From Hypercom Corporation
Credit card "skimming" is an alarmingly
escalating form of fraud that is victimizing consumers, causing havoc
with merchants, and costing the industry hundreds of millions of dollars
every year. Skimming fraud takes many forms, but most often involves
a cardholder turning over physical possession of his or her card to
a retail or restaurant employee, who then swipes the card through a
small, illegal card reader, called a "skimmer." The skimmer
copies the data encoded on the card's magnetic stripe. This information
is then used to manufacture counterfeit cards that are used to rack
up illegal charges. Industry sources estimate that the average skimmed
credit card will generate some $2,000 in fraudulent charges before being
detected.
Skimming is rapidly growing in virtually every major
city in the U.S., UK, Europe, Canada, and Latin America. It is especially
rampant in Asia. A new, and far more dangerous variant of skimming involves
implanting sophisticated skimmer bugs into card payment terminals. All
legacy terminals of the current installed base are susceptible to this
type of attack. There is no discernible pattern towards any brand of
terminal. Every merchant with a legacy terminal from any manufacturer
is at risk. This form of skimming is particularly insidious since it
obliterates the Common Point of Purchase (CPP), which is used today
by the card associations' neural network software to pinpoint those
merchants where most skimming originates.
"Until now, the card associations had an effective
weapon to combat skimming," commented George Wallner, Hypercom's
chairman and chief strategist, during a high-level briefing with key
industry analysts, consultants and market intelligence specialists in
Phoenix, Arizona, USA. "By using sophisticated software they could
identify the juxtaposition common to skimmed cards and thus the merchants
where high levels of skimming originates, for most of the skimming.
The associations could then assess fines against those merchants (and
their acquirers) or withdraw their card accepting privileges. But with
skimmers in terminals, whose skimmed contents are extracted infrequently
- often many weeks after the card has passed through the particular
location - there is no clear pattern. There is no easily identified
CPP. As a result, there is no longer an easily implemented defense against
skimming."
Essentially, skimming takes advantage of the fact
that a magnetic stripe is a passive media: its digital content can be
copied with perfection, and there is no difference between a copy and
the original. Technology available to fraudsters has reached a point
where it leaves the 25 year old magnetic stripe largely defenseless.
To make things worse, skimmed magstripe data is now available from numerous
web sites.
"What is happening to the mag stripe is not unlike
what has been done to digitally recorded music on the Internet, except
this is more insidious with no pretense of legality. The magnetic stripe
was simply not designed to withstand attacks that use the sophisticated
technologies available today," said George Devitt, senior vice
president and chief marketing officer of Hypercom.
Upsetting relationships built on trust
"Our industry is built on trust. Under normal
circumstances, the merchant trusts the acquirer to get paid; the acquirer
trusts the issuers to get settled; the issuers trust the cardholders;
and the cardholders trust the merchants. The most alarming thing about
this new wave of fraud is that it is seriously undermining this trust,"
added Wallner. "For example, in Asia acquirers now increasingly
require merchants to provide a security deposit of US$25,000 to cover
the fines they sustain when skimming originates within their merchant
base. This is upsetting the relationship between merchants and acquirers,
as well as the relationship between the associations, issuers and the
acquirers. In some cases this has even led to merchants declining to
accept certain brands. Consumers are also affected as they will be denied
the use of their skimmed cards and they may choose not to return to
a location they suspect having skimmed their card to use their replacement
card.
"This is no longer about fraud losses. This is
about the integrity of the card payment system. This new form of uncontrollable
skimming has the potential to seriously weaken the brands that form
the cornerstones of our industry," Wallner said.
A call to arms
"It is time for merchants, consumers and industry
leaders to join forces and seriously combat skimming," Wallner
declared. "We have the technology to stop this criminal activity
in its tracks, but we cannot do it alone. Issuers, acquirers, terminal
vendors, merchants and consumers must cooperate and adopt the tools
necessary to eradicate this destructive activity." We have four
tools at our disposal to combat skimming: in the short term, we must
put in place terminals that process cards right where the card holder
is - especially in restaurants, right at the table. Terminals must also
be made tamper resistant to prevent the implantation of skimmer bugs.
They also must be capable of secure downloads to prevent the downloading
of software skimmer bugs ' which are surfacing at an increasing rate.
Ultimately, however, our industry must move to smart card based credit
cards because smart cards are 'skimming-proof'."
Leading the attack
Taking the lead in attacking credit card skimming,
Hypercom and a growing number of leading merchant processors are deploying
high-performance, touch screen ICE card payment terminals that are consumer-activated,
ensuring that the card never leaves the consumer's possession. In addition,
Hypercom's devices are made tamper-resistant through various intrusion
detectors that deny access to the internal circuitry of the terminal
without wiping out all of its software and merchant tables, and rendering
it useless. In the event of an intrusion the software and tables are
wiped out, making the terminal useless. These terminals also employ
secure downloads that prevent unauthorized downloads from anyone else
but the acquirer or processor with which they are associated. This prevents
the downloading of software skimmer bugs.
Smart cards: the ultimate weapon
The industry is also moving forward with its ultimate
weapon against skimming. Smart card chips will make credit cards "skimming
proof" as smart cards are not a "passive" medium and
can be authenticated online using secure encryption techniques. They
are highly tamper resistant and represent a level of technology that
is impenetrable by criminals today and for the foreseeable future. In
fact, when France rolled out smart cards it wiped out most fraud immediately.
These were smart card based credit and debit cards, not the much talked
about stored value cards.
Following guidelines and standards set by Visa, MasterCard
and Europay, Hypercom and other terminal vendors have incorporated comprehensive
smart card readers into their new terminals. For example, all Hypercom
terminals are now available with EMV certified smart card readers and
many of Hypercom's customers, including customers in the U.S., are installing
smart card enabled terminals. These terminals will play a key roll in
stopping credit card skimming.
Immediate action
Smart cards, however, will be rolled out gradually
and will take many years to fully replace magnetic stripe cards. In
the meantime the industry must switch to tamper resistant and secure
terminals and where necessary such as in restaurants, deploy portable
terminals that allow consumers to pay at the table. "The minute you
allow the consumer to retain possession of their card during the transaction,
you can put a lot of criminals out of business and make a lot of shoppers
feel a lot safer," said Jeff Roster, senior analyst, retail and consumer
goods, for Gartner Dataquest.
"It is essential that we do something to combat credit
card skimming now. Out-of-control skimming will hurt the entire industry,"
Wallner said. "We have the technology and the products. We are calling
on merchants, acquirers, processors and issuers to join forces so that
we can virtually eradicate this crime."
Credit Card Fraud and Skimming Fact Sheet