Gas pumps, taxicabs, and even vending machines take credit cards, and thieves worldwide are cashing in. Criminals are becoming more sophisticated at intercepting payment information while banking and retail systems lag behind. Lax regulation and a lack of investment in security tilt the scale in favor of crooks.
The Association of Chartered Certified Accountants (ACCA) and Pace University yesterday released a report on the myriad ways that fraudsters are obtaining credit card information with “skimming” devices that are becoming smaller and smarter. The technology is readily available online and at spy stores.
Skimming devices are surreptitiously installed where we pay. A ring of tech-savvy thieves in Manhattan was clever enough to install skimmers directly inside gas pumps, using the pump’s own power supply and Bluetooth to transmit card data wirelessly. The scheme siphoned millions of dollars from unwary drivers before law enforcement noticed it. Those responsible are being prosecuted for their crimes.
“Devices are becoming smaller and have more memory,” said report author Darren Hayes of Pace University. “The quality of data on the devices has improved over time, and skimmers often are password protected and use advanced encryption protocols.” ATMs, ticket vending machines, stores, and restaurants are all targets.
ATMs are the most common target. The United States has the world’s largest ATM market – with nearly 425,000 installed today, ACCA said. Skimmers record information from the magnetic stripe on credit cards as they are used at ATMs. The cards are cloned, and sometimes turn up in Ghana, Costa Rica, Mexico and Malta.
Why? The United States is using old technology and fails to seriously monitor skimmer fraud activity, the report found. Europe has taken a hard line against fraud, with more advanced EMV (Europay, MasterCard and Visa) credit cards, practices and technologies that make skimming more difficult to accomplish, Hayes said.
The ATM industry is pushing back against implementing EMV because upgrading machines would be expensive, Hayes said. Payment processors are likewise opposed, and U.S. card providers don’t receive an annual fee for cards that could finance stronger security, he said. Many Europeans pay for the privilege of holding a card.
“…The United States is a consumer-driven market and, with so many providers to choose from, financial institutions are more likely to sacrifice additional security measures to keep their customers happy and prevent any inconvenience,” he said.
A consumer-driven market
The United States is also far less likely to regulate – despite accusations of rampant over-regulating. Credit card breaches happen often; Target was just the most recent debacle. There was no cost to the store for its security lapses other than bad PR. It was even warned that its systems were vulnerable, but didn’t act on the information. It’s the retail equivalent of coal ash pouring into a West Virginia river.
The primary reason is – drumroll please – that the payment card industry is charged with regulating itself. The Payment Card Industry (PCI) standard outlines best practices, but these are superficial. There’s no enforcement comparable to HIPAA, which seriously holds corporate executives to task for any lapses.
PCI isn’t even being followed. It’s voluntary, and is therefore treated as an unnecessary cost.
Zero accountability and lax regulation
“…Many companies that have been breached have not been able to meet these minimum [PCI] standards,” Hayes said. “Security is all too often viewed as expensive overhead rather than a necessity. When you ask about self-regulation, what is really interesting is that when we read about these massive breaches, the company itself is usually told by another company (often one of their customers) that they have been breached.”
Hayes said that credit card companies want to shift liability for fraudulent transactions onto the banks and retailers that don’t implement EMV, effectively penalizing them for not adopting it. For example, the entity (a store or bank) that processes a fraudulent transaction would be held responsible for paying the loss.
ACCA suggests that U.S. financial institutions should accelerate their adoption of anti-skimming solutions, which, along with fraud investigations, should become a part of daily operations. Cooperation with law enforcement will also be necessary to keep pace with the ingenuity of skimmers. Lastly, ATM cards must be phased out in favor of contactless cards, biometric security, and smartphone withdrawals.
Those are some nice recommendations, but there’s still no real incentive to act on the ACCA’s advice. No single company can be punished by consumer sentiment, because there are bad actors across the board.
I’d like to see PCI be given some teeth. When was the last time you heard of medical information (HIPAA) being stolen? I can’t recall any incident. It’s time for electronic payments to be modernized, even if the stakeholders are brought to the table kicking and screaming. Enough is enough.