Card fraud: It happened to me
That's right -- I'm a victim of ATM fraud. What's funny is that I edit a couple of security magazines. I consider myself pretty well-versed in the mechanics of fraud, because I write about people who commit fraud all the time. But sure enough, when I checked my bank statement yesterday, I found that someone had made several withdrawals from gas station cash machines that I had never visited, on days when I had not withdrawn money, supposedly using my card. Even more peculiar was the fact that my card was in my possession all of the time, and that no one knows my PIN. So how did this happen?
Was my bank account hacked? Highly unlikely. For one thing, my bank uses two-factor authentication. Before I can access my account, I have to plug my card into a special reader that they sent me in the mail, which gives me a one-time number to enter on the website.
Anyway, hacked bank accounts are generally used to transfer money directly to other accounts, and this person used my card to take money directly from a machine at a Shell gas station. So, my card must have been copied.
In most parts of Canada, ATMs work by reading the magnetic stripe on the back of your card and getting you to enter your four-digit PIN. The data on a magnetic stripe is unencrypted and very easy to read and write using hardware components that you can buy from most electronics stores. If you can gain access to the magnetic stripe on a card, you can copy it very simply. But that still leaves our enterprising thief with the problem of finding the person's PIN, which is not stored on the magnetic stripe. When you type a PIN into a PIN pad, the pad encrypts it and the machine sends it electronically to your bank, which checks that the number you entered matches the one it has in its records. The ATM itself never holds the bank's copy of your PIN; it only learns whether the bank said yes or no.
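To make the two halves of that paragraph concrete (the stripe is plaintext, the PIN is not on it), here is an added example, not code from the original article. It parses ISO/IEC 7813 Track 2 data, the format a skimmer captures, and then builds the ISO 9564-1 format 0 PIN block that a PIN pad assembles from the typed PIN and the card's PAN before it is encrypted and sent to the issuer. The sample track is constructed for this example using the well-known Visa test PAN 4111111111111111 with a made-up expiry, service code and discretionary field; the zone-key encryption between ATM and bank, and the issuer-side HSM that would normally hold a PIN offset rather than the PIN itself, are deliberately omitted.

```python
import hmac
import re

# ISO/IEC 7813 Track 2 layout:  ;PAN=YYMMSSS<discretionary>?  (an LRC may follow the '?')
# PAN is 1-19 digits, expiry is YYMM, SSS is the three-digit service code.
_TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)

# Constructed sample for this example (Visa *test* PAN, invented expiry/service/discretionary data).
SAMPLE_TRACK2 = ";4111111111111111=12121011234567890123?"

# Service code digits relevant to skimming (ISO/IEC 7813).
SERVICE_FIRST = {
    "1": "international interchange, magstripe",
    "2": "international interchange, chip preferred",
    "5": "national interchange only, magstripe",
    "6": "national interchange only, chip preferred",
    "7": "no interchange except bilateral agreement",
    "9": "test card",
}
SERVICE_THIRD = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: weeds out mis-read swipes, proves nothing about authenticity."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Decode everything a skimmer gets from one swipe. Note there is no PIN field."""
    m = _TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not ISO 7813 Track 2 data")
    pan, expiry, service = m["pan"], m["expiry"], m["service"]
    return {
        "pan": pan,
        "luhn_ok": luhn_ok(pan),
        "expiry": f"{expiry[2:]}/{expiry[:2]}",  # stripe stores YYMM; show as MM/YY
        "service_code": service,
        "interchange": SERVICE_FIRST.get(service[0], "unknown"),
        "pin_policy": SERVICE_THIRD.get(service[2], "unknown"),
        "chip_card": service[0] in ("2", "6"),  # a chip card swiped on magstripe is a fallback
        "discretionary": m["disc"],  # issuer-specific; may carry CVV1/PVV, never the PIN
    }


def _pan_field(pan: str) -> bytes:
    # Format 0 PAN field: 0000 + rightmost 12 digits of the PAN excluding the check digit.
    return bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))


def pin_block_format0(pin: str, pan: str) -> bytes:
    """Clear ISO 9564-1 format 0 PIN block: (0 | len | PIN | F-pad) XOR PAN field.
    A real PIN pad builds this inside tamper-resistant hardware and encrypts it under a
    TDES/AES zone key before it leaves the device; this example stops at the clear block."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Issuer side: strip the PAN field back off and validate the block's structure."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if len(block) != 8 or pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(pin_field[1], 16)
    pin = pin_field[2:2 + n]
    if not (4 <= n <= 12) or not pin.isdigit() or pin_field[2 + n:] != "F" * (14 - n):
        raise ValueError("malformed PIN block")
    return pin


def issuer_pin_ok(block: bytes, pan: str, pin_on_file: str) -> bool:
    """Simplified issuer check. Real issuers compare against a PIN offset/PVV inside an HSM."""
    try:
        entered = pin_from_block(block, pan)
    except ValueError:
        return False
    return hmac.compare_digest(entered.encode(), pin_on_file.encode())


if __name__ == "__main__":
    fields = parse_track2(SAMPLE_TRACK2)
    for k, v in fields.items():
        print(f"{k:>13}: {v}")
    block = pin_block_format0("1234", fields["pan"])
    print("clear PIN block:", block.hex().upper())
    print("issuer accepts 1234:", issuer_pin_ok(block, fields["pan"], "1234"))
```

Run it and the parsed fields show exactly what a skimmer walks away with: PAN, expiry, service code and discretionary data, everything needed to write a working clone, and no PIN. That is why the skimmer needs the camera, and why a tampered PIN pad is worse: it sits in the one place where the PIN exists in the clear.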
So, how did these people get my PIN, which I purposely made sure wasn't anything obvious, such as my birthdate? I never told that PIN to anybody (and neither should you).
It could have happened in several ways. When I entered my PIN into a card reader while making a purchase, malicious software programmed into the machine may have been used to read the data and then send it to someone else.
Does that sound far-fetched? Think again. As far back as 2007, PIN pads were replaced with tampered ones at a Wendy's in Edmonton. The fraudulent PIN pads picked up the customer data, including the PIN, and transmitted it over a Bluetooth interface to a device the criminals used to store it. That same year, US restaurant chain Dave & Buster's admitted that credit and debit card numbers were stolen from the computer systems at 11 of its locations through compromised point-of-sale systems. It happens a lot more than you might think.
But my money (literally, apparently) lies with card skimming. I visited Vancouver recently, looking for a place to live, and took money out of a few machines using my card while I was there. Criminals have become increasingly sophisticated at developing card skimmers. These devices, carefully crafted to look like the outside of the card slot on a cash machine, fit over the real slot you use when inserting your card to withdraw cash. They pass the card through to the machine, but read the magnetic stripe while they are doing it. A tiny camera embedded in the device films your hand as it enters the PIN. All of the information is stored, and at an opportune time, the thief comes and removes the skimmer, complete with a database of juicy magstripe data and PINs that can be used to clone perhaps hundreds of cards.
Think you'd be smart enough to spot a skimmer? Well, check out these excellent pictures of a modern skimmer, posted on security writer Brian Krebs' blog.
How can you avoid suffering the same fate? Well, I could tell you to watch for skimming devices, but as you can see they are so well made these days that it is hard to spot them. One thing you should always do when entering your PIN is to put your free hand (or, better still, something larger like a magazine) over your other hand while you key in the number. That way, a camera won't pick it up. It's certainly something I'll be remembering to do in the future. The problem is that none of that will help if your data is stolen by a tampered point-of-sale device. There is absolutely nothing you can do as a customer to check the validity of a PIN pad that has been covertly replaced by a crook.
No, the only real defence against this is to check your banking statements, as often as possible. That means not waiting up to a month for a paper statement to be delivered. Instead, you should be considering safe and secure online banking options that let you see your transactions at least once per week. I spotted the fraud because I happened to check in with my online bank account via my phone, purely by coincidence. If you see any suspicious activity at all, call up and cancel your card immediately, as I did.
A 2010 report on identity fraud released this week by Javelin Strategy and Research showed that almost 5% of the US adult population had suffered from identity fraud (which includes other types of fraud, not just ripped-off cards). When victims wait to read paper statements, it takes 39 days on average to discover the fraud, and costs them an average of $274. When they monitor electronically, it takes them an average of 30 days, and costs them $116 on average.
Anyway, I'm going to give you more information on how to monitor your bank statements quickly and easily online another time. Right now, I'm off to go and call my bank's fraud department. Wish me luck.
Danny Bradbury, MSN Tech & Gadgets
Comments

Posted by: Tamara | Feb 11, 2010 12:15:28 PM
Happened to me, Danny. Funny thing was, I check my statement all the time and there weren't any transactions that were NOT mine. I found out I was a victim because the bank put a hold on my account. Peculiar, but I guess it happens. Long story short, the fraud company identified a transaction that was not on my statement and notified the bank. A new card was issued to me right away and the money was put back into my account within two weeks, even though the illegal transaction appeared on the fraud company's statement, not mine.