By Robert Beckstead

We're welcoming the cold to Utah and with it comes holiday shopping. Although, I don't participate in the "black Friday" tradition, I remember in the years gone by, many trips to the mall and other local stores to purchase gifts. The internet has changed that to a degree in recent times, and the majority of my shopping happens online.

When making purchases in person, there is risk that the individual takes your check (if you still use those) and takes your bank account information to commit check fraud. There is also the risk that they take your debit card (DC)/credit card (CC) and copy the information onto a machine and then use it later make purchases with - this can also happen at an ATM/gas-pump/point-of-sale (POS) machines (the ones where you swipe at the register, your table, or the server takes your card at a restaurant) where a device is placed over the original card reader. Check fraud is less prevalent due to the general populous using DC/CC more frequently and/or checks not being taken. Therefore, I would like to focus more on DC/CC fraud both in person and online.

Physical DC/CC skimmers are made to look like the devices you would normally see at places where DC/CC payments are taken, some of which I mentioned above. They are meant to make you think you are conducting a legitimate transaction, which you are. But at the same time, your DC/CC information is being stolen (or, skimmed). For a collection of articles and pictures on DC/CC skimmers, a simple internet search will provide you with a number of them. May I provide a few results of my search here - and there are many:

Krebs On Security

PCMag.com

Snopes.com

MarketWatch.com

Some quick things to note as red flags (the old adage of "trust your gut" applies in all cases):

  • The device protrudes, moves when pressure is applied, or is placed in an unfamiliar/different position;
  • There are wires that are visible;
  • There is a sticky substance around the keypad, card slot, and/or camera;
  • The keypad seems raised or out-of-place;
  • Cameras are pointing down toward the pin keypad versus out toward the person; and,
  • There are items on the exterior of the ATM, gas-pump, etc that look out of place, or that they would be an extra, or odd component.

Online, there are more subversive ways that folks put "skimmers" on the top of websites. This is generally done with a process called cross-site scripting (XSS) (https://en.wikipedia.org/wiki/Cross-site_scripting) where a link to a malicious/imitation webpage is inserted into a link on another legitimate webpage in order to direct the individual clicking on the link to a webpage that looks like the one they intended to go to by clicking the link. You would then be shown a website that will try to trick you into putting your login, payment, or other sensitive information into the malicious/imitation webpage, and therefore give it to a thief.

Most internet browsers (Internet Explorer, MS Edge, Google Chrome, Mozilla Firefox, etc) are providing good XSS protection. However, there are some things you can do to recognize XSS and prevent your information from being stolen:

  • Ignore pop-up ads;
  • "X"-out of pop-up messages that prompt you to install something while browsing;
  • Promptly exit webpages that you get to by clicking on a link and the new webpage asks you to re-enter your passwords, or other sensitive information;
  • Be leery of offers that seem too good to be true and don't navigate to those link - this is an especially popular method used in blogs and social-media message boards (e.g. Facebook, Twitter, LinkedIn, etc.);
  • Navigate to websites that you enter payment information directly by typing the URL/web-address into your internet browser, rather than using a link in a website, in an email, or on a message board/social-media site;
  • Don't scan QR codes placed over legitimate QR codes in the real world (e.g. QR code stickers applied to posters); and,
  • Update your computer software and anti-virus software regularly.

Robert Beckstead is the Information Technology Security Officer at Bank of Utah. He comes to the Bank with experience managing information and IT security programs at various federal agencies. In addition to multiple professional certifications, he has an MBA with an emphasis in Information Assurance from Idaho State University.