X

Banks scramble on debit card theft

Several large banks and credit unions are canceling cards because of a security breach--here's what you need to know.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
See full bio
Greg Sandoval
3 min read
Several large banks and credit unions have replaced about 200,000 debit cards in the wake of a security breach at an unidentified retail chain and Sam's Stores, owned by Wal-Mart Stores.

Multiple law enforcement and banking sources have told CNET News.com that unauthorized charges have shown up on the accounts of many OfficeMax customers, but the company has denied suffering any security breach.

Readers have asked about whether they're liable if they're victimized by hackers. Here's what we found.

Q: Can I ever be held responsible for unauthorized charges on my account?
Yes, you most certainly can be. Consumers must report fraudulent charges within 60 days after receiving their bank statement. The law makes allowances in certain situations, such as a trip abroad or an illness. Save receipts and review your statements often and carefully as soon as they arrive. The government also requires consumers to notify their banks within two business days after discovering an unauthorized charge in some way other than through a statement (if, for instance, they find out by accessing their account online, or if they know their card or PIN has been stolen).

Q: If I'm held liable, how much would I have to pay?
Actually, you can be held accountable even if you notify your bank within 60 days. The law allows you to be on the hook for a maximum of $50. If you fail to give notice within 60 days, you may be responsible for any theft that occurs between the end of the 60-day period and the time you notify the bank, as long as it doesn't exceed $500. The bank must prove that the charges wouldn't have occurred had it been notified.

The same process works for the two-day period. Consumers can be held accountable for unauthorized charges in the period that begins two days after they find out about the problem and before they notify the bank.

Q: Does every financial institution follow these rules?
No. Some banks may choose not to hold an account holder responsible for any unauthorized charges. For more information, see the federal regulations for electronic-fund transfers.

Q: Why would anyone steal my debit card number? Don't they need the PIN?
Crooks buy their own ATMs, some of which are available on eBay for less than $1,500. Others set them up around gas stations or retail outlets. They are used to steal debit card information including PINs. Thieves also rig card readers onto legitimate ATMs to grab data while training cameras on the ATM's keypad to learn PINs, a technique known as "skimming." Another way to pilfer PINs and debit card information is to buy them from unscrupulous retail store employees.

To protect yourself, cover the keypad as much as possible when punching in your PIN. Try to limit your use of iffy-looking standalone ATMs, and never use one that has funny wiring or cameras attached. Use common sense, says Gary Kishner, a spokesman for Washington Mutual. "If your gut tells you the place doesn't feel right, go to another ATM," he said.

Q: Is it safer to use my credit card rather than my debit card?
No. Both are safe, according to representatives from many financial institutions. The amount of fraud committed using a debit card is a tiny fraction compared with the overall number of times you use the card yourself or compared to other payment forms. "A criminal will always find a way to commit fraud," Kishner said. "It's up to the banks, customers and law enforcement to work together to stop the criminals."