How Did My Information Get Stolen?

What would $8 at a motel in Idaho even get you?

I received a call from my bank on Sunday afternoon informing me that my debit card information had been stolen. Someone made an $8 purchase in a motel in Idaho using my card.

Unless, the teller wanted to know, that was me.

For a second, just because, I wondered if it was me. You know, like who am I really? Has my consciousness split in two unknowable halves? Was I just in Idaho? Am I in Idaho right now? Is his name Robert Paulso — no, no, that’s insane.

“No,” I responded, “I’m in Pennsylvania.”

The teller told me I’d have to call the local branch tomorrow when they were open to initiate getting a new card, a process that would take seven to ten business days.

“That’s pretty inconvenient,” I said.

“Yep.”

How did this even happen, I wondered. My card wasn’t physically stolen. I don’t think I was phished, as in I didn’t give any information to someone online posing as though from a legitimate company. It turns out there are a few other ways it might’ve, though. The database of a website with my card number may have been hacked, which is both the most boring and perhaps least unlikely possibility — most companies, regardless of their size or value, are vulnerable to hacking. Alternatively, a more thrilling, more disturbing possibility: someone scanned the radio frequency ID tag on my card through my pocket. It’s also possible I swiped my card through a skimming device at either a gas pump or an ATM. According to the New York Times, the threat of this final possibility has recently surged.

Skimming involves stealing debit card numbers by putting an illegal card reading device on an A.T.M. Criminals use the devices in tandem with hidden cameras that record personal identification numbers entered onto the keypad. They then make duplicate cards using the information and drain cash from bank accounts.

A man from San Diego was recently arrested for creating nearly 4,900 counterfeit cards skimming this way.

I’m not liable for the $8 charge thanks to the Fair Credit Billing Act. Were my debit card to have been physically stolen, on the other hand, and I reported it immediately, I could be liable for $50 in damages. If I did not report it for two business days, I could owe as much as $500. And if I did not report in 60 calendar days time, I could be responsible for my entire account being drained.

Sometimes, the issue is more nuanced. It was easy for my bank to pick up on the fraud in my case because the charge took place in Idaho, where I obviously was not. Here’s a claim made my someone whose card information was reportedly used, according to a representative from TD bank, “in places and for amounts that did not stand out as unusual.”

Our family’s au pair, Anna, was a victim of debit card fraud. Her card was used to buy about $900 worth of goods, mostly in grocery stores she’s never set foot in. She has disputed the charges three times now, and all three times her claim has been denied. This despite the fact that the bank has a signed letter from me stating that she was with our family on a day when some of the charges were made. Other days, she was caring for our 1- and 3-year-olds, who were home napping. We’ve called the bank about a dozen times. After two months of doing everything that we can, I have nowhere else to turn.

For some time, TD didn’t “buy” the idea that the card had been skimmed, but eventually reimbursed her. I suppose that if banks were often oppositional like this, considering nearly 13 million Americans were victims of identity fraud in 2014, consumers would be more inclined to hide their money under their mattresses. More often than not, though, I would think the process runs smoothly.

One question does remain in my head: what does $8 at a motel in Idaho even get you?

Yoni Blumberg is an Awl network intern this summer, and a senior at the University of Delaware

Support The Billfold

The Billfold continues to exist thanks to support from our readers. Help us continue to do our work by making a monthly pledge on Patreon or a one-time-only contribution through PayPal.