To catch a thief

by Paul Holmes ([email protected]) 1,011 views 

Dear Whoever You Are,

I can only suppose that your Valentine’s Day holiday was one of the best ever. I would tell you you’re welcome, but you’re not and anyway, I don’t expect a thank you note from someone like you.

However, I really would like to know what you cooked for dinner with all the groceries you purchased in mid-February and who received the nice floral arrangements and gift baskets that you ordered until my bank caught it and derailed your larcenous gravy train.

Had I realized at the time I was paying for it all, I might have wanted input on the menu or the flower selection since some of those arrangements can smell downright funeral. At the very least, I would have wanted to peruse the guest list. But you might not have known in advance who your Valentine was going to be, since you also visited several dating sites on my dime.

I suppose you’d want your place to be decorated nicely and you would need a new wardrobe in case you managed to coax somebody from one of those dating sites into coming over for Valentine’s Day dinner. That would explain the multiple charges in one day to an online shopping site, the purchases that by the way, attracted the bank’s attention. Had you asked me a month ago, I would have said that Zulily is a perennial plant grown outside the lion enclosure, but thanks to you, I know better now. Perhaps you shouldn’t have been so greedy.

•••

That is the letter I would write if I knew who hijacked my debit card number last month and had what I expect was a heckuva great time with it for a few days. I surmise that the number was hijacked because the card itself was in my possession while the fraudulent activity was taking place.

Thankfully, the bank refunded the bogus charges, so one might shrug and say— to use a basketball phrase — no harm, no foul. Actually, from a business perspective, that’s far from the truth.

The number of debit and credit cards that were exposed to hacking efforts at U.S. ATMs and stores jumped 70% in 2016, according to a report from data analytics and credit scoring company Fair Isaac Corporation (FICO).

What’s known as “card-not-present” fraud — fraudulent transactions that occur when the card isn’t physically present — is expected to cost merchants and retailers $7.2 billion by 2020. That’s the kind of fraud the Valentine’s Day bandit used to steal from me.

$7 billion is a significant loss indeed, one that businesses have to make up somewhere, most likely in higher prices to their honest customers. Banks, of course, incur substantial costs in dealing with this type of fraud. Banks are not organized as nonprofit charitable institutions. They cannot and certainly shouldn’t be expected to just eat the cost of fraud.

There are several types of “card not present” fraud schemes. As technology has steadily advanced, so too have the methods thieves use to get other folks’ money, particularly from debit cards.

For years, one of the most popular pieces of equipment that fraudsters used to gain access to consumers’ bank accounts was a handy little device called a skimmer. A skimmer fits over the card access slot at a gas pump, ATM or other payment device and “skims” the information from the customer’s card for retrieval later by the crooks. Pretty simple, no?

For the most part, customers, merchants, banks and standalone ATM companies got wise to the older-generation skimmers, so naturally, thieves have come up with newer, more sophisticated skimmers. One type is the deep-insert skimmer that is placed further inside the payment device so it’s harder to detect. Data from skimmers now can be gathered wirelessly so the thieves don’t have to physically visit the machine to retrieve the data and the device.

Just when we thought we were wise to skimmers, fraudsters are deploying a new piece of hardware — the shimmer. It’s a tiny type of skimmer that’s capable of reading the data from the new chip-based debit and credit cards, according to the ATM Industry Association, a nonprofit trade association.

If a fraudulent charge is made on your credit card, there’s no immediate financial hit while you and the bank get it all straightened out. Since credit card bills are paid later, no money actually leaves your hands. But if thieves get hold of your physical debit card or debit card number, they gain access to your entire bank account in one fell swoop. Make that one fell swipe.

Getting hacked made me reread all the financial industry’s and law enforcement’s advice for avoiding such situations. Those include taking a good look at any payment device to make sure there’s no skimmer attached before poking your card in the slot, using credit rather than debit cards at gas pumps, using bank branch ATMs instead of standalones that may be less likely to have surveillance cameras, and making online purchases with credit rather than debit cards.

I, of course, have been guilty of paying little heed to these caveats. I’ll do better. So should we all. If you haven’t done it today, review your business and personal accounts for suspicious activity. There’s somebody out there just waiting for the chance to separate you from your money, and if they succeed, it costs us all.

Editor’s note: Paul Holmes is editor-at-large for the Northeast Arkansas Talk Business & Politics. He can be reached at [email protected]. The opinions expressed are those of the author.