Recently I worked with Acme (the name has been changed to protect their identify), a retail company that had been contacted by their bank. (Let’s call the company Acme.) During an investigation of some credit card frauds, the bank discovered that many of the fraudulent transactions appeared to have one location in common, Acme.
The analysis works like this. Let’s assume that Joe Smith and Mary Jones used their credit cards at Acme on March 1st. Then, on March 20th, both Joe’s and Mary’s credit cards were involved in fraudulent transactions. Once a credit card is involved in a fraudulent transaction, the banks look to see if this transaction is part of a larger fraud. So, they check the historical transactions of Joe and Mary, looking for the business that they both have in common. The theory is simple, if Joe and Mary visited a company with a security breach, it will be seen in the historical analysis.
This type of fraud analysis is useful for detecting when many credit cards are compromised at a business. If the bank can identify the location where credit card numbers were compromised, it can prevent future fraud from that compromise. In order to do that, the bank will need to cancel all credit cards that were used at the business where the compromised occurred and re-issue new ones.
Back to Acme. So, based upon fraud analysis, the bank had strong reason to believe that somehow Acme was leaking credit card numbers. In fact, the bank suspected that over 70 fraudulent transactions resulted from a problem with Acme. Our review of Acme showed that their network was Payment Card Industry (PCI) compliant. The credit card numbers were protected in Acme’s network. So, the card numbers were not leaking out because a network hacker.
This left only two options. The first is that an employee or employees were stealing the credit card numbers through the use of a skimmer, or that Acme’s card processor was hacked. Based upon the fact that only certain transactions at Acme were reported as compromised, this meant that the skimmer possibility was much more likely.
While there has been a lot of work on securing credit card data over the network, the physical credit card is still vulnerable to the skimming attack.
In order to protect yourself, do not let you credit card out of your sight when you use it. Because when it is out of your sight, it is possible that the person that took your credit card also took a copy of your credit card.