SEATTLE - Using brash ingenuity, criminals out to steal your personal data are tampering with the checkout machines in department stores, supermarkets, gas stations and even your doctors' office.
Their prime target: your debit card account number and personal identification number.
Thieves use ruses, such as posing as repairmen to alter and corrupt payment terminals - installing skimmers and storage devices that capture account numbers from the magnetic strip on a card as well as the PIN numbers the customer keys in.
"Technology is making it easier for criminals to develop smaller, more effective skimming devices," says Dale Dabbs, CEO of identity theft protection service EZShield.
The compromised checkout machines are so widely dispersed that many crimes go unnoticed and public reports are sporadic, says Jeff Hall, director of Technology Risk Management Services at consultancy McGladrey.
Barnes & Noble recently disclosed that data thieves got away with installing corrupted checkout terminals in 63 bookstores in nine states. The case is under investigation, and the company has not said how many customers were affected.
In late September, Toronto Police arrested four men at a subway station in possession of 168 counterfeit debit cards. A fifth suspect was arrested later in his west side condominium - with a cache of point of sales (POS) terminals. Some of the devices were ripped apart for use in assembling altered terminals, says Toronto detective Ian Nichol.
Verizon's data-breach investigations unit noted that data thieves have begun targeting POS terminals used by patients to make co-payments and pay deductibles in health services clinics and facilities. Verizon annually investigates several hundred data-breach cases and reports on trends, but does not disclose names of the victimized companies.?
Debit card account numbers and PINs are highly sought because they can be converted quickly into cash. A device called a mag stripe encoder can be purchased legally on the Internet. For about $200, anyone can embed a stolen payment card number onto a blank magnetic striped card. With the associated PIN, free cash is only an ATM away.
"PINs are the Holy Grail," says Hall. "If it's a debit card, you can cash in up to the limit on the ATM."
ATM fraud using counterfeited debit cards began catching on in the mid-2000s. In 2007 the TJX retail store chain disclosed that hackers cracked into its network and siphoned off unencrypted information, including PINs, for 94 million customer transactions. Two years later Heartland Payment Systems disclosed that intruders cracked the system it uses to process 100 million card transactions per month from 175,000 merchants.
Since those two events, big retailers have tightened down their networks and expanded use of encryption. So data thieves have now turned their prowess to that moment in time debit card data remains unprotected in a public setting - during the swipe and PIN-entry process.
"The hackers are many steps ahead of the card issuers and financial institutions, who are unable to pivot quickly," says Cynthia Larose, who chairs the privacy and security practice at the 500-attorney firm, Mintz Levin.
Debit card users should be mindful of the heightened risks, Larose says. Financial institutions generally will act quickly to make a victim whole in cases of fraud involving use of a credit card or an ATM machine. However, banks are not obligated to work with a victim in fraud cases involving use of a debit card at a POS terminal, she says.
"Other than avoiding the use of debit cards at POS terminals, there probably is little a consumer can do," Larose says. A final piece of advice: "Use cash."