Source
Automatically imported from: http://commons.somewhere.com:80/rre/1997/evils.of.debit.schemes.html
Content
This web service brought to you by Somewhere.Com, LLC.
evils of debit schemes
``` [Two articles about retail payment mechanisms, edited from the current issue of Privacy Forum. The first article is about those nasty debit cards. I've gone to great lengths to avoid owning any of these things, which offer many risks and few benefits. The second is about a payment scheme for gasoline that sounds wacky but is absolutely typical of the sort of thing we're about to see everywhere. I am sure that technologies like this can be used well, but it looks as if the first hundred of them will be badly thought out. So listen up! All leaves are cancelled. For the next few years, we will all be busting our lungs explaining what's wrong with an infinite variety of hare-brained schemes for retail payment, capture of personal information, and other such-like. That is all.]
---
This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help@weber.ucsd.edu
---
Date: Thu, 20 Nov 97 21:44 PST From: privacy@vortex.com (PRIVACY Forum) Subject: PRIVACY Forum Digest V06 #16
PRIVACY Forum Digest Thursday, 20 November 1997 Volume 06 : Issue 16
Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com
---
Date: Thu, 20 Nov 97 19:46 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: The ATM Debit Card Switcheroo
Greetings. Longtime readers of this digest know that I have rather mixed feelings about massive Wells Fargo Bank when it comes to security and privacy issues. When they were among the first to institute user-selected passcodes to control telephone access to accounts, I publicly applauded. On the other hand, I've condemned their moves to terminate neighborhood bank branches in favor of noisy, crowded, and privacy-unfriendly "supermarket branches". So it's been a mixed bag.
Unfortunately, that bag just got substantially more moldy. Wells is in the process at this time of the unsolicited replacing of apparently millions of current ATM cards with what they call "ATM and Check Cards". What these really are is combined ATM and debit cards (apparently Wells doesn't like using the word "debit"--it doesn't appear anywhere in the literature that accompanies the cards).
These cards, which are branded with the MC credit card logo, replace customers' current ATM cards, which customers are informed will "expire shortly". Customers need to call a toll-free number from their home phone (obviously for ANI phone number verification--which essentially is a non-blockable caller-ID) to activate their new cards. Also buried in the pile of material accompanying the card, is a number to call if for some reason the customer would prefer to keep using their old non-debit ATM card instead. (This second number is actually just the normal Wells toll-free customer service number--you need to work your way to an operator to "cancel" the new card.)
Wells Fargo customers (and customers of other banks) might well want to consider refusing these sorts of debit cards--or making sure you never use them except in an ATM. While the card seems to add convenience at first glance, in reality it is a big step backwards toward PIN-less access by others to your money, with a range of potential problems--it could actually be more dangerous than a conventional credit card!
A debit card of the kind Wells is distributing is used like a credit card. Anywhere a MC would be accepted, the new card can be used. The banks promote this as a major value of the card (along with some credit-card like "purchase protection" programs). But just like with a real credit card, no PIN is needed for purchases, only a signature. And not even the signature is required for telephone purchases, again, just like a conventional credit card.
But unlike credit cards, the debit card doesn't result in a bill mailed to you later, rather, it draws money immediately from your checking account. Banks love this--it's like instant money with no float (the merchant pays the same percentage for accepting the debit card as he or she would for a normal credit card purchase). But with a "real" credit card, you have a chance to go over your bill and search for erroneous purchases before paying. Sure, it's a hassle if someone uses your credit card number for unauthorized purchases, but a debit card usable without a PIN opens up a whole new dimension.
The problem of course is that since the debit card draws immediately from your checking account, without the protection of a PIN, anyone who has ever seen your debit card, and has the number and expiration date, could use it for purchases which will immediately draw down your checking account. When you get your monthly checking statement, these purchases will be itemized--but the money has already long since been pulled from your checking account by the time you get the statement. Folks who check their account status online every day will be in better shape, but most people don't do this and shouldn't need to.
Having your checking account suddenly go dropping down toward zero has an important side-effect. The legitimate checks you've written can start merrily bouncing, unless you're fortunate enough to have plenty of money in an associated "overdraft" account of some sort.
Wells suggests that there are protections built into their debit card system. You're not responsible for purchases made by unauthorized parties if you notify Wells what's going on. That's well and good, but hardly compensates for the hassle of bounced checks with potentially numerous entities that can result from misuse of your debit card numbers. Wells also points out that there is a daily limit on debit card activity. This is true, but as far as I can tell that limit has no obvious relationship to the amount of money in the checking account. In cases I've seen myself, the assigned daily limit was up to 10 times the average account balance!
PIN-less access of this sort to checking accounts is full of problems. The account can be accessed without a physical check, without a PIN, and without your immediate knowledge. For anyone who has "real" credit cards, ones which bill and are paid conventionally, there seems to be little benefit (for the customer!) to a debit card of this sort, at least compared with the negatives and potential hassles that could result. Even persons without real credit cards might wish to think long and hard about the wisdom of using a card that could so easily result in their checking account being drained and their checks being bounced.
The irony of all this is that at a time when what we really need is some form of PIN protection on conventional credit cards, the introduction (especially unsolicited) of a PIN-less financial instrument of this sort can only be viewed as a very bad idea. The losses that are certain to accrue will no doubt be handled like the untold millions in credit card losses each year, via higher costs and bank fees for merchants and other customers alike.
--Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com
---
Date: Wed, 12 Nov 1997 23:39:55 -0500 (EST)
From: Mike Gardiner
I stopped at a Mobil station the other day, and noticed a new assembly bolted to the pumps. Being a gadget-type, I asked the cashier what the new gear was for. I suppose by now I should learn to assume stupidity on the part of new technology, but I was still surprised and unsettled by the answer I got.
The new gear is an antenna assembly that interacts with a small transmitter that you carry in your car, they recommend that you stick it to your dash with velcro. When you pull up to the pump, it reads your transmitter (transponder?) and by the time you get out of the car to pump gas, all the approvals have been done, you just select your gas grade and go. The pump is active while you are there, and goes inactive when you pull away. You gas is charged to the credit card you selected when you applied for the transmitter.
The cashier couldn't understand why I thought this was frightening. My avoidance of credit cards and their Speedpass device (a small plastic tube that you wave past a sensor on the pump, proximity-card style, which also charges a credit card selected at signup time) was likewise a mystery. The question I got was "what could anyone do with that information?" Beyond my standard "You'd be amazed." I didn't even try to explain it.
I have taken to avoiding credit cards for gas unless I am tapped out of cash precisely because of the neat little travelog it leaves on your bill, and I'm making a point of using a small group of ATMs to avoid the same effect on my bank statements.
Aside from the privacy implications, if you forget about the transmitter when your car is stolen, you could get an incredible shock the following month when your credit card bill arrives in a crate, if your provider does not have fraud-spotting software (which is a whole 'nother can of worms) to limit the damage. A high credit limit in such a situation could be real nasty.
Then there's what low-tolerance fraud-spotting software could do to an out-of-pattern road trip.
Depending on the range and directionality of the transmitter, a sufficiently unscrupulous techie might be able to set up a personal spotting point to trigger the transmitters when cars pass by. Want to find someones car? Buzz the lot with a tranceiver and wait for your victims' gas pass to trigger, then you only have to look at a few cars to find it.
I can see cars getting smashed windsheilds just for the gas pass. Stick it in your pocket and you could fuel several cars in a few hours.
This is quite an opposite to their Go card, essentially a limited purpose cash card that I get when they have them. The cards are handy when I am in a hurry or the weather is rotten, and they preserve privacy in that I introduce the registration card to Mr. Shredder, so that the only useful information that can be found is the station that sold them, and I'm not sure about that. Drawback: the card is like cash in that if stolen, remaining value goes with it. The gas version of the pre-paid phone card, except that the value spends at actual cost of materials purchased. The fact that registration is not forced may be why the cards are not presently on sale.
The real sad thing is, I expect this to become very popular, in the grand tradition the public grabbing any small convenience without considering the price to be paid. I'll stick to cash and equivalents, thanks.
---
End of PRIVACY Forum Digest 06.16
--- ```
This web service brought to you by Somewhere.Com, LLC.