Don’t bank on it, or the Case of the Deceitful Receipt
Don’t bank on it, or the Case of the Deceitful Receipt
Here’s a weird thing. On Wednesday afternoon, I withdrew some cash from an ATM at a branch of the big bank my account was flipped to during the Great Banking Shakedown of 2008. Earlier in the day, I had checked my balance online, so when the ATM receipt printed, I was shocked to see the new balance was half what I expected.
My first thought was that someone had hacked my account, but then I looked more closely at the receipt and saw that the last four digits of the card it was for weren’t the last four digits of my card. I went into the branch and showed the receipt and my card to an account manager. “Oh, we’re aware of that,” she said. “We’ve told them there’s a time lag in printing the receipts but they haven’t fixed it yet. Which ATM was it?”
When I described its location, she affirmed that was the errant machine. Then she logged into my account to show me that, in fact, the balance was exactly what I thought it was and that there were no fraudulent transactions. She gave me back my card, screwed up the receipt, and off I went.
Somewhat dumbfounded.
Firstly, at the blasé attitude. Secondly, that she didn’t apologize on behalf of the bank, and she didn’t suggest putting a lock or a fraud watch on my account, just to be on the safe side.
It wasn’t until the next day, when I was recounting the incident to workmates, that I realized I was also angry. Angry that the bank knew of the problem and hadn’t done the obvious immediately—taken the machine offline and put up an “out of order” message.
Angry at the thought that somebody, instead of me, might have been withdrawing what they thought was their last 20 bucks, and upon seeing a bigger balance than they expected surmised that their tax rebate had come through, and trotted off to spend up large on their debit card. Only to find their account dinged with overdraft penalty fees, and no way of proving they had used the card in good faith. Even if they had kept the receipt, what hope would they think they had of proving they hadn’t just picked the receipt up off the ground nearby?
Angry at the privacy issues. Let’s say two people were going out for a night on the town and lined up at the same ATM to make a withdrawal. Say the second person got the receipt for the first person’s transaction, and happened to know the last four digits of their account—then they’d know how much money their friend had in the bank.
OK, that’s a bit far-fetched. It you’re so palsy-walsy that you know the last four digits of your friend’s debit card, you probably know their bank balance anyway.
But while I’m being far-fetched, how about this: What if the reason they didn’t take the errant machine offline was that it wasn’t the only ATM in their banking network that was doing weird things? What if their system had been compromised to the point that an actual fraudulent transaction had indeed taken place—not on my account but on the account whose number appeared on the receipt?
The bank couldn’t put all of their ATMs “out of order” while they figured out the problem without bringing a large part of US commercial life to a halt, so they just left it to a case-by-case basis knowing that most people no longer ask for a paper receipt, and those that do probably don’t look at them too closely and rely on the bank to have gotten it right.
As serendipity would have it, two days later the news broke that millions of credit and debit cards might have been compromised. Initial news reports said the hackers had gained the information from parking buildings in New York (since NY is full of tourists, that might neatly explain how the fraud was happening all over the country). Then, as this later Reuters news story tells it, the breach had reportedly come about through a third-party card transaction processing company.
On a local news show, the station’s consumer reporter said that the breach concerned only credit cards. Credit card account holders, he said, are protected by a federal law that requires the c/c companies to take any supposedly fraudulent transaction off the account until it can be investigated and resolved. Debit cards, he said, are governed only by the rules set for themselves by the banks. It may be months, if at all, before money fraudulently taken from your account is reinstated.
But perhaps there is some good news for debit card holders.
Since March 1, the Consumer Financial Protection Bureau, has been taking complaints related to checking accounts, including the use of ATMs and debit cards. According to their press release at the time:
“The Bureau expects banks to respond to complaints within 15 days and seeks to close all complaints within 60 days. Consumers are given a tracking number after submitting a complaint. They are then able to log in to the CFPB website at any time and check the status of their case. Each complaint will be processed individually and consumers will have the option to dispute a bank’s resolution.”
Their website is http://www.consumerfinance.gov/
--PEACE—
rosalea.barker@gmail.com