Today’s Wall Street Journal article Skimming Devices Target Debit-Card Readers (subscription required, I fear) describes how thieves are hacking debit cards: replace store credit card mag stripe readers with ones that copy the mag card data and the PIN. The thieves leave them in place for a few days, swap them out, and go on a big spending spree – with your money.
That sounds familiar . . .
In principle, this is similar to the keyloggers seen on some public keyboards that record all your keystrokes so thieves capture your passwords. Which is why it is smart to take a flash thumb drive loaded with your own software, including an on-screen keyboard for entering passwords, when you travel.
Performance anxiety
For all the focus on data theft from hacking computer systems, the Journal reports:
A recent study by Gartner Inc. analyst Avivah Litan found that 80% of credit-card data breaches are tied to cash-register and other POS terminals. Robert McCullen, [CEO of] a Chicago-based security firm that has serviced about 30,000 businesses, says that in the past two years it has handled more than 200 incidents of POS breaches and that its cases in 2006 doubled from the previous year.
Mag stripes are an ISO standard (7811) storing 226 bytes on a credit card. A cheap gigabyte flash chip could easily store millions of debit cards and associated PINs. The card reader technology is cheap and available. One ring got its data for a $100,000 haul from a couple of hacked gas station card readers.
You can even build your own mag stripe reader. Something for the entire hacker family to enjoy!
Par-tay!
The crimes are lucrative and low-risk too.
Two years ago, the Secret Service busted a ring masterminded by two individuals in Miami who stole more than $56 million by skimming data and creating fake cards.
Thankfully not every criminal is so ambitious.
New! Improved security!
The article suggests that new technology makes it more difficult for thieves to skim debit cards, but how much has changed: the card reader reads your data; you enter a PIN; your data gets shipped across a network. Seems eminently hackable to me. Maybe better informed readers can elucidate.
The StorageMojo take
Banks like mag stripe because it is cheap. And banks are happy to shift the burden of enforcement for easily hacked technology to taxpayers, just as credit reporting firms have done with identity theft. With their enormous lobbying budgets – banks spent $100 million buying Congress for the new bankruptcy law – don’t expect Ebay on the Potomac to come to our aid any time soon.
I’m sure there are ways to solve this problem, but they’ll cost money that banks and retailers won’t want to spend. So taxpayers and victims will foot the bill for a 40 year old storage technology that hasn’t kept pace with our changing needs.
Comments welcome, of course. Moderation turned on so spam can be turned off.
I’m not sure an onscreen keyboard is going to help you Robin. If the keyboard’s implementation is independent of an application, say a web browser, then it has to generate the same response as a keystroke on a physical keyboard. The computer, in most cases, would not know the difference and a keylogger would still work.
One slick solution I had the opportunity to learn about is MobiKEY from Route 1. Check it out:
http://www.route1.com/pro_mobikey.htm
Windows only at this point, sorry. But it allows secure remote connection to applications and data. And it is smart enough to clean up after itself on the local PC. I do remember asking them about keyloggers and I cannot remember the response. I believe without the Key, the PWs are basically useless. I’ll ask them again the next time I have them on the phone. In any case, I thought it was a novel solution to identity protection and secure access.
Joe,
Good comment, and I want to follow up on mobiKEY.
There are different kinds of keyloggers – the most common being a flash chip and a bit of logic attached to the keyboard. They can be built into the keyboard or some cable connectors. The on-screen keyboard would defeat keyboard loggers. Software keyloggers could be a different story.
To defeat built-in keyloggers, put your operating system, browser and mail reader on the flash drive. Boot the internet cafe machine from the flash drive. You can be pretty confident that your data will stay secure.
Robin