Aug 28, 2007

[Security] POS devices still insecure

Joyfulchicken of Chicken Mafia recounts what is purportedly common among Citibank credit card users: fraud.

When the Citibank person asked me if I had used my card yesterday, I just sighed knowingly and said, "No. What is it this time?" Well, someone bought 16,231.50 pesos worth of stuff in Ace Hardware SM Manila using a clone of my card. Whoa, that's around $350. I wonder what the guy bought. 10 of these perhaps?

Anyway, Citibank faxed over a dispute form for me to sign. My card has been canceled, and a new one will be sent to me in a few days. The process is still annoying, but it's relatively painless. It seems that Citibank is getting more and more efficient at handling credit card fraud. I guess they've been getting a lot of practice.

Maybe I share part of the blame for not learning my lesson from four years ago. Last Saturday evening, I foolishly filled up at a random gas station in the middle of nowhere. And now this happens. Hmm, is there a syndicate of credit card-stealing gas station attendants? More evidence that oil companies are vortexes of pure evil....

Well, he's no joyful chicken at the moment. And you will be joining him, if you are not careful.

The Internet Storm Center reports on vulnerabilities and security problems in point-of-sale (POS) devices (PDF of the white paper here). The white paper asserts that while the security risks have been known since Heaven knows when, credit card companies and retailers have been slow to address them, and it criticizes the actions taken as either inadequate or too late.

For now, here are some steps for using credit cards securely:

1. Use credit cards at stores that take several steps in the process. For example, National Bookstore requires the credit card holder to present a valid ID before the transaction is processed. SM Supermarket, SM Department Store, and Music One do not ask for IDs. (If you know retailers who do not demand IDs, list them in the comments.)

2. When paying with a credit card, make sure you can see where it is swiped. That means not using credit cards in restaurants and gasoline stations.

3. Shop using cash. This way, you can stick to your budget.

Why can't they require PINs for credit cards?


  1. tnx for all d tips on dis credit card scams. yeah, citibank is one of d most reliable and efficient card around. Just dont be delinquent in paying ur bills f u know what i mean...

    Oh, not use d card in restaurants? I have d habit of doing this pa naman but in reputable stores only like fastfood shakey's & max chicken... hehehe

  2. Hi, Josh, the reason I recommend not using credit cards in restaurants is that it is very easy for unscrupulous waiters/servers to swipe your card using a portable card reader. You'll never know.

  3. ahem.

    as this is the geeky guide to nearly everything, may I post my two cents' worth?

    the only time I worked at a call center, I was assigned to a credit card fraud ops account.

    there are too many ways of perpetrating credit card fraud these days - as mentioned here, someone may have copied data off the magnetic card. heinell is right in terms of this happening in places where people take your card from you to swipe through their machines.

    there are also lost/stolen cards, cards whose accounts are taken over, accounts that are created under aliases, etc. etc.

    joyfulchicken's experience certainly brought back to mind my work as a fraud analyst before, and cements how I feel about credit cards - I'll always be wary about using them.

    [too bad that one way of having an own domain requires payment via credit card....]

  4. "Why can't they require PINs for credit cards?"

    From what I've heard, the main reason is that upgrading the whole system would cost more than just accepting the current level of credit card fraud. So it's basically a business decision and not a technical one.

    Besides, the "Chip & PIN" system has its own set of security issues.

  5. well this item generated more responses than initially expected - i guess it just goes to show how much credit card fraud concerns us all.

    eternal vigilance is the only key. i like tracking my expenses online and i monitor my card expenses real-time to make sure no surprises come up. if you're going to use them, be ready to protect yourself against such potential losses.