[August 03, 2011] St. Louis Post-Dispatch Jim Gallagher column Tweet Jun 19, 2011 (St. Louis Post-Dispatch - McClatchy-Tribune Information Services via COMTEX) -- Dumb thieves rob banks with pistols. The smart ones use card readers, laptops and the Internet. The dumb ones are often caught, while the smart ones largely get away with it. Bernice Krauze of St. Louis Hills learned about that last month. On May 24, she used her debit card at an ATM in St. Louis. Two hours later, a thief used a clone of the card to withdraw $503 from her checking account through an ATM in California. Krauze says U.S. Bank spotted the California theft and froze her debit card within hours. The bank returned her money two weeks later, after she filed a police report. But Krauze, a 69-year-old retiree, has lost faith in plastic. "I think I'll go to cash, you know?" she says. "It kind of scares me. It feels like you've been violated and you don't know what will happen next." Computer hackers, skimmer scammers, crooked bank employees and the like made off with more than 4 million electronic records last year, according to cyber-sleuths at Verizon, which investigates such incidents for companies. The haul was mainly credit and debit card information, bank account log-ons and the like. That's an improvement. In 2008, thieves swiped 361 million. All that theft explains why one-third of Americans report being victims of some sort of credit or debit card fraud over the past five years, according to a survey by the payment systems company ACI Worldwide. How did the thieves get the electronic codes and PIN number to duplicate Krauze's card? Krauze thinks it happened at a Michaels store in Rockville, Md. Michael Stores last month discovered that thieves had rigged about 90 PIN pads at its stores to swipe account numbers, customer names and PINs from debit and credit cards. The Maryland store had a rigged pad, although the St. Louis stores did not. Krauze's experience points out the one happy truth about credit and debit card fraud: Consumer victims go through angst and hassle -- sometimes lasting months -- but they generally don't lose their money. Banks and merchants eat the losses. Under federal law, consumer liability in credit card fraud is limited to $50, although most card issuers charge consumers nothing. It's $50 on debit cards too -- as long as you report the fraud within two days of learning of it. Wait longer and the limit is $500. However, banks generally return the entire amount rather than anger the customer. Odysseas Papidimitriou's experience holds another lesson: Even experts can be ripped off. "When I saw it, I almost had a heart attack," said Papidimitriou. He'd logged on to his online bank account and found $4,000 missing. It had been sent through his bill-paying service to a company he'd never heard of. "I called the bank and within hours I had my money back," he said. Papidimitriou runs Cardhub.com, an online advice and comparison site for credit cards. He hands out advice on avoiding card scams. He's not one to fall for a "phishing" expedition, in which scammers try to trick people into revealing account information in phone calls, or through emails luring them to fake bank or merchant websites. He doesn't open unexpected attachments in emails, which can download malware to computers. Yet someone got into his account. Papidimitriou did learn a lesson from the experience. "Change your password often," he says. Even bankers get scammed. Last year, according to Verizon, three officials at an unnamed bank clicked on a PDF attachment that arrived in emails purportedly from the FDIC. It infected their computers and sent the electronic key to the bank's money transfer system to hackers in Romania. The bank lost millions. Consumers who guard their own security still fall victim when hackers penetrate files at banks, retailers and other companies that have their credit card information. There's been a rash of that lately. Last month, thieves penetrated Citibank's computers and got off with 200,000 names and credit card numbers, along with addresses and phone numbers. The nation's third-largest credit card issuer waited three weeks to tell customers about it. The thieves didn't get the expiration dates, or security codes for the cards. That makes the information hard to use. Instead, those consumers can expect to be phished, says Jay Foley, director of the Identity Theft Resource Center. "They'll get calls from someone pretending to be a fraud investigator," says Foley. They'll ask for the card security codes and expiration dates. Card-readers in the hands of thieves may pose a bigger risk than hackers. When the waiter takes your card at the restaurant, does he run it through his own scanner as well as the restaurant's terminal? I suspect that something like that happened to my daughter two years ago. She was using her credit card in Sicily, when thieves began using clones of it in Chicago, to the tune of nearly $2,000. CapitalOne caught the fraud quickly, and my daughter lost not a dime. But it took more than a month to straighten it out. Tech-savvy thieves are attaching electronic data skimmers to ATM machines and gasoline pumps where credit and debit cards are used. Big hacking attacks yield the mother lode of customer financial information. Hospitality firms -- mainly restaurants and hotels -- account for 40 percent of hacking targets, according to Verizon, followed by retailers at 25 percent. Financial institutions gave up 22 percent of swiped records. About 65 percent of the hack attacks appear to come from Eastern Europe, with North America a distant second with 19 percent. Hackers sometimes have help. Insiders are involved in 17 percent of data breaches, either providing electronic entry ways for outside gangs, or simply swiping data themselves. For instance, a call-center employee for Netflix was filching customer names and credit card information for two months before being nabbed in April, according to a letter from Neflix to the New Hampshire attorney general. So, what's a consumer to do? Remember that scammers are devilishly sneaky. That e-mail attachment from your mom may really come from a crook and contain a computer program designed to snatch your bank information. Remember that no legitimate company will call or email you asking for your passwords and account numbers. Never click on links sent in unsolicited emails -- they may lead to fraudsters' websites masquerading as banks or retailers. Type in a Web address you know. Don't check financial accounts, or give out personal information, on a public wireless network, such as those in coffee shops. Deter dumpster divers by ripping up financial paperwork. "If you use Peer-to-Peer file sharing, check the settings to make sure you are not sharing your sensitive private files with other users," says the Federal Trade Commission. Change passwords now and then, and avoid obvious ones such as your birth date. If you ask, many banks will email or text you when your account drops to a certain level. That could be a warning that thieves are at work. Watch your credit report for weird goings on. You can get a free copy of your report once a year from each of the three agencies, so pull a different one every four months. Go to www.annualcreditreport.com or call 877-322-8228. Kavita Kumar of the Post-Dispatch contributed to this column To see more of the St. Louis Post-Dispatch, or to subscribe to the newspaper, go to http://www.stltoday.com. Copyright (c) 2011, St. Louis Post-Dispatch Distributed by McClatchy-Tribune Information Services. For more information about the content services offered by McClatchy-Tribune Information Services (MCT), visit www.mctinfoservices.com. [ Back To TMCnet.com's Homepage ]