Data Theft: Protecting Your Data From Physical Theft
In 2018, credit and debit card fraud resulted in losses of nearly $28 billion
Skimming & Shimming
A single stolen credit or debit card number sells for $5 on the dark web — add bank account info and the value triples
How It Works: Scammers collect payment card data to create a spoofed card
Skimmers
Device is attached over the card reader on an ATM or gas pump
When a customer slides their card, the magstripe data is copied
Shimmers
Thin device slips inside a card reader slot to collect chip data
Can only copy limited data — the same card info as magstripe skimmers
Surveillance
A skimmer or shimmer alone won’t get scammers the data they need
A hidden camera or number pad overlay is often used to collect PINs in addition to card data
Getting More Extreme: In 2013, two entirely fake ATMs were found in Brazil, installed on top of existing machines
Consisted of a disassembled laptop and card reader — Complete with a display, PIN pad, and a 3G connection to collect the harvested data
Protecting Your Card Data
Look For Red Flags: Loose pieces, mismatched materials, or obscured markings could be a sign the device has been tampered with
Choose The Right ATM: Go to a busy street or indoor ATM for greater security
Hide Your PIN: Cover the keypad with your hand to keep a hidden camera from capturing your PIN
Watch For Fraud Alerts: If your bank reaches out about potential fraud, responding quickly is the best way to protect yourself
Will Chip Cards Stop Skimmers?
From 2015 to 2018 merchants who switched to chip readers saw a 76% drop in counterfeit payments — Nationwide, counterfeit payments dropped by 49%.
In 2019, 99% of U.S. payments were made on chip cards — Less than 5% of Americans are concerned about the security of their chip card. Chip cards can be hacked, but it’s much harder to collect chip data en masse than skimming magstripes — and therefore less profitable.
Even with a shimmer, scammers can only recreate a magstripe card NOT a chip card.
By October 2020 all brick-and-mortar merchants will be required to use chip transactions — or be liable for any fraud that results.
Without a chip, skimmed cards are mostly limited to card-not-present (CNP) transactions
BUT, skimmed cards also lack a CVV2 — making them unusable in many online stores
AND financial institutions are constantly improving fraud detection
Not All Chips Are Equal: In the U.S., chip cards offer more security, but they’re still not as secure as the chip-and-PIN authentication used throughout Europe — Only a few card issuers in the U.S. offer chip-and-PIN cards.
Accidental loss and device theft are the biggest physical threats to your data — In 2017, nearly 1 in 5 data security incidents involved device theft or loss.
Device Loss & Theft
How It Works:
25% of laptops are stolen from the office or a car
Another 14% are lost in airports or on airplanes
Less than 0.005% are recovered
Laptop theft costs businesses more than 8X more than just replacing the device
Mobile devices store sensitive data like passwords and account numbers
If a device is lost or stolen, thieves can easily gain access to that data
In 2006, a laptop and external hard drive were stolen from the home of a Veterans Affairs employee — giving thieves access to unencrypted private data
26.5 million names, social security numbers, and birthdates
2.6 million disability ratings — including health information
How To Protect Your Devices
- Physically secure your laptop
  - Keep laptops in a locked office or use a cable lock
  - Don’t leave your devices unattended
- Secure your sensitive data
  - Always use a password and lock screen
  - Don’t store sensitive data on mobile devices
- Keep unused connections turned off
  - Turn off Bluetooth and WiFi when not using them
  - Don’t set your device to be discoverable
Securing Your Data After Loss Or Theft
- After your phone goes missing, you can still act to secure your data
  - Use “Find my phone” to locate the device
  - If you can’t recover it quickly, remotely wipe the drive
- Assume your accounts and passwords are compromised
  - Log in to your accounts and change all passwords stored on that device
  - Contact your financial institutions to alert them to possible fraud
- Report the loss to the police — even if your device can’t be recovered, a police report will help if you need to dispute fraudulent charges
The Future Of Physical Data Security
A New Threat: “Juice Jacking”
Criminals can load malware onto USB charging stations and cables left in public places — locking your device or sending data and passwords to the scammer
While security professionals have demonstrated the threat is real, there’s no evidence it has become widespread
What You Can Do:
Opt for an A/C adapter instead of public USB chargers
Watch for pop-ups asking if your connection is secure — these indicate the charger you’re using can transfer more than just power
Advanced Security
Contactless Payments
In 2018, 40% of Visa transactions in the U.S. were contactless
These services tokenize your payment data so skimmers can’t get any reusable data
Apple Pay, Samsung Pay, Android Pay
SmartMetric Credit Card
Requires the cardholder’s fingerprint to use chip, magstripe, or contactless payments — So no one else can use your card
Offers no additional protections against skimming or fraudulent CNP transactions
USB Hard Drives
If you need secure and mobile storage for sensitive data, try a flash drive or external hard drive with advanced encryption
Advanced security features include PIN protection, fingerprint scanners, and tamper-evident construction
As data security grows more advanced, so do scammers — Act quickly to protect your data