She paid for the $5 beverage with her American Express card and then slipped the card back into her pocketbook, where it stayed for the rest of her vacation. When she returned home, Shanley, a sales associate for a department store in Burlington, Ky., found $1,300 in fraudulent charges on the card — and she suspects that Southwest Airlines is responsible for the security breach.
Travelers are easy prey for “carders,” who take illegal credit card impressions in a crime called cloning or skimming. Airline passengers such as Shanley may feel extra vulnerable, because on a plane, plastic is often the only payment option for beverages, meals or duty-free items. (Airlines euphemistically call it a “cashless environment.”)
Apart from the timing of the charges, several other clues point to Southwest as the responsible party. First, Shanley says, the flight attendant took 15 minutes to return her card; and second, she’d never had a fraudulent credit card charge until she made the in-flight purchase. “I think it’s strange that the charges showed up two days after that flight, and I have never had a problem before,” she says.
Southwest says it isn’t responsible. “Cardholders tend to focus on the last known legitimate charge as being the point of compromise,” airline spokeswoman Linda Rutherford says. “However, our security folks advise us that it could be any number of merchants where the card was used prior to the Southwest flight.” She says Southwest has “no reason” to suspect the crew on Shanley’s flight but agreed to forward her complaint to management “for their review.”
Shanley’s credit card company reversed the bogus charges.
But Shanley’s problem raises two bigger questions for air travelers who want to buy something on board: Is it safe? And is there a way to protect your card?
Here’s the bottom line: Fraud can take place anywhere, even at cruising altitude, and no protection measures are airtight.
Could a flight attendant moonlight as a carder? You bet, says John Sileo, an expert in digital privacy. The gadgets used to perpetrate these crimes are small enough to be concealed in a pocket. “There are skimming devices that are only slightly larger than a matchbox,” he says. “I’ve seen waiters hold the check folio in such a way that they hide a skimmer and are able to skim the credit card while standing at the table.”
An accomplished carder can clone a credit card right in front of you without your knowing it, he adds. “They make it look like they’re sliding the card into the check folio,” he says, “but they’re actually swiping the card.”
The credit card security experts I spoke with say that Southwest isn’t necessarily to blame, because a card can be skimmed anywhere, and the bad charges don’t always appear immediately after the theft. Any time you hand over your credit card, you’re exposed, because you’re giving a potentially dishonest clerk an opportunity to make an illicit copy of your card information from the magnetic strip.
“Once the thief has the credit or debit card data, he or she can place orders over the phone or online,” says data-security expert Robert Siciliano. But thieves can also copy that data onto blank cards, which are called “white” cards. The plastic can even be dressed up to look like a legitimate card, he said.
Such data theft creates a massive money drain. The most frequently cited statistic is a 2010 U.S. Secret Service estimate that skimming is an $8-billion-a-year problem. (It includes ATM skimming, which, as the name implies, happens when you use your credit or debit card at an automatic teller machine.)
I know that it’s a problem, because my own card has been cloned, and I’m not entirely sure how it happened. The last place I’d used the card before the fraudulent charges popped up was in a sandwich shop in British Columbia. But that means nothing. Carders can wait weeks before running fraudulent charges, and I’d like to think that the deli was as honest as the tuna sandwich they made to order.
How do you avoid being skimmed? Identity-theft expert Rob Douglas says that using cash whenever possible is the only way to be safe. He recommends forking over greenbacks for minor purchases typically associated with this kind of fraud. “That includes cab rides, coffee and newspaper kiosks, meals in restaurants located in high-tourism locales, airport vendors and similar operations where a carder can obtain a large amount of card data with little risk of any single stolen transaction being tracked,” he says.
Experts say that the only long-term fix is to tighten security on credit cards by requiring PINs and using security chips that are far more difficult to copy. But American credit card companies have been slow to embrace such changes, citing higher costs and downplaying the security risks.
The next time they do that, maybe they should talk to Shanley or Southwest Airlines — or me.