During a recent visit to Singapore my debit card was skimmed and almost $500 extracted from my account. It's a common enough occurrence but with a little more diligence on my part it might never have happened.
I'd made three transactions using my Citibank Visa debit card. The first was at the rooftop bar of the Marina Bay Sands where I paid for cocktails. The barman took my card away and came back a minute later with a keypad asking me to key in my PIN number. The other two transactions were at Singapore Airport next morning, where I used the same card to pay for purchases at a chemist shop and also a coffee bar. I'd normally pay cash for these small buys but I'd just used the last of my Singapore currency to pay for a taxi to the airport.
At one of these three transactions my card details were skimmed. Skimmers are card readers that harvest the data from the card's magnetic stripe. A skimmer can either be incorporated into an existing legitimate card reader or be a separate device that a salesperson uses to swipe the card a second time, out of sight of the cardholder.
The other vital ingredient is your PIN, obtained by a hidden camera, by inserting a pressure sensitive pad beneath the keypad or by a careful pair of eyes. In my case, I keyed in my PIN while the keypad was resting on the counter, and the cashier could have seen me doing it.
Slightly more paranoia-inducing, a fraudster with a FLIR ONE Thermal Imager equipped smartphone can capture the thermal signature that your fingers leave behind on a keypad. All the PIN thief has to do is hover their FLIR ONE equipped smartphone over the keypad on which you've just tapped your PIN and bingo – the thermal image reveals which numbers you pressed. Not only are the numbers revealed but the different colours on the image show the order in which they were pressed. The device can be bought for about $400 in Australia, about $100 less on Amazon.
A thief only has to download the information collected from the skimmer and imprint that onto a fake card, key in your PIN and visit an ATM or pay for merchandise and your account says "hello friend" and pops open like a jack-in-the-box.
After Singapore I departed on a cruise and it was only a few weeks later, back in Sydney, when a withdrawal was declined, that I realised things were not right. I checked my account online and there were four unauthorised withdrawals at the Hotel Ibis Menteng in Jakarta. The first was for $49.44, followed by three more for $148.31 each, all on the same day. At the end of that spree my available funds had shrunk to just $29.08.
I'd become a contributing member of a US$16 billion global industry. That's the figure for worldwide credit card fraud in 2014, the most recent available figures, and more than BHP's net profit for the same year.
When I reported the theft to Citibank at the end of December I was told it could take up to two months to reach a verdict. Less than two weeks later all the missing funds were restored to my account.
Wherever my card was skimmed it probably required help from the inside. The thief needs to get hold of the information and that usually requires someone to physically collect the data. What happens is the person at the point-of-sale is paid a commission, typically between $10 and $50, for every card skimmed. There are also skimming devices with wireless capabilities. Once installed, the crook can retrieve the information on a smartphone from a couple of hundred metres away.
The newer-technology chip-and-PIN cards are more secure, but these cards also have a magnetic stripe to make them backwards compatible with older-tech systems that can't read the chip. If you're asked to swipe a chip-and-PIN card through a reader you're cancelling out any security advantage that the card offers.
It's a wake-up call, and I won't be quite such an easy mark in future. There are five simple protocols I'm adopting anytime any card leaves my wallet.
1. Never again will I allow anyone to walk away with my card.
2. Most of us have learned to cover the keypad with one hand when we punch in our PIN at an ATM. We're much less likely to do that when we do the same in a restaurant, a shop or a bar. I'm now covering up whenever I tap in my PIN.
3. I'm going to be a lot more diligent about who might be around when I use my card.
4. When I enter my PIN I'm also going to rest my fingers on random keys, leaving behind a scrambled heat signature for any scammer who might be using a thermal imaging device.
5. I'm limiting the debit and credit transactions I make overseas to major purchases only. From now on, cash is king.