The bank customer was getting suspicious while trying to withdraw cash from a drive-up bank ATM in New Port Richey, Fla., last year. The blinking LED lights around the card slot were flashing faster than usual, and the slot seemed oddly slow to take his card, he told sheriff’s department officers.
Then he reached out and jiggled the card slot. It came off right in his hand. He notified the bank, and police started their investigation.
They discovered that a fake card reader, or skimmer, had been placed over the real card-entry slot and that a pinhole camera had been recording customers entering their personal identification numbers. “We have the bank surveillance tape showing the suspect installing the skimming equipment,” Sgt. Jeffrey Peake of the Pasco County Sheriff’s Office says, but the suspect couldn’t be identified.
The customer avoided becoming a fraud victim, but other Americans have not been as lucky. In the U.S., 32 percent of consumers reported card fraud in the past five years, according to a 2010 survey released earlier this year by ACI Worldwide, which supplies payment systems to financial institutions, processors, and retailers.
Even some contactless credit cards, which use radio frequency identification (RFID) chips that allow you to make purchases without having to swipe your card through a card reader, are vulnerable to virtual skimming, Consumer Reports found in its investigation. We witnessed how they can transmit data such as your card’s account number, expiration date, and security data that thieves could intercept and use to make counterfeit cards.
American credit- and debit-card data are usually stored unencrypted on a magnetic stripe on the back of each card, which thieves can easily and cheaply copy. The U.S. and some non-industrialized countries in Africa are among the few nations still relying on magstripe payment cards, which came into wide use in the 1970s. China has announced that it will no longer produce or accept such cards after 2015; American travelers are already finding that their cards aren’t accepted at some gas stations, parking facilities, subways, and merchants in Europe.
Most other countries are shifting to what are known as EMV “smart cards” (the acronym comes from Europay MasterCard Visa). Smart cards use multiple layers of security, starting with a computer chip in each card that stores and transmits encrypted data and a unique identifier that can change with each transaction.
“We’re falling behind the rest of the world in fraud protection, and I’m afraid American consumers are getting the short end of the stick,” says Richard Oliver, executive vice president of the Federal Reserve Bank of Atlanta and director of the Fed’s Retail Payments Risk Forum, a group that focuses on better ways to detect and reduce fraud.
Gas pumps are a popular target for skimmers, especially during vacation season, when more Americans are on the road. Skimmers can be inserted inside a pump without any telltale signs. Last summer, skimming attacks at gas stations in one northern Florida county surged so much that local law-enforcement officials suggested consumers use only cash to pay for gas, according to reports provided to BankInfoSecurity.com, an industry publication.
Crooks are increasingly targeting bank branch ATMs, sometimes installing skimmers in devices near the doors where customers swipe their cards to gain access.
To obtain the PINs, thieves might attach a keypad overlay that captures your number as you type it in, but more often they’ll install a pinhole video camera aimed at the keypad to record what you’re typing, says Kenneth Jenkins, special agent in charge of the Secret Service’s criminal investigations division.
But many of the nation’s big-name retailers, including Kroger, McDonald’s, Sears, and Walgreens, are pushing for an upgrade to the likes of EMV. And a few, such as Best Buy, Home Depot, and Wal-Mart, are in the process of deploying terminals that can read contact and, in some cases, contactless chip-and-PIN technology.
Despite magstripe cards’ vulnerabilities, card issuers say they have developed effective methods to fight fraud. “We use sophisticated systems to monitor and detect fraudulent activity and employ over 1,000 people dedicated to protecting our customers against fraud,” says Paul Hartwick, a spokesman for Chase Card Services. Visa says it relies on an advanced system that detects fraud in real time.
But the tide might be turning. The Smart Card Alliance, an industry trade group, has issued a report on EMV, developed with the support of players including American Express, Capital One, and Chase Card Services. The report notes that “although the enormous size of the U.S. payment industry makes widespread change costly and difficult, the true cost of fraud is increasing and threatens to damage the industry’s reputation.” It says that damage “could accelerate as criminals move to the U.S. as the weakest link.”
Source: Consumer Reports magazine: June 2011