House of cards

Why your accounts are vulnerable to thieves

Last reviewed: June 2011

The bank customer was getting suspicious while trying to withdraw cash from a drive-up bank ATM in New Port Richey, Fla., last year. The blinking LED lights around the card slot were flashing faster than usual, and the slot seemed oddly slow to take his card, he told sheriff’s department officers.

Then he reached out and jiggled the card slot. It came off right in his hand. He notified the bank, and police started their investigation.

They discovered that a fake card reader, or skimmer, had been placed over the real card-entry slot and that a pinhole camera had been recording customers entering their personal identification numbers. “We have the bank surveillance tape showing the suspect installing the skimming equipment,” Sgt. Jeffrey Peake of the Pasco County Sheriff’s Office says, but the suspect couldn’t be identified.

The customer avoided becoming a fraud victim, but other Americans have not been as lucky. In the U.S., 32 percent of consumers reported card fraud in the past five years, according to a 2010 survey released earlier this year by ACI Worldwide, which supplies payment systems to financial institutions, processors, and retailers. That was up from 27 percent in 2009.

That number is likely to grow because the credit and debit cards most Americans use are surprisingly vulnerable to fraud, relying on decades-old technology that makes them more susceptible to being skimmed and counterfeited.

Even some contactless credit cards, which use radio frequency identification (RFID) chips that allow you to make purchases without having to swipe your card through a card reader, are vulnerable to virtual skimming, Consumer Reports found in its investigation. We witnessed how they can transmit data such as your card’s account number, expiration date, and security data that thieves could intercept and use to make counterfeit cards.

American credit- and debit-card data are usually stored unencrypted on a magnetic stripe on the back of each card, which thieves can easily and cheaply copy. The U.S. and some nonindustrialized countries in Africa are among the only nations still relying on magstripe payment cards, which came into wide use in the 1970s. China has announced that it will no longer produce or accept such cards after 2015; American travelers are already finding that their cards aren’t accepted at some gas stations, parking facilities, subways, and merchants in Europe. The European Central Bank has recommended that banks stop issuing magstripe cards after 2012.

Most other countries are shifting to what are known as EMV “smart cards” (the acronym comes from Europay MasterCard Visa). Smart cards use multiple layers of security, starting with a computer chip in each card that stores and transmits encrypted data and a unique identifier that can change with each transaction.

In some cases, cardholders also enter a PIN to authorize credit as well as debit transactions. Total fraud losses dropped by 50 percent, and card counterfeiting fell by 78 percent in the first year after EMV smart cards were introduced in France in 1992. Other countries that have switched have also seen card fraud decline.

So why is the U.S. so far behind? It seems to come down to money. The losses for banks do not yet exceed the costs of a switch-over, although merchants say that’s because they usually shoulder much of the cost burden from fraud.

Most cards limit liability for consumers, but the disruption in time and loss of privacy can be considerable.

“We’re falling behind the rest of the world in fraud protection, and I’m afraid American consumers are getting the short end of the stick,” says Richard Oliver, executive vice president of the Federal Reserve Bank of Atlanta and director of the Fed’s Retail Payments Risk Forum, a group that focuses on better ways to detect and reduce fraud.

Skimming is big business

Fraud patrol
Sgt. Jeffrey Peake of the Pasco County, Fla., Sheriff’s Office shows officers how a card-skimming device can steal bank-account information from customers using an ATM.
Photograph by Jay Carlson

The theft of card data in the U.S. is increasingly carried out by organized groups of thieves from other countries. In Eastern Europe particularly, thriving black-market forums exist online to buy and sell skimming equipment and stolen credit- and debit-card information.

“Losses are comfortably in the multimillion-dollar range each year but are incredibly hard to authenticate because of the discreet position that most financial institutions take when asked to assess a loss figure,” says John Buzzard, an executive at FICO, the credit-scoring company. Banking-industry data indicate that debit-card skimming in particular is rising as criminals focus on obtaining debit-card data complete with PINs to get their hands on cash more quickly. “The figures reported by some U.S. banks show losses from fraudulent debit-card transactions using PINs have quintupled at stores in the past five years, and they’ve also risen sharply at ATMs, so it’s clear crooks are succeeding in getting people’s PINs, most likely through a combination of skimming and recording PINs,” says Avivah Litan, a Gartner Research analyst specializing in fraud detection and prevention.

Gas pumps are a popular target for skimmers, especially during vacation season, when more Americans are on the road. Skimmers can be inserted inside a pump without any telltale signs. Last summer, skimming attacks at gas stations in one northern Florida county surged so much that local law-enforcement officials suggested consumers use only cash to pay for gas, according to reports provided to BankInfoSecurity.com, an industry publication.

Crooks are increasingly targeting bank branch ATMs, sometimes installing skimmers in devices near the doors where customers swipe their cards to gain access. Shelby Shearer, a police detective in Bellevue, Wash., says that ATM skimming there has exploded recently, causing more than $300,000 in losses in Seattle’s eastern suburbs in the past eight months.

To obtain the PINs, thieves might attach a keypad overlay that captures your number as you type it in, but more often they’ll install a pinhole video camera aimed at the keypad to record what you’re typing, says Kenneth Jenkins, special agent in charge of the Secret Service’s criminal investigations division. He says a recent probe of an Eastern European skimming group brought arrests of 175 people involved in skimming at ATMs in Connecticut, New York, New Jersey, and Pennsylvania, with $25 million in losses.

Criminals can quickly use the skimmed data to create a counterfeit card to withdraw the maximum allowed from each cardholder’s account at an ATM. Card issuers generally extend zero-liability protection to consumers for fraudulent use of credit and debit cards. But victims of debit-card skimming can still face financial hardships because they are without the cash while the bank investigates, which sometimes takes weeks, says Inspector Gregory Antonsen, commanding officer of the New York City Police Department’s Financial Crimes Task Force.

And the scams can have multiple victims. In December 2010, in Butte, Mont., at least 300 fraud victims reported unauthorized charges made on their cards, most of which were debit cards. Among the victims was a local sheriff. For six to eight months at an unsuspecting retailer, a cash register skimmed data from everyone whose card was swiped. Authorities say the data were sold to other criminals to make counterfeit cards used throughout the U.S. Fraudulent charges on the Butte victims’ cards ranged from $500 to $1,500.

“We’ve recommended to several of the large financial institutions that the biggest deterrent to skimming would be using the kind of cards that are issued in Europe and Canada with a chip that makes them pretty much impossible to skim, but so far they seem unwilling to do that,” says Antonsen at the NYPD.

Americans still receive magstripe cards because banks and other financial players in the card industry claim that losses due to fraud in the U.S. have not been high enough to justify the costs involved in switching to EMV smart-chip technology.

Replacing all payment cards in the U.S. could require issuers to spend as much as $2.85 billion, plus $310 million more to update ATMs to accept the new cards, according to a recent report issued by George Peabody, principal analyst at Mercator Advisory Group, consultants to the banking and payments industries. For merchants, he estimates that replacing sales terminals could cost up to $2.64 billion. But many of the nation’s big-name retailers, including Kroger, McDonald’s, Sears, and Walgreens, are pushing for an upgrade to the likes of EMV. And a few, such as Best Buy, Home Depot, and Wal-Mart, are in the process of deploying terminals that can read contact and, in some cases, contactless chip-and-PIN technology, Oliver says.

The Mercator report estimates U.S. card issuers’ total losses from credit- and debit-card fraud at $2.4 billion. That figure does not include losses that are borne by merchants, which probably run into tens of billions of dollars a year.

Merchants usually have to absorb losses for fraudulent transactions conducted by mail, phone, and online, and card issuers generally are supposed to take the financial hit for fraudulent transactions conducted in walk-in stores. But retailers report that banks also often charge those losses back to them.

Despite magstripe cards’ vulnerabilities, card issuers say they have developed effective methods to fight fraud. “We use sophisticated systems to monitor and detect fraudulent activity and employ over 1,000 people dedicated to protecting our customers against fraud,” says Paul Hartwick, a spokesman for Chase Card Services. Visa says it relies on an advanced system that detects fraud in real time.

A turning tide?

When the Federal Reserve Board analyzed fraudulent debit-card transactions that occurred in 2009, it found that merchants absorbed 43 percent of all losses reported by debit-card issuers. For credit-card losses, merchants end up eating more than half of losses from fraudulent transactions, says Doug Kantor, counsel to the Merchant Payments Coalition, a trade group representing restaurants, grocers, gas stations, convenience stores, and other retailers.

“If card issuers can make merchants absorb half of their losses on top of paying them interchange fees for each transaction to supposedly help cover fraud-related costs,” Kantor says, “why should they worry about making investments in new technology to better protect against fraud?”

But the tide might be turning. The Smart Card Alliance, an industry trade group, has issued a report on EMV, developed with the support of players including American Express, Capital One, and Chase Card Services. The report notes that “although the enormous size of the U.S. payment industry makes widespread change costly and difficult, the true cost of fraud is increasing and threatens to damage the industry’s reputation.” It says that damage “could accelerate as criminals move to the U.S. as the weakest link.”

Adopting the smart-chip standard also could provide a more secure basis for mobile payments using smart phones, which analysts expect will rapidly replace plastic cards as a form of payment. And it has been suggested that a federal mandate might be the stick required for a switch.

A carrot to entice banks and credit unions away from magstripe debit cards already exists. It’s in the hotly debated rules the Federal Reserve proposed in December 2010 to limit fees that merchants pay card issuers for debit-card transactions, Mercator analyst Peabody says.

Fiercely fought by banks, the new rules would cut the fees from a current average of 44 cents per transaction to a maximum of 12 cents. But card-reform legislation also gives the Federal Reserve an option to allow higher fees for card issuers that adopt more rigorous antifraud technology standards as set by the Fed.

No form of security technology is foolproof, of course. Researchers at the University of Cambridge in February 2010 uncovered a vulnerability in EMV smart cards that could allow a criminal armed with certain electronic equipment to make a purchase using a stolen smart card without having the correct PIN, though Gartner’s Litan says that attack method would be relatively easy to guard against.

But exposing such potential flaws and correcting them is an important part of ensuring that any security system used to safeguard consumers’ financial data is continually evolving to stay ahead of the latest schemes crooks devise to break it.

“We can’t be working eight-hour days on this when the bad guys are working 24/7,” Oliver at the Federal Reserve says.

Did you know?

A thriving black market trades in crucial personal financial data, according to Idan Aharoni, head of fraud intelligence at RSA, a security firm. He says these are sample prices that some bits of data have commanded recently.

$1,000: Name and password for an online bank account (and additional information in some cases).

$80: Magstripe data on a premium-level credit card.

$6: Mother’s maiden name.

$3: Social Security number.