Everybody talks about HTTPS and being careful with credit or debit cards online, but what makes you think your cards are safe offline? I can’t speak for anyone other than myself, but I’d be willing to bet that you’ve walked into a grocery store, restaurant, or gas station and willingly handed your credit card over to some person you’ve never met or probably even seen before, subconsciously trusting a complete stranger just because he or she is standing near a somewhat official looking point-of-sale terminal.
I worked as a bartender after graduating college but before I started writing about computer security. I had very little knowledge of, and spent zero time thinking about, network security. I had no idea what a virus was, how it worked, or why anyone would create one, but I knew enough to know that that testy, old Micros point-of-sale terminal was bad news. To this day, I’m not 100 percent sure what happened after I swiped a credit card into it. It broke down though, a lot, which caused me to question the integrity of the system from – what I now know we call – ‘end-to-end’ (consumer to retailer to credit card issuer or bank and anything and everything in between).
Perhaps more concerning yet, when the thing did break down (and, again, it did break down), we’d call up Sam: a 16-year-old local high school hacker and computer hobbyist with waist-length blond hair and, inexplicably, though I suppose he thought it fashionable at the time, a cane. Sam would come in at all hours of the night (this was a bar, after all) and “fix” the system for us. Only he and his crony friend Jesse, who worked as a sandwich-maker at the bar until we ultimately fired him for stealing a bottle of booze, knew how to fix the system.
I’m not suggesting that either of these two boys acted with nefarious intent nor am I suggesting that the establishment was in some way sketchy. In fact, this was a well-respected restaurant, and if my memory serves me well, Sam ended up studying computer science at Georgetown and Jesse has grown out of his rough-and-tumble youth into a perfectly respectable adult. While this is probably not the norm, it just goes to show you that you really have no idea what goes on behind the counter.
Pragmatically though, what can we do to guarantee that our payment data is safe from the second it’s printed on a plastic card until that fateful day that we chop the plastic card in half with a pair of scissors? Well, one person jokingly suggested to me that we should use a lead wallet, and others have said we should start by keeping our wallets in the harder-to-pickpocket side pocket. I contend, however, that buttoning my back pocket is deterrent enough for would-be thieves. You’d need some pretty nimble fingers to lift my wallet out of a buttoned pocket without me knowing.
Pickpocket scenarios aside, you definitely want to vet the guy you’re about to hand your card to. I once got my hair cut in beautiful Boston, Massachusetts. When I asked the friendly beautician if he accepted credit cards, he told me no, but that his sister owned a gift shop down the street. He told me that he could give her the card number over the phone, that I would be charged at her shop, and that she’d pay him cash later. I respectfully declined.
Again, this is likely a rarity, but the point is this: anyone who wants to write down your card number or run it through one of those old-timey slide imprinters is probably someone you should just pay in cash.
All this without even mentioning ATMs! If you really want to be terrified, start reading the news site of security journalist and foremost ATM-skimmer expert Brian Krebs. Thankfully, Krebs isn’t merely scaring and snaring; he’s also got a great resource page with pictures of skimming equipment and explanations of how it works.
An ATM skimmer, by the way, is just the term for a device fixed on to an ATM in order to copy the data on your card’s magnetic stripe as you swipe it, usually paired with a keypad overlay or a tiny camera to capture your PIN as you enter it. For all intents and purposes, these are the same as the skimmers that can be attached to point-of-sale terminals and gas pump keypads. Skimmers are the real-world equivalent of a man-in-the-middle attack: the card still reads normally and the transaction still goes through, while a copy of the data is siphoned off on the side. If you want more of the technical details about how these things work, I implore you to go over to Krebs on Security.
Now, if the guy that hacked the PoS terminal or installed the skimmer on the ATM did a decent job, then you’ll never even know he was there until you get that dreaded data breach notification in the mail (or email). However, criminals are human beings, and human beings cut corners. Before you go swiping away, take a look at PoS terminals and, especially, ATMs. Again, most skimmers are unnoticeable unless you take the ATM apart, but nonetheless, I really check out ATMs. I fidget with the keypad casing to make sure it’s securely attached. I reach up around the screen, and under the screen if it happens to overlook the keypad, and generally just poke and prod around to make sure nothing is out of place. Keep an eye out for cameras too, which is easier said than done considering how small cameras have gotten. All ATMs should have cameras, but those cameras should be pointed at your face, not the keypad. I never use street ATMs, and I try to avoid ATMs in out-of-sight areas, by which I mean those that can’t be easily seen by a seemingly responsible adult at all times. Bank ATMs are the safest bet because, theoretically at least, bank employees should know about skimmers and how to spot them. This isn’t one of those hypothetical problems either: according to Krebs, the U.S. Secret Service said that ATM skimmers stole $1 billion in 2008. That number has probably risen since.
Point-of-sale hacks are even trickier. It’s certainly worth making sure that the casing is completely intact and unaltered, but it’s more likely that the machines that store and transmit the payment data are compromised. These things need to be secure end-to-end, and that is a lot of area to protect (again, all the way from your hand to whoever is collecting the money). A security expert once told me a story of criminals dressing up in matching, quasi-official-looking uniforms and telling the unwitting employees of an unnamed retail location that they were there to repair the PoS system. They did not repair anything. Instead, they installed skimmers and left. It’s hard to know for certain if the story was true, but it didn’t seem all that far-fetched to me.
Think of it like a game of poker as well: you want to play your hand as close to your vest as possible. Leaving your cards lying around is pretty much the same as posting pictures of your debit card online. In that vein, enter your PIN as seldom as possible. Given the opportunity, run your debit card as credit. That way, if you are skimmed, at least the bad guys aren’t making off with your PIN along with your card data.
Finally, a lot of this stuff is really out of your hands. That said, there are countermeasures available: as always, keep one eye on your bank account and credit card balance. Some banks will let you put limits on ATM withdrawals, so if someone does skim you, they can only take out so much cash. It’s also good to use a number of different credit or debit cards from different banks if you can. Think about it: would you rather have your black, no-limit American Express card skimmed, or some other card with a $1,000 limit? The same goes for debit cards: I wouldn’t go walking around with a debit card linked to the bank account in which I keep my life’s savings.
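To make concrete what a skimmer actually harvests from a swipe (and what it does not), here is a small parser for the two magnetic-stripe tracks a reader copies. This is an added example, not code from the original post or from Krebs; the track layouts follow ISO/IEC 7813, and the sample track strings are constructed from a well-known test PAN rather than any real card. The point it demonstrates is that the stripe carries the account number, expiry, cardholder name and service code, but there is no PIN field anywhere on it, which is why skimmer installs need a keypad overlay or camera to get the PIN, and why running a debit card as credit denies them that second piece.

```python
"""Parse the magnetic-stripe data a skimmer captures (ISO/IEC 7813 tracks).

Added example, not part of the original post. Track 1 looks like
  %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
and Track 2 like
  ;<PAN>=<YYMM><service code><discretionary>?
The sample strings below are constructed from the test PAN
4111 1111 1111 1111 and belong to no real card.
"""
import re

# Constructed sample data (test PAN, not a real card).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# First digit of the service code, summarised from ISO/IEC 7813.
SERVICE_FIRST_DIGIT = {
    "1": "international interchange",
    "2": "international interchange, chip preferred",
    "5": "national interchange only",
    "6": "national interchange only, chip preferred",
    "7": "no interchange (issuer/private use)",
    "9": "test card",
}


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation over the full PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first six) and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(track: str) -> dict:
    """Parse a Track 1 or Track 2 string into its fields.

    Raises ValueError for anything that is not a well-formed track.
    """
    if track.startswith("%"):
        kind, m = 1, TRACK1_RE.match(track)
    elif track.startswith(";"):
        kind, m = 2, TRACK2_RE.match(track)
    else:
        raise ValueError("not a Track 1 or Track 2 string")
    if m is None:
        raise ValueError(f"malformed track {kind} data")
    f = m.groupdict()
    return {
        "track": kind,
        "pan": f["pan"],
        "pan_masked": mask_pan(f["pan"]),
        "luhn_ok": luhn_valid(f["pan"]),
        "name": f.get("name"),                      # Track 2 has no name field
        "expiry": f"20{f['exp'][:2]}-{f['exp'][2:]}",  # YYMM -> YYYY-MM
        "service_code": f["svc"],
        "interchange": SERVICE_FIRST_DIGIT.get(f["svc"][0], "unknown"),
        "discretionary": f["disc"],
        # There is no PIN field in either track; a skimmer alone never gets it.
        "pin_present": False,
    }


if __name__ == "__main__":
    for t in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        parsed = parse_track(t)
        print({k: v for k, v in parsed.items() if k != "pan"})
```

Run it and you will see the two tracks yield the same masked PAN and expiry; the first adds the name, and neither has a PIN. Everything else an attacker needs to cash out at an ATM has to come from the keypad, which is the part you can actually protect by shielding your hand or not typing a PIN at all.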
As always, throw your own suggestions in the comments here or on Facebook or tweet them to us.