Forget TikTok and worry about the security of your wallet
You may, or may not, be worried about how Chinese-owned TikTok uses your private data, but what should worry you more is whether you’re sharing day-to-day credit card data with common fraudsters, some of whom are connected to organized crime.
Increasingly, stolen personal data is traded on the dark web, an encrypted section of the internet not accessible to the general public. On forums there, criminals can buy and sell checks or credit card data, paving the way to full-blown identity theft. I know because after a check of mine, made out to the IRS for thousands of dollars, was stolen and cashed, criminals later tried to file a bogus IRS tax return. The theory of the various local and federal investigators who looked into my case is that after the initial information and cash from the stolen check were in hand, it was combined with other information of mine that was stolen and available on the dark web, possibly from a skimmer event (more on that later) at an ATM, a gas station or elsewhere. And this information as a package was used to build a complete data profile of me.
Of course thieves also often try to contact you directly to steal your money or data, impersonating someone else to persuade you to release sensitive information. A bundle of relentless texts, phone calls and emails from unrecognized senders signaled that I was being targeted.
Fraudulently obtained credit card information is especially useful to such criminals. Secure, the company that sells identity information services to banks, says that there are upwards of 3 million synthetic identity accounts for sale for nefarious dealings. And organized crime is using sophisticated, large data file management tools to build complete composites with data from multiple sources.
The technical ingenuity is impressive.
Some months ago, a cyber crimes investigator at the Washington,
D.C., Metropolitan Police Department laughed when I asked him if it would be a more secure world if we stopped writing checks and used credit cards more. “Check washing is on the rise, but credit card fraud is an epidemic,” were his knowing words. Unlike with a check, fraudsters don’t even need a physical credit card; the data works just fine. In 2021, merchants and cardholders lost roughly $12 billion in the U.S. alone.
One of the favorite sneaky ways to get your credit card data, according to the Baltimore County Police Department and the FBI, is with what’s called a “skimmer” attached to a card reader to collect personal data. Skimming devices have been built with parts from old MP3 players, and 3D printers produce skimmer devices with flawless precision.
They can be installed in 30 seconds or so into a legitimate card reader.
There have been cases where the card reader that’s used to unlock the door of a bank, after-hours for ATM use, is equipped with a skimmer. If whatever card involved requires a PIN, there’s the possibility that once you’re in front of the ATM, a pinhole camera is mounted somewhere surreptitiously to capture that, too. With this information, and maybe some more information about you from other sources, such as a social media account, fraudsters have enough to make purchases without even having possession of your card. Some of the criminals are part of cloning rings to print look-alike credit cards. (By the way, there’s now e-skimming, a malicious code reader that pilfers data from payment websites.)
While the sophistication can be impressive, at least the skimmers are detectable; often with a plastic casing that protrudes from the card-acceptance slot. Still, they often go unnoticed and don’t even interfere with the transaction. Another device, known as a shimmer, is more challenging to detect because it fits — “shimmies” — inside the card reader. They are little more than an integrated circuit printed on a thin plastic sheet that can read the data on a credit card’s chip.
Such chip cards are fast becoming standard in the U.S., and they are better than magnetic strips. They can not be duplicated, but fraudsters can use data from the chip to clone the magnetic strip or use the information in some other way.
So what to do?
It’s hard to beat the flexibility and convenience that bank cards offer. The New York Police Department is working with tech entrepreneurs on an inexpensive anti-fraud tool known as “Skim Reaper,” a thin gadget that can detect if there’s more than one “read head” in a credit card device.
As with any type of scam, being aware matters. Smart thieves often start with innocuous-looking transactions to see if you’re paying attention. Checking your statements regularly is important. Signing up for fraud alerts is easy enough. Over the long term, identity theft protection has given me some peace of mind.
Recent data breaches at UnitedHealth Group or at American Express are particularly troubling. Changing passwords, two-factor authentication, and the various monitoring services available can help. Meanwhile, any data breach or unknown sharing of personal information puts us at risk. The buzz of the day is about TikTok. But the challenge I worry about is more immediate and closer to my wallet than the personal information that TikTok has access to.