My Debit Card Was Hacked

It’s accepted wisdom that credit cards are more secure than debit cards. A credit card purchase is a loan – you’re not out any money until you pay your monthly bill. Therefore, fraudulent charges (if caught) have no financial impact. But with debit card fraud, that money is already gone from your bank account. You have to argue with your bank to get it back. So my advice is to avoid debit cards and use credit cards. (I realize that not everyone can get a credit card, but there are other options to consider, which I’ll discuss below.)


So, how did I get hacked? I follow my own advice: I never use my debit card online. I barely use it at all. And yet, my debit card was still used to drain my checking account to zero (actually, below zero). Did someone steal my wallet? No. Did one of the retailers that had my debit card number get hacked? No. Did my card get cloned by a sneaky card skimming device? Nope. Near as I can tell, this required nothing on my part. I just had a bank account with a valid debit card attached.

Debit Card Brute Force Attack

So what happened? According to my credit union, somehow the bad guys were able to guess some actual debit card numbers based on knowing a valid range of card numbers. This is a “brute force” attack because they basically just kept guessing card numbers randomly (within the range) till something worked. And one of those numbers belonged to me.

Now, you may already be doing some math. Almost all credit cards have 16 digits, so you’d think there would be 10^16 possible card numbers – which is a LOT of possibilities. That’s enough for every living human on the planet (8 billion) to have over a million cards. Each.

However, you may have noticed that most cards begin with certain numbers. These correspond to the major players in the credit card industry: 3=AmEx, 4=Visa, 5=MasterCard and 6=Discover. But actually the first 6 digits represent the bank and not all of those values are used. And the last digit is actually a special checksum. While these factors greatly reduce the number of possible valid values, there are still nine digits to play with, or about a billion permutations. Maybe they had a way to narrow it down further. (Wanna know more about credit card numbers? Check this article.)
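To make the structure above concrete, here is an added example (not code from the post) that splits a 16-digit number into the parts just described and checks the final Luhn check digit; the first-digit network mapping is the post’s simplified one, and every number used is a constructed test value, not a real card.

```python
# Added example (not from the post): the structure of a 16-digit card number as
# described above, plus the Luhn check that the last digit must satisfy.
# All numbers used here are constructed test values, not real cards.

# The post's simplified first-digit mapping.
NETWORK_BY_FIRST_DIGIT = {"3": "AmEx", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit (the check digit); double every second digit,
    # subtracting 9 from any doubled value above 9, then require total % 10 == 0.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def describe_card(number: str) -> dict:
    """Split a 16-digit number into the parts the post names: issuer prefix,
    6-digit bank identifier, 9 free account digits, and the check digit."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) != 16:
        raise ValueError("expected 16 digits")
    return {
        "network": NETWORK_BY_FIRST_DIGIT.get(digits[0], "unknown"),
        "bank_prefix": digits[:6],
        "account_digits": digits[6:15],
        "check_digit": digits[15],
        "luhn_ok": luhn_valid(digits),
        # Only the 9 middle digits are free once the bank prefix is known and
        # the check digit is forced by Luhn: 10**9, the "about a billion" above.
        "free_combinations": 10 ** len(digits[6:15]),
    }
```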

Clever Attack Planning

So, somehow they guessed my debit card number (and those of many other people, apparently). But they were also really smart about how they used these numbers to maximize their chances of success:

  • First, they managed to avoid needing the 3-digit verification code. It appears that they used some sort of Google online payment system to make these charges – maybe it didn’t require the CVV/CVC code. But it’s probably also due to the amount charged (see next).
  • Second, they avoided triggering my transaction amount alerts by keeping the amount small: $2.99. I have alerts for charges over $200. So, why do I care about three bucks? Because they charged me that amount one hundred times in a matter of minutes.
  • Third, they did this at around 4am on a bank holiday. This meant that both my bank and I were “offline”.

To their credit, my bank sent me a text message asking about one of the fishy charges for $2.99, but I was asleep and didn’t get it for several hours – well after all 100 charges were made. And my bank was closed. Now, their third-party fraud support service was still open and I called them. But I still had to wait till the next business day to contest the charges and request a refund, giving the bad guys ample time to move that money around.

Mitigating Debit Card Fraud

I was lucky here. This happened to be a bank account with not much money in it (a couple hundred bucks) and an account that I rarely use. Again, with debit card or bank account fraud, your money is gone. You have to dispute the charges and wait for your bank to (hopefully) reimburse you while they investigate the alleged fraud. This can take 5-10 business days normally. However, in this case, due to the obvious and widespread fraud, my bank actually reimbursed my money by the end of the next day.

So, what do I recommend that you do to avoid this and similar scams?

Honestly, I’d get rid of any debit cards you have, if you can, and just use credit cards. If you need to use ATMs, most banks have the option to get an ATM card that is not also a debit card. If your credit is new or bad, you can get a secured credit card.

You should also set up account alerts with your bank to notify you of strange behavior, which you should be able to do online. You can usually set up spending limits on debit cards, too – either per transaction or per day or both. I would also make sure you disable overdraft protection. The overdraft fee is nothing compared to draining all the money out of the main account as well as the linked-to account.
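As an added example (not code from the post or from any bank), the snippet below replays the pattern described earlier against constructed sample transactions: a per-transaction alert at $200 never fires on one hundred $2.99 charges, while a per-card velocity rule or a daily spending cap of the kind suggested above does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the post): why a per-transaction threshold alert missed
# the fraud described above, and what a velocity rule or daily cap would catch.
# The transactions below are constructed sample data, not real bank records.
SAMPLE_TXNS = [
    {"card": "card-A", "ts": datetime(2024, 1, 1, 4, 0, 0) + timedelta(seconds=5 * i),
     "amount": 2.99, "merchant": "ONLINE-PAY"}
    for i in range(100)          # one hundred $2.99 charges in ~8 minutes at 4am
] + [
    {"card": "card-B", "ts": datetime(2024, 1, 1, 9, 30), "amount": 45.00, "merchant": "GROCERY"},
]


def per_transaction_alert(txns, threshold=200.0):
    """The alert the post had: fires only when a single charge exceeds the threshold."""
    return [t for t in txns if t["amount"] > threshold]


def velocity_alert(txns, window=timedelta(minutes=10), max_count=5, max_total=50.0):
    """Per-card sliding window: flag a card when more than max_count charges, or
    more than max_total dollars, land inside one window regardless of charge size."""
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        by_card[t["card"]].append(t)
    flagged = []
    for card, items in by_card.items():
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end]["ts"] - items[start]["ts"] > window:
                start += 1
            win = items[start:end + 1]
            if len(win) > max_count or sum(x["amount"] for x in win) > max_total:
                flagged.append(card)
                break
    return sorted(flagged)


def daily_cap_exceeded(txns, cap=250.0):
    """Per-card, per-day spending limit of the kind the post suggests setting."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t["card"], t["ts"].date())] += t["amount"]
    return sorted(card for (card, _day), total in totals.items() if total > cap)
```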

[UPDATE: Since I posted this, there was an article in Techspot about this, which points to a broader study by NordVPN.]

Wild Card: Privacy.com

There’s one other interesting option that I’m personally investigating: Privacy.com. This company allows you to set up virtual credit cards basically at will. You can assign them to specific merchants, meaning that no one else can charge to it. You can limit the amount that can be charged, including limiting it to a single (one-time) charge. This is a great way to avoid being bitten by subscriptions that you only intend to use for a limited time. (Note that some credit card companies have this feature, but it’s not as flexible.)

Under the covers, it acts like a debit card (without being one). That is, it pulls directly and immediately from your bank account. You can set up the account connection using an actual debit card, but we’re trying to avoid that here. I would use ACH transfers instead, which require a special account verification process.

Unfortunately, the default ACH verification process used here requires you to give them your bank login credentials. Sigh. It utilizes a popular intermediary company called Plaid. They explain why this is secure, but it still bothers me. I would change my password immediately after setting this up and then maybe delete info from Plaid (jump to 6:11). Or supposedly you can use the old-school ACH micro-deposits verification method, too, but you have to call support to do this.

I’m honestly not 100% sold on the privacy aspects, though any help here is welcome. For example, if you’re shipping something, you’re still going to have to give the vendor your name and address. Also, your bank will still see the charges and I believe they will come with all the usual metadata (vendor name, date, time, amount).

Note that Privacy.com makes their money from the credit card fees built into the whole credit card purchasing system. These processing fees are usually 2-3% of the total amount (which is how Visa and MasterCard make their money, too). For “power users”, Privacy.com has a subscription option which gets you some other perks like 1% cash back.