Thieves only need a minute, sometimes a second, to pilfer your credit card data.
“Back in the beginning, they got the imprint of credit cards from the carbon copies they dug out of the trash,” says William Noonan, deputy special agent in charge of the Secret Service’s cyber operations branch. “Technology has changed things.”
In 2015, criminals hacked, phished or skimmed their way into the systems of Ashley Madison, the CVS Photo website, Hilton Worldwide, Hyatt Hotels, Landry’s restaurants and Trump Hotel Properties, among others. In some cases, they only obtained names and emails. In the worst cases, they got credit card numbers.
Modus operandi: The waitress whisks away your credit card and swipes it through the restaurant’s register. Then, she pulls out a small device, about the size of an ice cube, and swipes the card through that, says Lt. David Schultz of the Fort Bend County Sheriff’s Office in Texas. While you’re scraping the last of the chocolate frosting from your plate, your credit card information has been stored in the device, known as a skimmer. The waitress returns your card and performs the same magic trick on dozens of credit cards in a week.
Known whereabouts: The data-stealing waitress has been known to moonlight as a bartender, sales clerk or at any place where she can take your credit card out of sight.
Modus operandi: Sally, Simon and Bud walk into a toy store. Sally and Simon roam the aisles, while Bud waits in line to check out. When Bud is at the register, Simon comes running up to the clerk, screaming that his wife has fainted. As Sally and Simon distract the sales clerk, Bud switches the credit card reader at the register with a modified one of his own, says Mike Urban, FICO’s former senior director of fraud product management. For the next week, the sales clerk unwittingly collects credit card data on the modified reader until the trio returns, takes back the modified reader and restores the original terminal.
Known whereabouts: The trio will hit other retailers and restaurants, but sometimes the threesome will instead be a duo or a solo criminal.
4 of 7
Adam Smialy /EyeEm/Getty Images
Suspect: The Gas Lass
Modus operandi: The Gas Lass parks her car in front of a gasoline station off the turnpike. It’s late. There’s no one around except a sleepy attendant at the register inside. The Gas Lass attaches a skimmer over the credit card reader at the pump. It’s a special skimmer: It emits a Bluetooth signal to a laptop close by, says Noonan. The Gas Lass pays, heads off to the motel next door and sets up her laptop to receive the data from the compromised pump over the next several days.
Known whereabouts: The Gas Lass installs skimmers over ATMs, parking meters, vending machines and any other places with unmanned credit card readers.
Modus operandi: Harry the Hacker installs malware — a type of software that damages or infiltrates a computer or network — on to a legitimate website with low security. The malware instantly downloads on to your computer when you visit the site and allows Harry to access your information. In another scenario, Harry puts malware on public computers and gathers the information you share with that computer, says Urban. Harry also infiltrates the computer system of banks, retailers and other businesses, and extracts personal account information, Noonan says.
Phishing Phil uses malware to go after your laptop or tablet. He sends emails with attachments that promise dancing kittens or some other bait. When the user opens the attachment, malware instantly downloads on to the computer and leaves confidential information vulnerable. Phil also sends emails from a familiar sender with a link to a contaminated website that installs malware on to your computer. Some malware, called spyware, allows Phil to capture every keystroke — including passwords to your financial accounts.
6 of 7
Fredrik Telleus/Maskot/Getty Images
Suspects: The rest of the criminal crew
Modus operandi: So what happens to these pieces of data when they’re in no-good hands? They get sold.
The waitress, trio or Gas Lass sells each swipe for about $12, according to Dell SecureWorks. Harry the Hacker and Phishing Phil will get $4 to $8 a card on the black market. The person who buys the information verifies it and then sells it to a person who creates fraudulent credit cards with your account information attached to it. The card maker then sells it to other criminals who buy goods such as stereos or baby formula and sells them to regular consumers.
Avoid public computers. Don’t log on to your email if your bank corresponds with you there. Urban suggests setting up an email account just for your finances and checking it from safe locations.
Avoid doing business with unfamiliar online vendors, Noonan says. Stick to established merchants and websites.
If your information has been compromised, notify your financial institutions and local law enforcement. Also notify any of the 3 major credit reporting agencies — Experian, Equifax and TransUnion — to set up a fraud alert on your credit reports.