Robert Siciliano Identity Theft Speaker

At an ATM or a point of sale (cash register -POS), most debit card users are blissfully unaware of what occurs in the process of swiping a card then entering a pin. There is a magical mystery that takes place and we get to walk away with cash and goods by swiping a card and typing in our first dog’s name. The money magically disappears from our account and we celebrate by eating our just bought Twinkie.

Debit cards are linked directly to our checking accounts which makes it a tasty treat to the criminal hacker.

The process in its simplest terms is similar for ATMs and POS. It involves the user swiping their card, punching their pin and the data card-swipechecked by a 3rd party payment processor (or bank) over telephone lines or the Internet. Once the information is validated and the payment processor verifys the funds exist, funds are moved from your account to the merchants account, or dispensed in cash.

The convenience of a debit card has pushed its use far beyond that of hand written checks all the way into 3rd world countries.

We’ve known for some time that low tech skimming at ATMs and gas pumps has been a point of compromise. The convenience of the debit transaction has long had the attention of criminal hackers and Wired has reported that the entire transaction is compromised.

Academics discovered this flaw years ago but didn’t think it was possible to execute in the field. Criminal hackers however have come up with the holy grail of hacks to steal large amounts of encrypted and unencrypted debit card and pin numbers. And they figured a way to hacker11 crack the codes of encryption.

The first signs of PIN tampering were recognized when investigators studied the processes of the 11 criminals who were caught in relation to the TJX breach. That breach involved 45 million credit and debit cards. This ring needed PIN codes to turn lots of that data to cash and here was their motivation to do so. An investigation into this breach reported, the hacks resulted in “more targeted, cutting-edge, complex, and clever cyber crime attacks than seen in previous years.”

This revelation has some saying that the only cure to this type of hack is a complete overhaul the payment processing system.

The compromise occurs in a device called a hardware security module (HSM), which sits on bank networks. PIN numbers pass through on their way from an ATM or POS to the card issuer. The module is a tamper-resistant device and provides a secure environment for encryption and decryption for PINs and card numbers.

Criminal Hackers are accessing the HSM and tricking them into providing the decrypting data. And they are installing malware on the systems called “memory scrapers” that captures the data unencrypted and even store it on the hacked system.

The PCI Security Standards Council a self regulating body who oversees much of what occurs regarding payment card transaction said they would begin testing HSMs. Bob Russo, general manager of the global standards body, said the council’s testing of the devices would “focus specifically on security properties that are critical to the payment system”.

I don’t own a debit card and never have and never will. Simply put, when a debit card is hacked, that’s money directly from my bank account. The evidence of hacking often missing from an ATM or POS transaction. Now I have to go through the arduous process of explaining it wasn’t me who rifled thousands of dollars from my account. Whereas if a credit card is compromised the zero liability kicks in and I’m cured much quicker.

Your ultimate responsibility here is to check your statements very closely and look for unauthorized activity. Check your statements online bi-weekly opposed to monthly and refute unauthorized charges immediately. Consider using a credit card instead of a debit card.

While this type of fraud is generally out of your control it’s still imperative you invest in internet security software such as McAfee and consider identity theft protection.

Identity Theft Expert discussing flawed card transactions

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out for more information.

Be Sociable, Share!