Financial Security/responsibility is getting wayyy too complex for the layperson:
* Find a decent bank with 2FA. None of the big banks are decent, they have minimum balances, piles of fees. Credit unions are good, but you want one that isn't too local, which can limit you to credit unions specific to military/veterans/families
* Have multiple checking accounts. Only one of these checking accounts has a debit card attached, or exposed account number anywhere. Never ever hold a balance in this account. Keep the balance in the other account.
* Never use that debit card for anything but the ATM and bank teller authentication. In fact, don't even carry it with you, in case you lose your wallet or somebody tries to take it. Not every bank makes it easy to turn debit card off.
* Only use ACH for rent and loan payments. Never hold a balance in the account used for this. Many rent companies and loan providers are not properly securing that number. Your account number can't easily be changed.
* Keep the bank you use a secret from everybody including friends and family. Only the few payees and your payroll provider need to know.
* For sending money to friends if everybody has iPhones, Apple's Cash functionality is good enough.
* Get a respectable credit card with zero fraud liability. Use it for everything. Have a backup at home. Now your bank is insulated from the outside world. If somebody tries to take your wallet, just give it to them. It's easier to get a card reissued and transactions overturned in that scenario than it is to get drivers licence replaced.
* Don't move outside the country or do a USPS address change to a PO Box. Banks have been known to just shut people's accounts down and mail the balance as a check in these scenarios. Patriot act something something.
This is banking in USA. It was designed for a trust-based society 70 years ago that's still mostly trustful but needs to consider the culture has changed a bit. If the Fed would require member banks implement secure 2FA and the option to disable external ACH from accounts upon request, we wouldn't need to do all this.
But the problem is really downgrade attacks. There are multiple payment systems (bank wire, check, credit card ) and if there is one insecure way to make payments, then the whole system is broken.
Limited support hours, lack of access when out of town, having to depend on ATM networks which can change (I guess these also apply to local banks too and not just credit unions)
What do you mean by "ATM networks which can change?" I've never found it difficult to find a credit union that participates in shared branching with a public ATM (this basically means free ATM withdrawals in most cities in the US.)
I don't know what parent meant, but my credit union a while back decided they no longer wanted to participate in whatever shared branch network they used to be part of, so the branch availability near me went to effectively zero.
The US has five or six different ATM networks, and many banks are part of more than one of them, but a small credit union may be only part of one, and they may change which one that is.
Depending on how they have it setup, it may mean that the ATM near you suddenly no longer works for you for free and you have to switch up with another one.
There are limitations, it's not always just like your home credit union. One of the reasons one might go to a bank branch when we have ATMs and online banking is to get a cashier's check, which can't be done through co-op. My online credit union can FedEx them overnight so it's not too bad, but I switched away from a local credit union when I moved because they weren't able to do services like that except at a branch.
In my experience accessing my account after moving has been a huge issue with conventional banks; I've never had a problem with my credit union accounts.
Yeah, I should have been clear - accessing it at a local branch. Not that many people need to do that anymore; in fact it's so easy to do everything online you may forget to update addresses, etc. And with no paper statements, you might not even notice until one day your bank decides it needs to mail you something important.
No, I can access my remote credit union account through most credit unions through shared branching. It's more convenient than banks which have less cooperation.
Years ago, a largish bank (boa) had given me a pre-printed visa debit card for a new account I'd opened. They had a small stack of them, ready to activate against new accounts. Better than "we'll mail it to you in a week".
Yeah, I was surprised on this one because it was a machine that just printed the front on a blank card - the name wasn't embossed, but otherwise it was a normal card.
Still using it, it's how they do cards now; they never sent an "embossed" one.
Right. The point is that credit unions come in a variety of different qualities. Some are good. Some are crap. "Always use a local credit union instead of a bank" is not always good advice.
One advantage to smaller banks is the personal relationship when you need them. It's a trade-off for features. I've found significant value in having a small local bank where it's a bit harder to do anything digitally. They also may catch strange transactions. During Covid, having a relationship with a bank also meant it was easier to get assistance when other banks were putting you on hold or not responding.
They often won't process foreign transaction and either can't or won't sell you foreign currency (like Canadian dollars if you are planning a trip to Winnipeg).
It can be a problem when you are out of town and need banking services. My credit union is in CA but after my move to New Mexico I had to open an account at Chase just to get a special signature notarizing that only banks can do.
> Find a decent bank with 2FA. None of the big banks are decent, they have minimum balances, piles of fees.
Can you clarify this. Are big banks not secure enough or are they not decent because of the minimum balance and "piles of fees"? I would rather pay something for security.
TD Canada Trust didn't let me use more than 8 alphanumeric characters in my password until about 2015. The only let you use call or SMS for 2FA to this day.
They are charging $16.95/mo for a chequing account right now.
I believe Scotia/Tangerine are still 6-digits only for passwords. Really. And I have yet to see any Canadian financial institution (whether bank, brokerage, credit union, etc) that supports anything else than SMS for 2FA.
Hard 8 character limits are often a side-effect of old COBOL "databases" in the backend somewhere.
Hard 16 character limits are sometimes a side-effect of old versions of Active Directory in the backend somewhere or new versions of Active Directory in certain backward compatibility operation modes/certain group policies.
Hard character limits in general are often a sign that someone is storing the plaintext somewhere they shouldn't be.
(Soft character limits today are mostly to avoid possible hash function DDoS.)
The 14 character password limit in some versions of Windows is a side effect of using LM and NTLM (original "flavor", not NTLMv2) hashes used in Windows NT domains and maintaining compatibility therewith. It's not related to Active Directory, per se.
Nobody should be using LM or NTLM hashes anymore today, for all that that means... >sigh<
Impossible to _never_ hold a balance, since every employer wants to do direct deposit... your only hope is that you can get your money out of there before some scammer gets it. The chances of that happening are low, but not zero.
i have one bank account to receive my salary, one (or more) to make regular payments and one for day to day expenses. the latter has just enough balance to cover my average spending and gets refilled as needed.
> if everybody has iPhones, Apple's Cash functionality is good
and google pay? this may surprise you but in my immediate family only 1 (out of 6) has an iphone. we basically use zelle to transfer cash around. I personally will not use paypal or venmo, but I do use google pay.
Venmo doesn't offer 2fa with an authenticator app. Only text message 2fa. Leaves you open to sim swap attacks, which are common and the carriers are doing nothing to prevent.
PayPal has a long shiny history of screwing people over and Venmo is now not only owned by PayPal but the app is hot garbage and gets worse with every update (probably due to the aforementioned ownership).
I use PayPal, not as heavily as I have in the past, but I have been scammed by about a dozen sellers, and in all cases, PayPal refunded my money. I've never heard of PayPal screwing over customers, only that it being owned by eBay is annoying because eBay gets two sets of fees on payments for sellers.
I don't care enough to find the biggest stories over the last 15+ years but here are two articles from January 2022 referencing a class action lawsuit over freezing of funds without explanation:
PayPal is known for keeping your money at length or indefinitely with no explanation or recourse.
Venmo is a mindbogglingly stupid thing that requires you to take active steps just to keep it from broadcasting your financial activity to the world, and last I checked there was no way to keep your "friend list" from being public at all.
On top of that there was a period where they disabled transfer functionality on their website altogether and the only way you could send money was through their proprietary mobile app. Seems they eventually reversed course on this, but I have no idea how long it took.
Not sure what your issue is with PayPal (philosophical objection to it seems to be popular), but at least PayPal will refund your money if you are scammed. Zelle will not and never has, and I suspect that is why banks won't cover Zelle scams. I personally consider Zelle itself a scam, and it boggles the mind why so many banks have partnerships with it. Automatic Zelle accounts when opening a bank account? Oh my God that is an astoundingly bad idea.
Zell3 itself does not store any money. It's just an interface, a glue between accounts by supporting banks.
Instead of asking the user their bank account number, routing number; you simply ask their zelle email or phone number (either of which can be with any bank, no info leaked). You send money.
Zelle ask for phone or email of other party, then it shows their registered name in Bold. If one still confirms to send, its on them.
Zelle options like check options, imagine if people said Oh my God auto check honor system??
Don't forget about preemptive security freezes at credit bureaus, which you have to do for each one individually. /r/personalfinance recommends 7 by default [0], but there are many more [1].
When I did it, all it meant was anyone offering a line of credit to me if I'm not present right in front of them is supposed to call me to verify I want it. It's not even really any inconvenience to have "frozen" credit.
Why the everloving fuck that's not the default, but something you have to request, I have no idea.
> Credit unions are good, but you want one that isn't too local, which can limit you to credit unions specific to military/veterans/families
Having seen a bit of the inside: Local credit unions are generally pure trash at security. Hell, a local one had an internal meltdown from the HR person looking up prior employee's personal account to harass them with a LIST OF THEIR PERSONAL PURCHASES. (WTAF)
> * Never use that debit card for anything but the ATM and bank teller authentication. In fact, don't even carry it with you, in case you lose your wallet or somebody tries to take it. Not every bank makes it easy to turn debit card off.
I take this one a step farther and don't even have a debit card, just an atm/cash card. It cannot be used to make purchases anywhere, only to get cash from an ATM. Any and all purchases I make are either cash, or with a credit card.
Some banks may look at you weird when you request such a card, or act like they don't do them (anymore), but my credit unions have accommodated me.
> I take this one a step farther and don't even have a debit card, just an atm/cash card
I did this too, unfortunately I went through multiple banks as they rolled out debit cards for all accounts and stopped offering ATM cards, until now I unfortunately have a debit card. It seems this isn't really an option anymore.
The fewer entities that have it, the better. Banks probably aren’t giving it out freely. Any ACH charge attempted against it will deduct balance, and fraud liability repayments (if the bank agrees to help) will take as long as the bank takes to recover funds
>fraud liability repayments (if the bank agrees to help) will take as long as the bank takes to recover funds
What's your source on that? As far as I know, Regulation E generally requires banks to make good on errors in electronic fund transfers (including ACH transfers for which the customer is not liable) within 10 days of being notified. That can be in the form of a provisional credit while an investigation is ongoing, though.
Is regulation E new (in the past decade)? I had a fraud related issue on Simple.com about 10 years back where Kroger decided to keep erratically billing my debit card up until it hit $1000 (I went in and spent probably $20 and their payments system seemed to just go haywire) and I asked their support for help. It took a month to get money back. That was my final straw with debit cards.
No; it's originally from the late 70s - I don't know exactly when the various provisions relating to error handling got introduced, to be honest; it's possible it was somewhat different back then.
> * Never use that debit card for anything but the ATM and bank teller authentication. In fact, don't even carry it with you, in case you lose your wallet or somebody tries to take it. Not every bank makes it easy to turn debit card off.
Some businesses only accept debit cards (like WinCo [0]). :-/ I guess you can just not do business with them.
> * For sending money to friends if everybody has iPhones, Apple's Cash functionality is good enough.
I wish... but how do you transfer money internationally? I don't think Apple Cash is adopted abroad yet.
> I wish... but how do you transfer money internationally?
Wise.com. I lived abroad for a bit and relied entirely on Wise (well, they were called transferwise then). Could send money abroad faster than I could send funds to anybody in USA.
Of course, any international financial service is very KYC heavy and can suspend access to you/lock your funds at any time so always have a backup plan ready as wire transfers are really scary (foreign banks don't want to release funds? no recourse for you!)
The article and headline are somewhat in disagreement. Or at least, the headline is an over simplification. From the article, most rejected fraud claims are for cases where the victim was deceived (social engineering) into sending a Zelle transfer to a fraudster, rather than in cases of account takeover. In fact, the majority of the article is about Zelle, rather than takeovers.
Banks should obviously do their best to prevent and revert fraudulent behavior, but there are points past which they can't do anything without just refunding out of the goodness of their (perhaps cold and small) hearts.
If I convince you to withdraw thousands of dollars in cash and then skip town with it, do we expect the bank to make you whole?
I think the issue is that without regulations forcing banks to serve customers better, they will simply abandon all responsibility completely because it's cheaper for them. And since we see that with Zelle, banks will collude to all hose customers in the same way, the free market is not a solution.
It would be trivial for banks to give customers better fraud protection tools and enable better recovery, but they clearly don't care.
* For one, since you can't have a bank account anonymously the receiving bank knows exactly who stole the money. They should at least be able to refer them for criminal investigation.
* Two, since they own the machinery of transferring the money, yes they can easily reverse fraudulent transactions -- the bank doesn't have to take a loss since the fraudster has to have an account with them. They know who to take it back from.
* The fraudster withdrew the money and ran? ACH transfers have always taken up to 15 days to "clear" -- banks wouldn't let you withdraw money you just deposited exactly for this reason, to verify that the sending bank actually has the funds and there are no issues. Why can't Zelle let the sender specify a "hold" period so there is time to dispute the transfer and the funds can be recovered?
Basically is seems to me that a modern digital payment systems must have a kind of escrow service built in. IMHO this is what we need the law to require banks to do. In combination there needs to be a payment dispute resolution system which would probably take the form of a kind of arbitration system not unlike the role small claims court plays. This is something the banks should lobby the government to provide since doing it themselves would clearly get complicated and expensive.
Deep down you have the dichotomy between "instant payment" and "refundable payment".
If I'm selling you a car, I don't want a Zelle transfer for the money that I know you could claim was fraud and claw back from me - then I'm out the money AND the car; I'll demand cash in that case.
Right, which is why you can't do this without impartial arbitration.
Essentially each transaction that is "refundable" is an implied contract between parties and it should be verifiable. Such as in the case of a car sale it is pretty easy for a third party to check if the car was received.
Or somehow have a notary to witness and verify the transaction.
This is the basic problem is that you can't have instant transfers with fraud prevention. It's impossible to claim that banks don't understand this and IMHO it should be considered criminal negligence that they pushed this product on consumers knowing that it just exposes them to easy fraud.
Incorrect. You only deserved one, not both. You don't get the money AND the car. It's either your car and someone else's money, or someone else's car and your money.
Exactly – we can't expect banks to pay when their customers get themselves scammed.
I think the solution is escrow. I am biased, because I work for an escrow company, but I've never seen a more effective approach. Hold the money until the buyer has what they paid for, and only then release the money to the seller. (To be fair, escrow does tend to be more expensive than simple money transfer, so it's not all upside.)
Yeah, and we do escrow for large value things (houses). Other than that, since it's not well known, people don't bother with it for smaller things. Would you trust me if I told you I was the "escrow account" manager, heh?
Chase at least is popping up a bold social engineering warning whenever you’re attempting to send a Zelle payment to a new contact, or the underlying account has changed for an existing contact.
There are table stakes (security and financial controls, prudent IAM and MFA, etc), and then there are folks who will fail even with the most robust guardrails attempting to protect them.
The "Zelle transfer" examples seem to be a US equivalent of Push Fraud, which was big in the UK. In the UK's Push Fraud there's no third party (Zelle) involved, victims are persuaded they should send money from their account to an account controlled by the bad guys, using Faster Payments, which just moves money (up to £1M) from one UK bank account to another UK bank account, in theory within one business day in practice typically instantly.
Push Fraud was significantly hampered (~solved?) by requiring that the recipient name field, rather than just being for your own note of who you sent money to (so e.g. "Jenny birthday" or "Fucking Landlord") must closely match the recipient's account name, which as a result of Know Your Customer checks should be a legal name of some sort.
There's a back-and-forth mechanism, so it was at first (presumably got better with practice) harder to pay companies with hard to spell or weirdly punctuated names, but hey, better I can't send money to "Pat Smith" (nope, his name is Matthew and that's Smythe not Smith) than that my £800 000 for a house goes to a crook who sent me an email pretending to be from my lawyers.
Because Faster Payments was a legal requirement, operated by a regulated entity that's ultimately paid for by the banks, it was presumably easier to write a law saying how it needs to be secured, whereas Zelle is a third party unrelated to the banks.
Do you think? What I see is that it's a useful way to move money and, as expected, crooks wanted to use it to steal money.
It's more remarkable when we invent things that move money and don't get used for crime.
For example the UK's Direct Debit turns out to be almost useless for crime, because it can be unwound, so, if you use it to steal money you run into two closely related problems:
1. When the victim realises they just undo the transaction, and get their money back
2. Because the bank doesn't want to be on the hook for that, their capital requirements to allow Direct Debit are eye watering. Out of reach of ordinary crooks.
Because it's intended only to pay large outfits who are owed money, this just isn't a problem. It's as though you woke up one day and discovered the customer didn't pay last month's bill - even though in reality they did pay but then unwound it.
The vast majority of your customers are legitimate, so there's usually going to be a reason why they unwound the payment. You can of course pursue them for payment as you would have if they were overdue on 30-day terms or whatever, but you definitely want to try to figure out why the unwind happened before you kick that off or you may waste a lot of money on a fruitless process.
Lets take a real example where I had my bank unwind bill payments. Water utility keeps billing me for more water than I'm using. I read my meter, I see I used 2.5 cubic metres of water, they bill me for 8 cubic meters, and the meter number they've listed is wrong. So I call, they send an engineer, the engineer looks at the meters, tries some things, declares that yeah, whoever installed these meters fucked up. No worries, we'll fix it, your next bill will be correct. But the next bill is wrong too. Call utility, engineer comes out, same diagnosis, same lack of consequences. Rinse, repeat. OK, I see the pattern, unwind payments.
Now obviously the water utility's lawyers threatened to take me to court for non-payment - I didn't pay them any money for the water they've incorrectly billed me for. But they won't actually go to court because lawyers don't want to get disciplinary hearings for their employer's incompetence. They still have personal responsibility (the employer can pay for their liability insurance but it is personal liability, "But my company ..." doesn't work on judges) for these proceedings. So a human lawyer will take five minutes to look at the paperwork, see the company fucked up and not file.
But you can't just have customers who don't pay you indefinitely, these are for-profit companies, so a few months later I get a phone call. They can't fix their records apparently, it's just such a tangled mess, so, new plan, delete my customer account, make a new customer account with a zero balance, attach the correct meter to the account, get a fresh reading and start from there. Is that OK by me? Yes it is.
I think in the end this meant instead of paying for water I didn't use, I saved about six months on water I did use, which seems fair.
Zelle is essentially the same as Faster Payments here; the legal structure of it being a third party seems more or less irrelevant. I don’t think regulating it will be a problem for the CFPB or other US regulators.
It seems that many people don't really understand the process that is happening. Push or bank transfers are kinda like putting money in envelope and sending it to other person. You better be sure that address, name and amount are right...
And still many people have also gotten scammed to send money in envelope...
Yeah, its not like the bank gave access to your account to the wrong person and now they're not paying you back. You did something with stuff you legitimately own and control and now you regret it. That's a big difference to me.
A lot of people (and small businesses) share their Zelle accounts and different name shows up when sending money. Whenever I am sending a big amount via Zelle, I send $1 first. Then check with recipient to verify.
> When U.S. consumers have their online bank accounts hijacked and plundered by hackers, U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule.
I always knew that some of the pro arguments for centralized systems were suspect, but it's good to have some evidence for it now.
Now I wonder how many other cases that are touted as arguments for centralized systems don't hold up to any scrutiny.
The banks aren't going to make you whole when withdraw a thousand bucks from the ATM and send it to someone. These denied refunds follow the same principle. There are warnings all over every zelle implementation I've used saying that using zelle is like using cash, don't send it to someone you don't know, etc. But people still do it anyways.
Btw crypto is worse on this in every way and there is no system that actually solves this problem. I wonder if it is even possible to solve.
Is Zelle really like using cash? It seems closer to an electronic transfer than withdrawing dollar bills. With cash they have no way to know what I'm doing with the money but with a transfer, they know a little bit more and so they have more responsibilities (IMHO).
It is the intentional decision of zelle to be like using cash in terms of rollback guarantees. This is so that payees can accept it like cash. There's no way to balance the scales -- the payment system that can be rolled back has its own issues.
We have other payment systems like credit cards which work that way. The inevitable consequences are that permissions to receive payments are tightly locked down, and the network charges fees to help cover the cost of fraudulent transactions.
That decision is as exactly as legally binding as the signs on trucks disavowing liability for falling debris.
Banks might be trying to pretend Zelle isn't covered by Regulation E, but I haven't heard any good argument for why it doesn't apply, other than arguments similar to yours that they simply don't want it to.
People are welcome to challenge the banks in court. It will be no skin off my back if they win. But I guess the banks have good reason that believe that they can defend their practices successfully. If not it will be the end of Venmo, cash app, and zelle -- or at least the free transfer features of those apps.
The "good reason" is that it's an extension of how banks have always treated fraudulent debits until you show knowledge of the Reg E dispute process, so it makes it outside of first-level customer support.
And it won't be the end of free electronic transfers, it'll just mean acknowledging that those transfers aren't any more final than writing a check.
Banks are not arguing that Zelle isn't covered by Regulation E.
Regulation E talks about liability for "unauthorized transactions". Those are transfers "from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer".
If you initiated the transfer but were misled into doing so or provided the wrong payment information or whatever, it's still an authorized transaction from Regulation E's perspective; so you are still liable for it. The only exception is if you were induced by force to initiate the transfer.
For large transactions this is somewhat solved by escrow companies.
In the end it all has to come down to trust. If all transactions were easy to reverse, we would see the opposite problem: scammers who pay people money and the. demand it back, claiming fraud.
Yep. Happens in the credit card world all the time. Porn is a good example of a business that has a lot of trouble functioning due to fraudulent chargebacks.
That is in fact the real reason some credit card companies won't let you pay for porn. Amex was preventing it for years before it was a PR/wokeness issue.
The scenario is, someone pays for porn, their spouse sees it on the bill and gets really angry, and the other person says it wasn't me, it must have been fraud! So they file a chargeback.
In a technical sense you're correct; in both cases the transactions are effectively irreversible. That said, I think there is an important difference:
Everyone (well, kinda) knows that a crypto transaction is irreversible; that's basically the point. Because of this, it is expected and normal to layer on extra systems to cope with the risk of not having an authority to dispute stuff to. Consider darknet markets: they use escrow and reputation systems to protect both parties.
But everyone (well, kinda, in the same sense as the above) also knows traditional financial institutions are "safe" and that transactions are reversible. That false sense of security means other security/resolution methods aren't considered, so when the centralized authority has a bad day the end user is out of luck.
But isn't an escrow system just another centralized authority? Sure, but at least I can choose what escrow system I want to interact with. The banking cartel behind Zelle doesn't afford me the same degree of choice, and using small credit unions isn't a panacea either because they farm out everything complicated to one or another of the payment cartels. Quality of escrow system is an important discriminator when choosing a DNM; I wish I could assess various traditional financial institutions' likeliness to rip me off as effectively.
If centralized financial institutions want to act like crypto in terms of irreversibility, fine, but I think the scale of the problem described in TFA indicates that some "are you suuuuuuuuuuuuure you want to send money to Joe Blow" popups in the app aren't enough to overcome that aegis of "this is a safe institution" floating around in the public consciousness. I see it as more a problem of false advertising than anything else, really. Copy from the landing page of their site:
> Zelle® works between U.S.-based banks. Which means, even if you bank somewhere different than your friends and family do,1 you can still use Zelle® to safely send and receive money straight from your banking app.
> safely
Obviously it's not a legal doc or anything, but I'd argue the service is both explicitly and implicitly casting itself as akin to a bank-provided service like a credit card, not something as wild west as cash.
Even if the bank is not offering recourse, there is at least a mechanism for recourse. Decentralized banking just has no recourse at all, so it really just seems strictly worse here.
I would argue that a system claiming to have recourse that doesn't actually work (taking this article for its word), is slightly worse than a system without recourse that explicitly states there is not recourse. People will be much more reckless and thus likely to be victims of fraud if they are told fraud is reversible.
Having crypto w/ absolutely no recourse has allowed me to save money on buying silver vs say a credit card and faster clearing than wire or ACH. Recourse means the seller has to bear a risk you may find a way to yank the money back, and at least with precious metals "yuh pay extra for dat."
As a seller, or a buyer dealing with someone I trust, recourse is a serious hazard I want to avoid. For this reason I demand cash or crypto when selling items.
This only seems like it started in 2021. Up until then, those arguments were sound. It's worth reconsideration if this is now the trend, but can you really defend the position that you thought those arguments were suspect because you knew banks were going to stop fraud corrections? While simultaneously preferring systems that never had it at all?
I doubt that it only started in 2021, unless you have evidence for it.
>but can you really defend the position that you thought those arguments were suspect because you knew banks were going to stop fraud corrections?
I knew those arguments were suspect, because the very same thing that makes such an intervention possible is the very same thing that makes it unreliable: a central authority, that first and foremost acts in its own best interest and is prone to corruption, abuse of power and what have you.
> While simultaneously preferring systems that never had it at all?
You can still build such a system on top of a decentralized system and put your trust in random 3rd parties, if for whatever reason that happens to float your boat.
For any of the types of people who are against taxes and regulation, that type of policy results in a world where outcomes of disputes are able to be dictated solely on the basis of who has more power or resources.
I'd rather live in a world where banks are solely responsible for fraudulent withdrawals than one where banks can shirk responsibility to their patrons. That is only possible through regulation.
That's why it's important to vote for people who aren't afraid to create regulations, and that's why it's important to question people who claim that "the free market will eventually result in reasonable outcomes."
I imagine it's been said before but I recently had the thought that murder being illegal is a regulation of the market.
The point being that even the most staunch proponent of "free markets" is probably going to draw the line somewhere that defines a "not completely free market" which opens the door to questioning where the line should be drawn. I think that's always been the case but then you'll encounter arguments that something should not be regulated because the market should be free.
Killing someone is not illegal; it's just illegal for folks like you an I. There's a whole school of thought that asserts that The State holds a Monopoly on Violence [0] (which includes killing). It's been discussed here on HN periodically. [1]. But you're totally right: it's a sort of regulation of the market.
(Note: 'Murder' is killing someone WITHOUT legal justification. With legal justification, killing someone is not murder, by definition. By definition, something that is illegal is illegal).
It turns out that the organizations with a local monopoly on killing have managed to leverage their market position to gain a foothold in the regulation of basically every other market. We might call this anticompetitive, but looking at places where the market for killing-services is highly competitive, having a single entity responsible for this is probably in consumer interest.
Yes. I agree. I grew up in a household that was extremely "Free Market is the Best Market; Regulation is for commies and baddies". It's taken me a long time to heal from that. I still prefer as much free market as is reasonable, but my sense for what is and is not reasonable has shifted a ton. I'm now a big advocate for sensible regulation. (Most is sensible in intent, but sometimes non-SME write huge swaths and it gets botched). These days, my biggest complaint about regulation is that the right people (SMEs) aren't consulted as much as they should be.
Here's the thing about fraud, though: It's next to impossible to prove.
There is NO visible difference between "I sent my new friend thousands of dollars because she's trying to start a new business and I'm investing...but now the business has gone under and I regret investing so I'm just going to tell the bank it was unauthorized," and, "I just sent my new friend thousands of dollars because she's trying to start a business and I'm investing...but now I've realized she was really a liar and there was no business."
Proving account takeover (ATO) is easier. There's some new IP (unless you gave someone remote access to your own device), new mouse behavior (yes this is a thing some institutions track), whatever.
But when you're the one who signed into your own bank account and sent your own money, you have every right to do that, even if you're sending it somewhere stupid that you later regret.
It's not up to the bank to protect you from your own stupidity. They just hold the money for you that you want to keep. Telling you that you can't send it somewhere you explicitly want to send it because they don't think it's a good idea isn't their job.
That's what they're calling "fraud" or "scams" here, and there's no reason your bank should be on the hook because you did something dumb with your own money.
Exactly, as systems get more secure, indirect/third-party fraud decreases and direct fraud becomes caught more.
How many people "chargeback" porn that they actually paid for because they got "caught"? As systems get better and better at preventing fraud, those chargebacks become harder and harder to believe.
What types of entities are in a position to be most able to prevent fraud?
What kinds of interventions can mitigate fraud?
> That's what they're calling "fraud" or "scams" here, and there's no reason your bank should be on the hook because you did something dumb with your own money.
On this point we disagree. My viewpoint is one of "what entity has the most ability to do something about the problem". Yours is one of individual responsibility.
I would prefer the bank do something to protect my vulnerable grandma from doing something wrong to one where her mental decline and therefore her inability to comprehend her impending mistake is her responsibility.
How do you propose your bank tell the two situations apart that I mentioned?
Your bank should not be considered the owner of your money. If you want to send your money somewhere, you should be able to do so because it belongs to you.
If you later regret that decision, for any reason, you should certainly be able to request your money back from whomever received it, but why should the bank be the one to pay you back?
> It's not up to the bank to protect you from your own stupidity.
It is their legal obligation to reverse illegitimate transfers. Explicitly for ACH, and there's no good reason they should be exempt from this obligation just because the transfer was via Zelle instead of ACH. Which includes a mistaken recipient or amount, even without any fraud.
>I'd rather live in a world where banks are solely responsible for fraudulent withdrawals than one where banks can shirk responsibility to their patrons. That is only possible through regulation.
I'd rather live in a world in which effective security measures prevent fraud than a world in which there are weak security measures and endless debates as to who should be blamed when they fail. Regardless of your political stance, I think we can agree that the system is more technicially-broken than it is socially-broken.
I think understanding the problem in solely in terms of more/less regulation is a bone-headed thing to do.
I think what we have isn't a free market but a duopoly of mastercard/visa each with control over their respective domain. You can't upgrade the security, privacy, or efficiency of the network because the big players benefit from the insecurity, surveilance, and inefficiency.
Decreased regulation will probably increase their stranglehold on the industry, as you've noted. Increased regulation will cement current ineffective practices and make different buisness models impossible.
People turn to cryptocurrency, not because it's more private/secure/etc but because it is the most private/secure/etc system that works without the permission of the big rent-seekers.
> I'd rather live in a world in which effective security measures prevent fraud than a world in which there are weak security measures and endless debates as to who should be blamed when they fail. Regardless of your political stance, I think we can agree that the system is more technicially-broken than it is socially-broken.
But this is a problem of responsibility. Customer responsibility is an O(people) security problem. Bank responsibility is an O(banks) problem. In terms of alignment to fraud mitigation, bank responsibility leads to better technical security because they become the implementers of it to protect their own interests.
From an outcome based perspective banks must be accountable.
> I think understanding the problem in solely in terms of more/less regulation is a bone-headed thing to do.
I don't have a more/less regulation perspective. I have a correct/incorrect regulation perspective.
> People turn to cryptocurrency, not because it's more private/secure/etc but because it is the most private/secure/etc system that works without the permission of the big rent-seekers.
But it isn't. It might be more secure because the average crypto holder is more savvy, but in terms of security properties, I wouldn't let my mom have a crypto wallet, and without a direct wallet, I don't see how crypto has different properties than a bank (an entity making transactions on your behalf), the interface is the same, but the implementation details are different. No?
I'd say that crypto personally held in a hardware wallet is less secure against the sort of frauds described in the article, where the victim personally authorizes a transaction, because there's nobody you can even ask for a refund.
But hardware-secured crypto is much more secure against unauthorized access (e.g. a SIM swap without the user's involvement). After getting familiar with crypto, it boggles my mind that we handle so many payments by giving full credentials to the payee and just trusting them not to abuse it or be careless with it. Public keys have been around since the 1970s. Why don't we give retailers a digital signature authorizing a specific transaction? Why are we still using insecure 2FA and user-supplied passwords for bank website access?
Ideally, we'd put secure elements and social recovery wallets in all our phones, and use them for everything. It's what we need for crypto, but we could use the same tech as access control for banking systems.
>But it isn't. It might be more secure because the average crypto holder is more savvy, but in terms of security properties, I wouldn't let my mom have a crypto wallet, and without a direct wallet, I don't see how crypto has different properties than a bank (an entity making transactions on your behalf), the interface is the same, but the implementation details are different. No?
It's true to some extent that crypto users are more savvy than most, but I think cryptocurrency also has obviously superior security properties to the conventional banking system, technically speaking. In the conventional banking system, there are no "savvy" users because everyone is equally insecure no matter what. In the conventional banking systems it's all based on trust. Trust that the bank obeys the law, trust that law enforcement is not corrupt, etc. The security mechanisms of cryptocurrency are at most a superset of what you can do with the conventional banking systems. If you want to have a third party supervising transactions, you use 2-of-3 multisig for example (https://en.bitcoinwiki.org/wiki/Multisignature). If don't trust your family member to authorize payments without you, you use 2-of-2 multisig. If you don't trust yourself to not lose your keys, you back them up. If you want to limit your risk, you keep a small amount of cryptocurrency in a "hot" wallet.
Secondly, I don't think that the idea of a keypair is beyond the understanding of an average person. They effectively already know how to manage secrets in the current system: passwords, bank routing numbers, etc. It's just that the keypair is superior to these systems of authentication which often require you to reveal the secret itself to authenticate (credit card number), do not have enough entropy (4-digit-pin), are open source (E.g. security questions like "what's your mother's maiden name?"), or rely on other centralized systems (SMS-based 2FA). Even if you implemented some sort of "custodial keypair" that allowed you to transparently sign transactions without revealing your secret, that would be a major improvement over the current system which is based on (typically bad) secrets.
In many ways, the conventional banking system is more complicated than cryptocurrency, because the failures of cryptocurrencies are "solid" and well-defined (e.g. 51% attacks, MITM attacks, etc.) while the failures of the conventional banking system are "soft and fuzzy". For example, I was reading about a scam the other day wherein the attacker sends the victim a fake check, and asks them to cash out the money- this scam works because banks generally accept checks before validating them, allowing you to spend money that hasn't been validated yet and then charging you later. You might think this is obvious as a boomer, but as a zoomer who has never cashed a check before, this is not obvious at all.
And I'm not necessarily saying that cryptocurrency is the end-all-be-all of payment systems. There are superior systems like chaumian cash (https://taler.net/en/) but they require the permission of the existing banking system (which generally profits off providing services that surveil users and """fix""" the existing insecurity), so they haven't taken off.
I get the impression that regulation will never fix this because the nuances at hand will go over the head of any lawmaker who has merely accepted the insecurity of the status quo. I think that even if you get some libertarian or pro-cryptocurrency person in office which doesn't accept the current system, I highly doubt that they would make the right decision needed- it's more likely that any pro-cryptocurrency candidate is just going act in a way that ben...
I am pretty crypto naive. My understanding is that a wallet is effectively a `private key => balance` and you can use the private key to sign transactions which are sent to a block chain where they are executed. So when I said "direct wallet" I meant the private key.
My understanding is that many of the people who own crypto do so through a third party, so there is a layer of indirection. It's the difference between me having cash in hand (money in my pocket I can directly use) and me having cash in the bank (I tell my bank to send money to someone else and they execute the transaction on my behalf).
My mom has downloaded ransomeware before, so from that perspective, I think crypto has worse security properties. If transactions are executed indirectly, the security properties are theoretically the same as executing transactions through a bank and you are back in a system of trust. Furthermore if a "cryptobank" gets hacked, that money is not retrievable, while theoretically in a system of pure fiat, the money might not be retrievable, but the value could be refunded at the cost of devaluing the currency as a whole.
As far as behind the scenes implementation details go, a cryptographicly signed ledger with immutable history makes sense, but I also generally trust banks, much less so investment banks, and significantly less so the stock market.
>My understanding is that many of the people who own crypto do so through a third party, so there is a layer of indirection. It's the difference between me having cash in hand (money in my pocket I can directly use) and me having cash in the bank (I tell my bank to send money to someone else and they execute the transaction on my behalf).
This is quite true, and it is likely the largest problem facing cryptocurrency today is this custodial use of it (besides all of the get-rich-quick schemes). But at its worst like this, cryptocurrency is a non-proprietary inter-bank payment method that prevents double-spending between banks. It is still superior to something like zelle, paypal, or SWIFT so long as the fees are lower. If cryptocurrency was the primary means of inter-bank transfer, then it would be trivial for anyone to start a new bank that could inter-network with the rest of the banking system, so I expect banks would be a lot more competitive (including on matters of privacy and security).
>My mom has downloaded ransomeware before, so from that perspective, I think crypto has worse security properties. If transactions are executed indirectly, the security properties are theoretically the same as executing transactions through a bank and you are back in a system of trust. Furthermore if a "cryptobank" gets hacked, that money is not retrievable, while theoretically in a system of pure fiat, the money might not be retrievable, but
Hmm. yes this is sort of a complicated subject. But I'll just re-iterate a point here which I may not have made as clear earlier: that cryptocurrency allows you to establish different levels of trust/risk through the means by which you manage your keys. A lot of older cryptocurrency users who don't practice good opsec will use a hardware token to sign transactions. Another example of what you could do is use a multi-signature system that would make it so that multiple keys are needed to move your funds (for example, they would have to hack at least X of Y devices in order to move funds), or simply have multiple wallets and limit the amount that you have in each one.
And secondly, there are non-cryptocurrency ways of implementing different levels of trust/risk that you could integrate into the existing banking system, like chaumian cash or even just using cryptographic keypairs to authenticate transactions.
In other words, losses of cryptocurrency due to theft or fraud are not always all-or-nothing. The difference between cryptocurrency and the conventional banking system is that you can decide your level of trust/risk you want to take before you do a transaction, which includes the use of a "cryptobank" (which could be secure but have historically been very scammy compared to conventional banks, see Mt Gox, Celcius, etc.).
>the value could be refunded at the cost of devaluing the currency as a whole.
I am not sure that it's a desirable property that the rest of society can bail out banks like you're describing. I think in an ideal situation you would have some sort of free-market-ish sort of way to balance the risk vs reward of different security practices, whether that's users voting with their dollar or with a middleman like rating agencies or insurance. And those incentives basically require the bank and its customers to lose money when they get robbed (maybe through some middleman like insurance).
If you look at serious cryptocurrency exchanges like Kraken or Binance, there is a massive gap between "cryptobank gets hacked and loses some of their funds" and "cryptobank gets hacked and loses everything". They keep a lot of their funds on separate, air-gapped, offline systems, with the keys distributed between multiple people. Those aren't funds that you can steal with a normal cyber-attack: it would take pretty persistent social engineering akin to widespread corruption.
> I think what we have isn't a free market but a duopoly of mastercard/visa each with control over their respective domain. You can't upgrade the security, privacy, or efficiency of the network because the big players benefit from the insecurity, surveilance, and inefficiency.
What does that have to do with the article? Neither MasterCard nor Visa is involved with Zelle, are they? The article says it's controlled by a group of banks. Presumably they've set up a new system, so they could make it as secure as they'd like.
It's just another proprietary network with its own gatekeepers. I don't see what the fundamental change is here over something like SWIFT.
It may only be temporarily competitive as it tries to penetrate the market. Once it reaches a sufficient enough market share, they will be able to hike up fees and disregard users like the systems that came before it.
> For any of the types of people who are against taxes and regulation
Please don't introduce this kind of barely-related, politically biased, emotionally-charged, tribalistic tangent into HN. Virtually nobody here (either in this thread, or on HN in general) is arguing that taxes should be abolished or that financial stuff should be deregulated. You're just invoking tribalism where there was none previously.
Regulations aren’t some magic want that don’t come with side effects, though. IMO, they tend to not address the root problems and only add layers of abstraction.
One of the best examples of this is how Sweden irrevocably killed their financial markets by trying to just squeeze out a bit more tax revenue and limit speculation. The cost of that mistake has to be in the billions and IMO, we’ll see the end of Sweden as a nation before we see it “recover” its markets.
Man I hate this. I'm terrified of Zelle (and, even worse, Venmo). There's no reason at all to use these things - except that everybody around me insists on using them. My kids Venmo with their friends all the time. My wife and her friends Venmo constantly. More and more services won't even take a check, they'll only take Zelle or Venmo. And every time I use these fragile services I'm opening myself to having my entire bank account wiped out with little recourse. (And, of course, the people I owe money to like the lienholder on my car and my mortgage broker will sure as hell still expect their money).
How do I lock down my "real" account? For instance, I want to disable the ability for anybody to pull money, and I must manually push into a billing account which only maintains limited funds.
I briefly looked into this at one point and as best as I could tell, Chase would only let you disable ACH on business accounts.
You should know that your entire account can be wiped out with the information that's on one of your checks. It's time to leave that archaic technology in the past like the rest of the world.
Huh? As long as you don't participate in a scam and use basic security, what are you worried about?
I have no idea what you mean about the services being fragile or how your "entire bank account" would be wiped out.
This article is talking almost entirely about scams. Presumably you're smart enough not to send your whole bank account's contents to a random person who calls you.
And if you're not, well, it doesn't really matter if you're being scammed via Zelle/Venmo, or via paper check, or via wire transfer, or via ACH.
> it doesn't really matter if you're being scammed via Zelle/Venmo, or via paper check, or via wire transfer, or via ACH.
It does, though. If scammers scam via paper check, wire transfer or ACH, the full force of the government comes down on them and they actually get put in jail if they get caught. If they scam via Zelle or Venmo, too bad, so sad.
The article basically disagrees with your concerns. You’re fine unless you yourself make a payment using Zelle to someone else. Which is no different than you mailing a check to a fraudster. Not sure why the bank should protect you from yourself to that degree.
My sympathies. I am fortunate in that my wife and I are in agreement that we want to stay far away from Venmo, Zelle and similar services. Our kids deal in cash or nothing. As for services: cash, check, CC or GTFO.
I also (so far) have been unwilling to trust Plaid. Plain old crappy wire or ACH transfers for me, thanks.
Yes. We really let creditors hoodwink us when we let them invent the idea of "identity theft" instead of what it is: "You trusted some fraudster's claim they were who they said they were."
One puts the onus on the defrauded company to fix their house; the other puts it on a third-party with no involvement in the transaction to... Make it harder? For strangers to lie and tell other strangers they are the person with the "stolen identity?"
We could have drastically changed the landscape on this if the first time a company came after someone whose identity was stolen for money not paid the government had responded with not only a "no" but a fine for using the law to harass a stranger.
>We really let creditors hoodwink us when we let them invent the idea of "identity theft" instead of what it is: "You trusted some fraudster's claim they were who they said they were."
This pissed me off so much. Victim blaming and they get away with it.
To be fair, from the creditor's perspective it is often unclear whether the transaction was really illegitimate. Fraud in which the consumer falsely claims they were the victim of identity theft is a real phenomenon, in the same way that there is real insurance fraud where consumers falsely claim to be victims of physical theft.
That is because creditor's have every incentive to make sure they only barely perform identity verification. It's not at all uncommon to find out about people who discover someone else took out a loan in their name, but is actually making payments on it. It happens when someone is wanted for criminal investigations, an illegal immigrant, or just has crap credit.
Crappy identity verification basically widens their customer base.
As someone who works in a consumer loan-related field, I know from experience that this is not correct. With very few exceptions, creditors do not have incentives to barely perform identity verification. Even if 90% of identity thieves paid back their loans, the losses on the remaining 10% would swamp any profits -- and of course far fewer than 90% of identity thieves pay back their loans. Industry losses due to incorrect identity verification are in the tens of billions annually. There are many vendors that financial institutions pay big bucks to in order to improve their ability to correctly perform identity verification. However, like everything else, there are tradeoffs involved, and it is rarely if ever optimal to try to push identity fraud to nil.
I guess I should have specified "loan originators". You're right, creditors don't have any incentive to do this. But that salesman at the used car dealership doesn't really have anything to lose.
Banking access is not actually very particularly secure. The only thing that keeps banking practically secure is the banks reversing fraud when it's discovered and the government sending fraudsters to jail.
If the banks don't hold up their end of the bargain, the system begins to collapse because they certainly aren't technologically secure enough to guarantee security of customers' money, which is one of the primary functions of a bank.
That's the story of society in general. You can easily walk into many (most) people's houses between 10a-3pm weekdays and just take their shit. I'm sure one could make 6 figures doing that. Of course most of us don't because we don't want to harm others, and because of the consequences.
You really just have to make it enough of a hassle for thieves that they pick the next easier thing to do. Not create Ft. Knox.
I suspect it’s hard to actually consistently make 500$/day breaking into peoples homes. Most used things aren’t worth much and would be difficult to sell in bulk at anything close to what they cost.
I bet it's easy to make $500/day briefly, and hard to sustain it. Catalytic converters have the benefit of not requiring you to break into someone's house where risk of being caught or harmed is way higher.
> I suspect it’s hard to actually consistently make 500$/day breaking into peoples homes
IMO the cheapening of technology has made a difference with this. When my (then not yet) ex-wife was burglarized, Just her laptop and a camera gave the criminal 900$ at a pawn shop [0].
[0] - which BTW, fun thing about this, if your insurance covers 'replacement cost' you are better off not finding your items at a pawn shop. Most state laws are written such that as long as the pawn shop collects fingerprints/ID, the person who was stolen from can get their items back, but must pay the pawn shop back what they paid the thief for it. Insurance will happily pay that instead but still take your deductible out. (It worked out OK for me, the wedding ring was among the stolen items, never got pawned and that covered the deductible and then some... eventually helped pay for the lawyer lol)
You need to develop a market for things of course. There are plenty of things worth $500/day in everyone's house. Figure out where things sell and for how much. 50 keys toys for $10 each are easy to sell in most cities. The days of taking a 19 inch color TV are long gone (most of your are not old enough to remember when a 19 inch color TV was a big deal, but back then there was a market for them used), but there is plenty of other opportunities.
This needs to be a full time job to make the $500/day though. Some houses are as you say now worth the bother, but others have things that can be sold. The key is you need to know what you can sell and for how much before you take it.
As the other poster said, the hard part is not getting caught. The easy places to sell these things (pawn shops, scrap yards) tend to ask for id - and the ones that accept a fake id will only take so much before they have to recognize you.
Sure, I suspect you could clear 3k from picking the right house and taking a week to sell stuff. But what about the 50th hours?
Without someone to take the risk and a sizable cut your best bet might be a few fake ID’s and a multi city spree of pawn shops. Though if you have access to high quality fake ID’s banks are probably a much better option.
Prima facie it is wrong because it's victim blaming.
But using weak and/or compromised passwords is a bad idea in exactly the same way that it's a bad idea to leave your front door unlocked.
Legally, we do assign fault for negligence. If absentmindedly leave your kitchen tap open with the drain stopped and then go on vacation, your flood insurance is probably not going to pay for repairs, even if you didn't deserve to have your house destroyed.
From a policy perspective, I think the most appropriate thing would be a middle ground. It is good for everyone's peace of mind to be sure that your entire bank balance won't vanish without recourse, but if you leave your banking "front door" unlocked, the bank covers 90% of the actual unrecoverable loss, but you're on the hook for the other 10%. That eliminates perverse incentives to use weak passwords without being cruel to victims.
> But using weak and/or compromised passwords is a bad idea in exactly the same way that it's a bad idea to leave your front door unlocked.
I'd argue it's not quite the same... using weak passwords is more like using a lock that can be 'raked'; your security is just lax.
Re-using passwords is like using the same key for your front door, back door, garage, car... If someone finds it and makes a copy of it, they have full access.
Compromised passwords, it's when you know a key is lost or stolen and you don't re-key.
> From a policy perspective, I think the most appropriate thing would be a middle ground. It is good for everyone's peace of mind to be sure that your entire bank balance won't vanish without recourse, but if you leave your banking "front door" unlocked, the bank covers 90% of the actual unrecoverable loss, but you're on the hook for the other 10%. That eliminates perverse incentives to use weak passwords without being cruel to victims.
Both of my main financial institutions have 'pretty dang good' security measures on one level or another. One, has forced password changes at 6 month intervals (not as good as 90 days, but better than many!) The other does not have forced password changes but I know their internal security is... pretty crazy. Losing your badge 3 times is enough to get you fired, and any contractors who do work must be under a very specific specification of video surveillance while working with their clients.
> One, has forced password changes at 6 month intervals (not as good as 90 days, but better than many!)
Forcing password changes reduces overall security, especially for infrequently accessed services. It only normalizes the reset workflow, and enables easier social engineering.
The NIST standard (800-53?) was updated to reflect this reality, and it no longer requires periodic password rotation.
> Legally, we do assign fault for negligence. If absentmindedly leave your kitchen tap open with the drain stopped and then go on vacation, your flood insurance is probably not going to pay for repairs, even if you didn't deserve to have your house destroyed.
This is not generally true. Insurers are forbidden to pay out claims for intentional bad acts, or fraud, but ordinary negligence is usually covered:
> The good thing is your homeowner's policy usually covers you and your family's negligent behavior no matter where it happens.
It becomes a question of negligence / due diligence.
If a bank has zero physical security measures and leaves the money out in the open, that is negligent.
But, even if a bank has all the state of the art, "best practices" physical security measures, they can still be robbed. No bank is going to stop a nation-state army attacking them, for example.
I think the same is true of cyber security. Nothing will ever be 100% secure. The question is whether the company has followed reasonable best practices and due diligence. Everything else is up to the government to maintain law and order.
> companies that cannot keep data safe shouldn't be storing my data in the first place.
If you're expecting absolute safety, either physically or electronically, there is nowhere in the universe you could deposit your money. Otherwise, the FDIC already has regulations in place to make sure banks are reasonably secure.
Most banks are borderline negligent in cyber security. Using 2fa via text is less secure in many ways than using a regular old password.
At least it’s my fault if I compromised my bank password. A Sim swap attack can’t really be protected against
Ever been to a bad neighborhood? Notice all the stores have iron bars on the windows?
Sure it isn't your fault if your house gets broken in, but you should still lock your door. The more risk you are of your house being broken in the more precaution you should take.
Right now odds are very high that someone will attempt some form of cyber crime against you. As such you should be taking precautions to prevent it. It won't be your fault if it happens, but it will still ruin you day, and may cost you a lot anyway.
On the old 'net, people had to take personal responsibility for their own data-house because neither law nor enforcement had caught up yet to the notion of having a system intruded upon. Remember, we had to pass laws to make "unauthorized access" illegal in the same sense trespassing is; before that, it was just "some signals a stranger beeps at your machine could cause it to malfunction or to send signals back they could interpret as your bank account number. If you don't want that, harden your system against malfunction."
Nowadays, society has caught up but some people with an old-guard mindset still see someone get their stuff stolen and go "Well, should have locked your doors; only way to guarantee your stuff is safe."
These people aren't being hacked though. They're being scammed. They chose to give their money and mfa codes to a stranger who promised them nothing in exchange, and ended up regretting it. It makes things more of a grey area because banks should do what what we tell them to do with our money, and it's really not their job to take a paternalistic stance and judge if your authorized financial choices are stupid or not. How do you draw the line? What if someone wants to buy penny stocks? Should the bank reimburse them?
Also there is an element of friendly fraud. You say you were scammed in fact when you were justing laundering the money through your friend. The bank pays you back for “fraud” and now you have doubled your money.
“Our research suggests that friendly fraud will represent 61% of all chargebacks by 2023.”
Definitely, my experience and opinion doesn't boil down to all HN, but here is my take. A lot of hacks, the reports after suggest they were ignoring industry best practices that were relatively easy to implement and cheap. Here, I would point the blame. But for sure, if the hack was routed in some crazy new route to exploit software, you just can't protect against, so I wouldnt be so quick to assign blame. But I think another key different is, infrastructure is owned by companies who have engineers and IT whose job it is to run it securely. I think the proper equivalent for the home analogy is, you have an alarm system that was turned on, but didn't alarm when someone broke in. But then we would place the fault on ADT or Simplisafe or whoever.
I recently hired a contractor to do landscaping. We’re talking multiple trees to take down, redoing multiple flower beds, mulch, rock and some sod. I was quoted at ~9k$. I paid half (4500$) via Square using my platinum credit card issued by my CU.
I took a picture of his business license, insurance, and I ended up getting pics of trucks when I took before pictures.
The crew came and worked one day. Maybe completed 30% of the work. For the next two weeks my calls and texts were dodged/unanswered/sent directly to voicemail.
Finally I had enough. I called the police, did a police report. Called the CU explained what happened and was sent an email on how to open a fraud report. I submitted all the before pictures and the “after 30% of work” pictures. I sent the police report, and social media posts of people who claimed to have their money stolen by the same person / company.
3 weeks later I get an email that my claim was denied due to “lack of information.” I spent a total of 31 hours on the phone attempting to get someone to tell me what information I needed to send them or what information they found lacking. I got absolutely no where. No answers. No one from fraud department. No one cared at all. Just denied.
So I went the other route, filed a claim in small claims court. I provided the judge everything I sent to the credit union. Judgement was in my favor. Now he owes me the $4500. How do I collect? I probably will never see the money. I can’t legally garnish any wages. So I’m out 4500. I couldn’t really do anything else to protect myself more.
Navy Federal Credit Union. I’ve been a member since 1991. 30 years with a credit union. I am a military veteran. Hundreds of thousands of dollars worth of transactions have passed through my account. I’ve had multiple home, auto and personal loans.
>So I went the other route, filed a claim in small claims court. I provided the judge everything I sent to the credit union. Judgement was in my favor. Now he owes me the $4500. How do I collect? I can’t legally garnish any wages.
Where I live, after 30 days of the debtor failing to pay the judgment, you'd make an appointment with the sheriff, bring a check for $35 and they'd attempt to enforce it for you; including garnishing wages, seizing property (real or personal) etc etc.
I'm not surprised you didn't get far with police reports and fraud filings: breach of contract is not necessarily fraud.
A similar thing happened to me where a contractor bait and switched me. Put down a 50% deposit and he said it was non refundable. I wrote it off thinking I’d never get it back. I got extremely lucky though in that a detective in a nearby city emailed me and said this contractor had ripped off a lot of people and he was investigating. A few weeks later, they refunded my deposit.
It seems like once the police got involved, they were willing to play ball. Somehow, you’ve got to find the contractor and get the police on your side. You’ve got his business addresses and even insurances, maybe the insurance company is your way in?
> The police just look at my slip of paper from the glovebox.
They already know if you have insurance typically. Their in-car computers can typically reference insurance accounts (or at least in my technologically backwards state they can).
Are you in the USA? I just did some googling on this as I was unaware of laws regarding the garnishment of wages. I have subordinates that have wages garnished for Child Support every paycheck. At least in my state, you can most certainly garnish wages/property for a judgement in your favor. It will probably take a bit more time, but I would stick it out to get my money back. If the contractor has nice Stihl saws, I would remand some $$$ to get one of them from him. Possibly even the truck as the contractor has probably depreciated the asset for tax reasons.
How far off of 50% of the work was the work they performed? Could it have been a simple case of they did about half the work for the pay you gave?
Maybe that'd be how I'd square it with myself. (But still probably never working with people who ghost again.) You paid 50% and got less than 50% of the work done, but work was still done - somewhere between 25% and 50% it sounds like.
It'd also help the personal re-framing if the next people I hired quoted less for the remaining work and it was done in a day. Granted, this is work with plants and things which change/increase in entropy by the day.
The possible life lesson here is to not let perception or preconception sour an otherwise sort of alright outcome. And sometimes outright re-framing a sour situation can diminish the sting. (Along the lines of "breakups hurt, but enjoy the good times and memories for what they were.") There's also not letting sunk costs steer decisions towards still worse outcomes.
1 tons of river rock, 1800 sqft of mulch, and 2 pallets of sod were never delivered or installed/spread. 2 of the 5 trees were completely cut down and cut into pieces but not removed. Stumps were not ground down on the two trees that were taken down. Some of the branches were removed from the other trees and just left there. As soon as it hit 5pm the team gathered their tools and left. I was on the hook for clean up.
How big were the trees? But yeah just trying to pass along a mental trick that helps me sometimes accept painful outcomes. It’s not great though clearly.
I'm not sure what state you're in, but when something similar happened to a friend I found that Connecticut has a Home Improvement Guaranty Fund (https://portal.ct.gov/DCP/Common-Elements/Consumer-Facts-and...) which exists to satisfy an unpaid judgment for up to $25,000. I don't know about most states, but I know at least Maryland has a similar fund.
I'd recommend checking to see if your state has a similar program.
This part I could have been more thorough with. Facebook and Google business pages had high, aged reviews including pictures. Googling the company name didn’t come up with any open BBB claims even though BBB is a joke.
It wasn’t until I started joining and searching through all of the local Facebook groups to find others swindled.
Yeah, I guess that's about the optimal amount of checking for most things. I recently had some work done and did a decent amount of checking but it still felt like a 50/50 chance of getting taken for a ride...
I'm not too surprised the fraud claim was denied. You definitely made the payment, you paid a [technically] legitimate business, and they completed some of the work, i.e. it's hard to say they accepted the payment with intent to defraud you. The fact that they didn't fully complete the agreed work isn't really a matter for the bank's fraud department to resolve. Dunno why NFCU couldn't just communicate that though. Sounds like a shamefully poor support experience on their part.
So sorry to hear this. Makes my blood boil… can’t stand fraudsters. Can’t stand how they’re basically able to do this because some bureaucracy going on behind the scenes.
I see so many horror stories about contractors pulling stuff like this on FB. yes, even when they are licensed (admittedly a lot more unlicensed tough). Does anyone know how/why this is so prevalent?
Blame the police and judicial system. In efficient system they would be in jail. Maybe it is fault of the voters they haven't voted enough politicians who invest in the system and laws to sufficiently punish these people.
Did you consider making a claim against his insurance? Or taking up matters with your state's corporation commission? Or talk to your attorney general or your consumer protection department?
I prefer NCUA insured credit unions. Banks have been historically bad in so many ways to me personally as a young person just starting out in life. I am sure there are many that hit the famous $25.00 service fee that magically gets charged the day your account goes to $30.00, causing subsequent charges to hit your "overdraft protection" that allows the bank to penalize you $25 for every transaction that drops you below a zero balance for that day. You now owe hundreds of dollars.
I also had a horrible experience with Citizens Bank, of which they allowed $5000 to be fraudulently withdrawn from my account in two days. The second $5000 was withdrawn after I was told it shouldn't happen again. That day I learned an ACH hold request is just that. A request that takes 3 days. I should have been smart enough to know that the support agent really meant for me to drop everything and immediately get to a physical branch where they could put an all hold on my accounts instantly, because I cannot do that over the phone.
I don't mean to say credit unions are always better, but I will say, I have been getting 2% interest earnings on my savings and 1.05% on my checking account. Most banks typically give you only a percentage of a percentage point in interest for either...
This is why, in the US, you want to use a credit card, not Zelle, for anything which might require reversal. The terms for credit cards are set by Federal law, and they favor the cardholder. Terms for debit systems such as Zelle are more like handing cash to someone.
I have an Amex Platinum card and the few times I've disputed a charge they've usually found in favor of the merchant (particularly if the merchant is a large company).
The one notable time they actually found in my favor and refunded me was a recurring charge I'd repeatedly tried to cancel with the merchant and eventually I threatened to close my account with Amex.
"Oh, really? Alright, I want to close my account."
Amex went down the tubes about 10 or so years ago. Their CS is terrible now. Prices went up, perks went down. The only card even worth entertaining is their blue cash, for 6% grocery.
I actually sent a payment via Zelle yesterday and saw something new. This was a small payment to a family member that I send payments to regularly for some work they're doing for me. When I was choosing the recipient, it said something like "Money transfers that happen in seconds," implying they'd have the money almost instantly (and that does appear to have been the case in the past). After completing the transfer, it had a note below the resulting screen that said, "This transfer will take 1-3 days to complete." It did complete the next day, but it was the first time I've seen this sort of thing happen. I wonder if it was due to some new security check or something else? Anyone else see anything like this?
I feel like screen-sharing apps on phones are a part of this problem.
Apple goes out of their way to make sure you can't record video off the Netflix app or other apps that play copyrighted media. However, as far as I can tell, they do not make similar safeguards available (optionally) for financial apps.
For as bad as education is (talking mostly about the US), cybersecurity education is so much worse.
Also, since our lawmakers are so far behind the curve on technology which impacts daily life (also talking mostly about the US), if you are not proactively learning about and defending yourself against cyber threats, absolutely nobody else is going to do that for you.
Cybersecurity experts have failed to educate at least three solid generations of human life on earth. We can bitch and moan about this post all day long, but the root problem is the societal education problem.
269 comments
[ 2.8 ms ] story [ 303 ms ] thread* Find a decent bank with 2FA. None of the big banks are decent, they have minimum balances, piles of fees. Credit unions are good, but you want one that isn't too local, which can limit you to credit unions specific to military/veterans/families
* Have multiple checking accounts. Only one of these checking accounts has a debit card attached, or exposed account number anywhere. Never ever hold a balance in this account. Keep the balance in the other account.
* Never use that debit card for anything but the ATM and bank teller authentication. In fact, don't even carry it with you, in case you lose your wallet or somebody tries to take it. Not every bank makes it easy to turn debit card off.
* Only use ACH for rent and loan payments. Never hold a balance in the account used for this. Many rent companies and loan providers are not properly securing that number. Your account number can't easily be changed.
* Keep the bank you use a secret from everybody including friends and family. Only the few payees and your payroll provider need to know.
* For sending money to friends if everybody has iPhones, Apple's Cash functionality is good enough.
* Get a respectable credit card with zero fraud liability. Use it for everything. Have a backup at home. Now your bank is insulated from the outside world. If somebody tries to take your wallet, just give it to them. It's easier to get a card reissued and transactions overturned in that scenario than it is to get drivers licence replaced.
* Don't move outside the country or do a USPS address change to a PO Box. Banks have been known to just shut people's accounts down and mail the balance as a check in these scenarios. Patriot act something something.
This is banking in USA. It was designed for a trust-based society 70 years ago that's still mostly trustful but needs to consider the culture has changed a bit. If the Fed would require member banks implement secure 2FA and the option to disable external ACH from accounts upon request, we wouldn't need to do all this.
But the problem is really downgrade attacks. There are multiple payment systems (bank wire, check, credit card ) and if there is one insecure way to make payments, then the whole system is broken.
What's the problem with local credit unions?
Depending on how they have it setup, it may mean that the ATM near you suddenly no longer works for you for free and you have to switch up with another one.
The vast majority of credit unions in the U.S. are, and you can use any co-op branch or ATMs just like your home credit union's branches or ATMs.
It's brilliant, and in my experience, so much more accessible than the giant banks who are often regionally concentrated.
I don't know why it didn't work for you, but it was no trouble for her.
Still using it, it's how they do cards now; they never sent an "embossed" one.
Can you clarify this. Are big banks not secure enough or are they not decent because of the minimum balance and "piles of fees"? I would rather pay something for security.
TD Canada Trust didn't let me use more than 8 alphanumeric characters in my password until about 2015. The only let you use call or SMS for 2FA to this day.
They are charging $16.95/mo for a chequing account right now.
This is pretty standard across the big banks.
The situation is quite rough indeed.
I'm not arguing it's necessarily more secure. I haven't audited it or looked into how it works.
Hard 8 character limits are often a side-effect of old COBOL "databases" in the backend somewhere.
Hard 16 character limits are sometimes a side-effect of old versions of Active Directory in the backend somewhere or new versions of Active Directory in certain backward compatibility operation modes/certain group policies.
Hard character limits in general are often a sign that someone is storing the plaintext somewhere they shouldn't be.
(Soft character limits today are mostly to avoid possible hash function DDoS.)
Nobody should be using LM or NTLM hashes anymore today, for all that that means... >sigh<
Impossible to _never_ hold a balance, since every employer wants to do direct deposit... your only hope is that you can get your money out of there before some scammer gets it. The chances of that happening are low, but not zero.
One account for holding money. Nobody knows it except you.
One account for all money outgoing. Only payees knoq about it.
You transfer all incoming from above first account to second asap.
You transfer money from second to third only on per need basis.
Capital One, Discover offers free multiple checking accounts.
and google pay? this may surprise you but in my immediate family only 1 (out of 6) has an iphone. we basically use zelle to transfer cash around. I personally will not use paypal or venmo, but I do use google pay.
https://arstechnica.com/tech-policy/2022/01/paypal-stole-use...
https://www.engadget.com/paypal-lawsuit-freezing-customer-ac...
And to be clear, this is not an isolated event.
Venmo is a mindbogglingly stupid thing that requires you to take active steps just to keep it from broadcasting your financial activity to the world, and last I checked there was no way to keep your "friend list" from being public at all.
On top of that there was a period where they disabled transfer functionality on their website altogether and the only way you could send money was through their proprietary mobile app. Seems they eventually reversed course on this, but I have no idea how long it took.
Instead of asking the user their bank account number, routing number; you simply ask their zelle email or phone number (either of which can be with any bank, no info leaked). You send money.
Zelle ask for phone or email of other party, then it shows their registered name in Bold. If one still confirms to send, its on them.
Zelle options like check options, imagine if people said Oh my God auto check honor system??
[0]: https://www.reddit.com/r/personalfinance/wiki/identity_theft...
[1]: https://files.consumerfinance.gov/f/documents/cfpb_consumer-...
Why the everloving fuck that's not the default, but something you have to request, I have no idea.
Having seen a bit of the inside: Local credit unions are generally pure trash at security. Hell, a local one had an internal meltdown from the HR person looking up prior employee's personal account to harass them with a LIST OF THEIR PERSONAL PURCHASES. (WTAF)
I take this one a step farther and don't even have a debit card, just an atm/cash card. It cannot be used to make purchases anywhere, only to get cash from an ATM. Any and all purchases I make are either cash, or with a credit card.
Some banks may look at you weird when you request such a card, or act like they don't do them (anymore), but my credit unions have accommodated me.
I did this too, unfortunately I went through multiple banks as they rolled out debit cards for all accounts and stopped offering ATM cards, until now I unfortunately have a debit card. It seems this isn't really an option anymore.
The numbers on the bottom are the routing number and account number of the payer. Anyone can make and sell them, and anyone can buy them.
https://www.costcochecks.com/home
What's your source on that? As far as I know, Regulation E generally requires banks to make good on errors in electronic fund transfers (including ACH transfers for which the customer is not liable) within 10 days of being notified. That can be in the form of a provisional credit while an investigation is ongoing, though.
It's not a complete guard, but it does prevent ACH attacks.
Some businesses only accept debit cards (like WinCo [0]). :-/ I guess you can just not do business with them.
> * For sending money to friends if everybody has iPhones, Apple's Cash functionality is good enough.
I wish... but how do you transfer money internationally? I don't think Apple Cash is adopted abroad yet.
[0] - https://www.wincofoods.com/customer-service/faqs/
Wise.com. I lived abroad for a bit and relied entirely on Wise (well, they were called transferwise then). Could send money abroad faster than I could send funds to anybody in USA.
Of course, any international financial service is very KYC heavy and can suspend access to you/lock your funds at any time so always have a backup plan ready as wire transfers are really scary (foreign banks don't want to release funds? no recourse for you!)
To add, use special emails for zelle, not your regular phone number or regular email.
If I convince you to withdraw thousands of dollars in cash and then skip town with it, do we expect the bank to make you whole?
It would be trivial for banks to give customers better fraud protection tools and enable better recovery, but they clearly don't care. * For one, since you can't have a bank account anonymously the receiving bank knows exactly who stole the money. They should at least be able to refer them for criminal investigation. * Two, since they own the machinery of transferring the money, yes they can easily reverse fraudulent transactions -- the bank doesn't have to take a loss since the fraudster has to have an account with them. They know who to take it back from. * The fraudster withdrew the money and ran? ACH transfers have always taken up to 15 days to "clear" -- banks wouldn't let you withdraw money you just deposited exactly for this reason, to verify that the sending bank actually has the funds and there are no issues. Why can't Zelle let the sender specify a "hold" period so there is time to dispute the transfer and the funds can be recovered?
Basically is seems to me that a modern digital payment systems must have a kind of escrow service built in. IMHO this is what we need the law to require banks to do. In combination there needs to be a payment dispute resolution system which would probably take the form of a kind of arbitration system not unlike the role small claims court plays. This is something the banks should lobby the government to provide since doing it themselves would clearly get complicated and expensive.
If I'm selling you a car, I don't want a Zelle transfer for the money that I know you could claim was fraud and claw back from me - then I'm out the money AND the car; I'll demand cash in that case.
Essentially each transaction that is "refundable" is an implied contract between parties and it should be verifiable. Such as in the case of a car sale it is pretty easy for a third party to check if the car was received.
Or somehow have a notary to witness and verify the transaction.
This is the basic problem is that you can't have instant transfers with fraud prevention. It's impossible to claim that banks don't understand this and IMHO it should be considered criminal negligence that they pushed this product on consumers knowing that it just exposes them to easy fraud.
Incorrect. You only deserved one, not both. You don't get the money AND the car. It's either your car and someone else's money, or someone else's car and your money.
I think the solution is escrow. I am biased, because I work for an escrow company, but I've never seen a more effective approach. Hold the money until the buyer has what they paid for, and only then release the money to the seller. (To be fair, escrow does tend to be more expensive than simple money transfer, so it's not all upside.)
Banks are given a monopoly over an unavoidable, and very lucrative, aspect of modern life. No reason to give them that for free.
There are table stakes (security and financial controls, prudent IAM and MFA, etc), and then there are folks who will fail even with the most robust guardrails attempting to protect them.
Push Fraud was significantly hampered (~solved?) by requiring that the recipient name field, rather than just being for your own note of who you sent money to (so e.g. "Jenny birthday" or "Fucking Landlord") must closely match the recipient's account name, which as a result of Know Your Customer checks should be a legal name of some sort.
There's a back-and-forth mechanism, so it was at first (presumably got better with practice) harder to pay companies with hard to spell or weirdly punctuated names, but hey, better I can't send money to "Pat Smith" (nope, his name is Matthew and that's Smythe not Smith) than that my £800 000 for a house goes to a crook who sent me an email pretending to be from my lawyers.
Because Faster Payments was a legal requirement, operated by a regulated entity that's ultimately paid for by the banks, it was presumably easier to write a law saying how it needs to be secured, whereas Zelle is a third party unrelated to the banks.
It's more remarkable when we invent things that move money and don't get used for crime.
For example the UK's Direct Debit turns out to be almost useless for crime, because it can be unwound, so, if you use it to steal money you run into two closely related problems:
1. When the victim realises they just undo the transaction, and get their money back
2. Because the bank doesn't want to be on the hook for that, their capital requirements to allow Direct Debit are eye watering. Out of reach of ordinary crooks.
The vast majority of your customers are legitimate, so there's usually going to be a reason why they unwound the payment. You can of course pursue them for payment as you would have if they were overdue on 30-day terms or whatever, but you definitely want to try to figure out why the unwind happened before you kick that off or you may waste a lot of money on a fruitless process.
Lets take a real example where I had my bank unwind bill payments. Water utility keeps billing me for more water than I'm using. I read my meter, I see I used 2.5 cubic metres of water, they bill me for 8 cubic meters, and the meter number they've listed is wrong. So I call, they send an engineer, the engineer looks at the meters, tries some things, declares that yeah, whoever installed these meters fucked up. No worries, we'll fix it, your next bill will be correct. But the next bill is wrong too. Call utility, engineer comes out, same diagnosis, same lack of consequences. Rinse, repeat. OK, I see the pattern, unwind payments.
Now obviously the water utility's lawyers threatened to take me to court for non-payment - I didn't pay them any money for the water they've incorrectly billed me for. But they won't actually go to court because lawyers don't want to get disciplinary hearings for their employer's incompetence. They still have personal responsibility (the employer can pay for their liability insurance but it is personal liability, "But my company ..." doesn't work on judges) for these proceedings. So a human lawyer will take five minutes to look at the paperwork, see the company fucked up and not file.
But you can't just have customers who don't pay you indefinitely, these are for-profit companies, so a few months later I get a phone call. They can't fix their records apparently, it's just such a tangled mess, so, new plan, delete my customer account, make a new customer account with a zero balance, attach the correct meter to the account, get a fresh reading and start from there. Is that OK by me? Yes it is.
I think in the end this meant instead of paying for water I didn't use, I saved about six months on water I did use, which seems fair.
And still many people have also gotten scammed to send money in envelope...
I always knew that some of the pro arguments for centralized systems were suspect, but it's good to have some evidence for it now.
Now I wonder how many other cases that are touted as arguments for centralized systems don't hold up to any scrutiny.
Btw crypto is worse on this in every way and there is no system that actually solves this problem. I wonder if it is even possible to solve.
I don't see a problem with that. If fraud is rare, the fee would be small. If fraud is not rare, then there's a problem they should fix.
For every 100 Zelle transactions, how many are due to fraud or scams? Maybe three or four? Then the fee should be 3-4%.
Banks might be trying to pretend Zelle isn't covered by Regulation E, but I haven't heard any good argument for why it doesn't apply, other than arguments similar to yours that they simply don't want it to.
And it won't be the end of free electronic transfers, it'll just mean acknowledging that those transfers aren't any more final than writing a check.
Regulation E talks about liability for "unauthorized transactions". Those are transfers "from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer".
If you initiated the transfer but were misled into doing so or provided the wrong payment information or whatever, it's still an authorized transaction from Regulation E's perspective; so you are still liable for it. The only exception is if you were induced by force to initiate the transfer.
Errors under Reg E include any instance where Party Y is not who receives the funds, including wrong payment info.
In the end it all has to come down to trust. If all transactions were easy to reverse, we would see the opposite problem: scammers who pay people money and the. demand it back, claiming fraud.
The scenario is, someone pays for porn, their spouse sees it on the bill and gets really angry, and the other person says it wasn't me, it must have been fraud! So they file a chargeback.
In a technical sense you're correct; in both cases the transactions are effectively irreversible. That said, I think there is an important difference:
Everyone (well, kinda) knows that a crypto transaction is irreversible; that's basically the point. Because of this, it is expected and normal to layer on extra systems to cope with the risk of not having an authority to dispute stuff to. Consider darknet markets: they use escrow and reputation systems to protect both parties.
But everyone (well, kinda, in the same sense as the above) also knows traditional financial institutions are "safe" and that transactions are reversible. That false sense of security means other security/resolution methods aren't considered, so when the centralized authority has a bad day the end user is out of luck.
But isn't an escrow system just another centralized authority? Sure, but at least I can choose what escrow system I want to interact with. The banking cartel behind Zelle doesn't afford me the same degree of choice, and using small credit unions isn't a panacea either because they farm out everything complicated to one or another of the payment cartels. Quality of escrow system is an important discriminator when choosing a DNM; I wish I could assess various traditional financial institutions' likeliness to rip me off as effectively.
If centralized financial institutions want to act like crypto in terms of irreversibility, fine, but I think the scale of the problem described in TFA indicates that some "are you suuuuuuuuuuuuure you want to send money to Joe Blow" popups in the app aren't enough to overcome that aegis of "this is a safe institution" floating around in the public consciousness. I see it as more a problem of false advertising than anything else, really. Copy from the landing page of their site:
> Zelle® works between U.S.-based banks. Which means, even if you bank somewhere different than your friends and family do,1 you can still use Zelle® to safely send and receive money straight from your banking app.
> safely
Obviously it's not a legal doc or anything, but I'd argue the service is both explicitly and implicitly casting itself as akin to a bank-provided service like a credit card, not something as wild west as cash.
As a seller, or a buyer dealing with someone I trust, recourse is a serious hazard I want to avoid. For this reason I demand cash or crypto when selling items.
>but can you really defend the position that you thought those arguments were suspect because you knew banks were going to stop fraud corrections?
I knew those arguments were suspect, because the very same thing that makes such an intervention possible is the very same thing that makes it unreliable: a central authority, that first and foremost acts in its own best interest and is prone to corruption, abuse of power and what have you.
> While simultaneously preferring systems that never had it at all?
You can still build such a system on top of a decentralized system and put your trust in random 3rd parties, if for whatever reason that happens to float your boat.
I'd rather live in a world where banks are solely responsible for fraudulent withdrawals than one where banks can shirk responsibility to their patrons. That is only possible through regulation.
That's why it's important to vote for people who aren't afraid to create regulations, and that's why it's important to question people who claim that "the free market will eventually result in reasonable outcomes."
I imagine it's been said before but I recently had the thought that murder being illegal is a regulation of the market.
The point being that even the most staunch proponent of "free markets" is probably going to draw the line somewhere that defines a "not completely free market" which opens the door to questioning where the line should be drawn. I think that's always been the case but then you'll encounter arguments that something should not be regulated because the market should be free.
(Note: 'Murder' is killing someone WITHOUT legal justification. With legal justification, killing someone is not murder, by definition. By definition, something that is illegal is illegal).
[0] https://en.wikipedia.org/wiki/Monopoly_on_violence
[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
There is NO visible difference between "I sent my new friend thousands of dollars because she's trying to start a new business and I'm investing...but now the business has gone under and I regret investing so I'm just going to tell the bank it was unauthorized," and, "I just sent my new friend thousands of dollars because she's trying to start a business and I'm investing...but now I've realized she was really a liar and there was no business."
Proving account takeover (ATO) is easier. There's some new IP (unless you gave someone remote access to your own device), new mouse behavior (yes this is a thing some institutions track), whatever.
But when you're the one who signed into your own bank account and sent your own money, you have every right to do that, even if you're sending it somewhere stupid that you later regret.
It's not up to the bank to protect you from your own stupidity. They just hold the money for you that you want to keep. Telling you that you can't send it somewhere you explicitly want to send it because they don't think it's a good idea isn't their job.
That's what they're calling "fraud" or "scams" here, and there's no reason your bank should be on the hook because you did something dumb with your own money.
How many people "chargeback" porn that they actually paid for because they got "caught"? As systems get better and better at preventing fraud, those chargebacks become harder and harder to believe.
The number of exactly these cases he dealt with all the time is absolutely staggering.
Is it impossible to prevent?
What types of entities are in a position to be most able to prevent fraud?
What kinds of interventions can mitigate fraud?
> That's what they're calling "fraud" or "scams" here, and there's no reason your bank should be on the hook because you did something dumb with your own money.
On this point we disagree. My viewpoint is one of "what entity has the most ability to do something about the problem". Yours is one of individual responsibility.
I would prefer the bank do something to protect my vulnerable grandma from doing something wrong to one where her mental decline and therefore her inability to comprehend her impending mistake is her responsibility.
Your bank should not be considered the owner of your money. If you want to send your money somewhere, you should be able to do so because it belongs to you.
If you later regret that decision, for any reason, you should certainly be able to request your money back from whomever received it, but why should the bank be the one to pay you back?
It is their legal obligation to reverse illegitimate transfers. Explicitly for ACH, and there's no good reason they should be exempt from this obligation just because the transfer was via Zelle instead of ACH. Which includes a mistaken recipient or amount, even without any fraud.
You keep saying that; but that's not what Regulation E says.
The transfer is legitimate if the owner of the account made it, even if they later realize they were stupid to have done so.
I'd rather live in a world in which effective security measures prevent fraud than a world in which there are weak security measures and endless debates as to who should be blamed when they fail. Regardless of your political stance, I think we can agree that the system is more technicially-broken than it is socially-broken.
I think understanding the problem in solely in terms of more/less regulation is a bone-headed thing to do.
I think what we have isn't a free market but a duopoly of mastercard/visa each with control over their respective domain. You can't upgrade the security, privacy, or efficiency of the network because the big players benefit from the insecurity, surveilance, and inefficiency.
Decreased regulation will probably increase their stranglehold on the industry, as you've noted. Increased regulation will cement current ineffective practices and make different buisness models impossible.
People turn to cryptocurrency, not because it's more private/secure/etc but because it is the most private/secure/etc system that works without the permission of the big rent-seekers.
But this is a problem of responsibility. Customer responsibility is an O(people) security problem. Bank responsibility is an O(banks) problem. In terms of alignment to fraud mitigation, bank responsibility leads to better technical security because they become the implementers of it to protect their own interests.
From an outcome based perspective banks must be accountable.
> I think understanding the problem in solely in terms of more/less regulation is a bone-headed thing to do.
I don't have a more/less regulation perspective. I have a correct/incorrect regulation perspective.
> People turn to cryptocurrency, not because it's more private/secure/etc but because it is the most private/secure/etc system that works without the permission of the big rent-seekers.
But it isn't. It might be more secure because the average crypto holder is more savvy, but in terms of security properties, I wouldn't let my mom have a crypto wallet, and without a direct wallet, I don't see how crypto has different properties than a bank (an entity making transactions on your behalf), the interface is the same, but the implementation details are different. No?
But hardware-secured crypto is much more secure against unauthorized access (e.g. a SIM swap without the user's involvement). After getting familiar with crypto, it boggles my mind that we handle so many payments by giving full credentials to the payee and just trusting them not to abuse it or be careless with it. Public keys have been around since the 1970s. Why don't we give retailers a digital signature authorizing a specific transaction? Why are we still using insecure 2FA and user-supplied passwords for bank website access?
Ideally, we'd put secure elements and social recovery wallets in all our phones, and use them for everything. It's what we need for crypto, but we could use the same tech as access control for banking systems.
It's true to some extent that crypto users are more savvy than most, but I think cryptocurrency also has obviously superior security properties to the conventional banking system, technically speaking. In the conventional banking system, there are no "savvy" users because everyone is equally insecure no matter what. In the conventional banking systems it's all based on trust. Trust that the bank obeys the law, trust that law enforcement is not corrupt, etc. The security mechanisms of cryptocurrency are at most a superset of what you can do with the conventional banking systems. If you want to have a third party supervising transactions, you use 2-of-3 multisig for example (https://en.bitcoinwiki.org/wiki/Multisignature). If don't trust your family member to authorize payments without you, you use 2-of-2 multisig. If you don't trust yourself to not lose your keys, you back them up. If you want to limit your risk, you keep a small amount of cryptocurrency in a "hot" wallet.
Secondly, I don't think that the idea of a keypair is beyond the understanding of an average person. They effectively already know how to manage secrets in the current system: passwords, bank routing numbers, etc. It's just that the keypair is superior to these systems of authentication which often require you to reveal the secret itself to authenticate (credit card number), do not have enough entropy (4-digit-pin), are open source (E.g. security questions like "what's your mother's maiden name?"), or rely on other centralized systems (SMS-based 2FA). Even if you implemented some sort of "custodial keypair" that allowed you to transparently sign transactions without revealing your secret, that would be a major improvement over the current system which is based on (typically bad) secrets.
In many ways, the conventional banking system is more complicated than cryptocurrency, because the failures of cryptocurrencies are "solid" and well-defined (e.g. 51% attacks, MITM attacks, etc.) while the failures of the conventional banking system are "soft and fuzzy". For example, I was reading about a scam the other day wherein the attacker sends the victim a fake check, and asks them to cash out the money- this scam works because banks generally accept checks before validating them, allowing you to spend money that hasn't been validated yet and then charging you later. You might think this is obvious as a boomer, but as a zoomer who has never cashed a check before, this is not obvious at all.
And I'm not necessarily saying that cryptocurrency is the end-all-be-all of payment systems. There are superior systems like chaumian cash (https://taler.net/en/) but they require the permission of the existing banking system (which generally profits off providing services that surveil users and """fix""" the existing insecurity), so they haven't taken off.
I get the impression that regulation will never fix this because the nuances at hand will go over the head of any lawmaker who has merely accepted the insecurity of the status quo. I think that even if you get some libertarian or pro-cryptocurrency person in office which doesn't accept the current system, I highly doubt that they would make the right decision needed- it's more likely that any pro-cryptocurrency candidate is just going act in a way that ben...
My understanding is that many of the people who own crypto do so through a third party, so there is a layer of indirection. It's the difference between me having cash in hand (money in my pocket I can directly use) and me having cash in the bank (I tell my bank to send money to someone else and they execute the transaction on my behalf).
My mom has downloaded ransomeware before, so from that perspective, I think crypto has worse security properties. If transactions are executed indirectly, the security properties are theoretically the same as executing transactions through a bank and you are back in a system of trust. Furthermore if a "cryptobank" gets hacked, that money is not retrievable, while theoretically in a system of pure fiat, the money might not be retrievable, but the value could be refunded at the cost of devaluing the currency as a whole.
As far as behind the scenes implementation details go, a cryptographicly signed ledger with immutable history makes sense, but I also generally trust banks, much less so investment banks, and significantly less so the stock market.
This is quite true, and it is likely the largest problem facing cryptocurrency today is this custodial use of it (besides all of the get-rich-quick schemes). But at its worst like this, cryptocurrency is a non-proprietary inter-bank payment method that prevents double-spending between banks. It is still superior to something like zelle, paypal, or SWIFT so long as the fees are lower. If cryptocurrency was the primary means of inter-bank transfer, then it would be trivial for anyone to start a new bank that could inter-network with the rest of the banking system, so I expect banks would be a lot more competitive (including on matters of privacy and security).
>My mom has downloaded ransomeware before, so from that perspective, I think crypto has worse security properties. If transactions are executed indirectly, the security properties are theoretically the same as executing transactions through a bank and you are back in a system of trust. Furthermore if a "cryptobank" gets hacked, that money is not retrievable, while theoretically in a system of pure fiat, the money might not be retrievable, but
Hmm. yes this is sort of a complicated subject. But I'll just re-iterate a point here which I may not have made as clear earlier: that cryptocurrency allows you to establish different levels of trust/risk through the means by which you manage your keys. A lot of older cryptocurrency users who don't practice good opsec will use a hardware token to sign transactions. Another example of what you could do is use a multi-signature system that would make it so that multiple keys are needed to move your funds (for example, they would have to hack at least X of Y devices in order to move funds), or simply have multiple wallets and limit the amount that you have in each one.
And secondly, there are non-cryptocurrency ways of implementing different levels of trust/risk that you could integrate into the existing banking system, like chaumian cash or even just using cryptographic keypairs to authenticate transactions.
In other words, losses of cryptocurrency due to theft or fraud are not always all-or-nothing. The difference between cryptocurrency and the conventional banking system is that you can decide your level of trust/risk you want to take before you do a transaction, which includes the use of a "cryptobank" (which could be secure but have historically been very scammy compared to conventional banks, see Mt Gox, Celcius, etc.).
>the value could be refunded at the cost of devaluing the currency as a whole.
I am not sure that it's a desirable property that the rest of society can bail out banks like you're describing. I think in an ideal situation you would have some sort of free-market-ish sort of way to balance the risk vs reward of different security practices, whether that's users voting with their dollar or with a middleman like rating agencies or insurance. And those incentives basically require the bank and its customers to lose money when they get robbed (maybe through some middleman like insurance).
If you look at serious cryptocurrency exchanges like Kraken or Binance, there is a massive gap between "cryptobank gets hacked and loses some of their funds" and "cryptobank gets hacked and loses everything". They keep a lot of their funds on separate, air-gapped, offline systems, with the keys distributed between multiple people. Those aren't funds that you can steal with a normal cyber-attack: it would take pretty persistent social engineering akin to widespread corruption.
Furthermore, if the bank don't suffer from faud, they have no incentive to fight it. So there will be no effective securiry
That doesn't necessarily require a third party like a bank to surveil and supervise every transaction.
What does that have to do with the article? Neither MasterCard nor Visa is involved with Zelle, are they? The article says it's controlled by a group of banks. Presumably they've set up a new system, so they could make it as secure as they'd like.
It may only be temporarily competitive as it tries to penetrate the market. Once it reaches a sufficient enough market share, they will be able to hike up fees and disregard users like the systems that came before it.
Please don't introduce this kind of barely-related, politically biased, emotionally-charged, tribalistic tangent into HN. Virtually nobody here (either in this thread, or on HN in general) is arguing that taxes should be abolished or that financial stuff should be deregulated. You're just invoking tribalism where there was none previously.
We already live in that world. There's just an intermediary in the form of the state.
One of the best examples of this is how Sweden irrevocably killed their financial markets by trying to just squeeze out a bit more tax revenue and limit speculation. The cost of that mistake has to be in the billions and IMO, we’ll see the end of Sweden as a nation before we see it “recover” its markets.
Then at worst you're out the play money. Make sure it's set so the real money can only push into the play money account.
I briefly looked into this at one point and as best as I could tell, Chase would only let you disable ACH on business accounts.
But ACH has much more defenses against someone pulling money than Zelle and friends do.
No. Sending money with Zelle does not expose you to having your account wiped out.
Receiving money, there is a minute chance a transfer might be reversed. But that’s all. Don’t use Zelle to accept payment for goods/services.
I have no idea what you mean about the services being fragile or how your "entire bank account" would be wiped out.
This article is talking almost entirely about scams. Presumably you're smart enough not to send your whole bank account's contents to a random person who calls you.
And if you're not, well, it doesn't really matter if you're being scammed via Zelle/Venmo, or via paper check, or via wire transfer, or via ACH.
It does, though. If scammers scam via paper check, wire transfer or ACH, the full force of the government comes down on them and they actually get put in jail if they get caught. If they scam via Zelle or Venmo, too bad, so sad.
I also (so far) have been unwilling to trust Plaid. Plain old crappy wire or ACH transfers for me, thanks.
No way I'd send a large sum of a money to a stranger / new company over Venmo.
It's useful for replacing small change in your wallet, not for replacing credit card and proper purchase protections.
https://www.youtube.com/watch?v=CS9ptA3Ya9E
One puts the onus on the defrauded company to fix their house; the other puts it on a third-party with no involvement in the transaction to... Make it harder? For strangers to lie and tell other strangers they are the person with the "stolen identity?"
We could have drastically changed the landscape on this if the first time a company came after someone whose identity was stolen for money not paid the government had responded with not only a "no" but a fine for using the law to harass a stranger.
This pissed me off so much. Victim blaming and they get away with it.
Crappy identity verification basically widens their customer base.
If the bank lends me money and I lose it, they expect to be paid back.
But if I lend them money, and they lose it, this is...my fault?
Banking access is not actually very particularly secure. The only thing that keeps banking practically secure is the banks reversing fraud when it's discovered and the government sending fraudsters to jail.
If the banks don't hold up their end of the bargain, the system begins to collapse because they certainly aren't technologically secure enough to guarantee security of customers' money, which is one of the primary functions of a bank.
You really just have to make it enough of a hassle for thieves that they pick the next easier thing to do. Not create Ft. Knox.
That’s why people steal catalytic converters etc.
IMO the cheapening of technology has made a difference with this. When my (then not yet) ex-wife was burglarized, Just her laptop and a camera gave the criminal 900$ at a pawn shop [0].
[0] - which BTW, fun thing about this, if your insurance covers 'replacement cost' you are better off not finding your items at a pawn shop. Most state laws are written such that as long as the pawn shop collects fingerprints/ID, the person who was stolen from can get their items back, but must pay the pawn shop back what they paid the thief for it. Insurance will happily pay that instead but still take your deductible out. (It worked out OK for me, the wedding ring was among the stolen items, never got pawned and that covered the deductible and then some... eventually helped pay for the lawyer lol)
This needs to be a full time job to make the $500/day though. Some houses are as you say now worth the bother, but others have things that can be sold. The key is you need to know what you can sell and for how much before you take it.
As the other poster said, the hard part is not getting caught. The easy places to sell these things (pawn shops, scrap yards) tend to ask for id - and the ones that accept a fake id will only take so much before they have to recognize you.
Without someone to take the risk and a sizable cut your best bet might be a few fake ID’s and a multi city spree of pawn shops. Though if you have access to high quality fake ID’s banks are probably a much better option.
It's not my fault if my house gets broken in. I have no obligation to meticulously lock all my doors and windows when I leave.
But if I get hacked, it's my fault. The onus is on the individual / company to maintain law and order themselves when online.
That feels wrong to me.
But using weak and/or compromised passwords is a bad idea in exactly the same way that it's a bad idea to leave your front door unlocked.
Legally, we do assign fault for negligence. If absentmindedly leave your kitchen tap open with the drain stopped and then go on vacation, your flood insurance is probably not going to pay for repairs, even if you didn't deserve to have your house destroyed.
From a policy perspective, I think the most appropriate thing would be a middle ground. It is good for everyone's peace of mind to be sure that your entire bank balance won't vanish without recourse, but if you leave your banking "front door" unlocked, the bank covers 90% of the actual unrecoverable loss, but you're on the hook for the other 10%. That eliminates perverse incentives to use weak passwords without being cruel to victims.
I'd argue it's not quite the same... using weak passwords is more like using a lock that can be 'raked'; your security is just lax.
Re-using passwords is like using the same key for your front door, back door, garage, car... If someone finds it and makes a copy of it, they have full access.
Compromised passwords, it's when you know a key is lost or stolen and you don't re-key.
> From a policy perspective, I think the most appropriate thing would be a middle ground. It is good for everyone's peace of mind to be sure that your entire bank balance won't vanish without recourse, but if you leave your banking "front door" unlocked, the bank covers 90% of the actual unrecoverable loss, but you're on the hook for the other 10%. That eliminates perverse incentives to use weak passwords without being cruel to victims.
Both of my main financial institutions have 'pretty dang good' security measures on one level or another. One, has forced password changes at 6 month intervals (not as good as 90 days, but better than many!) The other does not have forced password changes but I know their internal security is... pretty crazy. Losing your badge 3 times is enough to get you fired, and any contractors who do work must be under a very specific specification of video surveillance while working with their clients.
Forcing password changes reduces overall security, especially for infrequently accessed services. It only normalizes the reset workflow, and enables easier social engineering.
The NIST standard (800-53?) was updated to reflect this reality, and it no longer requires periodic password rotation.
This is not generally true. Insurers are forbidden to pay out claims for intentional bad acts, or fraud, but ordinary negligence is usually covered:
> The good thing is your homeowner's policy usually covers you and your family's negligent behavior no matter where it happens.
https://www.nolo.com/legal-encyclopedia/does-my-homeowners-i...
I know I might get robbed at any time, maybe I don't lock my door, thats why I put my money in a bank.
The bank has one job - to keep my money safe. If they have no guards andleave the door open, yes, it is their fault.
If you are not prepared to keep armed guards money safe, then you shouldn't be taking other people's money.
Similarly, companies that cannot keep data safe shouldn't be storing my data in the first place.
If a bank has zero physical security measures and leaves the money out in the open, that is negligent.
But, even if a bank has all the state of the art, "best practices" physical security measures, they can still be robbed. No bank is going to stop a nation-state army attacking them, for example.
I think the same is true of cyber security. Nothing will ever be 100% secure. The question is whether the company has followed reasonable best practices and due diligence. Everything else is up to the government to maintain law and order.
> companies that cannot keep data safe shouldn't be storing my data in the first place.
If you're expecting absolute safety, either physically or electronically, there is nowhere in the universe you could deposit your money. Otherwise, the FDIC already has regulations in place to make sure banks are reasonably secure.
Sure it isn't your fault if your house gets broken in, but you should still lock your door. The more risk you are of your house being broken in the more precaution you should take.
Right now odds are very high that someone will attempt some form of cyber crime against you. As such you should be taking precautions to prevent it. It won't be your fault if it happens, but it will still ruin you day, and may cost you a lot anyway.
On the old 'net, people had to take personal responsibility for their own data-house because neither law nor enforcement had caught up yet to the notion of having a system intruded upon. Remember, we had to pass laws to make "unauthorized access" illegal in the same sense trespassing is; before that, it was just "some signals a stranger beeps at your machine could cause it to malfunction or to send signals back they could interpret as your bank account number. If you don't want that, harden your system against malfunction."
Nowadays, society has caught up but some people with an old-guard mindset still see someone get their stuff stolen and go "Well, should have locked your doors; only way to guarantee your stuff is safe."
“Our research suggests that friendly fraud will represent 61% of all chargebacks by 2023.”
If everyone could wormhole between countries, first world houses would be ransacked pretty damn quickly.
I took a picture of his business license, insurance, and I ended up getting pics of trucks when I took before pictures.
The crew came and worked one day. Maybe completed 30% of the work. For the next two weeks my calls and texts were dodged/unanswered/sent directly to voicemail.
Finally I had enough. I called the police, did a police report. Called the CU explained what happened and was sent an email on how to open a fraud report. I submitted all the before pictures and the “after 30% of work” pictures. I sent the police report, and social media posts of people who claimed to have their money stolen by the same person / company.
3 weeks later I get an email that my claim was denied due to “lack of information.” I spent a total of 31 hours on the phone attempting to get someone to tell me what information I needed to send them or what information they found lacking. I got absolutely no where. No answers. No one from fraud department. No one cared at all. Just denied.
So I went the other route, filed a claim in small claims court. I provided the judge everything I sent to the credit union. Judgement was in my favor. Now he owes me the $4500. How do I collect? I probably will never see the money. I can’t legally garnish any wages. So I’m out 4500. I couldn’t really do anything else to protect myself more.
Navy Federal Credit Union. I’ve been a member since 1991. 30 years with a credit union. I am a military veteran. Hundreds of thousands of dollars worth of transactions have passed through my account. I’ve had multiple home, auto and personal loans.
I’m still trying to get over it.
Where I live, after 30 days of the debtor failing to pay the judgment, you'd make an appointment with the sheriff, bring a check for $35 and they'd attempt to enforce it for you; including garnishing wages, seizing property (real or personal) etc etc.
I'm not surprised you didn't get far with police reports and fraud filings: breach of contract is not necessarily fraud.
It seems like once the police got involved, they were willing to play ball. Somehow, you’ve got to find the contractor and get the police on your side. You’ve got his business addresses and even insurances, maybe the insurance company is your way in?
Good luck.
When I looked at the insurance and took a picture the policy dates were valid.
When I attempted to call the insurance company the policy was started then canceled due to lack of payment so he probably only made the first payment.
Lesson learned is to call to verify on the spot. Never thought of it. The police just look at my slip of paper from the glovebox.
They already know if you have insurance typically. Their in-car computers can typically reference insurance accounts (or at least in my technologically backwards state they can).
If he does ever call or text I’ll be sure to buy him a beer to see if we can resolve the situation.
In general I've found a good rule of thumb with people is: Flight or "flight".
Why not?
You have a judgment in your favor.
Send it to collections.
[0]https://www.azcourts.gov/selfservicecenter/Garnishment/Garni...
Maybe that'd be how I'd square it with myself. (But still probably never working with people who ghost again.) You paid 50% and got less than 50% of the work done, but work was still done - somewhere between 25% and 50% it sounds like.
It'd also help the personal re-framing if the next people I hired quoted less for the remaining work and it was done in a day. Granted, this is work with plants and things which change/increase in entropy by the day.
The possible life lesson here is to not let perception or preconception sour an otherwise sort of alright outcome. And sometimes outright re-framing a sour situation can diminish the sting. (Along the lines of "breakups hurt, but enjoy the good times and memories for what they were.") There's also not letting sunk costs steer decisions towards still worse outcomes.
I'd recommend checking to see if your state has a similar program.
It wasn’t until I started joining and searching through all of the local Facebook groups to find others swindled.
I see so many horror stories about contractors pulling stuff like this on FB. yes, even when they are licensed (admittedly a lot more unlicensed tough). Does anyone know how/why this is so prevalent?
It seems if OP was able to just have their re-payments enforced, things would be set right.
You have options.
I also had a horrible experience with Citizens Bank, of which they allowed $5000 to be fraudulently withdrawn from my account in two days. The second $5000 was withdrawn after I was told it shouldn't happen again. That day I learned an ACH hold request is just that. A request that takes 3 days. I should have been smart enough to know that the support agent really meant for me to drop everything and immediately get to a physical branch where they could put an all hold on my accounts instantly, because I cannot do that over the phone.
I don't mean to say credit unions are always better, but I will say, I have been getting 2% interest earnings on my savings and 1.05% on my checking account. Most banks typically give you only a percentage of a percentage point in interest for either...
This is exactly why banks are so eager to come up with payment systems that go directly to/from bank accounts, as opposed to credit cards.
It's also why I don't use Zelle or Venmo.
The one notable time they actually found in my favor and refunded me was a recurring charge I'd repeatedly tried to cancel with the merchant and eventually I threatened to close my account with Amex.
"Oh, really? Alright, I want to close my account."
"Oh, hold on sir, let me try again..."
Effing $800/year in annual fees for this crap.
Apple goes out of their way to make sure you can't record video off the Netflix app or other apps that play copyrighted media. However, as far as I can tell, they do not make similar safeguards available (optionally) for financial apps.
Out of curiosity what apps are those?
Also, since our lawmakers are so far behind the curve on technology which impacts daily life (also talking mostly about the US), if you are not proactively learning about and defending yourself against cyber threats, absolutely nobody else is going to do that for you.
Cybersecurity experts have failed to educate at least three solid generations of human life on earth. We can bitch and moan about this post all day long, but the root problem is the societal education problem.