Credit cards have a privacy problem (washingtonpost.com)
238 points by mlb_hn on Aug 26, 2019 | 174 comments



Yup, do-no-evil Google buys your credit card data for advertising purposes: https://www.bloomberg.com/news/articles/2018-08-30/google-an...

Companies need to start thinking of this less through the lens of "evil" and more through the principle of least astonishment. Would users be surprised and angry to learn you do this? Then don't.


Is there a collection of the sort of unusual / unexpected things that companies do / can do?

Not "Google does X", but "there is a market that sells X, and X can be linked to you personally by Y, Z".

So

* A market exists for reselling credit card transaction data. Your card provider (i.e. Barclaycard) sells to companies such as $FOO who will aggregate the same data from different providers and sell it for marketing purposes. The size of the market is $Billions.

* Google can link the purchase history to you personally by multiple means, including reading your Gmail and looking for purchase confirmations using the last 4 digits.

* There is a market for reselling your mobile location and call history. Your cell provider ...

I would love to see this - I honestly need reminding of this and it seems like a great press exposé.


> Google buys your credit card data for advertising purposes

How do they connect my credit card data to my Google activity? My Google account isn't connected to my personally identifiable information in any way. I.e. they don't have my phone number, nor do I use Google Pay.


> How do they connect my credit card data to my Google activity?

Most people have a phone number with Google for Gmail (you didn't need one in the beginning, but do now). There's also their wallet, app store, voice, broadband, phone plan, etc.

Some people will dodge all of that, but most won't.


Don't forget location data.


Even if they do (for Android users only), how would they connect location data to my credit card history? Are you claiming that Google reverse engineers PII by correlating Android location data with credit card purchase location history?


This doesn't quite say they do exactly that, but they do tie location data to offline purchases.

> Since 2014, Google has flagged for advertisers when someone who clicked an ad visits a physical store, using the Location History feature in Google Maps. Still, the advertiser didn’t know if the shopper made a purchase. So Google added more. A tool, introduced the following year, let advertisers upload email addresses of customers they’ve collected into Google’s ad-buying system, which then encrypted them. Additionally, Google layered on inputs from third-party data brokers, such as Experian Plc and Acxiom Corp., which draw in demographic and financial information for marketers.


They know your approximate location when you conduct an offline credit card transaction, and the approximate time and location of the store where the transaction occurred.


And while one such data point pair isn't conclusive, getting, say, a dozen matching pairs might identify a user with high enough correlation to be useful.


Does the credit card company or store have your email or phone number in addition to your CC being used?


If you use a loyalty card, then definitely.


> Most people have a phone number with google for gmail (you didn't need one in the beginning, but do now)

I just created a new Google account without a phone number 10 seconds ago. Phone number was optional and of course I didn't provide it.


It's only optional if they are already pretty sure they know who you are.

If you try to sign up using Tor, for example, it's not optional.


You do need one if they can’t already identify you from your data.


>My Google account isn't connected to my personally identifiable information in any way.

Which personally identifiable information?

The time of day you use your devices? Which languages you use? Which websites you visit? The type of medical conditions you search for?

Information being PII or non-PII isn't binary. It's relative shades of how Shannon-entropic it is. You need about 33 bits to identify someone; you likely have leaked 33 bits of entropy.

EFF's Panopticlick helps show this: https://panopticlick.eff.org/
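As an added illustration of the "bits of entropy" argument in the comment above (this is not code from the thread or from EFF), here is a small Python calculator for how much identifying information a set of observed attributes leaks. The attribute frequencies are constructed for the example, not measured Panopticlick data, and attributes are assumed independent, which overstates the total when they are correlated:

```python
import math

# Approximate 2019 world population; assumption used for the "about 33 bits" baseline.
WORLD_POPULATION = 7.8e9


def bits_to_identify(population: float = WORLD_POPULATION) -> float:
    """Bits of information needed to single out one person in `population`."""
    return math.log2(population)


def surprisal_bits(probability: float) -> float:
    """Self-information (-log2 p) of observing a value shared by a fraction p of people."""
    if not 0 < probability <= 1:
        raise ValueError("probability must be in (0, 1]")
    return -math.log2(probability)


# Constructed population frequencies, for illustration only.
# attribute -> observed value -> fraction of the population sharing that value
CONSTRUCTED_FREQUENCIES = {
    "timezone":         {"UTC-8": 0.05,        "UTC+1": 0.20},
    "browser_language": {"en-US": 0.25,        "de-DE": 0.02},
    "screen_size":      {"1920x1080": 0.30,    "2560x1440": 0.04},
    "fonts_hash":       {"common-set": 0.10,   "rare-set": 0.0005},
    "plugins_hash":     {"none": 0.40,         "unusual": 0.00002},
}

# Two constructed observations: one made of common values, one of rare values.
COMMON_OBSERVATION = {
    "timezone": "UTC-8", "browser_language": "en-US",
    "screen_size": "1920x1080", "fonts_hash": "common-set", "plugins_hash": "none",
}
RARE_OBSERVATION = {
    "timezone": "UTC+1", "browser_language": "de-DE",
    "screen_size": "2560x1440", "fonts_hash": "rare-set", "plugins_hash": "unusual",
}


def leaked_bits(observation: dict, frequencies: dict = CONSTRUCTED_FREQUENCIES) -> float:
    """Total surprisal of an observation, summing each attribute's bits.

    Summing is only exact when attributes are independent; correlated
    attributes (e.g. language and timezone) leak less than the sum suggests.
    """
    return sum(surprisal_bits(frequencies[attr][value]) for attr, value in observation.items())


def anonymity_set_size(bits: float, population: float = WORLD_POPULATION) -> float:
    """Expected number of people still indistinguishable after `bits` have leaked."""
    return population / (2 ** bits)


def is_identifying(observation: dict, population: float = WORLD_POPULATION) -> bool:
    """True when the observation alone carries enough bits to single out one person."""
    return leaked_bits(observation) >= bits_to_identify(population)


def report(observation: dict) -> dict:
    """Per-attribute and total accounting, the kind of view a privacy review wants."""
    per_attribute = {a: round(surprisal_bits(CONSTRUCTED_FREQUENCIES[a][v]), 2)
                     for a, v in observation.items()}
    total = leaked_bits(observation)
    return {
        "per_attribute_bits": per_attribute,
        "total_bits": round(total, 2),
        "bits_needed": round(bits_to_identify(), 2),
        "anonymity_set": int(anonymity_set_size(total)),
        "identifying": is_identifying(observation),
    }


if __name__ == "__main__":
    for name, obs in (("common", COMMON_OBSERVATION), ("rare", RARE_OBSERVATION)):
        print(name, report(obs))
```

No single attribute above is PII on its own; the rare combination crosses the 33-bit line anyway, which is the point the comment makes.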


> Information being PII or non PII isn't binary.

It is binary in Google's data structures (marked as annotations on protobufs), and in law. Things you listed aren't considered PII.


Google has the phone numbers of almost everyone, because practically everyone is in the address book of someone who uses an Android phone.

Google makes sure that if you don't hand over your data to them, someone else will.


How do they connect phone numbers in Android users' phone book to their respective Gmail accounts?


Because my friend Bob is in my contacts as Bob@Gmail.com and also as 0123456789.


So can’t I put Bill Gates in the same contact as my own phone number?

I guess I would need enough people to do a sybil attack on Google.

I bet this is how Places data and other stuff is hacked. How does one prevent a coordinated attack like this? Machine learning ensuring voting rings can only be used once or twice?


They associate the phone number used for 2FA with the account, or the contact details have an e-mail address entry and it's filled in with a Gmail address.


Using the phone number given for 2FA (and nowhere else) for any other purpose would be in disagreement with the purposes listed at https://support.google.com/accounts/answer/183723?hl=en


Same with WhatsApp/Facebook.


Have you used Google from home wifi? Use google maps to get travel directions from home to other locations consistently on the same device? Used that same device/home wifi to access your credit card's website?


Consider N shopping locations with time stamp and N phone locations with time stamp. The N required to uniquely identify a person with high probability can be just 2-5.


I feel like it would be pretty easy to link together an online purchase with the confirmation email to my Gmail account using purchase location / time of purchase / price.


That's for sure, you can even go to https://myaccount.google.com/purchases to see it.

Linking offline purchases is harder but still doable if they buy CC data in bulk.


If you bought things online, couldn't they make guesses based on internet activity and things showing on a statement? e.g., maybe thousands bought x on a specific day, but how many bought x on that day, y on another, and z on a third day, all with corresponding research/signals when browsing?


There are lots of suggestions here of how it's done but it's essentially really really simple.

There are 2 pieces of information that need to be joined. Google have your cookie and email and MasterCard have your address and probably email. If both sides have your email then job done. If not then they can use your physical address via a data broker. All it needs is some e-commerce sites that allow cookie syncing and have a privacy policy that allows them to sell that part of your data.


This is correct. Experian keeps CC number and email. Google has email address, that ties to cookies. They join on email.


I'll hazard a guess that it takes less than 4 other data points, gathered without your knowledge or consent (but very commonly gathered nonetheless), to associate your credit card with your google activity.

And 4 data points would be a lot more than usually required.


On Google Opinion Rewards most of my surveys are about whether I did go to a specific shop, which would make sense if these shops pay Google to know that information, but then they ask how I paid.

I'm pretty sure they use that to feed their models.


>Would users be surprised and angry to learn you do this? Then don't.

Doesn't this already exist since nobody wants to piss off shareholders?


Shareholders don't get annoyed when you're evil, they get ($)_($) eyes.


Not true. People are pissed at a number of these companies and regulations are on the horizon. Regulations don't give me ($)_($) eyes.


As long as they're weak enough regulations, or they keep staying on the horizon, why would they care?

We'll eventually have regulations cracking down on the privacy shitshow the web is today. But how many billions of dollars were made on the abuse to date, and how many more will be made still?


More so: How many surveillance systems have been bootstrapped using the full take, but will now happily function with a few unregulated breadcrumbs here and there?



(On Mastercard site)

> To opt-out from our anonymization of your personal information...

Uh, I'm no lawyer, but the wording really gets my attention here.


That caught my eye as well, it's odd that they chose such a wording and they use it consistently on their notice page [1]:

> Depending on your country, you may have the right or choice to: Opt out of some collection or uses of your Personal Information, including the use of cookies and similar technologies, the use of your Personal Information for marketing purposes, and the anonymization of your Personal Information for data analyses.

[1] https://www.mastercard.us/en-us/about-mastercard/what-we-do/...


Me too. It really reads like my data will be highly personalised otherwise, i.e. with names and other data.


YouTube keeps offering YouTubeTV and their other services with pop-up boxes where the two choices are "yes", or "skip trial", which sounds like they're offering a yes/yes choice: yes sign up for the trial, or skip the trial and go straight to buying the service. Keeps annoying me.


Did anyone else notice Mastercard's easily breakable captcha? It's just unmodified text with the same noise filter added to all codes.

Perhaps there's opportunity here for someone to be Robinhood here and improve the privacy of a lot of people...


I'm pretty sure that's a good way to get the endpoint flagged as a target of abuse, and the page pulled until they can figure out what's going on, resulting in anyone who wants to opt-out after that point either running into a temporary or permanent problem, depending if they ever bother to put it back online.

How about instead of fraudulently providing someone else's credit card because "we know best", we just make sure to spread the pages as much as possible where appropriate, and let people make their own educated choices (and hopefully it opens their eyes to other places in their lives they can do so as well).

I understand the impetus to help, but it's important to consider that what one person views as helping another might view as terribly invasive in itself.


> I understand the impetus to help, but it's important to consider that what one person views as helping another might view as terribly invasive in itself.

This is a sense of decency that the surveillance companies didn't share. People didn't make any sort of educated choice to be surveilled - the surveillance companies arrogantly "opted" them in. Opting them out is a much lesser transgression onto their will.

I do agree from the practical perspective - surveillance companies will parry any legible bulk activity into an excuse to continue surveilling. Fine point white text at the bottom of the homepage: "Due to an attack from scary hackers, all opt out requests from 2019 have had to be discarded. If you had submitted a request during that time, please resubmit your request. To protect yourself in the future, buy our nonsensical "identity insurance" for only $10/mo."


> Opting them out is much lesser transgression onto their will.

So, that makes it okay? They've been abused before, so what's the big deal if we do it too? That's a troubling perspective to me. Two wrongs don't necessarily make a right.

I think this is very straightforward. You, as a third party, have no place making decisions for me without my consent in this case. If I have a relationship with Visa or MasterCard, please stay out of it. The appropriate way for this to change is for a) me or someone I've authorized to request it, b) the company in question deciding not to do it anymore, or c) a legislative body with jurisdiction mandating a change through law or regulation.

If you have access to my credit card number and I haven't given it to you, the only appropriate things you should do with it are to notify me, the company providing it, or the authorities that it's been exposed and should probably be changed. If I have given it to you to authorize a payment, you are authorized to use it for that payment (and possibly later payments that I agree to), not to keep it to use as you see fit later on without my consent.

If you have my card because I've given it to you and you show me a dialog letting me know you can opt me out and give me the choice, that's acceptable. But I view any action taken on my behalf without my consent with regard to this as a violation of my trust, privacy, and personal information. We are in a very scary place if we as random third parties think we're allowed to make decisions for people just because we think it's better for them.


My main assertion was merely "This is a sense of decency that the surveillance companies didn't share".

It's okay to acknowledge this as a vulnerability of your personal paradigm but still hold yourself to it. Just don't act like it's the only permissible way to interpret the situation, when the present state of affairs has been created by the surveillance companies not following the same moral requirement - already "[making] decisions for [everyone] without [our] consent".

More generally, a sense of right and wrong cannot mean simply following low level axiomatic rules, but rather requires judging constructive behavior. I'd say an action that mainly undoes a wrong is a lot closer to being right than another wrong.


The person in question has a relationship with the credit card company, in that they have requested and use the credit card (and if they aren't using it, nothing is being collected). I agree that opting into collection automatically is less than ideal, and I don't want it to happen, but this isn't some third party getting between some other nefarious third party and myself, it's them injecting themselves into an ongoing business relationship between two parties.

You can label them surveillance companies all you want, and in some contexts it might be the most fitting description. In this context, I would say it's more fitting to say they are contractual partners abusing the looseness of the contract for their own benefit.

Just in case you missed where this particular thread started, the top level comment is about the opt out forms for data collection at Visa and MasterCard, and the reply's (possibly somewhat in jest) suggestion that since the CAPTCHA is so simple, someone just use whatever card numbers they have access to to opt people out automatically. All my comments are specifically in that context, which is one of random third parties using card numbers they shouldn't have direct access to anyway to alter the business relationship of others without authorization.


Due to the constraints on understanding, I believe "fine print" in contracts carries zero moral weight. In order for Visa and Mastercard to credibly claim people have opted in, there needs to be an overt choice (no default already-checked option) as part of the direct card relationship, as well as specific consideration for that specific aspect of the relationship to remove any incentive to downplay the choice.

Furthermore, I do not view a person's associating with Visa/MC in today's society to be in any way voluntary - opting out is only possible at significant personal expense. So the mere existence of a business relationship also cannot be a basis for general consent. (As an aside: people generally do not contract with Visa/MC directly)

Taken together, these put "abuse" of a "business relationship" in the exact same category as interjected actions by "third" parties - unwanted transgressions. They only feel different because we've become fatigued to accepting these transgressions when they pad someone else's bottom line.

And yes I am aware of the context of the discussion. I wouldn't personally do such a thing, but that doesn't mean I wouldn't applaud someone who did.


> Furthermore, I do not view a person's associating with Visa/MC in today's society to be in any way voluntary - opting out is only possible at significant personal expense.

Hardly. There are other creditors, and if you aren't worried about credit at all (and there are other ways to build credit), then you can use cash, buy gift card variants of their products which don't link to you, use some other provider (paypal), or some other form of payment entirely in some cases (e.g. cryptocurrency). There are more choices now than ever before.

> Taken together, these put "abuse" of a "business relationship" in the exact same category as interjected actions by "third" parties - unwanted transgressions.

> I wouldn't personally do such a thing, but that doesn't mean I wouldn't applaud someone who did.

The only way I can read this is as you condoning additional violations of someone's privacy just because you think it's for the best this time. As I've noted, I don't think your value judgements have any place in my life, nor my interactions with other parties.

This has nothing to do with whether the credit card company was justified in doing what they did, it has to do with people minding their own business and not violating other people's privacy. If you think the credit card companies are going too far, then talk to the authorities for legal action or legislative remedy. I applaud that action, but I don't want your vigilante activism, and I don't condone breaking the law by people that think they're more special than other people because they're doing it for "a good reason" or because "it's really just helping people".

I guess it's nice that you wouldn't do it yourself, but why would you applaud someone doing something that you wouldn't do yourself? It's real simple, if you can't or don't want to ask for permission to do something for someone else, then you shouldn't be doing that thing.


The issue isn't credit, but payment processors. Add Paypal and ACH to Visa/MC and you rule out basically every web retailer. If Monero/Zcash get to the point where they are well-adopted practical choices this judgement can change, but we are nowhere near that state of affairs.

> additional violations of someone's privacy

I've agreed that flipping that surveillance preference flag is a type of violation, just of territory that has already been trodden on. It's like if someone breaks into your house while you're away, then a neighbor comes along to put a tarp over your window before it rains, and you're complaining that the neighbor has trespassed. In a sense you'd be technically correct, but most people would consider that action to have been reasonable.

There is also the aspect where someone leaving this preference flag unmaintained is contributing to a larger attractive nuisance.

> why would you applaud someone doing something that you wouldn't do yourself?

Because I simply wouldn't want to take on the legal risk.


Sometimes when I get debt collector calls or car warranty scams I find their website and they usually have an opt out form, never seen a captcha. I have been really tempted to just hammer the endpoint with every valid phone number. Probably won’t accomplish anything but will give someone a fun surprise.


Good spot. That system seems very clunky.


The Visa portal doesn't have very much information, can you explain what exactly I'm opting out of?



404 on submitting the visa request. Thanks visa.


>"We don't sell your data, we share it." -all the companies involved

Am I the only one thinking there might be some Clapper-level double-speak going on here? Why would these company share admittedly valuable data without being compensated?

A question for contract lawyers: can I sell something (say an API or quarterly report) that "incidentally" includes customer data and get away with saying I'm not "selling customer data"?


Your transaction data is never exposed to anyone outside of $corp.

$corp provides its marketing partners with insights gleaned from aggregated transaction data. And allows select partners to query an API for derived information about $corp's cardholders using a marketing identifier that tracks across multiple agencies including credit reporting, social media monitoring and customer intelligence analytics.

Additionally $corp uses its transaction stream to feed information about aggregated spending per retailer to both their internal trading desk and to select financial markets partner firms.

Your personal transaction information is never exposed to anyone outside of $corp.


Yes it absolutely is exposed to whomever provided the processing. I've seen the data extensively. The amount of info provided is overwhelming.


Should have qualified it as: "never exposed to anyone outside of $corp or its authorized contractors."


Definitely not a lawyer, but "sell" to me implies you lose ownership afterward, so as long as they're not doing that, they're not selling. Easy to see how they can give someone your data without doing that.


Are you saying that every single SaaS startup is selling anything because they don’t lose ownership when they provide a service in return for money? I think typically the exchange of money for a good or service is what we refer to as “selling” even if the seller doesn’t lose said service after selling it.


No, I was merely referring to "selling" as it pertains to products, not services. Your data would be a product, not a service. They may build services around your data that use it in some way, but it'd be the service they'd be selling, not your data. Just like how Uber would be selling a ridesharing service, not your car.


If I sell to you the knowledge that the derivative of ln(x) is 1/x, I still have that knowledge.

No different than if I sell to you knowledge of the fact that cardholder XYZ lives at 123 Main St, has phone number 555-867-5309, and shopped at Giant Dildos, LLC 3 times in the summer of 2019.


It is very different. It's literally impossible for you to dispossess yourself of that derivative. So clearly you will still have it. It's not impossible for you to dispossess yourself of users' data. They're not the same thing.


Millions of Calc I graduates would beg to disagree on the first point... :D


Dispossess on-demand* :)


Software, music, movies and many other products are sold through different media — physical or over the network — those are also referred to as selling, but what they sell is a license to use for specific purposes, without losing ownership, copyright, IP, patents, etc.


Not really, but third party processors get a lot of info too. And it's not anonymous. They might share actually anonymous data, but it can be picked up for a dime or just easily hacked before dealing with the high-level Visa or MasterCard level.


They need info from data brokers for their risk and fraud analysis. Handing over their goods for free can net them a discount.


Plaid is the most terrifying company in SV. The fact so many people are comfortable sharing their online banking creds with a third party, and in turn authorizing Plaid to share years of transaction data, your balances, emails, phone numbers, addresses etc scraped from your bank account is insane.


The worst part is that certain banks won't let you link an account that Plaid claims is supported based upon the routing number/account number.

So for example when I attempted to link based upon routing/account number at Simple, it told me I can't continue because I should hand over my account information for the other bank to Plaid instead.

I've done it, and then immediately changed my account info. So yes, technically Plaid has my historical data, but at least they won't get it going forward. It really sucks though, because it locks my money into a singular bank otherwise.


I'm not arguing against the general idiocy of this, but the net effect should be to keep money away from such banks.

My understanding of the ACH system is that it's best used in a "pull" manner, as if you're writing a check. Link your Simple account from another bank and initiate the pull from there. (Then work on transitioning your activity to the better bank while you're at it).


Yup... that's what I have been doing.


I was able to get around this by typing in a junk/non-existent bank name, which dropped me into the manual routing/account number option.


Yeah, I tried that... and then when I entered the manual routing number it's like "Hey, you need to login instead because this bank is known to us"


Indeed. Not only past transaction history but future transaction history as well.


While I do love me some privacy.com, unfortunately they only allow you to tie payments to bank accounts, not credit cards.

So, it's a virtual debit card, not a virtual credit card.

Now, they do let you set transaction limits, and daily/weekly/monthly limits, as well as either locking the card to the first merchant to use it or to make it a "burner" one-time only card.

So, there's lots of additional controls there.

They don't give you a good way to export any of that financial information, so if you want to use a budgeting program to try to help you track what is going where, then privacy.com doesn't help you there.

Overall, I like privacy.com very much. I do want to be able to tie in multiple back-end payment sources, including credit cards, and I'd be fine taking the 2% or whatever fee on my end. And I do want more transparency in terms of being able to easily export my data where I want to use it. But those are both relatively minor problems, compared to the ones they do help you solve.


privacy.com comes up on HN a lot, and every time they do I try to take the time to point out they require a binding arbitration agreement with no opt-out.

Arbitration agreements are bad in general, but not necessarily uncommon. What makes privacy.com different is that they have access to your bank account. They're in a position where they have direct access to your funds, and you can't bring them to court if they wrong you.

I've had people suggest that I link privacy.com to a limited bank account and manually transfer money. That's a good suggestion, I'd probably do that no matter how they were set up. But that's not going to help if privacy.com takes you to arbitration over a bogus overdraft charge, or if they leak your credit card numbers, or if they start selling data behind your back. My bank doesn't have an arbitration agreement tied to my checking or savings account. I don't think it's justifiable for privacy.com to claim that they have more customer risk than my bank does.

If a business includes an arbitration agreement in your terms of service, I immediately assume that they don't respect their customers. There are some businesses where I tolerate that, but I need a heck of a good reason -- especially if that business is going to be managing my bank account.

Binding arbitration agreements are underhanded. The only reason to have one is because you want to make sure right from the start that you're not accountable to your customers.


> What makes privacy.com different is that they have access to your bank account.

In my understanding, they have the account numbers and can do ACH withdrawals - just like someone who has your debit card number (but against a checking account, not a card). So I believe it's like every other transaction (or check) - there's an intentional (as I get it) processing period for a day or two, and you can always call your bank and request to not honor it. I could be wrong though.

And actually, they can be associated with a debit card instead of a bank account - they've failed to associate with my bank, so I have had to go this route (and there's no way to switch it afterwards).

Oh, and I totally agree that arbitration clauses without a way to opt out are disrespectful to say the least.


One can't use the technical situation to escape the legal situation. If you dispute the ACH transaction, privacy.com could still claim you owe them that debt.

They likely won't, being still subject to the court of public opinion. But it doesn't bode well that they're trying to escape the more direct avenue of accountability.

(IMO the FAA is blatantly illogical and should be judicially nullified. But until that happens, we're stuck being on guard for these offensive customer-hostile terms)


I believe you can opt out of binding arbitration in California.


In regards to privacy.com, in my opinion it would be very, very unwise to trust any venture capital funded startup to protect your privacy. What happens when their investors decide they aren't monetizing fast enough? They are sitting on a lot of private data that other companies would love to get their hands on. What is the downside to them of selling your information, and making a big exit, that left the founders wealthy?

I would trust Apple a lot more since they already make money, and their reputation is something that they would be more likely to value more than a startup would be.


The privacy.com business promise is privacy, but their privacy policy (as of several years ago) did not actually promise much. I emailed them about it and they said they were surprised by the oversight. I wonder if they changed it.


> We may share data that is not personally identifiable with third parties

> Cookies and Tracking Technologies: We and our partners use cookies or similar technologies to analyze trends, administer the website, track users’ movements around the website, and gather information about our user base, such as location information based on IP addresses

They also transfer data in the case of a query about a sale.

This would be a bit less awkward if the name of the company wasn’t “privacy”.


I know, I know, the editorial staff is separate from the advertising/sales staff etc., but I still find it funny that when I try to access the article in incognito mode, as I habitually do (for privacy), I get

> We noticed you’re browsing in private mode. Private browsing is permitted exclusively for our subscribers. Turn off private browsing to keep reading this story, or subscribe to use this feature, plus get unlimited digital access.


Disgusting. I avoid those kinds of places like the plague.


Yes, isn't it revolting that they try and get people to pay for the content they spend money to produce? How dare they.


Oh, I wouldn't even mind if they served me ads.

But what they're saying is: We won't let you read our stuff unless we can track you (and see exactly what you read how long from where using which device, etc.)


"... unless you are willing to pay us for reading this content. In which case you've already paid for it so browse however you like"


Would you really trust them to not track you even if you pay? Do they even have the technical ability to not serve the tracking shit based on whether you're a paying subscriber or not?

I don't want to volunteer personal & payment details (which is more info than their tracking can get, considering I block it all) to find out.


"... unless you log in so we know exactly who you are and can track what you read for how long" etc. etc.


If you're signed in as a subscriber then they can track you though.... So you can't without being tracked period.


Beyond annoying.

Disabling JS bypasses for now.


Thanks, does indeed.


I've always wondered: is the data the reason why credit card companies are willing to give cash back as high as 5% even to customers who carefully operate them at a clear loss for them?


Ask a simple question, get a simple answer: no.

The reason credit card companies are willing to give customers rewards/cashback is that they’re competing, primarily for interchange revenue. Most cards are guaranteed to be profitable for the issuer (ex-credit risk); some models (5% rolling category up to $75 back, etc) are not strictly guaranteed to be profitable, but they’re running a portfolio strategy.

You don’t need to make money on every account. You need to make money on every pool of, say, 100,000 accounts. One could conceive of rebate schemes poorly designed enough to not do that, but the industry broadly doesn’t ship them.

There are people who make hobbies off of attempting to get the financial industry’s sweet sweet marketing dollars. The financial industry can afford an infinite number of business analysts and geeks. The marketing dollars are still on offer. What does this suggest to you as to the portfolio-wide impact of hobbyists who exploit the offers?
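The portfolio argument above (profit per pool of accounts, not per account) is easier to see with numbers. The following is an added toy model, not something from the thread or any issuer; every rate in it is an assumption chosen for illustration (issuer's net interchange, 5% bonus rate with a $1,500 quarterly cap, 1% base rate, 24% APR), and the account mix is constructed. It shows a rotating churner who pays in full losing the issuer money on an individual basis while a pool that includes ordinary cardholders and revolvers stays comfortably positive.

```python
"""Toy rewards-card portfolio model, added for illustration; all rates are assumptions."""
from dataclasses import dataclass

INTERCHANGE = 0.02      # share of spend the issuer nets from the merchant (assumed)
BONUS_RATE = 0.05       # cash back in the card's bonus category
BASE_RATE = 0.01        # cash back everywhere else and above the cap
QUARTERLY_CAP = 1500.0  # bonus spend eligible per quarter (a common cap in the thread)
APR = 0.24              # interest on revolved balances (assumed)


@dataclass
class Account:
    annual_spend: float   # total yearly card spend
    bonus_share: float    # fraction of spend placed in the 5% category
    revolve_share: float  # fraction of spend carried as a balance for the whole year


def rewards_paid(spend, bonus_share):
    """Cash back owed, applying the quarterly cap (spend assumed even across quarters)."""
    bonus_spend = spend * bonus_share
    capped = min(bonus_spend, 4 * QUARTERLY_CAP)
    return capped * BONUS_RATE + (spend - capped) * BASE_RATE


def issuer_profit(acct):
    """Issuer's yearly net on one account: interchange + interest - rewards."""
    spend = acct.annual_spend
    return (spend * INTERCHANGE
            + spend * acct.revolve_share * APR
            - rewards_paid(spend, acct.bonus_share))


def pool_profit(accounts):
    """What the issuer actually optimises: the sum over a pool of accounts."""
    return sum(issuer_profit(a) for a in accounts)


# Constructed mix: a few rotating churners, many pay-in-full cardholders, some revolvers.
CHURNER = Account(annual_spend=6_000, bonus_share=1.0, revolve_share=0.0)
PAY_IN_FULL = Account(annual_spend=12_000, bonus_share=0.2, revolve_share=0.0)
REVOLVER = Account(annual_spend=12_000, bonus_share=0.2, revolve_share=0.3)
PORTFOLIO = [CHURNER] * 5 + [PAY_IN_FULL] * 50 + [REVOLVER] * 45

if __name__ == "__main__":
    for name, acct in [("churner", CHURNER), ("pay-in-full", PAY_IN_FULL), ("revolver", REVOLVER)]:
        print(f"{name:12s} {issuer_profit(acct):8.2f}")
    print(f"{'pool of 100':12s} {pool_profit(PORTFOLIO):8.2f}")
```

Under these assumptions the churner costs the issuer $180 a year, the ordinary pay-in-full account nets $24, and a single revolver nets $888; five churners in a pool of a hundred barely dent the total. Change the mix or the rates and you can make the pool lose money, which is exactly the design problem the comment above says the industry broadly avoids shipping.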


Credit card issuers don't pay for the cash back, it's the merchant. The merchants are charged a credit card transaction fee that includes a fixed/percent fee determined by the negotiated contract with their bank (the acquirer), a small fixed/percent interchange fee that goes to the credit card payment networks (Visa, MasterCard, etc.), and finally a fee to the credit card issuer that provided the credit card to the consumer.

The credit card issuer fees can be the worst because of these high reward credit cards.

I'm very aware of this when shopping at a local small business. I'll pay either in cash or with my debit card, because the credit card fees are seriously squeezing small merchants.


Citation? It seems pretty crazy to me that every merchant would have to pay the difference when a customer decides to use a 5% cash back card. They can't even know the full list of cards out in circulation, and I doubt their contract says "the fee is whatever portion of the card's cash back we can't pay for" or something like that. It could work for a closed subset of cards they know about and might want to negotiate separately, but I don't see how it can work for every card out there.


They do not pay the whole cash back, but they do pay more for "premium" cards (that they cannot refuse, also). See for instance this https://www.cfib-fcei.ca/sites/default/files/pdf/5513.pdf (in Canada, but the same thing applies to the US)


Right, these are just Visa/MC/etc. card classes, which don't determine the cash back on them. And so if that doesn't make up the difference, then the card companies paying the rest, right? My point is that for high-cash-back cards there are easily customers who consistently make more in cash back than whatever fees these folks get and who don't rack up interest, meaning they're costing money, so why should they still be kept as customers?


Enough of them wind up over-extending and paying interest to make it lucrative.

I'm also not aware of any across-the-board 5% rewards cards, and most have an "up to $x,000 annual spend" on the categories that are that high.


A neat little hack with some cards can make it effectively almost across-the-board.

Some rewards cards let you select "online shopping" as your high rewards category. You can extend that to in-store shopping at Walmart by enrolling that card in Walmart Pay and then paying in-store via that.

For a lot of people, "online shopping" and Walmart together will cover 95+% of their credit card use.


Are there any of those that are 5%? If so I’m very interested.


BofA has a card that is 3% in your selected category, which can be boosted to 5.25% if you have a large enough total in your accounts at BofA and Merrill Lynch.

The base card is 3% in your selected category (online shopping; gas; dining; travel; drug stores; or home improvement and furnishing), 2% in grocery and wholesale clubs, 1% everything else. The 3% and 2% are limited to $2500 per quarter.

The base rate is multiplied by 1.25, 1.5, or 1.75 if your total at BofA and Merrill Lynch is at least $20k, $50k, or $100k, respectively.


> Enough of them wind up over-extending and paying interest to make it lucrative.

Yes. I understand this. I'm asking, why do they keep the others' accounts open?

> I'm also not aware of any across-the-board 5% rewards cards

I'm not either, but many people just rotate to a different card instead of using the same card for less cash back. And who never miss a payment or rack up interest. Meaning they always use those cards at a loss for the company. I'm asking why do these peoples' accounts get kept open.


> why do they keep the others' accounts open?

It's a loss leader.


Even for people who have years of history showing they have no intention of taking the bait?


I suspect you're overestimating how many of those there are.


I suspect you're underestimating? A lot of people (around half of Americans if not more) don't carry a balance. I don't know what fraction of them try to extract the most from their cards, but judging from the sheer number of websites that explain what card you should get to maximize which reward and bonus, I'm skeptical that the number of people who pay attention to this is negligible enough that it'd cost companies more to simply close their accounts than to let them go on.


>sheer number of websites that explain what card you should get to maximize which reward and bonus

These sites are mostly blogspam that push referral links.


My explanation seems more likely than the credit card companies acting as a money-losing charity towards rewards maximizers, doesn't it?


Yes, but my original explanation seems far more likely than both? https://news.ycombinator.com/item?id=20805156


If an individual's data was worth $500+ annually like that, Intuit would be realizing substantially more revenue from Mint.com.


It's not the same data? Mint doesn't know where you made each purchase and for how much.


The only thing Mint's lacking is the geolocation of the individual merchants - something they can garner in a lot of cases from the merchant name. The grocery store I frequent includes a store number in the transaction name, for example. (Mint definitely has the "how much" bit - they've got each transaction individually, including the amount.)

On the flip side, Mint has all the rest of the credit card data for the person (across potentially many different cards and card networks), savings and checking accounts, brokerage accounts, mortgages, car loans, student loans, and tax returns if you use TurboTax.

I think that balances out the equation pretty handily - that amount of linked, collated data should easily be worth more than a single CC can garner.


Ohh, sorry, you're talking about Mint -- somehow I confused it with Credit Karma. Yes, they have transaction history and all that from across cards. I agree, it should be pretty valuable for Intuit. What indicates to you that it's not (or not as much as you expect)?


> What indicates to you that it's not (or not as much as you expect)?

Intuit's a public company, making both their revenue and the number of Mint users publicly available. They're not making anywhere near what they'd need to make off their extensive data holdings to make your theory work.


What I meant was, could you cite the numbers and math you are arriving at that tell you this? The 10-K I'm seeing says they make around $200M/year from desktop TurboTax and $2.2B from Mint and other services, and that's just with 20 million Mint users. That seems plenty to me.


Here is a good explanation...

https://squareup.com/guides/credit-card-processing-fees-and-...

"The card that’s used

Debit cards with PINs are lower risk than credit cards, so they typically have a lower interchange rate. And rewards cards (travel, triple points, etc.) and business cards typically have higher interchange rates."


They don't make up the full 5% though, and there are people who do consistently use these cards only for their 5% categories.


I used to do this in the UK: I bought my monthly season ticket using a 3% cashback card and used to make just under £20 a month.

Of course the badly implemented EU changes which in theory should have benefited the consumer did not - the merchants just took the reduction in interchange fees and didn't cut prices at all for the end consumers


The amount they need to pay can sometimes be deduced from the card itself. For MasterCard for example they will pay more if it is marked World Elite than if it is marked World. And for VISA, they pay more for Infinite than for Signature.


No. They make money on the swipe, and more money on the interest, if people don’t pay them off every month, and most don’t.


But that's only like 2%. Why still keep around people who are clearly taking advantage of higher rates of cash back like 5% and not paying anything in interest though? What's the benefit of keeping them as customers?


You also end up spending more, apparently--12 to 20% more.

https://www.youtube.com/watch?v=MFkBoXhl5SU


They keep around customers who operate at losses for them because then they spend more? So they want these customers to operate at even larger losses?


I’m not aware of any card that gives flat out unconditional 5% cash back. You sometimes have these elevated award rates but for very specific merchant partners, limited periods of time, with some cap on the total amount received, or limits on how the reward can be redeemed. The base cash back on reward cards hovers between 1 and 2 percent, even ones with high yearly fees (another area where the margin for the issuer is further elevated). The high yearly fee incentivizes card holders to “get their money’s worth” by using the card more.


Nobody said unconditional. You just rotate the cards in your wallet and use whatever 5% category fits your purchase. You might not do this, but there are people who do, and never pay interest. They clearly operate at a loss for the company year after year. I'm asking why their accounts aren't closed.


Because for every person who signs up and causes them a loss, there’s dozens of others enticed by the same rewards programs who make them a profit. Credit card companies aren’t having any problems being profitable.

I would imagine the number of people who only purchase things that are in the 5% category on their card is extremely small.


> Because for every person who signs up and causes them a loss, there’s dozens of others enticed by the same rewards programs who make them a profit.

That's the answer to the question "why are these cards offered at all", which was not my question.

My question was, "why are even the accounts of people who consistently cause them a loss still kept open?", which this doesn't answer.


I don't understand the confusion, it's called a "loss leader."

These companies have very, very smart people working for them, analyzing all the data they have to come up with a product and its limits. They know x% will not be profitable, and they include that in the profit calculations.

Why don't they simply cut off the non-profitable customers? Because people don't like this and they'll quickly tell their friends "Don't sign up for Discover, they cancel your account if you don't make them money." It would be all over Slickdeals and blogs. No credit card is going to survive cancelling accounts for using their credit line in totally normal ways.

Just like a store could say "for every 10 sale priced items you buy you must buy a full priced item" - but then nobody would shop there.


It may simply not be legal for them to decide to drop customers just because they are, taken individually, unprofitable.

Think about an all-you-can-eat buffet. Some poor soul is gonna starve themselves so they can splurge and have a "good deal" on a lot of food. Most people will not, and the business would be in trouble otherwise. They still have to serve the patron who's eating a lot, because what kind of buffet would it be if it was "all you can eat, until you're eating so much that we're no longer making enough money"?

Or, some retailers sell items at a very low price, just to get people into the store in hope of them starting to buy more. Nothing stops you from getting into the store, getting the deal on those items and not buying anything else. The store may be losing money on you but they can't stop you from purchasing the item at the advertised price.

People who choose to spend their time and energy chasing deals to hyper-optimize the benefits on their credit card savings are entitled to their savings. Companies (credit cards or otherwise) are just interested in the total outcome of their operations anyway, not on making money off of every single customer. (Besides, even just defining what is a "profitable customer" is a hairy problem.)


1. Because those people who were enticed by that program might not be enticed to sign up in the first place if it says “5% cash back (unless you take advantage of this in which case we cancel your account)”

2. I bet government regulators might be a bit peeved by a company that systematically cancels customer accounts for behavior which is within the advertised terms of the agreement. Usually regulators frown upon luring customers in with an advertisement for a product/service and then purposefully sidestepping said product/service.

3. It’s probably such a small number of customers that it’s just not even worth their time.


1. Possible, but seems unlikely as the explanation? How many people would read that fine print and care? So many other contracts already have provisions like this and nobody blinks an eye.

2. It need not be against their terms though? They could easily specify hyper-optimized usage in their agreements as something that might result in account closure. This is already done in a lot of other cases; they could do the same here.

3. I don't know about that. Just look at the sheer number of sites that explain how to maximize your credit card rewards/cash back/bonuses. They wouldn't seem to be there if the audience for them was so vanishingly small?


I’m fairly certain that it is not worth their efforts to cancel those accounts, evidenced by the fact that they either don’t do it, or the number of customers it affects is so vanishingly small that neither of us are aware of the practice.

If you believe so strongly that it is worthwhile for them to do this, then perhaps you have an idea for a lucrative career.

But as long as credit card fraud in the US is measured in billions, I’m going to guess that any manpower which can be assigned there is way more lucrative than any manpower assigned to demonizing their honest customers.


At a guess, stories of people who manage to come out ahead pull in a lot of people who don't.


Those merchants likely have a special contract with the card issuer to be a partner with the card issuer. Travel brands lock in repeat brand-loyal customers with mileage rewards. Some of those cards have hundreds of dollars of yearly fees, and the cardholders are spending more overall to negate the impact of the fee. Even so with rotating cards it’s easy to end up in a place where you don’t get your money’s worth or just barely beat the fee. If your card gets you 5% rewards and costs $400 a year, and you come out of the year with $600 in rewards, you’re up $200 overall while the issuer got $400 from you and $300 out of a 2.5% merchant fee, so they’re still up $100. That’s all assuming every one of your purchases was a 5% reward purchase. The issuer’s margin goes up every time you use their “Shop With CardCo” shopping portal where merchants pay more money to advertise through, or take advantage of other partner deals.

The people churning enough to actually cost the issuer money are extremely rare and there are a lot of people making sure it stays that way.

And then there are folks who get hit with interest and late fees that subsidize the big churners.


> I'm asking why their accounts aren't closed.

Because churners are a very small portion of the $20B in revenue Visa generated last year, of which it generated a ~50% profit margin.

The system works so well already, why rock the boat by closing the accounts of a few thousand individuals? It would probably cost more to enforce any such rule than they lose in revenue.


> $20B in revenue Visa generated last year, of which it generated a ~50% profit margin.

I was sure this couldn’t be right... but it absolutely is.

https://s1.q4cdn.com/050606653/files/doc_financials/2018/q4/...


Why wouldn’t it be massive? Infinitely scalable business getting a % of each and every transaction at no marginal cost. It’s basically a tax, there isn’t a better business model out there.

They don’t even take any risk lending money, just a % fee for owning the network, that one has to be on to do business with most people with money nowadays.


And by keeping the churners happy, they might recruit some real losers to the platform by word of mouth!


It's closer to 3%, and I don't think there's a way to beat that on the cash back except on a per category basis.

Also, a lot of folks end up carrying a balance in spite of their best intentions.

I suspect this happens relatively often even for folks with a long history of not doing so - e.g. maybe you get fired for the first time and start running up a balance, not long before you've run up some significant interest charges.


It's around 2% https://www.valuepenguin.com/what-credit-card-processing-fee...

And then there's huge credit card bonuses like $150 for Chase Freedom which is like $7.5k of spending's worth...

But again, that doesn't really answer my question. I very much realize lots of people do pay interest. But there are also people who don't, and possibly never have, for many years. I'm asking why do they keep those people around as customers if they're literally losing money on them? To me the obvious answer is they're still bringing value, and the only realistic form that can take as I see it seems to be their transaction data.


It looks like most 5% cash back cards have a hard limit ($1500/quarter seems to be common limit) to the amount you can get back and offer an "unlimited" cash back at a rate at or lower than 2%.

https://www.magnifymoney.com/blog/best-of/10-best-5-cash-bac...

This way they'll make money after the limit takes effect. My assumption is that they are hoping the consumer will forget there's a hard limit to the amount they can save and always go with their "5% cash back card" when making purchases.


> This way they'll make money after the limit takes effect. My assumption is that they are hoping the consumer will forget there's a hard limit to the amount they can save and always go with their "5% cash back card" when making purchases.

And that assumption is exactly what I'm saying isn't universally true. My entire point is there are customers who just rotate cards instead of still using it for lower cash back. Who do this for years. Without racking up any interest. Why do those customers' accounts get kept open?


What I was saying above is that I wouldn't be surprised if a high enough percentage of even the customers who "beat the system" so to speak for many years eventually slip up that it makes up for the rest.

If that's the case, and you can't predict who exactly that subset is going to be, you keep all of them around.


Even a lot of the unlimited 2%-3% cards rate limit you by delaying how often you can pay the bill, so essentially your credit limit limits the amount of reward you can get.

Fun fact: you can pay your US tax return with a credit card for a ~1.5% fee.


The merchants have to pay a percentage.

So, by encouraging the use of credit cards for smaller and smaller transactions, the credit card companies take a bigger and bigger bite from the merchant.

That's all on top of any annual fees and interest charges that the credit card companies hit the customer with.


Some of it's paid for by the merchants

https://www.investopedia.com/articles/personal-finance/04071...

> When merchants accept payment via credit card, they are required to pay a percentage of the transaction amount as a fee to the credit card company. If the cardholder has a participating cash back rewards program, the credit card issuer simply shares some of the merchant fees with the consumer

And some is paid by interest being paid by other customers

http://www.bos.frb.org/economic/ppdp/2010/ppdp1003.pdf

> Because credit card spending and rewards are positively correlated with household income, the payment instrument transfer also induces a regressive transfer from low-income to high-income households in general. On average, and after accounting for rewards paid to households by banks, the lowest-income household ($20,000 or less annually) pays $21 and the highest-income household ($150,000 or more annually) receives $750 every year

I also have a vague memory that some cards from the same issuer (mostly American Express) charge the merchants more for the higher-level cards, and prevent the merchant from treating those customers any differently. I can't find a source for that, but some starting points might be https://www.washingtonpost.com/business/economy/supreme-cour... and https://about.americanexpress.com/press-release/american-exp...


I'm sure this is a great article that highlights a real issue but without executing JS the page doesn't show anything besides the logo and upon inspection of the HTML delivered by the server you can see that it's almost exclusively tracking scripts (at least in the EU).


I wonder how this applies in Australia and New Zealand, our privacy laws prevent the use of credit card “Address Verification” for example.


I've discovered this problem by finding out that you can sign up for additional cash back on apps like Yelp and Dosh. When you make a purchase these companies will automatically determine whether this purchase is eligible for cash back. I'm guessing they must be buying the data for all my transactions for the purpose of figuring out whether they would give me cash back. It immediately made me suspicious since I'm getting cash back from a third party instead of from a bank.


+1. I’ve often wondered how these cashback services like the ones you mentioned, or, for example, the restaurant ones like aadvantage dining work. Do the affiliates get all your transactions? (I really hope not). Or, do the affiliates have agreements with the cc processors to flag transactions on their side?


> +1. I’ve often wondered how these cashback services like the ones you mentioned, or, for example, the restaurant ones like aadvantage dining work. Do the affiliates get all your transactions? (I really hope not). Or, do the affiliates have agreements with the cc processors to flag transactions on their side?

Banks and lenders are heavily regulated in this area and oftentimes the financial institution has absolutely no insight into the line-item level of the purchase. That data is at the prerogative of the merchant to disclose.

If $RESTAURANT offers cash back on certain purchases made with them on a certain card, the merchant already has the data of the purchase and can determine if the purchase qualifies for some cash back and notify the lender (at the expense of $RESTAURANT). Cards also follow patterns in the number scheme which would allow a merchant to determine card type and map that to current incentive offerings. By card type I mean more than just credit provider, down to the specific type of card (i.e. Sapphire Reserved vs Sapphire Preferred, etc).


There seems to be no non-terrifying answer to this question.


Depends on your definition of "terrifying."

I don't personally care that some marketer knows I purchased toilet paper then went to the tacorita on Tuesday; I'll gladly give that information away for $4.


I wish Mondex would try again. Mondex was a MasterCard idea tried in the UK that was basically 'digitized cash in a wallet which has the form of a smart card'.

Approach ATM, insert Mondex card. Feed ATM bills and coins, Mondex card gets loaded. Spend card, swipe as normal. Works offline, no connection to a bank account necessary, the money is deducted from your local card's 'account' to the 'account' on the POS/business. Your card records a transaction date/time/merchant for debits, theirs records the same for a credits.

You can transfer funds from one card to another, cash out the card offline at supporting ATMs, be used for building access/RFID cards, hold up to 5 digital wallets on one card, and more.

It was tried in the UK back in the 90s and NYC right in 2000 and worked about as well as you'd imagine in that world. But today, it would probably work much better. HK has the Octopus card which is conceptually similar and works well.

I'd certainly give either a shot so I don't have to carry physical cash but also aren't worried about having my money in someone else's hands who can lose it all due to bank fraud or have IT issues preventing payment processing.

https://en.wikipedia.org/wiki/Mondex

https://en.wikipedia.org/wiki/Octopus_card


I would guess that the money laundering potential is why it isn't around now - most stores don't let you buy a gift card with another gift card for the same reason (I've implemented this restriction in an e-comm site before). I might be wrong, but that's a potentially big legal hurdle.


Purchase data has been around for years. Marketers want to know if their ad dollars worked. “How did you hear about us?” provides scant and mostly unusable data. By matching purchase data with ad campaign data there can be more quantitative evaluation of an ad campaign’s performance.

Additionally I imagine this data is available for marketers to target buyers of Product X with Accessory Y.

Finally, marketers may use purchase data to build suppression lists; ie. Stop retargeting people that already purchased Product X. I don’t know if this happens very often in practice. It’s very hard to do well in general, and generally cheaper to spam people than buy data to shrink your list.

None of this is well-disclosed to consumers, not one bit of it is right. It just is, and it has been going on for 8+ years.


Summary? Wapo appears pay walled.



This link doesn't work either on Firefox ESR.

> Something went wrong

> We're sorry. This page failed to Outline.


And their 'report a problem' link goes to a 403 page on form submit...


Incognito mode w/ JS disabled.


How do privacy-forward payment methods like ApplePay change the math?


Headline not proven. He claimed to do an experiment and didn't find any security hole or any real results, but then blathered on about what might have happened. I can read privacy policies and make up scenarios and so can you, but so what?

And more generally, credit cards have been around a long time. Shouldn't there be more evidence by now if anyone is being harmed by sharing data about consumer purchases?


Credit cards work a little different in Denmark because we have a national debit card called the Dankort which allows for cheap credit and can be combined with other cards like visa or MasterCard.

Anyway, some years ago banks opened up the possibility to get your receipts electronically. I opted into that, not thinking about privacy at the time, and they certainly have the data to track us in ways that make Facebook look harmless, because Facebook doesn’t know your pharmacy purchase history.

I’ve never seen an impact of this that I was aware of, so maybe banks don’t actually use the data. It’s certainly not their business model to sell advertising, but who knows.


Every single purchase line by line is recorded by many companies. And the security is absolutely terrible over all. If you don't care if your spending habits are shared that is fine. I don't want my data hacked further


Then use cash?


> Then use cash?

This is typically infeasible for online transactions.


Says the pot to the kettle.


Good morning


This article is severely deficient and written to draw clicks.

It doesn't go far enough (or at all, really) to explain that the credit card issuer doesn't see the data. They see a transaction amount. There's no banana.

The current top comment about Google linking online to B&M purchases isn't a leak of privacy: it's strictly private both to Google and the merchant. You are being tracked, but not in a privacy-revealing way, just in an uber-annoying I'm-still-being-targeted so-it's-creepy-and-annoying way.

That retail merchants are tracking you is a huge, huge problem. The CC facilitates this by linking all your purchases into a single history, but it isn't the CC per se that is the problem. eg the store's own rewards card specifically does this. They don't even care if you give your actual PII up to signup for the rewards card, all they care about is that they can [even anonymously] identify the purchase stream tied to an individual.

They should go to length to better distinguish this problem because then they can get to the fact that every Apple Pay transaction is tokenized and not linkable to prior or future Apple Pay transactions.
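Two comments in this thread turn on what a card number itself reveals: the earlier one noting that cards follow patterns in the number scheme that let a merchant determine the card type, and the one above contrasting that with tokenized transactions that are not linkable. The block below is an added illustration, not code from the article or from any payment network, and it is a generic model of tokenization rather than a description of Apple Pay's actual scheme. It does three things: checks the Luhn digit and reads the network off the leading digits (the test numbers used are the networks' published test PANs); looks the first six digits up in a BIN-to-product table that is entirely hypothetical (real tables are licensed from the networks); and then contrasts a vault issuing a fresh random token per use, which outsiders cannot link, with a keyed deterministic token, which is stable and therefore linkable, and with unkeyed hashing, which is not tokenization at all because a receipt's first six and last four digits leave only 10^5 Luhn-valid candidates to hash.

```python
"""Card-number structure and tokenization, as an added illustration.

Test PANs are the networks' published test numbers; the BIN-to-product table
and the HMAC key in the usage are constructed for this example.
"""
import hashlib
import hmac
import secrets


def luhn_sum(digits):
    """Luhn weighted sum: rightmost digit has weight 1, every second digit is doubled."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_ok(pan):
    digits = [int(c) for c in pan if c.isdigit()]
    return 13 <= len(digits) <= 19 and luhn_sum(digits) % 10 == 0


# Issuer identification number (leading digits) decides the network.
NETWORK_RULES = [
    ("Visa", lambda n: n[0] == "4"),
    ("Mastercard", lambda n: 51 <= int(n[:2]) <= 55 or 2221 <= int(n[:4]) <= 2720),
    ("American Express", lambda n: n[:2] in ("34", "37")),
    ("Discover", lambda n: n.startswith("6011") or n[:2] == "65"),
]

# Hypothetical BIN -> product-tier table; invented for this example only.
HYPOTHETICAL_BIN_TABLE = {
    "411111": "Visa Traditional",
    "555555": "Mastercard World Elite",
    "378282": "American Express Platinum",
}


def mask_pan(pan):
    """PCI-style display form: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(pan):
    """What a merchant can learn from the PAN alone, before any authorisation."""
    pan = "".join(c for c in pan if c.isdigit())
    if not luhn_ok(pan):
        return {"masked": mask_pan(pan), "luhn_ok": False, "network": "unknown", "product": "unknown"}
    network = next((name for name, rule in NETWORK_RULES if rule(pan)), "unknown")
    return {"masked": mask_pan(pan), "luhn_ok": True, "network": network,
            "product": HYPOTHETICAL_BIN_TABLE.get(pan[:6], "unknown")}


class TokenVault:
    """Per-use random tokens: the same PAN yields a different token every time,
    so two merchants (or two transactions) cannot link them without the vault."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        token = secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def deterministic_token(pan, key):
    """Keyed token (HMAC): stable per PAN, hence linkable by anyone seeing the token stream."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


_DOUBLED_INVERSE = {(d * 2 - 9 if d > 4 else d * 2): d for d in range(10)}


def recover_pan(pan_sha256, bin6, last4):
    """Unkeyed hashing is not tokenization: with the BIN and last four known
    (both routinely printed on receipts) six digits are hidden, Luhn fixes one
    of them, so at most 10^5 hashes recover a 16-digit PAN."""
    unknown_from_right = len(last4)  # position of the Luhn-determined digit
    for prefix in range(100_000):
        mid5 = f"{prefix:05d}"
        digits = [int(c) for c in bin6 + mid5 + "0" + last4]  # a 0 contributes nothing
        need = (10 - luhn_sum(digits) % 10) % 10
        d = need if unknown_from_right % 2 == 0 else _DOUBLED_INVERSE[need]
        candidate = bin6 + mid5 + str(d) + last4
        if sha256_hex(candidate) == pan_sha256:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"
    print(classify(pan))
    vault = TokenVault()
    print("vault tokens differ:", vault.tokenize(pan) != vault.tokenize(pan))
    print("hashed PAN recovered:", recover_pan(sha256_hex(pan), pan[:6], pan[-4:]) == pan)
```

The vault is the only party that can join the two random tokens back to one card, which is the property the comment above attributes to Apple Pay and the reason a tokenized stream is less useful to a merchant than the raw PAN; whether a given wallet actually issues a fresh token per transaction or a stable per-device one is a question for its documentation, not for this model. The recovery loop is the caveat a practitioner wants: a SHA-256 of a card number on a receipt or in a log is reversible in well under a second, so "hashed" PANs are neither anonymized nor out of PCI scope.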



