Francis Porretto over there at Liberty’s Torch (I read them every day, don’t you?) asks a great question about the security of checks versus the security of credit cards. Since I do stories on information security, I thought it would make a good topic for a post here. Let me start by saying that I ran this by my wife, who actually teaches banking and finance, which was the topic of her Masters degree. She’s way smarter than I am on this topic. Here is our take:
Check Security
Those numbers that are on the bottom of your check are the routing and account numbers that tell the check processing companies (called the automated clearing house, or ACH) where to go in order to get paid. When a scammer has your bank account and routing numbers, they could set up bill payments for services you’re not using or transfer money out of your bank account. Getting those numbers is easy, because they are printed right there on your check, and most companies store that information on their computers, you know- the same computers that keep having data breaches. Scammers can create fake checks using your numbers and then use those fake checks to pay for purchases — or simply cash them. Know, too, that with technology scammers could digitally scan the check (called a “demand draft”) and deposit the amount into their bank account. Many banks now allow you to deposit a picture of a check. How and why does this happen?
It used to be that physical, paper checks had to be exchanged in order for banks to get paid. Shipping paper checks all over the country was costing them quite a bit of money, so they lobbied the government for a solution. Enter the Check Clearing for the 21st Century Act (Check 21 Act), which became effective on October 28, 2004. The Check 21 Act authorizes a new negotiable instrument called a “substitute check,” which is a reproduction of an original check, is the legal equivalent of an original check. In other words, all someone must do is have those numbers on the bottom of your check, and they now have access to your money. There is no way to password protect your account from this sort of scam, because Check 21 doesn’t mandate that the banks secure you from this sort of scam. Some banks will for PR reasons, but they mostly do not. It’s expensive to monitor fraud, and there is no real financial incentive for banks to do so with this sort of scam.
So a thief gets ahold of your checking and routing numbers, what next? The only defense is closing your bank account and getting another one. That’s a inconvenience, for sure. The bank may or may not be able to reverse the fraudulent transactions, but don’t count on it. Check 21 doesn’t say that they have to. While it doesn’t happen often, when scammers get those numbers, you frequently lose everything, and there is nothing that the bank can do. One charity I found fell victim to this and lost over $10,000.
Credit Card Security
Credit cards have a bit more legal protection. The law here is called the Fair Credit Billing Act, which requires creditors to give consumers 60 days to challenge certain disputed charges over $50 such as wrong amounts, inaccurate statements, undelivered or unacceptable goods, and transactions by unauthorized users. Also, the Act limits liability of consumers for transactions by unauthorized users to $50. Since this law forces banks to absorb losses for fraudulent charges over $50, banks have a financial incentive to monitor for fraud, and they do. In fact, if you report fraud, most banks don’t even worry about the $50.
Note that this law only applies to credit cards, not debit cards. Debit cards are treated the same as checks from the perspective of the law. I don’t EVER use my debit cards to pay for anything. I use them at bank owned ATMs only, and I keep my debit cards locked in the safe most of the time.
I myself have had my credit card numbers compromised on a few occasions. The last time was over two years ago, when someone was using my Barclay’s card to make unauthorized charges. The bank was telling me that the charges were legit because IMO, they didn’t want to eat the cost. The $845 that was stolen from me wasn’t worth the cost to hire a lawyer, but luckily the bank finally saw it my way and reversed the charges. I no longer use that card because Barclays was too difficult to deal with in the matter. I shouldn’t have to fight that hard to get a bank to follow the law.
Still, it was easier to switch credit cards than it would be to get a new checking account.
Conclusion
All forms of payment are vulnerable to electronic fraud, even though it’s relatively rare. You have more legal protections, and banks have a more robust fraud detection plan, when you use credit cards than when you use checks. Whenever possible, use credit cards to do business online. In fact, I have a couple of cashback cards that give me great benefits. One that I have gives me 5% cashback on all Amazon purchases, and another gives me 2% cashback on all purchases. I pay for everything with them, and pay them off at the end of each month. Stay disciplined and don’t spend more in a month than you can pay, and it’s a great way to give yourself a 2% raise and keep your money secure.
9 Comments
oldvet50 · September 5, 2023 at 2:18 pm
I used to pay some bills by credit card, but some companies have eliminated that ability (T-Mobile) due to the surcharge added by the credit card company. They want direct access to your checking account to pull the money out instead. I allow no one that ability since mistakes can be made and it may take weeks to get it straightened out – all the while I may have no money left in my account. So I pay by paper check mailed to that business. After reading your experience, I may switch over to the ‘Pay Bill’ feature offered by my bank, which is how most of my bills are paid.
D · September 5, 2023 at 2:24 pm
Good write-up. After going nearly 30 years without a card number being stolen, I had one get lifted through some online service that got breached.
After that, I made a few changes. I started carrying enough cash on hand to buy food or fuel should I be out and about…no more possibility to card skimmers…and for every online service, I started getting “virtual card numbers” issued. I signed up with privacy.com and linked it to my bank account. They let me issue virtual card numbers with a number of parameters….like “one time use” or “once per month” or “lifetime total” and then I can set an amount. For example, I could create a virtual card for Netflix and set the limit to $20/mo. If Netflix (or someone else) tried to spend more than $20/mo, it would decline the card and alert me. If I’m purchasing something online, I create a “one time” card for…say $150 and buy it. After they charge the card, it gets closed and can’t ever be used again.
Super handy service. I think it’s something like $8/mo. Additionally, it saved my bacon when the accountants transferred payroll from the wrong account. They basically left my main operating account with $50 instead of taking payroll out of the “payroll account”. The next day a bunch of regular business bills tried to charge (internet, phones, etc…)…and every single one of those charges would have dropped the main account below $0 and incurred a $30 overdraft fee….privacy.com noticed the balance before approving the transaction and automatically declined it. I got notified, checked things, yelled at the accountants, and got money shuffled around properly. Everyone retried billing the next day and everything went through. No $100s of dollars in overdraft fees.
Super handy service.
Skid Marx · September 5, 2023 at 2:54 pm
Finance is a construct of the white male patriarchy.
As part of the Great Reset Leap Forward Fundamental Transformation all comrades of the glorious New Civility unity hive collective will get the same UBI on CBDC plantation credits that can be revoked at any time.
Human Nature is also a construct of the white male patriarchy and everyone will be happy with the same amount and never try to get more, we’re all in this together, comrade.
Forward, si se puede, yes we can!
Zeek · September 5, 2023 at 6:25 pm
I pay cash for all in person purchases whenever possible. Private and untraceable, use it or lose it. Once cash is gone you can be locked out of the economy by the whim of the government or large corporations, as happened when the Canadian truckers dared to defy Adolf Trudeau. Also kiss privacy goodbye, your credit card company knows more about you than your mom and they sell that info.
Spiffy Dog · September 5, 2023 at 8:56 pm
As some credit card companies offer the option of a “temp fake” cc number, some banks do the same thing on ACH payments, my credit union does. They “pay” one day before the due date by extracting the funds from my account 24 hours early and sending the e-payment on the payment day I specified from a generic CU outpay account. Same for those recipients who cannot process an ACH payment and require a paper check, in both cases the CU requires a full recipient name, address, contact info and account number before they will process anything.
I backstop that for myself by having created a “non-checking checking account” (NCCA) that has no overdraft protection and no links to my savings, regular checking, or “input checking” accounts; I do have paper checks for that account but never use any. All e-payments are made from the NCCA, covered by funds I transfer into it from my regular checking account. If someone ever raids the NCCA all they’ll get is whatever funds are there to cover payments for the next 5-7 days, plus the $100 it takes to keep the account open and active.
My direct deposits come in the same way, to a dummy account – the “input checking acount” I mentioned above – that also has no other connections. I know the dates funds are due to arrive so the next day I manually transfer them out to the “storage account”, leaving, again, the $100 to maintain “open and active.” The storage account, again, has no connections or overdraft protection, and I leave only what funds are necessary to cover outbound payments until the next direct deposit arrives, plus the $100 “open and active” amount” in that account. I withdraw everything else as cash and bury it in a mayonnaise jar under the big rock in my backyard, if the jar is full the money goes into various investment accounts so it keeps generating income (my dogs sleep behind the big rock so I know the money in the jar is safe…).
Four times a year I have to mail paper checks for tax payments. I drive the three miles to the CU, fill out a form, e-transfer funds to the CU, and leave with a bank check from the CU that has my name on it but does not have any of my CU account numbers on it. It’s kind of a PITA, but I’ve got the time and I’d rather invest 20 minutes 4X/year than a large pile of hours or days fixing a problem. I’ve been doing it long enough that if I go to the same clerk it’s only about 5 minutes, and they have “free” coffee.
Routine purchases are done with cc or cash, I get the same cc cash-backs you do. I have several credit cards, use only one regularly. The others I keep in a “locked” condition, unlock each quarterly, use the card to buy something, re-lock, e-pay the total when the bill cycles. The moderately frequent use/pay in full/zero balance cycle helps the credit rating high. I seem to have the primary cc card hacked about every 18 months, always from online purchases. Each time I’ve tracked down the where and who, but neither the bank nor the local cops where the offender is located have any interest in pursuing it; seems like the San Francisco Disease is spreading everywhere.
There are two sides to an ATM/debit card – one handles ATM work, the other debit. Some issuers – very, very, very few, though – can modify your account to turn off the debit side so that any attempted debit transaction is automatically denied. My CU cannot/will not do that (no idea which), so I do not carry the ATM/debit card and opt instead to use the CC plus maintain sufficient cash on hand to avoid “mad ATM runs.” It seems dumb and stupid to cc a $3 amount, but it’s faster than paying a cashier with a $5 bill and they’re not giving me a discount for paying cash, so…
I have a “covers everything from soup to nuts” insurance policy with three payment options: pay in full annually with a discount; pay quarterly with a small fee; allow them to do an ACH-out extract monthly from an account with the same discount as the annual payment. I’m considering establishing a single isolated account with a completely different local CU for that purpose and transferring funds CU-to-CU monthly for payments. I need to see what expenses there might be on it at the other CU’s end before I decide, and figure the interest gain I’d get on funds retention, but I would never, ever, no-how allow auto-debit from any of my “home CU” accounts. One computer barf and it’s a multi-month catastrophe to correct.
I figure pretty soon we’ll be ditching dollars for bartering with cans of beans, bandoliers of 5.56X45 and Mardi Gras beads or something so none of this will matter for much longer.
nones · September 6, 2023 at 5:57 am
The only time I have ever used a debit card was when I was traveling in Italy. On 2 or 3 occasions I used an ATM. Even then before I left the states i drew down the balance on my checking account so that if someone hacked it there wasn’t a lot of $$ for them to steal. Also when we travel the wife and I each carry different credit cards so that if a wallet is lost or stolen we still have access to credit. My business checking account was compromised once, the perp even misspelled the name of the bank on their printed checks. They spent more than a grand and when I caught it my bank reversed the charges and closed the account. That was a PITA but I only lost some time over it. I had a Discover card hacked 3 times on a couple years, Discover was great to deal with, still had to change account numbers where I had recurring monthly charges. Une a credit card on as many purchases as possible, pay the bill in full even if it hurts.
Noway2 · September 6, 2023 at 7:27 am
Read your Barclay’s story. Infuriating how little protection there is from theft and fraud, but until the banks lose enough money, they won’t bear the costs to secure the system.
One option, don’t know if you considered it, might have been the option of small claims court through the long arm statute. Clearly Barclays was engaged in business in FL and you were harmed by fraudulent activity they failed to flag.
Here’s FL’s statute: https://www.sweeneylawpa.com/floridas-long-arm-statute/
Matthew W · September 6, 2023 at 8:18 am
21st century
Literally ZERO reason to use/have checks.
Writing a check is advertising your data.
Anony · September 8, 2023 at 10:33 pm
Soooo, from my viewpoint, there are four systems for moving money:ACH, checks, debit cards/credit cards, and wires.
ACH is an excellent system for having money removed from your account by whomever you are paying. (ACH is NOT where checks or their substitute images clear. Checks clear through the Federal Reserve check 21 program.) With ACH, you give out your account number and routing number to only people/companies you trust. Those companies can ONLY access this system through a bank or registered Originator. You can return ANY charge through ACH if it’s not authorized by you. Your bank is reimbursed for you, and credits your account. NO PROBLEM. Banks with high counts of returns (meaning they are enabling fraud to be initiated) can be penalized. It is in their best interest to only do business with valid companies initiating valid charges.
Checks are similar to ACH, and can be converted to ACH by some merchants. Yup, everything is out there: your name, address, account number, routing number, *and* your signature. Due to time-frames between when you notice a problem, and when the check cleared your account, you may not get your money back. Check fraud requires a bit of exposure for a criminal. (They usually are writing and passing the check to a merchant, although mobile deposit is making check fraud significantly easier) So checks are not terrific, but check fraud is fairly rare, as checks themselves are becoming fairly rare.
Debit cards are a huuuuge problem. Fraud must be reported in a fairly timely manner, and it is scary how people swipe that card and pay their account no attention. Skimmers can be anywhere, overlayed on POS machines like a tight skin. Some skimmers can even be inside machines (like gas pumps). You never know they’re there. Companies who store your card number are targets for thieves, too. By the time you notice an unauthorized charge, it’s a problem. Maybe not for you, but your local small town bank you’re using has to take it in the shorts on your behalf. Banks are hamstrung with a ton of liability for making you right and refunding your money. Maybe you don’t care about big banks, but this is killing small banks.
The thing is, it wouldn’t have to be. You have to show id to write a check, but not to swipe a card. Merchants could be held accountable for large amounts of fraud occuring at their registers, but they’re not, so why should they care?
Comments are closed.