TO wrote:My wife was a victim of a debit card skimming incident a few days ago. When reviewing my checking account activity online this morning, I noticed 5 consecutive $100 withdrawals from yesterday at the same ATM location in a neighboring suburb that we do not frequently visit.
I wouldn't be so fast to blame Costco for this incidence. Fraudulent ATM withdrawals require stealing your PIN as well. It's a lot harder to steal your PIN at Costco versus an unattended ATM machine. Stealing the pin usually requires a camera that records your entries. It's not easy to mount the camera at Costco.
Skimming has long since evolved beyond putting a skimmer and camera on an ATM like it was originally. If they replace the entire card swipe and PIN entry pad device with a counterfeit device, no camera would be needed to record the PIN. This is a very common attack now, even at manned and video-recorded registers. They can swap PIN pads for counterfeit devices at manned registers by employing the classic technique of distraction and rarely is someone watching the video feed in real time to catch them red-handed. Such counterfeit devices have existed in-the-wild (e.g. actively being used for swiping incidents) for at least half a decade. The Barnes and Nobles incident this year was only the latest in a long string of such attacks.
That the Costco manager in question inspects his machines daily means they are on the alert for such attacks, but visual inspection alone is not good enough for some of the counterfeit devices. There is a very sophisticated black market in these devices, particularly to make devices that are visually identical to the legitimate devices. It's a difficult problem for merchants to guard against, because, short of gluing all their PIN pad devices to the checkout lane furniture (and then what if someone in a wheelchair can't reach it?), it's nearly impossible to prevent and hard to detect.
Edit: I suppose they could mount the PIN pad to one of the alarm units that sends an auditory alert when the pad is moved too far away from the base (normally used to secure demo units in the electronics section). But then the clerks would need a way to temporarily disable the auditory alarm for the customers who need the PIN pad moved for normal transactions or it would get annoying very quickly.