This article is a reprint from a recent Consumer Reports on-line edition
A bank customer was getting suspicious while trying to withdraw cash from a drive-up bank ATM in New Port Richey, Florida. The blinking LED lights around the card slot were flashing faster than usual, and the slot seemed oddly slow to take his card, he told sheriff’s department officers.
Then he reached out and jiggled the card slot. It came off right in his hand. He notified the bank, and police started their investigation. They discovered that a fake card reader, or skimmer, had been placed over the real card-entry slot and that a pinhole camera had been recording customers entering their personal identification numbers.
The bank customer avoided becoming a fraud victim, but many other Americans have not been as lucky. In the U.S., 32 percent of consumers reported card fraud in the past five years, according to a 2011 survey released earlier this year by ACI Worldwide, which supplies payment systems to financial institutions, processors, and retailers. That was up from 27 percent in 2010.
That number is likely to grow because the credit and debit cards most Americans use are surprisingly vulnerable to fraud, relying on decades-old technology that makes them more susceptible to being skimmed and counterfeited. Even some contactless credit cards, which use radio frequency identification (RFID) chips that allow you to make purchases without having to swipe your card through a card reader, are vulnerable to virtual skimming.
American credit- and debit-card data are usually stored unencrypted on a magnetic stripe on the back of each card, which thieves can easily and cheaply copy. The U.S. and some non-industrialized countries in Africa are among the only nations still relying on magstripe payment cards, which came into wide use in the 1970s. China has announced that it will no longer produce or accept such cards after 2015; American travelers are already finding that their cards aren’t accepted at some gas stations, parking facilities, subways, and merchants in Europe. The European Central Bank has recommended that banks stop issuing magstripe cards after 2012.
Most other countries are shifting to what are known as EMV “smart cards” (the acronym comes from Europay MasterCard Visa). Smart cards use multiple layers of security, starting with a computer chip in each card that stores and transmits encrypted data and a unique identifier that can change with each transaction.
In some cases, cardholders also enter a PIN to authorize credit as well as debit transactions. Total fraud losses dropped by 50 percent, and card counterfeiting fell by 78 percent in the first year after EMV smart cards were introduced in France in 1992. Other countries that have switched have also seen card fraud decline.
So why is the U.S. so far behind?
It seems to come down to money. The losses for banks do not yet exceed the costs of a switch-over, although merchants say that’s because they usually shoulder much of the cost burden from fraud. Most cards limit liability for consumers, but the disruption in time and loss of privacy can be considerable.
Hence, the US is falling behind the rest of the world in fraud protection, and American consumers are getting the short end of the stick
Skimming is big business
The theft of card data in the U.S. is increasingly carried out by organized thieves from other countries. In Eastern Europe particularly, thriving black-market forums exist online to buy and sell skimming equipment and stolen credit- and debit-card information.
Losses are comfortably in the multimillion- dollar range each year but are incredibly hard to authenticate because of the discreet position that most financial institutions take when asked to assess a loss figure. Banking-industry data indicate that debit-card skimming in particular is rising as criminals focus on obtaining debit-card data complete with PINs to get their hands on cash more quickly.
The figures reported by some U.S. banks show losses from fraudulent debit-card transactions using PINs have quintupled at stores in the past five years, and they’ve also risen sharply at ATMs, so it’s clear crooks are succeeding in getting people’s PINs, most likely through a combination of skimming and recording PINs.
Gas pumps are a popular target for skimmers, especially during vacation season, when more Americans are on the road. Skimmers can be inserted inside a pump without any telltale signs. Last summer, skimming attacks at gas stations in one northern Florida county surged so much that local law-enforcement officials suggested consumers use only cash to pay for gas.
Crooks are increasingly targeting bank branch ATMs, sometimes installing skimmers in devices near the doors where customers swipe their cards to gain access.
To obtain the PINs, thieves attach a keypad overlay that captures your number as you type it in, but more often they’ll install a pinhole video camera aimed at the keypad to record what you’re typing. A recent probe of an Eastern European skimming group brought arrests of 175 people involved in skimming at ATMs in Connecticut, New York, New Jersey, and Pennsylvania, with $25 million in losses.
Criminals can quickly use the skimmed data to create a counterfeit card to withdraw the maximum allowed from each cardholder’s account at an ATM. Card issuers generally extend zero-liability protection to consumers for fraudulent use of credit and debit cards. But victims of debit-card skimming can still face financial hardships because they are without the cash while the bank investigates, which sometimes takes weeks.
And the scams can have multiple victims. In December 2010, in Butte, Mont., at least 300 fraud victims reported unauthorized charges made on their cards, most of which were debit cards. Among the victims was a local sheriff. For six to eight months at an unsuspecting retailer, a cash register skimmed data from everyone whose card was swiped. Authorities say the data were sold to other criminals to make counterfeit cards used throughout the U.S. Fraudulent charges on the Butte victims’ cards ranged from $500 to $1,500.
Authorities have recommended to several of the large financial institutions that the biggest deterrent to skimming would be using the kind of cards that are issued in Europe and Canada with a chip that makes them pretty much impossible to skim, but so far they seem unwilling to make the change.
Americans still receive magstripe cards because banks and other financial players in the card industry claim that losses due to fraud in the U.S. have not been high enough to justify the costs involved in switching to EMV smart-chip technology.
Replacing all payment cards in the U.S. could require issuers to spend as much as $2.85 billion, plus $310 million more to update ATMs to accept the new cards. For merchants, he estimates that replacing sales terminals could cost up to $2.64 billion. But many of the nation’s big-name retailers, including Kroger, McDonalds, Sears, and Walgreens, are pushing for an upgrade to the likes of EMV. And a few, such as Best Buy, Home Depot, and Wal-Mart, are in the process of deploying terminals that can read contact and, in some cases, contactless chip and pin technology.
One report estimates U.S. card issuers’ total losses from credit- and debit-card fraud at $2.4 billion. That figure does not include losses that are borne by merchants, which probably run into tens of billions of dollars a year.
Merchants usually have to absorb losses for fraudulent transactions conducted by mail, phone, and online, and card issuers generally are supposed to take the financial hit for fraudulent transactions conducted in walk-in stores. But retailers report that banks also often charge those losses back to them.
Despite magstripe cards’ vulnerabilities, card issuers say they have developed effective methods to fight fraud. Visa says it relies on an advanced system that detects fraud in real time.
A turning tide?
When the Federal Reserve Board analyzed fraudulent debit-card transactions, it found that merchants absorbed 43 percent of all losses reported by debit-card issuers. For credit-card losses, merchants end up eating more than half of losses from fraudulent transactions.
So if card issuers can make merchants absorb half of their losses on top of paying them interchange fees for each transaction to supposedly help cover fraud-related costs, why should they worry about making investments in new technology to better protect against fraud?
But the tide might be turning. The Smart Card Alliance, an industry trade group, has issued a report on EMV, developed with the support of players including American Express, Capital One, and Chase Card Services. The report notes that “although the enormous size of the U.S. payment industry makes widespread change costly and difficult, the true cost of fraud is increasing and threatens to damage the industry’s reputation.” It says that damage “could accelerate as criminals move to the U.S. as the weakest link.”
Adopting the smart-chip standard also could provide a more secure basis for mobile payments using smart phones, which analysts expect will rapidly replace plastic cards as a form of payment. And it has been suggested that a federal mandate might be the stick required for a switch.
A carrot to entice banks and credit unions away from magstripe debit cards already exists. It’s in the hotly debated rules the Federal Reserve proposed in December 2010 to limit fees that merchants pay card issuers for debit-card transactions.
Fiercely fought by banks, the new rules would cut the fees from a current average of 44 cents per transaction to a maximum of 12 cents. But card-reform legislation also gives the Federal Reserve an option to allow higher fees for card issuers that adopt more rigorous antifraud technology standards as set by the Fed.
No form of security technology is foolproof, of course. Researchers at the University of Cambridge in February 2010 uncovered a vulnerability in EMV smart cards that could allow a criminal armed with certain electronic equipment to make a purchase using a stolen smart card without having the correct PIN, though that attack method would be relatively easy to guard against.
But exposing such potential flaws and correcting them is an important part of ensuring that any security system used to safeguard consumers’ financial data is continually evolving to stay ahead of the latest schemes devised to break it.
