The Startup
Published in

The Startup

Your Debit Card Number Got Stolen. So What?

Recently, my friend Scott sent me a text message that read “my debit card number got stolen and they [cybercriminals] spent $800”. As the President & CEO of The Penn Group, I hear about this kind of fraudulent activity often. With 78% of Americans living paycheck to paycheck, it isn’t difficult to draw the conclusion that these type of losses are not sustainable by nearly 4 in 5 people in America. The troubling thing is, these losses not only continue to happen, but their frequency is on the rise.

In 2018, the Federal Trade Commission processed 1.4 million fraud reports totaling $1.48 billion in losses. 33,000 bank accounts were compromised, with $78 million in losses. Credit card compromises clocked in at 50,000 incidents, with $150 million in losses. In the first half of 2019 alone, 23 million cards have been compromised worldwide. With these staggering figures, you might be wondering how this type of fraud occurs.

Credit Card and Debit Card numbers are very valuable to cybercriminals. For obvious reasons, access to someone else’s funds can provide a quick theft that is difficult to disrupt. In order to perform this type of fraud, a criminal usually resorts to one of the following tools:


What is a skimmer? A skimmer is a discreet device that is attached to a card reader in a high traffic location such as a gas pump. These devices are patched together, using components from other devices, to surreptitiously scrape the PAN (personal account number) from a card as its swiped. Skimmers can be incredibly difficult to detect and, in some cases, contain advanced technology that increase their effectiveness with spectacular results. Skimmers have been found with cellular internet technology, Bluetooth, and advanced WIFI capabilities, all in the name of capturing the not-so-elusive account number. Now, before you fire off hate mail and tell me that EMV solves the problem of skimmers, that isn’t true. Cybercriminals are innovative and continue to find ways to exploit the technology. EMV, by the way, is an acronym for EuroPay, Mastercard, and Visa. These companies originally developed and implemented the Chip and Pin or Chip and Swipe authentication mechanisms. If you have ever went to a store and tried to swipe your card, and instead had to insert the chip, these people are responsible for your annoyance.

POS Malware

For the less MacGyver type, cybercriminals have long resorted to a far easier way of obtaining a victim’s account information. Why go through the trouble of creating a specialized device or spending thousands on the Dark Web? Instead, from the comfort of the cybercriminal’s evil lair, they could remotely install malware onto the cash register of a local business and instantly begin to offload card numbers to a server in the cloud. This is so easy, in fact, that it happens with shocking frequency. Although it is nearly the year 2020, many large organizations still employ largely antiquated technology that is easier to hack than a wet paper bag. Irrespective of the age of the technology, even new technology still requires a complex concoction of patches and updates to ensure their security. In specific industries, such as those who leverage franchise models, the complexity of defending these critical systems only becomes more complicated. Ultimately, many resign to the reality that there is too much work to be done, and just not enough people to get the job done.


If a skimmer or POS malware wasn’t enough to cut up your credit cards and switch to a cash only with an emphasis on pennies lifestyle, then you might be shocked to learn that even the “secure” websites that you purchase items from could be compromised. With basic networking security getting much better in the latter half of this decade, cybercriminals have turned to a much easier target. Application security is a rather tricky area of security. While among the most important, little attention has been paid to application security with the exception of the largest organizations. The result has been a stunning uptick in the amount of security vulnerabilities that are discovered specifically related to application security. Here is how easy it is to hack a payment form.

Who is Responsible?

Who is responsible for ensuring my card is protected from these threats? Well, unfortunately the organizations responsible for protecting your personal account numbers are also the same organizations that have dominated headlines for eye popping data breaches. The PCI DSS (Payment Card Industry, Data Security Standards) is a set of rules that are enforced by the major card brands to ensure data security of customer’s card numbers. The sad reality is, while organizations with large transaction volumes can be severely penalized in the event of a card breach, the vast majority of organizations fall into a level of the requirements that required little action up until the past few years. Even now, the majority of the SMB continues to fall into the self-assessment category of the requirements. Meaning, it is the responsibility of the organization to self-regulate, even though the PCI Council doesn’t have any regulatory authority. Other than the threat of lawsuit or fines, there isn’t a lot of incentive for an organization to spend millions of dollars a year on security. In another unfortunate reality, most senior executives today grew up in a time where computers did not play a prominent role in society. The reality is, cybersecurity is an extremely complicated subject. It’s a tough ask to tell someone to spend money on something they do not understand, especially when nothing has happened before. Scott lost $800 due to cybercriminals. When he called his bank to label the charges as fraudulent, the charges went through anyway. He was out $800 for 2 weeks until the bank finally reversed course.

How can I stop this?

From a security standpoint, it is recommended to purchase as much as you can on credit cards as opposed to debit cards. While the difference between the two may seem obvious, the terms are synonymous in culture today. Debit cards make a direct withdraw from your bank, using your real cash as tender. Credit cards use the bank’s money to pay for the transaction. At the end of the month, you’re presented with a bill for the balance. This distinction is critical from a security standpoint. When purchasing with a credit card, the bank is on the line for 100% of any fraud, not you. A lot of large banks have improved their fraud policies in recent years to cover 100% of fraudulent activity, but this process takes an unusually long time. It is highly recommended to make all day-to-day transactions on a credit card opposed to a debit card. Watch your credit card statements carefully, and always pay it in full at the end of each month.

Austin Harman is the President & CEO of The Penn Group. He currently holds the coveted CISSP certification, in conjunction with the CCSP, CAP, and Security+ certifications from ISC2 and CompTIA respectively. He resides in Columbus, Ohio.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Austin Harman, CISSP

Austin Harman, CISSP

An experienced cybersecurity leader serving as the President & CEO of The Penn Group. I hold the CISSP, CCSP, CAP, and Security+ certifications.