Why is it so damn hard to prevent credit card fraud?

I’d recommend ditching the debit card for an ATM card, which does always require a PIN. I can use it to pay for things at grocery stores (although I only do that when I want cash back). A separate credit card is used for most real life and online purchases.

My experience is that while you’re probably going to get your money back either way if someone fraudulently uses your card (or a copy of it), it’s less of a pain when it’s the credit card company’s money on the line.

I don’t do air miles, so I can’t comment on that, but as far as security is concerned (and they may have a frequent flyer program) you may want to look into American Express. They’re really on top of security and they have IME* the best customer service.
You could, of course, get another card to use as your daily card and just stop using the BOA card. You’ll always have it if you need it, but without being used on a regular basis the likelihood of the number being stolen will go way down. Amex, OTOH, will probably shut off your card before you even know something is wrong. Or at least send you a text/call you to confirm a strange charge before letting it through.
*and I say that as both a card holder AND a merchant. I don’t think I’ve ever hung up the phone and said ‘wait what? I’m still confused’ or ‘I really should just get rid of this card’. It’s like talking to a teacher, they’ll calmly go over something with you until it makes sense.

One risk of debit card fraud is that they steal a lot of money from your bank account and you end up bouncing your legitimate charges while things are getting straightened out. The bank will work to get your money back, but they won’t fix problems with automatic payments which got denied from insufficient funds from credit cards, mortgage, rent, insurance, etc. So even if you eventually get the stolen money back in your account, you may have a bunch of other headaches if other payments bounce.

It does seem like the CC companies have gotten much better at detecting fraud. It’s happened to me a few times in the past year and the CC company contacted me the same day it happened.

I’ve read that a common way they get your number is from the gas station scanners. Crooks open up the pump and install their own card reader next to the real one. They copy all the CC numbers used at that pump and then make their own cards with those numbers. I wonder when they’ll have chip readers at the pump?

Unfortunately, AmEx is one of the least accepted credit cards. My wife’s business card is AmEx and she often has to use our personal account to pay for business stuff (and get reimbursed later) because the vendor would not accept AmEx.

It sounds to me like they did try, realized that the costs of the switch were too high, and gave up.

Note that the primary costs aren’t the labor of the stores, it’s the waiting of the customers or, even worse, the customer who can’t buy something because they can’t make their payment method work.

This is the exact issue. Preventing credit card fraud is trivially easy. Preventing it without complicating the transaction is not so easy, especially if you also want to pretend credit cards still have a function.

The simplest way of doing it is exactly what has been done in Europe - universal chip & PIN for transactions where you are present. Takes 2 seconds per transaction and reduces fraud to nearly nothing. But people might figure out that with an identical process and pretty solid security, using debit cards for essentially everything becomes feasible. Couldn’t have that because it would eliminate billions in credit card revenue.

Similarly for online purchases - two-factor authentication via smartphone app can reduce fraud to virtually nothing. But if people get used to that, then they may as well use the 2FA app to trigger a direct payment from their bank account, and eliminate not just the credit card income, but the debit card income as well.

^ And that is one reason we’ve pulled back from automatic payments in my household. We can’t afford having the regular monthly bills bounce.

We have one main checking account, and we have a separate savings account that could be used as backup if the main one is hacked or otherwise compromised.

In the past 30 years I’ve had a problem with a card transaction exactly twice. In both instances the conversation with the bank was maybe 10 minutes at most. I find even that rate of problems annoying, but given the number of transactions I’ve had over the years, and how well/quickly they were resolved, it’s actually a small problem from my viewpoint. At least so far.

That also has the problem that not everyone these days has a smartphone. Really. Millions of Americans don’t have a smartphone. Also sucks when your smartphone dies, or there’s some problem with the network it uses.

There’s a reason my employer, a store, accepts several different forms of payment.

IME two-factor usually means SMS, no smartphone required. But yes, not everyone has even an old flip phone, and some plans still charge for text messages. There’s usually an option for direct phone call, which only works if you’re home in that case.

Two-factor is a scheme developed by people who don’t understand how the other half lives.

It’s like those idiot “security question” lists on web site account setups. (“What street did you grow up on?”, etc. Like as in only one?) I went thru one list yesterday and none of the 7 options were remotely applicable to me. Not a one. And this is very common.

Just because you find it easy and natural to do X doesn’t remotely mean that there aren’t millions of people who can’t remotely do that at all.

I think you mean “other eight percent” as far as cell phones are concerned, and even that datum is a year or two old. And this was in the context of online purchases. Two-factor for online purchases can be done by voice robocall over a home landline. How many *millions* of people making online purchases can’t remotely do that at all?

Yes, if requiring it for in-person purchases we’d need to be sensitive to technology access, disability, etc. My RSA token doesn’t require a phone, so there are options if we wanted to go that route.

There is nothing requiring that you give true answers to these questions, only that you be able to give back the same answer when asked. They aren’t checking your answers against your history.
I personally think that one of the reasons that cards are so easy to hack is because the banks pass on most of the costs of a fraudulent purchase to the vendors. If the banks had to pay more of it, they would be spending more money on security.

Is that really the case? I thought as long as the merchant gathers the correct (and in some cases even the incorrect) verification data, they don’t need to be as worried about carrying the costs of a fraudulent charge. For a swiped card, as long as the signatures are a reasonable match (or the PIN is correct) the merchant never has to be concerned about it. This is, of course, working on the assumption that the merchant isn’t in on the fraud. If the processor suspected that or if there were a lot of fraudulent charges at one location, I’m sure they have a policy for that. It may even be in the merchant agreement.

If the banks passed on all the fraudulent charges to the merchants, many merchants wouldn’t be able to accept them. Just think about how much a busy gas station must lose in a year to people using stolen cards. It’s bad enough that if someone writes me a bad check I not only have to eat that I also get dinged $35 by my bank for it. [side question, if I run someone’s debit card and it says they don’t have enough money or otherwise declines, should I let them write a check? Often times, if the owner is there he won’t, I’ve never been sure about that one]
Having said that, with the move to chipped cards there was a “Liability Shift” that stated that certain types of fraudulent charges on a chipped card that is swiped instead of dipped will be the responsibility of the merchant. This was our incentive to upgrade our equipment. The shift happened on Oct 15, 2015.

Chip and Pin would start to help, but it is blocked in the US due to how tips and table service payment work.

To move to chip and pin, the tipping process would need to change because consumers have to be present when a card is run to enter their PINs to complete the transaction.

Tips must be added to bills before processing the card, as the addition of a PIN finalizes a transaction.

One day the table pay model will allow the entire transaction including the tip to be finalized all at once.

The primary customers of Visa are issuers and acquirers.

The primary customers of acquirers “the companies providing the readers and network” are merchants.

The primary customer of issuers (banks) is you.

So there is an incentive to err towards convenience vs security.

Here are the rules around the above liability shift.

http://www.emv-connection.com/downloads/2015/05/EMF-Liability-Shift-Document-FINAL5-052715.pdf

Note how most of the risk is on the issuing bank, as the Acquirer and payment networks make their money by keeping merchants happy and increasing transactions there is little to no incentive to really prevent fraud. Their liability is tiny and the risk to their income is from angering merchants or annoying consumers to the point where they use cash or other payment methods.

In European countries where tips or pay at table are not as critical the chip + pin model is a bit better at preventing fraud.

I am confused?
My debit card is chip, it also requires you to enter a PIN with the chip
and then it requires you respond to the 2 part auth

So technically 3 things

Your bank does not have this?

As mentioned, in the US because of the huge legacy base of installed old-style credit/debit transaction systems (soft and hardware) and of old-style swipe cards in people’s hands, the costs both tangible and intangible to go universally to Chip+PIN/2-factor were high enough, including the potential cost in market goodwill from customers inconvenienced by no longer being able to handle things instantaneously, that the banks and merchants felt they had to keep everything backward-compatible and move only at a slow creep, not even switching to chip+PIN but to chip-and-signature instead. To this day my branded debit card from my bank is still unchipped because it was so when issued and it does not expire for some time yet. (OTOH it has worked perfectly in multiple states and countries.)

As for the table tips, yeah, the system has to change and it needs to be moved up front. Really, everyone else I tip in the service industry, I’m standing right there in front of them when I tip them (bartender, barber, cabbie) or they know who I am (doorman), why should it be my waitperson can’t know what I tipped until I’m out the door and gone?

How do you think I get past these screens??? Sheesh.

The problem then is I have to store the fake answer somewhere. I have a “family” of fake answers for these questions but then I have to keep a log of them. Which obviously reduces security rather than enhances it.

Again, sheesh.

In the restaurants I frequent (note that I am in Canada where we do have chip&pin) the entire transaction plus tip IS finalized at once, at the table. The gizmo that you stick your card in to pay for your meal prompts for whether you want to tip and if so, how much (and usually you have a choice between specifying a % or an actual value for a tip; handy for people lousy at arithmetic).

That was, as I recall, another part of the issue. Not even with Chip & Pin, but with EMV in general. Here (the US) at bars and restaurants, the server/bartender runs your card and hands you the slip. You write in the amount you want to tip, sign it and hand it back to them. At some point after that, be it immediately, later that night or even the next morning, your transaction is edited to add the tip.

With EMV, bar and restaurant owners very quickly found out that the total could not be adjusted after the fact. Many of them either rolled back their software or went back to their old machine.

The “solutions” I heard were to move their credit card machines closer to the bar (instead of on the back wall) so the customers could reach them. Most of them didn’t want to do that since it involved adding power, network/phone lines and a real possibility of liquid getting spilled on them. It would also mean customers would have to go to the machine to use their card. The next option was to get a long cord for their pin pad and leave the machine where it was. But most owners weren’t interested in having a cord running all over the bar all night. It’s only a matter of time before it gets broken*. The last one I heard was to get a $700 wireless EMV enabled pin pad. On the one hand, probably the best option. OTOH, most of them didn’t want to hand a $700 pin pad around the bar all night.

*fun fact. Unplugging a powered up pin pad can (and will) ruin it. Tripping over the cord enough times can cause the connections to become weak and intermittent and when they’re intermittent it’s only a matter of time before the pin pad is shot.

Turns out this is wrong. The US has an unusually high rate of CC fraud compared to Europe. I am pretty sure I read that in some CC fraud category the US was low compared to Europe, but I can’t remember what; it wasn’t the general class of CC fraud.