Tuesday, July 13, 2004

Card Skimming

My bank disabled my banking card over the weekend; apparently, I used it at a location that's under investigation for card skimming. When I first got the call Sunday morning, I thought I'd pegged the compromised automated banking machine, but today the teller told me it could've been any location - including stores - I'd banked at in the last month. (They don't give out the location to avoid compromising the investigation.)

Now, one scheme I've heard of reads the information off the magnetic stripe on your banking card while a camera in the pamphlet holder records you entering your PIN. I learned today that a common scheme ignores the PIN, making a copy of your card and forcing a reset of the PIN with a master PIN, using the same machine you use to change your PIN at your branch. Schneier would love it! Foiled again by a global secret (in all card writers, in this case).

The good news is that so long as I notify the bank within 24 hours of learning my banking card has been lost or stolen, I'm not liable for any of the subsequent charges. Same goes for the scenario where the bank informs me of the compromise, obviously (which is why I still suspect that it was that ABM I used on Friday; the bank disabled the card right away because they knew they'd be footing any bill the skimmers or their friends racked up). Now, this all assumes that I haven't contributed to the compromise (e.g., helpfully writing my PIN on a Post-it stuck to my card, giving my card and PIN to my long-lost Uncle Bob so he can buy some smokes); should the bank be able to prove otherwise, I could be liable for even more than my account balance!
