The Ever Present Credit Card Scam

When people ask me, “How do I protect myself from credit card fraud?” I tell them, “Cancel the card, or never use it.” Because that’s the only way. Otherwise, all you can do is hope the merchant has a sophisticated system in place to mitigate the fraud.

The FBI’s Internet Crime Complaint Center’s Annual Report determined that the total dollar loss from all cases of fraud in 2009 that were referred to law enforcement by IC3 was $559.7 million; that loss was greater than in 2008, when a total loss of $264.6 million was reported. Some estimate identity fraud in total at over $50 billion.

Flaws in the system used to issue credit facilitate new account fraud, since creditors often neglect to fully vet credit applicants with technology as essential as device reputation. Account takeover requires nothing more than access to credit card numbers, which can be accessed by hacking into databases or skimming cards at a point of sale terminal, ATM, or gas pump.

You should be aware of these common scams:

Micro Charges: Micro charges are fraudulent charges ranging from twenty cents to ten dollars. The idea is to keep the amounts low enough to go unnoticed by cardholders.

ATM Skimmers: Criminals can place a card reader device on the face of an ATM to copy your card data. The device, which appears to be part of the machine, may use wireless technology to transmit the data to the criminals. In many cases, thieves will also hide a small pinhole camera somewhere around the ATM (in a brochure holder, mirror, or speaker, for example) in order to record PIN numbers as well. Always cover the keypad with your other hand when entering your PIN.

Dummy ATMs: ATMs can be purchased through eBay or Craigslist and installed anywhere. (I bought one from a guy at a bar for $750.) A dummy machine has been programmed to read and copy card data.

Phone Fraud: The phone rings and it’s a scammer claiming to be calling from your bank’s fraud department. The scammer may already have your entire card number, which could have been stolen from another source. You might be asked about a fictional charge you supposedly made, and when you deny it, you’ll be told to provide your three- or four-digit CVV number in order to have the charge removed. Never give out this type of information over the phone.

Phantom Charges: When searching for something on the web, you come across a great deal. In the process of ordering, the website informs you that a discount is available along with a free trial of another product. Thinking you’re saving money, you take the bait. The next thing you know, your card is being charged every month and the company makes it very difficult to cancel the charges.

Look for and do business with companies that have a comprehensive, defense-in-depth approach to protect consumers against identity and financial fraud. Check your credit and banking statements carefully. Scrutinize every charge and call your bank or credit card company immediately to dispute any unauthorized transactions.

(Be sure to do it within 30 or 60 days at most, depending on the type of card.)

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses ATM skimming on Extra TV. Disclosures.

“Flash Attacks” Make Big Money for Debit and Credit Card Scammers

The latest ATM scam is so brilliantly simple, it’s hard to believe that it actually works. Apparently, banks’ fraud detection systems are unable to flag nearly simultaneous transactions from the same account. This leaves bank customers vulnerable to what’s been termed a “flash attack,” in which multiple scammers use a stolen debit card number to withdraw cash from the same account.

Once a victim’s debit card number has been successfully skimmed, the card can be cloned, say, 100 times, and the cloned cards can be distributed to 100 people. All 100 people can then use the cloned cards to withdraw cash from 100 different ATMs within a brief window of five or ten minutes. If 100 people withdraw $200 each from the same account, at the same time, the scam nets $20,000 in almost no time.
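The gap described above is a missing velocity check: nothing counts how many different ATMs one account touches within a few minutes. The sketch below is an added example, not code from this post or from any bank’s system; the log format, account and terminal IDs, the ten-minute window, and the two-terminal limit are all assumptions made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed, from the post's "five or ten minutes"
MAX_TERMINALS = 2               # assumed policy: distinct ATMs allowed per window

# Constructed sample log: timestamp, account, ATM id, amount in dollars
SAMPLE_LOG = """\
2011-02-01T12:00:05 ACCT-1001 ATM-017 200
2011-02-01T12:00:40 ACCT-2002 ATM-090 60
2011-02-01T12:01:10 ACCT-1001 ATM-230 200
2011-02-01T12:02:30 ACCT-1001 ATM-411 200
2011-02-01T12:03:00 ACCT-1001 ATM-552 200
2011-02-01T12:45:00 ACCT-2002 ATM-091 40
2011-02-01T13:30:00 ACCT-1001 ATM-017 100
"""

def parse(log):
    """Yield (timestamp, account, terminal, amount) from whitespace-separated lines."""
    for line in log.splitlines():
        if line.strip():
            ts, account, terminal, amount = line.split()
            yield datetime.fromisoformat(ts), account, terminal, int(amount)

def detect_flash(events, window=WINDOW, max_terminals=MAX_TERMINALS):
    """Flag withdrawals that push an account past max_terminals distinct ATMs
    inside the sliding window. Returns (alerts, dollars flagged per account)."""
    recent = defaultdict(deque)  # account -> (timestamp, terminal) still in window
    alerts, flagged = [], defaultdict(int)
    for ts, account, terminal, amount in sorted(events):
        q = recent[account]
        while q and ts - q[0][0] > window:  # drop withdrawals older than the window
            q.popleft()
        q.append((ts, terminal))
        distinct = len({t for _, t in q})
        if distinct > max_terminals:
            # A real system would decline or hold here instead of only recording.
            alerts.append((ts, account, terminal, distinct))
            flagged[account] += amount
    return alerts, dict(flagged)

if __name__ == "__main__":
    alerts, flagged = detect_flash(parse(SAMPLE_LOG))
    for ts, account, terminal, distinct in alerts:
        print(f"{ts} {account} at {terminal}: {distinct} ATMs within {WINDOW}")
    print("dollars flagged:", flagged)
```

Counting distinct terminals rather than raw withdrawals keeps a customer who makes two quick withdrawals at the same machine from tripping the rule.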

Your credit or debit card number can be skimmed in a number of different ways:

Wedge Skimming: The most common type of skimming occurs when a salesperson or waiter takes your credit or debit card and runs it through a card reader, which copies the information contained in the card’s magnetic stripe. Once the thief has obtained the credit or debit card data, he can then burn the card number to a blank card, or simply use the number to make purchases online or over the phone.

POS Swaps: Many people pay for goods or services by swiping a credit or debit card through the in-store point of sale machines. EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal has been replaced with a skimming device. In Australia, fast food chains, convenience stores, and specialty clothing stores have been common targets. McDonald’s, for example, has been hit with this scam.

ATM Skimmers: A card reader device can also be placed on the face of an ATM, disguised as part of the machine. It’s almost impossible for the average user to recognize a skimmer unless it is of poor quality, or the user has an eye for security. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror, or car-stereo-style speaker on the face of the ATM in order to capture the victim’s PIN. The device may use Bluetooth or cellular technology so that the thieves can obtain the data remotely. Gas pumps are equally vulnerable to this type of scam.

Data Interceptors: Rather than simply placing a skimmer on the face of a gas pump, some criminals place a data-stealing device inside the pump. Posing as a fuel pump technician, a criminal can use a universal key purchased on eBay to access the terminal. Once inside, they unplug a cable that connects the keypad to the display, and piggyback their own device within the mechanism, in order to capture all the unencrypted card data.

Dummy ATMs: ATMs can easily be purchased through eBay or other outlets, and installed in any heavily trafficked location. The machine, which might be powered by car batteries or plugged into the nearest outlet, is programmed to read and record card data. I found one advertised on Craigslist and picked it up at a nearby bar, for $750 from a guy named Bob.

Once credit card numbers have been skimmed, hackers can copy the data on to blank cards, hotel keys, or “white cards,” which are effective at self-checkouts, or in situations where the thief knows the salesperson and is able to “sweetheart” the transaction. A white card can also be pressed with foils, giving it the appearance of a legitimate credit card.

Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. In order for the $50 limit to apply to debit cards, fraud victims must notify the bank within two days of discovering the fraudulent transactions. After two days, the maximum liability jumps to $500.

When using an ATM, gas pump, or point of sale terminal, always cover your PIN.

As inconvenient as this may seem, regular debit card users should check online statements daily.

Consider limiting your debit card use. I use mine only two or three times a month, for deposits and withdrawals.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)