Why the Home Depot and Target breaches aren’t an argument for using credit cards


Another month, another major retailer announces that their internal records have been hacked, and their customer credit/debit card accounts stolen. This time it was 60 million accounts, making it the biggest breach ever.

I was at dinner the other night when the discussion of the latest breach at Home Depot came up. I was in the process of pulling out my debit card to pay for my meal, when a voice to my right said, “you’re using a debit card? Don’t do that. You should always use credit cards for purchases because they’re safer.”

My first thought was: them’s fightin’ words. But is there any truth in it?

Review: Pay with money

In case you’re new here (welcome!) I recommend that people pay for purchases using money. Paying with a credit card doesn’t count in this case, because you haven’t actually used money to pay for anything; you’ve used the bank’s money and have given the bank an IOU for payment later.

There are problems with this, namely that it looks to you like you have money that you don’t really have anymore (your account will show a higher balance, but some of that is earmarked elsewhere). And even if you keep an eagle eye on what you’ve put on a credit card, and make sure that you have enough money in your checking account to cover it, and make sure that you only spend money that’s not allocated for the credit card, you’re still performing duplicate, unnecessarily complicated work, buying something, and then having to pay for it later.

So I recommend using a debit card or cash. It’s simpler that way.

Once more unto the breach

If you’ve shopped at Home Depot recently and used a card of any sort there, that card has gone into a payment database. (I’m not sure why the company needs to keep this on file, but that’s a different issue.) This database was cracked, and the card numbers stolen.

Once someone has your card number, it is possible for this person to make a purchase with it. Not guaranteed, but possible. Debit card transactions require a PIN, and it’s unclear if the breach included PINs. Credit card transactions require signatures in theory, but not in practice; in person, all you need is a scribble on a receipt, which could be done by anyone, and when online you don’t even need that.

In short, it is frighteningly easy to purchase something using someone else’s card in the US.

Anatomy of a fraud

People believe that a credit card is safer than a debit card. Interestingly, the reason they give is the same reason as why I recommended above that people not use credit cards for purchases: because you haven’t really used your money.

Let’s say that some black hat gets your number and decides to buy a $5,000 trip to Tahiti. If this was a credit card, the $5k charge would appear on your account, but you haven’t really lost anything. You would call up the company, say that someone else is trying to have fun at your expense, and to please refund the charge, and close my account to further mayhem. This may even happen automatically. No problem.

But what if this $5,000 came out of your debit account? That’s your money! All gone! (Okay, $5,000 seems like a lot to have in a checking account to me, but this is only a thought exercise.) Even if you call the company to get the charge erased, it might take a few weeks to get that money back. During which time, you have no money and all of your bills will bounce.

Because of this, many suggest (even relatively reputable sites) that you should use a credit card because it’s “safer.”

I disagree.

How to be self-insured against fraud

Let’s say I find that my account has been drained.

(I know it’ll be no more than $500 taken, because I have a transaction limit of that amount, set up by my bank. But okay fine, let’s say that I didn’t have that transaction limit, and someone drains my account. What then?)

First off, I would notice it immediately, as I check my accounts every day, or thereabouts. I would immediately call the bank to freeze the account and start the process of reclaiming the stolen money.

But what would I do in the meantime?

I would use my emergency fund.

An emergency fund is a necessary tool for everyone to be financially successful. I recommend six months worth of expenses, but even if you have a few hundred in a savings account, that will still get you through. You are now self-insured against this type of emergency.

If this isn’t good enough, you could always diversify and open a second checking account. Or even link a card to your emergency fund, that way you don’t even need to wait the 2-3 days to have the money transfer into an account you can use. (But be sure to never use the account except in emergencies!)

But I don’t have an emergency fund!

Luckily, you can build one over time. Your first step is to uncover the secret life of your money so you have more control over what you have, and can give yourself a raise.

Don’t panic

Don’t get me wrong, having money stolen is frightening and awful, and I don’t wish it on anyone. And I won’t lie that if this happens to you, you will need to make some phone calls, and it won’t be fun, regardless of how it goes down.

Yet, I fail to see how the possibility for potential fraud should cause you to change your actual spending habits towards a method that is more risky for you and makes the banks big profits. That seems like a different kind of scam to me.

(Oh, and a note for US banks: can we get chip-and-PIN now please? Thanks.)

But enough about me? Were you affected by the recent breaches? has it changed your behavior?

Comments are closed.