Dr Karl

Great Moments in Science

Credit card (Source: Gary Buss/Getty Images)


Credit card theft: why it pays to be careful

Wednesday 27th January 2016 8:56 am

Criminals don’t need to steal your credit card to get your information. There are many other sneaky ways they can nab your details, says Dr Karl.

On two separate occasions, I have taken a phone call from my bank, asking me if I had just made some purchases in the town of Hendersonville, just outside of Las Vegas in Nevada in the USA. I said “no”.

In each case, the person making a purchase had spent a few dollars to see if my credit card actually worked, and then immediately jumped to a series of purchases each just under $1,000.
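The pattern described above, a purchase of a few dollars followed at once by a series of purchases each just under $1,000, is the kind of sequence a card-testing rule looks for. The sketch below is an added illustration, not taken from the original post or from any bank's system; the thresholds, the function name and the sample transactions are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumptions chosen for illustration, not bank policy.
PROBE_MAX = 5.00                  # "a few dollars" test purchase
CEILING = 1000.00                 # follow-ups sit "just under $1,000"
BAND = 0.05                       # i.e. within 5% below the ceiling
WINDOW = timedelta(hours=1)       # "immediately" after the probe
MIN_FOLLOWUPS = 2                 # "a series of purchases"

def flag_card_testing(transactions):
    """Map each suspicious card to (probe_time, follow-up amounts)."""
    # transactions: iterable of (card_id, ISO timestamp, amount) tuples
    by_card = defaultdict(list)
    for card, ts, amount in transactions:
        by_card[card].append((datetime.fromisoformat(ts), amount))

    alerts = {}
    for card, txns in by_card.items():
        txns.sort()  # chronological order per card
        for i, (probe_time, probe_amount) in enumerate(txns):
            if probe_amount > PROBE_MAX:
                continue  # not a small test purchase
            followups = [
                amt for when, amt in txns[i + 1:]
                if when - probe_time <= WINDOW
                and CEILING * (1 - BAND) <= amt < CEILING
            ]
            if len(followups) >= MIN_FOLLOWUPS:
                alerts[card] = (probe_time, followups)
                break
    return alerts

# Constructed sample data (not real transactions).
SAMPLE = [
    ("card-A", "2016-01-20T10:00:00", 2.50),
    ("card-A", "2016-01-20T10:03:00", 990.00),
    ("card-A", "2016-01-20T10:05:00", 985.50),
    ("card-A", "2016-01-20T10:09:00", 999.00),
    ("card-B", "2016-01-20T11:00:00", 3.20),    # small purchase, normal follow-up
    ("card-B", "2016-01-20T11:20:00", 45.00),
    ("card-C", "2016-01-20T12:00:00", 995.00),  # large purchase, no probe first
]

if __name__ == "__main__":
    for card, (when, amounts) in flag_card_testing(SAMPLE).items():
        print(card, when.isoformat(), amounts)
```

Only the card that shows both halves of the pattern is flagged; a small purchase alone or a single large purchase alone is not.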

Welcome to the land of credit card theft, where something can be taken from you, even though you still have it. This something is your credit card information.

Credit card fraud is the fraudulent acquisition, and/or the use of a card, or the card details, for financial gain.

Besides credit cards, this criminal fraud can include debit cards, charge cards, gift cards, and ATM cards.

In the Australian financial year of 2012-2013, nearly one-and-a-half million frauds were carried out using Australian-issued cards. The value of the transactions was around $280 million.

The information on your credit card is stored in three major ways.

First, there’s the magnetic stripe that you need to sign for.

Second, there’s the chip that needs your PIN.

And more recently, there’s the Tap-and-Go or PayWave card, that carries an internal RFID or radio frequency identification.

So while not actually stealing your physical credit card, how do the criminals get its information? Many ways.

First, the criminals manage to install malicious software on the point-of-sale device in a restaurant, bakery or hardware store. This is very common.

The crooks will use this information to make counterfeit credit cards that can be used to buy gift or debit cards, which in turn can be used to buy expensive stuff that can be resold for cash.

Second, the hackers can compromise the network of a company that processes transactions between the various banks involved – such as the bank that issued your card, and the merchant bank used by your retailer. They can steal an enormous number of card accounts in a very short time.

Third, they can attack the database or website of an online merchant.

The fourth method is an oldie but a goldie – “skimming”.

You know that there’s a slot on the front of an ATM, or petrol-pump, where you can insert your credit card. The crooks can attach a physical device onto the top of this slot – sometimes just with double-sided tape.

This skimming device has a slot, some electronics and a tiny camera. So now your credit card goes through two slots – the real one so that you can get your cash or pay for your petrol, and the fraudulent one.

The electronics in the fraudulent one capture all your card’s details, and the camera films you keying in your PIN. The electronics will sometimes WiFi or Bluetooth the stolen information to a crook in a nearby hotel or motel – and can be so fine-tuned that they will ignore all except gold and platinum cards.

A variation on skimming is when a waiter or taxi-driver might carry a small box the size of a matchbox. They take your card, smoothly and unobtrusively first swipe it through their portable skimmer, and then immediately swipe your card in the official point-of-sale device.

Other methods include malware that has been installed on your computer or a public computer, crooked employees and even the old-fashioned theft of the physical card.

But of course, it’s the hacking of computer systems that delivers the big and quick returns to the crims.

In 2013, Adobe Systems had 152 million data records stolen, Experian (a company that does credit history and offers free credit reports) had 200 million data records stolen, while that friendly retail giant, Target, had 40 million credit card numbers and various identification details stolen.

But how do the criminals, having stolen millions of credit card details, turn “data” into “dosh”? Well, I’ll talk more about that, next time.


This blog first appeared on Dr Karl's Great Moments in Science


Comments


  1. Charlie Conlon says:

    ISPs tend to require users making some queries (e.g. access from a different machine) to ‘prove (they’re) human’ by keying a set of characters displayed in an obscure form – not readily processed by a scambot. Wouldn’t it be good if ATMs did the same, at least for queries & withdrawals online? The customer could respond while waiting in a queue, perhaps keying a PIN. This could differ from the regular PIN & expire after ATM use or, say, 20 minutes. What about some public pressure, or do we expect the banks to do it as responsible traders? Honestly, I don’t mind waking up at 3am. Your devoted fan, Charlie.
