No, I'm not in Mexico! (Debit card)

I have a bank account set aside for my sister and BIL. Tonight I got a call from the credit union’s security representative asking if I’d used the card at a gas station ($20.02) and a bus station ($54.59) in Zapopan, MX. Nope! The BIL said the last place he used the card was for fuel in Lemon Grove, CA.

Since he had the card in his possession, how could it have been stolen? I’m guessing the fuel pump had a – what are they called? Those devices that read card information surreptitiously? – and it recorded the card number and PIN and a new card was made in Mexico.

Anyway, there’s a permanent hold on the card, and I’ll have to order a new one in the morning. But I’m curious as to how the card was ‘stolen’.

The twerp who copied my father’s credit card used a very simple device: binoculars. We know this because the thief was caught somewhere in New England and told the police his method. Now Dad goes into the store to pay.

ETA: Forgot to mention the name of the device the OP described. It’s a skimmer.

All that is required to steal the card is the face number and the PIN. Apparently, the actual stripe data isn’t strictly necessary, and can be derived or otherwise faked.

Any merchant the BIL gave the card to, and any physical reader they used since the card was issued (probably several years, right?) could have stolen this information. Or, if you used it online, your computer could have been compromised, or any of the servers you gave the card to had been compromised.

In short, it’s Mickey Mouse security. It will always remain trivial to steal credit and debit cards so long as the only thing that must be stolen is a 16 digit number, an expiration date, and a 4 digit number. Even the PIN is apparently not always necessary because certain PINs are used far more often than others so guessing works as a strategy.

Someone could have broken into any store, anywhere, that your BIL used, opened the plastic casing of the credit card reader, and installed a sniffer.

Or hacked into the Windows PC that many stores used to hold that data.

Or gotten it off receipts in the trash - I’ve worked for stores that printed the entire number onto receipts.

Or put a skimmer on the outside of the gas pump.

Or the inside of the gas pump.

Or compromised the bank itself (much less likely than the above though)

Apparently, there is a never-ending supply of these numbers being stolen, all the time, such that the black market price for a crook to purchase some stolen card numbers is a buck a card or so. I think this low price indicates that the limitation is not stealing credit card numbers, but of crooks ballsy enough to use them.

The fix for this is to go to cards where an internal chip generates a unique number for each transaction, checked against a computer the bank keeps secure that has the other half of the cryptographic key the chip uses.

This has been in common use in Europe for many years. This reduces the surface area you need to defend. With chip and PIN, you merely need the card holders to make sure they still have physical possession of the card (and report it when they lose it), and for the banks to secure the one computer that actually stores the other half of the cryptographic keys.

The US is mandating chip and pin credit cards by October 2015. However, while the cards will be required, the technology will not. The US is sticking with signatures. The fraud will continue.

Well Chip and Pin are more secure except for this flaw which apparently lets someone walk close enough to you and get a “valid” transaction for 999,999.99

If you notice, though, most of the security flaws are using the cards in a way that is not the intended main path.

This bug is for foreign currency transactions, conducted offline (aka without realtime communication with the bank). Individual banks could simply refuse to honor any such transactions.

There’s another issue that these chip and pin cards can still be used like a regular credit card, and swiped as usual. Again, the banks could stop honoring this type of transaction.

But, yes. They don’t reduce fraud to zero. It’s a huge drop, however.

With the new RFID cards, a person with an RFID card reader can “read” the card while it’s still in your wallet. All they have to do is get next to you. These types of cards should be kept in a sleeve with a protective shield.

Did the bank security guy also ask you to verify your card number by reading it back to him? And verify your address and date of birth? And verify your name and address? Did he ask you to tell him your PIN?

Negative. I told the guy I’d call him back, which I did after speaking with the BIL. The woman just said that fraud had occurred, she’s putting a permanent hold on the card ending with [last four digits], and I would have to contact the credit union in the morning to request a new card.

They’re pretty good about catching things. I get a call a year when my sister uses the card, and they caught fraud when my dad (who had TBI) was being scammed. They returned the money that had been scammed from him.

Chip and Pin is not totally secure but a lot better than signatures. In the UK, the biggest problem now is the card-not-present purchases where the chip has no part to play. Many suppliers (Amazon for one) make extra checks when the delivery address is different to the billing address, but not all do this.

The problem with contactless cards has now been dealt with and in any case they only work for relatively small amounts. You can buy a coffee and a doughnut, or even a book, but not a TV or a washing machine.

In European cities, the CC scammers specifically target Americans because they know that in most cases they are carrying easily cloned cards (no binoculars needed for the PIN - just a tiny camera above the keypad) and they are away from home and probably won’t discover the fraud until they get back off holiday.

I suggest that one of the best defences is frequent checks on transactions at your bank and your CC company. It takes only a couple of minutes online and you will soon spot any fraud.

The chip and pin cards we have in Canada are not RFID and cannot be read remotely. The merchant never actually holds the card, although I guess the terminal could record things. But if a new password is generated on the spot, then it ought to be secure. My transit pass could be remotely read, but it rarely has more than $20 on it and is probably not worth the effort to steal. If we get RFID cards, we will need tin-foil lined wallets to go with our tin-foil hats.

There are already plenty of wallets for sale containing an RFID shield. Save the foil for the hats. :wink:

The incidents described in this thread are why I never use a debit card for purchases. Only credit. If something screws up, I want it to be with someone else’s money, not mine.

My passport card came with a foil-lined security envelope.

Here is an interesting thread on this subject. As usual, it looks like the US is taking its own path even when it is doing what everyone else is doing…

My recent (Canadian) credit and debit cards came with PayWave. Along with the very secure Chip and Pin was the ability to wave the card over a reader and make a purchase, with NO WAY TO TURN THIS OFF. Unsecured purchases by waving the card, up to $100. I had to resort to using an LED light to trace the antenna for the PayWave and cutting it in multiple places. (Antenna is induction power for chip and way to communicate with reader.) This did not disable the chip for insert, just for PayWave. Simply score the card on the back deep enough to cut the embedded metal traces.

The TD bank also sent me a new debit card with the added ability to be processed as a Visa card for foreign or online purchases - brilliant, in the situation where the most fraud occurs, online remote purchases, allow anyone who can get my card number to remove money from my bank account. Needless to say, they are no longer my bank.

A large number of Chip machines here still don’t work with American Express.

As I understand it, the USA is moving to Chip and Pin; the incentive is that by the end of 2015 (2016?) any merchant not using Chip and Pin will be responsible for any disputed charges on the card.
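
The per-transaction number from the chip, described earlier in the thread, sketched as an added example that is not part of any post: a simplified model in which the card and the bank share one secret key and HMAC-SHA256 stands in for the card's real algorithm. The class names, key, merchants and the way the amounts are used are constructed for illustration.

```python
import hashlib
import hmac

# Simplified model: HMAC-SHA256 stands in for the card's real cryptogram
# algorithm. All names and values below are constructed for illustration.
CARD_KEY = b"constructed-demo-key-not-a-real-card-key"

class Chip:
    """Card side: holds a secret key and a counter that only goes up."""
    def __init__(self, key):
        self._key = key
        self.counter = 0

    def authorize(self, amount_cents, merchant):
        self.counter += 1
        msg = f"{self.counter}|{amount_cents}|{merchant}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"counter": self.counter, "amount": amount_cents,
                "merchant": merchant, "tag": tag}

class Issuer:
    """Bank side: holds the same key and remembers the highest counter seen."""
    def __init__(self, key):
        self._key = key
        self.last_counter = 0

    def verify(self, txn):
        msg = f"{txn['counter']}|{txn['amount']}|{txn['merchant']}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["tag"]):
            return "declined: bad cryptogram"
        if txn["counter"] <= self.last_counter:
            return "declined: replayed counter"
        self.last_counter = txn["counter"]
        return "approved"

def demo():
    chip, bank = Chip(CARD_KEY), Issuer(CARD_KEY)
    fuel = chip.authorize(2002, "fuel pump")       # genuine purchase
    results = [bank.verify(fuel)]
    results.append(bank.verify(dict(fuel)))        # skimmed copy, replayed as-is
    altered = dict(fuel, amount=5459, counter=2)   # skimmed copy, fields edited
    results.append(bank.verify(altered))
    results.append(bank.verify(chip.authorize(5459, "bus station")))
    return results

if __name__ == "__main__":
    print(demo())
```

A recorded transaction is declined whether it is replayed unchanged or edited, because the copied data contains only the output of the key, never the key itself; a magnetic stripe has no such per-transaction value.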