Feature Article
Mark Pribish
Your 2011 Summer Vacation Threat: Credit/Debit Card Skimming and RFID Fraud - Part I
By Mark Pribish
Vice President and ID Theft Practice Leader

In just the last six weeks, a breathtaking number of data breach events have taken place including some of the most well-known corporate names in the United States including Anthem Blue Cross, Bank of America, Citigroup, Delta Dental, Lexis-Nexis, Michaels Stores, Regions Bank, Sony, Sun Trust Bank, and the SEC (Securities and Exchange Commission).

This information is important to know because if the companies listed above (and other companies that you and your family members have a relationship with) do not or cannot protect your Personally Identifiable Information (PII) from being lost or stolen – then your PII (including back account, Social Security Number and driver's license numbers) could fall into the hands of ID Theft criminals resulting in ID Theft, fraud or some other negative life changing event.

Separate from the above, and with the summer vacation season upon us, it is even more important for you to learn about the threat of Credit/Debit Card Skimming and the use of Radio-Frequency Identification (RFID) technology which is being used to commit ID Theft and fraud.

Please note that I will write about Credit/Debit Card Skimming in this month's newsletter and how Radio-Frequency-Identification or RFID technology is being used to steal your and my PII in our July newsletter.

That said, credit and debit card transactions have become and will continue to be a primary target for ID Theft criminals. In particular, here are four types of skimming fraud that you and your family should be aware of, especially as your travel away from home on summer vacation:

  • Pay-at-the-Pump Skimming – unlike ATM skimming devices which are attached to the outside of the ATM on the card reader, Pay-at-the-Pump skimming devices can be placed inside the gas pump unbeknownst to the gas station/convenience store and the customer. Unfortunately, ID Theft criminals are aware that all gas pumps have a universal key which provides easy access to the card readers inside. This allows the ID Theft criminal access to install a skimming device between the card scanner and the computer/control board.

  • ATM Skimming – unlike Pay-at-the-Pump skimming devices, financial institution ATM requirements include unique keys and codes for service and maintenance. However, law enforcement has documented multiple methods of ATM Skimming where ID Theft criminals replace PIN pads on branch lobby ATMs with manipulated devices that collect card details and PIN's as customers use their cards. Law enforcement has also reported on how ID Theft criminals attach a skimming device and a pinhole camera just above the keypad of an ATM so while the skimmer collects credit / debit card information, the camera captures the associated PIN number.

  • POS (Point-of-Sale) Skimming – two recent POS Skimming examples include a regional grocery store chain (of 1,100 stores) where customers swiped their credit / debit cards using Point-of-Sale terminals that were tampered with by ID Theft criminals. The POS credit card reader was breached by the ID Theft criminal by attaching a small skimming device inside the card reader. The skimmer then stores all information for every credit card that is processed through the card reader. Specific to debit cards, the skimmer can even record the PIN number.

    A second POS Skimming example happened just last month at Michaels Stores where customers used the POS terminals at stores in at least 20 states which had been breached by ID Theft criminals. These criminals infiltrated the Michaels stores by pretending to work for the Point-of-Sale company (Social Engineering) that handled the stores transactions and put skimmers on the POS card readers. As you might have guessed, these skimmers captured the credit / debit card numbers and 4 digit PINs of customers. See details from Michaels, including affected stores list here.

  • Magnetic Card Reader Skimming – this happens when ID Theft criminals take your card away from you and then bring it back after they have received authorization for a specific transaction (e.g. at a restaurant). Your risk of ID Theft and credit / debit card fraud happens when your card is out of your sight and a dishonest employee or independent contractor swipes it through a card reader that stores the information from the magnetic strip allowing for the creation of a fraudulent credit / debit card. Examples of industry groups where this can happen include hospitality (e.g. restaurants, bars, hotels, and sports events) and healthcare (e.g. emergency rooms and drive though pharmacies).

To conclude, I have listed below some tips to help you fight the ID Theft criminals and credit/debit card skimming:

  1. Never allow your debit card to be swiped away from your view.
  2. Try not to have your credit card swiped away from your view.
  3. Keep an eye out for suspicious individuals who are watching you use your credit or debit card.
  4. Pay for your gas inside the convenience store or gas station versus paying at the pump.
  5. Look closely at the card readers and key pads of ATMs and POS machines to spot something unusual, as some have safety seals which should not be broken.
  6. Take advantage of online banking by regularly checking your bank and credit card accounts.
  7. Take advantage of bank account and credit card alerts to notify you of specific transactions.
  8. Education including ID Theft scams in your hometown and where you will be travelling on vacation.

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.

Sincerely,
Mark


Scam Central

We are here to support you. Not!

No matter what type of operating system your computer has, when you have a serious problem with your computer, you would like to think that the operating system vendor would be willing to help you get it fixed. In fact, would it not be great if a software company was proactive and called you to tell you something was wrong with your computer and that they want to help you fix it? That is just what is happening to many computer users over the past year. The only problem is, there was no problem in the first place, and the company calling was not who they were claiming to be.

How It Works:

Identity thieves are now targeting Windows users, posing as Microsoft support technicians. The technicians try to trick the user into believing that a virus has infected their computer, and they will even point the user to log files indicating some computer issues. They then offer to help the user remove the virus by having the unsuspecting victim purchase, download, and install a piece of software on their computer. They may also try to dupe the user into letting them control their machine remotely so they can fix the problem for them. However, the technician does not work for Microsoft, and the software they want the victim to download is a malicious program that will allow the thief to steal the user's online account information, including account numbers and passwords.

Your Defense:

This scam is not new, it has been reported for the last year, but seems to be resurging and targeting new victims. If you receive a call from any software vendor, be leery. Never give any person who calls you unsolicited access to remotely control your computer. If you do initiate a support call with a software vendor, they should not charge you to purchase a program to install and correct any issues. The support technician should have the ability to fix the problem with a set of tools they can install free of charge. If you later need to purchase an anti-virus utility, you can choose the vendor yourself. Also, if you do initiate a support call, make sure that you get a support ticket number. If someone calls you pretending to be a support technician and they do not have the support ticket number given to you before, hang up immediately.

While some operating systems do allow you the option to automatically submit bug and other technical information about your system to the software vendor, unless you have initiated a support ticket, no technician should ever call you out of the blue to tell you there is a problem with your computer. They should also not charge you for an additional piece of software to help fix your alleged problem.

Having support in times of need is a good thing. Just make sure that who you think you are talking to is who they claim to be.

If you believe your identity has been stolen, call 866.SMART68 today.