15 votes

"Visa" Gift Cards - What should I be looking at?

(Not sure this should be under ~finance, but not sure where else to post?)

I've been de-googling and going more privacy-based for most anything I can lately, and I always love when my company gifts me a $100 Visa gift card for Christmas.
I find myself paying for a lot more of the booze in our lives (usually one shot at going out, and before additionally replenishing a few dollars on my TouchTunes account because I've only used gift cards on it) because now nothing's tracking my sinful habits. :)
Honestly, I mostly would like to use this card to do online things with apps I honestly don't want to be attached to (specifically Discord, and I'd like to recharge TouchTunes, but... that's more of a secondary option).

That being said, I'd like to get some sort of non-"traceable" type of card (that is, physical and not requiring an account or app), and I'd prefer to keep as much of my "investment" as I can (purchase charges, fees, or whatnot). I would like a rechargeable option, but I feel that would be too pinpoint-y. I could just go to my local store (in the US) and buy cards with cash, but while I have no problem with that, I'm also not that paranoid and I am a little lazy heh.

I asked my DDG search, and AI has highlighted "toasty choice" (at toastycard dot com) which looks sketch AF, probably because it appears you need an app. Maybe I'm paranoid, but it just looks too sketch for me.

So, I would like to hear folks' thoughts on this. Do you have a spot you'd recommend to purchase "gift" cards online, or a local spot (as I mentioned, US companies would be required), and any strings attached you'd highlight that may be avoidable?

26 comments

  1. [16]
    Carrow
    https://www.privacy.com/ may do the trick. You'd still link your CC to it, but they generate virtual cards for you. I haven't used it myself but other folks including tilderinos have recommended it.

    11 votes
    1. [12]
      puhtahtoe
      (edited )
      Be wary of using privacy.com.

      In order to use privacy.com you have to link a bank account. Privacy.com talks a big game about security and how they don't store your bank credentials, only a token to access your account, but that's only half the story.

      Privacy.com uses a service called Plaid as an intermediary with your bank. Plaid supports connecting with hundreds or thousands of banks and credit unions.

      When you select your bank, Plaid shows you a login screen with your bank's logo and fields for your bank credentials. To an uncritical eye, it may look like you're just logging into your bank's site to grant Plaid access. However, if you look at the address bar, you'll see that you're on a page hosted by Plaid and your bank credentials are going not to your bank, but to Plaid. This is because Plaid works by storing your bank credentials and using them when necessary to directly access your bank account with full permissions as if they are you. With most banks there is no OAuth or API involved - Plaid just uses your credentials to log into your bank's web interface with automated tools.

      Plaid may have the best intentions in mind but the fact of the matter is that in order to do what they do, they MUST have your credentials stored in a way that they can be decrypted and used in order to access your bank account.

      Privacy.com is technically telling the truth when they say that they don't store your credentials but in my opinion, they are being almost maliciously deceptive in how they talk about it. Sure, they may not be storing the credentials but the service they require their users to use is storing them.

      Plaid itself is a little shady to me in how they present the bank login screen to users. It feels as if it's designed to trick users into thinking they're on an official bank site when logging in.

      I can't speak for every bank but I know that the ones I've used have said to never share your login credentials with anyone. I fear that if the day comes that Plaid is compromised and all of the credentials they have stored are leaked and people's accounts start getting cleaned out, the banks might just say customers have no recourse because they broke TOS by sharing their credentials.

      I personally will not touch anything Plaid with a ten foot pole.

      Note: This info is from roughly three years ago when I looked into Privacy.com and discovered Plaid. I haven't looked into it much since then but after a cursory google it looks like the situation is still the same. I am happy to be corrected if things have changed though.

      Edit: I decided to look into Plaid again and it looks like they at least aren't hiding what's happening now but imo it's still a very bad idea to trust any third party with your bank credentials. There's just too much at risk with virtually no cover if something goes wrong. https://plaid.com/safety/

      Edit 2: Since people are saying Plaid uses OAuth with more banks now, great! If you're going to use it just watch the login process to see if you're logging in on your bank's website or if you're giving your credentials to Plaid.

      20 votes
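The check suggested in "Edit 2" above (is the login on the bank's own site, or on the aggregator's?), written out as an added example that is not part of the original comment. It also looks at where the login form posts, which goes slightly beyond reading the address bar; `bank.example` and `aggregator.example` are constructed placeholder hostnames.

```javascript
// Added example: hostnames are constructed placeholders, not real banks.

// Domains the user has confirmed belong to their bank (assumption: taken
// from a card or statement, never from the link that led to the login page).
const BANK_DOMAINS = ["bank.example"];

// Lower-case and drop a trailing root dot so "Bank.Example." compares equal.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True only for the bank domain itself or a subdomain of it.
// A bare endsWith("bank.example") would also accept "notbank.example".
function isBankHost(host, bankDomains) {
  const h = normalizeHost(host);
  return bankDomains.some((d) => {
    const dom = normalizeHost(d);
    return h === dom || h.endsWith("." + dom);
  });
}

// Classify where a password typed on this page would be sent.
// pageUrl: what the address bar shows.
// formAction: the login form's action attribute; may be relative or empty,
// in which case the form posts back to the page itself.
function classifyLogin(pageUrl, formAction, bankDomains = BANK_DOMAINS) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(formAction || "", page); // resolve relative actions
  } catch {
    return "invalid";
  }
  if (page.protocol !== "https:" || target.protocol !== "https:") {
    return "insecure";
  }
  // The URL parser has already separated userinfo from the host, so
  // "https://bank.example@aggregator.example/" is judged on aggregator.example.
  const pageIsBank = isBankHost(page.hostname, bankDomains);
  const targetIsBank = isBankHost(target.hostname, bankDomains);
  return pageIsBank && targetIsBank ? "bank" : "third-party";
}
```

A "bank" result only covers the declared form target; script on the page can still read the fields, so the hostname in the address bar remains the first thing to check.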
      1. [5]
        tibpoe
        I don't think this is an accurate description; I've been using Plaid (and before that Mint) since close to the start, and I always thought the relationship was clear. The whole situation is entirely the banks' fault anyway, banks refused to provide any kind of API access to their data, requiring a screen scraping approach that neither Plaid nor the banks nor their customers liked.

        Anyway, things have gotten better. Most of the top institutions now provide API access and don't require that you give Plaid your password. From my quick testing, all these use API integration:

        • Bank of America
        • Amex
        • Chase
        • Wells Fargo
        • Citibank
        • US Bank
        • PNC
        • USAA
        • Navy Federal
        8 votes
        1. [3]
          Greg
          That's useful - accurate info is always a good thing - but I'd still be deeply skeptical of any company that would even consider storing users' banking credentials. Same way I wouldn't want to eat from a place with a zero food hygiene rating even if I watched them use safe ingredients to make my sandwich in particular, you know?

          My one almost-interaction with Plaid actually was an API integration, too, but they still wanted access to all of my past and future transactions in order to process a single one-off payment, which was more than enough to put them on my "absolutely not" list even before I knew about the credential storage.

          3 votes
          1. [2]
            Asinine
            Yeah, I read the ToS when I first encountered it. It seemed like a great idea but after reading some stuff I didn't like, it was a hard nope.

            @tibpoe I'm not really sure what API really entails, but my two banks are on that list. Not really pertinent to this topic, but I may have to start figuring that stuff out.

            1 vote
            1. turmacar
              API is shorthand for "programmatic access" basically. Programs talking to programs. It's kind of like using a command line computer interface in that it's a bunch of text in a specified format (and encrypted) being sent back and forth.

              If a bank doesn't provide some way for that to happen, the next best approach is to load the bank's website as normal, log in with your username/password, and read the webpage. This all happens in code on a server somewhere, it doesn't need a screen.

              The difference is when a bank and Plaid (or whoever) are communicating through an API, the bank knows it's talking to Plaid, not you. The bank and Plaid have their own agreed encryption key/token instead of your username/password. Ideally Plaid can only read info for your accounts, because that's what you gave permission for, but not do anything else like authorize a transaction.

              If they're just using username/password there's nothing to distinguish between talking to you and talking to Plaid, or whoever gets a hold of Plaid's database. Which is hopefully itself encrypted and it's not as easy as someone 'stumbling' across thousands of valid bank logons... but that's the concern.

              If you also have 2 Factor Authentication set up (preferably an app instead of text messaging, but texts are better than nothing) that's another layer of security. It basically limits the time Plaid or anyone else has access to your accounts. It makes it so every time you want to refresh / load new transactions you have to give the 2FA code, which unfortunately neither Plaid nor any of their competitors I've used are all that graceful about handling. Some just give up or ask you to disable it, which isn't acceptable.
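The difference described above between a scoped API token and a shared password, as an added toy model that is not part of the original comment and is not any real bank's or Plaid's API. The `Bank` class, the scope names and the sample customer are all hypothetical.

```javascript
// Toy in-memory bank, constructed for illustration only.
class Bank {
  constructor() {
    this.passwords = new Map(); // user -> password
    this.tokens = new Map();    // token -> { user, client, scopes }
    this.audit = [];            // who the bank believes acted
    this.nextId = 1;
  }
  addCustomer(user, password) { this.passwords.set(user, password); }

  // OAuth-style grant: the customer logs in at the bank and approves one
  // client for specific scopes. The client never sees the password.
  grant(user, password, client, scopes) {
    if (this.passwords.get(user) !== password) throw new Error("bad login");
    const token = `tok-${this.nextId++}`; // real tokens are long random values
    this.tokens.set(token, { user, client, scopes: new Set(scopes) });
    return token;
  }
  revoke(token) { return this.tokens.delete(token); }

  // Password path: whoever presents the password is treated as the customer,
  // so every action the customer can take is allowed.
  withPassword(user, password, action) {
    const ok = this.passwords.get(user) === password;
    return this.log(ok ? "customer" : "unknown", user, action, ok);
  }
  // Token path: the bank knows which client is calling and checks the scope.
  withToken(token, action) {
    const g = this.tokens.get(token);
    if (!g) return this.log("unknown", null, action, false);
    return this.log(g.client, g.user, action, g.scopes.has(action));
  }
  log(actor, user, action, allowed) {
    const entry = { actor, user, action, allowed };
    this.audit.push(entry);
    return entry;
  }
}

// What one copied aggregator record permits under each integration style.
function compareExposure() {
  const bank = new Bank();
  bank.addCustomer("alice", "correct horse"); // constructed sample customer
  const scraped = { user: "alice", password: "correct horse" }; // stored-credential record
  const token = bank.grant("alice", "correct horse", "aggregator", ["read:transactions"]);
  const result = {
    passwordRead: bank.withPassword(scraped.user, scraped.password, "read:transactions"),
    passwordTransfer: bank.withPassword(scraped.user, scraped.password, "transfer"),
    tokenRead: bank.withToken(token, "read:transactions"),
    tokenTransfer: bank.withToken(token, "transfer"),
  };
  bank.revoke(token); // customer cuts off the aggregator; password unchanged
  result.tokenAfterRevoke = bank.withToken(token, "read:transactions");
  return result;
}
```

In the audit log the password path always records the actor as the customer, while the token path names the client, which is what lets a bank attribute, limit and revoke third-party access.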

        2. puhtahtoe
          I agree that it's the banks' fault at the core but that doesn't make it not the customer's problem if you work around it and something goes wrong.

          I'm glad more banks offer actual API access now but on Plaid's safety page that I linked in my edit they very prominently still refer to you providing bank credentials to Plaid. There is also a page that directly answers the question -
          https://support-my.plaid.com/hc/en-us/articles/4410324401047-Does-Plaid-have-access-to-my-credentials

          1 vote
      2. [2]
        Bonooru
        Always nice to see someone else who's concerned about Plaid and their ilk. I remember looking for an easy budgeting option a few years back and couldn't find anything that didn't want my bank credentials.

        5 votes
        1. puhtahtoe
          Yeah it's kind of crazy how normalized it's gotten. I've talked about these concerns with Plaid on reddit a few times and been downvoted.

          Not sharing credentials is online safety 101 yet for some reason people just don't think about it with possibly the most important credentials they have.

          9 votes
      3. Asinine
        Dang, yeah I've avoided Plaid like the plague. Thanks for pointing this out.

        I would have likely noticed when signing up and going to purchase - I'd rather them not have any info like that, especially now that I know that Plaid's in the background.

        2 votes
      4. [2]
        Adys
        This is entirely outdated information. Almost every US bank supports oauth and plaid has implemented it all since. They are also one of the biggest proponents pushing for this standardization.

        1 vote
        1. puhtahtoe
          If things have improved then that's good, however Plaid still prominently refers to you providing your credentials to Plaid on their safety page - https://plaid.com/safety/

          They also have a page specifically answering if they store credentials on which they say that they do when a bank doesn't support OAuth - https://support-my.plaid.com/hc/en-us/articles/4410324401047-Does-Plaid-have-access-to-my-credentials

          2 votes
      5. Carrow
        Wow I hadn't heard any of this before, I'll strike it from my recommendations going forward. Thank you for the in depth explanation.

    2. [2]
      JCPhoenix
      (edited )
      Privacy is good. I use it for some things. Less so for privacy and more for the credit card fraud/identity theft protections if a merchant gets breached (creating single use cards, card that can only be used at one merchant, spending caps, etc). That said, I actually don't know how much info is passed to the merchant. Their website says the following:

      > What information does Privacy share with the merchant?
      >
      > When you transact using a Privacy Card, the information shared with the merchant by Privacy as part of the card transaction includes the 16-digit Card number, expiration date, CVV, and billing address entered at checkout.
      >
      > Separate from your Privacy Card transaction, the merchant will also see your name when you provide it during checkout.
      >
      > Privacy does not share personally identifiable information with merchants, though if there is a transaction dispute, merchants will be able to see the name that you provided during checkout.

      Which sounds like you can use any name or address/zip code for these. I actually didn't know that! I always use my real info, again because I'm not using it primarily for privacy. Though of course, if someone is ordering a physical product, could be more difficult to hide a name and address from the merchant since they gotta send you something.

      And of course, Privacy itself does have the user's personal information. Probably for KYC/AML purposes. Wonder how long they retain those records.

      5 votes
      1. dangeresque
        > Which sounds like you can use any name or address/zip code for these

        That's correct. They will authorize the transaction no matter what name or address is sent to them. There's not much sense from a security standpoint in verifying those anyway since each card number is unique and locked to the first merchant that uses them.

        However, a merchant/processor's fraud detection mechanisms might be a little more picky. Sometimes they validate that an address actually exists before trying to process the transaction, so you have to go find a house on a map. One merchant, I could not get it to process without giving it my real name and address... I have no idea how they knew.

        3 votes
    3. Asinine
      Thanks, I believe I was hoping for something like this. I did want a physical option, but depending on how fees and whatnot play out, this may work just as well.

      2 votes
  2. [2]
    Omnicrola
    Depending on what CCs you already have, your CC provider may offer a service that generates one time or limited use virtual card numbers you can use, that behind the scenes tie into your existing account. That of course lets the provider know your business, which may or may not be acceptable to you.

    5 votes
    1. Asinine
      I would prefer the app to not know, vs the CC, though I'd also not prefer that. But I really hadn't thought of looking into it, thanks.

      2 votes
  3. [4]
    R3qn65
    To answer any question like this it's really helpful to know who specifically you're hiding from and what level of detail you're trying to hide. As a random example, you mention using a visa gift card to buy liquor so nobody is tracing your bad habits. That's fine, but credit card providers don't see what you're buying, only what you spent, so if you're buying liquor at a regular grocery store nobody would know anyway (besides the grocery store). And similarly, you don't want to buy visa cards in cash because it's not worth it. That's fine too, but then you're not really hiding anything from e.g. a government effort against you because they could put those details together pretty trivially.

    I guess the fundamental question is this:

    > Honestly, I mostly would like to use this card to do online things with apps I honestly don't want to be attached to (specifically Discord, and I'd like to recharge TouchTunes, but... that's more of a secondary option).

    Are you trying to hide your credit card number from discord or hide discord from your credit card company? Which one and why? Understanding that will help people give better advice.

    3 votes
    1. [2]
      Requirement
      As a quick aside: In many states, the liquor portion of the grocery store is separate from the grocery store. So while your credit card/bank may not know what specific items are on your receipt, they almost certainly know the vendors are separate and unique, and that you are buying liquor (as will your budgeting app.) Additionally, (and I have to preface this with I'm not positive on physical locations doing this and don't have the time to look into it at the moment), vendors are happy to sell out transaction details. Even if you de-personalize these transaction details, with the amount of fingerprinting that happens to all of us from all angles, I would suspect it is relatively trivial to match transaction to individual, especially if the entity you are trying to hide from is "governmental level."

      3 votes
      1. Asinine
        Yes, but where I live liquor stores are a state-run business; so if I go to the store next to it beforehand, I'll pull out cash for the liquor. Beer can be sold in grocery stores, which I know is filed under "groceries".

    2. Asinine
      Mostly I don't want any personal info going out to apps. They typically have an email or know I use Google Play, but that's about it.

  4. PraiseTheSoup
    I receive these prepaid visa gift cards, as a gift, once a year and it used to be you could spend it anywhere, online or in person, without any account or setup. About 2-3 years ago I would say that changed and now you need to set up an account to use them online and they ask for an address and other things that I just didn't want to provide, but you can still spend them in person without any setup.

    I used to specifically use these cards to game free trials because you could use a card with like $3 to get the trial and then when they tried to bill you after it expired there wouldn't be enough money and it would just auto cancel. I'm going to assume this is part of the reason they now make you set up an account.

    I guess what I'm saying is I'm not sure what you're asking for exists anymore, but hopefully I'm wrong.

    1 vote
  5. [2]
    solgrove
    ...Should I be concerned with companies tracking how much alcohol (and marijuana, for that matter) I buy? It's... kind of a lot.

    Is it in case health insurance companies start using that data to deny claims to heavy drinkers? Have they started doing that already? I hadn't considered that before, but it's entirely plausible.

    1 vote
    1. Asinine
      I'm not sure it's reached that point ... yet. But with how all our data is so easily bought/sold, I've been wary of stuff like this for a while.
      I mean, with law enforcement able to purchase paid tracking systems to see where my car goes on the regular, why not add in where my last CC purchase was when they pull me over... "Oh, you were at a brewery? Are you driving drunk?"

      1 vote
  6. pseudolobster
    I've recently discovered that those visa gift cards are actually refillable. I'm not sure if it's a service any retailers actually provide, but I recently worked for a point-of-sale company where I needed to troubleshoot an issue with prepaid cards. I ended up buying a $20 Vanilla visa card, spending all the money on it during testing, then refunded the money I spent testing to the card.

    What I realized after the fact is, I wasn't refunding a specific transaction, I actually had ten or fifteen transactions and I just hit refund, $20, manager code, ok, and it put twenty bucks on the card. Incidentally I ended up defrauding a dollar or so since I realized there was a small balance left, leaving my $20 card with $21.39 or something.

    Any retailer could take twenty bucks cash, hit refund on their machine, and put that money on the card.

    I'm not sure if this is helpful or not. Like I said I don't know if this is a service any retailer actually provides.