Bank cards, such as debit and credit cards, are a very attractive target in the world of crime.
These are some of the attacks carried out on bank cards that it is important to know about, and we will address them in this article, providing the necessary details to help you protect yourself against them:
- The theft of bank card data, which allows a malicious actor to make payments with them, can be carried out by observing physical cards or compromising platforms where you have used them and that store your data to make it easier for you to use the same cards for future payments;
- Contactless technologies allow a criminal to bring a payment terminal close to your pocket to make unauthorized payments, as payments up to certain amounts do not require PIN entry, or to copy the data from your bank cards;
- The cloning of bank cards in ATMs and gas station pumps, using disguised technology;
- Among others.
Knowing the existing vulnerabilities is essential to protect your payment card accounts from unauthorized transactions.
The evolution of payments with bank cards
The first bank cards appeared in the 1950s. In the United States, Diners Club launched the first multipurpose credit card, made of paper, allowing consumers to make purchases at a limited network of establishments.
A few years later, in 1958, American Express and BankAmericard (now Visa) launched their own bank cards.
In 1966, Master Charge (now Mastercard) was introduced.
Get to know the main types of bank cards used today, as well as the most modern ways to make payments.
Magnetic stripe bank cards
Magnetic stripe cards, developed by IBM in 1969, store information in a static manner that is read at payment terminals. Since they do not use encryption and the information never changes, anyone with a magnetic stripe reader can easily read them and copy them onto a blank card, which can then be used for payments the consumer never authorized.

EMV contact chip bank cards
EMV contact chip bank cards were first developed in 1994. The first EMV chip cards were launched in Europe in 1996, and global adoption began in 2000. They require physical insertion into payment terminals to complete a transaction and use encryption to generate a unique code for each transaction, known as a cryptogram, which is validated by the bank. Since this code can only be used once, it makes cloning more difficult, thus offering greater security compared to magnetic stripe cards.

However, although considered more secure than magnetic stripe cards, they are not completely immune and several attacks are known. Given this, it is important not to let your guard down.
EMV chip contactless payment cards
EMV contactless cards use Near-Field Communication (NFC) technology, making them more convenient to use and, in a way, more secure since they do not need to be inserted into payment terminals.

However, to maximize their security, it is necessary to store them properly in wallets or cardholders with Radio Frequency Identification (RFID) blocking technology. Otherwise, they are susceptible to data being read without your knowledge. We will discuss this type of wallet further down in this article.
Mobile Devices
Contactless Payments (NFC)
Mobile payment using devices like smartphones, tablets, and smartwatches through proximity using NFC technology has made payments even more convenient, as we typically have our phone more readily available than our bank cards.

For this type of payment, make sure that biometric authentication is requested for each transaction, so that unauthorized payments cannot be executed.
Digital wallets (e-wallets)
Digital wallets, such as Apple Pay and Google Pay, are even more convenient because they allow both in-person (NFC) and online payments through the same app.
These transactions should also be protected with biometric authentication, ensuring that unauthorized payments are not made.
QR Codes

The use of QR Codes for making payments is widely adopted, especially due to its simplicity, as it doesn’t involve inserting or tapping anything—just scanning a QR Code.
Physical protection
Store your bank cards securely
For some years now, banks have been issuing contactless cards equipped with RFID technology, allowing you to simply tap the card on the payment terminal instead of inserting it and entering a PIN.
This has undoubtedly simplified payments, but it has also introduced an inconvenience that many have already experienced: if someone brings a payment terminal close to your card while it’s in your wallet and in your pocket, for example, money can be withdrawn from your account without you even noticing!
In other words, the infamous pickpockets have had their lives made somewhat easier. Instead of risking being caught stealing a wallet from a pocket, they simply need the right moment to approach with one of these devices. If the payment is below a certain amount (€50 in Portugal), no PIN is even required.
Another vulnerability is the copying of card data through proximity.
To prevent this, you should purchase an anti-RFID wallet, which blocks electromagnetic fields, thus preventing this trick. There are many available on the market to suit all tastes and budgets.
Your bank card should be physically non-transferable
The most important thing to remember is that your card contains information such as the number, expiration date, and security code (CVV). These three pieces of information are enough for a malicious person to make online payments with your card.
Taking this into account, think twice before handing your card to anyone.
Sometimes, when it is time to use the payment terminal, store employees reach out for your card, intending to insert it into the terminal themselves. Even though the security code is intentionally placed on a different side of the card from the number and expiration date, there is no reason to hand the card to anyone instead of inserting it into the terminal yourself.
The same applies when bank employees ask for your card to retrieve your account number in order to perform any banking operation. Although these employees have access to sensitive details of your account as part of their role, there is no justification for them to ask for your card. Refuse to hand it over and provide them with your account number instead. Alternatively, using your identification, the bank can easily retrieve your account number.
These are some of the problems that can occur when you hand your card to others:
- Card cloning – the store or bank employee could discreetly clone your card using a device they have.
- Exposure of card data – the employee could observe and even copy the details of your card, which would allow them to make online payments or sell the data.
- Lack of control over the transaction – in stores where you are making payments, by not personally placing the card in the terminal, you lose control over the transaction. For example, you may not be able to control the amount you are being charged.
Pay attention to where you insert your bank card

Automated Teller Machines (ATMs), commonly referred to as cash machines, as well as card readers at fuel station pumps, are frequent targets of disguised technology that captures debit and credit card data without customers suspecting anything. Before they realize it, hundreds or even thousands of euros may have been stolen from their accounts.
ATMs, many of which are available on the exterior of banks and other locations, provide a convenient way to withdraw money and perform other banking operations without the need to go to the bank and wait for assistance from an employee.
Gas stations, especially the more recent ones, are equipped with card readers on the pumps, allowing customers to pay for fuel right there instead of having to go to the attendant at the counter inside the gas station building.
Despite all the convenience, these devices often lack the same level of surveillance as those found inside banks, making them easy targets for criminals. Card-cloning devices and fake keypads look very similar to the legitimate equipment. Some store data internally, requiring criminals to return to the location to collect it, while others transmit it in real time via mobile data, wireless networks, or Bluetooth.
Follow these tips to detect fake equipment and avoid falling into these traps:
- Pull on the keypad and card reader to check whether they come off easily;
- Pay attention to the spelling on the equipment. Just as often happens in phishing emails, many criminals are not fluent in Portuguese, and spelling mistakes are often indicative of something unusual;
- If errors occur after inserting the card and entering the PIN, it may indicate that something unusual is happening, and that a criminal may have already received your data.
In addition to these points that can help you detect these devices, there are other ways to avoid falling into these traps, such as:
- Use cash whenever possible.
- Check your card transactions frequently.
- Avoid ATMs located outside of banks.
- Always cover the keypad as best as you can while entering your PIN. Some of these schemes involve installing mini-cameras pointed at the keypad, recording the PIN you enter. Although this won’t prevent your card data from being copied or a cloned card from being used in payment terminals, it will make it harder for criminals to empty your bank account, as they won’t have your PIN.
That said, it is crucial that these devices are equipped with anti-tampering technology, which prevents the installation of these disguises.
These attacks are known as skimming when they target magnetic stripe bank cards, and shimming when the target bank cards contain EMV chips.
Skimming
Skimming is an older attack targeted at magnetic stripe cards, involving the reading of their data using a card reader. Since the information is static, never changes, and no encryption is used, it is easy to clone these cards.
Shimming
Shimming is an attack similar to skimming, but aimed at EMV chip cards. It is less common and less effective because, while skimming allows cloning of a magnetic stripe card, shimming captures some data from the EMV chip but cannot generate the unique cryptogram used for each transaction. This cryptogram cannot be reused, so it is not possible to create a functional copy of an EMV card. However, the captured data could be used in transactions where only static data is needed, such as magnetic stripe transactions, if the merchant’s system security is low.
It is also worth noting that shimming devices are harder to detect, as they need to be installed inside the equipment, requiring dismantling to identify them. This makes them more challenging to spot compared to traditional skimming devices, which are often more visible and easier to spot by the consumer.
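The difference between static stripe data and a per-transaction cryptogram, as an added example that is not part of the original article: a simplified Python model of the issuer's checks, in which HMAC-SHA256 stands in for the card's real algorithm and the key, track data, counter and amounts are all constructed values.

```python
import hashlib
import hmac

# Constructed values for illustration only.
CARD_KEY = b"constructed-demo-card-key"   # secret held by the chip and the issuer
STATIC_TRACK = "9999000000000000=9912"    # constructed stripe-style static data


def chip_cryptogram(key, atc, amount_cents, nonce):
    """Chip side: MAC over the transaction counter (ATC), amount and terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: knows the card key and the highest counter already accepted."""

    def __init__(self, key, static_track):
        self.key = key
        self.static_track = static_track
        self.last_atc = 0

    def authorize_chip(self, atc, amount_cents, nonce, cryptogram):
        if atc <= self.last_atc:  # counter must move forward, so a replay is refused
            return False
        expected = chip_cryptogram(self.key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True

    def authorize_magstripe(self, track, allow_fallback):
        # Static data is identical on every swipe, so a copy cannot be told apart
        # from the original; the control is refusing stripe fallback for chip cards.
        same = hmac.compare_digest(track.encode(), self.static_track.encode())
        return allow_fallback and same


def demo():
    issuer = Issuer(CARD_KEY, STATIC_TRACK)
    nonce = b"\x01\x02\x03\x04"  # terminal's unpredictable number (constructed)
    captured = chip_cryptogram(CARD_KEY, 1, 2500, nonce)
    return {
        "genuine_chip": issuer.authorize_chip(1, 2500, nonce, captured),
        "replayed_cryptogram": issuer.authorize_chip(1, 2500, nonce, captured),
        "old_cryptogram_new_counter": issuer.authorize_chip(2, 2500, nonce, captured),
        "static_copy_fallback_allowed": issuer.authorize_magstripe(STATIC_TRACK, True),
        "static_copy_fallback_refused": issuer.authorize_magstripe(STATIC_TRACK, False),
    }
```

Only the first chip authorization and the stripe fallback with `allow_fallback=True` succeed, which is why refusing magnetic stripe fallback for chip cards removes the value of data captured by a shimmer.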
Secure Online Payments
Connect to the Internet securely
If you are going to make online purchases and therefore share payment details, make sure to:
- Use a personal device instead of a public or someone else’s device. This is an important step in helping to ensure, to some extent, that you are actually visiting the website you intend to and that the data you enter is not intercepted.
- Use a secure connection. Avoid public wireless (Wi-Fi) networks, such as those found in cafés, airports, hotels, etc. If you must use them, it is recommended to use a trusted Virtual Private Network (VPN).
Once these steps are ensured, it is also important to verify that you are connecting to the genuine website. That is, type the address of the service you want to access directly or, if you are searching for it on a search engine, be cautious not to click on fake sites posing as the one you want to visit. Well-known cases exist where users are deceived by a site that closely resembles the one they intend to visit. In such cases, the data entered on the site is sent directly to malicious individuals who created it online with the sole purpose of stealing your card details. To avoid this issue, besides being careful when clicking on search results, it is essential to check the address in your browser’s address bar to ensure that it is indeed the site you want to visit.
Prefer services that comply with PCI-DSS
No matter how careful you are, when sharing your card details with e-commerce websites, you’re taking on risks that you can no longer control. If these websites don’t follow certain precautions, your card details and personal information (such as your name and address) could be accessed by unauthorized individuals.
Being compliant with the Payment Card Industry (PCI) means adhering to security standards outlined in the Payment Card Industry Data Security Standard (PCI-DSS). These standards ensure that companies that process, store, or transmit credit card information take the necessary steps to protect cardholder data, preventing data breaches, fraud, and unauthorized access.
E-commerce platforms like Shopify and WooCommerce strive to comply with PCI-DSS and provide information on the topic at the following links, respectively:
Use virtual cards
A virtual card is similar to your physical card, but with some advantages, including:
- You can create multiple cards – That is, most services allow you to create multiple virtual cards based on your needs. This means, for example, that you can have a different card for each service you use or, if you prefer, for each payment you make.
- You can specify whether the card is for one-time use, for multiple purchases, or for recurring payments for a service.
- You can specify the card’s maximum spending limit.
In addition to these advantages, you can cancel any virtual card at any time. That means if you cancel a subscription to a particular service and want to ensure that the cancellation is effective, you can cancel the card. This way, if the service tries to charge the subscription fee, they won’t be able to. However, before canceling a card, check which services are being charged to it, as canceling the card will affect them all.
Conclusion
In summary, the important takeaway is that your card data is of great interest to those involved in the criminal world, so:
- Avoid magnetic stripe credit cards and prefer EMV chip cards as they are more secure. Use NFC or QR Code payments when possible, preferably configured to require authentication with biometric data.
- You should never hand your physical card to another person.
- You should never share your physical card details (such as the number, expiry date, and security code) in person or online. Instead, create virtual cards with usage limits.
- You should store your cards in RFID-blocking wallets so that a payment terminal placed near your pocket cannot make unauthorized payments or read your card data.
- You should pay special attention to ATMs and fuel station pumps, as they are common targets for disguised technology aimed at cloning your cards.
- Make online payments using your own devices and internet connections, and ensure that you use reputable e-commerce services that comply with PCI-DSS.