If you think the Internet is a scary place for stealing your sensitive bank data, try your local gas station.
The Star Tribune in Malaysia reports that criminals there are increasingly intercepting the transmission of credit card data between the point of sale machines that swipe your card and the bank. This data, incredibly, is being sent in unencrypted text form so all a criminal has to do is ‘wiretap’ the phone line and capture the data — usually onto an MP3 player. All they need to do is find the phone line, either in the outlet’s Main Distribution Frame room, or that of the bank itself and record the gurgling modem sound. A special decoder can then convert that noise into data. Your data.
The banks are finally getting onto this. Malaysia’s central bank has ordered all credit cards in the country to be EMV(Europay/MasterCard/Visa)-compliant by end-2005 (this means smart, and supposedly fraud-proof). But for now, The Star Tribune says, the banking industry is trying to encrypt data. Unfortunately, so far nothing has been agreed on.
At the risk of sounding appalled, I’m appalled. How can such data be transmitted without a modicum of encryption? This means that when we’re typing our credit card number into a web page it’s actually more secure than if we give it to the guy at the gas station or restaurant?
I was never that happy anyway doing the latter, given the prevalence of skimming — where a crooked employee would either double-swipe your card, or swipe it into a separate device that stored your details — but now, it seems, the data is up for grabs even when it’s being transmitted to your bank for verification. Yikes.