Denise Stanco was desperate.
Trying to stop a theft from her checking account in progress, the 54-year-old information technology specialist frantically e-mailed her last hope - in the Kingdom of Bahrain.
In three e-mail messages, the Catonsville resident explained that someone swiped her debit-card number, faked a passport in her name and purchased two tickets worth $1,201 on Bahrain's Gulf Air. Stanco pleaded with someone, anyone to help her.
Everyone she turned to thus far had disappointed her, since she'd learned from a credit-monitoring service that someone had used her debit-card number to purchase Gulf Air tickets, Birkenstocks and Asian Air tickets.
Securityplus Federal Credit Union said its hands were tied, even though the fraudulent charges had not been deducted from her checking account yet. The local police said they couldn't investigate without knowing where the bad guy was located. So e-mailing Gulf Air, in an effort to overturn the charge, was a last resort.
It brought the only real help she got.
The carrier investigated, discovered faked passports and then refunded Stanco's money - all except $24 due to the fluctuation in the value of the dollar.
"In this particular case, it was not a big issue as the contacts given in the booking were all fake and no response was received by phone/over e-mail," Lars Denlew, head of distribution and e-commerce for Gulf Air, said in an e-mail interview.
Investigating fraud, Denlew said, "is not always easy and is very tiresome. ... We are not fraud investigation specialists and do not have any interest of being that either!"
Meanwhile, closer to home, Securityplus dinged her $30 for a bounced-check fee. Since it was holding her money to pay the bogus Birkenstock charge, there were insufficient funds to pay a legitimate check she had written to her lawn service company. This all happened before the credit union let her close the compromised account.
By the time she e-mailed me, she was still out $54 ($24 for the depreciating dollar and $30 for the bounced check). But mostly, she was just whomperjawed.
Can't blame her. As much as I'd like to give Securityplus a big stink-eye for the way they handled this situation, I can't.
They were just complying with regulations.
"The problem is that the credit union approved those charges," said Robert Rutkowski, a partner at Weltman, Weinberg & Reis Co. in Ohio who also writes That Credit Union Blog. "Since they didn't decline those charges at the point of sale, they're responsible for it. Somebody has to bear the loss. The problem is that blind authorization."
Electronic transactions take place in two parts: the authorization and then the posting. At the point of sale, authorization doesn't mean someone has taken the time to make sure the sale is legitimate. It merely means that the financial institution has informed the merchant that there's enough money in an account to cover the charge. Posting is the amount of time it takes for the bank or credit union to release the funds after it's authorized.
The federal regulation that governs debit-card transactions, called Regulation E, was written to make debit-card transactions instantaneous, said John J. McKechnie III, director of public and congressional affairs at the National Credit Union Administration, the federal regulator that oversees most credit unions in the United States.
"Under Reg E, as soon as a card is used, the money is already, technically, gone," McKechnie said. "That's why there's no way to stop it. Reg E and Visa and MasterCard rules - because credit-card issuers have contracts with different financial institutions - require that the charge goes through."
Visa confirmed this statement.
"Visa's rules require that card-issuing financial institutions attempt to honor a transaction after it has been authorized," said Rosetta Jones, vice president of Visa USA.
What that means is that the use of a debit card equates to an immediate transfer of money, as if the thief had lifted cash out of Stanco's wallet.
Despite ads that promote zero percent liability when using debit cards, consumers need to be aware that under Reg E, you must report fraud within two days of discovering the loss. Within two days, you can be held liable for no more than $50. Wait longer, you could be liable for up to $500.
Consumers also need to know that if you report fraud on a credit card, you're automatically credited the money back to your account while the company investigates. When using a debit card, you're out the money until the fraud is investigated, McKechnie said.
So why not try to stop fraud at the point of sale? Easier said than done.
If you've ever written "Please Ask For I.D." on the back of your plastic, you'll know many merchants never even check for a signature - let alone your identification - before swiping your card.
Like consumers, merchants aren't held responsible for fraud. Unless negligence can be proven on the part of the merchant, the sale will be paid. That's the way the system is designed. That's why more and more merchants allow the use of debit and credit cards instead of demanding cash - they know they're protected.
Fraudsters aren't allowed to continue unabated, of course. Credit unions often limit the amount of money and the number of transactions allowed per day on debit cards, so that swindlers can't drain an account.
Some financial institutions require secret PIN numbers and some use biometrics (using fingerprints, etc. to secure sales). Most use monitoring services.
But, as Rutkowski noted, "Monitoring services stops future fraud on that account, but the fraud that has already started is irreversible."
"The solution is to lock down the charge at the point of sale," Rutkowski said. "But let's face it. The loss that financial institutions experience from fraud is still less than the cost of implementing tools to stop fraud."
In other words, the system is reactive, not proactive.
This is not to say that Securityplus did everything right. It's a mystery to me why it let Stanco close the compromised account before the Birkenstock charge was paid, but wouldn't let her do it before the Gulf Air tickets were paid. It doesn't track.
"We are going to look into this member's problems," McKechnie said. "We'll check to make sure [Securityplus] handled this properly."
Does this mean the bad guys got away with it? Not necessarily. Baltimore County police, after first saying they couldn't get involved, not only wrote up a report but launched an investigation into what Stanco has been told "could be part of a bigger crime."
To Securityplus' credit, it did reimburse Stanco the remaining $54 that she lost. It's also important to note that Securityplus likely would have made Stanco financially whole after it investigated, especially if she had not met with success in contacting Gulf Air.
But the bigger point in Stanco's spectacularly infuriating experience is that the whole system failed her.
Stanco's glad she got her money back. She's happy that she wouldn't have been held liable. But, the whole experience was a royal pain for her to sort out. And what really got her goat is discovering that someone always ends up losing because there's no system set up to stop a fraud in progress.
You've probably seen that irritating commercial where the guy paying with cash annoys the long line of debit-card payers because he slows down their ability to zip through checkout. Should we really trade security for convenience?
We also understand it is hard to stop fraud. That does not mean we shouldn't try. And that is the real shame of it all. As Ed Campbell, assistant vice president of marketing at Securityplus, said to explain the credit union's powerlessness, "In a macro sense, we all end up paying for it."
Reach Consuming Interests by e-mail at consuminginterests @baltsun.com or by phone at 410-332-6151. Find an archive of Consuming Interest columns at baltimoresun.com/consuming.