How Your Credit Card Got Stolen
That moment when you see a bunch of weird charges on your credit card or bank statement: Cigars in Brazil? Airline tickets in Nigeria? A tank of gas in Las Vegas? Someone has obtained your credit or debit card number, and now you're going to have to suffer months of updating it with all your utilities and other vendors. How did these thieves get your card information? Was it something you did? Should you have done something differently? Today we're going to look at some of the most common ways credit card numbers are compromised, correct some popular misinformation, and point out a few tips to more secure charging habits.
For this show, we don't really differentiate between credit cards and debit cards. From the perspective of keeping card info secure, there's very little difference. Either is just as likely to show up in a large database of card data that some thief acquired, and another purchased; that latter one is either making online charges in bulk, or he's printing up duplicate cards and selling and using those. What we're going to talk about today is how to minimize the chance of your card getting into that database in the first place.
One of the best known methods of stealing card numbers is a device called a skimmer. Skimmers are false card slot overlays affixed to the front of ATM machines, gas pumps, or anywhere you might slide your credit, debit, or ATM card. These take their own read off your card's magnetic stripe as you slide it into the machine. While skimmers used to be clumsy and easy to spot, today the best skimmers are seamless. They often incorporate an entire front panel of the ATM so that it looks factory fresh. Many of these also include a PIN pad overlay that captures your PIN as you type it. Most skimmers that don't include a PIN pad overlay use a hidden camera installed overhead or nearby to watch you type your PIN. Less familiar, harder to spot, and increasingly common, are "shimmers" — functionally the same as a skimmer, but thin enough to be inserted inside the card slot where they're not visible at all. Some skimmers and shimmers are retrieved by the thieves after collecting data for a time, and some transmit what they collect via bluetooth or some other wireless technology.
These days it's not very likely that a stolen database of card data came from an inside job at some financial institution. The payment card industry (PCI) has something called PCI Compliance, set by the PCI Council. They maintain the PCI DSS, or Data Security Standard, which is (in their words) "a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment." The standard is extremely rigorous, requiring a stringent set of both physical and electronic security measures. Any merchant that is fully PCI compliant is, by any practical definition, a safe place to use your credit card. Whether a company is PCI compliant or not isn't a matter of public record, but you can be sure that major online retailers like Amazon.com, and financial services companies like PayPal, are PCI compliant.
But independently achieving PCI compliance is far beyond the means of most small merchants. These companies usually go one of two ways. First, the safe way: they work with a third party credit card vault and tokenization provider that is PCI compliant. When you use your credit card at one of these online merchants, you type the card number into their online form (or if they're a brick-and-mortar store, you swipe your card at a terminal), but the card information never goes to the merchant at all; it goes directly to the third party. They store it safely and are the ones who actually process the transactions. The online merchant gets a token to reference each credit card: a long, unique alphanumeric string that will only work for that particular merchant. Since these merchants never have access to the credit card data, buying from them with your card has no practical likelihood of compromising your card.
The other way small merchants go is to simply take and process cards, and employ their own notions of security. Some merchant service providers will refuse to work with them, but others will, and often charge them a monthly fee that is essentially a fine for not being PCI compliant. This amount is usually a lot less than PCI compliance would cost them, so they do it. Whether your card is safe or not is a crapshoot. Fortunately the overwhelming majority of online transactions come from a small number of major merchants who are PCI compliant, so these sketchy merchants make up only a tiny slice of the total transaction volume.
There are a lot of people who say "Oh, I won't use my credit card online." Well, that's fine, and it's a good idea, inasmuch as never using or even having a credit card at all is the best possible defense. But probably most of these people carry their credit card around in their wallet or purse. They may even use it at restaurants or gas stations. Well, statistically, they happily use their credit card for all the riskiest behavior, and think they're somehow being safer by foregoing one of the safest behaviors. Using your credit card at a PCI compliant online merchant like Amazon.com is far, far, far safer than simply having your credit card in a wallet or purse that might be lost or stolen, or skimmed at every shop you visit. If you have a credit card, and only one choice of where to use it, choose online, not offline.
There are a lot of ways that your financial information online can be compromised that don't involve your credit card, and that unfairly contribute to distrust of online credit card use. This is a long, long list, and I don't really advise the layperson to try to learn about these, but rather to install security software from a top vendor such as Kaspersky Lab (totally not a paid endorsement, it's a genuine recommendation). To briefly describe a couple of these threats, and hopefully frighten you into protecting your computer, I'll talk about two.
One is called a "Man-in-the-browser" attack. This is trojan horse software that comes onto your computer just like a virus, and behaves like a browser extension that modifies certain web pages you look at. They are usually targeted at certain bank or online payment web sites. If you try to make an online payment through your bank, the man-in-the-browser will send payee information to the bank that's different than what you type. What you see on the web page will be what you expect, for example, a confirmation page that looks like you paid your utility bill; but what the bank was actually instructed was to send money to the thief, usually at some overseas bank. There are many, many variations of this.
Another is called "clickjacking", also usually targeted at online payment or shopping sites that it assumes many victims will have, and will occasionally be logged into. Clickjacking allows for something like a giant invisible button to be overlaid atop whatever web page you're viewing — and there are any number of ways such a layer can be injected into your browser's display of a web page — so that anywhere you click, it's hijacking that click and sending it instead to a "Buy Now" or "Donate Now" button that sends money directly to the thief from your default payment method at whatever site was targeted.
The lesson to learn from these types of threats is that while you're right to be concerned about your credit card, you're wrong to think that simply avoiding use of your credit card online makes your finances a whole lot safer.
Much of the reason for that is that most retail point of sale terminals run Windows and are connected to the Internet. As a result, they often become infected with POS malware. Thieves often design campaigns targeted at large retailers. Once a major retailer's terminals are infected, such malware collects card data, security codes, and even the valuable data from the magnetic stripe, called Track 2 data. Such malware has resulted in the theft of this data from hundreds of millions of cards all in one swoop. It is fatally naive to believe that using your card online is more risky than using it in the brick and mortar world.
So now, here are your 2017 Best Practices recommendations for credit and debit card users:
Of course there are many other avenues by which thieves get credit cards, including mugging you and taking it. You might type it into a web site over an insecure connection, you might fall for a phishing email prompting you to verify your credit card information. But no matter what you do, you'll never be 100% safe. Follow best practices, be as safe as is reasonable, and don't knock yourself out trying to prevent what is, for almost all of us, inevitable. Disputing some charges and getting a replacement card is not the end of the world.
Cite this article:
Copyright ©2021 Skeptoid Media, Inc. All Rights Reserved.