I received a curious text message the other day.
“Did you purchase $205.95 at a grocery store or supermarket on 10-23-2011?” it asked.
I hadn’t. The message included my bank’s name. Still, I ignored it, figuring somebody was trying to get me to call some 1-800 number promising instant fortune.
Then I received a voice mail identifying itself as my bank’s debit card fraud department. The voice mail left a phone number and urged me to call, which I did.
Turned out, somebody in San Dimas, Calif., 2,000 miles from where I live, had gotten his hands on my debit card number and attempted various purchases. Fortunately for me, my bank warded off every attempt.
Consumer advocates no doubt considered me a fraud victim waiting to happen. I used my debit card for everything. I used it for coffee. I used it for lunch. I used it for haircuts. I used it for brunch. I used it so often, I didn’t keep it in my wallet. I kept it in my right front pocket and whipped it out faster than you could say, “That’ll be 79 cents, please.”
I had been warned. I had read that debit card information, like credit card information, could be stolen by any retail clerk or by “skimmer” devices that collect account information from cards used at ATMs, gas stations, grocery stores, restaurants and more.
And I understood the risk of using a debit card. I knew that debit cards offered fewer federal protections than credit cards. I knew that theft of my debit card number would mean theft from my checking account. I knew that it could take banks days, even weeks, to restore the funds.
After my bout with debit card fraud, I heard it all again.
“We have put out the message loud and clear that individuals shouldn’t be using debit cards for a number of reasons,” said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer organization. “We recommend that people stick with true credit cards.
“First of all, with a debit card, it directly affects your checking account, so your checking account could be wiped out. We have talked with several individuals who have had to wait quite a long time before their checking account has been replenished. In the meantime, they have to pay the rent, pay the utilities and any other bills that come along.”
Half a continent away
I wondered how somebody half a continent away could have gotten my card number. My wife and I a month earlier had visited San Francisco, but that’s 400 miles north of San Dimas. Was my number thief on the move? Had he gotten the number from friends or fellow thieves who lived in San Francisco? Had he somehow gotten my number from a gas station or grocery store in my own neighborhood?
“It could have been anywhere,” Givens said. “It could be you used your card at a place where they don’t have very good security, and their computers were hacked.”
Givens recently fell victim to credit card cloning. She suspects that she swiped her card and that a skimmer took her account information. Then, she suspects, the underground market turned her account information into a physically cloned credit card that a buyer used as his own.
That further piqued my curiosity. I wondered if a card identical to mine, because I hadn’t lost it, had been swiped, or if somebody had tried to make purchases with just my card number. I called my bank back, and the representative told me that somebody had swiped a card bearing my account number at an Albertson’s grocery store in San Dimas. The representative reaffirmed several other attempted purchases.
This wouldn’t surprise many.
“There’s a very large underground credit card account information market,” Givens said.
So my debit card number or information became part of an underground market?
“I think it would be hard to know how your information got into the hands of crooks,” Givens said. “It could be from hacking. It could be from skimming. It could be organized crime. Or it could be … a petty criminal who’s just very savvy about how all this works.”
Nikki Junker, social media coordinator at the nonprofit Identity Theft Resource Center, said identity thieves usually work in networks. After talking with Givens and Junker, I considered these scenarios: A local convenience store clerk installed a skimmer device on a gas pump that I used. Or maybe a server at a San Francisco restaurant skimmed my debit card. The clerk or the server harnessed my debit card information and sold it to somebody in the underground market, who sold my information, perhaps for as little as $5, to somebody who lives or works or plays in southern California.
That person might have bought it on an underground website. Or maybe not. “It’s like drugs. How do you know where to get drugs?” Junker said. “They’re able to point you to a guy who knows a guy who knows a guy.”
To catch a crook
I also wondered how my bank knew to deny these transactions. I often had left town, even the country, without informing my bank (I know — a no-no). Yet in this case, my bank knew that somebody other than me repeatedly tried to make purchases.
“Each bank has a different algorithm that they will follow that will point out potential fraud to them,” Junker said, pointing out that it’s in every bank’s best interest to invest “tons of money” in this. “So that is something that’s up to the bank … whether it be tracking locations, or some go as far as asking ‘Why would a 60-year-old woman be buying tickets to a Metallica concert?'”
I asked my bank representative how it knew somebody other than me was trying to make purchases on my account. He hesitated, saying the bank “wouldn’t want to tell everybody” how it goes about catching crooks.
When I pressed him, he said the bank “didn’t see any airfare to California or any previous activity in San Dimas. That’s two clues right there.”
My bank canceled my card and promptly sent me a new one. I put that one in my wallet — and, this time, I’ll keep it there.
For lunch, coffee and chewing gum, I’ll use cash.
Pete Reinwald edits consumer content for Tribune Newspapers. Email him at preinwald@tribune.com
Credit or debit?
The law: The Federal Trade Commission says your maximum liability for unauthorized use of your credit card is $50. For ATM or debit cards, your liability under federal law for unauthorized use depends on how quickly you report the loss. You won’t be responsible for more than $50 for unauthorized use if you report the loss within two business days after you realize your card is missing. You could lose up to $500 if you don’t report the loss within two business days after you discover the loss. LowCards.com says that some banks reimburse you for any unauthorized debit card transactions up to the amount of the loss when you report the loss within 60 days from the statement date.
Not all bad: “The biggest advantage of a debit card is that it limits the amount you can spend to what’s in your account,” said Bill Hardekopf of LowCards.com. “There’s a discipline in spending what you can afford to spend and also a discipline in paying it off when it comes to credit cards. A lot of people lack that discipline.” If you lack that discipline, “a debit card is probably a favored financial tool for you to use.”
More resources: For more information about laws on credit cards and debit cards, visit the FTC’s “Facts for Consumers” page at tinyurl.com/6lx7dt3. For cautions on debit cards from the Privacy Rights Clearinghouse, visit tinyurl.com/6kepapb.
