Jimmy Atkinson has written to tell us about a series he's involved in at Credit Card Blog “that may interest readers of Identity Weblog. It's the Top Five Credit Card Scams. Each day this week, we're covering a different scam and providing tips to consumers as to how they can protect themselves against identity theft and credit card fraud.”

The site will definitely give you things to think about.  I don't know a lot about  Maybe Jimmy can help us to understand more.

Anyway, here is a sample – the recent posting on “skimming”:

One of the most insidious forms of credit card fraud occurs with a little device known as a skimmer. Skimmers are the size of a pager and can be carried by a scam artist to swipe your credit card and steal the information needed to create a counterfeit card with your name on it. Here’s how it works: You pay at a restaurant or other business and the clerk takes your card. In the back, the clerk swipes your card for the purchase and then swipes it secretly into the skimmer, which records the name and numbers.

The numbers in the skimmer can be downloaded into a computer and emailed anywhere across the globe. They are then used to make fake credit cards that are used by thieves in Europe, Asia, Latin America, and the US. Skimming is responsible for over $1 billion in losses each year.

Skimmers can also be placed on some older ATMs so that when you swipe your own card, the information is stored in the tiny bug and then retrieved at a later date by the scammer. To protect yourself, keep an eye on your credit card bills. Watch for any unusual activity and report it immediately. Also shred all your statements so that the numbers cannot be stolen.

When out and about, keep a close eye on your credit card as well, and report any suspicious activity to the Federal Trade Commission.

It all just shows how hard it is to change an infrastructure once it's in, no matter how many flaws it has. It's the problem of exposing your secret (as happens with North American credit cards) rather than using your secret to prove something. InfoCards give us a way to fix this in the online environment. The payment identity provider does not need to release a long-term credit card number – just a one-time approval (potentially modelled as a credit card number for compatibility purposes).
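The difference between releasing a long-term number and releasing a one-time approval can be shown in a few lines. This is an added example, not part of the original post and not the InfoCard protocol: the `PaymentIdentityProvider` class, its HMAC-based approval format and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

class PaymentIdentityProvider:
    """Hypothetical provider; the long-term account number never leaves it."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # provider-only signing key
        self._pending = {}                   # nonce -> internal account reference

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def approve(self, account: str, merchant: str, amount_cents: int) -> dict:
        """Issue an approval good for one merchant, one amount, one use."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = account
        body = json.dumps({"merchant": merchant, "amount": amount_cents,
                           "nonce": nonce}, sort_keys=True)
        return {"body": body, "tag": self._tag(body)}

    def redeem(self, approval: dict, merchant: str, amount_cents: int) -> bool:
        """Settle once; copied, altered or redirected approvals are refused."""
        if not hmac.compare_digest(self._tag(approval["body"]), approval["tag"]):
            return False  # body was altered or tag was not issued by us
        claims = json.loads(approval["body"])
        if (claims["merchant"], claims["amount"]) != (merchant, amount_cents):
            return False  # presented by another merchant or for another amount
        # pop() enforces single use: a replayed copy finds nothing left to settle
        return self._pending.pop(claims["nonce"], None) is not None

def static_number_accepted(on_file: str, presented: str) -> bool:
    """Legacy model: knowing the long-term number is the whole proof."""
    return hmac.compare_digest(on_file, presented)

def demo() -> dict:
    idp = PaymentIdentityProvider()
    pan = "CONSTRUCTED-PAN-0000"  # constructed placeholder, not a real number
    approval = idp.approve("acct-constructed-001", "restaurant", 4200)
    copied = dict(approval)  # a copy taken at the point of sale
    elsewhere = idp.approve("acct-constructed-001", "restaurant", 4200)
    return {
        "first_use": idp.redeem(approval, "restaurant", 4200),
        "replay_of_copy": idp.redeem(copied, "restaurant", 4200),
        "other_merchant": idp.redeem(elsewhere, "elsewhere", 4200),
        "static_replay": static_number_accepted(pan, pan),
    }
```

A copied approval is worthless after its first use and at any other merchant, while a copied static number is accepted every time it is presented.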


Published by

Kim Cameron

Work on identity.


  1. This also demonstrates the importance – and necessity – of being protected by a multi-layered security system. In the physical world, for instance, it isn't enough to have a sign saying “Beware of the Dog” outside your house, or even to rely on secure bolts on your front door. You need to have alarms and motion-detectors inside the house too, so that if someone manages to bypass the (authentication) measures that you have at the point of entry, they are not free to roam around inside your property and pilfer your belongings.

    In the online world, this involves transaction monitoring and fraud detection – just as we are all used to with our credit card companies, who will alert/contact us if strange activity is detected. A number of banks are deploying this monitoring technique today, and combining it with risk-based authentication technology that means users are seamlessly authenticated and allowed to go about their business until something out of the ordinary takes place.

    This is the balance between security and convenience that is necessary before identity-protection solutions are taken seriously and broadly adopted.

  2. Good luck getting the card providers to do anything about this.
    So far, they don't care.
    Their customers – the card holders – get a little pain when credit card number theft happens, but then they get a piece of joy when their bank tells them “and we're going to refund all the money that was taken from your account” – how wonderful of the bank to make everything better for them!
    Except that the bank does this mainly because it's a legal requirement.
    The banks don't lose a penny – in fact, they make money from the fraud, because they get to reverse the charge back to the vendor, and add the “discount fee” in as well as a $25 chargeback fee. Yes, that's right, without giving the vendor any chance to tell in advance that the credit card has been stolen, the banks charge the vendor $25 for the temerity they exhibit in accepting a credit card that they were assured by the bank is genuine.
    Why would the payment provider change this scheme? They make money, and they look like they're helping the customer by returning their money to them. The customer doesn't care that the money comes from the vendor that was scammed.

  3. Pingback: Vibro.NET
  4. Wouldn't it be easier to make it so phishing is of no use?
    Our system lets the consumer authenticate each and every transaction, or only those above a chosen limit. (and even then the thief won't know the limit)
    It has the distinct advantage that it costs almost nothing and protects the money even if the card and pin are stolen and not noticed or reported.
    Sure it's not free but it is only a fraction of the cost of any other system and it can't be exploited like all those others. Even a key device can be duplicated in minutes while you're in the gym.
    I doubt the banks will want it because they make a profit regardless of how much fraud there is. If there's a brave bank out there we'll do it for your customers for free and guarantee no losses even if the card and pin or logon and password are stolen.
    You can't get a better offer than that, but we have found that the ‘experts’ at the bank who make the decisions see themselves heading for the unemployment line, instead of jetting around to the latest ‘conference’. The big firms are afraid no-one will buy their biometric devices and encryption/key systems so they won't rise to the challenge. We'll probably have to shame them in public, like one of our banks which introduced a ‘new’ security feature which lasted a whole 12 minutes..
    I would mortgage my house and launch a competition like RSA, but unfortunately there is no way to defeat the system without the user co-operating, and it certainly can't be done by a hacker in a remote location or the shoulder surfer behind you.
    I'm beginning to wonder about all those conspiracy theories – especially seeing no-one has actually even said they even thought they could beat it, let alone tried.
    Maybe it just sounds too good to be true.
    It can even be used to prevent identity theft……..
