Check, Debit or Credit?

The FTC is requesting comments on strengthening the Free Credit Report regulations. Among other things they would require clear disclosures for companies that advertise Free Credit Reports but are actually selling a product, often with hidden fees that consumers don't find out about until they've signed up. They will also restrict the ads that the bureaus are currently putting on their sites as you work your way through the signup for the legitimate free reports. The comment period opened on Nov. 7, 2009 and will close on Nov. 30, 2009. See this FTC page for more details. Click on the Text of the Federal Register Notice link in the right side column to download a PDF file. That file contains a link to a comment form.

I wrote this page after researching what type of payments offered me the best protection from fraud and/or theft. This applies to purchases in person and online, as well as bill payments. Cash isn't really a consideration in a lot of cases, but when it is, it's certainly a good protection from fraud. However if cash is stolen, your chances of recovering anything are approximately none. With the other three you can almost certainly get something back, the question is how easily, how soon, and how much.

I was raised not to spend money I didn't have. At the same time I don't like carrying a bunch of cash because if you lose it or it's stolen, it's gone. So for many years I wrote checks. I also liked writing a check because I just have to record it in my check register to keep track of it, and it's easy to reconcile my statement because it shows up with a check number. I've written over 10,500 checks out of my current account over the years.

Then several years ago a lot of small businesses stopped taking checks due to fraud. So I started using my debit card because it was like a check in that the money came out of my account PDQ and I still couldn't spend money that I didn't have. Now relatively few places take checks anymore, and many that do run it through as a debit card and hand the voided check back to you. My primary irritations with that are that I have to save the receipts to enter into my register, and when I get my bank statement, there's no check number for the transaction. So if I've made a bunch of purchases at Bob's Hardware that were handled like that I have to reconcile by date and amount, just like I do with a debit transaction. But in my opinion at the time, debit was still better than credit.

The Banks insisted that the fraud protection was the same for debit and credit cards, so that I was no more at risk of loss with a debit card than a credit card, even though only the credit card protection is mandated by law. As far as I can tell banks are honoring that. If my debit card is stolen, I have the same risk that I do with a credit card, usually [in the United States] something in the range of $50 or less depending on the circumstances. But even when that's true, there's one critical difference: With a credit card I don't have to pay for the purchases until the bill comes. With a debit card the money is removed [or at least locked] from my checking account almost immediately in most cases. This isn't normally an issue, unless there's a problem.

I'd heard stories about people having problems, but a few months ago I got a wake up call when a friend had her wallet and checkbook stolen. Within a couple of hours the thief had been to her bank and used the debit/ATM card at a teller station and took most of her money. By going to a teller she avoided the need for the PIN, and for some reason the teller didn't bother to check ID. The bank also helpfully transferred money from Savings to Checking for her, and also gave the thief some of that, apparently as part of the 'overdraft protection' where they take money from savings to cover overdrafts. For a fee of course. Then the thief hit a couple of other banks and made some other withdrawals that resulted in [a day or so later] overdrafts. She also made some sort of telephone transfer to spend some money. My friend realized within a few hours that her stuff had been stolen and called the bank to close the account, but it was too late, she was out of money. She opened a new account with a small balance, and when another charge on the old account came through, the bank very helpfully transferred it over to the new account and cleaned that out too. She changed banks. After completing their investigation, the bank refunded all the fraudulent charges and resulting fees. But the real problem was that for about 5 days she had no money. And things like her car insurance payment which auto-drafts out of her account bounced. If it had been her credit card that was stolen she'd have still had all of her money while it was investigated. The thief never actually cashed a check, but she did use a couple to guarantee a cash withdrawal somewhere. In this case the effects of using a debit card or a check were the same, the money was gone from the account right away.

An even worse example, admittedly extreme, is the case of at least 26 people in Norway in December of 2007 who used their debit cards to pay for parking. The computer that processed the payments mistakenly multiplied the amount of the sticker by 10,000 resulting in bills between $37,000 and $148,000, Needless to say that cleaned out the bank accounts of people who thought they were going Christmas shopping until their cards were declined. Fraud isn't even required, all it takes is a mistake.

While the banks are (at least so far) providing the same protection for debit cards as they do for credit cards, it's purely voluntary on their part because they don't have to. According to the FTC under some circumstances your liability, even for fraudulent charges, on a debit card can go as high as the line of credit established for overdraft protection on the checking account.

If your credit card is stolen, it's not your money that the thief is spending since you have until the end of the billing cycle to pay it off. And you can refuse to pay a fraudulent charge while it's in dispute. But with a debit card the thief is spending your money and when you dispute the charges the money is already gone, you have to wait for the bank to give it back.

Because of that risk, for the most part I quit using my debit card [and checks] and started using my credit card. I just make sure I pay it off each month (or even twice a month) so that I don't pay any interest. By law your maximum liability for credit card fraud is $50, (unless you fail to report it within 60 days of the statement date showing fraudulent charges). If you report the theft before any charges are made, or if only the card number (and not the card itself) are stolen you have no liability. There are a few things you need to do to minimize your liability, so read the rules. There are additional relevant links at the bottom of the page.

There are several things you can do to minimize your risks and protect your checking account information. The best protection is to not use it. But if you do use checks (or your debit card) be careful about where you use them. Always reconcile your bank statement to verify that all charges are valid. If you can safely check your account online, you can keep a closer eye on it. But if you do use online banking, make sure that you only do it from a computer and connection that you can trust. And please use a good password.

By law in the United States you're entitled to one free credit report from each of the three big Credit Agencies each year. To meet the FTC requirements the agencies have set up a joint site at www.annualcreditreport.com. You can get them all at once to compare them, or get one every 4 months so that they're more frequent. This is the only legitimate free credit report site.

Never give out sensitive information to someone who calls you to ask for it. There are lots of scam artists out there and they have some very smooth lines to get you to give up the information they want. If you didn't initiate the call and aren't certain who you're talking to, don't give out the information.

Mail theft is a major source of information leading to identity theft. Never mail a check from the mailbox in front of your house, take it to a drop box. And then only if that box will be picked up the same day. Also make sure that your incoming mail is as secure as possible, don't let it sit in the box for days, or even overnight. Keep the box itself as secure as you can: lock it if it's an option, have the boxes in a clearly visible area, and watch for suspicious activity around them.

You can register at www.optoutprescreen.com to get off those lists that generate unsolicited Credit Card and insurance offers. The site is sponsored by the four credit agencies. If you opt-out online it's good for 5 years, if you want to do it permanently you'll have to send them a letter. Instructions are on the site.

If your bank sends you "checks" that can be used to get money from your credit card, ask them to stop. You don't know they're coming, you won't know if someone steals them, and they give someone access to your accounts.

Readers Digest has a good article about the need to protect your Health Insurance card, that has become a target for identity thieves as well. A good health insurance card could actually be worth more money than your credit card.

Use a cross cut shredder on anything that has any personal information on it. A strip cut shredder is not good enough.

Don't carry more personal information than necessary. I never carry my Social Security card.

In addition to all the above, be careful where your information is stored. If someone asks you for sensitive information (like your Social Security Number) and you don't think they need it, don't give it to them. There are relatively few places that really need it, mostly related to income taxes in one way or another. Unfortunately the laws regulating use of your Social Security Number are not clear. There is no law preventing some businesses from requesting it. And they can refuse to provide service if you don't give it to them. I had a doctor refuse to treat a broken finger unless I gave them my Social Security Number.

If someone steals your identity, they might not do anything obvious like steal from your existing accounts. They may just open new accounts in your name, with a new address. You won't know anything about it until (or unless) you check your credit report and start seeing unexplained activity in your name.

Be careful about Rewards cards. Studies have shown that spending goes up when people think they're getting more rewards for doing it. The bills still have to be paid though. And of course you're giving a lot of information to the card issuer. Ostensibly in return for lower prices, but the benefits are really for the store and their partners.

The best way to protect your credit rating is to lock it up. There are two degrees of lock, and the differences are significant.

Keep in mind that this is a hot issue and laws are changing all the time, so this information may be outdated soon. Laws also vary from State to State, and Federal laws could change everything. The credit bureaus seem to be becoming more interested in providing these options voluntarily, possibly to avoid being forced to do even more. Each credit bureau is providing State specific information so that you can see the process and the costs. In most States if you've been the victim of identity theft where the compromised information was actually used, some or all of the freezes could be free. Consumers Union has a page that details Credit Freeze laws and procedures by State so that you can see what you are entitled to. They also link to the specific laws and agencies in each State.

In November 2008 while getting my free Credit Report from Transunion I found out that they were providing Free Freezes for everyone. I created a PIN number that would allow me to lift or modify the freeze at no charge. The EULA stated that they could change the conditions at any time. All three agencies allow free Freezes for ID theft victims and people age 65 or older [these may vary by State]. Transunion now lets you set it up on line if you have an existing account, the others still require that you send in paperwork.

In November 2009 that had changed again. When I logged into my TransUnion account (and after pressing Continue a few times to get past a series of Special Offers) I found this notice:

That's a good example of what can happen when there are no regulations about Fraud Alerts and Freezes, the rules change without warning and may leave you at risk of unexpected expenses.

Remember that to place a freeze on your account you have to do it individually with each agency. The requirements and fees vary depending on which State you live in and your reason for placing a freeze on your account. All the bureaus have a way to find out what the their procedure is for your State.

In late October 2009 when I was checking my credit card balance online I noticed a duplicate transaction. A triplicate actually. I had bought something and that showed up. Then the next day another copy showed up, and a credit for the same amount. I thought that the store had mistakenly put my transaction through a second time, then given me a credit. But when two more showed up the next day I called my bank. I was told that a company who experienced a data breach had notified VISA, and gave VISA a list of credit card numbers that were involved. VISA sorted them by bank, then sent them to the appropriate banks telling them to replace those cards. My bank wasn't told where the breach occurred, so they couldn't tell me. But the triplicate transactions were part of the process of transferring transactions to the new card number, and a new card was on the way to me in the mail. Sure enough it showed up a couple of days later, followed a few days later by a letter telling me that a new card was on the way due to a compromise at an undisclosed third party location. So that part was all good.

But I thought it would be good to know where the breach occurred and what sort of trouble I was in, including what other information of mine might be at risk. Only a few places should have my card number on file, and some of them would have at most my card number and my address. Others might have my birth date, my mother's maiden name, perhaps my Social Security Number, and more. Most of those places shouldn't have my card number on file, but they might have. My bank says they don't know and I'm inclined to believe them. VISA [or at least their Call Center in India] insists that the only thing they know about my account is the card number and which bank is responsible for it, only the bank would know anything more. The supervisor even volunteered to call the bank for me and find out. But it turns out all he did was transfer me to the bank, who knew nothing.

Apparently (at least in this state] I have no right to know what happened and how much of my data is at risk. Some states have laws requiring that customers affected by a data breach be notified, but mine doesn't. Even in the states that do, I suspect that the generic notification and replacement of cards may be sufficient unless a lot more data is comprised. Check the laws where you live to see what you're entitled to know. According to this USA Today article there are data-loss disclosure laws in more than 30 states. I don't even know when it happened, so it's possible it was just last week, in which case fraudulent activity may not show up for many months yet. Or it might have been part of the Heartland data breach that was revealed in January and had been going on for an unknown amount of time, exposing tens of millions of card numbers, perhaps as many as 130 million credit and debit card numbers. Heartland is a credit card processor who deals with a lot of businesses, but theoretically don't store the data once it's confirmed. I suspect that was the case, and in a sense that would be good news because all Heartland would have had is my credit card number.

Since the bank had already replaced my card, I did what any victim should do, I placed a Fraud Alert on my credit bureau accounts. For the basic Fraud Alert you can call any of the 3 major bureaus using an automated system, they'll notify the other two. I got a letter from each of them telling me that the notification was in place, and that it would expire in approximately 90 days. Because of the Alert I'm entitled to one free credit report from each bureau, the timing varies by bureau, so read your letter. You have anywhere from 90 days to 12 months to request the report, depending on the bureau. A Fraud Alert doesn't prevent anyone from accessing your credit report, it will just include a notification that the company should verify the applicant before giving them credit. The notice that's on my Experian report reads [all in caps]:

The phone number is the one I provided when I placed the Alert, I've replaced the numbers with X's. I can call again after 60 days to extend the Alert another 90 days, and I may be able to just keep renewing it until I get a better option.

Doing anything more permanent or severe gets complicated and/or expensive. I can place a Security Freeze at each bureau, but there's a fee to place it, and another fee to lift it temporarily if I want to apply for credit. And I have to do each bureau independently, so it adds up. A few states mandate free Security Freezes, the bureaus have a list you can check to see what you're entitled to. If I'm an ID theft victim I can get an Extended Fraud Alert that's good for 5 years. Or a free Security Freeze. But to prove I'm a victim I've got present them with a police report of some kind. And it turns out that my local police won't take a report just because my data has been compromised, there has to be an actual loss to me before they're interested. Never mind the cost to VISA and the bank to get me a new card, the time I spent on the phone getting what details I could, the time to notify a few vendors of my new card number, and the time I've spent and will spend checking my credit reports looking for problems. Made worse by the fact that I don't know if more than my card number was compromised, so I'll need to keep checking for a while. There are two bits of good news related to this though. Because of talking to my bank about the new card I found out that I can now get temporary single use credit card numbers for online or telephone transactions, greatly reducing my [and the bank's) risk. I can also create a number that is good for recurring payments of a set amount, good for up to a year. So I've done that for the three vendors who bill my card monthly. And the Fraud Alert entitles me to one free credit report per bureau, in addition to the free reports I can get through www.annualcreditreport.com, so this year I get a total of 6 instead of 3. At least one of the letters says that extending the Alert will entitle me to another free report.

Your Rights: Credit Reporting including information about and links to the only official and legitimate Free Credit Report site. This is a good place to start. The FTC page includes this warning, which is worth repeating here:

The FTC has a page that is specifically about the Free Credit Reports including more warnings about making sure you're on the right site. You have to give them the information that you're concerned about protecting, you don't want to give it to a look alike site. Or pay for something you can get for free.

Another page from the FTC about Free Credit Reports has additional information. Read both.

Fair Credit Billing has information about your rights under the Fair Credit Billing Act.

Consumer Sentinel is the unique investigative cyber tool that provides members of the Consumer Sentinel Network with access to millions of consumer complaints regarding ID Theft, online scams and more. It's open to Law Enforcement Agencies, but there are some reports available to the public. The Summary report for 2008 says that they received over 1.2 million complaints that year. Identity theft complaints increased from 31,140 in 2000 to 313,982 in 2008. Credit cards accounted for 30-35% of the fraud complaints in 2006-2008 while debit cards were targeted in 19% of the cases in those years. You can download the Sentinel CY-2008 - (PDF) from the Reports page. The following is quoted from the report.

Free Credit Reports from the only site where it really is free, see the warnings above about making sure that you're on the correct site. You get one free report from each of the major Bureaus each year. Get them from one site every 4 months to spread them out, or get them all at once so you can compare them. But keep in mind that in most cases you then have to wait a year to get any more free ones.

The Clark Howard Show Notes include a good page about Credit Freezes, including links to a page at each of the three main bureaus that you can use to place a Security Freeze on your account. Doing it that will cost you money in most circumstances.

www.ultimatecoupons.com has a page about choosing credit cards which includes good explanations about the different methods that banks use to calculate interest.

idtheftawareness.com is a site put together by Danny Lents, who was an ID Theft victim several years ago and now lectures on the subject. He's got loads of information available.

The Phoenix New Times has a cautionary article about companies that want to help you protect (or repair) your credit rating. There's always someone willing to take money to solve the latest problems to hit the news. And don't forget that for them to do what they're supposed to (if honest) you have to give them all the information that you want to protect. And they don't do anything you can't do yourself. The founder of the company in the first article resigned a couple of months after the article was printed.

redtape.msnbc.com has an article about the risks of unsolicited credit card applications, and recommends getting off the lists.

KeePass is a free, open source Password Safe. You can use it to store those really good passwords that you can't possibly remember. It will also generate them for you if you want, and tell you how strong they are. And you can carry it on a Thumb Drive and use it on any computer without installing it. You only need to know the one password to get into KeePass, just be sure that's a good one.

Keep in mind that I am not responsible for any external sites linked to from my pages. They may look different to you, or even have effects on your browser or computer that are different than what I see due to different security settings and browsers. They could have also changed since I looked at them. To the best of my knowledge, they are all safe. But you surf at your own risk.

This document reflects the opinions of the author. This document is provided "as is" without any express or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the author/maintainer and/or contributors assume(s) no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

The only information that I collect is page hit counts. My web host Penguinhost.net keeps track of lots of things and makes the information available to me in pretty graphs and logs. I look at them occasionally, but there is no personally identifiable information there.

Front Page \| Information \| Computer \| Router setup tips \| XP setup tips \| Address munging for newsgroups \| Junkware \| Alternate Data Streams \| Check, Credit or Debit?
Do you seem to be getting spam from my domain? Please see this note If you find a dead link, a typo or have a suggestion, there's a link at the bottom of the page that you can use to send me an Email.	I like and use Firefox. Which ever browser you use, make sure you keep it updated. That goes for all critical software. Date format is MM/DD/YYYY