How is non-stolen offline credit card fraud possible?
June 10, 2014 12:14 AM Subscribe
I just got notified about suspicious credit card activity that is indeed not me. Talked to my bank and all is good. But what boggles me is how this even happened. I have my credit card with me right now (not stolen/lost). The purchases that were made also seem to have required a physical card (gas station, fast food restaurant, home supplies store, etc.).
So how was it even possible for the fraudster to make physical purchases without an actual card? As far as I know, whenever you make a purchase offline, you have to swipe a physical card, correct? I am bewildered and now highly paranoid. I just want to know so I can be more aware and hopefully prevent something like this from happening again.
Yeah, scammers attach devices to ATMs that read and copy (skim) card details, and card skimmers can be used by anyone who has hold of your card for a few moments (e.g. if you give it to a waiter who then goes off to get the card machine and sneakily skims your CC while you're not looking).
posted by EndsOfInvention at 12:34 AM on June 10, 2014
posted by EndsOfInvention at 12:34 AM on June 10, 2014
Response by poster: So after they skim the card, they can take that info and put it on a new fake card? Cashiers don't notice?
posted by pockimidget at 1:04 AM on June 10, 2014
posted by pockimidget at 1:04 AM on June 10, 2014
Best answer: Doesn't even have to be attached to an ATM. Every hand your credit card to a waiter or barmaid? You can buy a device smaller than a pack of cigarettes that will clone it. Quick swipe and that stranger has your details.
As the article points out, they have no problem printing cards that look just like the real thing.
American style swipe + sign cards are ridiculously insecure. It's the electronic equivalent of "I promise I'm not looking." Banks haven't really cared until recently because the fraud was generally low compared to the volume of legitimate purchases. Easy to eat the cost. But with high profile breaks like Target they're finally rolling out new technology.
Chip + PIN should make this much more secure. At least until the hackers figure a way to break it... but that will hopefully be more than a couple years away.
posted by sbutler at 1:23 AM on June 10, 2014 [3 favorites]
As the article points out, they have no problem printing cards that look just like the real thing.
American style swipe + sign cards are ridiculously insecure. It's the electronic equivalent of "I promise I'm not looking." Banks haven't really cared until recently because the fraud was generally low compared to the volume of legitimate purchases. Easy to eat the cost. But with high profile breaks like Target they're finally rolling out new technology.
Chip + PIN should make this much more secure. At least until the hackers figure a way to break it... but that will hopefully be more than a couple years away.
posted by sbutler at 1:23 AM on June 10, 2014 [3 favorites]
Best answer: In order to speed up payment processing a transaction can be processed off-line where the terminal does not dial out for an authorisation.
There are a number of reasons why this would happen but the most common one is that the payment amount is below the floor limit agreed by the merchant and their bank (the acquirer)
Basically your card was cloned and the merchant took the risk on the payment because it was so low. The terminal never checked with your payments processor (eg. Visa or MasterCard) who maintain a list of lost and stolen cards nor did it go to your bank for them to decline the transaction.
posted by mr_silver at 1:44 AM on June 10, 2014 [2 favorites]
There are a number of reasons why this would happen but the most common one is that the payment amount is below the floor limit agreed by the merchant and their bank (the acquirer)
Basically your card was cloned and the merchant took the risk on the payment because it was so low. The terminal never checked with your payments processor (eg. Visa or MasterCard) who maintain a list of lost and stolen cards nor did it go to your bank for them to decline the transaction.
posted by mr_silver at 1:44 AM on June 10, 2014 [2 favorites]
So after they skim the card, they can take that info and put it on a new fake card? Cashiers don't notice?
Yes, they program the details of your card onto a blank one, making a clone. The cashier wouldn't notice as the card would look like a regular credit card.
posted by EndsOfInvention at 3:06 AM on June 10, 2014 [1 favorite]
Yes, they program the details of your card onto a blank one, making a clone. The cashier wouldn't notice as the card would look like a regular credit card.
posted by EndsOfInvention at 3:06 AM on June 10, 2014 [1 favorite]
Best answer: Chip + PIN should make this much more secure. At least until the hackers figure a way to break it... but that will hopefully be more than a couple years away.
The ATM skimmers commonly have a camera on to video you entering your PIN - so covering the keypad with your hand while you enter the PIN is a good idea.
posted by EndsOfInvention at 3:07 AM on June 10, 2014 [1 favorite]
The ATM skimmers commonly have a camera on to video you entering your PIN - so covering the keypad with your hand while you enter the PIN is a good idea.
posted by EndsOfInvention at 3:07 AM on June 10, 2014 [1 favorite]
So after they skim the card, they can take that info and put it on a new fake card? Cashiers don't notice?
As long as it looks even remotely like a real credit card the cashier is most likely not going to care. In the last dozen or so years I've either written "see ID" or not even signed the back of my CC, and can count the number of times I've actually been asked for ID on one hand.
posted by mcrandello at 4:00 AM on June 10, 2014
As long as it looks even remotely like a real credit card the cashier is most likely not going to care. In the last dozen or so years I've either written "see ID" or not even signed the back of my CC, and can count the number of times I've actually been asked for ID on one hand.
posted by mcrandello at 4:00 AM on June 10, 2014
You can generally enter the credit card number on the keypad if the card won't scan. I had my card "stolen" when I ordered some flowers at an out-of-town florist and gave my credit card details over the phone. The florist's assistant (some part-time kid) wrote down the number and wrote himself a copy and he and his friends went to a bunch of other stores where their friends worked and bought cigarettes and liquor and so forth, and let a cab driver they knew run up a few fake cab ride receipts.
Extremely low-tech, and they managed to charge quite a bit in 18 hours before they went to the smoke shop and my credit card issuer went, "Wait ... you don't smoke!" and gave me the fraud alert.
posted by Eyebrows McGee at 5:29 AM on June 10, 2014 [2 favorites]
Extremely low-tech, and they managed to charge quite a bit in 18 hours before they went to the smoke shop and my credit card issuer went, "Wait ... you don't smoke!" and gave me the fraud alert.
posted by Eyebrows McGee at 5:29 AM on June 10, 2014 [2 favorites]
gas station, fast food restaurant, home supplies store
I've also seen all of those types of places have a setup where the customer would swipe their own card.
posted by Nonsteroidal Anti-Inflammatory Drug at 6:29 AM on June 10, 2014
I've also seen all of those types of places have a setup where the customer would swipe their own card.
posted by Nonsteroidal Anti-Inflammatory Drug at 6:29 AM on June 10, 2014
Not everyone asks for the code on the back of the card, either, which may or may not have been on the back of the dupe card.
The best things you can do to protect yourself are (1) always use a credit card rather than a debit card, as it adds some legal protection and puts a layer between the thief and your bank account (2) choose a credit card provider who is very vigilant about fraud monitoring.
Even with those measures in place, it's likely to happen again. There are plenty of other things over which to cultivate healthy paranoia.
posted by gnomeloaf at 6:58 AM on June 10, 2014
The best things you can do to protect yourself are (1) always use a credit card rather than a debit card, as it adds some legal protection and puts a layer between the thief and your bank account (2) choose a credit card provider who is very vigilant about fraud monitoring.
Even with those measures in place, it's likely to happen again. There are plenty of other things over which to cultivate healthy paranoia.
posted by gnomeloaf at 6:58 AM on June 10, 2014
Chip + PIN should make this much more secure. At least until the hackers figure a way to break it... but that will hopefully be more than a couple years away.
I have some bad news for you.
posted by toomuchpete at 8:16 AM on June 10, 2014
I have some bad news for you.
posted by toomuchpete at 8:16 AM on June 10, 2014
Best answer: If you're really interested in the details of this underworld of credit card fraud, I suggest reading Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground which outlines in nitpicky detail how a lot of this works. What machines people buy, how they trade in stolen card numbers, etc. The best things you can do are
- use credit not debit
- keep an eye on your credit card statements regularly as they go, not just monthly when the bills come in
posted by jessamyn at 8:26 AM on June 10, 2014 [3 favorites]
- use credit not debit
- keep an eye on your credit card statements regularly as they go, not just monthly when the bills come in
posted by jessamyn at 8:26 AM on June 10, 2014 [3 favorites]
Fake cloned card, where they swipe it themselves. If you notice at some stores they take your card and punch in the last 4 digits embossed on the front to check that the mag stripe data matches the card.
posted by TheAdamist at 8:30 AM on June 10, 2014
posted by TheAdamist at 8:30 AM on June 10, 2014
Cloned card is the likely scenario, but then there's also insider information theft.
posted by randomkeystrike at 11:41 AM on June 10, 2014
posted by randomkeystrike at 11:41 AM on June 10, 2014
@toomuchpete: I believe I've read that white paper the article is referencing. Couple things:
1. It requires quite a bit of hardware at the moment.
2. It requires the original card itself.
3. Changes in software from the card issuers could close the hole (by verifying that the terminal and card both saw the same user verification method); hopefully future versions do.
I'll still take that any day over the current American situation. It's a far cry from a card cloner that fits in your hand.
posted by sbutler at 9:48 PM on June 10, 2014
1. It requires quite a bit of hardware at the moment.
2. It requires the original card itself.
3. Changes in software from the card issuers could close the hole (by verifying that the terminal and card both saw the same user verification method); hopefully future versions do.
I'll still take that any day over the current American situation. It's a far cry from a card cloner that fits in your hand.
posted by sbutler at 9:48 PM on June 10, 2014
Response by poster: Thanks everyone for your enlightening answers! I had no idea it was that simple to get my card hacked without even losing it... And good to know it wasn't necessarily because I did something stupid! Thanks!
posted by pockimidget at 12:29 PM on June 14, 2014
posted by pockimidget at 12:29 PM on June 14, 2014
« Older Square Pin in Round Hole (which happens to be my... | Working for Redfin as a Real Estate Agent Newer »
This thread is closed to new comments.
posted by taff at 12:17 AM on June 10, 2014 [2 favorites]