Editor’s Note: The following article provides an excellent narrative regarding the ongoing concerns associated with credit card skimming. As retailers and companies issuing credit cards in the United States continue to move forward with chip-and-pin and/or chip-and-signature technology, many of the issues associated with credit card skimming may be resolved. However, while technologies have continued to evolve practical application has not always kept pace, and the issues discussed are as relevant today as they were when this article was originally authored.
Recently, I was asked to present at the National Food Service Security Council (NFSSC) annual loss prevention conference in Dallas, Texas. Always eager for an opportunity to meet and network with loss prevention professionals from different retail and service formats, I readily agreed. I was given a list of topics from which to choose; one of which was credit card skimming. Although I was not well versed on the topic, what I did know was the importance of educating retailers and merchants to protect both their business reputation and personal interests. What struck me was the perception that retailers aren’t the victims of this crime.
I set about the task of becoming more educated on this topic. I spoke to merchants who are victims of credit card skimming, law enforcement personnel who handle consumer complaints, the Secret Service who works with banks to close down credit card skimming operations, and financial institution security directors for the card issuers who detect, monitor, and track fraud related to credit cards
I started my research close to home with contacts from local law enforcement specializing in white collar crimes who clued me in on some of the local cases. From there I was put in contact with senior security officers for the banks who also deal with the investigation and aftermath of these crimes. I was humbled by the graciousness of each agency I reached out to and their eagerness to help educate others on the impact of the crime of credit card skimming.
The research process for the presentation was just as rewarding as the actual presentation. Ours is a hospitable group of professionals who are generous with both time and resources when the need relates to educating others with the goal of eliminating or reducing loss due to fraudulent activity.
Defining the Problem
Just what is credit card skimming and how does it impact us as retailers, merchants, and consumers?
By definition credit card skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically carried out by a dishonest employee of a legitimate merchant. However, there are documented cases in which business owners were the culprit in this form of identity theft. In some instances, connections to terrorist organizations have been made to this fraud activity.
The tools used to carry out this fraud are varied from the archaic, simply using pen and paper to copy credit card numbers and security codes, to the more technologically advanced use of magnetic-stripe readers. With the use of the magnetic-stripe readers, the fraudster is able to capture all of the information that appears on the card, including name, card number, and expiration date.
If the Cvv2 (card verification value) number located on the back of the card is also captured, it allows for cloning of the cards and factory production of duplicates. The Cvv2 is the three- or four-digit credit card security code located on the back of most cards. The Cvv2 code is an important security feature for preventing credit card fraud, especially in the card-not-present transaction environment, such as telephone and Internet sales
While credit card skimming is often a high-tech crime, it doesn’t necessarily require magnetic-stripe readers and computer equipment. Simply put, an employee who fraudulently gathers and records credit card information is just as much a threat as one who uses more technically advanced methods.
Where Skimming Occurs
Credit card skimming activity occurs in many places, but the most prevalent location for this crime is in restaurants. According to a research and advisory service for the payment industry, restaurants account for 70 percent of credit card skimming activities. Why? Restaurants are one of the few establishments in which the card actually leaves the hands or the sight of the cardholder for a period of time; enough time for a fraudster to capture the data from the card manually or by means of a skimming device.
Other known locations ripe for this crime include gas stations with card readers at the pump, self-checkout registers, and standalone vending machines or kiosks that accept credit cards as a form of payment. In these formats a credit card skimming device is placed over the existing card reader. When an unsuspecting customer uses their credit card at the pump, through the checkout, or in the vending kiosk, the initial entry of the card into the reader captures the information for the fraud. As the card is inserted further it captures the information for the legitimate sale. The credit card skimmers may be left on the machine for a period of time before being removed. Information gathered in the skimmer over that period of time can be periodically uploaded to a computer wirelessly.
ATM machines are also an opportune environment to aid in the execution of skimming fraud. The fraudsters in this case may use cameras in addition to the card reader in order to capture the cardholder’s debit card PIN numbers. In this case the cardholder’s bank accounts can be quickly emptied before they even realize they were victimized.
A Form of Organized Retail Crime
In retail loss prevention, we talk a lot about organized retail crime (ORC) as it relates to shoplifting—when a group coordinates or organizes in such a way as to execute shoplifting crimes with the intent to steal thousands of dollars worth of merchandise that is then resold on-line, through fencing operations, or diverted back to the retailers it was stolen from. Credit card skimming in many cases is also well organized and has the potential to generate thousands of dollars of fraud from just one operation. In some cases the proceeds from these organized groups support terrorist activity.
When skimming is part of an organized retail crime operation, a group or chain of restaurants may be targeted based on their known operations and procedures for handling credit card transactions. In these instances, operatives are hired by the fraudsters to specifically seek employment at these chain restaurants for the sole purpose of obtaining credit card data.
Why is credit card skimming the new perfect crime? When the card data is captured and sold, it can then either be resold as is, in an electronic format, or manufactured and cloned onto look-alike cards. In either case, the cardholder isn’t aware of the theft of their credit card information until charges actually appear on their statement thirty days after purchases. The fraudsters have plenty of time to gather account numbers, clone cards, and then sell them. The buyers then use the cards for purchases and the crime goes undetected until the card holder’s statement arrives in the mail. It is not uncommon for stolen accounts to be used in different continents within days of each other. Credit card companies have stepped up their fraud alert detection to identify these transactions and decline the purchase if strange activity is apparent.
With this relatively long window of opportunity, the fraudsters have time to make the account numbers more attractive to the buyer, thereby demanding a higher price for each account. One method used by the fraudster to ensure a good account is sold to the buyer is called “carding.”
Carding is a term used for the process of verifying the validity of stolen card data. The thief presents the card information on a web site that has real-time transaction processing. If the transaction is processed successfully, the thief knows that the card is still good. The problem presented with carding is the seller has just started the clock ticking by completing a fraudulent transaction. Within the next thirty days an alert consumer may see the charge and question it.
When credit card details have been verified in this way, it is known in fraud circles as a “phish.” A carder (the name used for persons who perpetrate this type of fraud) will typically sell data files of phished card numbers to other individuals who will carry out the actual fraud. Market price for a phish varies depending on the type of card, freshness of the data, and credit status of the victim
Investigating Credit Card Fraud
When the fraudulent transactions of credit card skimming are realized, information begins to pour into different agencies. Cardholders may first discover the fraud when viewing activity on-line or upon receipt of their monthly statement and begin disputing unauthorized use of their credit card. However, in many cases the card issuer…banks or credit card companies…become aware of the fraud before the cardholder does by utilizing advanced software programs that alert them to changes in cardholder behavior or location of charges.
A bank’s fraud prevention department compiles a list of all the cardholders who have complained about fraudulent transactions, and then uses data mining to discover relationships among the cardholders and the merchants they use. For example, if many of the customers used one particular restaurant or chain, that merchant’s terminals (devices used to authorize transactions) can be directly investigated.
Sophisticated algorithms can also search for known patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe in cases of compromise.
The U.S. Secret Service is working with the credit card industry to track down credit card skimming rings by assembling a database of locations where scams have occurred.
Other advancements on the horizon to combat credit card skimming includes chip cards. These cards have a microcomputer chip embedded in the card. Information on a chip card is virtually impossible to copy. Countries who have already implemented these chip cards have seen up to an 80 percent reduction in credit card fraud
Even when all of the parties involved respond and react perfectly, identifying the culprits and then bringing them to justice may be difficult at best.
If the fraudsters are identified and prosecuted, the punishment varies by state. Many states have adopted laws that identify credit card skimming or, specifically, possession of a skimming device with the intent to defraud as a felonious act. However, other states still define possession of a skimming device as a misdemeanor. Most state laws addressing the use of stolen credit card information to make fraudulent purchases define the crime as a felony act punishable with imprisonment and court-ordered restitution.
The Impact of this Crime
What impact does credit card skimming have on the business from which the credit card data was stolen? Merchants may think that the subsequent charges will likely be made elsewhere, so there’s no fall out on them, right? Wrong!
The reputation of a company is its most valuable asset. When one’s business reputation is damaged from a breach of data security, customer trust suffers. When customer trust suffers, sales are impacted and the company’s position in the market is threatened
The public has a long memory when their sense of security has been shaken. Consider a few examples.
Most of us will remember the fast-food restaurant chain in which a customer claimed to find a finger in her chili back in 2005. Although the allegation was proven false, we still remember. [See “The 99 Cents Chili Crisis” January-February 2008.]
Most of us will also remember the brand of pain reliever that was the target of a cyanide contamination in 1982. The parent company was honest and sincere with the public and took immediate steps to ensure its product, and others like it, would never have undetected contamination again. Despite their efforts and regaining of market share, we still remember.
The reputation of a company is its most valuable asset. When one’s business reputation is damaged from a breach of data security, customer trust suffers. When customer trust suffers, sales are impacted and the company’s position in the market is threatened.
More recently, most of us are very aware of the retailer who discovered and reported a breach of 45-million credit cards used in purchases made by their customers. Many of us were directly impacted by that breach and, yes, we will likely remember that company brand for a long while.
These examples are of very large companies with very strong brands who were able to withstand the multimillion-dollar impact on their bottom lines. Smaller retail or chain restaurant establishments don’t have the corporate financial backing to sustain the public backlash of reputation-damaging events, even those in which the company was not at fault.
Simply search “credit card skimming” on the Internet and you’ll find many small businesses that have been highlighted in the media for a breach that took place under their roof. Following are items from one such search.
- A 21-year-old used a pocket-sized electronic swipe pad to record credit card numbers while working as a cashier at Union 76/Circle K convenience stores.
- A waitress formerly employed at Harpoon Hanna’s restaurant in Fenwick, Delaware, was indicted for skimming credit card information.
- Police in the New York area broke up a credit card scam ring that involved waiters in about forty restaurants recording credit card information and passing it to thieves. The scam brought in about $3 million. Stolen numbers, lifted with skimming devices, were used to make counterfeit cards, which were used to buy merchandise that was then sold for cash. When the ringleader was arrested, police found 296 counterfeit credit cards, about $200,000 in cash, and numerous fancy wristwatches and handbags.
- Redbox, the DVD rental kiosk often found in supermarkets, recently sent warnings to customers about credit card skimming.
- According to state police, Wawa locations in several Delaware counties have had skimming devices placed inside their gas pumps.
- A personal trainer at a Boston fitness club was charged with skimming credit card data that ultimately went to the two Algerian nationals convicted of planning the bombing of Los Angeles International Airport.
- Syracuse, New York, police worked on a case with the Secret Service involving a local Middle Eastern restaurant. They arrested a local restaurant owner and courier who transported skimmed information from a handheld skimmer to a location in Montreal where the ringleader, an associate of the Russian mob, manufactured cloned credit cards that were used to commit fraud at various mercantile locations in Canada and across the United States. The courier and restaurant owner were charged federally. The Russian mobster ringleader was never apprehended due to extradition difficulties with Canadian authorities
Protection against Credit Card Skimming
Both individuals and merchants can help prevent fraud due to credit card skimming. Following is a list of suggestions.
Individuals. What can an individual do as a cardholder to protect himself from identity theft?
- Watch your credit card. Keep it in your possession when possible or keep your eye on it if the server or clerk takes it from you.
- When possible take your check to the bar to close out your tab.
- Ask questions if you see your card swiped more than once.
- Look for wait staff or sales clerks carrying extra equipment in environments where the clerk takes your card to process the transaction.
- Check your card activity throughout the cycle period on-line for unauthorized transactions.
- Check your statement carefully and report inaccuracies immediately.
- Sign up for fraud alerts. Keep in mind your credit may be temporarily frozen or suspended until transactions can be validated as authorized by you.
Merchants: As a merchant, what can you do to prevent credit card skimming?
- Monitor associate behavior and define policies for cell phone use.
- Educate new associates on the consequences of fraudulent acts, including prosecution, termination, and public embarrassment.
- Pay attention to personal calls into the business for employees or frequent visits to them from friends.
- Control the register and ensure extra devices are not present.
- Utilize tableside card payment devices that allow the customer to swipe their own card.
- Notify merchant services if you suspect skimming is taking place.
The steps you take to protect your customers from credit card fraud will be rewarded by their continued patronage and the preservation of the reputation you worked so hard to establish.
There will always be a new scam, and there will always be those who are willing to try them. However, just as technology is created to commit crimes, there is as much technology being developed to help us prevent it
Staying informed and educated on the latest scams, such as credit card skimming, is your best defense.
This article was first published in 2009 and updated May 2016.