SEATTLE -- Using brash ingenuity, criminals out to steal your personal
data are tampering with the checkout machines in department stores,
supermarkets, gas stations and even your doctor's office.
Their prime target: your debit card account number and personal identification number.
Thieves
use ruses, such as posing as repairmen to alter and corrupt payment
terminals - installing skimmers and storage devices that capture account
numbers from the magnetic stripe on a card as well as the PINs
the customer keys in.
"Technology is making it easier for criminals to develop smaller, more
effective skimming devices," says Dale Dabbs, CEO of identity theft
protection service EZShield.
The compromised checkout machines are
so widely dispersed that many crimes go unnoticed and public reports
are sporadic, says Jeff Hall, director of Technology Risk Management
Services at consultancy McGladrey.
Barnes & Noble recently
disclosed that data thieves got away with installing corrupted checkout
terminals in 63 bookstores in nine states. The case is under
investigation, and the company has not said how many customers were
affected.
In late September, Toronto Police arrested four men at a
subway station in possession of 168 counterfeit debit cards. A fifth
suspect was arrested later in his west side condominium - with a cache
of point-of-sale (POS) terminals. Some of the devices were ripped apart
for use in assembling altered terminals, says Toronto detective Ian
Nichol.
Verizon's data-breach investigations unit noted that data
thieves have begun targeting POS terminals used by patients to make
co-payments and pay deductibles in health services clinics and
facilities. Verizon annually investigates several hundred data-breach
cases and reports on trends, but does not disclose names of the
victimized companies.
Debit card account numbers and PINs are
highly sought because they can be converted quickly into cash. A device
called a mag stripe encoder can be purchased legally on the Internet.
For about $200, anyone can embed a stolen payment card number onto a
blank magnetic striped card. With the associated PIN, free cash is only
an ATM away.
"PINs are the Holy Grail," says Hall. "If it's a debit card, you can cash in up to the limit on the ATM."
ATM
fraud using counterfeited debit cards began catching on in the
mid-2000s. In 2007 the TJX retail store chain disclosed that hackers
cracked into its network and siphoned off unencrypted information,
including PINs, for 94 million customer transactions. Two years later
Heartland Payment Systems disclosed that intruders cracked the system it
uses to process 100 million card transactions per month from 175,000
merchants.
Since those two events, big retailers have tightened
down their networks and expanded use of encryption. So data thieves have
now turned their prowess to the moment when debit card data remains
unprotected in a public setting - during the swipe and PIN-entry
process.
"The hackers are many steps ahead of the card issuers and
financial institutions, who are unable to pivot quickly," says Cynthia
Larose, who chairs the privacy and security practice at the 500-attorney
firm, Mintz Levin.
Debit card users should be mindful of the
heightened risks, Larose says. Financial institutions generally will act
quickly to make a victim whole in cases of fraud involving use of a
credit card or an ATM machine. However, banks are not obligated to work
with a victim in fraud cases involving use of a debit card at a POS
terminal, she says.
"Other than avoiding the use of debit cards
at POS terminals, there probably is little a consumer can do," Larose
says. A final piece of advice: "Use cash."
USA Today