How we lost $3K to debit card hackers

A funny thing happened while we were on the road in spring for Denise’s book tour: one of our debit cards got cloned and sold to someone overseas, who ended up racking up $3,000 in charges before we spotted the discrepancies and had our bank shut down the card.

We got all the money back, so don’t worry. This is not one of those stories. But it is a cautionary tale in the sense that it’s the first time this has happened to us, and everything I’ve learned in the past month or so about the process has me pretty shaken.

You know what this swiper thingie is, right? You’ve seen them, used them, they’re everywhere. It’s a point-of-sale magnetic stripe reader. This is the side-swipe model. Others require you to “dip” the card with a swift, in-and-out motion.

Every time you use a magstripe reader to make a purchase, the critical data on your card is sent to your bank, which either okays or denies the purchase. Hackers can access that same data with a handheld device or they can team up with a crooked merchant to install a stripe reader which retains your data. The data can then be transferred to a new card and sold to a not-so-innocent third party.

When we’re on the road, we use our cards more than we do at home. We buy gas, food, lodging, etc. And because we’re always in a hurry, we don’t typically stop to think about the kinds of places we are patronizing. Nor did we think very much about letting our cards leave our sight.

What’s scary about this kind of theft is that the critical moment o’ theft could be visible or totally invisible.

A visible theft: A bartender asks if we want to run a tab and sticks the card in a little cup behind the bar, and another employee or manager steals the data with a handheld device. Or a gas station clerk in NJ—one of the last states which do not permit you to pump your own gas—takes our card while we’re still sitting in our vehicle, not paying attention, and swipes it twice—once on the legit device to pay for our gas, and once again on a handheld to steal the data.

An invisible theft: The magstripe reader has already been compromised because the managers or owners of the establishment are in cahoots with the hackers. You swipe the card to pay and your data is instantly stolen—yet the card has never left your hand.

How do you fight this?

It’s tough. You can switch back to cash. You can swipe only at places you know and trust. You can be hyper-vigilant about downloading your bank charges on a regular basis and checking for suspicious activity. You can call your bank/credit card company to let them know when you’re leaving town. You know—all the stuff people tell you to do but you never do because you think it’ll never happen to you.

Well, it happened to us.

Now we’re warier, wiser, more delightfully paranoid.

And I just thought I’d share.