
Bank Cards – Learn How to Protect Them

To talk about bank cards, such as debit and credit cards, is to talk about something very enticing in the world of crime.

These are some of the attacks perpetrated on bank cards that are important to know about and that we will address in this article, providing the necessary details so that you can protect yourself against them:

  • The theft of bank card data, which allows a malicious agent to make payments with them, can be carried out by observing the physical cards or by compromising platforms where you have used the cards and that store your data for more convenient use in future payments;
  • Recent contactless technologies that allow a criminal to bring a payment terminal close to your pocket to make an unauthorized payment, as payments up to a certain amount do not require a PIN, or to copy the data from your bank cards;
  • The cloning of bank cards at ATMs and gas station pumps, using concealed technology;
  • Among others.

Knowing the existing vulnerabilities is essential so you can protect your accounts from unauthorized card payments.

The Evolution of Payments with Bank Cards

The first bank cards appeared in the 1950s. In the United States, the Diners Club launched the first multipurpose credit card, made of paper, which allowed consumers to make purchases within a limited network of establishments.

A few years later, in 1958, American Express and BankAmericard (now Visa) launched their own bank cards.

In 1966, Master Charge (now Mastercard) was introduced.

Learn about the main types of bank cards used today, as well as the most modern ways of making payments.

Magnetic stripe bank cards

Magnetic stripe cards, developed by IBM in 1969, store static information that is read at the Point-of-Sale (POS). Because they do not use encryption and the information never changes, they can be easily read and copied onto a blank card by anyone with a magnetic stripe reader, allowing them to be used for unauthorized payments without the consumer’s consent.

Magnetic stripe bank card

Contact EMV chip bank cards

EMV chip cards (Europay, Mastercard, and Visa) began development in 1994. The first EMV chip cards were launched in Europe in 1996, with global adoption taking place in 2000. They require physical insertion into a payment terminal to complete a transaction and use encryption to generate a unique code for each transaction, known as a cryptogram, which is validated by the bank. Because this code can only be used once, it makes cloning more complex, thus making EMV chip cards safer to use than magnetic stripe cards.

EMV chip bank card

However, despite being considered more secure than magnetic stripe cards, EMV chip cards are not completely immune, as several attacks are known. Therefore, it is necessary to remain vigilant and not lower one’s defenses.

Contactless EMV chip bank cards

Contactless EMV chip cards utilize Near-Field Communication (NFC) technology, making them more convenient to use and somewhat more secure because they do not need to be inserted into payment terminals.

Contactless payment with bank card

However, to maximize their security, it’s important to store them properly in wallets or card holders with RFID-blocking technology, as otherwise they are susceptible to having their data read without your knowledge. We’ll discuss this type of wallet further below.

Mobile devices

Contactless payments (NFC payments)

Paying with mobile devices such as smartphones, tablets, and smartwatches using contactless NFC technology has made payments even more convenient, as we typically have our mobile phones closer at hand than our bank cards.

Contactless payment with smartphone

In this type of payment, it should be ensured that biometric authentication is requested for each transaction to prevent unauthorized payments from being executed.

Digital wallets, also known as e-wallets

Digital wallets, such as Apple Pay and Google Pay, are even more convenient because they allow both in-person (via NFC) and online payments through the same application.

These transactions should also be protected with biometric authentication, ensuring that unauthorized payments are not made.

QR Codes

Payment made by scanning a QR code

The use of QR codes for making payments is seeing widespread adoption, especially due to its simplicity, as there is no tapping or touching involved, just the scanning of a QR code.

Physical protection

Store your bank cards securely

For the past few years, banks have been providing contactless cards equipped with NFC technology, allowing you to tap the card on the payment terminal instead of inserting it and entering a PIN.

Indeed, this has simplified payments, but it has also brought a concern that many have experienced: if someone brings an electronic payment terminal close to your pocket where your wallet is, money can be withdrawn from your account without you even realizing it!

In other words, pickpockets have found it somewhat easier now because instead of risking being caught taking a wallet from a pocket, they just need the right moment to bring a device close. If the payment is below a certain amount, no PIN is even required.

Another vulnerability is the copying of card data through proximity as well.

To prevent this, you should buy an anti-RFID wallet, which blocks electromagnetic fields, thus inhibiting this trick. There are several options available on the market to suit different tastes and budgets.

Your bank card should be physically non-transmittable

The most important aspect to remember is that your card contains information such as the number, expiration date, and security code (CVV). With these three pieces of information, a malicious person can make online payments using your card.

Considering this information, think twice before handing your card to anyone.

Sometimes store employees hold out their hand for our card when it’s time to use the payment terminal, intending to insert the card themselves. Even if the security code is intentionally not on the same side as the card number and expiration date, there’s no reason to hand your card to anyone instead of inserting it into the terminal yourself.

The same situation occurs when bank employees ask for your card to access your account number for any banking transaction. Despite these employees having access to sensitive details of your account as part of their duties, there is no justification for them to ask for your card. Refuse to hand it over and provide them with your account number instead. Alternatively, the bank can look up your account number from your identification.

Here are some of the problems that can occur when you hand your card to other people:

  • Card cloning – the store or bank employee can discreetly clone your card with a specialized device;
  • Exposure of card data – the employee can observe and even copy your card data, enabling them to make online payments;
  • Lack of transaction control – in stores where you are making payments, by not personally inserting the card into the terminal, you lose control over the transaction. For example, you may not be aware of the amount being charged to you.

Pay attention to where you insert your bank card

ATMs are often targeted for skimming

Automated Teller Machines (ATMs), as well as card readers at gas station pumps, are frequent targets of disguised technology that captures debit and credit card data without customers suspecting. Before they realize it, hundreds or even thousands of dollars have been stolen from their accounts.

ATMs, many of which are available outside banks and in other locations, are a convenient way to withdraw money and perform other banking transactions without needing to go to the bank and wait to be assisted by a bank employee.

Gas stations, especially newer ones, have card readers right at the pumps themselves, allowing customers to pay for fuel right there instead of needing to go inside to the attendant at the counter within the gas station building.

Despite all this convenience, these devices often lack the same level of surveillance as those inside banks, making them easy targets for criminals. Card cloning technologies and skimming devices are very similar to legitimate ones. Some store data internally, requiring criminals to return to retrieve it, while others can transmit data in real-time via mobile data, wireless connections, or Bluetooth.

Follow these tips to detect these fake devices and avoid falling into these traps:

  1. Pull on the keypad and card reader to check if they detach easily.
  2. Pay attention to the spelling of the text on the equipment. Just as often happens in email phishing attempts, many criminals do not master the English language, and spelling errors are often a sign that something abnormal is going on.
  3. If errors occur after inserting your card and PIN, they may indicate that something abnormal is happening and that a criminal may have already obtained your data.

In addition to these points that can help you detect these mechanisms, there are other ways to avoid falling into these traps, such as:

  • Use cash whenever possible.
  • Regularly check your card transactions.
  • Avoid ATMs outside of banks.
  • Always cover the keypad as best as you can when entering your PIN. Some schemes involve installing mini cameras aimed at the keypad to capture the PIN you enter. While this won’t prevent your card data from being copied and used with a cloned card at payment machines, it will make it difficult for criminals to empty your bank account because they won’t have your PIN.

Therefore, it is of utmost importance that these devices have anti-tampering technology to prevent the application of these disguises.

These attacks are known as skimming when carried out against magnetic stripe bank cards, and shimming when the targeted bank cards have EMV chips.

Skimming

Skimming is an older attack method primarily targeted at magnetic stripe cards, which involves reading data using a card reader. As the information is static, never changing, and encryption is not used, it is easy to clone these cards.

Shimming

Shimming is an attack similar to skimming but that targets EMV chip bank cards. It’s a less common and less effective attack because while skimming allows for cloning of magnetic stripe bank cards, shimming captures some data from the EMV chip but cannot generate the unique cryptogram used in each transaction. This cryptogram cannot be reused, so shimming cannot create a functional copy of an EMV chip card. However, shimmers can be used in transactions where only static data is required, such as magnetic stripe transactions, if the merchant’s security system is weak.

It should also be noted that shimming devices are harder to identify because they require disassembling the equipment where they are inserted.
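The difference between static stripe data and a per-transaction cryptogram can be shown with a small model. This is an added example, not part of the original article: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the names `Issuer`, `ChipCard`, `authorize_static` and the card number are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Simplified model: HMAC-SHA256 stands in for the real EMV cryptogram
# algorithm; Issuer, ChipCard and the field names are illustrative.
def _mac(key, pan, amount, nonce, atc):
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """The key stays inside the chip; a terminal (or shim) never sees it."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, amount, nonce):
        self.atc += 1  # transaction counter: every payment gets a new value
        return {"pan": self.pan, "amount": amount, "nonce": nonce,
                "atc": self.atc,
                "cryptogram": _mac(self._key, self.pan, amount, nonce, self.atc)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def issue(self, pan):
        self.keys[pan], self.last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self.keys[pan])

    def authorize_chip(self, tx):
        expected = _mac(self.keys[tx["pan"]], tx["pan"], tx["amount"],
                        tx["nonce"], tx["atc"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["atc"] <= self.last_atc[tx["pan"]]:
            return "declined: cryptogram already used"
        self.last_atc[tx["pan"]] = tx["atc"]
        return "approved"

    def authorize_static(self, pan):
        # Weak path that checks static data only: a copy looks like the original.
        return "approved" if pan in self.keys else "declined: unknown card"

def demo():
    issuer = Issuer()
    card = issuer.issue("PAN-EXAMPLE-0001")          # constructed card number
    tx = card.pay(1250, secrets.token_hex(4))
    captured = dict(tx)                              # what a shim could record
    return {"genuine": issuer.authorize_chip(tx),
            "replay": issuer.authorize_chip(captured),
            "altered": issuer.authorize_chip({**captured, "amount": 99900}),
            "static_only": issuer.authorize_static(captured["pan"])}
```

Calling `demo()` shows the issuer approving the genuine payment, rejecting both the replayed and the altered copy of the recorded data, and approving on the path that validates static data only, which is why that path is the weak point.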

Secure online payments

Connect to the internet securely

If you’re going to make online purchases and therefore share payment information, do your best to:

  • Use a personal device rather than a public or shared device. This is an important step to help ensure, to some extent, that you are actually visiting the website you intend to visit and that the data you enter there is not intercepted.
  • Use a trusted connection. Avoid public Wi-Fi networks such as those in cafes, airports, hotels, etc. If you must use them, it is recommended to use a trusted Virtual Private Network (VPN).

After taking these steps, it is equally important to ensure that you are connecting to the genuine website. That is, type the service’s address directly into your browser or, if using a search engine, be careful not to click on fake sites posing as the one you intend to visit. It is well known that users are sometimes deceived by a site that closely resembles the one they intend to visit. In these cases, the data entered on the site is sent directly to the malicious individuals who put it online solely to steal your card information. Therefore, in addition to being cautious when clicking on search results, it’s essential to check the website’s address in your browser’s address bar to ensure it’s the legitimate site you intend to visit.

Prefer services that comply with PCI-DSS

No matter how careful you are, when sharing your card details with e-commerce websites, you are exposing yourself to risks beyond your control. If these sites do not take certain precautions, your card information and personal details (such as your name and address) could be accessed by unauthorized individuals.

Being compliant with the Payment Card Industry (PCI) means adhering to security standards outlined in the Payment Card Industry Data Security Standard (PCI-DSS). These standards ensure that companies processing, storing, or transmitting credit card information take necessary measures to secure cardholder data, preventing data breaches, fraud, and unauthorized access.

E-commerce platforms like Shopify and WooCommerce strive to comply with PCI-DSS and have information available on the subject at the following links, respectively:

Use virtual cards

A virtual card is similar to your physical card in many ways, but with some advantages, including:

  • You can create multiple cards – Most services allow you to create multiple virtual cards tailored to your needs. This means, for example, you can have a different card for each service you use or, if you want, for each payment you make.
  • You can specify whether the card is for single use, for multiple purchases, or for recurring payment of a service.
  • You can specify the maximum limit of the card’s value.

In addition to these advantages, you can cancel any virtual card at any time. This means that if you have canceled a subscription to a particular service and want to ensure the cancellation is effective, you can cancel the card. This way, if the service attempts to charge the subscription value, it will not succeed. However, before canceling a card, verify which services are associated with it, as canceling the card will affect all of them.

Conclusion

In summary, it’s important to remember that your card details are highly valuable to criminals, so:

  • Avoid magnetic stripe bank cards, and prefer EMV chip ones as they are more secure. Use NFC payments or QR Codes when possible, preferably configured to require biometric authentication.
  • You should never hand over your physical card to another person.
  • You should never share your physical bank card details (such as the number, expiry date, and security code) in person or over the internet. Instead, use virtual cards with usage limits.
  • You should store your bank cards in RFID-blocking wallets to prevent unauthorized payments by someone touching a payment terminal to your pocket or attempting to read your card data.
  • You should be especially careful at ATMs and fuel station pumps, as these are common targets for concealed technology designed to clone your cards.
  • Make online purchases using your own devices and Internet connections, and be sure to use reputable e-commerce services that comply with PCI-DSS.