Today as I filled up, I noticed that they changed my BP / Arco pump kiosk’s payment instructions, probably as a result of the Hotea Arco skimming case a few years back. With the recent commentary on skimming David Harley provided, I thought a picture of anti-skimming advice might speak a thousand words – or at least a few dozen words. It now reads:

  1. Be aware of someone loitering while you use your card.
  2. Never accept assistance with your card/PIN.
  3. Report suspicious activity to store staff.
  4. Before using your card, check for:
     - Loose card reader – report it
     - Loose key pad – report it

And yes, I did manage to realize that the money in my photo was turned the wrong way. :) These tips are solid, although I am skeptical about what the minimum-wage clerk behind the glass cage may actually do about these issues; at least by reporting it to them, you’ve performed your civic duty. If I had the time, I might actually call the police department rather than report it inside, but that’s up to you.

What I recommend: No Debit, No Way!

Don’t use a debit card, period. Even if there is no physical skimmer, a compromised wireless network (as in the TJX breach) could still make you a victim. I see it as too much personal risk to take on just to spare the merchant a VISA surcharge or to save a dime a gallon.

In particular, don’t use the debit card functionality on a BUSINESS bank account. As I’ve blogged about previously, money lost from a consumer checking account can be reported up to sixty days later. With business accounts, you often have less than 48 hours, and your rights depend upon the bank’s interpretation of the applicable UCC section. Again, really not worth the risk.

Option Two: Cutout Accounts Mitigate Your Debit Risk!

If you violate rule number one of no debit, no way, then at least use a card drawn on a separate bank account. In the criminal and intelligence world, this arrangement is known to some as a ‘cutout’: a quick fix that lowers the risk if the card data is intercepted. It isolates the immediate damage that can be done and mitigates your risk so your mortgage or rent check never bounces.

  1. Personal checking accounts are often free with direct deposit, so splitting a percentage of your paycheck should be as easy as filling out the form with your Human Resources department. For instance, most security specialists here at ESET I’ve polled have multiple accounts and state that the dual card-carrying is well worth it.
  2. Additionally, banks that offer notification through multiple channels are becoming more and more the norm. If you’re seeking a new account, check for the ability to be notified of transactions by SMS text, email, or both – out-of-band notification of transactions is always recommended to SOeC session attendees by presenter Brandon Stigers.

Option Three: Go Inside

By running your transaction inside, you run less risk of skimming than at an unattended kiosk; however, network compromise is still a risk factor. Besides, you can pick up that pack of smokes or your favorite fountain drink and also get cash back. :)

Option Four: Use A Loyalty Card

By using gas-station-specific charge cards, you reduce your exposure to widespread carding theft. The cybercriminal in Romania or Vietnam will not likely have a local branded gas station where he or she could use your information, and will choose to filter out the useless card data that is intercepted.

At the station where this sign is located, BP / Arco have created a debit-to-debit card account. I’m still researching this further to find out exactly how it might work should it be compromised; however, this mixes the cutout philosophy with the station loyalty program. [UPDATE: 14:37 PST] I’m not sold on this debit-to-debit business, so use it at your own risk.

Summing up: make them work harder to sell your account information. Follow these tips and you’ll harden the target with very little effort.

Securing Our eCity Contributing Writer

debit carding sale June 21 2010 ESET CTAC