Gone are the days of the good old-fashioned purse snatcher. With less brute force and more skill, thieves need only a minute, sometimes a second, to pilfer your credit card data. “Back in the beginning, they got the imprint of credit cards from the carbon copies they dug out of the trash,” says William Noonan, assistant special agent in charge of the Secret Service’s criminal investigative division. “Technology has changed things.”
The number of compromised records has been on the decline over the last two years, according to the Secret Service, after reaching a record high of 361 million records in 2008. The trend might reverse this year, however, after a recent string of mishaps. This spring criminals hacked, phished or skimmed their way into the systems of Michaels Stores, Sony, marketing firm Epsilon, Citibank and even security expert RSA, among others. In some cases, they only obtained names and emails. In the worst cases, they got credit card numbers.
The schemes are simpler than you think. Bankrate presents the most common ways thieves pilfer your credit card information.
1: Suspect: the waitress at the diner
The waitress whisks away your credit card and swipes it through the restaurant’s register. Then, she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that, says Sergeant David Schultz of the Fort Bend County Sheriff’s Office in Texas. While you’re scraping the last of the chocolate frosting from your plate, your credit card information has been stored in the device, known as a skimmer. The waitress returns your card and performs the same magic trick on dozens of credit cards in a week. The data-stealing waitress has been known to moonlight as a bartender, sales clerk or at any place where she can take your credit card out of sight.
2: Suspect: the toy store trio
Sally, Simon and Bud walk into a toy store. Sally and Simon roam the aisles, while Bud waits in line to check out. When Bud is at the register, Simon comes running up to the clerk, screaming that his wife has fainted. As Sally and Simon distract the sales clerk, Bud switches the credit card reader at the register with a modified one of his own, says FICO’s Fraud Chief Mike Urban. For the next week, the sales clerk unwittingly collects credit card data on the modified reader until the trio returns, takes back the modified reader and restores the original terminal. The trio will hit other retailers and restaurants, but sometimes the threesome will instead be a duo or a solo criminal.
3: Suspect: the Gas Lass
The Gas Lass parks her car in front of a gasoline station off the turnpike. It’s late. There’s no one around except a sleepy attendant at the register inside. The Gas Lass attaches a skimmer over the credit card reader at the pump. It’s a special skimmer: It emits a Bluetooth signal to a laptop close by, says Noonan. The Gas Lass pays, heads off to the motel next door and sets up her laptop to receive the data from the compromised pump over the next several days. The Gas Lass installs skimmers over ATMs, parking meters, vending machines and any other places with unmanned credit card readers.
4: Suspects: Harry the Hacker and Phishing Phil
Harry the Hacker installs malware — a type of software that damages or infiltrates a computer or network — onto a legitimate website with low security. The malware instantly downloads onto your computer when you visit the site and allows Harry to access your information. In another scenario, Harry puts malware on public computers and gathers the information you share with that computer, says Urban. Harry also infiltrates the computer systems of banks, retailers and other businesses and extracts personal account information, Noonan says.
I think we all assume the companies that issue credit cards will do everything possible to prevent and detect the fraudulent use of that card. But according to a recent report from Javelin Strategy & Research, that’s not always the case.
They looked at policies and procedures at 24 of the country’s top credit card issuers and found that financial institutions do a much better job than retailers when it comes to credit card security.
Javelin named Bank of America “best in class” for the seventh consecutive year with an overall score of 70 percent, significantly higher than the average score of 55 percent.
Clearly, it’s better for the bank and the customer to stop fraud, rather than deal with it afterward. USAA earned the top score for preventing fraud. Bank of America was a close second in the prevention category, followed by Citi.
Javelin named Wells Fargo best at detecting fraud.
You might not know it, but your credit card company is tracking your every move. Advances in how card providers and networks process massive amounts of data from card usage mean they often alert consumers to potential fraud before consumers notice anything amiss.
That’s what happened to Ted Sindzinski, a digital marketer who lives in Orange County, Calif. A few months ago, out of the blue, his card provider called and asked him if he had recently made a purchase at the women’s retailer Anthropologie. He hadn’t. The company immediately shut down his card and denied several more online charges. “I was surprised when [the card provider] called me. I know card fraud can happen to anyone, but I didn’t think I’d have an issue given how diligent I am,” Sindzinski says. He still doesn’t know how or where the fraudster got his card number.
Banks are increasingly responding with that kind of aggression. While card providers and networks have long analyzed shoppers’ spending data to look for problems, they now have more automated systems in place as well as more sophisticated methods of sorting through data. And by the end of the year, consumers will start noticing an even newer technology that will almost completely shut down point-of-sale fraud.
“[Card companies] look for patterns and search for anomalies,” says Kurt Helwig, president and CEO of the Electronic Funds Transfer Association. “If you typically use your card in the D.C. area, and then suddenly it’s being used in Eastern Europe, they’ll flag that. Or if you usually keep your spending under $1,000 a month, and then there’s suddenly a purchase for $6,000, it will raise flags,” he says. The card provider will then call the customer and ask him or her to verify the purchases.
Companies are often first alerted to problems by customers themselves, and the information can then be used to identify other instances of fraud. “As consumers recognize fraud on their accounts, they call in, and [card providers and networks] note that in their system, and then they’ll build a sort of heat map of all the areas where they are seeing consumers report fraud,” says Julie Conroy, a research director at Aite Group, a Boston-based research and advisory firm. After the card providers and networks identify hot spots, like a certain merchant that keeps coming up, then they will proactively notify customers, she explains.
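The two checks Helwig and Conroy describe, as an added Python example that is not from the article or from any card network: rule flags for an unusual region or an outsized purchase, and a merchant "heat map" built from customer fraud reports. All transactions, card names, the single shared profile and the three-report threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (card, merchant, region, amount in USD).
TXNS = [
    ("card-A", "Diner 12", "DC", 42.0),
    ("card-A", "Grocer", "DC", 88.0),
    ("card-A", "Web shop", "Eastern Europe", 310.0),
    ("card-B", "Diner 12", "DC", 35.0),
    ("card-B", "Pharmacy", "DC", 6000.0),
    ("card-C", "Diner 12", "DC", 51.0),
    ("card-C", "Grocer", "DC", 64.0),
    ("card-D", "Grocer", "DC", 20.0),
    ("card-D", "Pharmacy", "DC", 15.0),
    ("card-E", "Diner 12", "DC", 27.0),
]
# Assumed profile shared by every card: usual region and usual monthly spend.
PROFILE = {"region": "DC", "monthly_spend": 1000.0}
# Cards whose holders have called in to report fraud (constructed).
REPORTED = {"card-A", "card-B", "card-C"}


def flag_anomalies(txns, profile):
    """Flag purchases outside the usual region or above the usual monthly spend."""
    flags = []
    for card, merchant, region, amount in txns:
        if region != profile["region"]:
            flags.append((card, merchant, "unusual region"))
        elif amount > profile["monthly_spend"]:
            flags.append((card, merchant, "amount above usual monthly spend"))
    return flags


def hot_spots(txns, reported, min_reports):
    """Rank merchants by how many fraud-reporting cards were used there."""
    cards_at = defaultdict(set)
    for card, merchant, _region, _amount in txns:
        cards_at[merchant].add(card)
    rows = [(m, len(cards & reported), len(cards)) for m, cards in cards_at.items()]
    rows = [r for r in rows if r[1] >= min_reports]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def cards_to_notify(txns, reported, min_reports):
    """Cards seen at a hot spot whose holders have not reported fraud yet."""
    hot = {m for m, _n, _t in hot_spots(txns, reported, min_reports)}
    return sorted({c for c, m, _r, _a in txns if m in hot} - reported)


if __name__ == "__main__":
    print(flag_anomalies(TXNS, PROFILE))
    print(hot_spots(TXNS, REPORTED, min_reports=3))
    print(cards_to_notify(TXNS, REPORTED, min_reports=3))
```

The merchant where the stolen number was later spent (the web shop, the pharmacy) does not surface as a hot spot; the one that recurs across reporting cards' histories does, which is why the remaining card seen there is the one to notify.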