With almost weekly revelations about new, big data breaches or malware attacks, it’s easy to get numbed into complacency. Especially when doing otherwise might introduce inconvenience into our daily lives. But literally, can you, afford to ignore these and similar threats?
Global losses due to fraudulent credit card, debit card, and mobile payment transactions reached $22.8 billion in 2016, according to recent data from the trade publication Nilson Report. Breaches are, by far, the largest source of the stolen payment information that’s enabling these financial crimes with more than 4.5 billion records compromised in just the first half of 2018.
How can your data be stolen?
Now that you understand how cybercrime is increasing by leaps and bounds, how do thieves get your payment data anyway? Regardless of whether you are using a debit or credit card, these methods are varied and pretty similar overall, with some minor variations for mobile devices such as your smartphone.
There’s the “old fashioned way” in cases where a restaurant employee might take away your card to “run it” through their point-of-sale (POS) terminal. During this process, the employee or someone else can simply copy down the relevant data from your card and use it later.
Skimming, now shimming
There’s skimming, in which the bad guys attach a physical device to a card reader on the premises somewhere at a store, restaurant, gas station or similar. These devices capture your card identifying numbers, including your PIN. But a newer variant of this in which the capturing device is almost undetectable has been coined “shimming.” With shimming, an extremely thin microchip and flash memory device is placed into the slot into which you insert the “chip” of your chipped credit card. You can’t see it from the outside of the reader, but you can see it on your credit statement!
Enterprise data breaches can rake in a lot of data in one fell swoop. This is big business: the perpetrators sell their purloined data on the dark web. Not all of these breaches capture your debit or credit card details; for instance, the recently revealed 50-million user Facebook breach won’t include those. But there are those that do—for instance, the massive Target breach in 2013 exposed the card information of over 110 million customers. Earlier this year, the parent company of department stores Macy’s and Bloomingdale’s reported that some customer data, including names and card numbers, were exposed to an unauthorized third party. There are many more security breaches — and those are the ones that are detected and disclosed.
High tech spying: RFID and infrared
While less efficient than stealing thousands of records in a data breach, thieves who are in physical proximity to you can suck up your payment information with high-tech gadgets. And with “contactless” payment, it’s possible to use a RFID reader to intercept the data that passes between the payment device such as your card or smartphone and the device reader. Whether this is actually an active method of the dark forces out there is not entirely clear.
Or, how’s this for nervy? By using an infrared camera, an attacker an determine the PIN number that you entered on an electronic keypad at an ATM or POS terminal. The infrared camera captures the latent heat signature left by your fingers on the keypad. Since the heat signature dissipates with time, the thief can tell the order in which the keys were pressed. Viola! The bad guy has your PIN and is now heading to the ATM machine to drain your funds.
Will newer technology protect you?
At the pace of our technological changes, it’s hardly new—but “chip” and “PIN” cards (sometimes called EMV technology) are a newer entry into the electronic transaction space, and contactless payments are even newer. The purveyors of these tools, of course, tout their increased security over prior methods and indeed, they contain extra fraud-protection layers not present in a magnetic “swipe” type of card. But, they can be hacked, too.
What’s the answer to avoiding theft?
Deep down, you already know it. The only absolute way to not give electronic fraudsters a chance is avoid using any electronic payment methods or even putting any of your other personal data in electronic form. Sure, like that’s going to realistically happen. So, besides renting out trucks and stuffing them with actual cash, or gold bars for those high-end purchases, what’s a reasonable person to do? First, accept that absolute invulnerability is impossible, and then remember these tactics for reducing the risk of being scammed.
- Make sure your credit and debit cards are EMV-compliant. Look for the chip embedded in the front of the card. And, if your retailer is still using the magnetic stripe for transactions, and not the chip…well, think about changing your retailer loyalties. Or pay in cash. Seriously.
- Before you insert your card, check card-reading devices for what might look odd or tampered with, which might mean a skimming or shimming device is present. Be especially watchful at gas stations and ATMs that are not inside a bank, which are more popular with fraudsters.
- If you are entering a PIN or passcode, cover your typing hand with your other hand, and rest some additional non-typing fingers on the keypad. This covers two scenarios: someone looking over your shoulder or having a hidden camera, watching your keypresses, and the presence of an infrared camera.
- For online purchases: Never make your online purchases over public Wifi networks like in the airport lounge, restaurants or your hotel unless you’ve taken extra security precautions, such as installing specialized security software. Or wait until you get home to buy that big-screen TV, and make sure that similar security layers are installed to protect your private internet connection.
- Also make sure that the web page in which you enter your card data uses the SSL/TSL protocol. A tiny lock icon in the address field of your web browser should be displayed, and the full web address should start with “https.”
- Finally, don’t ever submit your payment info twice for a given transaction. If you are asked twice, it’s possible that someone has infiltrated the retailer’s system and inserted a fake web page with a man-in-the-middle attack, in which case you will be delivering your card details straight to the bad guys.
- If you use contactless payment, consider using RFID-shielding, whether in a wallet, sleeve, or bag.
- Most card issuers now allow you to set up automatic notifications when a purchase is made that is over a predefined limit. Set these up.
The only SURE way to catch a crook
It’s pretty simple really. Boring, even, but it’s got to be done. Check your credit card and bank account statements regularly and often, even every day. If you see any strange or unfamiliar purchases—or odd purchased locations— report it immediately to the card-issuer. The truth is, cyber fraud is here to stay. So don’t be negligent—take these defensive measures and avoid being a victim.