Why Does My Card Keep Getting Compromised?

Carlton Howard

Twitter | Email

Published on 10-06-2016

Categories: Member Tips

Are you tired of having your (debit & credit) cards replaced? Perhaps this has even happened to you more than once.

While I am sorry we need to discuss this topic, we all need to be concerned about plastic card fraud because we can't make things more secure without EVERYONE working together.

(Coastal members, before we go any further the absolute best thing you could do RIGHT NOW (to help in this battle against fraud) is to log into Digital Banking and place transaction alerts on your cards. That way, you'll know as quickly as possible about all transactions you did not authorize - give us a quick call and we can stop the fraud and restore your funds. We also suggest that you update your personal information so you are always kept informed of important card-related information.) 

So HOW IS IT that your card is compromised so frequently?

The short answer is - hackers steal the data. (Sure, there are other ways but this is the most common path to stolen card information.)

There are a number of ways this can be done.

The first and most prevalent is for hackers to steal the data from merchants - stores, restaurants, etc. - actual brick and mortar locations (sometimes a "Merchant Processor" is breached - this is a company that funnels payment data from multiple merchants onto the various financial institutions for approval.). Generally this is done by placing malware (a virus) on the computer system used by the merchant. If that is connected to their payments systems (the check out, the "cash register", or card swipe machine) - BOOM they've hit pay dirt because most merchants do not encrypt data while it is on their systems. Crooks generally get this malware onto merchant systems by getting employees there to click on a link in a malicious email. But this can happen via other means.

A second most prevalent way is through skimming data with a card skimmer. A card skimmer is a card swipe device that can be a stand alone unit (that can fit in a waiters pocket, for instance) OR it can be physically attached OVER the existing card reader. With the latter, this commonly happens with gas pumps and ATMs - so always inspect carefully the "slots" through which you intend to slide your card. IF it looks suspicious move on and buy gas/withdraw cash elsewhere (or use your debit card to purchase). With the "stand alone waiter's pocket" example - the stand alone device can be manned by a rogue waiter - IF the card leaves the table to pay - then it is a simple matter for the waiter to secretly swipe your card. Then later they can retrieve the data manually OR they can transmit the data out (if they have built-in wireless capability).

The third most prevalent way is by phishing - you're sent an email and you click on a link and your device is infected with malware OR you are taken to a site where it looks like you are buying something, and as a result, you inadvertently give away your payment data, but it's not a legitimate business.

The fourth most prevalent way is for fraudsters to physically visit a merchant, use social engineering (i.e. they say they are from "corporate IT - here to put in new payment terminals") and they actually replace the equipment with card readers of their own. These attacks are so sophisticated that the new terminals are still able to transmit the legitimate transactions on to the processors!!! In such cases the crooks now have card data AND the PINs to go with the cards - so they can steal cash from any ATM where that card works.

You can read more here: https://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/

Okay, so your data has been stolen, now what?

Stolen card data is then sold on the web - "the dark web" - generally through the use of bitcoin (which is rapid, completely anonymous, un-reverseable, yet publicly visible) to "carders". A carder is someone who can take that stolen data and produce counterfeit cards. Then the carders go out and use the cards OR, more likely, they hire "mules" (unsuspecting consumers - who are naive) to go and use the cards and then ship the money to the carders - while keeping a portion.

BOOM!! Just like that - away goes our money. (We say "our" because we're generally going to make EVERY member whole in a situation like this.)

But how do I get compromised repeatedly?

You either have the bad fortune to have shopped at additional merchants that were breached OR one of the places you shopped was breached for quite a while BEFORE the malware was discovered. (The average breach goes on for about 90 days. But some have lasted for more than a year.)

For example: Most news outlets report that Wendy's was breached. Many eat there weekly (or every other week). That's a lot of stolen cards over 6 months.

Of course, it's exponentially worse when multiple merchants are breached at once.

How do I know that Coastal hasn't been breached?

To our knowledge (knock on wood) Coastal has never been compromised or breached. We must guard eternally on that front. But, our best protection is the ugly fact that there are much easier targets out there. Our relative small size is an asset there too. (Low value target - strong array of defenses)  

So, to wrap this up, the best way for YOU to guard yourself against card fraud -

  • Set up alerts on your accounts
  • Use a chip-enhanced credit or debit card at your local merchants to guard against malware that may have been installed on their systems
  • Use virtual payment services like Visa Checkout or Apple Pay
  • Be careful when clicking on links in emails you receive. Inspect the link itself, subject line, and where the sender carefully. If you think anything is suspicious, don't click the link!

There is only so much you can do to protect your card and your identity. Taking the steps listed above today will help. Merchants are working toward safer systems as well. As I said in the beginning, if everyone works together, we can all guard against card fraud.

Tell us what you think!