settlement require Target:

"... to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment... to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts."

California will receive $1.4 million from the settlement. New York AG Eric T. Schneiderman said about the settlement agreement:

"New Yorkers need to know that when they shop, their data will be protected... This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward."

Yes, indeed. Shoppers everywhere need to know their data will be protected.

Besides Massachusetts, New York and California, the other states participating in this settlement include Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.

AL.com reported:

"Alabama won't be cashing in on the largest multi-state data breach settlement in history, however. The reason, according to the Alabama Attorney General's Office, is the absence of a state law that requires entities to notify customers whose information could have been exposed in a breach and then take steps to remediate any injuries.

"Alabama is one of the few states in the nation that is not a party to the recent Target settlement because our state does not have data breach notification law," said Mike Lewis, Communications Director for the Office of the Alabama Attorney General."

Connecticut and Illinois led the states' investigation. The participating states have not yet announced how the settlement money will be distributed.

[Editor's Note: a prior version of this blog post did not include the report by AL.com.]


The Top Complaints About Financial Services. One Complaint Type Grew 325 Percent

Logo for Consumer Financial Protection Bureau After encountering unresolved issues with financial services, many consumers file complaints with the Consumer Financial Protection Bureau (CFPB). After each complain, the CFP works hard to get each consumer a reply within 15 days. This process allows the CFPB to track which issues affect most consumers, and to identify emerging problems.

According to its April Monthly Complaint Report, debt collection issues generated the most complaints on average, and complaints about student loans grew the fastest:

"As of April 1, 2017, the CFPB has handled approximately 1,163,200 complaints, including approximately 28,000 complaints in March 2017... Student loan complaints showed the greatest percentage increase from January - March 2016 (773 complaints) to January - March 2017 (3,284 complaints), representing about a 325 percent increase. Part of this year-to-year increase can be attributed to the CFPB updating its student loan complaint form to accept complaints about Federal student loan servicing in late February 2016. The CFPB also initiated an enforcement action against a student loan servicer during this time period."

CFPB Monthly Compalint Report. April, 2017. Table 1. Click to view larger version

The top five categories of complaints about during March, 2017:

  1. Debt collection: 8,711
  2. Credit reporting: 5,498
  3. Mortgages: 3,965
  4. Credit cards: 2,522
  5. Bank account or service: 2,476

Also during March: debt collection complaints represented about 31 percent of complaints; debt collection, credit reporting and mortgage were the top three most-complained-about consumer financial products and services. Together, these three categories represented 65 percent of complaints during March.

The top five categories of complaints since the CFPB began:

  1. Debt collection: 316,810
  2. Mortgages: 272,153
  3. Credit reporting: 195,826
  4. Credit cards: 118,732
  5. Bank account or service: 115,055

The CFPB began accepting complaints for different products and services at different times:

There were regional differences in complaint volume:

"Montana (54 percent), Georgia (46 percent), and Wyoming (45 percent) experienced the greatest complaint volume percentage increase from January - March 2016 to January - March 2017. New Mexico (-20 percent), Iowa (-5 percent), and Kansas (-0.7 percent) experienced the greatest complaint volume percentage decrease... Of the five most populated states, Texas (35 percent) experienced the greatest complaint volume percentage increase and Florida (8 percent) experienced the least complaint volume percentage increase from January - March 2016 to January - March 2017."

The report also tracks complaints by company:

CFPB Monthly Complaint Report. April, 2017. Figure 1. Click to view larger version

The CFPB reported additional details about student loan complaints:

"Approximately 32,700 (or 74 percent) of all student loan complaints handled by the CFPB from July 21, 2011 through March 31, 2017 were sent by the CFPB to companies for review and response. The remaining complaints have been found to be incomplete (7 percent), referred to other regulatory agencies (19 percent), or are pending with the CFPB or the consumer (0.5 percent and 0.4 percent, respectively)... The most common issues identified by consumers are problems dealing with their lenders or servicers (64 percent) and being unable to repay their loans (33 percent)."

"Federal student loan borrowers reported that when contacting their loan servicers regarding financial distress, servicers provided them with information on hardship forbearance or deferment, instead of potentially more beneficial repayment options like income-driven repayment plans... loan borrowers complained of difficulty enrolling in income-driven repayment plans. Borrowers reported lost documentation, extended application processing times, and unclear guidance when seeking to switch from one income-driven repayment plan to another."

Federal student loan borrowers described their experiences when trying to obtain guidance in completing annual income recertification for their income-driven repayment plan. Borrowers reported receiving insufficient information from their servicers to meet recertification deadlines and lengthy processing times. Some federal student loan borrowers stated their payments were misapplied. Borrowers reported overpayments were not applied to specified accounts but rather applied to all accounts managed by the servicer. Additionally, some borrowers’ overpayments—intended to reduce principal balance—were credited to the account as an early payment, resulting in their ac count reflecting a paid ahead status..."

To read more, download the full "April 2017: CFPB Monthly Complaint Report: Vol. 22" (Adobe PDF).


Federal Reserve Study: Noncash Payments In The United States

Americans still love to use the plastic in their wallets and purses. Just before the holidays, the Federal Reserve Board (FRB) released the results of its study about how Americans use non-cash payment methods: debit cards, credit cards, prepaid cards, ACH payments, and checks. The study included the total number and value of non-cash payments by consumers and businesses through 2015.

The total number of U.S. non-cash payments was more than 144 billion payments with a value of almost $178 trillion in 2015. That represented an increase of almost 21 billion payments or about $17 trillion since 2012. Other key findings from the study:

"The number of debit card payments (including payments with prepaid and non-prepaid cards) grew to 69.5 billion in 2015 with a value of $2.56 trillion, up 13.0 billion or $0.46 trillion since 2012. This was the largest increase in number of payments among the payment types considered. Debit card payments grew at an annual rate of 7.1 percent by number or 6.8 percent by value from 2012 to 2015 with most of the growth occurring in non-prepaid debit card payments. The number of credit card payments reached 33.8 billion in 2015 with a value of $3.16 trillion, up 6.9 billion or $0.61 trillion since 2012. Credit card payments grew at an annual rate of 8.0 percent by number or 7.4 percent by value from 2012 to 2015, the largest growth rates among the payment types considered... The number of check payments fell to 17.3 billion with a value of $26.83 trillion, down 2.5 billion or $0.38 trillion since 2012. Check payments fell at an annual rate of 4.4 percent by number or 0.5 percent by value from 2012 to 2015. The decline of checks over the period was slower than previous studies had shown for prior periods since 2003."

Prepaid cards typically include gift cards and payroll cards which consumers load money onto and which aren't linked to bank accounts (e.g., checking, savings). Past studies have documented numerous fees with prepaid cards while some consumers use prepaid cards instead of traditional bank accounts. "Non-prepaid debit cards" refer to debit cards linked to traditional bank accounts.

There are significant differences between the volume and value for each non-cash payment type. For example, debit cards generated the largest share of payment volume and the smallest share by value:

Figure 1: Distribution of noncash payments by type, volume and value in 2015. FRB Study 2016. Click to view larger version

Another way of looking at the variety of non-cash payment types is the volume of payments over time:

Figure 2: Volume of noncash payments from 2000 to 2015. FRB Study 2016. Click to view larger version

Additional findings about prepaid cards:

"The number of prepaid debit card payments reached 9.9 billion with a value of $0.27 trillion in 2015, up 0.6 billion or $0.04 trillion since 2012. Almost all of the growth in prepaid debit card payments by number and value came from general-purpose prepaid cards, which can be used over the same general-purpose networks as non-prepaid debit cards. General-purpose prepaid card payments increased to 3.7 billion in 2015 by number, up 0.6 billion from 2012 to 2015, which was much less than the growth of 1.8 billion from 2009 to 2012... The average value of payments using these types of cards dropped slightly from $35 in 2012 to $34 in 2015.

Private-label prepaid card payments declined slightly by number, but rose somewhat by value from 2012 to 2015. In 2012, such payments totaled 3.7 billion by number or $0.05 trillion by value, while, in 2015, they totaled 3.6 billion by number or $0.07 trillion by value. Private-label prepaid card payments dropped at an annual rate of 0.3 percent by number but rose 15.0 percent by value. Hence, the average value of these payments rose from $13 to $20.

Payments made by prepaid EBT cards increased slightly from 2.5 billion in 2012 to 2.6 billion in 2015, or 1.7 percent per year, while the value of these payments also increased slightly from $0.07 trillion to $0.08 trillion, or 0.20 percent per year. The average value of prepaid EBT card payments declined slightly, from $30 to $29.

In 2015, non-prepaid debit and general-purpose prepaid cards were used in 5.8 billion cash withdrawals at ATMs, virtually the same level as in 2012, after dropping from 6.0 billion ATM cash withdrawals in 2009. The average value of ATM cash withdrawals rose from $118 to $122 between 2012 and 2015, continuing an upward trend in average value since 2003."

To minimize fraud and waste, banks and retailers began the migration to chip cards in the United States in 2015. The FRB study included findings about fraud:

"Payments with general-purpose cards using embedded microchips, which improve the security of in-person payments to help prevent fraud, have grown by 230 percent per year since 2012. But payments with the chip-based cards amounted to only about 2 percent share of total in-person general-purpose card payments in 2015, reflecting the early stages of a broad industry effort to roll out chip card technology. In 2015, the proportion of total general-purpose card fraud by value attributed to counterfeiting, the most prevalent type of in-person card fraud in the United States, was substantially greater than in countries where chip technology has been more widely adopted."

The United States was one of the last developed countries to switch to chip cards. So, chip card usage in the United States still has a long way to go. The types of fraud with debit/credit/prepaid cards:

  • Counterfeit card: Fraud is perpetrated using an altered or cloned card.
  • Lost or stolen card: Fraud is undertaken using a lost or stolen card.
  • Card issued but not received: A newly issued card sent via postal mail to a cardholder is intercepted and used to commit fraud.
  • Fraudulent application: A new card is issued based on a fake identity or on someone else’s identity.
  • Other: “Other” fraud includes account takeover and other types of fraud not covered above.
  • Fraudulent use of account number: Fraud is perpetrated without using a physical card.

Fraud is perpetrated via two channels: 1) in-person when the cardholder has their card, and 2) remote when the cardholder is not present (e.g., postal mail, online, telephone). To learn more, download the "2016 Federal Reserve Payments Study" (Adobe PDF) and/or read the FRB announcement.


Federal Reserve: Monitor Your Bank Accounts For Fraud And Know Where To Get Help

On Thursday, the Federal Reserve Board (FRB) issued a warning for consumers to do two things to protect themselves and their finances:

  1. Monitor online accounts for unauthorized transactions, and
  2. Learn where to find help should you find unauthorized transactions in your financial accounts

The FRB's warning also stated:

"Signs of potential problems may include a notice, bill, or debit card for an account that was not activated or authorized, as well as a notice of fees for unsolicited products or services tied to an existing account. Consumers who see questionable activity should contact their financial institution immediately. Consumers who continue to experience issues may also submit a complaint to the Federal Reserve. The Federal Reserve maintains the Federal Reserve Consumer Help (FRCH) website, which offers an online complaint form and information on filing complaints by fax and phone for consumers. The FRCH website also provides consumer alerts, frequently asked questions, and information about other government agencies. While the Federal Reserve does not have the authority to resolve every problem, it will refer complaints to the relevant federal or state agency. Consumers can contact FRCH at 1-888-851-1920, or at www.federalreserveconsumerhelp.gov."

Other relevant federal agencies may include the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities & Exchange Commission (SEC).


Data Breaches At HEI Hotels & Resorts Affects 20 Properties In At Least 10 States

HEI Hotels and Resorts logo On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.

The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:

State City & Property
California La Jolla: San Diego Marriott La Jolla
Pasadena: The Westin Pasadena
San Diego: Renaissance San Diego Downtown Hotel
San Francisco: Le Meridien San Francisco
Santa Barbara: Hyatt Centri Santa Barbara
Colorado Snowmass Village: The Westin Snowmass Resort
District of Columbia Washington: The Westin Washington DC City Center
Florida Boca Raton: Boca Raton Marriott at Boca Center
Fort Lauderdale: The Westin Fort Lauderdale
Miami: Royal Palm South Beach Miami
Tampa: InterContinental Tampa Bay
Illinois Chicago: Hotel Chicago Downtown
Minnesota Minneapolis: The Hotel Minneapolis Autograph Collection
Minneapolis: The Westin Minneapolis
Pennsylvania Philadelphia: The Westin Philadelphia
Tennessee Nashville: Sheraton Music City Hotel
Texas Fort Worth: Dallas Fort Worth Marriott Hotel & Golf Club
Vermont Manchester Village; Equinox Resort Golf Resort & Spa
Virginia Arlington: Le Meridien Arlington
Arlington: Sheraton Pentagon City

The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."

HEI is notifying affected customers and consumers that may have been affected:

"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."

The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.

HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.

If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?


Facts About Debt Collection Scams And Other Consumer Complaints

Logo for Consumer Financial Protection Bureau The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,00 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection scams accounted for 26 percent of all complaints.

The most frequent scam are attempts to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection-scam complaints submitted. This included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect. "

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists 20 companies with the most debt-collection complaints during October through December 2015. The top five companies with with average monthly complaints about debt collection are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

Companies with the most complaints. CFPB March 2016 Monthly Complaints Report. Click to view larger image

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, prepaid cards, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.


The CFPB Helps Consumers

The Consumer Financial Protection Bureau (CFPB) helps consumers in many ways. To learn more, read:


Update: Target Breach Settlements And Pending Court Action

Target Bullseye logo Tying some loose ends: Target settled with Visa in August to resolve claims from the retailer's massive 2013 data breach in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. The value of that settlement was up to $67 million, depending upon how many card issuers worldwide accept that deal. A $19 million settlement with MasterCard fell through.

In March, the retailer agreed to pay $10 million to settle lawsuits by consumers. While the July 31, 2015 deadline has passed for affected shoppers to submit claims, the Target Settlement website listed the next important date is a November 10, 2015 hearing for the Court to approve the settlement. Payments to consumers will happen after the Court approves the settlement.


Today is The Date Banks Set To Transition To New Chip Cards. Are We There Yet?

Today, October 1, 2015 is the date banks and card issuers set to transition to the new EMV chip cards. The transition was to reduce card fraud. EMV is the name of the technology jointly developed by Europay, MasterCard, and Visa. Was the transition completed? The American Banker reported:

"Most credit cards (about 70%) will have chips on them. But most of these cards will be chip-and-signature cards, not chip-and-PIN... Many small merchants won't be ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards. Big-box stores like Target that have suffered data breaches have done this work. But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting."

So, the transition is incomplete. In Europe, the United Kingdom transitioned to chip-and-PIN in 2006, and saw store-related card fraud drop 70 percent. The PIN is a short number the cardholder enters at the terminal to authorize their purchase. Chip-and-signature refers to new chip cards when the cardholder signs at the terminal to authorize their purchase.

It' is troubling that many retailers in the USA haven't upgraded to the new terminals. The result: consumers will encounter a frustrating mix of stores with and without the new chip card terminals. Cardholders will have to insert their chip cards at stores with the new terminals, and swipe the swipe the magnetic stripe on the back of their chip cards at stores without the new terminals.

The new chip cards contain both a chip that encrypts and stores your sensitive payment information, plus the obsolete magnetic stripe on the back of the card, which fraudsters have used to clone cards. Some experts have criticized this approach, arguing that the less-secure magnetic stripes should have been eliminated. The counter argument:

"Duplicating the chip on a chip card is difficult if not impossible [for ciminals]. Most new cards are being issued with both a magnetic stripe and a chip and the new EMV terminals accept both the chip and the stripe. So theoretically [criminals] could duplicate just the magnetic stripe on the chip card, create a new magnetic stripe card and try to use that. However, if an EMV card is swiped on an EMV-compliant merchant terminal, the system will reject the transaction and force the consumer to insert the chip."

Time will tell which experts are correct. Some cite two statistics. First, 37 percent of total card fraud is from criminals using cloned cards in stores. Second, the bulk of card fraud is online:

"Online card fraud is expected to rise. So-called "card not present" fraud — where someone uses a card but does not physically present the card (this could be over the phone, over a fax machine, on a mobile device or a computer, but most people equate "card not present" with using a card on a website) — represents the bulk of card fraud in the U.S.: 45%, according to Aite Group. The analyst group expects online card fraud to more than double from $3.1 billion in 2015 to $6.4 billion in 2018."

To help consumers, the Consumer Financial Protection Bureau (CFPB) provides easy answers about the new chip cards. The CFPB is a great resource for consumers to learn about their rights and to get help. The CFPB enforces rules that financial institutions must follow when marketing financial products to consumers. For unresolved problems with credit/debit/prepaid cards, student loans, debt collection agencies, or other financial products, you can submit online a complaint to the CFPB for assistance.

Discover notified its credit card customers in July about the transition. Its notice provided helpful images of the new terminals, the new chip card, and how cardholders insert chip cards into the new terminals. As I wrote then, before traveling in Europe, Discover cardholders should set up a PIN number, since Europe requires chip-and-pin authorizations.

What are your opinions of the new chip cards? Of the partial transition? If you have experienced problems with a new chip card, please share below.


Survey: 6 Reasons Why Consumers Switch Banks. What You Need To Know When Switching

A reader shared the link to a good article at Kiplinger about switching banks. The article lists six reasons why consumers switch banks, based upon a survey by Harris Polls for Kasasa, a service that offers free checking accounts.

As you probably guessed, the number one reason why consumers switch banks is the monthly service fee. And, the cost of banks seems to be going up. Recently, Bank of America announced a new $25 monthly service for its checking accounts. The new fee was announced in New England with plans to go nationwide later this year.

The fifth reason why consumers switch banks are low rates in interest bearing accounts. I thought that this would have rated higher on the list. Read the Kiplinger article to browse the full list of ranked six reasons why consumers switch banks.

If you are thinking about switching banks, Kiplinger offered this advice:

"If you don't like the service you're getting [at your current bank], vote with your feet and take your business elsewhere... It's not as hard as you might think. Of those polled on behalf of Kasasa who switched financial institutions, 81 percent said it wasn't difficult..."

You can move your money from a big bank to a smaller, regional bank or to a credit union. If you are thinking about switching to a credit union:

"... you're twice as likely to find free checking at a credit union than at a commercial bank, according to a study by Bankrate... 72 percent of credit union checking accounts don't have balance requirements. Unlike commercial banks, which are usually for-profit institutions, credit unions are membership-based nonprofit organizations. Member are eligible to join because of a common bond, such as a place of employment, place of worship, school, geographic location... You can find and research credit unions at CUlookup.com and ASmarterChoice.org."

There are more resources. You might try Find A Better Bank (FBB), MyCreditUnion.gov, the Credit Union Locator tool at the National Credit Union Administration (NCUA) site, and the Move Your Money Project website. I switched banks recently. if you switched banks or plan to, share below your reasons for switching. Did you find the switching process easy? I did.


What You Need To Know To Pay With Your Phone And Ditch The Plastic In Your Wallet

FDIC logo Smart phone are popular and versatile devices. About 60 percent of adults in the USA have smart phones. Many consumers want to ditch the plastic in their wallets and pay with their smart phones instead. To do this, the Federal Deposit Insurance Corporations (FDIC) issued several warnings for consumers in the Winter 2015 issue of its quarterly newsletter.

The FDIC is an independent agency created by the U.S. Congress to maintain stability and public confidence in the nation's financial system. The FDIC does this by insuring deposits in banks, and examining and supervising banks for soundness. The FDIC's quarterly newsletter contains valuable tips for consumers. The winter issue of its newsletter contains advice about telephone scams, tips when buying or refinancing a home, how to submit a complaint about a bank, tips to save more of your money, and more.

Here's what you need to know to pay with your phone:

1. Contact-less or NFC-capable phone. The computer chip in your smart phone must support Near Field Communications (NFC). This allows you to swipe your phone near the payment terminal in the retailer's store to make purchases. If you are buying a new phone, ask the sales person if the phone has an NFC chip. If you want to use your current phone, check the Settings menus to see if it has an option to enable NFC.

2. Where you shop matters. The large, national retail chains support contact-less payments with your phone, but many smaller, independent retailers don't -- yet.

3. Digital wallet. You need a digital wallet, the app or software to store payment information on your smart phone. Newer phones may already have this feature. If so, then you can load the payment information onto your phone for your debit- and credit cards.

4. Security matters. You need to protect your phone, both with anti-virus software, and lock your phone with a password. Make sure that your phone re-locks itself when not in use. Back up the list of contacts in your phone. According to the FDIC:

"Many security experts believe that mobile payments are more secure than swiping your magnetic stripe credit card because the mobile service keeps your credit number in encrypted form and does not transmit it to the merchant. But you still should make sure your phone is protected, such as with a password, so it cannot be accessed by a thief. Some of the newest smartphones use fingerprint readers to control access, which can be secure and convenient."

5. Lost or stolen phones. When your phone is lost or stolen, you still need to report your payment information as stolen to your bank or the issuer of your credit card(s). A stolen phone with debit card payment information enabled would give thieves direct access to your checking account. Experts say that consumers get the same protections from the underlying payment type (e.g., debit-, credit) wehn paying with their smart phone.


Bank of America Raises Prices For Its Checking Customers. What You Need To Know And How To Avoid The New Fees

Bank of America (BofA) has decided to move forward with charging large monthly maintenance fees to its checking account customers. Yesterday, I received a notice via postal mail from BofA dated March 6, 2015:

Bank of America logo "We're updating our checking products and, as a result, the existing checking account listed above will become an Advantage Regular Checking account...

What's not changing
Your account information, including your account number, checks, and debit card all remain the same. Your account features, such as direct deposit, Online and Mobile banking. Bill Pay, as well as accounts linked for overdraft protection, will also remain the same.

What's Changing
Monthly maintenance fee: You can avoid the monthly fee on this account when you meet any ONE of the requirements shown below during each monthly statement cycle. Otherwise, the $25 monthly fee will be deducted from your account. This change takes effect on your first statement cycle that starts on May 15."

I checked the BofA website for any press releases about its price increase. I saw nothing. Not good.

A $25 monthly maintenance fee equals $300 yearly. That's a big price increase. You may remember Bank Transfer Day in 2012, when many consumers moved their money from the big banks to smaller, regional banks and credit unions. Several banks and BofA had tried to raise prices in 2011 by applying monthly maintenance fees, but then reversed their decisions after considerable push-back by consumers.

Banc of America Merchant Services 2011 profile. Click to view larger image BofA tried to justify its 2011 price increase by saying their transaction costs had gone up and the, "economics of debit cards have changed," After some research in 2011 (see image on right), I found that BofA partnered with another company, First Data, to create a separate company that actually processes the bank's debit-card transactions, and both share in those debit-card transaction revenues.

That partnership continues today. The 2015 Hoovers profile states:

"The next time you swipe your card and it clears, you might thank Banc of America Merchant Services. A 2009 joint venture between Bank of America and First Data, it is one of the largest processors of electronic payments in the US. The firm handles more than 7 billion check and credit, debit, stored value, payroll, and electronic benefits transfer card transactions (worth a total of some $250 billion) annually. Its clients are small businesses and large corporations including retailers, restaurants, hotels, supermarkets, utilities, gas stations, convenience stores, and government entities. First Data owns 51% of Banc of America Merchant Services, while Bank of America owns 49%."

I'll bet you didn't know this. Most people don't. Most of the big banks have similar arrangements with First Data. So, the big banks make money off your money by investing it (what you'd expect), but also by both charging customers monthly maintenance fees and from collecting revenues from their debit-transaction processing partnership (not what you'd expect). Some people might call making money at both ends of the transaction double-dipping. I do. That didn't pass the smell test in 2011, nor today.

Fast-forward four years, and the transaction cost reason has been replaced with the "updated our checking products" excuse. It's still lame. A price increase is a price increase. Plus, the notice I received from BofA failed to mention any cost cutting done before passing along a huge price increase to its checking customers. That's just bad.

Moreover, the bank's latest price increase couldn't be more confusing. The bank's notice explained how checking customers can avoid the large monthly maintenance fees:

"Keep an average daily balance of $5,000 or more in your checking account or linked Regular Savings account, or

Keep an average daily combined balance of $10,000 or more in checking with linked savings, money market savings, CDs or IRAs, or

Keep an outstanding balance of $15,000 or more in an eligible linked installment loan or line of credit, or

Have $15,000 in total combined assets in your eligible Merrill Edge and Merrill Lynch investment accounts that are linked to your checking account, or

Have a linked Bank of America first mortgage loan that we service."

This reads like legalese written by lawyers. Why not keep it simple and say: keep $5,000 in an account to avoid the monthly maintenance fees. Simplicity matters.

Let's review some more of BofA's history. In August 2014, the bank agreed to a massive settlement with the U.S. Justice Department and several states' attorney generals. The $16.65 billion settlement agreement resolved both federal and state civil investigations into activities by the bank's former and current subsidiaries, including Countrywide Financial Corporation and Merrill Lynch, related to the packaging, marketing, sale, and issuance of residential mortgage-backed securities (RMBS). The bank acquired Merrill Lynch in 2009, and Countrywide in 2008.

To be fair, other big banks have paid massive settlement amounts during the past few years: Bank of America, $61.1 billion; JPMorgan, $31.4 billion; Citigroup, $10 billion; and Wells Fargo, $5.8 billion. A 2012 survey found that junior bank executives view wrongdoing as necessary to advance their careers. Based upon all of this, there clearly seems to be an ethics problem in banking.

I find BofA's reason (e.g., updated their checking products) for its price increase disingenuous. More likely, the price increase was driven profitability concerns given the massive settlement payments. Why not reduce senior executive compensation and bonuses instead (e.g., especially those executives that committed the wrongdoing that led to the massive settlement payments)? Why put the burden on customers?

That BofA decided to place the burden on its customers speaks volumes. Banks can clearly raise prices if they want. They are free to do that. Customers are free to move their money to a bank (or credit union) with lower or no monthly maintenance fees.

I'll make it easy for BofA checking customers to avoid the price increase: move your money to a small, regional bank or credit union. It's easier than you think, and there are a lot of benefits. Last month, Bankrate compared checking account fees between banks and credit unions:

"You're twice as likely to find free checking at a credit union than a bank, according to a new study by Bankrate.com. Nearly three quarters of credit union checking accounts -- 72 percent -- come with no balance requirements or monthly maintenance fees. That's in sharp contrast to banks, where only 38 percent of checking accounts are free... Most of the time, when you encounter dramatically lower prices for the same product, you assume that the cheaper product is somehow inferior. But that's not the case with credit unions, which typically offer services comparable to similarly sized banks. Instead, it comes down to the way credit unions are organized, says Jon Jeffreys, managing partner at Callahan & Associates, a management consultancy that works with credit unions..."

Thankfully, I had already begun to move my money. BofA's latest price-increase notice just accelerated my schedule. While I have sufficient account balances to avoid BofA's new monthly maintenance fees, I simply dislike the way the bank operates. For me, it goes to values.

If you are looking for a small bank or credit union to move your money to, a good resource is the Move Your Money Project. Some consumers have tried to move their money to prepaid cards instead. I believe that is a poor decision, because there usually are many fees with prepaid cards. Plus, experts have advised consumers to be wary of prepaid card protections.

What are your opinions of Bank of America? Of its latest price increase? Has your bank increased prices?


10 Ways To Avoid Identity Theft During Vacation Travel

As summer approaches, many people travel on vacation. Stolen cash or payment cards (e.g., debit cards, credit cards, bank ATM cards) can wreck a relaxing, carefree vacation. Below are 10 tips  the Better Business Bureau (BBB) provided in 2013 that are effective and worthy of repeating:

"1. Don’t announce your travel plans on social media. This invites identity thieves to target your house while you’re away.

2. Place a hold on your mail. When criminals see an overflowing mailbox, they see an easy way to steal personal information.

3. Carry only necessities in your wallet when traveling. Go through your wallet and leave at home your library card and other cards with your name on them.

4. Set up a travel alert on your credit card accounts, and freeze your credit with the three credit bureaus.

5. Leave your laptop computer at home if you can. If you must travel with a laptop, update your anti-virus and anti-spyware programs. Do not access bank accounts from your laptop while in a hotel room or at a coffee shop or other public location.

6. While staying at a hotel, lock important documents such as your passport in a safe.

7. Use only ATMs located in banks.

8. Protect your smartphone. Create a password for access, and use an application with a GPS locator to find your phone if it is lost or stolen.”

9. Don’t put your full name and address on luggage tags. Include just your last name and phone number.

10. Tear up and discard used boarding passes. Many travelers leave boarding passes behind in airplanes or hotels. They often contain full names and other personal information.

With tip #4, I inform my bank about the dates and countries where my credit-card purchases during vacation will be valid. Some of these tips (e.g., 1, 4, 7) I practice year-round. Some of these tips (e.g., 9, 10) I use for both business and vacation travel. During cruise ship vacations, I lock my wallet, important documents, and my smart phone in the safe in my stateroom.

What do you do to avoid identity theft during vacation travel?


Massachusetts And Several States Attorney Generals Investigate Breach At Experian

I apologize to readers. I am almost caught up with blog posts after the DDoS attack last week against Typepad, the blogging service I use.

Last week, the Office of the Attorney General of Massachusetts announced an investigation, along with several other states' attorney generals, of the Experian credit reporting agency after criminals were able to obtain consumers' sensitive financial data. The statement said:

"On March 3, Hieu Ngo, a Vietnamese national, pleaded guilty to federal charges in New Hampshire federal court involving his operation of a website that offered his clients access to sensitive personal information for more than 200 million U.S. citizens, including social security numbers, which could be used to commit identity theft or financial fraud... Ngo gained access to the personal information when he obtained an account with a U.S. company known as Court Ventures by posing as a private investigator from Singapore. Due to a reciprocal data sharing agreement between Court Ventures and U.S. Info Search, LLC of Columbus, Ohio, Ngo’s account allowed him access to a database that allegedly contained names, addresses, dates of births, and social security numbers of more than 200 million U.S. citizens."

Ngo may have already resold stolen credit reports, since about 1,300 persons accessed his online account:

"For at least an 18-month period, more than 3.1 million queries were made to the database using Ngo’s account. According to Experian, it purchased Court Ventures’ assets in March 2012, and continued to honor Ngo as a customer until December 2012."

Experian and Court Ventures have sued each other about indemnification: who will pay the costs for this breach. Regardless of who pays in the end, it is bad. Very bad. With 200 million consumers affected, the breach will victimize consumers in most, if not all, states. Massachusetts AG Martha Coakley said:

"We are especially concerned about allegations that the companies may have known of this incident for over a year, while not reporting it so consumer could protect themselves. We will actively investigate this matter and in the meantime, we remind consumers to take proactive steps to protect their personal information.”

The Massachusetts Attorney General advised consumers:

  1. Order copies of your credit reports from the three major credit-reporting agencies (e.g., Experian, Equifax, and TransUnion) and review them for fraudulent entries.
  2. If you notice fraudulent entries on your credit reports, place a Fraud Alert on them.
  3. Review your credit card and debit card statements for fraudulent entries.
  4. Contact the fraud departments at your bank or card issuer to report fraudulent charges.
  5. File a police report with local police if you are a victim of fraud.
  6. Consider placing a Security Freeze on your credit reports for stronger protection.

Consumers that don't have a credit monitoring service can visit AnnualCreditReport.com to order their free credit report once each year from the three major credit reporting agencies (e.g., Equifax, Experian, and TransUnion). Consumers that experience fraud can also submit complaints to the Federal Trade Commission, which tracks fraud affecting consumers.

Consumers who experience problems (e.g., poor customer service, failure to fix fraudulent charges you reported, etc.) with a credit reporting agency, can submit complaints to the Consumer Financial Protection Bureau, (CFPB). At the CFPB site, click on "the Submit A Complaint" link. The CFPB began overseeing credit reporting agencies in 2012.

Expect to hear more news about this breach investigation.


Michaels Stores Confirmed 3 Million Debit And Credit Card Customers Affected By Breach

Michaels Stores confirmed on Thursday that 3 million credit card and debit card users were affected by its recent data breach. The retailer's statement read in part:

"After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware... we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers... the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014."

In some Michaels stores, the attack lasted for a short duration. Michaels announced its data breach in January. The attack lasted about the same duration, eight months, at Aaron Brothers stores:

"Regarding Aaron Brothers, the Company has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware. The Company estimates that approximately 400,000 cards were potentially impacted during this period."

The retailer's statement did not explain what security steps were taken so that a breach like this does not happen again. In its statement, Michaels seemed to try to minimize the breach impacts by emphasizing the portion of customers affected:

"Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. he analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period."

If you were one of the affected customers, there is no minimizing the hassles and disruption you experienced to get a replacement card from your card issuer, reset online billing and automatic payments for your new card account, and report fraudulent charges and/or money stolen to your card issuer for reimbursement.

Affected Michaels stores (Adobe PDF) are in 49 states, excluding Hawaii. Affected Aaron Brothers stores (Adobe PDF) are in Arizona, California, Colorado, Nevada, Oregon, Texas, and Washington.