Why Visa and MasterCard Want Smart Card in U.S.

T he word "skimming" brings to mind an idyllic scene - throwing a rock across Golden Pond, perhaps. But in the financial world, skimming has far more sinister consequences, and what makes this image even scarier is that most people don't see it until it's too late.

Exactly what is skimming? It is the illegal copying of personal credit card information located in the magnetic strip on the back of a plastic credit/debit card. It takes only a few seconds while you are innocently paying a bill for the crime to occur. In that short time, the confidential codes stored in the magnetic strip of a legitimate credit card can be illegally copied. In just a few more seconds, that information can be illegally transferred to a counterfeit card.

This relatively new form of fraud cost Australians $3.5 billion last year. In Great Britain, the tab was $1.4 billion. In the U.S., it cost $1.2 billion. And, everywhere, the cost is going up.

"Skimming is the biggest problem in bank fraud today; it's the bank robbery of the future," says Gregory Regan, head of the Secret Service financial crimes division. "It's technically simple, point-and-click technology. And the equipment is cheap. If you skim 15 or 20 accounts, you can generate $50,000 to $60,000 worth of fraud, and nobody is going to even be aware of it until the victims get their bills, 30 to 60 days after the crime. So the odds of the crooks getting caught are reduced."

Skimming is easier than stealing cars or pushing drugs and can be carried out on any scale. Targets have included banks, insurers, telecommunication companies, Internet service providers, government departments and businesses. In fact, no organization or business is exempt from being a target. Wherever there is money or credit involved, there is fraud.

Skimming has been around for more than a decade, but it has increased dramatically in the last three years. The device originally was designed to be used for legitimate business purposes, but, unfortunately, it also is frequently misused for criminal activities.

Last year alone, card fraud increased by 60 percent, and company credit cards, gold cards and purchasing cards were the main victims, according to the Association of Payment Clearing Services (APACS). Meridien Research says online credit card fraud will exceed $9 billion by the end of the year. Federal authorities say skimming has escalated to account for 25 percent of all fraud involving high-tech devices, compared to three percent just a few years ago. Skimming now accounts for about 20 percent of credit card fraud, up from only one percent 10 years ago.

"Every day I get calls from frantic people," says Sgt. Candy Loftus of the Miami-Dade Police Department's economic crimes unit. "There's so much (skimming) going on, we can't keep up with it."

Here is how the scam works:

Criminal gangs recruit stables of servers, paying them for each credit card they steal. The servers then find temporary employment within restaurants, hotels and retail outlets where there is a high rate of employee turnover. The servers are supplied with small, illegal, electronic devices known as "skimmers" that contain a mathematical logarithm necessary to capture all of the customer's credit or debit card information.

When skimmers first appeared a few years ago, they were clunky - as large as a paperback book. They also used AC power and had a memory big enough for only a dozen numbers. But with new technology, skimmers are now the size of a pager and easily can handle more than 300 accounts.

Top-class magnetic stripe readers/writers are sold legally for $1,700 to $2,500. They have a myriad of legitimate uses: encoding club cards, phone cards, travel tickets, security passes, etc. Materials for a home-built reader can cost very little: $75 for a read head, plus the cost of basic circuitry. There is absolutely nothing stopping the bad guys from producing the device locally or getting one on the Internet. As unsuspecting customers pay their bill, their card is first swiped through the legitimate credit card machine but then secretly swiped through the smaller skimmer device. The servers then pass the skimmers onto the counterfeiters, who pay them the equivalent of around $150 per card for their part in the crime. Once the details have been stolen by the counterfeiters, they download the information onto a computer and make up a fake card.

The information itself is not complicated. There are three tracks to each magnetic stripe: Tracks 1 and 3 have a higher density of information, and each carries the cardholder's name, card number, expiration date and additional information for internal bank or credit company use. Track 2 is used for financial transactions and contains only the 16-digit card number. The lower density of information makes it better suited for use on POS terminals and ATM machines. The skimmer records all three tracks and clones them onto a counterfeit card, but the information on Track 2 is vital to the crime.

The fraudulent card is then embossed with the details of the victim's credit card and passed on to gang members who, police say, sell it for $400 to $700, depending on the perceived credit limit. Gold or platinum cards are normally targeted because of their higher credit limit, meaning the bank takes longer to realize there is a problem. Criminals spend, on average, about $3,100 per counterfeit card, typically making large and frequent purchases over a two-day period before discarding the card.

The customer, still in possession of the original card, is none the wiser. In fact, victims might not realize that they have been skimmed until they check their statement at the end of the month. By that time, the criminal has moved on, and the electronic and paper trails are cold.

The latest handheld skimmers let criminals use your credit card soon after you put it back in your wallet. "It is not unusual," says Regan, "to see a card compromised in New York City or Washington and the numbers used overseas in Taiwan, Japan or Europe within 24 to 48 hours."

Merchants are passively complacent: If their POS terminal accepts the card, they accept the sale, believing that they will be paid. The merchant is usually the true (although often overlooked) victim. In the majority of cases, credit card merchant account agreements usually place 100 percent liability on the merchant when fraud occurs in this category of transactions. Criminals have realized that credit cards and the banking industry are easy pickings.

An American Express security official recently placed an urgent call to New York City based Secret Service agent Tim Raymond. Someone in Miami had racked up at least a half-million dollars' worth of fraudulent charges against more than 100 American Express accounts. The cards hadn't been stolen, so they had to be counterfeits - very good ones, because they had zipped past the security screens in the computers of the giant charge-card company.

The bad guys in Florida covered their tracks expertly, but the American Express computers spat out a curious fact: Every one of the victimized cardholders had recently dined at one of two New York restaurants.

In fact, servers at two New York restaurants recently were charged with skimming a total of more than $300,000 from unsuspecting customers.

Last November, a Bloomingdale's shopper in New York paying for sunglasses with a credit card noticed something fishy. The card was swiped twice, once through the store's credit card device and through a store vendor's Palm organizer, which had a skimming device attached to it. Law enforcement authorities often see this ploy at restaurants, where a dishonest waiter or waitress will unobtrusively pull the small device out of his or her pocket, swipe the card and hide it before anyone notices.

An alert restaurant manager recently noticed one of his waitresses remove a small, electronic device from her coat, swipe a credit card through it, then put the device back in her coat. The manager, who had just gotten skimming training from his Visa merchant bank, suspected the employee of wrongdoing and called the local police.

The responding officer confronted the employee and asked to see the pager-like device, which had a green and a red light on the side near the swipe slot. According to the suspect, if she swiped a card and the green light came on, the swipe was successful in capturing the card's magnetic stripe information. If the red light came on, this meant that the magnetic stripe was not captured. If both lights came on at the same time, the device was full to capacity.

The face of the device also had a "kill" switch that, if pushed, would erase the device of all the numbers previously captured. The suspect told police that she recently had taken the job at the restaurant with the sole purpose of skimming credit card numbers. She had worked at the restaurant for only three weeks but already had received a $4,000 payment from a second suspect for the return of a skimmer loaded with credit card account numbers. During the arrest, two skimming devices were recovered.

What can be done? What can a cardholder do to prevent a card from being skimmed? Not much, the experts say. If possible, you should watch waiters and store clerks handle your credit card. You also can check your accounts on the Web or by phone during the month to make sure there are no surprises. But the only sure protection is to pay with old-fashioned cash. And if you carry a lot of money in your wallet, you still have to worry about the old-fashioned kind of robber.

At a Stanford University Law School conference on cybercrime, former Attorney General Janet Reno pleaded for greater cooperation between the private and public sectors. "It seems to me that we all have a common goal - to keep the nation's computer network secure, safe and reliable," Reno told the assembled CEOs and top prosecutors.

On June 13, a House of Representatives subcommittee approved legislation to create a computer network that would link the existing databases of U.S. state and federal banking, securities and insurance regulators in an effort to combat financial fraud.

More than 200 separate state and federal agencies share responsibility for financial regulation in the United States. Allowing them to better exchange disciplinary and enforcement data is intended to make it harder for criminals barred from one industry to simply resurface in another.

"Modern technology and the Internet have created a new frontier for criminals, allowing them to defraud consumers at the mere click of a computer mouse," said Michigan Republican Rep. Mike Rogers, a former FBI special agent and the bill's author. "Our regulators need the same technological tools."

Six major charge-card issuers - American Express, Bank of America, Chase Manhattan Bank, Citibank, Discover and MBNA - have started to fight back by cooperating with the Secret Service to pool information about fraudulent transactions and to generate computer analyses that flag locations where numerous cards may have been skimmed.

The Visa and MasterCard associations, along with American Express, are refining their security programs, called neural networks, to do a better job of spotting suspicious transactions before they are consummated. (If, for example, someone in Hong Kong tries to buy something with a card that was used just two hours earlier in Chicago, the computer will reject the transaction.)

Ron Indeck, director of the Magnetics and Information Science Center at Washington University, has developed a system that will help reduce the latest trend in credit card skimming. Indeck's system, Magneprint, is being tested by MasterCard International in Asia. The credit card company has more than 1 billion cards in circulation with more than 19 million acceptance locations. Using the electronic noise emitted by a magnetic stripe card, Magneprint can detect a counterfeit card.

The industry also is moving forward with its ultimate weapon against skimming. Smart card chips will make credit cards "skimming proof," says Visa, because smart cards are not a "passive" medium and can be authenticated online using secure encryption techniques. They are highly tamper resistant and represent a level of technology that is impenetrable by criminals today and for the near future.

In fact, when France rolled out smart cards, it wiped out most fraud immediately. These were smart card-based credit and debit cards, not the much talked about stored value cards. So maybe there is something in smart cards for the merchant after all.