Sure, it’s Not Your Fault – But They Got Your CC Info Anyway

We are well into the summer and for a whole lot of people that means by now you have burned through a whole lot of cash. Just think about it – you’re spending money on stuff to do with your kids because there is no school, you’ll spend more money on stuff to feed your kids because they’re bored. And because there’s no school, you’ll wind up spending even more money on different stuff for your kids to wear, – because ya’ know, there’s no school. And soon it will time to go back to school and you know what that means – Ch-ching! Even more money spent on buying stuff – because there will be school. It sure seems like the summer is when our credit cards become our best friends and our finely tuned budgeting plans fly out the window.

PO.. Whaaa???

But did you know that lurking behind every swipe of your beloved credit card there is a potential danger called POS malware? POS stands for Point of Sales, referring to the credit card machines used by businesses to accept payments for goods and services. Criminals plant malware on the devices themselves that skim information from the magnetic strip on the backs of cards. As the card gets swiped through the device, the data that’s stored on the strip is transmitted for processing.

When the system works properly, untainted by malware, the information is processed and the payment goes through. But there is one critical moment in this process that allows hackers to jump in and steal your data – See, as you might imagine, card data is encrypted as it’s being sent for authorization of payment. But surprisingly, it’s not encrypted while the payment is being processed, a vulnerability that hackers are all too happy to exploit. This is precisely when the malware intercepts the data, and gives those rotten hackers access to your credit card number, expiration date, name of the card holder etc. Pretty bad stuff indeed.

POS malware is stealthy and as such can hang around for a long time unnoticed. This is by design in more ways than one – and the longer it sits undetected, the longer it has to skim info from cards and the bigger the heist.

Now back to the summer. Let’s say you have been working away, while you kids have been lounging around for the last two months. You know what? You deserve a vacation! Wouldn’t you just love to get away for a few days in a nice Marriott? How about a classy Weston Hotel? Starwood? They all sound dreamy, right? Think again – HEI Hotels and resorts, all of which the above are part of, just announced earlier this week that they found a nasty POS hiding on their system which had been sitting undetected as far back as March of this year. According to Reuters, the data of tens of thousands of cards could be at risk.  And earlier this year, Omni Hotels and resorts announced that they were hit with POS malware. Camping, anyone?

The truth is that POS malware can affect any sector, not just the hospitality sector. The massive Target breach back in 2013 that affected over 40 million customers was at least in part carried out via POS malware – even if you never take a vacation, chances are, you have been in a Target at least once.

Where does all that stolen info go?

So just what happens to your data once those baddies have, um, swiped it from you? As you can imagine, some will use it to make purchases with your card. Others looking for a little more action, take their wares to the Dark Web and sell it on forums that specialize in selling stolen credit card data. The hackers will use this data to create clone cards, that look and function exactly as real ones do.

EMV to save the day… Maybe

Back on the light side of things, credit card companies such as EuroPay, Visa and MasterCard (along with some other smaller companies) have created the new appropriately named EMV chip card which aims to cut down on credit card fraud and POS malware incidents. These new cards are decked out with computer chips along with the magnetic strips we all know and love. The new cards are more secure, in theory at least, because as we have seen, hackers can skim the static data from those strips and make those clone cards. But every time an EMV card is used, a new and unique transaction code is created, which can’t be used again, thus making for a more secure transaction.

Sure, this sounds great, but whip out your chip card at many stores and the cashier will look at you like you just fell off the moon. They don’t have the technology in place to use the cards yet, but they “should be upgrading sometime.. Uh… Sometime soon..,right Jim ? We’re doing that chip thing sometime… Soon…” Uh-huh.

What can you do, if anything, about POS malware?

For now, as a consumer, there are a few things you can do to keep yourself safe from POS malware, although understandably, it’s really more dependent on the merchant’s habits than yours:

  • Change your PIN code on a regular basis.
  • Use your EMV chip card wherever and whenever you can if stores have the technology in place, as opposed to the regular magnetic strip.
  • Review your credit card statement on a regular basis to scan for irregularities.

On the other hand, many experts caution people from placing too much faith in the new cards. According to an article in Wired.com, just as hackers found a millisecond with which to exploit traditional POS card readers, so too, it’s just a matter of time before they find a vulnerability with which to exploit the new system. For now though, it seems that they haven’t found it – so perhaps that means that right now, this very second would be the right time to go buy those back to school supplies…and as they say “Hurry in, before time runs out….”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s