Tuesday, October 18, 2016

Is it safe to use your credit card at the store?

I've posted before about skimmers, devices that thieves use to steam credit card numbers and debit card PINs.  The thief installs the skimmer on top of the store card swipe terminal.  The skimmer records the card information and PIN and then passes that to the real terminal for processing.  Brian Krebs has had an excellent series on skimmers; the photo below is from his latest post:



Things to look for: at the far right, the skimmer version (on the left) is a lot wider between the card swipe slot and the end of the unit.  On a non-skimmed terminal the picture showing the card being swiped pretty much fills up the entire width.

Another: The logo on the top of the non-skimmed terminal goes from about the top of the unit to the top of the screen.  The skimmed version has a lot more space there, because the skimmer has to be physically larger than the real terminal (to fit over it).

My advice: take a quick look at the terminals before you swipe.  If anything looks unusual, use a credit card (not your debit card).  The credit card company has financial coverage to protect you if your card is used fraudulently, but your bank may or may not cover fraudulent withdrawals using your debit card.

8 comments:

Will said...

A big clue:

there is no longer room for the stylus to fit into its' holding clips on the side of the unit.

Unknown said...

Does the business where the terminals are installed have any responsibility for ensuring that their units have not been tampered with?

Jeffrey Smith said...

I'll add another incentive, although not security related.
(I work on retail.)
If you need to return or get some sort of adjustment on the item you purchased, it can take several days before the bank puts the money back into the account linked to the debit card. Credit refunds are not always immediate, but almost always quicker. If you need to use the debit for whatever reason, at least choose the option to treat it as a credit.

Borepatch said...

Will, that's an excellent point.

Bill, they do, but this is an area that I don't have a lot of confidence in.

Jeff, that's also a good point.

Old NFO said...

Excellent points all! And I've gotten to the point I ONLY use the debit card to get money from the bank directly... sigh

Unknown said...

I just want to add one thing regarding these terminals. There are a fair number of producers of these devices and even in the small town I live in they are different in almost every business not to mention that they seem to be upgraded from time-to-time. As a consumer and therefore a user of these devices how is it that I'm seemingly required to recognize if one of them has been tampered with?
I guess using the credit card function is the best way if I'm going to use them at all -or- I start carrying significant sums of cash on my person and that seems almost as risky.

B said...

Just you a Credit Card and pay it off at the end of the month. Use you Bank issued card *only* at Bank ATM's.

If someone gets my Credit Card number and maxes it out, no big deal. My checking account funds aren't tied up... I have other CC to use while I fight the fraud. If you get my Debit Card and drain my bank account, it is more difficult to deal with.

I NEVER use a debit card anywhere but at my banks ATM.

you shouldn't either.

Rick C said...

It's hard to tell from this picture, but those Ingenico terminals have a pair of read/write heads right smack in the middle of the slot--you can just barely make them out to the right of the model number. If they look a little like the heads on old tape recorders/walkmen, it's because they're basically the same exact thing, and if you look, you'll see one or two in every card reader. Two next to each other means you can put your card in either way, stripe facing left or right; if you only see one, those are the ones where you can sometimes put your card in the wrong way and be told to take it out and re-swipe it.

At any rate, the skimmer has its own head, and it looks like you can just barely see it in the fake machine, at the very top, partly obscured by the red "note how thick this is" bracket added to the picture.

So one thing you can do is look for extra read heads--that would (probably) indicate a hacked terminal.

Next time you're at a store, look in the slot and you'll see what I mean.