My work day usually begins with a review of the latest news in the payments industry; I check mobile payments news first and then credit cards and everything else. There are very few days on which I don’t see a headline about the latest bust-up of a credit card skimming operation (I haven’t run the numbers, but “bust-up” does seem to be the preferred way for journalists to describe the taking down of a skimming crime ring). Typically, such news stories give us little more than a simple account of the details: who got arrested, what they did and where, how much they stole before getting caught, etc. Every now and then, however, there would be a more detailed review of the latest data and trends and this morning there were two of them.
Ars Technica’s Sean Gallagher has taken up the task of educating us on how skimming works in practice and has done a marvelous job at it. So much so that I fear that his piece alone may end up producing a whole new generation of skimmers. For his part, CardRatings.com’s Matt Brownell is more concerned with the opposite end of the skimming scheme and examines its effects on the cardholders. Let’s take a look at these two articles.
How Skimming Works
Before I begin, let me remind you that skimming is the process of illegally copying the data contained in a payment card’s magnetic stripe. This information can then be used to manufacture counterfeit cards, which can be used to pay for purchases or for ATM withdrawals. And it has never been easier to buy skimming equipment. Here is Gallagher’s short list of skimming devices, complete with their market price:
The skimmer’s gear starts with a card reader. Anyone can buy one, and they’re relatively inexpensive. You can get a basic reader, ready for hacking, from an electronics store for around five bucks or start with a complete USB-based off-the-shelf model for about $30 retail. (Interested hardware hackers can find instructions on how to build a complete card reader with an Arduino prototyping board for under $15 on Instructables.) More sophisticated readers, such as those with built-in Bluetooth connectivity, run for about 10 times that amount. Self-contained pocket card readers — the tool of choice for credit-card skimming rings like the Manhattan steakhouse operation — sell for around $200 and can store thousands of card swipes in digital form.
There are two distinct types of skimming environments where the readers can be deployed. When the target is an unattended terminal, such as an ATM, a grocery store self-checkout or a gas pump, the criminals would attach a reader to the machine’s card slot. Skimming devices can be so well-designed that even an experienced eye may not be able to discern anything out of the order, never mind the casual cardholder. The other type of skimming operations relies on hand-held devices that are most often used at restaurants. Here is how such a scheme works, in the words of Shirley Inscoe, senior analyst for the Aite Group, a consultancy, as quoted by Brownell:
You could have a waiter in a restaurant or someone else who takes your card for the briefest moment, and they will swipe your card in a device that has memory to hold the information of hundreds or thousands of credit cards.
Who Loses from Skimming?
Skimming is a big and still growing problem. In 2010 alone, one in five Americans were hit by an ATM skimmer, according to a report from Javelin Strategy & Research, another consultancy, and skimming losses in the U.S. totaled close to $1 billion, according to data from Bankrate.com cited in the same Javelin study. However, these losses are split among the card issuers, payment processors and merchants, whereas the cardholders are left largely unaffected. As credit expert John Ulzheimer puts it in Brownell piece:
We as cardholders thankfully have very effective protection against fraud. As long as you’re diligent enough to check your account online, read your statement and let them know right away [if you find fraudulent charges], you really have almost no liability.
However, the fact that consumers are not directly hit by the skimming losses doesn’t mean that we are left untouched by their indirect effects. Fraud losses, including from skimming operations, are reflected to at least some degree in the credit card interest rates and fees that we pay. So no one is unaffected.
We can and should be paying closer attention to the readers through which we swipe our cards, but it’s really difficult to focus on such a routine process (I know I’m guilty of not doing it). And anyway, inspecting the reader is only an option at unattended terminals. As Brownell notes, when checking out of a restaurant, you can’t just follow the waitress to see what she does with your credit card.
A more realistic hope may be offered by the upcoming adoption of the EMV technology in the U.S. In EMV-based payment cards the account information is stored into a chip that is attached to the card, not in the outdated magnetic stripe. Chip-based cards cannot be read by a traditional skimming device, however they have other vulnerabilities, one of which is that the information that is exchanged between the card’s chip and the merchant’s terminal can be intercepted during transmission. Still, countries that have shifted to the EMV technology have seen a marked fall in card fraud losses.
Image credit: HD.org.