Byron Acohido, USA TODAY
Jeff Hall directs the information-security practice at tax and risk consultancy McGladrey. He has more than 30 years of experience assisting companies of all sizes with information-security issues. In an interview with USA TODAY, Hall confirmed that ATM fraud using counterfeit debit cards and stolen personal identification numbers is occurring more often than the general public realizes. And he outlined what companies and consumers should do about it.
Q: To what extent are data thieves in the hunt for payment registers in department stores, supermarkets, professional services offices - anywhere payment checkout terminals are used and not closely guarded?
A: Criminals are scouting vulnerable venues. We are aware of a number of private instances where payment terminals and point-of-sales registers have been tampered with to obtain credit card and other data. The concern extends to data networks, medical devices, automobiles, TV sets - essentially any electronic device. All electronic devices today run some sort of operating system. As such, they can all be misused if the right person can insert themselves into the process at the right point.
Q: Why are they increasingly focusing on debit card mag stripe data, account numbers and PINs?
A: Debit cards are tied directly to someone's bank account. As a result, there is typically a high likelihood of tapping into a large amount of cash quickly. Mag stripe data is fairly easy to come by. If you have complete mag stripe data with a PIN, you can completely impersonate the real card.
Q: What can or should retailers, doctors' offices and others be doing to mitigate this threat?
A: Only contract with a reliable terminal supplier. Organizations should ask a supplier of terminals what they do to ensure terminals do not get tampered with. Also, lock down terminals. Terminals that are not locked down are easy to quickly swap out with a doctored unit. And monitor your devices and your network. If a credit card terminal or POS gets unplugged from a network, the network should generate an alert.
Q: What should consumers do?
A: Consumers should use credit cards and stop using debit cards. However, that means consumers will need to be diligent in paying off the balance of their cards every month. Debit cards are risky because the government has not put the same loss restrictions on them that they have for credit cards. Consumer groups have been lobbying for these types of restrictions for the last few years, but that is likely to come to an end in the next year or two as state governments and/or the federal government respond.