Bank of America security alert....

[Shopaholic]

Quote:

Originally Posted by taustin

Quote:
Originally Posted by Shopaholic What you fail to recognize is that there is a world of difference between confirming purchases on your card and telling you that your card was compromised at XYZ store. The fact remains that they will NOT tell you where the card was compromised. They cannot legally do so.

Cite?

Common sense. Your credit card issuer confirming the last number of purchases - date, amount, location, is not the same them telling you your card was compromised at store XYZ. They do not do that. They cannot do that. You can choose to believe it or not but that's just the way it is.

And my employer's training on how to deal with compromised bank & credit cards tells me. Which for reasons that should be obvious to most, I cannot post here. It's also called slander to the merchant that's been victimized. They themself didn't skim your card. Someone else used their equipment to do that.

Again, as I've already said, the person you speak to on the phone or even in person does not know where the compromise took place. You can go yell at the bank manager if you so desire but even he/she doesn't know. We don't see that information. We don't even see when it happened. Only someone highup in the fraud department knows and that information does not flow downward.

[ScalyFreak]

Quote:

Originally Posted by Shopaholic

Common sense. Your credit card issuer confirming the last number of purchases - date, amount, location, is not the same them telling you your card was compromised at store XYZ. They do not do that. They cannot do that. You can choose to believe it or not but that's just the way it is.

And my employer's training on how to deal with compromised bank & credit cards tells me. Which for reasons that should be obvious to most, I cannot post here. It's also called slander to the merchant that's been victimized. They themself didn't skim your card. Someone else used their equipment to do that.

Again, as I've already said, the person you speak to on the phone or even in person does not know where the compromise took place. You can go yell at the bank manager if you so desire but even he/she doesn't know. We don't see that information. We don't even see when it happened. Only someone highup in the fraud department knows and that information does not flow downward.

All of the above applies to the training my employer gave me on how to handle compromised credit cards as well, and I work for a completely different company than Shopoholic does.

Credit card information is radioactive, and information about fraud even more so. Only people who absolutely have to have access get access, but no one else. The fewer you tell, the smaller the risk of leaks.

[carpetmojo]

Having started this thing off, I would like to mention the apparent opportunities there are for card dodginess before they even reach us - those envelopes that arrive with your new/replacement cards, that are plainly carrying new/replacement cards ? The address on the rear, the type of envelope, the fact you can feel them inside .....

Is this a security risk, or is the system so good it wouldn't matter if someone helped themselves to some ?

[murraypaul]

Quote:

Originally Posted by carpetmojo

Having started this thing off, I would like to mention the apparent opportunities there are for card dodginess before they even reach us - those envelopes that arrive with your new/replacement cards, that are plainly carrying new/replacement cards ? The address on the rear, the type of envelope, the fact you can feel them inside .....

Is this a security risk, or is the system so good it wouldn't matter if someone helped themselves to some ?

I think they rely on two things:
a) The PIN is always sent separately
b) You need to phone to activate the card, using some pre-established password or other identification method
So just having the un-activated cards shouldn't be hugely useful.
(This is a lot more secure in chip-and-PIN countries, rather than those that routinely accept swipe-and-sign.)

[HarryT]

Quote:

Originally Posted by carpetmojo

Having started this thing off, I would like to mention the apparent opportunities there are for card dodginess before they even reach us - those envelopes that arrive with your new/replacement cards, that are plainly carrying new/replacement cards ? The address on the rear, the type of envelope, the fact you can feel them inside .....

Is this a security risk, or is the system so good it wouldn't matter if someone helped themselves to some ?

The card is useless without the PIN, and the PIN is never sent with the card. Not like the old days when you could just use a signature.

[taustin]

Quote:

Originally Posted by Shopaholic

Common sense.

So you do not, in fact, know of a law which prohibits your bank from telling you where your credit card was used?

Quote:

Originally Posted by Shopaholic

Your credit card issuer confirming the last number of purchases - date, amount, location, is not the same them telling you your card was compromised at store XYZ. They do not do that. They cannot do that. You can choose to believe it or not but that's just the way it is.

I know that any credit card company that won't tell its customers where their card was used is going to get sued out of existence pretty quickly.

And until you can cite a specific law (or banking regulation, which is effectively the same thing) that prohibits it, you're talking out your ass.

Quote:

Originally Posted by Shopaholic

And my employer's training on how to deal with compromised bank & credit cards tells me.

Do you work for a bank that issues credit cards? If so, why should I believe that a) you have been trained in the law rather than in their policy, and b) they know what they're talking about? (I've had banks try all kinds of blatently illegal crap on one of my credit cards, so don't try to convince me they always know, or follow, the law.) If not, then your personal experience has no bearing on talking to your bank.

Quote:

Originally Posted by Shopaholic

Which for reasons that should be obvious to most, I cannot post here. It's also called slander to the merchant that's been victimized. They themself didn't skim your card. Someone else used their equipment to do that.

Saying that the merchant tried to rip you off might, possibly, be slander. Saying that someone did so at a particular place would not, unless it was not true. And I certainly have the right to see the records associated with my own account, especially if I'm up for the $50 I'm responsible for if the card is stolen. (And the most likely scenario of "someone using their equipment" to rip off a credit card is that it's an employee, which the merchant most certainly is responsible for, morally and legally.)

Quote:

Originally Posted by Shopaholic

Again, as I've already said, the person you speak to on the phone or even in person does not know where the compromise took place.

When I talk to the bank that issued a credit card to me, I am talking to someone who has the account records - all of them - on a computer screen in front of them. They most certainly do have that information available to them. I've had that conversation. More than once.

Quote:

Originally Posted by Shopaholic

You can go yell at the bank manager if you so desire but even he/she doesn't know. We don't see that information. We don't even see when it happened. Only someone highup in the fraud department knows and that information does not flow downward.

Not my personal experience. And again, I've had that conversation. It sounds to me like your employer is more concerned with making it impossible for customers to talk to someone who can actually help them resolve an issue than anything else. But I could be wrong.

[taustin]

Quote:

Originally Posted by ScalyFreak

All of the above applies to the training my employer gave me on how to handle compromised credit cards as well, and I work for a completely different company than Shopoholic does.

Credit card information is radioactive, and information about fraud even more so. Only people who absolutely have to have access get access, but no one else. The fewer you tell, the smaller the risk of leaks.

What you describe sounds more like you work for someone who takes credit cards, not someone who issues them.

In any event, when I call the bank that issued me a card to talk to them about the account, they have to have access to account information. They cannot even tell me they can't help me until they've brought up the account information.

I've had this conversation. More than once. What you describe simply isn't true for the situation I'm talking about.

[taustin]

Quote:

Originally Posted by carpetmojo

Having started this thing off, I would like to mention the apparent opportunities there are for card dodginess before they even reach us - those envelopes that arrive with your new/replacement cards, that are plainly carrying new/replacement cards ? The address on the rear, the type of envelope, the fact you can feel them inside .....

Is this a security risk, or is the system so good it wouldn't matter if someone helped themselves to some ?

Generally speaking, the only people with ready access to that mail are the post office employees, who are, generally speaking, not going to risk years in prison for a credit card. (And they'd get far more years of prison for stealing mail than they would for stealing the credit card.) Postal inspectors have a fearsome reputation[1], and it seems to help.

Plus, the card generally has to be activated before it can be used. This is usually done by phone, and when you call in to do so, they can tell what number you're calling from. Not by caller ID (which is trivial to fake), but by AIN, which is billing information that is very difficult to fake. If you call from your home phone, it's usually pretty simple. If you call from somewhere else, there's generally an elaborate verification process involving questions that in theory only you would know the answer to.

In practice, it does happen, but not often enough that the banks have considered it a problem. So far.

[taustin]

Quote:

Originally Posted by HarryT

The card is useless without the PIN, and the PIN is never sent with the card. Not like the old days when you could just use a signature.

US credit cards do not have PIN. Debit cards do, but credit cards do not. (I gather actual credit cards are far less common outside the US, and that they do actually have a PIN of some sort when they do exist.)

This is becoming more of an issue, and either Visa or Mastercard is currently implementing a chip-and-pin system on all their cards, but it will take a decade or more before they can do away with the old system entirely.

[HarryT]

Quote:

Originally Posted by taustin

US credit cards do not have PIN. Debit cards do, but credit cards do not. (I gather actual credit cards are far less common outside the US, and that they do actually have a PIN of some sort when they do exist.)

This is becoming more of an issue, and either Visa or Mastercard is currently implementing a chip-and-pin system on all their cards, but it will take a decade or more before they can do away with the old system entirely.

Both credit and debit cards in the UK and, I believe, in most Western European countries, have been "chip and pin" for many years; I don't know how many years it is since I last signed for a card transaction - quite a few, certainly!

Any idea why it's not been implemented in the US thus far? I don't think it's the doing of MasterCard or Visa, since both of those are chip and pin elsewhere.

[Bilbo1967]

Quote:

Originally Posted by taustin

US credit cards do not have PIN. Debit cards do, but credit cards do not. (I gather actual credit cards are far less common outside the US, and that they do actually have a PIN of some sort when they do exist.)

This is becoming more of an issue, and either Visa or Mastercard is currently implementing a chip-and-pin system on all their cards, but it will take a decade or more before they can do away with the old system entirely.

So do you still have to sign something for a credit card in the US?

I remember watching American programs years ago and not understanding how kids seemed to be using their parents credit cards. Since pin numbers came in, I'd always assumed that the US had had that first and that was how it worked.

[ScalyFreak]

Quote:

Originally Posted by taustin

What you describe sounds more like you work for someone who takes credit cards, not someone who issues them.

I do. I've never claimed otherwise.

Quote:

Originally Posted by taustin

I've had this conversation. More than once. What you describe simply isn't true for the situation I'm talking about.

That's because I'm not talking about calling the bank that issued the card. I'm talking about calling the company that charged the card and asking for information. I thought I had made that clear; obviously not.

[ScalyFreak]

Quote:

Originally Posted by HarryT

Any idea why it's not been implemented in the US thus far? I don't think it's the doing of MasterCard or Visa, since both of those are chip and pin elsewhere.

Lack of desire to do so, is my guess. No one wants to be the first one to do it, and lose a very large number of customers who prefer to have lesser security on their cards, rather than be inconvenienced by making the card impossible to use if they lose it.

[taustin]

Quote:

Originally Posted by HarryT

Both credit and debit cards in the UK and, I believe, in most Western European countries, have been "chip and pin" for many years; I don't know how many years it is since I last signed for a card transaction - quite a few, certainly!

Any idea why it's not been implemented in the US thus far? I don't think it's the doing of MasterCard or Visa, since both of those are chip and pin elsewhere.

Mastercard and Visa aren't a single entity, for practical purposes, in the US. There are probably thousands (certainly hundreds) of different banks that issue the cards, and hundreds of merchant services that process them. That means a lot of coordination (which means extensive, and expensive, software rewrites to handle it all).

On the merchant end, there are expensive equipment upgrades to consider. Current credit card processing machines are magnetic strip readers only. To do chip-and-pin, you need a different pad entirely, and they aren't all that cheap. (My employer has nearly a hundred units, which cost about $1,000 each. More sophisticated chip-and-pin pads would, presumably, be more. We could upgrade them, and it wouldn't put us out of business, but it wouldn't be a trivial expense.) Many merchants still use the old, dumb machines that dial out over a phone line.

And then there's just inertia. If the current system works, and it has for many years, why spend billions to change it? But one of the two big companies (Mastercard, IIRC) is currently in the planning stages of implementing chip-and-pin, and the other (and Discover) is expected to follow suit soon. I believe American Express already has a chip-and-pin solution out there, but it won't be commonly used until merchants have incentive (which Mastercard and Visa will give them) to upgrade their equipment.

The current plan is that it will take about a decade before there's any real chance of getting rid of the old mag strip only system.

[taustin]

[QUOTE=Bilbo1967;1923349]So do you still have to sign something for a credit card in the US?It depends. Generally speaking, yes. The latest fad is that for small transactions (under $25 or $50, depending on the store and their bank), you don't. But that's only been the last few years. Note that it's still the same old magnetic strip system, though.

Quote:

Originally Posted by Bilbo1967

I remember watching American programs years ago and not understanding how kids seemed to be using their parents credit cards. Since pin numbers came in, I'd always assumed that the US had had that first and that was how it worked.

Debit cards have always used PINs, but credit cards no. Kids need to be added to the list of people authorised to sign, and in many states is kind of a gray area (because minors can't sign contracts), but as a practical matter, it's not an issue because if the parents dispute a transaction on that basis, they open the kid up for criminal prosecution.

Adding a PIN to the credit card system would be, from a techincal standpoint, fairly simple, because most of the processing equipment for credit cards also handles debits. But the banks seem to want to go to chip-and-pin systems instead, in the theory that it's more secure than PIN (though the technology that's out there really isn't - the system used in Europe has been broken nearly as thoroughly as most 802.11 encryption). And that requires hardware upgrades at the merchant level, and that's millions of merchants at hundreds or thousands of dollars per cash register.