Data skimming from personal plastic has consumers, retailers restless
Published in CSP Daily News
ATLANTA -- Susceptibility to credit-card fraud has retailers and their customers scurrying for proactive measures necessary to insulate themselves from further exposure.
While new technologies aimed at preventing fraud are starting to arrive on the market, it might take months—even years—for convenience retailers to entirely ramp up on implementing the latest technologies, designed to ferret out credit- and debit-card fraud.
In the interim, retail security breaches continue unabated. In mid-March, Hannaford Bros. Co., an East Coast supermarket chain, revealed this month that as many as 4.2 million customer account numbers were stolen by thieves. Occurring from December 2007 through March 10, the company said thieves cracked computer system codes of the chain, which ironically had been given high marks by the Payment Card Industry (PCI) for best-practice security protocols.
The Hannaford incident represented a case of credit-card fraud predicated on personal data that was “in-transit”—moving from a store's POS device to a bank's back-office processing system.
Meanwhile, another recent credit-card fraud case in Michigan was attributed to another fraud technique—“skimming”—wherein employees skim a customer's credit card with a small, handheld electronic device that scans and stores card data from the magnetic strip. Counterfeit credit cards are then produced, and criminals use cards to make unauthorized purchases.
In Michigan, one consumer said he was victimized by card skimming at a metro Detroit gas station in mid-2007. The individual, Jeff Heng of Clawson, Mich., told CSP Daily News the breach was the second one he endured within three months, each involving a different credit card.
A customer-service representative of Advanta (an East Coast bank processor) alerted Heng to suspicious charges on the card, which he used strictly for fuel purchases. Heng speculated the theft might have occurred at one of three Speedway stations in either Clawson, Troy or Royal Oak, Mich. Heng estimated that about $10,000 in charges were rung up illegally between the two credit-card fraud incidents.
"We were never contacted by Heng or the police and would expect either or both to contact us if there was concern that this activity was occurring at our store," Speedway spokesperson Linda Casey told CSP Daily News. "And, of course, we would have immediately investigated. We have no reports of skimming concerns at those stores."
Posting his experience on a Web log, Heng was subsequently contacted by San Jose, Calif.-based VeriFone Holdings Inc., a provider of secure electronic payment solutions to retailers.
Sarah Waters, a VeriFone spokesperson, said the company often engages retailers and, to a degree, consumers about implementing techniques for better preparedness to avoid fraud. Waters said one way is for retailers to closely examine fuel dispensers and pumps for tampering. Noticing duct tape and broken or hanging hardware is an indication that tampering might have occurred.
Meanwhile, technology suppliers such as VeriFone and Dresser Wayne continue to upgrade their products to aid in the detection of fraud.
Groups that create security standards, such as PCI, are trying “to stay ahead of the game on the newer hacking techniques that the ‘fraudsters’ are coming up with. [They] continue to raise the bar on these standards,” Tim Weston, product manager for payment technologies at Dresser Wayne, told CSP Daily News. “And for us, as equipment vendors, it's important to build more and more secure products to defend against those newly defined attack methods.”
Major credit-card associations have mandated that starting January 1, 2009, all new self-service gasoline pumps must have PCI-approved PIN-entry devices. Further, beginning July 1, 2010, all card transactions at pumps must be protected with advanced Triple DES encryption technology, said Waters.
An encryption breach might have been the root cause of the Hannaford supermarket dilemma, according to a local report detailing the case. If data is vulnerable while in transit, companies must encrypt information along every step of the transmission, experts believe. In practice, there are gaps in the encryption process—often occurring with older POS hardware.
The Hannaford case occurred when shoppers swiped their cards at checkout-line machines and information was transmitted to banks for approval. The supermarket chain was found to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.