From: John De Armond
Newsgroups: rec.outdoors.rv-travel
Subject: Re: What's best--travelers checks vs credit cards vs debit cards 
	vscash?
Date: Mon, 17 Jul 2000 01:02:02 -0400

retireminn@my-deja.com wrote:

> I am not sure how you think a perp can get my password when I never use
> it with my debit card. How is that?? you ask. I use it just like a
> credit card. When the machine ask is this a debit or credit card, I
> always key in credit card. Next, there is no visable tie in to my
> checking account, so no one can get those numbers from my debit card.
> I tend to agree that there are more liabilities using the debit card but
>  it has one advantage that I like (but others don't), and that is I
> don't have a VISA bill to pay each month as the money comes out right
> now. Therefore, I can have my mail held and not worry about paying bills
> each month. Of course there are many different ways to handle this.

I used to write the transaction processing software that implements
this "wonderful" stuff for a couple of different major financial
institutes and a long distance phone company.  As such, I had to
become fairly familiar with their business models. Perhaps I could
toss out a few interesting tidbits.

First and foremost, you have NO, repeat NO protection under the Fair
Credit Act (where the $50 limit on credit card fraud comes from) on
debit card transactions simply because the transaction does not
involve credit.  As far as federal law goes, you bend over and
spread 'em every time you use that debit card.  As a courtesy, most
banks offer essentially the same protections to their debit card
users as credit card users have, but that it THEIR choice to do so.
My credit union couches this courtesy in such language as "may be
revoked at any time."  If you're a blue collar,
live-from-one-paycheck-to-the-next sort of customer, you're probably
very protected.  If you have ten or fifteen thousand in your account
and THAT gets cleaned out, your bank might not be so courteous.
Might not hurt to find out BEFORE spreading that debit card number
around.

Understand that there are two types of transactions possible with
these Visa or Mastercard branded "debit cards"/ATM cards.  These use
separate networks and different data from the card swipe.  The first
is the one most debit card users are familiar with.  The merchant
swipes the card and an authorization code is returned just like a
credit card transaction.  This is the most dangerous because it is
processed over the same very insecure and "leaky" (in the fraud
sense) network as credit card transaction except that you have NO
federal protection against fraud.  If someone gets ahold of that
number on the front of your card and has access to a terminal, he
CAN clean out your checking account and your bank controls whatever
recourse you might have.

The other transaction is an EFT transaction over a banking network.
IN this transaction, you swipe your card and then enter a PIN on the
terminal.  Though there is still no federal protection against
fraud, this transaction is a bit safer because it requires a PIN and
cannot be initiated without a valid strip read.  A clerk cannot
generate a transaction in the absence of a valid swipe.

Mastercard and Visa and the big banks like to blur the difference
between these two types of transactions because they make big
commissions from the credit card network but not on the EFT one.
The mondo stores such as Wal*Mart confuse things further by
including both types on their checkout terminals.  If you just swipe
your card on these terminals, you initiate a credit card network
transaction.  Only if you select "debit" before swiping and enter a
PIN are you doing a direct EFT transaction.

Very few people know it but the credit card transaction can be
disabled on a debit/ATM card.  All you have to do is go to your bank
and request that your card be programmed for "ATM only".  They'll
program your card on the spot so that credit card transactions are
disabled.  Then the only transactions you can do are those from ATMs
and from terminals that allow entering PINs.  If you must carry a
non-credit card, this is the safest.

Even the PIN system isn't completely safe.  The PIN is encrypted on
the magcard stripe.  False security.  I have a program that I wrote
to aid my programming that will brute force crack any encrypted PIN
in minutes.  Mine is a hacked-together utility that is fairly slow;
a hacker-optimized program could do it in seconds.

What this means is that if you lose your card (or surrender control
of it, say to a waiter) and the wrong person get ahold of it, all
the data on the magstripe is compromised.  The perp may and probably
will return your card so that you won't close the account but he has
everything that he needs to write a new card with YOUR data on it
and then use YOUR PIN (or just change it to something he likes) to
clean out your account.  The equipment to write new magstripes is
readily available and is not expensive.

IF you think this kind of fraud is rare, you ought to listen to WSB
AM in Atlanta (750 khz or on the net) for the Clark Howard show from
1 to 6 PM EDT.  His is a consumer assistance show.  At least a
couple of people call in EVERY SINGLE DAY with tales of woe from
debit card fraud.  Clark recommends to just say "HELL NO" to debit
cards.  I agree but I don't use credit cards so I carry one for
emergencies, never use it otherwise and have it on a separate
account from my main checking account. If I have to use it, I can go
to an ATM and move cash from my main account to this one in a
second.

Worse than having your checking account cleaned out is the fact that
with the data contained on the magstripe on a debit card, a perp has
a mile wide opening into your personal life.  This opening is
commonly used for identity fraud.  As bad as identity fraud is for
most folks, it's death to RVers.  Think about traveling around the
country knowing that not only is your "name" listed on all the fraud
databases but also, that it is likely that there are warrants for
your arrest at police agencies all over the country.  There are
people who call in to Clark's show who tell about 3 years hence,
having to carry around copies of court orders absolving them of the
fraud committed under their names and still being arrested and held
until their documents can be verified.  After all, a person who
would steal one's identity would also be capable of forging court
documents.

I would like to think that someday the law would protect debit card
users to the same extent as credit card users but with Congress
being bought and paid for, I doubt it happening until some major
disaster happens - like some congressman having his identity stolen.

> I am curious about gas stations printing the card number. I have never
> seen that in 3 years of using my cards. (I haven't paid cash or gas for
> years.) I have been all over the Western US and haven't run into this
> yet. Maybe its that I don't buy certain brands or something. Can you
> give me info on which gas companies do this printing?  thanks

I don't use cards so I'm not really up on this but I can report that
I saw it last week on my vacation.  I pulled up to the Flying J pump
in Bumfuck Oklahoma and noticed the receipt hanging from the
pay-at-the-pump device.  I pulled it out, intending to do the idiot
who left it a favor and destroy it.  Before I did, I took a look.
Yep, there it was in black and white - his card number.

I should point out something else.  The ubiquitous Tranz credit card
terminals (those square gray swipe readers with the blue fluorescent
screens and detached printers) that most small and medium sized
merchants use present another risk.  It can be commanded to print a
detail transaction report at any time prior to or during daily
closeout.  This detail transaction report contains the credit card
number, the amount of the transaction, the tip (restaurant package),
authorization code and some other stuff.  Any  unscrupulous person
who gains access to this tape (say, a waitress who closes out the
machine each night at a restaurant), has a ready-made list of known
valid numbers.  We recently tossed out credit card terminal but
before we did, I was the only one who printed any reports and those
reports were stored in a DOE-surplus nuclear grade fireproof high
security file cabinet and were burned after the need to keep them
expired.  I've never seen anyone else take that kind of care.  Most
merchants don't even password-protect the report generation function
so anyone who knows the keystrokes can print a report.  And unlike
the old manual system where you could ask for your carbons and
destroy them, you have NO control of access to this information.  I
suppose that it is an acceptable risk for a credit card user because
of the federal limit to liability but it is a wide open exposure for
debit card users.

At the risk of sounding like a neo-luddite, I suggest just saying
"NO" to these fancy conveniences until the law catches up a bit with
the technology.  Cash still works extremely well.  I try to take
along all the cash I expect to need, keeping the bulk of it in a
small, high security safe welded to my MH's frame (through the floor
steel rods).  I have the ATM card if I run short.  If I need a lot
of cash for some reason, I can walk into any credit union and most
banks and clean out my checking account using my debit card.

John

From: John De Armond
Newsgroups: rec.outdoors.rv-travel
Subject: Re: What's best--travelers checks vs credit cards vs debit cards 
	vscash?
Date: Mon, 17 Jul 2000 15:01:59 -0400

glock wrote:

> Thanks, John, for "sounding like a neo-luddite."
>
> I've never used my bank card for consumer purchases (I
> occasionally listen to Clark Howard's show, as well), but after
> reading your post detailing the dangers of using debit cards, I
> telephoned my bank and asked to have my ATM card "programmed for
> ATM use only."
>
> You'd think that banks would warn their customers of the
> potential pitfalls inherent in ATM/debit cards.

They don't want you to know.  Consider the numbers.  On debit/credit
cards, they get anywhere from .5 to 5% of the transaction from the
merchant, usually plus a transaction fee of $.35 or so.  Then for
credit cards, they get people to pay up to 24% interest, usually for
the rest of their lives or until they stagger into bankruptcy
court.  The "up to 5% leakage", that is, fraudulent card
transactions that is reported in the press is a mere drop in the
bucket compared to this revenue river.

In terms of personal harm, again, they could care less.  If you pay
on time and never carry a balance, you're the enemy.  If, through
identity theft, your life and finances are ruined and perhaps you
have to take bankruptcy, why then the banks have another program for
you - secured cards requiring low interest deposits and 24% interest
plus all sorts of fees.  The banks win either way.

My rising concern with how this racket works combined with
ever-increasing fees prompted me to toss out my credit card terminal
in my restaurant about a month ago.  So far, no problems.  I've had
a couple of customers not have the cash or check to pay where,
whereupon I allow them to write their name and address and signature
on the check with the promise to come back and pay later.  So far
everyone has.  Even if I get beaten out of a check every so often,
I'm still ahead of the several hundred $$$ I was paying in credit
card fees each month. (actually my customers are $$$ ahead since
they pay the fees - I postponed a general price increase based on
what I will save on fees and the labor of dealing with credit cards
when I tossed them out.)

I'm really worried at where this situation is headed.  If somehow
Americans are duped into using e-cash, smart cards and the like, and
considering the government's current move to welfare everyone with
incomes under $100k, it is entirely conceivable that in a few years
the average citizen will pay more in financial fees than in income
taxes.  Frightening, eh?

John

From: John De Armond
Newsgroups: rec.outdoors.rv-travel
Subject: Re: What's best--travelers checks vs credit cards vs debit cards 
	vscash?
Date: Tue, 18 Jul 2000 00:36:25 -0400

retireminn@my-deja.com wrote:

> >  If someone gets ahold of that
> > number on the front of your card and has access to a terminal, he
> > CAN clean out your checking account and your bank controls whatever
> > recourse you might have.
>
> I am curious (I understand and agree with what you have said) if someone
> gets my number but they don't have the experation date can they fake the
> date and use the card?  The reason I ask is that I ran a small store and
> sometime we had to key in the card info into the CC reader and we had to
> key in the expire date also. Never tried keying in any date.

If they physically get your card, they have your expiry.  If they
swipe your card, they have your expiry (It's on the magstripe)  I
just dug a CC slip out of the file to look at.  The Tranz 330
terminal we used in the restaurant prints the customer's name, CC
number and expiry on the receipt - the receipt that a lot of people
just toss in the trash on the way out.  It also prints our merchant
name AND merchant number.  Frankly, this is the first time I've
closely examined the receipt that we issued for years.  I'm not at
all happy to find my merchant number on the receipt.  If the data
host was down, all I had to do was call an 800 number and using the
TT pad on the phone, enter my merchant number, the CC number, the
expiry and the dollar amount.  Using the receipt our machine
printed, anyone who knew the 800 # (which was printed in large type
on the terminal) could initiate a transaction. They couldn't
(easily) steal money using my merchant number but they could have
made me jump through hoops.  Perfect weapon for a disgruntled
customer or someone mad at a particular customer.  Remember too,
that there are a lot of people out there ("crackers") who love to
disrupt such systems just for the mayhem it causes.

One other thing I might mention.  The "restaurant package" is
another source of fraud.  If you charge a meal and your receipt has
a place to fill in the tip, then the restaurant is using the
restaurant package.  When I closed out the machine at the end of the
day, I have to manually fill in the tip amounts at the terminal.
There are no bounds-checks or limits.  I have applied a (legitimate)
$150 tip on a $20 check (guy was in love with the  waitress :-) with
nary a question.  Not even an "are you sure?"  I think that there is
a 4 digit limit but that's about it.  A dishonest server or barkeep
could clean you out pretty good using the tip feature.  Most
restaurants pay out CC tips either on the spot or at the close of
business so the money's gone.  If you have a CC, you're protected as
usual.  If you use a debit card, wellllllll.......

>
> > IN this transaction, you swipe your card and then enter a PIN on the
> > terminal.
>
> Just as a fun thought. Did you know that if you use your CC card in any
> Sears store, the clerk is under instructions to take and keep your card.
> I know this is so, because on the Clerks screen it says "Swipe customers
> card". I now only use cash at Sears. <g>

We're (merchants) all supposed to do that.  Most don't.  The
terminal can return a "call operator" response instead of
"approved".  That almost always means that the Company wants that
card confiscated. They pay a reward for doing so.  I never got one
of those codes but the paperwork that came with my account described
the procedure.

I don't know but I'd anticipate at places like Wal*mart where the
customer swipes the card, that they have a procedure to gain
possession of the card when that result code is returned.  You may
not notice it but on the IBM POS terminals at Wal*Mart, the operator
has a little LCD panel that you can't see.  I anticipate that they
get a message asking them to request the card for manual processing
or whatever.  Knowing Wal*mart, the computer probably also calls
security and the cops all at once :-)

John