My local freesheet had an article entitled ‘Skimming device found at Tesco’ (‘Bedfordshire on Sunday’, May 21, p 30). This managed barely 6 column inches, so common is the offence these days. What caught my eye was an appeal by the police for anyone who used the machine at Flitwick between 1030 and 1130 AM on Tuesday last week to check their accounts and report any unauthorised transactions.
Now hang on. What can’t the bank that operates the machine help them? They have the definitive list of potential victims. Come to think of it, when a skimmer is found on Barclays’ machine, and they see that customer X from Lloyds just used it, why don’t they write to Lloyds suggesting they invite her to check her account? Well, you can imagine what Barclays’ lawyers would think of that, but where does the public interest lie?
The Americans do this sort of thing much better. California has a law mandating prompt notification of individuals potentially affected by information compromises, and many other states are trying to follow. According to survey reported by SANS, 71% of Americans want this to become a federal law, and 46% said that they would have serious doubts about political candidates who did not support improving the law.
I initially had my doubts about the Californian initiative, but Tescos in Flitwick are helping convince me.
Looks like there has already been a previous one at that store, and another at nearby Flitwick … http://www.bedfordshire.police.uk/news/news.cfm?news_id=2595
… and also associated with Tesco in Oxfordshire .. http://www.thisisoxfordshire.co.uk/display.var.746387.0.0.php
There’s even a picture of the “Skim 4” apparently about to disable a nearby cashpoint to direct people to the skimming ATM … http://www.bedfordshire.police.uk/news/news.cfm?news_id=2632 (is it my imagination, or is one of those guys actually wearing a stocking on his head ???)
A worrying but inevitable trend is that specific companies get targeted one at a time. I’m sure crims would like to steal fairly and evenly, but they have to invest development time becoming interoperable with different types of ATMs.
This, I imagine is why Tescos has a recurring problem, because the gangs have got nice kit the right shape for that sort of machine. Hmmml, or is there some other advantage of the supermarket setting which I haven’t considered?
Ditto for Shell, who pulled the plug on Chip and PIN to prevent a crisis of faith for customers. Now if everyone who shopped at Tescos had to use the ATM, Tesco’s would be right on the case of getting this fixed, lest there be a consumer confidence crisis.
Now here’s a nice twist. Maybe the banks should develop a global standard slot shape for ATMs to make skimming devices more easily interoperable. Easier for the crims, yes, but better for the banks as they don’t get singled out for punishment (and consumer confience crises) one at a time.
The underlying issue bubbling under all this of course, should banks compete on issues of security?
I don’t know about the Tesco implementation in particular but a quite plausible possibility for such devices is that no connection would be made to the bank at all, and the device be jobbed to report “paid” to all transactions.
It might be true that at this moment California have a law to protect the consumer from companies that “loose” their information, but California is the exception. Like so many consumer protections in the USA, California is not leading the pack but rather the exception to the rule. Congress is trying its best to pass a law that will not only severely weaken the Californian law, but also repeal the right of states to pass more servere measures.
With a little luck, the November 2006 elections will send all the sleaze bags in the Congress and the Senate home where they will suffer at the hands of many identity thiefs.