Below is an edited version of our conversation.
Why are the holidays such a vulnerable time for this sort of crime?
Your credit card companies have an algorithm in place to detect fraud based on what works for you and how you shop. They look for unusual patterns, so they know if they need to touch base and make sure there’s no fraud. But they have to edit those algorithms during the holiday season because otherwise everything would grind to a halt. You may buy two or three iPods for gifts, or an iPad — purchases that would normally trigger these things. But at the holiday season, big purchases aren’t unusual. People are buying electronics, plasma TVs, gift cards...and criminals know that. They know that this is their best chance to go undetected, take your information and monetize it.
What information do they want and why?
If I’m a criminal, I normally want to do one of three things with your information. I can sell your information to other people, for one. There’s essentially an eBay of personal information out there, forums were people are selling this kind of data and trying to buy blocks of identities to sell to other criminals. All they’re doing is selling a copy of information they have on you. I could also apply for new credit card or new services posing as you if I can take your financial information. Or I can use the card number until you catch on to the fact that I’m using it, and you shut it down. That’s normally the most painless type of fraud, since if you catch it within 30 days, the banks can’t hold you accountable for more than $50 of charges. Then again, criminals know that you're probably not going to notice that extra charge at Best Buy or whatever during the holidays.
How do they get this information?
There are a couple of ways. For one, during the holidays, the people working in the malls, in the stores, are often temporary employees, and so they may be more motivated to do these kinds of things. They could be skimming your card information: there are devices I could hold in my apron at the register or wherever, and when you hand me the credit card, I can swipe it on my skimming device. I’m still processing the transaction as normal, but I’m also keeping a copy.
Or we see people modifying the devices at the point of sale, where they will attach the skimming device with a Bluetooth unit on it, so that when it runs the card it also is storing a snapshot of the magnetic strip. Then, people can download hundreds to thousands of cards at a time from these stored devices.