A few weeks ago, an American Express security official placed an urgent call to New York City-based Secret Service agent Tim Raymond. Someone in Miami had racked up at least half a million dollars' worth of fraudulent charges against more than 100 American Express accounts. The cards hadn't been stolen, so they had to be counterfeits — very good ones, since they had zipped past the security screens in the computers of the giant charge-card company.
The bad guys in Florida covered their tracks expertly, but the American Express computers spat out a curious fact. Every one of the victimized cardholders had recently dined at one of two New York City restaurants. Raymond and his partners visited one of them, a Brazilian steak house on Central Park South called Plantation, and with the cooperation of the restaurant's mortified owner, they looked around the employee dressing room. There, in an open locker, they spotted the likely culprit: a black box the size of a Palm Pilot, with a slit down the front and bits of Velcro tape on the back. Called a "skimmer," the device can read and store the data embedded within a charge card's magnetic stripe — not only the name, number and expiration date that appear on the card's face but also an invisible, encrypted verification code that is transmitted electronically from merchant to card issuer to confirm a card's validity at the point of sale. By copying that code, the counterfeiter has all the data needed to create a perfect clone of the charge card.
"Skimming is the biggest problem in bank fraud today," says Gregory Regan, head of the Secret Service financial-crimes division. "It's the bank robbery of the future. It's technically simple, point-and-click technology. And the equipment is cheap. If you skim 15 or 20 accounts, you can generate $50,000 to $60,000 worth of fraud, and nobody is going to know about it till the victims get their bills, 30 to 60 days after the crime. So the odds of getting caught are reduced."
American charge-card industry officials are reluctant to say how much they are losing to skimmers — in part because they don't want to scare customers out of using their plastic. An analysis of industry-published figures suggests that skimmers reaped about $125 million last year, but U.S. officials suspect that the number is actually higher. In the U.K., the Association for Payment Clearing Services estimates that skimming accounted for $46 million in fraud in 1999, and last week the trade group warned the British Government that those numbers will climb in the next two years. Much of the plunder goes to international organized crime rings; cards skimmed in Britain are often funneled within hours to outfits in Eastern Europe, the Middle East and Indonesia. Skimming lords commonly bribe employees at gas stations and restaurants to do the dirty work. "They blackmail illegal workers to do it," says Paul Lucraft, deputy general manager for Europay International, "because these people are afraid they'll lose their jobs and be deported."
The earliest illegal skimmers, book-size devices that required AC power, were discovered a few years ago under gas station counters, where there was plenty of room for a laptop computer that stored card numbers and codes. But today's skimmer boom started in early 1999, when electronic gray marketeers started peddling a new generation of miniaturized, battery-powered skimmers with a memory chip that could store data from as many as 300 cards. The new wireless devices, outfitted with their own memory chips, can be secreted in a pocket or hung on a belt like a pager and cost as little as $75 a pop. "The charge-card companies make everything so consumer-friendly that it's very simple to compromise the system," says Joe Russo, supervisor of the charge-card fraud squad for the Secret Service's New York City field office.
In the U.S., six major charge-card issuers — American Express, Bank of America, Chase Manhattan Bank, Citibank, Discover and MBNA — have started to fight back by cooperating with the Secret Service to pool information about fraudulent transactions and to generate computer analyses that flag locations where numerous cards may have been skimmed. British banks and card companies have spent $450 million developing "smart cards" containing memory chips that are almost impossible to duplicate. U.K. banks expect to have the new card technology in place by 2002, and similar smart-card projects are underway in France, Germany and Spain. The major credit-card companies are also refining their security programs, called neural networks, to do a better job of spotting suspicious transactions before they are consummated.
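The location-flagging analysis described above, and the restaurant link the American Express computers turned up, is commonly called common-point-of-purchase analysis. The sketch below is an added example, not code from the article or from any card issuer; the card IDs, merchant names, dates and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (card, merchant, date of a legitimate purchase).
D = date(2000, 5, 10)
TRANSACTIONS = (
    [(f"card{i}", "grocery_B", D) for i in range(1, 13)]
    + [(f"card{i}", "steakhouse_A", D + timedelta(days=i)) for i in range(1, 6)]
    + [("card1", "gas_C", D), ("card6", "gas_C", D), ("card7", "gas_C", D)]
)
# Constructed fraud reports: card -> date of its first fraudulent charge.
FRAUD_REPORTS = {f"card{i}": date(2000, 6, 20) for i in range(1, 5)}

def common_points_of_purchase(transactions, fraud_reports,
                              lookback_days=60, min_cards=3, min_lift=2.0):
    """Flag merchants visited by unusually many cards that were later defrauded."""
    hit = defaultdict(set)   # merchant -> defrauded cards seen there before the fraud
    seen = defaultdict(set)  # merchant -> every card seen there
    all_cards = set()
    window = timedelta(days=lookback_days)
    for card, merchant, day in transactions:
        all_cards.add(card)
        seen[merchant].add(card)
        first_fraud = fraud_reports.get(card)
        # Only visits that precede the fraud, within the lookback window, count.
        if first_fraud and timedelta(0) < first_fraud - day <= window:
            hit[merchant].add(card)
    compromised = all_cards & fraud_reports.keys()
    if not compromised:
        return []
    base_rate = len(compromised) / len(all_cards)
    flagged = []
    for merchant, cards in hit.items():
        # Lift: how over-represented defrauded cards are here versus overall.
        # A busy merchant that everyone visits scores about 1.0 and is ignored.
        lift = (len(cards) / len(seen[merchant])) / base_rate
        if len(cards) >= min_cards and lift >= min_lift:
            flagged.append((merchant, len(cards), round(lift, 2)))
    return sorted(flagged, key=lambda r: (-r[1], -r[2]))

if __name__ == "__main__":
    for merchant, n, lift in common_points_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant}: {n} defrauded cards, lift {lift}")
```

The grocery store is visited by all four defrauded cards yet is not flagged, because every other card shopped there too; only the steak house concentrates them.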
But the card companies are reluctant to spend much money to combat a threat they still regard as relatively small. "I think we have to look at the size of the skimming problem vs. the cost to solve it," says John Shaughnessy, senior vice president of risk management at Visa USA, which estimates that fraud losses from skimming represent less than one-tenth of 1% of total sales.
Individual cardholders are not liable for fraudulent charges made to their accounts by skimmers or other scam artists. But those cardholders can be in for a rude shock when thousands of dollars' worth of purchases suddenly show up on their monthly statements. Card companies urge their customers to read their bills closely and report improper charges promptly. But even if they do, they face the hassle of paperwork and of acquiring new charge cards. And the losses incurred by the charge-card companies eventually get passed along, largely invisibly, to consumers through higher interest rates and card fees. Bilked consumers might be doubly distressed to learn that skimming feeds a sizable chunk of change into the coffers of Asian, Russian, Nigerian and Latin organized-crime cabals.
What can a cardholder do to prevent his card from getting skimmed? Not much, the experts say. If at all possible, you should watch waiters and store clerks handle your credit card. You can also check your accounts on the Web or by phone during the month to make sure there are no surprises. The only sure protection is to pay with old-fashioned cash. But if you carry lots of that in your wallet, you still have to worry about the old-fashioned kind of robber.
— With reporting by Carolina Schwartz/London