Gas pumps, taxicabs, and even vending machines take credit
cards, and thieves worldwide are cashing in. Criminals are becoming more
sophisticated at intercepting payment information as banking and retail systems
lag behind. Lax regulation and a lack of investment in security tilt the scale in favor of crooks.
The Association of Chartered Certified Accountants (ACCA)
and Pace University yesterday released a report
on the myriad ways that fraudsters are obtaining credit card information with
“skimming” devices that are becoming smaller and smarter. The technology is readily available online and at spy stores.
Skimming devices are surreptitiously installed where we pay.
A group of tech-savvy thieves in Manhattan was clever enough to install a skimmer
directly into gas pumps, using the pump’s own power supply and Bluetooth to
transmit card data wirelessly. The scheme siphoned millions of dollars from
unwary drivers before it was noticed by law enforcement. Those responsible are being prosecuted for their crimes.
“Devices are becoming smaller and have more memory,”
said report author Darren Hayes of Pace University. “The quality of data
on the devices has improved over time, and skimmers often are password
protected and use advanced encryption protocols.” ATMs, ticket vending
machines, stores, and restaurants are all targets.
ATMs are the most common target. The United
States has the world’s largest ATM market – with nearly 425,000 installed today, ACCA
said. Skimmers record the information from the magnetic stripe on credit cards
as they are used at ATMs. The cards are cloned, and sometimes turn up in Ghana,
Costa Rica, Mexico and Malta.
Why? The United States is using old technology and fails to
seriously monitor skimmer fraud activity, the report found. Europe has taken a
hard line against fraud, with more advanced EMV (Europay, MasterCard and Visa)
credit cards, practices and technologies that make skimming more difficult to
accomplish, Hayes said.
The ATM industry is pushing back against implementing EMV,
because it would be expensive to upgrade machines, Hayes said. Payment
processors are likewise opposed to it, and providers don’t receive an annual
fee for cards in the U.S. that could finance increasing security, he said. Many Europeans pay for the privilege of a card.
“…The United States is a consumer-driven market and, with so
many providers to choose from, financial institutions are more likely to
sacrifice additional security measures to keep their customers happy and
prevent any inconvenience,” he said.
A consumer-driven market
The United States is also far less likely to regulate –
despite accusations of rampant over-regulating. Credit card breaches happen
often; Target was just the most recent debacle. There was no cost to the store
for its security lapses other than bad PR. It was even warned
that its systems were vulnerable, but didn’t act on the information. It's the retail equivalent of coal ash pouring into a West Virginia river.
The primary reason is - drumroll please - that the payment card industry is charged with
regulating itself. The PCI (Payment Card Industry) standard outlines best
practices, but these are superficial. There’s no enforcement as with HIPAA, which seriously holds corporate executives to
task for any lapses.
PCI isn't even being followed. It's voluntary, and therefore an unnecessary cost.
and lax regulation
“…Many companies that have been breached have not been able to
meet these minimum [PCI] standards,” Hayes said. “Security is all too often
viewed as expensive overhead rather than a necessity. When you ask about self-regulation,
what is really interesting is that when we read about these massive breaches,
the company itself is usually told by another company (often one of their
customers) that they have been breached.”
Hayes said that credit card companies want to shift liability for
fraudulent transactions onto banks and retailers that don’t implement EMV, penalizing
those that fail to adopt it. For example,
the entity (a store or bank) that processes a fraudulent transaction would be
held responsible for paying the loss.
ACCA suggests that U.S. financial institutions should
accelerate their adoption of anti-skimming solutions, which, along with fraud
investigations, should become a part of daily operations. Cooperation with law
enforcement will also be necessary to keep pace with the ingenuity of skimmers.
Lastly, ATM cards must be phased out in favor of contactless cards, biometric
security, and smartphone withdrawals.
Those are some nice recommendations, but there’s still no real incentive to act on the ACCA's advice. No single company can be punished by consumer sentiment, because there are bad actors across the board.
I’d like to
see PCI be given some teeth. When was the last time you heard of medical
information (HIPAA) being stolen? I can’t recall any incident. It’s time for electronic
payments to be modernized, even if the stakeholders are brought to the table
kicking and screaming. Enough is enough.
This post was originally published on Smartplanet.com