Dear Bank of America: Stop Protecting Merchants Who Lose My Credit Card Data

Twice in the last week I have had Bank of American credit or debit cards that have had to be replaced due to (accord to BofA) data breaches at merchants.  I (and I assume most others) find these episodes annoying, not the least because I can expect a month or so of warnings and notices from merchants, hosting companies, cable companies, etc that my automatic payment did not go through and I need to immediately tell them my new card number.

So in each case I asked Bank of America to tell me which merchant lost my credit card data.  I don't think this is an unreasonable request -- if a merchant through some sort of data carelessness causes me a bunch of hassle, and endangers my financial privacy, I would like to know who it was so I can consider shifting my business to someone else.  But Bank of America will not tell me.  I think Target initiated a lot of reforms when they suffered through the public backlash from their data breach a while back -- while many merchants have their chip card readers turned off, you can bet they are not turned off at Target.

24 Comments

  1. Daublin:

    The problem is that many more companies lose your data and just don't realize it. Think of there being three tiers of merchants:

    1. Totally secure merchants who are extraordinarily careful with your credit card info.

    2. Merchants who are not so secure, but who do have sufficient network monitoring software that they can detect an unrecognized login.

    3. Merchants who just don't worry about security, and plan to just roll with events from day to day.

    I believe by far most merchants are in category 3. Furthermore, any decent society is going to have most merchants in category 3. To draw an analogy to physical security, is it really desirable for every store in the world to hire armed guards to protect their property? Something seems unhealthy about it.

    Anyway, whatever the ratios, the ones that BofA knows about are the ones in category 2. If they end up facing repurcussions for detecting the intrusions, then they'll have a strong incentive to stop monitoring, and thus move to category 3.

  2. Evan Sparks:

    I believe there are limitations from the card networks on what banks/issuers can say about the source of a breach. See, e.g., Visa rules here (https://usa.visa.com/dam/VCOM/download/about-visa/15-April-2015-Visa-Rules-Public.pdf). A data security alert that has been posted publicly (http://krebsonsecurity.com/wp-content/uploads/2013/01/DataSecurityAlert_ATM-CashOut_Jan2013_v1.pdf) includes a confidentiality notice, meaning that issuers would be forbidden to disclose details about it.

    There's also legal risk of making statements about companies, as you've experienced.

    It's annoying, and letting breached merchants avoid the public eye for their security lapses weakens market incentives, but I hope this explains why your bank does what it does.

  3. Matthew Slyfield:

    I bank with Chase. I've had my debit card replaced for similar breaches a couple of times. Both times the Chase fraud department proactively notified me of who suffered the data breaches (Target both times, which I why I no longer shop there).

    As to the chip readers. In my area, a majority of merchants haven't yet gotten around to activating them in the first place.

  4. Matthew Slyfield:

    Both of your links are broken. I get 404 errors on both.

    I bank with Chase. Every time my card has been replaced due to a data breach, the initial notice that my card was being replaced included the information on who suffered the data breach.

  5. Matthew Slyfield:

    Actually, for most merchants that have fraud issues, it's not outside data breaches, but insider theft of CC numbers by POS employees.

  6. Mr. Generic:

    If you have Bank of America, you can go to their web site and under Services for your credit card and have it generate a Shop Safe number. This is a unique credit card number that can be setup to expire up to 1 year later, and you get to set the total limit on spending for the card over it's lifetime. I use this all the time for online services and payments. It's kind of nice.

  7. Maximum Liberty:

    Here is something I would switch banks to get. The back-story is that I bank with BofA, and their fraud detection has been very effective, but that means I get a new card about once very six months. That, in turn, means that I have to keep a list of every merchant where I've given them permission to pay for things regularly with my credit card. That eats up a full day once every six months and I inevitably miss something.

    So here's what I want. I'm on BofA's banking portal. I want to be able to navigate to my credit card and ask for a one-merchant credit card number linked to my account. The site would generate a new, valid number, which I then give to the merchant. The first merchant to charge against it would be the only merchant that can charge against it; if any other merchant uses it, the system should reject it. ( So if Amazon gets hacked and they lose my credit card number, it's worthless.) Most important, this credit card number would NOT change whenever my main credit card does, and vice versa. That means I don't have to change my credit card number with Amazon every time some restaurant employee steals my credit card number.

    The banks have something you can use now, which generates a one-use credit card number. The idea is that you use it whenever you do something especially risky on the internet. But that's upside down, so seems useless to me. I can identify the transactions that are very low risk: Amazon, my cell phone provider, my utility bill, and so on. It's the other places that I can't evaluate: the restaurant I eat at, the online retailer I buy from, and so on. And I would be very unmotivated to go to my banking site to get a new credit card number every time I want to charge something. Getting about 30 or so for all the places that regularly charge me would be much easier, because it would mean I'd never have to do it again.

    Like I said, I would switch banks to get this.

  8. marque2:

    The chip readers don't really help in the USA much because we developed very sophisticated techniques to I'd ntify card stripes. Each one has a unique pattern of random noise on the strip that can be used to detect copies. What happened is that Europe merchants often were not online and this chip system allows them to authenticate cards without needing to be online but then some government dopes thought we should copy Europe because everything from the continent must be better.

    Now we have these butt slow readers which are not offering any extra protection.

  9. mesocyclone:

    The technique exists. I think it would not be hard to copy.

    Do you know that it is in practice or just that the technique is around and has been patented?

  10. mesocyclone:

    Every time that I have had to get a new number (about once a year), it has not been because an unidentified merchant was known to let it loose. It was either the card number was used by a fraudster at a merchant I am told about (and the date and amount), or an *identified* source had a security breach. This is with Chase Visa cards.

  11. Matthew Slyfield:

    "Now we have these butt slow readers which are not offering any extra protection."

    Probably true, but I am highly skeptical that they add any new vulnerability. These aren't RFID chip that can be read from a distance. These are exposed microchips that are dependent on physical contact between the chip itself and the reader.

  12. ErikTheRed:

    Depends. For smaller merchants, I would blame the point-of-sales system resellers. These companies generally get contracts to maintain the equipment and software, and they mostly do more or less the world's worst possible work securing them. Literally, you could take the worst GeekSquad rejects and have them do a better job. These merchants have no clue, and have no way of auditing what is done. Larger companies like Target and Home Depot do have in-house CIOs and IT departments and should know better.

  13. MB:

    > The chip readers don't really help in the USA much because we developed very sophisticated techniques to I'd ntify card stripes.
    MagnePrint? Nobody was using that, and it would've required new readers so the transition costs would've been just as high anyway. There were numerous news reports on card skimming over the last 10 years - did you really not notice an issue?

    > Each one has a unique pattern of random noise on the strip that can be used to detect copies.
    That is true - though, see above, it's largely irrelevant.

    > What happened is that Europe merchants often were not online and this chip system allows them to authenticate cards.
    EMV does offer more offline authentication (well, it'd be kind of hard to offer less), though you might be surprised at just how many USA merchants aren't connected full time as well and simply store the data for batch processing later. I don't know the relative rates of USA vs. Europe online vs. offline merchants, but I'm not convinced it has much to do with EMV adoption.

    > Some government dopes thought we should copy Europe because everything from the continent must be better.
    Visa pushed for EMV, MasterCard agreed. I don't know of any particular government involvement other than enforcing contracts shifting liability between issuers and merchants who don't make the transition.

    > Now we have these butt slow readers which are not offering any extra protection.
    There's a world of difference in cloning protection, if for no other reason than it's newer technology and harder/more expensive to source the needed equipment. There are (of course) hacks, but mag stripe technology was basically security through obscurity...and it wasn't that obscure.

    EMV doesn't offer much to prevent CC number theft (eg., used online) - but not really designed for that problem.

  14. Orion Henderson:

    Could it be one of two things: 1. It's some BOA subsidiary that's doing the losing and BOA doesn't want to let on. Or 2: The big merchants are too important to the banks-so they cover for them as much as possible. Target being a notable exception.

  15. Orion Henderson:

    Small merchants approach to PCI (merchant security standards) is to pay and pray. Even merchants who make every reasonable safeguard and are PCI compliant will be held liable for a breach. I am sure that many, maybe most, try their best to protect the card info. But the rules are so difficult to follow, and don't protect you anyway, disregarding even simple procedures will be tempting. Particularly to businesses that have a lot of one time customers-no relationship to burn.

  16. ErikTheRed:

    As a practical matter, it's probably impossible for them to determine *definitively* who lost your card, which creates a liability can of worms for them. Also, it's reasonably likely that a card would be exposed in multiple breaches. Most retailers are a hot mess when it comes to security - large retailers because vanishingly few people really care enough to change their spending habits (if Target or Home Depot lost your information, how much are you really willing to figure out who else has what, drive further, pay more, etc.?), and small retailers because they have no clue and can't afford one, and their POS (point of sale) providers have no clue and don't care because... pretty much all POS providers are POS (pieces of shit) when it comes to security and it's not a competitive differentiator.

  17. Rick C:

    In fact, in Dallas, Target was one of the first retailers to turn _on_ the chip card readers. Wal-Mart didn't do it for months, and grocery stores are just starting to do it now.

  18. Rick C:

    Have you personally verified that those limits are obeyed? I had a coworker once who told me his credit card offered a similar feature, with single-use cc numbers and spending caps, but he found out they weren't actually enforced, and when he called the bank, they confirmed that they're not really enforced. (This was ten years ago and he didn't tell me which bank, so things may be btter now.)

  19. Mr. Generic:

    I believe I hit the limit using it for Steam and iTunes. But that was a few years ago, so I'm not 100% sure. The ShopSafe page will show you the remaining balance on the card numbers, so it looks like they're keeping track of it.

  20. jdgalt:

    Start reading krebsonsecurity.com ; they report most compromised retail chains pretty quickly.

    You might also want to visit haveibeenpwned.com and set it to notify you of any future breaches posted there.

  21. jdgalt:

    Does category 1 even exist? I've never seen one.

  22. Russell:

    I just dropped BofA. They were too big to succeed for me!!! Credit unions are much more responsive to their customers/members needs. We should all send them a message. If the government won't slow them down, we can - one account at a time.

  23. jdgalt:

    It won't matter. The Fed is owned by the same people, and it will print whatever bills are needed to bail out BofA forever. The same for Chase, Citi, and the other biggest.

  24. Sophie:

    Sad that they are NOT BEING HELD ACCOUNTABLE for DAMAGE to CUSTOMERS' LIVES, SECURITY and livelihoods!!!

    Shame on the government for allowing criminals to roam free!!! There are traitors in our midst ... and they need be be contained, permanently!