82 posts categorized "Debit Cards"

Neiman Marcus Discloses Some Details About Its Data Breach

The Neiman Marcus Group disclosed some details about its recent data breach. In a letter to its customers, Karen Kay, the President and CEO, stated that malware had been secretly installed in its systems, and stole shoppers' payment information from July 16, 2013 to October 30, 2013. As many as 1.1 million shoppers were affected. The letter also said:

"... Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."

The retailer notified these 2,400 breach victims on January 10. So far, only shoppers' debit/credit card payment information has been stolen: card numbers, expiration dates, and cardholders' names:

"Social security numbers and birth dates were not compromised. Our Neiman Marcus and Bergdorf Goodman cards have not seen any fraudulent activity. Customers that shopped online do not appear to have been impacted. PINs were never at risk because we do not use PIN pads in our stores."

Several state governments require companies to notify them about data breaches affecting their residents. In a breach notification letter (Adobe PDF) to the New Hampshire Department of Justice, the retailer provided more details about the breach:

"As a result of the investigation we initiated, using two of the leading computer forensice investigative firms, we learned for the first time on January 1, 2014 (preliminarily), and then more concretely on January 2 and 3, that sophisticated, self-concealing malware that can "scrape" (copy from temporary memory during execution of payment) payment card information ("the scraping malware") had been clandestinely inserted into our system. We later learned that this malware had been inserted in our system as early as July 2013... it appears that the scraping malware was active between July 16, 2013 and October 30, 2013... it appears that the scraping malware was not operating at all Neiman Marcus Group stores..."

So, the malware affected shoppers in several of the retailer's store chains. The usage of the term "system" seems to suggest that the retailer's network was infected with malware, not just point-of-sale (PoS) computers. It seems that multiple types of malware were involved in the breach:

"Separate, related malware that allows this scraping malware to function appears to have been clandestinely inserted earlier in 2013. Neiman Marcus was not aware of any of this hidden malware until it was discovered this month by our investigative experts..."

The retailer said it has postal (street) address information for only 31% of the 1.1 million shoppers, and it has identified 822 New Hampshire residents (with street addresses) affected by the breach. The Neiman Marcus Web site contains the breach letter and frequently-asked-questions; basic content for shoppers that have never experienced a data breach before.


RSA Announced "ChewBacca" Malware Attacked Retailers In 11 Countries

Global security firm RSA announced the discovery of "ChewBacca" malware attacks which targeted point-of-sale (PoS) systems in retail stores. The malware attacked and stole shoppers' credit card payment information in 11 countries, including the United States, Australia, Canada, and Russia:

"While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems."

Tracks 1 and 2 of the magnetic stripe on your credit cards, developed by the banking industry, typically include the following payment information:

  • Cardholder's full name
  • Credit card number
  • Credit card expiration date
  • Country code

Track 3 of the magnetic stripe is used to store PIN, currency, authorized amounts, and other payment data for debit card transactions. It appears that a different malware version targeted both credit and debit cards via infected PoS terminals during the Target data breach. Neiman Marcus has disclosed a few details about its data breach, while Michaels Stores has not -- so far.

The malware copied payment information from the PoS terminal's memory when the shopper's payment data was unencrypted. The malware then sent the stolen payment information to a hidden Internet-connected server.

The Trojan was named "ChewBacca" because the sign-in page for malware users features an image of the popular character from the Star Wars films. To protect shoppers' payment data against malware like ChewBacca, RSA suggested:

"Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."

So, doing nothing is not an option. Business-as-usual is not an option.
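One way a retailer can check the second option RSA describes, that track data is not sitting in plaintext in its own logs, is to scan for it and mask it. The following Python sketch is an added example, not code from RSA or from the original post. It looks for the Track 1 and Track 2 layouts defined in ISO/IEC 7813, confirms each card number with the Luhn checksum, and masks what it finds. The log lines and card numbers are constructed test values, and the function names are hypothetical.

```python
import re

# Card track layouts per ISO/IEC 7813:
#   Track 1:  %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2:  ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of the card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str):
    """Return (sanitized_text, findings) with Luhn-valid track data masked."""
    findings = []

    def replacer(track_no, prefix, sep):
        def inner(m):
            pan = m.group(1)
            if not luhn_ok(pan):
                return m.group(0)  # not a plausible card number: leave as is
            findings.append({"track": track_no, "pan": mask_pan(pan)})
            # Name, expiration date and discretionary data are dropped entirely.
            return f"{prefix}{mask_pan(pan)}{sep}[REDACTED]?"
        return inner

    text = TRACK1.sub(replacer(1, "%B", "^"), text)
    text = TRACK2.sub(replacer(2, ";", "="), text)
    return text, findings


# Constructed sample log; the card numbers are well-known test values.
SAMPLE_LOG = "\n".join([
    "2014-01-20 10:02:11 pos-07 swipe raw=%B4111111111111111^DOE/JANE^25121010000000000?",
    "2014-01-20 10:02:12 pos-07 auth t2=;5555555555554444=25121010000000000? amt=42.10",
    "2014-01-20 10:02:13 pos-07 ref=;4111111111111112=25121010000? (fails Luhn)",
    "2014-01-20 10:02:14 pos-07 heartbeat ok",
])

if __name__ == "__main__":
    clean, found = redact(SAMPLE_LOG)
    print(clean)
    for f in found:
        print("track", f["track"], "data found, PAN", f["pan"])
```

Any finding from a scan like this means card data is reaching a log or file in the clear, which is the condition encryption or tokenization at the point of capture is meant to rule out.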


Target Data Breach: The Math Says That Crime Pays Well

If you haven't read it, there is an excellent article at Finextra Research about the Target breach; specifically the value of stolen shoppers' information. The article explains how your location information makes consumers' stolen payment information more valuable to thieves:

"... Target hackers have undertaken to selling location usage data alongside the card data, and can charge a premium for such data. Value added service to the fraudsters and clearly a strategy that is paying off. Fraudsters are paying anything between $20 and $100+ for a skimmed Target payment card – location data has added a premium to what the fraudsters charge. That’s puts the “value” on the 40million+ payment cards stolen from Target at between $800million and $4billion! If we assume that their ROI is a minimum of 10 times their “investment” then we are looking at a fraud value of between $8bn and $40bn."

Plus, the numbers are much worse. Why? First, Target increased the size of its data breach to 70 million from 40 million. Second, this math is based upon what we know so far. The breach news is far from over. Third, news reports have mentioned three other retailers impacted besides the Target and Neiman Marcus breaches.

This math is important because any risk-analysis systems used by retailers (and banks) use data elements (e.g., location data) that thieves have stolen... and will continue to steal. The thieves are upping their game, and industry needs to respond. It is long past time for the U.S. retail and banking industries to upgrade from obsolete credit/debit card technology to smart payment cards.

The math is important to consumers. Why? You now know how valuable your location information is for thieves. Don't be so quick to give up your location data to social networking websites, banks, and retailers without getting something substantial in return.


Did Target Executives Know Their Systems Were Vulnerable And A Breach Was Likely?

The National Association of Convenience Stores (NACS) reported this week:

"The Star Tribune reports that several years before Target incurred its massive loss of credit card data last month, it was well aware that a theft risk existed and it had unsuccessfully pursued “innovative solutions” to counter such threats... In the early 2000s, Target had installed “smart card” technology at all of its U.S. stores, an effort to thwart the very theft that the retailer suffered. The company said it abandoned the three-year pilot because few other retailers adopted the technology, which put Target at a disadvantage because the emerging technology slowed checkout times..."

The breach has jeopardized Target's REDcard program. The Star Tribune reported:

"In fiscal 2012, REDcard purchases made up 13.6 percent of Target’s sales, compared to 5.9 percent two years before... Target’s REDcard program, which offers 5 percent off each purchase and free Internet shipping, is a crucial component to the retailer’s strategy of getting consumers to frequently shop at Target stores and buy more stuff. It also collects enormous amounts of consumer data..."

So, consumers are to believe that a retailer followed the herd and rejected a newer, safer technology only because it wanted to avoid long checkout lines. Are you willing to trade security for shorter checkout lines? Target shoppers: were you even asked about this?

It seems to me that Target executives failed to recognize security as a benefit for consumers. Consumers already choose between regular and express checkout lanes in supermarkets nationwide. It's not a stretch to offer checkout lanes dedicated to shoppers with smart REDcards; at least market test or survey the concept. My point is: give shoppers the choice. Given the large number of data breaches during the past decade, I'll bet that many shoppers will pick security. Breach victims experiencing the hassles of fraud, changed PINs, changed bank accounts, and related damage would gladly move to a smart REDcard.

Ironically, the data breach has forced Target to now pitch security as a benefit. The retailer's REDcard page:

"It is safe for you to use your REDcard debit and credit card. If you would like additional peace of mind, you can always change your PIN number on your Target Debit Card and set up alerts for your REDcard through Manage My REDcard..."

Europe has already moved to smart credit/debit cards with EMV chips. Why does the United States lag in this area? Why would banks and retailers in the United States continue to use credit/debit cards with antiquated magnetic-stripe technology? Read this blog post to learn a few reasons why.


Target Confirms Debit Card PIN Payment Information Stolen During Breach. Lawsuits Filed

Almost immediately after its data breach, Target said that debit card PIN numbers were not stolen. You may remember this December 20, 2013 statement by Target CEO Gregg Steinhafel:

"There is no indication that PIN numbers have been compromised on affected bank issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash."

In an updated December 27, 2013 breach notice (Adobe PDF), the retailer admitted that debit card PIN numbers had indeed been stolen during the data breach:

"... our ongoing investigation determined that strongly encrypted PIN data was removed from our system during the data breach incident..."

Then, its latest statement attempted to reassure shoppers:

"... These [PIN data] files are protected by triple DES encryption, the most secure standard... We never had access to the encryption key required to open or read the PIN files..."

Shoppers are supposed to be comforted by the disclosure that even though PIN payment data was stolen, the encryption was strong and the encryption keys were stored in a different place than the encrypted debit payment information. This assumes that the hackers didn't also breach the location with the stored encryption keys during the breach or previously. C/Net reported:

"However, one major U.S. bank is worried that the hackers might be able to crack the encryption code, giving [thieves] the ability to withdraw money from bank accounts..."

While writing this blog for the past 6+ years (including posts about the massive TJX Companies/T.J. Maxx data breach), I have learned that hackers are smart, persistent, and study their targets (no pun intended) before an attack. All of that seems to apply to the Target breach. Hackers use computers just like you do. And that includes software to break or decode encrypted data. It may take time, but hackers have time. That's one reason for long-term credit monitoring services for breach victims.

Breach victims are angry, and some are not buying the company's assurances. Some consumers have filed lawsuits against Target. ABC News reported:

"Angry shoppers are lashing out at Target, filing lawsuits in California and Oregon against the retailer, alleging the store "failed to implement and maintain reasonable security procedures" when credit and debit card data for about 40 million customers... On Thursday, Target customer Jennifer Kirk filed a lawsuit in San Francisco in the hopes of being certified as part of a class action..."

These lawsuits are not a surprise given the huge size of the breach, and that the U.S. banking system uses obsolete technology for debit/credit cards. The rest of the planet uses newer technology in their debit and credit cards.

That Target first denied PIN payment data was stolen, and then reversed itself by admitting that PIN data was stolen demonstrates the risk of executives making hasty statements before a forensic breach investigation is completed. A company can't really know until after the investigation is completed:

  1. Exactly what data elements (e.g., name, address, card numbers, PIN numbers, 3-digit security codes, etc.) were accessed and stolen,
  2. The specific computer server(s) and/or networks hacked,
  3. The technology(ies) the thieves used, and
  4. The duration of the attack and breach

While I am not a computer systems security expert, I have seen many data breaches since I started writing this blog over six years ago. History has taught me that a company can't reliably claim what was (or wasn't) stolen and that a breach is fixed until the investigation is completed, the extent of the attack and the damage are known, and then the appropriate technical solutions are implemented on the affected servers and networks -- and ideally, are hardened. Often, that fix also includes training employees to avoid risky behaviors that introduce malware and computer viruses.

At least 2,000 shoppers visiting from Europe were affected by the breach, and the U.S. Secret Service is also investigating the Target breach. The findings from that agency's investigation may also affect the retailer's fixes.

The company's early statements, before all the facts were in, are why I have very little faith in what Target says. Shop at its stores, but use cash or credit cards. Breach victims should change their debit card PIN information and, ideally, replace affected bank accounts with new ones. Like other breach incidents, Target will likely pay for the costs banks incur to switch bank accounts for breach victims.

The whole incident is a reminder for consumers of the risks of shopping with their debit cards. Despite what the banking industry and retailers claim, the U.S. banking system uses obsolete technology for debit/credit cards. Plus, when you shop with your debit card, you are betting that criminals have not hacked:

  • The point-of-sale terminals (e.g., payment terminals) in the stores,
  • The wireless transmissions between the retail stores, and/or
  • The retail company's centralized databases and networks.

Plus, stolen debit card payment information provides thieves direct access to your checking accounts. Stay tuned. We will hear a lot more about the Target data breach during the coming weeks and months.


You Gave JPMorgan Bank A Whale Of A Christmas Gift

JPMorgan Chase bank received a whale of a Christmas present in 2013, after paying a record amount of fines. I think that the bank's executives should thank American taxpayers for this gift. They probably will never thank us, though.

What was the Christmas gift? Christopher Brauchli wrote an excellent summary at CounterPunch. First, some background about the bank (links added for reference):

"Between June 2010 and November 2012 JPMorgan Chase paid more than $3 billion in fines and settlements... overcharging active-duty service members on their mortgages, misleading investors about a collateralized debt obligation it marketed, rigging at least 93 municipal bond transactions in 31 states... In August 2012 alone it paid a fine of $1.2 billion to resolve a lawsuit that alleged it and other institutions conspired to set the price of credit and debit card interchange fees... February 2012 it paid $1.8 billion to settle claims that it and other financial institutions improperly carried out home foreclosures after the housing crisis..."

Remember, all of that was before 2013. Here's the tally for 2013 (links added for reference):

"In July 2013 it paid $410 million for alleged bidding manipulation of California and Midwest electricity markets. In September 2013 it paid $389 million for unfair billing practices, in September it paid $920 million for actions of the “London Whale” disaster, and in October 2013 another $100 million with respect to the same fiasco... November 19, 2013 it was reported that JPMorgan Chase was going to pay $13 billion to settle what in non-legal terms would be described as a whole bunch of claims that had to do with the mortgage crisis... December 13 it was announced that the bank was entering into a $2 billion deferred prosecution agreement with the government because of its role in the Bernie Madoff Ponzi scheme."

That is a record amount of fines, folks. Plus, the 2013 tally didn't include a data breach, and alleged bribing of Chinese officials to win lucrative contracts. What a corporate history.

Mr. Brauchli explained what your whale of a 2013 Christmas gift was to the bank:

"... Marianne Lake, the Chief Financial Officer of the bank explained that taxpayers will help the bank pay the fine. She explained that of the $13 billion, $7 billion is tax deductible..."

Aren't you thrilled?! It's not like the USA has a federal debt problem to worry about. We have this cash just lying around waiting to be used. Not!

Viewed another way: politicians in Congress believe that the USA can afford to give a $7 billion tax break to an already highly profitable bank, but can't afford unemployment checks for the unemployed, and food stamps for the poor? Our current Congress seems to be Robin-Hood-in-reverse: take from the poor and give to the rich.

This wasn't the first gift by taxpayers to JPMorgan. JPMorgan bank received a $25 billion bailout in 2008. You might think that a bank that had been treated so well by taxpayers would not engage in the abuses of taxpayers Mr. Brauchli listed in the CounterPunch article.

Clearly, fines are not enough. Bank executives must be prosecuted. About the effectiveness of fines to prevent banking abuses, former Secretary of Labor Robert Reich said in September 2013 on Twitter.com:

"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."

I'm not holding my breath waiting for a thank-you card from the bank. By its actions, it treats both consumers and taxpayers like chumps. A bit of embarrassment definitely beats jail time.

Season's greetings!


JPMorgan Chase Bank Limits Debit Card Purchases By Its Cardholders Affected By The Target Breach

The Chicago Tribune newspaper reported that JPMorgan Chase bank has placed limits on debit card purchases for its customers that have been affected by the Target data breach. The new, lower limits are $100 per day for cash withdrawals and $300 per day for purchases.

Reportedly, the limits affect about 2 million debit card customers, about 10 percent of Chase's total debit card customers. The limits come at a bad time: holiday shopping before the Christmas holiday.

Also, Chase bank announced several changes due to the Target breach. The changes affect customers with either Chase debit cards or Chase Liquid Cards. Chase credit card customers are not affected. The bank said that it will directly contact debit card customers that have been affected by the breach. The bank also said:

"Customers whose Chase debit cards or Chase Liquid Cards are at risk by the Target breach will experience some temporary limits on cash and purchases until we can replace their cards. If you need cash beyond these limits please visit a branch. With proper identification, you can access your available funds."

Shoppers at Target stores in the USA were affected by the data breach. The company said that shoppers at stores in Canada were not affected. DNB, Norway's largest bank, confirmed that at least 2,000 shoppers visiting from Europe were also affected.

I fully expect more banks to announce similar precautions. The threat is real and ongoing, since the payment information about debit cards stolen during the Target breach is already being resold online.


Data Breach At Target Stores In USA. How Affected Shoppers Can Protect Themselves

Yesterday, Target stores announced a data breach affecting customers who purchased items in stores with their credit card or debit cards from November 27 to December 15, 2013. The specific payment information stolen included customers' names, card numbers, expiration dates, and the three-digit CVV security numbers.

While the Target breach announcement did not disclose the total number of shoppers affected, Mashable and TechCrunch reported that 40 million consumers were affected by the breach. That is a massive breach. Target has 1,797 stores in the USA and 124 in Canada. Shoppers at stores in Canada were not affected. DNB, Norway's largest bank, confirmed that at least 2,000 shoppers visiting from Europe were also affected.

Several media sources have reported that the Target breach is the second biggest in the USA to the TJX/TJ Maxx breach, but it is probably third biggest if you consider the Heartland breach. These size comparisons are useless because many companies don't disclose the number of breach victims affected.

TechCrunch also reported:

"The company moved quite slowly on this breach. On December 12 Brian Krebs reported the first rumors of the attack, suggesting it consisted of a wholesale scraping of “track data,” the data found on each credit card magnetic track. Krebs suggests that the thieves may have broken into the stores’ wireless networks and grabbed the card information as it was transferred from the cash registers."

The New York Times reported:

"By breaching point-of-sale systems, cybercriminals can create counterfeit cards. If they were able to intercept the PIN information, as well, it is also possible that thieves could withdraw money from a customer’s account through an A.T.M. A similar breach affected Barnes & Noble stores last year. In that case, customers at 63 Barnes & Noble stores across the country, including New York City, San Diego, Miami and Chicago, were affected."

The Target breach announcement did not disclose details about how the retailer's systems were hacked. The retailer's announcement included the usual comments: a forensics firm is helping it investigate the breach incident; it is working with local law enforcement; and it has notified banks and financial institutions. The U.S. Secret Service is also investigating the Target breach.

Target listed several questions in its breach announcement. One claimed that the breach has been resolved:

"Has the issue been resolved?
Yes, Target moved swiftly to address this issue so guests can shop with confidence. We have identified and resolved the issue of unauthorized access to payment card data..."

I find this claim about resolution premature and difficult to believe, since the breach investigation is still ongoing. The hackers may have accessed Target's systems through several methods, not just the first method identified and closed.

The Target breach announcement advised affected shoppers to do the following to protect themselves and their payment information:

  • Read the breach notice closely,
  • Monitor your bank accounts and card statements for fraudulent transactions,
  • Watch your credit reports for fraudulent transactions,
  • Visit the official Annual Credit Report website to obtain your free credit reports,
  • Contact the major credit reporting agencies to learn more about credit reports and how to place a fraud alert on your credit files,
  • Contact the U.S. Federal Trade Commission (FTC) to learn more about identity theft and how to protect yourself

The Target breach announcement included additional information for consumers to contact the FTC, plus specific instructions for shoppers who live in Iowa, Maryland, Massachusetts, or North Carolina.

After writing this blog for over six years, I have learned a fair amount about data breaches. Affected shoppers should proactively monitor their financial accounts for the next couple years, because identity thieves usually resell stolen payment information to other thieves. So, the thieves that hacked Target's systems won't necessarily be the ones to attempt fraud with shoppers' stolen payment information. While thieves are in no hurry to use the stolen payment information, payment information stolen from the Target breach is already being sold online.

Usually, companies provide free credit monitoring services to breach victims, but Target has not offered that. After its data breach, IBM provided me and other affected breach victims with one year of free credit monitoring.

Consumers that shopped at Target during the above period with a debit card PIN number should change their PIN number, so thieves cannot drain their bank accounts through ATM withdrawals. Wise shoppers will also change the passwords on their bank accounts. Shoppers that experience actual fraud (e.g., stolen money from their financial accounts, new accounts opened in their names) will probably want to request a fraud alert (or a security freeze for more protection) on their credit reports and have their banks issue replacement accounts (and cards).

Do I use a debit card to pay for purchases in retail stores? No. It is simply too risky. There have been many breaches at retail stores. When you use your debit card to pay for purchases, you are betting that identity thieves have not hacked:

  • The point-of-sale terminals (e.g., payment terminals) in the stores, and/or
  • The wireless transmissions between the retail stores, any centralized databases the store operates, and the banks.

Plus, stolen debit card payment information provides thieves direct access to your checking accounts.

And, it is especially risky at gas station pumps, which are also point-of-sale terminals due to pay-at-the-pump payment options. The problem: the gas pumps are unattended and accessible by the public for long hours when gas stations are closed. That makes it easy for identity thieves to tamper with gas pumps and insert skimming devices. And many have.

I expect much more news during the coming days or weeks as Target and the U.S. Secret Service share the results of their investigations. If the banks issue replacement debit cards and checking accounts to breach victims, then somebody will have to pay for the replacement cards: the banks or Target.

[Update Dec. 21: In a letter to its shoppers published on its website, Target CEO Gregg Steinhafel mentioned that the retailer will offer, in a future correspondence to affected shoppers, free credit monitoring services.]


7 Interesting Statistics About Trust From The Latest AP Survey Of Americans

Recently, the Associated Press (AP) released the results of its latest survey about selected institutions Americans trust, or don't trust. The Associated Press-GfK survey was conducted October 3-7, 2013 by GfK Public Affairs & Corporate Communications, a division of GfK Custom Research North America. The poll included a national, representative sample of 1,227 persons ages 18 or older.

If you use social networking websites (e.g., Facebook, Pinterest, Google+, Twitter, Instagram, Linkedin, SnapChat, etc.), you will want to pay special attention to item #5 below. The survey asked participants to state how much they trust other people in certain situations. That trust level could be "a great deal," "quite a bit," "not too much," and "not at all." Key survey results:

  1. 81 percent of survey respondents trust the government in Washington, DC to do what is right only some of the time. Only 2 percent trust Washington all of the time.
  2. 50 percent of survey respondents trust "a great deal" or "quite a bit" people who handle their medical records at a hospital or doctor's office
  3. 47 percent of survey respondents trust "a great deal" or "quite a bit" people who prepare their food when they eat out in restaurants
  4. 41 percent of survey respondents trust "a great deal" or "quite a bit" people they hired to come into their homes to do work
  5. 38 percent of survey respondents trust "a great deal" or "quite a bit" people who they have shared photos, videos, and other information with at social networking websites
  6. 30 percent of survey respondents trust "a great deal" or "quite a bit" people who swiped their debit/credit cards when making a purchase in retail stores
  7. 21 percent of survey respondents trust "a great deal" or "quite a bit" other automobile drivers when they are driving, walking, or bicycling

Item number five makes one wonder why so many people use social networking websites when so few trust the "friends" they are connected with. Very interesting. Maybe, Americans are just a mistrustful and wary bunch. Or maybe, we've been burned previously by people or companies that abused their trust.

Some descriptive information about the survey participants:

  • 46 percent live in the suburbs, 26 percent in urban areas, and 25 percent in rural areas
  • 83 percent reported that they have health care insurance: private or public. Of those that have health care insurance, 54 percent have it through an employer, 21 percent through Medicare, 7 percent through Medicaid, 6 percent through private insurance they purchased on their own, and 11 percent through "something else"
  • 34 percent reported that somebody in their household owns a gun
  • 49 percent reported that they work as employees, 18 percent are retired, 9 percent are unemployed and looking for work, 7 percent are self-employed, 6 percent are disabled, and 1 percent are temporarily laid off from a job

Trust questions the survey didn't ask which I wish it had asked:

  • How much would you trust other people at banks to protect your financial information and provide unbiased answers to your questions?
  • How much would you trust other people at Internet service providers (ISP's) to protect your personal information?
  • How much would you trust other people at credit monitoring agencies to protect your credit reports and provide accurate information?
  • How much would you trust other people at software companies to provide effective anti-virus solutions that protect your computers and mobile devices?
  • How much would you trust other people at telephone and telecommunications companies to protect your sensitive phone call and geo-location information?
  • How much would you trust other people at companies to provide complete and accurate policy statements (e.g., terms of usage, privacy) about their websites or mobile apps?
  • How much do you trust other people to use wearable computers (e.g., Google Glass) with maturity and respect for your privacy?
  • How much would you trust other people at retail websites to deliver your purchases via drones to your home?

Learn more about AP-GfK surveys, or download the AP-GfK survey results (Adobe PDF).


The Google Wallet Prepaid Card. Is It a Good Deal?

Recently, Google launched the Google Wallet Card, a new, physical prepaid card you can use in addition to using your smart phone to pay for purchases via the Google Wallet service. Readers of this blog know that I've discussed prepaid cards at length in this blog.

So, the appropriate question: is the Google Wallet Card a good deal?

To answer this, first I read the card announcement at the Google Commerce blog. The Google Wallet Card is structured like any other prepaid card. You add money to it, and then use the available balance on your card to make purchases in retail stores and/or to withdraw cash at ATM machines. You must have a Google Wallet account, first. The blog post announcement said that the Google Wallet Card can be used at "millions of MasterCard(R) locations." That seems partly true. Keep reading.

Google Wallet Card users also need the Google Wallet app running on their smart phone. The app provides notifications about purchases with the Card, and allows Card users to check their available card balances, add money to their Wallet/Card, and perform related tasks. Right now, Google Wallet users can order the Google Wallet Card for free.

Then, I visited the Google Wallet Card FAQ page, which is buried within the Google Wallet website. The page clearly stated that the Google Wallet Card can only be used within the United States. So, the announcement in the Google Commerce blog is a little misleading, and not quite accurate.

Also, there are transaction limits with the Google Wallet Card:

  • The maximum you can spend is your Google Wallet balance or $5,000.00 per 24 hours
  • The maximum you can withdraw from an ATM machine is $300.00 per 24 hours

There seem to be fewer fees with the Google Wallet Card. Google does not charge the following fees to Google Wallet Card users:

  • Retail store purchases with the Google Wallet Card
  • An annual or a monthly fee
  • A card activation fee
  • Cash withdrawals at ATM machines
  • Checking balances at ATM machines

There are fees if you add money from a debit/credit card, but no fees if you add money from a checking account. So, how you use the Card matters. I found it extremely helpful to read the page listing fees for both the Google Wallet and the Google Wallet Card. The fee-listing page is a site page Card users will probably want to refer to frequently, since fees can change.

More importantly, this page provides the warnings that the bank or ATM network (e.g., NYCE, Cirrus, Plus, etc.) may charge fees for cash withdrawals and checking balances at ATM machines. The fee-listing page doesn't list the specific fees banks or ATM networks might charge. It just gives the general warning.

I found this general warning a disappointment. It would be more helpful if the fee-listing page included these additional fees, so Google Wallet Card users would know in advance what fees they will likely encounter at ATM machines.

At the Google Wallet Card FAQ page, I looked for links to the fee schedule or Card agreement. I've learned that these documents specify all relevant details. I did not see links prominently in the Google Wallet Card FAQ page. This was a disappointment. Users should not have to hunt for these links, as I did.

The page footer at the Google Wallet site contains a link to the Google Wallet Terms of Service agreement. This agreement contains important information about the Google Wallet Card:

"6.5 Google Wallet Card - (a) Issuance of the Google Wallet Card. GPC may arrange for Bancorp to provide you with access to a MasterCard branded physical debit payment card, the Google Wallet Card. By using the Google Wallet Card, you also agree to the Google Wallet Card Terms of Use, which may be updated from time to time. For avoidance of doubt, the Google Wallet Card Terms of Use are between you and Bancorp, not Google or GPC..."

So, the Terms of Service identifies the bank Google Wallet Card users do business with. And, it confirms that the site does contain an agreement (or contract) specifically for Google Wallet Card users. You just have to hunt a little to find it. That agreement/contract is between the Card user and Bancorp. The Google Wallet Card Terms of Use contains some important terms, including but not limited to:

"If you use your [Google Wallet Card] at an automated fuel dispenser (“pay at the pump”), the merchant may preauthorize the transaction amount up to $100.00 or more. If your Card is declined, even though you have sufficient funds available, pay for your purchase inside with the cashier. If you use your Card at a restaurant, a hotel, for a car rental purchase, or for similar purchases, the merchant may preauthorize the transaction amount for the purchase amount plus up to 20% or more to ensure there are sufficient funds available to cover tips or incidental expenses incurred. Any preauthorization amount will place a “hold” on your available funds until the merchant sends us the final payment amount of your purchase. Once the final payment amount is received, the preauthorization amount on hold will be removed. It may take up to seven (7) days for the hold to be removed. During the hold period, you will not have access to the preauthorized amount."

For security reasons, I almost never use a debit/credit/prepaid card at gas station pumps because it is extremely easy for identity thieves to tamper with gas station pumps. When gas stations are closed, the pumps are usually unattended and left out in the open where anyone can access them.

So, is the Google Wallet Card a good deal? Only you can decide for yourself as you know your financial situation best. The above transaction limits may or may not fit with your lifestyle and financial needs. Your current debit- or prepaid card may offer fewer or no fees for ATM machine usage. Hopefully, I have highlighted the issues and terms to consider to make an informed decision.

The Google Wallet Card is not for me because I avoid using any prepaid cards due to many fees and fewer consumer protections. My current mix of credit cards and a debit card with my bank fulfill my banking needs.

If you already use Google Wallet, then the Google Wallet card may be a useful option at retail stores that don't accept the smart phone payment method. CNN Money said this about why Google introduced a prepaid card:

"[Google Wallet] hasn't really taken off, however -- iPhones haven't adopted the technology necessary to use the in-store payment feature, and many retailers don't have the appropriate point-of-sale equipment to process the transactions."

What's your opinion of the Google Wallet prepaid card?


Coin: A New Service Combines Several Payment Cards On A Single Card. Is It a Good Deal?

Coin, a new credit-card like payment device, has received a fair amount of press coverage recently. If you haven't heard about Coin, which will debut in 2014, it is a new service that allows you to store payment information for up to eight credit-, debit-, and prepaid cards on a single card-like device. You can use the Coin service to lighten your wallet or purse by leaving at home all of your physical plastic cards. And, Coin has some nifty features that work with your smart phone. If you pre-order Coin now, it'll cost you either $50 or $100.

So, the next appropriate question: is Coin a good deal?

Many technophiles I know will pre-order Coin now and start using it when it becomes available next summer. They like to use the next new, shiny, mobile device or service. Nothing wrong with that. I prefer to look a little deeper first.

We've all experienced products, services, and social networking websites that promote convenience while the cost, or price we pay, has usually been our privacy and personal information. So, when a new financial payment device promotes convenience, I'm inclined to investigate first.

To answer this question, I first read the Coin Master Terms of Service (CMTOS) dated October 1, 2013; which you should, too. It helps you understand more about the service, what you get, and what your responsibilities are. After reading this document, I quickly learned that the Coin card includes software embedded on it:

"1. USE OF THE SERVICE. You are solely responsible for the use of the Service. By using the service you acknowledge that your use of the Service is solely at your own risk... Subject to the Terms, Coin grants you a limited, non-exclusive, non-transferable, revocable license to use any software that is provided by Coin that is pre-installed on, embedded in or incorporated into the Coin Card (“Embedded Software”)..."

Okay. That is good to know as a starting point. Section 9 of the CMTOS says that users aren't allowed to:

"... Access or use the Site for any comparative or competitive research purposes;"

Huh? Part of deciding whether or not to use any financial product or service is to research it and compare it against alternatives. This term struck me as most odd and curious. Maybe the lawyers at Coin rule.

With any new service or new product, I want to know exactly what I am getting for my money. That includes what happens when things go wrong. Nothing in life is perfect. Good customer service includes help when things go wrong. Section 4 of the CMTOS:

"... If you have any reason to believe that your account information has been compromised or that your account has been accessed by a third party, you agree to immediately notify Coin by e-mail security@onlycoin.com. You are solely responsible for your own losses or losses incurred by Coin and others due to any unauthorized use of your account."

That seems pretty clear. And if your Coin card is lost or stolen:

"... you should immediately contact the customer service department of your credit card company and/or bank to suspend access to the financial accounts associated with your Coin Card. Additionally, you should use the App to disable your Coin Card until the Coin Card is recovered or replaced. If your Coin Card is lost, damaged or stolen you may purchase a replacement card..."

That seems pretty clear, too. I was hoping that the folks at Coin might help with notifying banks and card issuers of lost/stolen credit/debit/prepaid cards since they would already have all of my information for each debit/credit/prepaid card loaded on my Coin card. I guess not. If your account or Coin card are hacked and your money is stolen, then you are on your own to notify each card issuer, and to absorb any financial losses. Maybe your bank or financial institution will help and reimburse you for any stolen funds... or maybe they won't.

Perhaps most importantly, CNN Money reported that Coin doesn't have the approval of the credit card issuers and networks. That approval seems critical to me before ordering (or pre-ordering) Coin. It seems wise for consumers to check the terms of service or contract for any credit card to make sure a device like Coin isn't prohibited.

Sections 13 and 14 both seem to reinforce the you're-on-your-own theme:

"13. WARRANTY DISCLAIMER. THE SERVICE IS PROVIDED ON AN “AS IS” BASIS, WITHOUT WARRANTY OF ANY KIND."

If the Coin site, mobile app, or Coin card are hacked or contain malware, you still are on your own. In my opinion, any site that compiles financial payment information for users is a high-value target for hackers. Hackers go where the money and salable user information are.

So, not only are you on your own but you give up certain rights. See section 16 of the CMTOS:

"... In the interest of resolving disputes between you and Coin in the most expedient and cost effective manner, you and Coin agree that any and all disputes arising in connection with this Agreement shall be resolved by binding arbitration... Arbitration uses a neutral arbitrator instead of a judge or jury, may allow for more limited discovery than in court, and can be subject to very limited review by courts... You understand and agree that, by entering into these Terms, you and Coin are each waiving the right to a trial by jury or to participate in a class action... No Class Actions. YOU AND COIN AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. Further, unless both you and Coin agree otherwise, the arbitrator may not consolidate more than one person’s claims..."

Maybe these rights (e.g., to sue, to join with other consumers) aren't important to you, or maybe they are important. I mention this so you know what rights you may give up. And, Coin users are liable for certain fees should you pursue arbitration. In my opinion, companies have introduced this into their policies to limit their financial exposure. To me, it is the loss of important rights for consumers. Since technology moves forward far faster than federal, state, and local laws, differences of opinion are likely... and hence, disputes.

Keep reading. There's more.

Next, I read the Coin Privacy Policy (also dated Oct. 1, 2013), because privacy policies often indicate what specific personal information is collected and shared. That sensitive, personal information the policy refers to as "Personally Identifiable Information" (PII). The policy doesn't list all data elements, but provides some examples:

"Examples of personal information include name, email address, mailing address, mobile phone number, and credit card or other billing information. Personal information also includes other information, such as date of birth, geographic area, or preferences, when any such information is linked to information that identifies a specific individual..."

Anytime I see the words "examples" and "such as" in this context, I assume that much more personal information will be collected. The Coin service collects personal information (PII) you directly provide and information you indirectly provide through your usage:

"... we may automatically record certain information from your device by using various types of technology, including “clear gifs” or “web beacons.” This "automatically collected" information may include your IP address or other device address or ID, web browser and/or device type, the web pages or sites that you visit just before or just after you use the Service, the pages or other content you view or otherwise interact with on the Service, and the dates and times that you visit, access, or use the Service. We also may use these technologies to collect information regarding your interaction with email messages, such as whether you opened, clicked on, or forwarded a message."

So, like most other social networking sites, you are the product and Coin will collect an extensive amount about both you and your activities through the Coin card, mobile app, and website.

When I read both policies I looked for language that stated whether or not Coin collects my purchase or transaction information (e.g., amount, store, location, items). That is where the value is. Banks know this and already collect consumers' purchase information. To me, it is reasonable to assume that Coin will collect this purchase information also.

The policy mentions third-party vendors, but doesn't state what information is shared with these vendors. So, information may be shared or not. It's hard to tell from the policy language. Just because the policy is silent about whether certain data is collected and/or shared, doesn't mean it won't. So, I assume some information is collected and shared to make it attractive for third-party vendors to participate. Perhaps, a future privacy policy version will be more precise.

Next, the privacy policy addressed data security:

"We cannot, however, ensure or warrant the security of any information you transmit to us or store on the Service, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards."

Next, Coin has a security feature that CNN Money reported could also be problematic: it relies upon your smart phone being on and nearby. The security feature deactivates the Coin device if it is far from your smart phone (with the Coin app loaded). So, if your smart phone battery has died or your phone is broken, then your Coin card won't work. Nightmare scenario #1: you are at the phone store to buy a replacement battery for your dead smart phone, but you can't because the credit/debit credentials on your Coin card are locked. Only you know how often you fail to charge your smart phone and/or have been stranded somewhere with a dead smart phone. Nightmare scenario #2: while you wait for your smart phone insurer to send a replacement smart phone for the one you lost/damaged/dropped, you can't use your Coin card.

Last, Coin's convenience is limited. You can load an unlimited number of cards into your Coin account, but only up to eight (8) cards onto your Coin device. So, a certain amount of shuffling is required for those who are heavy shoppers with lots of plastic in your wallet/purse.

So, is Coin a good deal? Only you can decide for yourself. Hopefully, I've highlighted some of the issues to consider. As a wise person once said: the devil is in the details.

Coin is not for me. I do not want to include yet another vendor in my purchases, as there are already many vendors involved in consumers' payment transactions -- all who want my purchase information for their own "big data" or data-mining purposes. Thanks to NSA surveillance, we've learned that metadata is extremely valuable, too. To me, convenience alone is not enough for a vendor to gain access to my purchase transactions.

Plus, the executives at Coin seem to have done, what appears to me to be, a masterful job at crafting online policies that effectively limit their liabilities, limit rights, and place a burden on Coin users that I find unacceptable.

If you have and use eight credit cards, one could argue you have bigger issues to address with credit. Me? My wallet is already light enough -- intentionally. I use only one credit card when shopping, avoid using prepaid cards (due to many fees and fewer consumer protections), and use my debit card only at my bank's ATM machines once weekly. Some membership cards have optional prepaid features, which I don't use for purchases because of the many fees on prepaid cards. Plus, the supermarket chain I shop at discontinued its loyalty-card program. So that card has already been destroyed. Plus, more retailers will replace their loyalty-card programs with newer, more comprehensive tracking technologies (e.g., smart shopping carts, video-camera-enabled mannequins, wristbands, WiFi hotspots, smart trash bins, etc.) in physical stores.

What's your view of the Coin service?


Credit Unions Outperform Banks On Customer Loyalty, And Banks Lobby To End Credit Unions' Tax-Exempt Status

The Bankrate Banking blog reported the results from a recent survey about customer loyalty:

"According to the 2013-2014 National Member and Nonmember Survey from the Credit Union National Association, 57 percent of credit union members indicate they are extremely likely to recommend their credit union to friends. In contrast, just 40 percent of members who also use banks say they're equally as likely to recommend that institution to friends."

A 2012 survey found that 11% of customers were ready to leave their bank. To improve their performance, you'd think that banks would focus on better customer service, and cut costs to improve profitability. The big banks have focused on lobbying legislators in Washington to end the tax-exempt status of credit unions, which are non-profits:

"... Frank Keating, president of the American Bankers Association (ABA) wrote, "Many tax-exempt credit unions have morphed from serving 'people of small means' to become full-service, financially sophisticated institutions. The time has come to abolish this exemption." "

Another claim the banking industry likes to make is that repealing the credit unions' tax-exemption would create a level playing field. Earlier this year, the American Banking Association trade group released a flyer (Adobe PDF) which claimed:

"Today credit unions are a $1 trillion industry that pays no income tax. That’s nearly $2 BILLION every year that could help shrink the federal deficit. Now, credit unions want even more perks. It’s time to end credit unions’ indefensible and outdated special treatment. Enough is enough."

I agree. Enough is enough. And, enough with the spin and misleading statements. Let's start with some facts from the U.S. Statistical Abstract:

  • The average bank is about 14 times larger than the average credit union. In 2010, the average bank had $1,739.7 billion (or $1.7 trillion) in assets while the average credit union had $124.6 billion in assets.
  • Banks still control a whopping 94% of the market, based on assets. In 2010, FDIC-insured banks (commercial and savings) had over $13.3 trillion in assets, compared to $914 billion in assets at credit unions (federal- and state-insured).
  • Banks are far bigger with more branch offices and ATM retail booths. Also in 2010, the 7,657 FDIC-insured banks (commercial banks and savings institutions) had 95,527 offices (main office and branches). That is about 12 offices per institution. In the same year, there were 7,339 credit unions; most with a couple offices (that rely on others' ATM networks to service their members).
  • In 1990, the average bank was about 20 times larger than the average credit union. In 1990, the average bank had $306.6 billion in assets while the average credit union had $15 billion in assets.
  • From 1990 to 2010, the number of banks decreased (e.g., consolidations, failures) by about 50%, the number of offices increased by 45%, and assets increased 186%. So, the big banks got a lot bigger.
  • During the same period, the number of credit unions decreased (e.g., consolidations, failures) by about 43%, and assets increased by 361%. So, small organizations did get bigger.
  • In 1990, banks controlled about 96% of the market; based on assets. So, credit unions have captured 2% of the market in 20 years. That is minuscule annual growth in market share.

Some additional facts worth noting:

The trade group representing credit unions has completed its own analysis which totally debunks the level playing field claim by banks. Read this 2011 report: Commercial Banks and Credit Unions: Facts, Fallacies, and Recent Trends:

  • The claims by bankers imply that credit unions have captured a larger share of the market. This is false. In 1992, credit unions had 6% of the market -- the same share as in 2010.
  • In 2011, half of credit unions had less than $19 million in assets while less than 2% of commercial banks were this small. During the same period, two-thirds of banks had $100 million or more in assets, while only 20% of credit unions were this big.
  • The claims by bankers that credit unions don't pay their fair share of taxes is misleading and dishonest. Many banks use the SubS tax status to pay less taxes. According to CUNA, the number of banks using the SubS tax status has grown from 6% in 1997 to 31% in 2011. Both small and big banks use this tax dodge. Again in 2011, 61 banks with $1 billion or more in assets used the SubS lower-tax status, which was originally created for small businesses. It would seem that the banks are gaming the system tax wise.

What's really going on here? I began to wonder why an industry that controls 94% of the market would complain about its competition.

As I see it, this lobbying by banks is another slick attempt to focus attention away from themselves and to limit consumer freedoms and banking choices. By limiting or eliminating choices (e.g., credit unions), banks reduce competition that keeps banking prices down. Without credit unions, it would be easier for banks to raise prices (e.g., fees, loan interest rates, decrease savings interest rates). Consumers would not have an option to move their money from banks. I can think of no other reason why an industry would complain about competition that has only 6% of the market.

Remember, raising prices was what the banks wanted to do in 2011, but couldn't when consumers rejected higher monthly checking and debit fees proposed by the Bank of America and other big banks. Raising banking prices has several benefits for banks:

  1. Increases banks' revenues and profits
  2. Encourages some current account-holders to move to underbanked status: a checking or a savings account, but not both
  3. Encourages some current account-holders to move to unbanked status: neither a checking nor a savings account
  4. Allows banks to service both underbanked and unbanked customers with highly-profitable prepaid cards, instead of with traditional checking and savings accounts. Prepaid cards aren't as tightly regulated as debit cards, credit cards, checking accounts, and savings accounts. Prepaid cards have fewer or no disclosure requirements and few to no limits on the number or amount of fees the banks can charge. Prepaid card users have greater liability should the bank that issued their prepaid card fail.

In 2011, about 8% of U.S. households were unbanked and 20% were underbanked. The average prepaid card charges about $300 per year in basic fees. That's a huge revenue source for banks. Do you want to pay $300 per year, or more, in banking fees? I doubt it. I don't.

This blog discussed the long list of fees charged on many prepaid payroll cards. The goal should be to decrease unbanked and underbanked households. The St. Louis Federal Reserve said it well in 2010:

"Encouraging the unbanked to handle payments through the financial mainstream is important for a number of reasons. Having a checking and savings account is an important first step in establishing that the consumer has the financial acumen to apply for credit for a car or home... the key advantage to consumers having bank accounts is avoiding costly alternative financial services and enabling families to build and protect their wealth. Unbanked consumers spend approximately 2.5 to 3 percent of a government benefits check and between 4 percent and 5 percent of payroll check just to cash them. Additional dollars are spent to purchase money orders to pay routine monthly expenses. When you consider the cost for cashing a bi-weekly payroll check and buying about six money orders each month, a household with a net income of $20,000 may pay as much as $1,200 annually for alternative service fees—substantially more than the expense of a monthly checking account fee."

So, traditional checking and savings accounts are ways for consumers (e.g., the poor and lower middle-income people) to move up the economic ladder in society to achieve the American dream. If one wants the poor and middle-income classes to succeed, one should encourage them to open traditional checking and savings accounts with the lowest-cost financial products possible, usually available at credit unions.

Without credit unions (or with severely hampered credit unions), a rise in banking prices by banks would likely result and cost consumers dearly. The Los Angeles Times reported:

"The tax exemption is crucial to credit unions, which by law can't raise capital through public stock offerings the way that banks can, said Fred R. Becker Jr., president of the National Assn. of Federal Credit Unions, a trade group with about 3,800 federally chartered members... A 2012 economic study commissioned by the trade group found that removing the tax exemption would cost consumers about $10 billion a year through higher fees and interest rates on loans, as well as lower interest rates on savings."

The Los Angeles Times article also provided some good background information:

"Under a 1934 law, Congress exempted credit unions from federal income taxes as long as they were nonprofit businesses, organized without capital stock and operated for the benefit of their members. For decades, most credit unions were small operations, usually serving employees of individual businesses and government agencies. The industry has grown significantly since the 2008 financial crisis, boosted by outrage over Bank of America's 2011 plan to impose a $5 monthly fee for debit card use."

So, the big banks have only themselves to blame for the rise in credit unions. I think that it is important to remember the history of banks and credit unions described in this Federal Credit Union handbook (Adobe PDF):

"In the early twentieth century, credit needs of the urban working classes in the United States were largely neglected by established financial institutions. For the most part, the average worker had nowhere to turn except to the usurious money lenders of the day. This growing dependency complicated the economic life of the average consumer and gave rise to the development and formation of a cooperative credit system in the United States, an idea originating in Europe and imported to North America in 1900. In 1908, the first legally chartered cooperative credit society was established in Manchester, New Hampshire by a special act of the state’s legislature. The following year, the first complete credit union act, the Massachusetts Credit Union Act, became law in Massachusetts. By 1933, enactment of state laws permitting formation of credit unions had been largely accomplished. In 1934, the Federal Credit Union Act was signed into law..."

A reminder: usurious = very high or unlimited interest rates. So, a world without credit unions would eliminate the need for the Credit Union Act. It would also eliminate several freedoms citizens have, including the right to gather as a group and form a credit union. It would also set conditions for a return to the high interest-rate times of the 1800's. Do you want to return to banking practices of the 1800s? I doubt it. I don't.

What to do next. First, contact your elected officials and tell them what you think of the banks' lobbying against the tax-exempt status of credit unions. Second, move your money to a local, community bank or to a credit union. Third, join the Don't Tax My Credit Union movement.


Hackers Arrested In Large Identity Theft Ring That Stole 160 Million Cards

Yesterday, the U.S. Attorney's Office in New Jersey announced the indictment of five persons for operating a worldwide data breach and hacking ring that stole information about more than 160 million credit- and debit-cards, resulting in losses of hundreds of millions of dollars. The theft and fraud ring targeted financial institutions and companies, including alleged:

"... attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard."

How the theft ring operated:

"The five men each served particular roles in the scheme. Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov, 32, of Moscow, also a hacker, specialized in mining the networks... The hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine.  Dmitriy Smilianets, 29, of Moscow, sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants. Kalinin and Drinkman were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches – including the breach of Heartland Payment Systems Inc.,..."

Drinkman and Smilianets were arrested in the Netherlands on June 28, 2012. Smilianets was extradited to the USA on Sept. 7, 2012. The other three defendants are still at large. Four defendants are Russian citizens. Rytikov is a citizen of Ukraine. The number of 160 million cards stolen is an estimate, and could be higher.

Additional information from the announcement:

"The five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders."

Thanks to the several federal agencies involved in pursuing and capturing these defendants.

To me, this case is another example that identity-theft thieves and fraudsters are smart, creative, organized, and persistent. The days of the lone hacker are gone. Identity thieves target firms they believe are vulnerable. Identity thieves go where the money is.

I find this case highly interesting, as both Global Payments and Heartland experienced massive breaches previously. That the hackers targeted these and other payments processors means that all of these firms' computer systems are still vulnerable, despite executives' claims otherwise.


7 Tips To Avoid A Rejected Credit Card During Vacation Travel

Today, banks are more vigilant than ever about spotting potential fraud. One signal banks look for is charges outside of the cardholder's normal usage pattern -- the area where you live, work, and use your credit card. When you go on vacation, you often intentionally travel outside of that area. Nobody wants a credit card purchase denied while traveling, especially when you don't have the cash with you.

So, what can you do to avoid having your credit card denied while shopping during vacation? Banks and credit card issuers advise consumers to:

1. Understand where your credit card is accepted outside of the United States. You can visit the customer service section of your bank's or credit card issuer's website. For example: the Help Center in the Discover site lists the regions where that credit card is accepted, including an international Country Acceptance Map. This is also helpful to understand any exchange rates used, and/or any fees or surcharges that might apply for purchases in different currencies. The Visa Travel Preparation Page provides similar information for cardholders traveling internationally.

2. Decide which credit cards you will bring. You may decide to leave at home the credit cards that have high foreign transaction fees, don't offer purchase protection insurance, don't offer frequent-flyer mileage, and/or aren't accepted in the countries you will visit. Experts advise consumers to bring at least two credit cards, and use one as a back-up in case your primary card doesn't work.

3. Notify your bank or credit card issuer of your upcoming travel, and the specific locations where you will use your credit card. For example, Capital One directs its Visa cardholders to call its Customer Service department (1-800-955-7070) before their trip to provide the following information:

  • Credit card number
  • Travel destination(s): states and/or countries
  • Travel start and stop dates
  • Which cardholders will be traveling (if multiple people have accounts)

In Capital One's automated voice system, cardholders speak to enter and select voice prompt options. Say "More Options" and then "Report Upcoming Travel" to access the relevant option. Then, you can enter all of the necessary information, or you can speak with a human representative.

Obviously, if your vacation travel itinerary includes several cities and/or countries, you will want to have all of that information ready. When you contact your bank or credit card issuer, they will provide an international customer service phone number you can call while traveling outside the United States, should you have any problems. Last month before my vacation, I used Capital One's automated voice system. My travel itinerary included about six countries, and I found the system pretty easy to use to enter the necessary information.

4. Watch out for PINs. In some regions, automated kiosks require credit cards with smart chips. If your credit card doesn't have this new technology, it may not work.

5. If you want to use your debit card instead, first contact your bank, credit union, or card issuer to report your travel itinerary. Visit their website to find their office and ATM locations in the states or countries you will visit, any other banks they have partnerships with, any fees (e.g., conversion, foreign transaction) that apply, and any PIN number limitations (e.g., fewer digits). Generally, in-network ATM machines have lower fees than out-of-network ATM machines.

Experts advise consumers to keep sufficient cash on hand for smaller purchases. The fewer times you use your debit card, the less you expose it to identity theft and fraud risks. If you read this blog regularly, then you already know that I use my debit card only at my bank's ATM machines. To me, it is too risky to use a debit card in a local retail store or gas station, especially in another country. There is no way to know if the card entry pads (or gas station pumps) have been compromised with skimming devices.

6. If you want to use a prepaid card instead, CardHub advises consumers:

"As long as your prepaid card bears the MasterCard or Visa logo and you notify your issuer of your travel plans, you should be able to use it abroad...”

Wise consumers will still check with their card issuer to get a copy of their prepaid card agreement, to find ATM locations in the states or countries you will visit, any other banks they have partnerships with, and any fees (e.g., conversion, foreign transaction) that apply. Again, in-network ATM machines generally have lower/fewer fees than out-of-network ATM machines. Compare the fees for your prepaid card against fees for your credit/debit cards. Understand your rights, protections, and the differences between credit, debit, and prepaid cards. If you decide to use a prepaid card, make sure you load enough money onto it before you leave for your trip.

If you are unsure about whether prepaid cards are for you or not, there are plenty of online resources to help you decide. You can learn more by browsing the Prepaid Cards section of this blog. The posts in this blog section contain plenty of links to external sites and resources.

7. Check for foreign travel advisories. These may suggest additional precautions you should take in the countries you will visit.

Having done all of this, you can then travel with peace of mind.


Visa Survey Claims Consumers Lose $1 A Day In Cash

While surfing the web recently, I ran across a news item at Talking Payments, a website for people and companies (e.g., banks, retailers, card issuers, payment processors, etc.) interested in digital payments. The TP news item mentioned a study by Visa that consumers lose, on average, about $1.00 a day.

To learn more about the Visa study, I next visited the Visa Viewpoints website. The August 2012 survey included 5,641 people in Australia, India, Indonesia, Japan, Russia, Singapore, South Africa, South Korea, Taiwan, Thailand, the UAE, and the USA. View the infographic about the study (Adobe PDF). The survey tries to document the "cost" to consumers of using cash by adding cash lost plus idle cash. Some findings:

  • In the US: $365 lost cash = $285 in lost foreign currencies after trips + $80 in idle cash lying around your home, office and/or car.
  • In the US: men ($331) lose more than women ($245). And, younger people ($165) lose more than older people ($135).
  • Lost cash varies across countries: Singapore ($656), Australia ($361), Japan ($349), and Russia ($137)

At first read, this seems very interesting. The implication of this study is that consumers who use payment cards (e.g., credit, debit, or prepaid) won't lose cash daily. Losing $1.00 a day in cash equals about $30 a month, or $365 a year.

Do you lose $1.00 a day in cash? I don't. I know this as I check the cash in my pocket at the end of the day -- every day. When I receive change in the form of bills, I place that change in my wallet immediately. And, I don't consider idle cash as "lost." Maybe you do, but I don't. So, I am wondering exactly which consumers really lose $1.00 a day in cash, and if people really lose that much cash daily.

One of the footnotes in the Visa infographic reads:

"2. Foreign currencies given as tips given away in airports and/or misplaced."

What? So, a portion of the supposedly lost foreign currencies includes tips. I don't consider tips as lost money. When traveling, I tip bellhops, taxi drivers, and others who help me with my luggage. That's not lost money. That is paying for services received. Sometimes, I have foreign currencies left over from a trip, but that amount is nowhere near $285. It's under $5.

What's really going on here?

In my view, several things. First, banks really want to capture usage from consumers who don't have traditional bank accounts, or have only one account (e.g., checking or savings). Second, banks really want consumers to migrate to prepaid cards where there are fewer regulations for them; which means fewer or weaker consumer protections and consumer rights. That includes banks working with employers to provide payroll cards and banking services via prepaid cards, and/or health care spending accounts via prepaid cards. To learn more, read the list of prepaid card fees in this blog post, the payroll cards from Bank of America, and the Walmart MoneyCard.

To me, the study methodology compiled numbers in a way to inflate the amounts lost to justify these business goals.

Third, even if you lose as much as $1.00 a day in cash, a fair comparison is to consider the fees associated with prepaid cards, and if those fees are greater than the cash you really lose. CNN Money found that basic prepaid card fees are about an average of $300 per year. That is almost as much as the supposed cash lost by consumers in the US, Australia, and Japan. Those average prepaid fees exceed the cash lost by consumers in several countries.

Both CNN Money and Consumer Reports found a wide variety of fees when they investigated prepaid cards: activation fees, monthly fees, reload fees, cash withdrawal fees, inactivity fees, online payment fees, paper statement fees, customer service phone call fees, and more.

What do you think of the Visa lost cash study?


Chicago Theft Ring Received Sentences For Card Skimming Crimes

In a Chicago court, several defendants were sentenced for card skimming thefts and fraud. The sentences ranged from six years of prison time for the ringleader to two years of probation for other members of the theft ring.

The thieves, working with employees at several fast-food restaurants in Chicago, had allegedly swiped consumers' debit/credit cards through small portable readers to obtain their card numbers. The theft ring then allegedly created fake cards with the stolen card numbers and purchased about $200,000 in merchandise.

Affected consumers had accounts at several banks: Chase, Citibank, Fifth Third Bank, Harris Bank, U.S. Bank, Bank of America, and American Express. Reportedly, the banks assisted local law enforcement with the investigations. The seven defendants included:

  • Joseph Woods, 33 (the ringleader)
  • William Washington, 31
  • Alex Houston, 23
  • Britain Woods, 34
  • Jenette Farrar, 35
  • Essence Houston, 29
  • Kenyetta Davis, 33

Congratulations to both local law enforcement and the judicial system.


Update: Schnucks Data Breach Exposed 2.4 Million Cards

Back in March 2013, this blog reported about the Schnucks supermarket data breach. On Monday, the St. Louis Business Journal reported:

"Over a three-month period, up to 2.4 million credit and debit cards used at 79 Schnucks stores may have been compromised..."

Two civil lawsuits have been filed against the company. Now we know more than we did in March. Still, not good.


Data Breach At Schnucks Supermarkets Affects Customers And Their Banks

St. Louis-based KSDK television reported a data breach at Schnucks supermarkets. The supermarket chain isn't yet sure exactly where (e.g., which stores) and how the breach occurred (e.g., in the store or with a debit/credit card processor). The breach occurred about a week ago.

Schnucks operates stores in Missouri, Illinois, Iowa, and Indiana. Customers have already seen unauthorized charges on their debit/credit cards. A representative from Montgomery Bank reported that about 600 of their accountholders have already filed fraud claims. Some customers wonder why the store has not posted alerts in its stores, so shoppers can use cash instead:

“They’re just letting people use their cards and not saying anything.”

Reportedly, the retailer has hired a forensics technology firm to assist it with a breach investigation. It sounds to me like the company was caught unprepared and its post-breach response needs improvement. Customers need to be notified promptly to take appropriate action to avoid or minimize identity theft and fraud.


Payment Processors: A New I've Been Mugged Topic

When consumers purchase a product or service with some form of plastic (e.g., credit cards, debit cards, prepaid cards) and their mobile device, usually several companies are involved in completing that transaction: getting the money to the retailer (online or brick-and-mortar). While many consumers may believe that only their bank is involved in processing the transaction, the reality is that more companies are often involved.

One type of company involved is the payment processor: a company that processes these financial transactions. Sometimes these payment processor companies experience data breaches where sensitive customer information is lost or stolen. With recent events in the banking industry, and the spread of prepaid debit cards, this new topic can help you more easily read about and understand what is happening within the banking and retail industries.

I have tagged this new topic retroactively to archived blog posts, so you can read and understand the types of information available. See the new "Payment Processors" topic. I hope that you find it useful.


The Companies Involved In Payment Transactions When Consumers Buy Items

When consumers pay for products and services, today they have a wide variety of options. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize the wide variety of different companies involved.

Companies involved in the payment transaction flow often have their own privacy policies and their own collection of consumers' sensitive information -- driven by their agreements with the retailer or bank. And each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

Rows list the company type; columns list the payment method.

| Company Type | Cash | Credit Card | Debit Card | Retailer's Prepaid Card (1) | Bank Prepaid Card (2) | Prepaid Card: FSA (3) | Smart Phone |
|---|---|---|---|---|---|---|---|
| Brick-&-mortar retail store | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Online retail website | n/a | Yes | Yes | Yes | Yes | Yes | n/a |
| Retailer's partners &/or affiliates (4) | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Your bank | n/a | Yes | Yes | n/a | Yes | Yes | Yes |
| Retailer's bank | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Payments Processor (5) | No | Yes | Yes | Yes | Yes (6) | Yes | Yes |
| Your Employer | n/a | n/a | n/a | n/a | Yes | Yes | Yes |
| Healthcare Vendor (7) | n/a | n/a | n/a | n/a | No | Yes | n/a |
| Wireless Provider | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Manufacturer | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Operating System Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile App Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| App Store | n/a | n/a | n/a | n/a | n/a | n/a | Yes |

Footnotes:

  1. Includes gift cards offered by retailers that are good only at that retailer's stores.
  2. Includes general-purpose prepaid cards usually offered by banks
  3. Includes prepaid cards used by employers to administer healthcare Flexible Spending Accounts
  4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns
  5. The bank and/or company that processes the debit/credit card transactions
  6. Applies to employers that pay employees via payroll debit cards
  7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card
  8. The company that develops and maintains this software for mobile devices

What do you think about the above chart?