Cybersecurity, Security, Security Awareness
If you live in the U.S. and have ever noticed false charges on your credit card statement and had to call your bank to have your card canceled, chances are that you are the victim of skimming.
Skimming is the most popular way to steal credit card numbers in the United States.
It works like this:
An evil hacker places a device over or near the credit card reader at a gas station or ATM. When an unsuspecting victim uses the gas pump, the pump WORKS just like normal but an evil hacker has grabbed your credit card number and PIN (or zip code). The skimmers are made to look just like part of the gas pump, point of sale station at a store or ATM. Some skimmers are so well made they can even fool security experts.
Does this card reader have a skimmer installed? It might take an expert to take it apart to find out.
This problem primarily exists in the United States because we have been slow to convert our point of sale systems to “chip and pin”. That is changing now but the adoption is slow.
According to security researchers skimmers have a high return on investment. Researchers claim that a skimming device costs $20 or less to manufacture and can bring in more than $4,000 per day.
Because the devices are difficult to visually detect, a gas station owner will likely have no idea that his customer’s credit card number are being stolen. That may now be changing.
The Achilles heel of skimmers is that the evil hacker has to collect the stolen numbers from the device. The evil hacker likely does not want to retrieve the device after it has been placed so most skimmers wirelessly transmit their data to a nearby cell phone, Wi-Fi router or specialized Bluetooth device.
A team of computer scientists at UC San Diego and the University of Illinois has developed an app that can detect skimming devices by their unique Bluetooth radio transmissions. The app, called Bluetana, detects the skimmers’ wireless transmissions and thus allows inspectors to find them without the need to dismantle point of sale devices and gas pumps.
This could be a significant tool in helping to stop skimmers, however at this time they are only releasing the app to state and federal inspectors.
While I am certain this will be a wonderful tool for state and federal inspectors, I personally don’t think those inspectors cover enough ground per week to put much of dent in this highly popular form of cyber theft. I hope that the researchers will allow use of the app to a broader audience such as verified merchants that use credit card readers or at least a broader range of security and law enforcement agencies.
What can you do to protect your corporate and personal credit card numbers from skimmers?
The good news is that credit card companies will almost always refund false charges on your credit cards as long as you catch the false charges in a reasonably short amount of time. The bad news is that typically you will be greatly inconvenienced by having your card number retired and replaced and if you or your employees are traveling the problems could become serious.
Since some experts can’t always spot a skimmer, trying to learn to spot these devices yourself or to teach your employees to do so is likely not going to be a realistic solution.
One solution might be to have a policy that you and your employees are not to use a credit card in a reader that does not support Chip and PIN. This is not entirely practical because at this time in the US there are still many merchants that you might need to purchase gas, lodging or supplies from that will not have secure readers. Also, often times you don’t know a merchant’s reader does not have the chip reader disabled until during checkout.
A methodology that I personally use is to carry two credit cards. Once credit card is used for readers that are Chip and PIN. This card I have tied to “important stuff” like auto deduct services and other accounts. It also has a high credit limit. The second card I carry is used for readers that I do not trust. If this card number is stolen I still have a backup card and because the limit on the second card is low, my risk is lowered.
I realize that none of these procedures offer a great or convenient solution to the problem. That is why the creation of this new app is so compelling. If the app were to be available more widely the cost/benefit of skimmers would go way down along with how commonly they are used. Currently, Bluetana is only available to official gas pump inspectors in select U.S. states and the researchers have noted this is not expected to change soon.
I will keep an eye out for new versions of apps like Bluetana and update this blog with my findings so check back, and let’s hope the researchers change their minds about availability.
Recap for reducing your exposure to skimmers:
- Check your online account often for false charges
- Avoid merchants with “slide type” card readers (non Chip and PIN)
- Have a spare credit card when traveling and use the spare for non Chip and PIN transactions
- Let merchants know you would like to see them upgrade to more secure card readers
