Why does my debit card keep getting cloned?
September 24, 2011 9:10 PM

Twice, about a year apart, I have had my debit card cloned, copied or otherwise made use of without my permission. The first was around a year ago, when I checked my account and found point-of-sale transactions for about $120 at two different locations, about 400 miles and two days apart. In states that I've never been to. Called my bank, card turned off, money reimbursed, etc etc. Then yesterday...

Yesterday I give my statement the weekly look and I see two more point-of-sale transactions, hundreds of miles and two days apart. In states I've never been to. These were a bit different because they were obviously for gift cards (exactly $100.00 at two large retailers). Called the bank, new card, money coming back, etc etc.

What the heck? I like to think I know quite a bit about protecting myself. I know how skimmers work, I am mindful and know quite a bit about computer safety and security, I can even diagram an encryption algorithm for you if you want. I don't shop much online and only from reputable merchants. I follow all the other items on the Good Credit Card Hygiene lists.

I'm guessing these guys aren't complete amateurs since they're using POS, they must have made up a real physical card. And I'm assuming my PIN. (Though they might be using it as a credit card.)

I've changed cities and banks since the first time! So clearly I'm doing something wrong. What? Is it card skimming? I'm usually pretty good about covering my PIN and using ATMs that are familiar so I can spot skimming equipment. Is it full-on identity theft? Or is it more likely to be one of the hundred other ways someone could get my card info?

Mostly I want to know how they're doing it so I can protect myself better. I'm at a bit of a loss, and not using a credit/debit card isn't really an option. Any ideas besides going back to bartering?
posted by Ookseer to Work & Money (12 answers total) 1 user marked this as a favorite

This isn't really that big of a deal, and not something you particularly need to "protect" yourself from; your bank is quite used to dealing with it and getting you all your money back, etc.

If you're worried about not having access to your money when you need it, get a backup credit card or bank account.
posted by trevyn at 9:30 PM on September 24, 2011 [1 favorite]

Have you asked your bank this question? Sounds like you are already doing everything reasonable. Maybe there is some sort of known scam going on. Fwiw, I change my PIN monthly, I use gift cards as often as I can online and I shred all receipts.
posted by JohnnyGunn at 9:34 PM on September 24, 2011

It's improbable to have your card skimmed once. It's extremely improbable to have it skimmed twice. The most likely explanation is that your numbers are being stolen from some place that you frequent either in real life or possibly on an internet site. Your numbers can be taken from a disreputable site and then used to create a real life card.

Do you frequent small bodega type foodmarts and use your card there? Stop doing that.
Porn sites? Russian download sites? Russian anything sites for that matter... Need I say more?

Skimmers can be very deceptive - very difficult to recognize. Your best (but not foolproof) defense would be to get a good grip on the reader mechanism beforehand and give it a good tug or two to see if it loosens prior to inserting your card. Of course this is impossible if your favorite third world restaurant server is skimming the card that you gave to him to pay for dinner. Such a skimmer could fit into his palm and he could skim your card before he runs it for real.

Again, some place that you frequent (likely in real life unless you use the card for porn sites) is likely skimming your card. It's very unlikely that this should happen to someone twice.
posted by Poet_Lariat at 9:37 PM on September 24, 2011 [2 favorites]

Do you ever use your debit card in a non-ATM capacity?
posted by jangie at 9:37 PM on September 24, 2011

Seconding trevyn. You're not doing anything wrong; probably an online retailer you've used in the past got hacked, and your credit card info was stolen along with 1,500,000 others. Just be vigilant about watching for fraudulent charges on your statement and report them immediately.

And yeah... never use a debit card as a credit card. Better yet, never use a debit card at all.
posted by qxntpqbbbqxl at 9:41 PM on September 24, 2011 [1 favorite]

I'm guessing these guys aren't complete amateurs since they're using POS, they must have made up a real physical card.

Is it still rung up as POS if you can enter the card # plus the 3-digit number on the back? (I would think so, that's how you enter it at a POS machine if the card won't swipe.)
posted by desuetude at 9:44 PM on September 24, 2011

You may be looking for skimming equipment when you use it at an atm, but are you handing your card to a waiter who carries it off to a register out of your line of sight? Using it at a store where you hand it over the counter and they slide it for you? Anytime your card is in the hands of another person, you have the chance of getting it stolen.

And please note that you do not need the physical card to use it in all POS systems. The company I work for has a POS system that does not ask for the CVV2 code. Rather, it asks "Is the card present? Y/N?" There is no verification if you just hit yes.

I have found that most times there is a separate credit card terminal (not part of the register but a separate machine to the side), that they will not ask for any sort of verification. The system works by assuming the honesty of the operator.
posted by aristan at 10:40 PM on September 24, 2011

My bank asked me to open a second checking/savings account for my ATM card, so that when it's skimmed my payroll deposit is unaffected by the mandatory 28-day lock on the account after a debit card fraud report. This is not particularly comforting, but does what it says on the carton.
posted by crysflame at 11:43 PM on September 24, 2011

My bank sent me a new card recently, telling me that their data along with that of two other very large banks had been hacked in some way. They didn't specify and we had no losses but we've had a card skimmed once and the number stolen somehow we never figured out once as well. I think your meticulous weekly check is one of the best protections you've got.
posted by leslies at 5:33 AM on September 25, 2011

I have a credit card which is used for one thing only, it is automatically credited to replenish my toll tag account for the Very Long Toll Bridge I commute across. The card itself sits in a safe at home and I never use it for anything else. And it has been fraud-alerted and reissued at least four times in the last five years.
posted by localroger at 7:53 AM on September 25, 2011

Check your MeMail.
posted by essexjan at 8:49 AM on September 25, 2011

It is much more likely the numbers are getting randomly generated and cloned onto cards. The first four digits are knowable (they are like routing numbers on checks, linked to the bank), and the rest of the numbers can be autogenerated. There are rules for check digits and whatnot, so valid-ish numbers are trivial to come up with. Burn that into the magstripe, and head to your local big box and try a couple. If one works, great. If one doesn't, they just say "jeez, that one has been giving me trouble. Try this one instead."

All I would recommend is along the lines of what crysflame suggests, have multiple cards and accounts that you can access if one cuts off. If you are particularly security conscious, have your "real" checking account in an account that doesn't have any debit card linked to it so that there is no way anyone can dip into it.
posted by gjc at 9:40 AM on September 25, 2011
