In the movie "Office Space," the main characters exact their revenge on The Man by writing a computer program that pilfers fractions of pennies off of corporate transactions by rounding off monetary amounts to the nearest cent, then depositing the minute amounts of cash in a side account. The idea is their huge employer would never notice the microscopic amounts of money that was missing. But since the company does millions of transactions every week, the tiny amounts would add up fast, eventually making the perpetrators rich.
Critics panned the film, partly because it was the handiwork of "Beavis and Butthead" creator Mike Judge, but also because the scheme that was central to the plot seemed too far-fetched to the critics to have any basis in reality. Those critics likely don't work for iDefense, which says the threat of thefts, some similar to the "Office Space" heist, is very real, and is particularly dangerous to banks due to its stealth nature and links to international organized crime.
"It's an underground industry, not a hacker or a group of bad guys," says John Watters, the CEO of iDefense, the security intelligence company that works with eight of the country's 10 largest banks, none of which would comment publicly on actual or anecdotal losses from skimming attacks or other types of "stealth" petty thefts-such as stealing credit card numbers at gas stations. The U.S. Senate's Finance Committee estimates that overall, companies stand to loose as much as $50 billion per year from these kinds of crimes.
Watters views skimming as the "dirty secret" of financial cyber crime in an age where ID theft, bank fraud and phishing are grabbing headlines. Since skimming at its most basic level involves stealing small amounts of money, it goes widely ignored. "It's a dollar loss for banks when you compare the loss from skimming to the costs incurred to detect those losses. It makes no economic sense to do anything about it," Watters says. "But that's a big risk, since inaction is a false sense of security."
Skimming involves taking an amount of money out of a larger transaction in a manner or amount that's not recognizable to the effected account. Watters says this basic idea is being expanded upon by organized crime groups such as the Russian mobs who are coming up with a variety of ways, traditional skimming and otherwise, to nab bits and pieces of a financial services firm's cash and credit card data. The diminutive heists-a few cents here, a few credit card numbers there-are starting to accumulate since the "small time" thefts are taking place far and wide. "The trajectory is steep, and firms aren't going to have time to catch up. Companies need to take action," Watters says.
Some of the newest petty crimes involve stealing credit card information at merchants. Watters says there's a large market for stolen credit cards, and a wide-range of small merchants are being targeted in organized networks of theft. While the theft is happening beyond the scope of the financial institutions that issue the cards, it's these issuers that stand to feel the pain.
"There's a risk to the brand of an issuer and the financial institution itself because consumers may lose confidence in their ability to do business with a card company," Watters says.
One of the creepier ploys that's being pulled off with surprising regularity is the mounting of hidden cameras at gas stations by employees working on behalf of a criminal ring. These cameras videotape the PIN being entered at a pump and the credit card number. That's used to create a duplicate card which finds its way into circulation in the criminal world.
"Magnetic strips are easy to duplicate," says Penny Gillespie, a senior banking analyst at Forrester, who says about 70 percent of all financial fraud has its origins with some inside or connected source. "A lot of it comes back to an inside job. The employee works at a gas station for a few months and installs some software to lift credit card numbers. And he's paid well to do this."
Gillespie says there's not a lot of recourse when it comes to institutions pressuring merchants to shore up their own electronic infrastructure, since as a financial institution you'd have to prove the credit card number was lifted at a specific merchant in order for the financial institution to have any cause of action against that merchant. "Few perpetrators get caught."
Both Gillespie and Watters note a general increase in organized networks of petty "below the radar" thefts in the past couple of years, in part because of improvements in bank security in Europe, where many of the criminal networks got their start.
Gillespie says a major concern is how much skimming in the United States will increase in the future as Europe moves further away from credit cards with magnetic stripes, deploy ATMs that make it harder to deploy rogue software to pilfer personal information and adopt other security improvements that make individual credit card purchases and other one-off transactions less of a soft target. "The criminals have gotten more sophisticated, and it's harder and harder to detect this kind of crime at first glance," Gillespie says.
