Ed Foster's Gripelog || Shouldn't The CardSystems Victims Be Notified?

» All 33 InfoWorld Newsletters Technology & Business Daily

INFOWORLD GRIPE LINE BY ED FOSTER

Bookmark this page

Shouldn't The CardSystems Victims Be Notified?

By Ed Foster, Section Columns
Posted on Mon Jun 27, 2005 at 08:42:16 AM PDT

Since it appears most banks aren't going to notify customers whose credit card information was stolen in the CardSystems security breach, here's a suggestion. How about we all turn in our credit cards and get new ones?

A whole lot of disturbing things have come out the last few weeks in the unfolding story of the CardSystems credit card fiasco. Yet another company possessing millions of records of consumers who never even heard of the operation carelessly allows data thieves to pilfer them at will. Once again, the breach occurred in a space where privacy laws and government regulations don't seem to apply. And, of course, all the politicians promise that this time they really, really, really are going to do something about it, as soon as the big financial institutions tell them what.

I think, however, that one aspect of this situation deserves far more scrutiny -- the notification policies that have been adopted by the banks that entrusted our credit card numbers to CardSystems in the first place. Although 40 million of their customers were apparently exposed, and at least 200,000 credit card numbers are said to have been accessed by the identity thieves, many of the major banks are saying that they will only monitor those accounts closely. Only if there are signs of actual credit card fraud, rather than just the potential risk, will they take action.

The banks argue that, because they are good and getting better at detecting credit card fraud, it's best to leave it up to them to sniff out what's being done with the CardSystems data. "If we see fraud -- not just potential fraud -- we will notify the customer and secure the account," says David Chamberlin, a spokesman for Chase, the largest credit card issuer. "People should understand that (because only the card numbers and cardholder names were stolen), there is no threat of identity theft here. If anything comes of this, it will be fraud. And, at the end of the day, our incentives to protect our customers from credit card fraud are very great, because a lot of the liability for that is paid for by us. And the systems we have in place to detect that fraud are very sophisticated - we stop around 80 percent before it even happens."

But don't the tougher state privacy laws -- like the one in California that first led to the security breach revelations -- require the banks to notify their customers? Well, Chase doesn't think so. "Even the strictest of laws, like the one in California, require more identifying information like the individual's social security number or an account password be involved," Chamberlin told me. "None of those things were accessed in this case."

Others, however, believe that whatever the rules and regulations say, the banks have a responsibility to notify all those at risk. "Whatever the law actually says, we believe these companies should make a good faith effort to contact their customers," says Susanna Montezemolo, policy analyst with Consumers Union. "We fundamentally believe that when sensitive personal information like your credit card number has been stolen -- which is data that can do you a lot of harm -- you should be notified. It shouldn't be just up to the banks to decide what the probability of harm is. It's the consumer's information that was stolen, through no fault of their own, and it's the consumer who should decide."

Montezemolo believes the banks are being shortsighted in trying to avoid notifying their customers. "I think they are doing their customers a disservice, and ultimately they are doing themselves a disservice as well," she says. "Concerned consumers do have one way of acting in their own interests in this case. They can say, fine, if you're not going to tell me whether my data was stolen, give me a new card. It's too bad that we have to go through the inconvenience of getting a new card number, but that's the position the banks are putting us in if we want to protect ourselves."

It's true that the banks do have incentives to protect us from card fraud, but it's also true they have some incentives for keeping us in the dark. The banks say we can trust them to detect fraud, but they are the ones that entrusted our data to CardSystems and failed to detect how it was being misused. So perhaps the banks fear their liability here goes further than just reversing unauthorized charges.

To be fair, reports indicate that at least a few banks are coming clean with their customers. Perhaps, then, all we need to do is give the rest of them a little push by demanding we all be treated the same way. After all, those banks that weren't even using CardSystems should be more than happy to tell us so.

Changing credit cards numbers can be a royal pain, so I'm not advocating everyone necessarily do that just yet. If enough customers push by continuing to demand information from their banks, I believe our financial institutions will see the light. It just makes sense that every bank should inform every customer whether or not their credit card info was in the CardSystems files, and, if so, whether it's known to have been accessed by the thieves. But if ultimately your bank refuses to tell you anything, then you have to assume the worst. And then you should not just get a new credit card number -- you should get yourself a new bank.

--------------------

Post your comments about this column below or write me directly at Foster@gripe2ed.com. To receive this column every week in my free e-mail newsletter, please go to my subscription page and follow the instructions to opt-in for the EdFoster mailing list.

< Housing Contractor Contracts Filled With Sneakwrap, Too | Activation, "Shrink" and the Price of Software >

Shouldn't The CardSystems Victims Be Notified? | 66 comments (66 topical) | Post A Comment

Better solution, but not free[ Reply to This ] (none / 0) (#1)
by Anonymous User on Mon Jun 27, 2005 at 09:23:58 AM PDT

You can be passive, do nothing, and "hope" that the credit granting agencies (banks, financial institutions, etc.) will act upon and fix this problem.

You can be a little more aggressive and place a freeze on your credit information with the three major credit reporting agencies. See this report for more information. The drawback is that the freeze is free only to those who've suffered an identify theft, and even then, there are still fees involved for unfreezing the access.

Or, you can take a very aggressive stance and protection yourself in a most proactive manner. Visit this site to start you in the right direction of protecting your identity, your privacy, and yourself.

[ Reply to This ]

Security and ATM Debit Cards[ Reply to This ] (none / 0) (#2)
by BobS on Mon Jun 27, 2005 at 09:30:32 AM PDT

One of the things I try to do to keep my security risks down is to have the banks I deal with issue me ATM cards that are not debit cards when I don't need that functionality. All the banks I've ever dealt with are extremely cooperative on this issue except one -- Key Bank.

I recently found $1 deductions from my account every month for an ATM service fee. Since I have never used a Key Bank ATM I was a bit confused about this.

Upon inquiring I found out that they were charging me $1/per month for the privlege of NOT having an ATM Debit card, and the purpose of the fee was to encourage me to get one.

Interesting new tactic -- charge customers a fee for NOT using a bank service!!!!

Anyway, what they encouraged me to cancel my ATM card completely.

[ Reply to This ]

Just the ATM card?[ Parent | Reply to This ] (none / 0) (#3)
by Anonymous User on Mon Jun 27, 2005 at 09:40:30 AM PDT

Shouldn't that encourage you to cancel your account altogether? You are rewarding their policy by continuing to do business with them. It KeyBank all that great otherwise? (I don't know. I don't live in their service area. I use an Internet-only bank and am relatively satisfied with them. I live in a large Midwest metro area and have any number of branch-based banks I could use if I so chose.)

[ Parent | Reply to This ]

Just the ATM card[ Parent | Reply to This ] (none / 0) (#6)
by Anonymous User on Mon Jun 27, 2005 at 09:51:52 AM PDT

Sorry, that should have been "Is KeyBank...". But I do agree with you on the debit card issue. If your debit card security is compromised (stolen, whetever), you can kiss your bank account balance goodbye. I have never understood why people use debit cards. You have no protection as you do with a credit card. I know it's easier than writing a check, but for me the convenience doesn't outweigh the risk. I know why the banks promote them. It's cheaper for them.

(I don't write checks, either. I use credit cards, PAY THEM OFF EVERY MONTH [that's essential], and collect the rebates they offer. If I can't pay it at the end of the month, I don't buy it at the beginning of the month.)

[ Parent | Reply to This ]

debit vs credit correction[ Parent | Reply to This ] (none / 0) (#24)
by Anonymous User on Tue Jun 28, 2005 at 10:11:45 PM PDT

I work at a credit union and our contract with Visa requires that our users do not have any additional risk from using a debit card than they do using a credit card. The risk of fraud is assumed by the financial institution, not the card holder. If your account gets cleaned out, you will be made whole by the bank/credit union.

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#336)
by maderikapapa on Fri Jun 27, 2008 at 09:53:39 PM PDT

出会い系出会い系サイト出会い喫茶出会い掲示板ナンパ出会いカフェ人妻出会い無 009;系サイト優良出会い系攻略完全無料。アダルトビデオアダルト動画アダルトアニメアダルト画像アダル 488;サイト無料DVDアダルト風俗サンプル無料風俗優良アダルトサイト比較海 806;。人妻画像人妻パラダイス知合い人妻援護会人妻コレクション風 439;告白。熟女画像東京熟女掲示板動画熟女ビデオおまんこオナニー。エロ画像エロフラッシュアニメ 456;ロ動画エロゲームエロ漫画無料エロサイト。エッチ画像エッチ動画エッチ小説写真エッチ 450;ニメエッチ0930。セックスアナルセックス画像セックス動画セックスフレンドスワッピング SEX写真セックスボランティセ 483;クス体位東京セックス仕方 SEX。おっぱい画像おっぱい村長おっぱい楽園掲示板お 387;ぱい命おっぱいゲーム。巨乳動画巨乳画像アイドル巨乳 522;示板風俗。セフレ募集セフレ掲示板セフレ画像掲示板セフレの作り方出会い無料素人セフレ。童貞狩りエロ漫画童貞狩り童貞喪失童貞オークション素人童貞逆援。不倫パートナー不倫出会い人妻不倫不倫を楽しみたい方にはお薦め 154;妻画像など満載出会いサイトを楽しむならココ無料出会いで一緒に遊ぼう出会いはLOVEｱｹﾞｲﾝで決まり

[ Parent | Reply to This ]

cancel account altogether[ Parent | Reply to This ] (none / 0) (#5)
by Anonymous User on Mon Jun 27, 2005 at 09:47:23 AM PDT

If I were you, and have a choice, I will cancel the account altogether. I have done that with some credit cards, some shopping cards. Sears keep failing to send me my account statements, so I canceled it. I was not happy with what Bank of America did with my account, so I canceled it altogether. I use a credit union now. Sometimes, things might be a little bit more inconvenient, but I value my privacy more than convenience. I'm thinking of reducing my credit lines also.

[ Parent | Reply to This ]

I need it spelled out for me[ Reply to This ] (none / 0) (#4)
by Anonymous User on Mon Jun 27, 2005 at 09:43:56 AM PDT

While I agree with the main point, that credit card holders should be informed when their personal information is stolen as a matter of principle, I don't fully understand the dangers of having my credit card number stolen. Many articles I've read on identity theft protection seem to focus on protecting credit card numbers. But consumer protection laws limit liability to $50, and even that is often waived as a "good will" loss. I've had fraudlent charges on a credit card twice, but did not have to pay any of it.

It's in my interest to protect the credit card company from losses that will cause them to have higher operating expenses or even to cancel me as a customer, but this is not up there with the devastating effect identity theft would have.

Could someone explain? I am talking specifically about CREDIT cards, not debit cards. I won't use a debit card. For a long time there was no protection against debit card fraud, and while the laws have caught up, I still feel uncomfortable with a card that ties in directly to my bank account. Thanks.

[ Reply to This ]

The credit card companies win[ Parent | Reply to This ] (none / 0) (#8)
by Anonymous User on Mon Jun 27, 2005 at 11:35:41 AM PDT

You are not protecting the credit card companies from anything. They are making a ton of money on fraudulent transactions; this is the reason they don't care about telling their customers when their info has been compromised.

You see, its not the credit card companies that take the loss, it's the merchant that accepted the card in the fraudulent transaction.(Even though the transaction was approved by the credit card company to begin with. YES APPROVED!) The merchant will not only lose the merchandise that was sold in the transaction, they will also get what is called a "charge back" in which the credit card company automatically deducts the amount of the original charge from the merchants bank account, they also charge the merchant a fee for this which ranges anywhere from $20-$50 per transaction. So imagine if 200,000 credit cards are charged fraudulently, the credit card companies just made $4-10 million on those transactions.

Now here's the part that affects you as a consumer.....
When merchants lose money due to fraudulent transactions, they have to raise prices to make up for the losses incurred. (Similar to raising prices due to shoplifting) What this means to you is that you just paid $5.00 for a $2.00 item and who got the profit??? Your credit card company. So when you think you have a great deal with a low interest rate on your cards, or travel rewards, or what ever, just remember, you are paying for them one way or another.

Merchants have been fighting the big credit card companies for years on this issue. Many companies are hoping that with the recent loss of info by Card Systems, it will bring this issue to light for consumers and the credit card companies will finally have to get their act together.

Keeping our fingers crossed.....

[ Parent | Reply to This ]

Not true unless things have changed[ Parent | Reply to This ] (none / 0) (#13)
by Anonymous User on Mon Jun 27, 2005 at 12:45:26 PM PDT

The comment, "... it's the merchant that accepted the card in the fraudulent transaction.(Even though the transaction was approved by the credit card company to begin with. YES APPROVED!) The merchant will not only lose the merchandise that was sold in the transaction, they will also get what is called a "charge back" in which the credit card company automatically deducts the amount of the original charge from the merchants bank account, they also charge the merchant a fee for this which ranges anywhere from $20-$50 per transaction."

Unless things have changed over the past several years, or unless this only applies to a certain class of merchant, the above is patently untrue. Why do you think that merchants prefer credit cards over checks? It is because as long as the merchant has gotten a transaction approval, the credit card company takes the loss, not the merchant. If the merchant doesn't get a transaction approved, then they do stand to lose the transaction amount. My father owned a retail jewelry business for a number of years; he preferred credit cards for exactly that reason and never had anything such as you describe happen (that's why he started accepting CC's, it was safer than accepting personal checks). The only requirement was that the merchant get a transaction approval number.

[ Parent | Reply to This ]

Things are different[ Parent | Reply to This ] (none / 0) (#15)
by Howling on Mon Jun 27, 2005 at 02:12:40 PM PDT

Things are different.

Those stolen cards will be used primarily or online transactions. When the customer questions a charge the credit card company will ask for proof of the transaction from the merchant. Proof meaning the card holder's signature and delivery confirmation to the card holders address.

Even with card holder's signed acknowledgement that they ordered and recieved the product it can be a challenge to get a chargeback reversed. Then after proving the charge is valid the merchant is still charged a chargeback fee of $25 or more.

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#345)
by maderikapapa on Fri Jun 27, 2008 at 09:54:24 PM PDT

Your are in error ![ Parent | Reply to This ] (none / 0) (#16)
by Anonymous User on Mon Jun 27, 2005 at 02:34:45 PM PDT

Question from another merchant: How many merchants could stay in business for very long without accepting credit cards? Unfortunately, saying that what the above merchant stated is "patently untrue" just demonstrates a part of the problem - consumers really do not know how the credit card system works, and certainly not the hands-tied-behind-back agreements merchants must sign just to take credit cards so the business can be competitive. Like the merchant told you above, merchants are the ones who bear the cost of fraudulent transactions - NOT the ccard issuers/banks. The particularly unjust, absurd part of this situation is that the banks verify a transaction is "good" but then months later they just reverse their verification, and we must then reverse the transaction, still lose the original processing fee related thereto, plus get charged a very hefty chargeback fee for the transaction to boot. Further, the fraudulent transaction then goes againt the merchant's overall rating as to what risk catgeory they are placed in, resulting in even higher ongoing processing fees to the merchant as another add-on "penalty". Where's the justice in that? And it surely doesn't take a rocket scientist to figure out who is making money on fraudulent transactions. As long as there is money to be made this way, fraud is going to continue to be rampant because the wrong folks are in bed together and it's all about the bottom line. In the meantime a lot of small business are going under directly attributable to this situation. Small businesses simply cannot absorb the kinds of losses associated. Obviously the current processing procedures are by design meant to keep padding the pockets of those who benefit by NOT stepping up to the plate and dealing with fraud appropriately.)

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#333)
by maderikapapa on Fri Jun 27, 2008 at 09:10:42 PM PDT

Sorry - merchants ARE victims[ Parent | Reply to This ] (none / 0) (#18)
by tmahoney on Mon Jun 27, 2005 at 03:52:51 PM PDT

Sir;

I don't know where you are from, but trust me, it ain't so. I've got 3000 merchants that will tell you tht they ARE the victims.

With all due respect, you need to do some homework.

An Authorization means: The account exists and the card holder has sufficient credit to cover the transaction. It means nothing about the validity of the sale. Any merchant that thinks otherwise is in big trouble.

Tom Mahoney, Director Merchant911.org
[ Parent | Reply to This ]

Things have changed then[ Parent | Reply to This ] (none / 0) (#22)
by Anonymous User on Tue Jun 28, 2005 at 04:34:50 PM PDT

Based upon your comments, then things *have* changed in the last 10 years. The only reason my father signed up to accept credit cards was because the transactions were protected. If they were not, he would not have given up the 5% transaction fee when he could have had the same results accepting checks with no transaction fees. There's a thought, maybe merchants should start offering a discount for payment by cash or check rather than credit card. From what you are describing, there is no more risk in accepting checks than credit cards, customer pays less, merchant pays less in CC fees -- everybody wins.

[ Parent | Reply to This ]

Things have changed then[ Parent | Reply to This ] (none / 0) (#27)
by tmahoney on Wed Jun 29, 2005 at 04:24:35 AM PDT

I'm talking aobut on-line commerce - Not brick and mortar. Things have NOT changed in the e-commerce world. Your Father may have thought he was protected - most of our member merchants thought that too when they first got burned. It is now, and always has been, that the on line merchant pays for the fraud.
Tom Mahoney, Director Merchant911.org
[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#346)
by maderikapapa on Fri Jun 27, 2008 at 09:54:28 PM PDT

Charging Less for Cash[ Parent | Reply to This ] (none / 0) (#32)
by Anonymous User on Wed Jun 29, 2005 at 10:50:14 PM PDT

The last time I talked to a merchant who accepted credit cards about it (about 4 years ago), I was told that his contract allowing him to accept credit cards forbid him from making the effective price contingent on the method of payment -- he'd be in breach of contract if he let us pay less for something because we paid with a check or cash, rather than a credit card.

This is, of course, to help encourage extensive use of credit cards.

[ Parent | Reply to This ]

Everything costs more too[ Parent | Reply to This ] (none / 0) (#36)
by tscoff on Fri Jul 01, 2005 at 02:33:55 AM PDT

It also results in the prices of everything going up slightly to pay the Credit Card companies fees.

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#330)
by maderikapapa on Fri Jun 27, 2008 at 09:02:07 PM PDT

yes[ Parent | Reply to This ] (none / 0) (#340)
by maderikapapa on Fri Jun 27, 2008 at 09:54:09 PM PDT

yes[ Parent | Reply to This ] (none / 0) (#329)
by maderikapapa on Fri Jun 27, 2008 at 08:47:49 PM PDT

bank takes the loss[ Parent | Reply to This ] (none / 0) (#25)
by Anonymous User on Tue Jun 28, 2005 at 10:14:35 PM PDT

Visa does not take the loss. The issuing bank or credit union does.

[ Parent | Reply to This ]

Geez are you ever wrong![ Parent | Reply to This ] (none / 0) (#46)
by Anonymous User on Fri Aug 05, 2005 at 07:54:50 PM PDT

The amount of misinformation floating about this web site is mind boggling. Get it straight --- First, Visa IS the issuing bank- also the processor and the merchant bank. Visa is an ASSOCIATION comprised of the institutions and businesses in the payment industry that deals with Visa cards. Second, they do NOT take the losses in fraudulent e-commerce transactions. The merchants do - all of it. Every time. PERIOD. That's a fact. Tom Mahoney Director, Merchant911.org

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#341)
by maderikapapa on Fri Jun 27, 2008 at 09:54:11 PM PDT

Credit Card numbers are just a start[ Parent | Reply to This ] (none / 0) (#39)
by Anonymous User on Tue Jul 05, 2005 at 05:57:07 AM PDT

Well, if someone gets your credit card number, they can charge lots of items in your name. Credit Card numbers can also be used to spring board the evil doers into opening other forms of credit in your name. Credit card companies, once convinced you are not scamming them, will do the necessary chargebacka (see other user's post) for the items. However, you will have to spend time & money to clear your credit of the mess and then monitor it. And if they somehow use your name with the police, you may then have police troubles that will take time to clear up.

[ Parent | Reply to This ]

yes[ Parent | Reply to This ] (none / 0) (#337)
by maderikapapa on Fri Jun 27, 2008 at 09:53:47 PM PDT

I Disagree - There is nothing to fear or do.[ Reply to This ] (none / 0) (#7)
by scottgny3 on Mon Jun 27, 2005 at 11:01:36 AM PDT

I'm all for privacy protection, but asumming that Chase/Card systems aren't lying and it was just credit card #'s and Names that were stolen, then I don't need to know if it was mine that was taken. You can't do a reverse lookup to get my identity from that info. So the only possibilty is that someone could use my credit card number for fraud - which as mentioned above is covered and paid for by the credit card company. And I'd love to see a credit card company TRY to charge me the $50.00 at this point! :) As Ed does point out, changing the card# is a hassle, so I won't do that. So what would I do even if I DID know? Keep a close eye on my statements? I'm already doing that now. No, there would be no change in behaviour if Chase came to me and said "You're on the list, buddy". It might make them seem more warm and fuzzy, but it will change nothing. I still have the choice. Change the card # or not. And I'd choose not because I'M not at risk... They are. Which is why, I too, will NEVER, NEVER, NEVER use a debit card

[ Reply to This ]

Consumers are NOT the victims[ Parent | Reply to This ] (none / 0) (#11)
by tmahoney on Mon Jun 27, 2005 at 12:20:31 PM PDT

My name is Tom Mahoney. I am the founder and director of Merchant911.org We are a growing group of almost 3,000 on line merchants that have united to protect ourselves against credit card fraud. We have to because WE are the victims.

Someone said, " I still have the choice. Change the card # or not. And I'd choose not because I'M not at risk... They are."

I hate to tell you this, but with all due respect, you are dead wrong. The banks are NOT at risk - the on-line merchants against whom these stolen numbers are used are the victims. They'll be out the merchantdise, the shipping fee, the money they made, and they'll be charged a hefty chargeback fee on top of it. Yep - we're charged a fee for being victims of a crime.

Make no mistake, folks, more than just your account numbers were stolen. Your account number and other information you enter for an on-line transaction were all stolen: Name, address, account number, and the security code from the card. More than e