Friday, September 24, 2021

Payment fraud facts

There have been a number of social media posts recently on payment card breaches, their origination, and other information not based in facts. The only thing that is accurate in many of these posts is that someone was impacted by a payment card breach or skimming incident somewhere, but everything else is either partially or entirely false.

I’m writing this as someone with more than 20 years experience in the InfoSec space including working for the largest payment card processor in the U.S., participating in multiple payment card breach investigations, and consulting for two of the four major payment networks in the U.S.

As an industry insider, I’ve assembled a few facts and trends that may help shed some light on this rather confusing world of payment fraud.

First, let’s establish this important fact. Here in the good old USA, you have ZERO LIABILITY for fraudulent transactions. There are some exceptions to this, specifically on the Debit side of the house, but for the most part, ZERO LIABILITY. If you have questions on what your liability is, call the number on the back of your credit card and ask them. If you don’t have zero liability, consider switching to one of the hundreds of banks who offer this.

Is a credit card breach a hassle? Yes, but it is not identity theft and it does not mean you are out a bunch of money.

Consider the alternative. You set an envelope containing $200 in down and someone swipes it. That money is gone. You will never get it back. If someone steals and uses your credit/debit card, you call your bank and your money is returned. Carrying and using your cards is much safer than carrying and using cash.

Next, there is no possible way you can know with certainty where your card was stolen unless you physically leave it somewhere. Calling out any local business here is like screaming fire in a crowded theater (and, possibly a violation of Rule #9 on the side bar). Even as a technician working the forensic investigation, finding your card number in a compromised merchant’s files does not guarantee THAT compromise led to the fraudulent use of your card.

Criminals will often sit on batches of cards for a while before using them so they can commit lots of fraud in a short period of time. In addition, it is possible for your card to be used fraudulently, EVEN IF YOU HAVE NEVER USED IT AT A STORE OR ON A WEBSITE. Credit/Debit cards are based on very old technology and cyber criminals are crafty! Even that fancy “new” chip in your card is based on 25+ year old tech and can easily be defeated (but not as easily counterfeited).

The last charge on your card or the last place you used your card is likely NOT the source of the fraud (again, unless you left your physical card there). The compromise could be from weeks or months ago. I would urge everyone here to please use discretion and NOT call out merchants unfairly (which, again, possibly violation of Rule #9). You have no way of knowing they are the source, and the person you are talking to at your bank probably doesn’t know either.

On skimmers, it is becoming far less likely that you or someone who is not a specialist would be able to detect a skimmer. Picking a particular brand of gas pump or ATM to only use your card at is no guarantee.

Stories of false fronts on ATMs or gas pumps still happen. Keep in mind, pulling on these to attempt to remove a skimmer could cause you to break the machine, which is vandalism. ATMs have cameras, and you will be captured pulling on the front of the ATM. The really good criminals have ways of hiding the skimmers so they are not detected from the outside. Go Google Insert Skimmers or read some of the skimming posts on Brian Krebs ( blog.

So, how about some tips? What can you do?

1) Check your statements regularly.
2) Set up your banking/credit card apps to alert you to transactions when they happen or over a certain dollar amount.
3) Understand that by using an electronic payment mechanism, you have zero liability for fraudulent transactions (see your bank for more info). This means debit OR credit.

Branden Williams

Flower Mound, TX

CTG Staff
The Cross Timbers Gazette News Department

Related Articles


Popular This Week