Seeking Security with New Credit Card Technologies

RFID chip pulled from new credit card (Photo credit: Wikipedia)
Visalia Direct: Virtual Valley
October 5, 2015 Deadline
November 2015 Issue

This summer, I had a credit card “cloned” while driving along the Interstate 76 Tollway. Because I check my credit card statements online after any trip, I noticed the fraudulent charges and cancelled the card. Credit cards remain one of the easiest targets for criminals and no easy solution seems likely. Two years ago, I had another credit card number stolen by a waiter. Local police informed me that such thefts remained the most common form of credit card fraud.

In both instances, I did everything “right” and was still a victim of thieves.

The waiter stealing card numbers asked to see my driver’s license before walking away from the table. He was writing down numbers, expiration dates and card verification values while standing behind a low wall. With these data, another criminal ran charges at a convenience store, listing charges as gas purchases.

When a credit or debit card leaves your sight, there’s little you can do to protect yourself from such simple, old-fashioned fraud. Before electronic credit card processing, unscrupulous cashiers would double-imprint cards to steal numbers. Today, there are smartphone apps that use the phone camera to capture card numbers and security codes. Stealing cards in person is easy… and difficult to prevent.

The card that was cloned on the I-76 Tollway was likely stolen at a gas pump, my credit union determined. For those unfamiliar with tollways, a common part of driving in the Midwest and Northeast, there are Tollway Plazas with food courts and other services. The gas stations are franchises of major convenience chains and the plazas are small shopping malls.

Without anyone detecting it, a “card skimmer” was installed by an employee or contractor at one of the gas pumps. The card skimmer reads magnetic strips as cards pass into the pump’s card reader. Data are retrieved by removing the skimmer or by using an external wireless device.

Because I know skimmers are most commonly found in non-bank ATMs, I only use bank ATMs and I carry cash for small purchases. Cash remains the safest form of currency, but I can’t recall the last time I paid cash for gasoline. If anything, that one person going inside to pay a cashier and then returning to collect change annoys most of us waiting in line at the pump island. It turns out, gas pumps are ideal places for credit and debit card theft.

Credit card issuers, processing companies, retailers and banks began a national migration to what’s being called the “Chip, Dip, PIN and Sign” solution to retail security. New cards have small chips embedded in them. These chips will replace the magnetic strip with a more secure, harder-to-clone technology. This new standard is known as “EMV Chipping,” which stands for Europay, MasterCard and Visa, the companies that collaborated to promote the new security. One problem with the new cards, however, is that the transaction must have an online connection for the security features to work properly.

The old strip has data embedded. Card readers access the data encoded in the strip, which includes the card number and any card access codes, such as a personal identification number (PIN). The strip never changes, which is how skimmers can clone a code.

The EMV chip contains encryption key values and other data. Instead of swiping an EMV card through a terminal, you “dip” the card into a slot. The chip reader transmits the encryption key to the payment processor and a one-time “transaction number” that looks similar to a credit card number is generated. No two transactions are ever associated with the same transaction number.
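A simplified model of the difference between the static strip and the chip's one-time value, added here as an illustration and not taken from the column or from the EMV specification. HMAC-SHA256 stands in for the chip's real cryptogram, and the `Issuer` class, the key, and the card number are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not real card data.
CARD_NUMBER = "4000001234567899"
CARD_KEY = secrets.token_bytes(32)  # assumed secret shared by chip and issuer


def one_time_code(card_key, counter, amount_cents):
    """Code bound to one counter value and one amount (HMAC stand-in)."""
    message = f"{counter}:{amount_cents}".encode()
    return hmac.new(card_key, message, hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical authorization host for stripe and chip transactions."""

    def __init__(self, card_number, card_key):
        self.card_number = card_number
        self.card_key = card_key
        self.last_counter = 0  # highest chip counter already accepted

    def authorize_stripe(self, track_data):
        # The stripe never changes, so any exact copy looks genuine.
        return track_data == self.card_number

    def authorize_chip(self, counter, amount_cents, code):
        expected = one_time_code(self.card_key, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # wrong key, or counter/amount altered
        if counter <= self.last_counter:
            return False  # code was already used: a replay
        self.last_counter = counter
        return True


def demo():
    issuer = Issuer(CARD_NUMBER, CARD_KEY)
    stripe_replay = issuer.authorize_stripe(CARD_NUMBER)  # skimmed copy
    code = one_time_code(CARD_KEY, 1, 4250)  # chip authorizes purchase 1
    first_use = issuer.authorize_chip(1, 4250, code)
    chip_replay = issuer.authorize_chip(1, 4250, code)  # captured, resent
    altered = issuer.authorize_chip(2, 9999, code)  # reused for new charge
    return stripe_replay, first_use, chip_replay, altered


if __name__ == "__main__":
    print(demo())
```

The copied strip is accepted, while the captured chip code is refused both when it is resent unchanged and when it is attached to a different charge.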

Not only does the transaction number change, but EMV cards expect a PIN and a signature. Unlike the PIN with magnetic strip cards, the PIN and your ZIP code are not stored on the card chip. These data are confirmed via the network, another reason the security requires an active network connection.

One of the gas stations I frequent has implemented EMV readers. To purchase gasoline with an EMV card, you dip the card into the reader and enter both the PIN and ZIP code. No signature is required, but the transaction is far more secure than in the past.

EMV card accounts also support automatic transaction alerts via text message or email. I have set my credit and debit card accounts to chime my iPhone with alerts. I often receive the alert before a waiter returns with my credit card. If my phone ever signals an unexpected charge, I will be able to take action immediately.

Apple Pay turns an iPhone into a virtual EMV credit card. Most EMV cards include near-field communication (NFC), allowing you to tap or wave the card near a terminal instead of inserting the card into a slot. Newer iPhones and Android phones also have EMV-compatible NFC. Because the phones include additional security, such as their own access codes and fingerprint readers, credit card processors would like us all to switch to phones for purchases.

Companies like Target, which was the victim of a complex skimming attack, are rushing to implement EMV technologies. European merchants switched to EMV chips during the last three years. Credit card issuers have vowed to hold merchants without EMV terminals responsible for thefts and fraudulent charges.

You should ensure every card you carry is an EMV-enabled card. The cards have visible chips, making them easy to recognize. You can also switch to using Apple Pay and other EMV-compatible services with a phone. That’s the most secure way to shop in person. Also, be sure you have registered a PIN for each EMV card or device. Some EMV cards have two PINs: one for cash machines and one for purchases.

Online purchases remain a weak link for credit card security. Always use a credit card, not a debit card. If your card offers online double-verification, sign up for that service. Sometimes called two-step verification, the card processor sends a message to your phone or computer when a retailer requests payment. You must acknowledge the message, usually by entering a numeric code, before a charge is processed. A data thief is unlikely to have your credit card number and your phone.

Criminals will always be racing to beat current security technology. If you seek security for your financial transactions, EMV chip cards and two-step security are welcome improvements to a familiar shopping experience.
