Today’s Wall Street Journal article Skimming Devices Target Debit-Card Readers (subscription required, I fear) describes how thieves are hacking debit cards: replace store credit card mag stripe readers with ones that copy the mag card data and the PIN. The thieves leave them in place for a few days, swap them out, and go on a big spending spree – with your money.

That sounds familiar . . .
In principle, similar to the the keyloggers seen on some public keyboards that record all your keystrokes so thieves capture your passwords. Which is why it is smart to take a flash thumb drive loaded with your own software, including an on-screen keyboard for entering passwords, when you travel.

Performance anxiety
For all the focus on data theft from hacking computer systems, the Journal reports:

A recent study by Gartner Inc. analyst Avivah Litan found that 80% of credit-card data breaches are tied to cash-register and other POS terminals. Robert McCullen, [CEO of] a Chicago-based security firm that has serviced about 30,000 businesses, says that in the past two years it has handled more than 200 incidents of POS breaches and that its cases in 2006 doubled from the previous year.

Mag stripes are an ISO standard (7811) storing 226 bytes on a credit card. A cheap gigabyte flash chip could easily store millions of debit cards and associated PINs. The card reader technology is cheap and available. One ring got its data for a $100,000 haul from a couple of hacked gas station card readers.

You even build your own mag stripe reader. Something for the entire hacker family to enjoy!

Par-tay!
The crimes are lucrative and low-risk too.

Two years ago, the Secret Service busted a ring masterminded by two individuals in Miami who stole more than $56 million by skimming data and creating fake cards.

Thankfully not every criminal is so ambitious.

New! Improved security!
The article suggests that new technology makes it more difficult for thieves to skim debit cards, but how much has changed: the card reader reads your data; you enter a PIN; your data gets shipped across a network. Seems eminently hackable to me. Maybe better informed readers can elucidate.

The StorageMojo take
Banks like mag stripe because it is cheap. And banks are happy to shift the burden of enforcement for easily hacked technology to taxpayers, just as credit reporting firms have done with identity theft. With their enormous lobbying budgets – banks spent $100 million buying Congress for the new bankruptcy law – don’t expect Ebay on the Potomac to come to our aid any time soon.

I’m sure there are ways to solve this problem, but they’ll cost money that banks and retailers won’t want to spend. So taxpayers and victims will foot the bill for a 40 year old storage technology that hasn’t kept pace with our changing needs.

Comments welcome, of course. Moderation turned on so spam can be turned off.