Debit Card Disasters

Last week I shopped at Wegmans. My bill was over $300 and I paid with my debit card. My debit card was rejected. So I wrote a check on the same account since I knew there was money in it. But I thought about that on the way home and decided I’d better look at my account online.

It was a good thing I did, because someone had cleaned it out! There was over $1,300 in transactions originating in Miami, Florida. There was nothing left to cover the check that I had just written at Wegmans and a couple other checks that I had mailed the day before.

I called my bank. They cancelled my debit card. I went to the bank and met with a banker to fill out paperwork for the transactions that were not mine. That money would be returned to my account in 5 business days. I moved money from another account to cover the checks I’d written in the meantime.

No harm, no foul, right? That scenario has played out hundreds of times over the last few months in our region. Much of it has been due to the security breach at Aldi stores. Some victims had no money until the bank refunded the stolen amount. It’s a major inconvenience at the very least. I had no debit card for about a week and I’m accustomed to using it for everything. I need to think about that too.

At the bank they told me my case looked exactly like other cases where the security breach at Aldi caused the problem. I never shop at Aldi so I’m not sure where my problem started. Fraudsters got my debit card number and the pin number. How did they do that?

On October 1, 2010 discount grocer Aldi, Inc. disclosed a data security breach that compromised debit card data across 11 states from June 1 to August 31, 2010. This type of theft is usually localized because the thief must physically access each payment terminal. The geographic breadth of this case suggests a very organized network of criminals. Rogue pin pads were retrofitted so that payment card data could be captured wirelessly from inside the store or from the parking lot.

Aldi, Inc. is a large recent case but plenty of other retailers have had a data security breach. Is it ever safe to use your debit card? It’s probably never completely safe, but there are ways to minimize your risk.

1. Experts say gas stations are the most likely to have rogue pin pads. If you use your debit card at a gas station, use it as a credit card. Never use your pin when pumping gas.
2. Street-side ATMs are also high risk. They’re very accessible to fraudsters for the installation of fake equipment. If an ATM machine keeps your debit card report it to your bank immediately. Your card may be in the hands of thieves if the equipment was altered.
3. Restaurants, hotels and other businesses where an employee takes your card and walks away with it so that you can’t see if they copy the information for themselves are also risky.
4. Whenever you have the choice of using the card as debit or credit, choose credit. Very small cameras are sometimes installed to capture it when the consumer enters the PIN number. When you do enter your PIN cover the pad with your other hand.
5. Check your bank account regularly. Don’t keep significant amounts of cash in any account with a debit card. Don’t tie such accounts to large savings accounts for overdraft. Both accounts could be drained.
6. Never, ever keep your PIN number written down and especially not in the same place as the card. Never give out your PIN number.
7. Monitor your credit report.

Generally you aren’t liable for fraud unless you were careless. You must report stolen or lost cards within a reasonable amount of time. Report any suspicious activity in your account immediately.

I use my card at Wegmans all the time. A Wegmans spokesperson told me, "We have software, network and other security measures in place that greatly minimize the risk of a data security breach at Wegmans. These information security systems are monitored throughout all of our stores 24/7."

Just to be safe I’m going to start using my debit card as credit. There’s no such thing as completely safe but I’ll feel a little better.

Gina Bliss, CPA, CFE, is a senior manager at EFP Rotenberg, LLP, Certified Public Accountants and Business Consultants, who specializes in internal audit, fraud audit, and forensic accounting. She may be reached at (585)295-0536 or by e-mail at gblissefprotenberg [dot] com