One of the advantages and drawbacks of using a credit card is that it creates a paper trail. This makes it possible for your credit card issuer to send you a bill for the charges you make. It also lets the issuer see where someone who stole your credit card used it, potentially making it easier to catch that person.
Tips
Credit card companies can track where your stolen credit card was last used, in most cases, only once the card is used by the person who took it. The credit card authorization process helps bank's track this. However, by the time law enforcement arrives, the person may be long gone.
Credit Card Authorizations
The credit card authorization process creates an opportunity for tracking. When you, or a card thief, hands your card to a store clerk, he uses a card reader to send its information to a card processing company. That company checks with your credit card company to make sure that your card is good and that it has enough money to cover the charge. If it does, the charge gets approved and you – or the crook – get the stuff. Along the way, information on the store, its location and the amount charged gets passed through to your credit card issuer. This way, it knows where the card got used and can build a history.
"Tracking" Card Users
While your bank can track stolen cards, the tracking isn't perfect. It can generally only track the card if it gets used. Also, since people usually pay when they are on their way out of a retail establishment, it's reasonable to expect that they would be gone by the time that law enforcement could arrive. On the other hand, stores and card issuers can also use transaction information to pinpoint the exact time the stolen card was used and find video footage of the person from the store's surveillance system.
How Cards Get Stolen
Card thieves don't have to take your card to steal it. They can use the carbon copies that were part of the paper slips used to capture physical card imprints, too. At restaurants, waiters would write down the information on your card while running it for you. Now, theft has gone digital. Waiters can use small card-skimming devices in their aprons, thieves can attach readers to gas pumps and larger-scale cyber criminals can steal credit card numbers by the millions by hacking into corporate databases.
Card Theft and You
If your card gets stolen, it shouldn't matter to you whether or not authorities ever ever catch the thief. Under federal law, your liability for fraudulent charges is capped at $50 as long as you promptly report the theft, and, if your card number is stolen or you report the theft before your card gets used, you have no liability. Some card issuers might give you even more protection than this, too.
Criminals are more organized and sophisticated than ever before. Attacks on ATM machines range from simplistic to highly organized efforts involving multiple ATMs across the country, hundreds of fraudulent cards and criminal gangs spanning the globe.
So, how do criminals get your customers' debit card data? Here are 10 different ways:
Steal cards
Attack sophistication: Low / Scale of attack: Small
The simplest way for a criminal to get card data is to steal someone's card. To get the PIN, the thief might shoulder surf or guess a weak password, such as a birth date.
Steal machines
Attack sophistication: Low / Scale of attack: Moderate
A criminal might decide to steal either an ATM or POS terminal. Cash can be pulled from the ATMs, but both types of machines could store card numbers if misconfigured. A stolen machine is also valuable in order to learn about weaknesses or ways to physically attack it.
Offline account takeover
Attack sophistication: Moderate / Scale of attack: Small
Breaking into mailboxes and stealing bank statements or other personal information can let a criminal conduct identity theft. Often they'll try to change the victim's mailing address with the bank, order a new card, and activate it. If the bank has good processes in place that are adhered to, then this type of attack can be stopped.
Separate skimming device
Attack sophistication: Low / Scale of attack: Moderate
If a deft criminal can get a hold of a card for a few seconds, then they can swipe it through a reader and get its data.
Overlaid skimming devices
Attack sophistication: Low / Scale of attack: Moderate
In this case, the criminal places a card reader over the machine's intrinsic reader. They might also attach a video camera or a pin-pad overlay to capture the PIN.
Internal skimming devices
Attack sophistication: Moderate / Scale of attack: Large
More capable criminals could place a skimming device inside a terminal, such as at a gas pump. The skimmer intercepts messages on the data lines, and is tough to detect without opening up machines.
Hijacked terminals
Attack sophistication: High / Scale of attack: Moderate
A terminal can be hijacked by replacing the operating system with a compromised one. An avenue of attack might be available for those ATMs with remote control capabilities that are left in the default (and insecure) settings. Stolen machines might also be modified and then used to replace an existing, non-compromised terminal.
Ghost ATMs and fake fronts
Attack sophistication: Moderate / Scale of attack: Moderate
Why add a skimming device to a real terminal when you can just use your own fake one? Criminals have been known to place fake, modified terminals in public spaces where victims will use their cards but receive communication error messages. In reality the terminal has captured card data and PIN, and stored it for later retrieval.
Buying the data
Attack sophistication: Low / Scale of attack: Moderate to Huge
With so many means of attack, there is a glut of card information on the market. Lazy criminals can simply buy card data, starting at $1 or less. Quality costs extra, but in the underground marketplace there are products for everyone.
Data breaches
Attack sophistication: High / Scale of attack: Huge
Capable hackers are able to crack the security on merchants and other card data holders, and access large volumes of card data. With the heightened awareness of cybercrime, the industry has made strides in using more secure techniques for storing data (or in many cases, ensuring that they don't store it). This has made it harder for criminals, but there are still many opportunities for attacks.
"10 Ways Criminals Get Debit Card Data." Verafin.com. Verafin Inc. Web. 8 Aug 2013