Several years ago, Ty Huelle was dining in London on business when a waiter helped himself to more than a tip. By the time Big Ben tolled midnight, Huelle’s credit card information had been used to ring up a small fortune in Colombia.
For most of us, having our card data stolen by a waitperson with a sharp pencil or cellphone camera would be little more than a low-tech pain in the neck.
But for Huelle, a veteran high-tech security auditor for the payment card industry, it inspired a one-man crusade to close a card security loophole that is so obvious that we no longer give it a second thought: All of our vital card data is displayed right there on our card for anyone to steal.
“The industry wants you to believe that credit card fraud happens by hackers and skimmers,” Huelle says. “But the Federal Trade Commission estimates that 75 percent of all credit card thefts are reported as a single incident and not a corporate breach. That tells me this is happening more on an individual basis rather than a hacking basis.”
So Huelle created MaskYourCard (get the phonetic?), a wraparound bandage that conceals the first 10 (Amex) or 12 digits (Visa, MasterCard) of the account number on both the front and back of your card, without impeding its use in electronic or “knuckle-cruncher” point-of-sale terminals.
This low-tech deterrent to low-tech fraud sells for a buck a strip, $10 for custom messages or business logos, and comes with a card-shaped Credit Card Tracker on which to store the digits that your various card masks conceal.
Huelle says we’ve been lured into a false sense of security by card brands and issuers so intent on promoting card use that they’ll gladly spring for our losses if our card data becomes compromised. But in their rush to profits, Huelle says they’re ignoring Requirement 3.3 of the industry’s own data security standard, which states that primary account numbers should be masked whenever displayed. While merchants do truncate receipts, card issuers still display all the goods on our cards, mostly for our convenience when shopping online or by phone.
Is presenting a naked credit card to waiters, cashiers, office assistants and hotel clerks really that risky? Or is MaskYourCard a solution in search of a problem?
“While it certainly could happen, I don’t see that as being a real problem,” admits John Joyce, special agent in charge of the U.S. Secret Service field office in Tampa, Fla. “You can buy a skimmer online legally that is going to store more information quicker with a lot less chance of being caught.”
But Huelle insists low-tech is the preferred tech of many a card snatcher these days.
“Hackers leave tons of bread crumbs, making it far more likely that they’ll get caught,” he says. “People who’ve maybe been downsized into the service industry, they don’t need anything that is considered a hacking tool; they use camera phones, Xerox copiers, camcorders and their pen and pencil. It’s so low-tech that nobody is going to think twice about it.”