
Money disappears from checking accounts, again

There is a new reason to think twice about using your debit card when you go shopping. Criminals have managed to steal ATM account information and PINs from shoppers at Dollar Tree stores in western states.

The U.S. Secret Service says it is investigating. Visa Inc. says it is too. No one will say how widespread the crime spree is, but here's a hint -- 150 consumers who shopped at a Dollar Tree store in Modesto, Calif., have told local police that a total of $170,000 has been stolen from their accounts. Similar reports have trickled in from Ashland, Ore., some 350 miles to the north.

It appears criminals are using stolen data to create counterfeit ATM cards, then using stolen PINs to withdraw money from victims' accounts. This kind of theft is far more serious than credit card fraud, because the money instantly disappears from victims' accounts, and it's up to victims to call their banks and get it back. And after 60 days, victims lose their right to refunds. That's much different from credit card fraud, which simply requires consumers to call and have items removed from their bills.

And don't forget - while victims and banks sort all this out, consumers often lose access to their checking account money. One victim I heard from said he was traveling, and suddenly couldn't access his cash. Banks often try to paint this kind of crime as painless for consumers. It's not.

The critical question is this: How did the criminals get their hands on PINs? The four-digit numbers are supposed to be sacred - so sacred that they are encrypted the moment consumers enter them into those little PIN pads that are slid across the counter at retail stores. There should be no way for any criminal to access that information. It's immediately hidden inside complicated mathematical formulas and transmitted as something called a PIN block, only to be unwrapped by the consumers' bank in order to check that PIN.

Nevertheless, the fact that the withdrawals were made makes clear that criminals somehow managed to grab PIN numbers. There is also evidence that the crime was at least somewhat sophisticated. Sgt. Craig Gundlach of the Modesto Police Department tells me the data was stolen between March and April from the local Dollar Tree store, but wasn't used to withdraw funds until mid- to late June. A casual criminal would have tried to make off with cash much more quickly.

The story echoes a massive ATM data theft that occurred late last year involving perhaps 200,000 accounts. In that case, withdrawals occurred as far away as London and Moscow. Many consumers who reported the thefts had shopped at retailer Office Max, but the firm denies it was involved in losing any consumer data.

"Obviously there were lessons from the last PIN debit breach that weren't learned," said Avivah Litan, a banking security analyst at research firm, the Gartner Group. "There is a desperate need to upgrade (security) standards."

In the Dollar Tree case, the company confirms its customers were struck by the crime. Spokesman Tim Reid said the incident was confined to "a handful of locations," but refused to say how many. He said investigators had come to no conclusions about how the data had been stolen.

The number of possible methods is limited. The PINs might have been stolen by "shoulder surfing" - criminals who watched consumers as they typed in PINs, perhaps through high-powered scopes. But given the number of compromised cards, that seems unlikely.

Criminals could also sit in the parking lot with laptop computers and download the data over a wireless network that had been incorrectly configured to store PINs. Or the PINs could have been stored incorrectly on computers connected to checkout registers -- and then copied by an employee or someone else who had access to the hardware.

Finally, the data could have been stolen from Dollar Tree's payment-processing company. Internet cybersleuth Richard Smith points out that Meridian Payment Systems indicates on its Web site that it provides processing services for Dollar Tree. Meridian is a division of National Processing Company in Louisville, Ky., which was acquired by Bank of America in 2004.

Betty Reiss, Bank of America spokeswoman, wouldn't comment on the theft. But she did insist that "we haven't lost any data." On the other hand, she confirmed that the company's consumers had recently been hit by data theft. She said Bank of America had recently canceled and reissued a "limited number" of ATM cards in response to a data leak incident -- she wouldn't specify which one.

As is standard in these incidents, hard information is nearly impossible to come by. Thousands of dollars disappear from consumers' checking accounts; mysterious card cancellation notices are received. Nearly everyone says nearly nothing, making it very hard for consumers to know how to react.

Here's my best effort at advice. Consumers' rights governing credit card thefts are much stronger than rights governing debit card theft. So it makes sense to use credit cards for retail purchases instead of debit cards. Each time you give anyone your debit card, you are exposing your entire checking account to possible fraud. It's true that on most occasions, consumers receive a full refund of the stolen money. But you still have to get the refund. Wiping off fraudulent credit purchases is much easier.

As long as ATM PIN thefts remain this mysterious, I'd recommend leaving your check/debit card in your wallet and using a credit card instead.


Designed and Published by:  Trans Atlantic Systems ©2005