It’s easy to tell when your physical plastic credit card is lost or stolen. It’s simply not in your wallet, and you can’t find it when you need it.
But it’s far less straightforward to identify when the digital information pertaining to that credit card — like your name, credit card number, and expiration date — gets exposed as the result of a cyberattack or data breach.
Hackers specialize in gaining access to other people’s systems to steal data they don’t own. Depending on the specific data they’re after and their preferred way of getting it, cyberthieves can make life far more difficult for you while they turn a profit. Identity theft is notoriously time-consuming and bureaucratic to clean up, and loans taken out in someone else’s name have legal ramifications all their own.
The damage is especially pronounced when credit card data is stolen. Bad actors can easily use that data to make online purchases with a victim’s name, card number, and billing ZIP code.
That stolen data might also be used to illegally clone credit cards. Thieves can reprogram swipeable gift cards or prepaid cards to behave like genuine credit cards by replacing the data stored on the magnetic stripe. When the cloned card is swiped, the transaction processes just as it would if you had swiped the actual credit card.
They could also just sell the information — credit card data has raw value as a black-market asset. It can be sold for between $5 and $100, depending on the amount of information accompanying each record. The more information a thief can offer per entry, the more valuable the haul of stolen data is. You can imagine that credit card data comes at a premium when it’s accompanied by your name, address, mother’s maiden name, and three-digit security code from the back of your card. It becomes more valuable in the aggregate.
So, the incentives are clear: bad guys want credit card information because it represents economic power, whether that information is sold for money or credit is illegally harnessed to some end purpose. But how do they gather credit card numbers in the first place?
They use a variety of methods to do this damage, and below we peel back the layers on some of the most common ones so you can learn from them. By shining a light on how these tactics work, you can better take the steps needed to keep yourself, your employees, and your business safe from people specifically seeking to harm you.
The term “skimmer” refers to a small device that fits inside of places you might ordinarily swipe your credit card — the ATM, the self-checkout machine — and harvests new credit card numbers with each swipe. These devices are put there by the bad guys, of course, then later retrieved (or the information is wirelessly transmitted) in order to provide a steady trickle of valid credit card information. They either use that data for themselves or sell it.
Skimming isn’t necessarily a silent, passive attack that depends only on nobody noticing the device. Criminals might recruit waiters or cashiers who legitimately swipe a card to pay for the customer’s meal, then skim the same card on a separate device when the customer isn’t looking. There is still a human element to skimming.
Installing malware on your computer, tablet, or smartphone
Hackers dream of installing software on other people’s devices that lets them take control of the device or otherwise access its data. This category of malware proliferates online, waiting in an email attachment for someone to download and install it, thinking it’s an ordinary software update. Instead, the malware becomes the secret door cybercriminals use to enter your computer systems.
The most invasive malware goes so far as to take screenshots of what you’re doing on your computer, record every keystroke, and send all of that information to the attacker. Using software to gain this kind of surveillance edge over someone’s information is a direct contributor to stolen credit card numbers.
Phishing is a type of attack that engineers a situation in which people willingly give up their passwords, credit card numbers, or other sensitive data. Instead of hacking a computer, these cybercriminals are figuratively hacking people.
They do it by presenting themselves as someone else entirely, even as an existing business entity the victim already has a relationship with. They use crafty emails that might look like something familiar and ordinary (“Your Bank of America account is vulnerable to attack, check your password with this special tool”), but informed technology consumers know that there’s exactly nothing ordinary about this kind of email.
Rather than depend on a complicated technical scheme to gain desired access to an account or someone’s information, hackers can simply trick you into giving them the information they’re looking for.
Stealing data from other businesses
Multiple versions of each of us exist as fragmented bundles of data on different company servers. Just because your own devices weren’t compromised doesn’t mean an e-commerce site you bought a single item from won’t end up leaking your credit card number onto the internet.
Different businesses store and process different kinds of data about their customers, but credit card details are a fairly fundamental part of it. All it takes is for a third party’s IT infrastructure to be less than bulletproof for a cybercriminal to notice. Before long, another batch of personal information is exposed online.
Furthermore, businesses aren’t necessarily required to tell affected customers when their information has been stolen from company servers. Few companies want to own up to the definitely expensive (and potentially game-ending) process of righting a digital wrong at the scale of compensating some number of affected users. These events carry massive costs, both in money and in public image.
If the law doesn’t compel businesses to inform customers when their data is breached, no business will volunteer for that hardship.
Old-fashioned dumpster diving
Though talk of “dumpster diving” is usually associated with scoring fresh food and free knickknacks from the garbage, criminals might also do it to collect data on their victims. Instead of hunting for ripe produce, these thieves are after your sensitive data as it appears on paper.
Although it seems there are more screens than ever before, paper gets quite a bit of use. The United States Post Office delivers more than 187 million pieces of first-class mail per day and contained on that paper is information like you wouldn’t believe. Bad guys may be motivated to go through the trash can at your home or your office on the theory that they’ll uncover valuable personal information, up to and including your credit card number.
The solution here is well known: get a shredder and use it. Let it be your best tool for nullifying whatever someone might gain by going through your trash. Unshredded paper is easily read, but shredding it makes it much harder to tell what kind of information someone is looking at. If the paper isn’t destroyed, the information isn’t destroyed. Shredding mail just isn’t as common as it should be.
With these offensive tactics illuminated, it’s now easier for you to set up a more defensive cybersecurity posture as your individual situation calls for. Data doesn’t exist as a physical object, so it’s not always easy to think about protecting something you can’t see and that weighs nothing. But a window into how the bad guys think about this should make it easier for the good guys to protect and defend themselves.
John Shin is the Managing Director at RSI Security and has 18 years of leadership, management and Information Technology experience. He is a Certified Information Systems Security Professional, CISM, and Project Management Professional (PMP).