Skeptoid #554: How Your Credit Card Got Stolen
Here are the most likely ways that your credit card got stolen, and how you can prevent it in the future. Learn about your ad choices: dovetail.prx.org/ad-choices
Minimizing Card Data Theft (00:07:10)

Nobody likes having to cancel their credit card and reissue it when fraud pops up, as it inevitably does. But how is it happening? How are the bad guys getting your card data? Well, for every one real way to get it, there are about 10 pieces of misinformation about ways that it almost certainly wasn't taken. Today we're going to separate the fact from the fiction and find out what the best practices actually are. And that's coming up next on Skeptoid.

Hi, I'm Alex Goldman. You may know me as the host of Reply All, but I'm done with that. I'm doing something else now. I started a new podcast called Hyperfixed. On every episode of Hyperfixed, listeners write in with their problems and I try to solve them. Some massive and life-altering, and some so minuscule it'll boggle your mind. No matter the problem, no matter the size, I'm here for you. That's Hyperfixed, the new podcast from Radiotopia. Find it wherever you listen to podcasts or at hyperfixedpod.com.

You're listening to Skeptoid. I'm Brian Dunning from Skeptoid.com. How your credit card got stolen.

That moment when you see a bunch of weird charges on your credit card or bank statement. Cigars in Brazil? Airline tickets in Nigeria? A tank of gas in Las Vegas? Someone has obtained your credit or debit card number. And now you're going to have to suffer months of updating it with all your utilities and other vendors. How did these thieves get your card information? Was it something you did? Should you have done something differently?

Today we're going to look at some of the most common ways credit card numbers are compromised, correct some popular misinformation, and point out a few tips to more secure charging habits. For this show, we don't really differentiate between credit cards and debit cards. From the perspective of keeping card info secure, there's very little difference. Either is just as likely to show up in a large database of card data that some thief acquired and another purchased. That latter one is either making online charges in bulk or he's printing up duplicate cards and selling and using those. What we're going to talk about today is how to minimize the chance of your card getting into that database in the first place.

One of the best known methods of stealing card numbers is a device called a skimmer. Skimmers are false card slot overlays affixed to the front of ATM machines, gas pumps, or anywhere you might slide your credit, debit, or ATM card. These take their own read off the card's magnetic stripe as you slide it into the machine. While skimmers used to be clumsy and easy to spot, today the best skimmers are seamless. They often incorporate an entire front panel of the ATM so it looks factory fresh. Many of these also include a PIN pad overlay that captures your PIN as you type it. Most skimmers that don't include a PIN pad overlay use a hidden camera installed overhead or somewhere nearby to watch you type your PIN. Less familiar, harder to spot, and increasingly common are shimmers, functionally the same as a skimmer, but thin enough to be inserted inside the card slot where they're not visible at all. Some skimmers and shimmers are retrieved by the thieves after collecting data for a time, and some transmit what they collect via Bluetooth or some other wireless technology.

These days, it's not very likely that a stolen database of card data came from an inside job at some financial institution. The payment card industry, PCI, has something called PCI Compliance, set by the PCI Council. They maintain the PCI DSS, or Data Security Standard, which is, in their words, a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The standard is extremely rigorous, requiring a stringent set of both physical and electronic security measures. Any merchant that is fully PCI compliant is, by any practical definition, a safe place to use your credit card. Whether a company is PCI compliant or not isn't a matter of public record though, but you can be sure that major online retailers like Amazon.com and financial service companies like PayPal are PCI compliant.

But independently achieving PCI compliance is far beyond the means of most small merchants. These companies usually go one of two ways. First, the safe way: they work with a third-party credit card vault and tokenization provider that is PCI compliant. When you use your credit card at one of these online merchants, you type the credit card number into their online form, or if they're a brick-and-mortar store, you swipe your card at a terminal. But the card information never goes to the merchant at all. It goes directly to the third party. They store it safely and are the ones who actually process the transactions. The online merchant gets a token to reference each credit card, a long, unique alphanumeric string that will only work for that particular merchant. Since these merchants never have access to the credit card data, buying from them with your card has no practical likelihood of compromising your card.

The other way small merchants go is to simply take and process cards and employ their own notions of security. Some merchant service providers will refuse to work with them, but others will and often charge them a monthly fee that is essentially a fine for not being PCI compliant. This amount is usually a lot less than PCI compliance would cost them, so they do it. Whether your card is safe or not is a crapshoot. Fortunately, the overwhelming majority of online transactions come from a small number of major merchants who are PCI compliant, so these sketchy merchants make up only a tiny slice of the total transaction volume.

There are a lot of people who say, oh, I won't use my credit card online. Well, that's fine, and it's a good idea, inasmuch as never using or even having a credit card at all is the best possible defense. But probably most of these people carry their credit card around in their wallet or purse. They may even use it at restaurants or gas stations. Well, statistically, they happily use their credit card for all the riskiest behavior and think they're somehow being safer by forgoing one of the safest behaviors. Using your credit card at a PCI-compliant online merchant like Amazon.com is far, far, far safer than simply having your credit card in a wallet or purse that might be lost or stolen, or skimmed at every shop you visit.

Choosing Online Safely (00:08:35)

If you have a credit card and only one choice of where to use it, choose online, not offline. There are a lot of ways that your financial information online can be compromised that don't involve your credit card and that contribute unfairly to distrust of online credit card use. This is a long, long list, and I really don't advise the layperson to try to learn about these, but rather to install security software from a top vendor such as Kaspersky Lab. Totally not a paid endorsement, it's a genuine recommendation. To briefly describe a couple of these threats and hopefully frighten you into protecting your computer, I will talk about just two.

In a world that can feel overwhelming, spreading thoughtful, evidence-based content is one of the best ways to make a positive impact. Ask your local public radio station to air the Skeptoid Files, a 30-minute radio-friendly version of Skeptoid that pairs two related episodes promoting real science, true history, and critical thinking. And in these challenging times for public media, we're offering these broadcasts for free to radio stations, available on the PRX Exchange or directly from Skeptoid Media. It's an easy ask. Just send a quick message to your station's programming director. By helping to bring the Skeptoid Files to the airwaves, you'll help promote the essential skills we all need to tell fact from fiction. Just go to your local station's website, find the programming director's email address, or just their general email address. You can even use the telephone. I know that might sound crazy. It's an old legacy device that allows real-time voice communication. I know that's weird, but hey, it's an option. The world can feel chaotic, but you're not powerless. When you promote critical thinking, you can help your community tell fact from fiction. And that's how we shape a better future. In uncertain times, spreading good ideas can make you feel helpful, not helpless. Let's stand up for reason, truth, and understanding. Together, get them to air the Skeptoid Files from Skeptoid Media, available on the PRX Exchange, and they'll know what that is.

One is called a man-in-the-browser attack. This is Trojan horse software that comes onto your computer just like a virus and behaves like a browser extension that modifies certain web pages you look at. They're usually targeted at certain bank or online payment websites. If you try to make an online payment through your bank, the man in the browser will send payee information to the bank that's different from what you type. What you see on the web page will be what you expect. For example, a confirmation page that looks like you paid your utility bill. But what the bank was actually instructed to do was to send money to the thief, usually at some overseas bank. There are many, many, many variations of this.

Another is called clickjacking, also usually targeted at online payment or shopping sites that it assumes many victims will have and will occasionally be logged into. Clickjacking allows for something like a giant invisible button to be overlaid atop whatever web page you're viewing. And there are any number of ways such a layer can be injected into your browser's display of a web page so that anywhere you click, it's hijacking that click and sending it instead to a buy now or donate now button that sends money directly to the thief from your default payment method at whatever site was targeted. The lesson to learn from these types of threats is that while you're right to be concerned about your credit card, you're wrong to think that simply avoiding use of your credit card online makes your finances a whole lot safer.

Much of the reason for that is that most retail point-of-sale terminals run Windows and are connected to the internet. As a result, they often become infected with point-of-sale, or POS, malware. Thieves often design campaigns targeted at large retailers. Once a major retailer's terminals are infected, such malware collects card data, security codes, and even the valuable data from the magnetic stripe called Track 2 data. Such malware has resulted in the theft of this data from hundreds of millions of cards, all in one swoop. It is fatally naive to believe that using your card online is more risky than using it in the brick-and-mortar world.

So, now, here are your 2017 best practices recommendations for credit and debit card users. First, when using an ATM, always choose an indoor machine over an outdoor machine. Thieves install skimmers on machines located in places where they can get away with it. Choose a built-in machine over a standalone machine. Be most careful on weekends and holidays when the skimmer installers know nobody's around. At any ATM or gas pump, give the machine a quick examination. Is there any loose plastic around the card slot, anything that doesn't appear to be original? Is there anything overhead that may have been stuck on and may contain a camera? Is the slot tight, possibly indicating a shimmer?

Whenever you put your card in and the terminal asks you, debit or credit, always choose credit. This doesn't affect the likelihood of your number being stolen, but it does affect your liability. With debit, you could lose your entire account balance and no one will pay it back to you, depending on how quickly you discover and report the loss. But with credit, your liability for fraudulent charges is either zero or very small, by law. Always choose credit.

For your point-of-sale purchases, consider setting up Apple Pay, Android Pay, or Samsung Pay on your smartphone. Although no technology is 100% safe, these mobile wallets all employ single-use tokens to complete a transaction. No credit card information is ever present on the phone or in the transaction, and the tokens used immediately become worthless. Mobile wallets are unquestionably safer than credit or debit cards at the point of sale, and, like the phone itself, if you've set up proper password protection, they're useless to someone who might physically steal the device.

If you insist on using a plastic card, make sure it's a chip card, also known as an EMV card. The embedded microchip establishes a two-way encrypted connection directly to the bank and employs single-use tokens. No credit card data is ever exposed to the merchant or to the network.

Many card holders have no reason to waste money on a special sleeve or wallet claimed to protect your credit card from being remotely read. Contrary to popular belief, neither magnetic stripes nor EMV chip cards incorporate anything that can be remotely or wirelessly read. Such protection only works with RFID dongles and RFID cards like PayWave, PayPass, and ExpressPay, which never really caught on in the United States. In some countries, they're common. These cards use NFC, or near-field communication, a subset of RFID, which can only be read from distances less than 5 centimeters. Thus, in the real world, such theft is almost unheard of. Some researchers, however, have tested ways to access them from as far away as 20 to 90 centimeters. But again, EMV and NFC cards are not the same thing. Your chip card is safe from this threat.

Of course, there are many other avenues by which thieves get credit cards, including mugging you and taking it. You might type it into a website over an insecure connection. You might fall for a phishing email prompting you to verify your credit card information. But no matter what you do, you will never be 100% safe.

Premium Membership Appeal (00:01:53)

Follow best practices. Be as safe as is reasonable, and don't knock yourself out trying to prevent what is, for almost all of us, inevitable. Disputing some charges and getting a replacement card is not the end of the world.

If you like these episodes, share the transcripts via Twitter and Facebook. There are tools for doing that right here on the website, skeptoid.com. Start an online discussion with your friends. Just maybe you'll bring them over from the dark side. You're listening to Skeptoid, a listener-supported program. I'm Brian Dunning from skeptoid.com.

Hello, everyone. This is Adrienne Hill from Skookum Studios in Calgary, Canada, the land of maple syrup and moose. And I'm here to ask you to consider becoming a premium member of Skeptoid for as little as five US dollars per month. And that's only the cost of a couple of Tim Hortons double-doubles. And that's Canadian for coffee with double cream and sugar. Why support Skeptoid? If you are like me and don't like ads, but like extended versions of each episode, Premium is for you. If you want to support a worthwhile nonprofit that combats pseudoscience, promotes critical thinking, and provides free access to teachers to use the podcast in the classroom via the Teacher's Toolkit, then sign up today. Remember that skepticism is the best medicine. Next to giggling, of course. Until next time, this is Adrienne Hill.

From PRX.