Visa card compromised

Well isn’t this just ducky. Somehow our Visa card got compromised and some asshole in Yonkers New York got $3000 from the Citibank there and made a couple of much smaller charges at a food store and a GameTown store.

The card is canceled and we are supposed to get a new one via FedEx tomorrow.
We have no idea how the turd got the number. Our on-line purchases are made using a virtual number that can only be used once and only for the amount we set.

In the old days, before the magnetic stripes were used, the card was run through a little machine that used the raised number to print the number on the receipt. An expired card could be pressed flat with a heated plate and a stolen number embossed on it. That happened to a guy that worked for me with his company American Express card.

So how do they do it nowadays? Do they somehow get the info on the stripe of an old card?

Could have been a skimmer at a gas station, ATM, restaurant. Or even simpler, someone may have just read the number.
Sitting right next to me, just about 2 feet away from my head, I have thousands of credit card numbers, with expiration dates (and signatures, not that it matters). It would be trivial for me to just grab a random one and use it online if I wanted to or if I was the criminal type, I could sell the stack of receipts to someone that made fake credit cards in some other state (but that would probably get tracked back to me pretty quickly).

But, it’s my understanding that skimmers are the most common way now. You slide your card into an ATM or gas pump and don’t realize that someone mounted a skimmer on the pump (or the waitress is holding a skimmer and records it on the way back to the terminal). Someone, somewhere else, programs the number onto a different credit card.

My credit card machine, after you swipe the card, says something like “Are the last 4 digits 2536” specifically to make sure the card hasn’t been reprogrammed (the display shows the last 4 digits on the mag stripe, you compare it to the last 4 embossed digits). But most people don’t check, they just hit yes.

Here’s a skimmer, they’re almost unnoticeable. Especially if you’re not familiar with the ATM/pump. It goes with the camera so the person can recover your PIN.

Thanks.
I am familiar with the skimmers and I don’t think that is how they got the number.

In any case, with the number, I don’t know how they get the number into a card so they can use it.

With the proper hardware and a computer, it’s simple. Just like when you go to a hotel and they make you a new keycard.

A lot of cards aren’t even embossed these days, they’re just printed. So with a card printer, you can print the proper front on the card to match the encoded data on the magnetic strip. Certainly good enough to fool most of the people most of the time.

I meant to say getting the correct info into the magnetic stripe on the card. Are the assholes sophisticated enough now to do that?

These are nothing new.
The trick is probably going to be knowing which one to buy so it writes to the correct tracks and IIRC, you need one that also erases (but I could be wrong on that).

Yep, that’s what I was talking about too. Not at all difficult to do. You could carry around all the stuff to do it in a backpack.

I guess I am pretty naive about this.
I looked at the Fed web site that has info on credit card fraud and they don’t really have much info about what the bad guys’ capabilities are.

Google turned up a couple of web sites that looked like places where the bad guys go but I didn’t look at them.

Does anyone know of a web site that I could look at to educate myself?

The problem with that, is it would give information to new bad guys. Go to your bank and sit across the desk from someone who is well versed in that information.

In Canada, the merchant no longer ever sees the card. He gives you the machine (mobile if it is a waiter), you stick it in, agree to the amount the merchant or waiter has entered, you may be given the chance to add a tip, you enter the PIN and, when the machine tells you to, you remove the card. No skimming is possible. On the other hand, if a cracker breaks into the CC site…

Now that is a good idea. I hope they start doing that here.

I don’t know your actual situation, but one way they could have gotten your CC number is that you went to an actual store (say, the grocery store), paid with your credit card, and the store kept a record of that on their computer. Then bad guy got into store’s computer and read the stored CC numbers. Nothing you could have done about that of course.
Theoretically, in most cases, the store is supposed to tell you if they know the bad guy might have read your CC number, but I’m not sure that really happens all that often.

As far as making fake cards, that’s easy. Just take any old card, and with fairly inexpensive hardware re-write the number on the magnetic strip. What are the chances a cashier even looks at the card, and even then what are the chances they notice the CC number on the receipt is different from the number on the card?
Of course, the bad guys are buying on line, they don’t even need to make a fake card.

Unholy mother of coitus!!!

I’m fairly certain (eidetic memory) that my local bank’s ATM had a skimmer on it last time I used it - I see the bit in that pic on the right that holds the skimmer and it didn’t stand out to me until now!

I’m going to contact my bank and have a new debit card issued. Bastages.

yea, in the pic note the camera as a chunk on the top left.
In Canada, some ATMs have a row of blinking LEDs around the feed slot. This makes it a bit more obvious if something is covering the slot.

There was a problem a while ago where the bastages were going around swapping the debit card units. They would steal one from a place like McD’s, insert a card reader into the device (including a way to read the keystrokes). The extra pieces would be built into the device, so it looked the same as before. They would then go to a store that used the same model of reader, during a not-busy time, distract the help and swap readers. A few days or weeks later, return and download what had been captured - mag stripe and keypad info. McDonalds has issued warnings about this to staff several times in the last decade.

The only way to figure out the problem would be to either catch the skimmer unit in place, or for the card people to see a pattern - “look, all these people who were scammed did a transaction at XXX”. That latter is the hardest part of “getting away with it” for crooks. Stock shrinkage software is very good at correlating losses with location or even particular shift patterns at particular locations, if the waitress or salesperson is skimming.

Note too, for online purchases, merchants need the security code. IIRC from a recent thread, this is NOT on the stripe info, and merchants are forbidden by the card companies from retaining this number; so if the user has the correct number, they obviously eyeballed the card or seriously compromised a site that used the code.
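Added example (not part of the thread, and not any card issuer's actual method): a small sketch of the pattern-spotting described in the post above, ranking merchants by how over-represented they are among defrauded cards compared with clean ones. The card IDs, merchant names, day numbers and the `common_points_of_purchase` function are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (card, merchant, day number of the transaction).
TRANSACTIONS = [
    ("c1", "Pump-17", 3), ("c1", "Grocery-A", 5),
    ("c2", "Pump-17", 4), ("c2", "Grocery-A", 6),
    ("c3", "Pump-17", 4), ("c3", "Grocery-A", 7), ("c3", "Diner-9", 8),
    ("c4", "Pump-17", 6), ("c4", "Grocery-A", 40),  # day 40 is after the fraud
    ("c5", "Grocery-A", 2), ("c5", "Diner-9", 9),
    ("c6", "Grocery-A", 3),
    ("c7", "Grocery-A", 7), ("c7", "Pump-17", 20),
    ("c8", "Grocery-A", 9), ("c8", "Diner-9", 10),
]
# Constructed: day on which each card's first fraudulent charge appeared.
FRAUD_FIRST_SEEN = {"c1": 34, "c2": 35, "c3": 36, "c4": 35}


def common_points_of_purchase(transactions, fraud_first_seen, min_fraud_cards=2):
    """Return (merchant, defrauded_cards_seen, lift), highest lift first.

    lift = share of defrauded cards that used the merchant before their first
    fraudulent charge, divided by the share of clean cards that used it.
    A busy store everyone visits scores near 1; a skimmed terminal scores high.
    """
    fraud_at = defaultdict(set)
    clean_at = defaultdict(set)
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        if card in fraud_first_seen:
            # Only visits before the fraud can be where the number leaked.
            if day < fraud_first_seen[card]:
                fraud_at[merchant].add(card)
        else:
            clean_at[merchant].add(card)
    n_fraud = len(fraud_first_seen)
    n_clean = len(all_cards - set(fraud_first_seen))
    floor = 1 / (n_clean + 1)  # avoids dividing by zero when no clean card visited
    ranked = []
    for merchant, hit in fraud_at.items():
        if len(hit) < min_fraud_cards:
            continue  # a single shared merchant is coincidence, not a pattern
        fraud_rate = len(hit) / n_fraud
        clean_rate = max(len(clean_at[merchant]) / n_clean if n_clean else 0.0, floor)
        ranked.append((merchant, len(hit), round(fraud_rate / clean_rate, 2)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FRAUD_FIRST_SEEN):
        print(row)
```
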

Wouldn’t the cameras on ATM machines deter the installation of skimmers?

Okay, we got our new cards via FedEx today and can now access our account history.
Although we live full time in our motor home and use our cards all over the US, we have been in our new summer home in western CO all summer. (A couple of blood clots in my right leg kept us grounded.)

We use this card for almost everything and pay it off in full each month. The only places we had used it for a month or so before the fraudulent charges were local stores and my dentist. So we probably won’t ever know how they got the number.

Regarding on-line purchases; We use a credit card service called Shopsafe provided by Bank of America which issues a virtual number that can only be used once and then only for the maximum amount I set. I think CitiBank is the only other bank that offers a similar service. In any case that offers some protection for on-line purchases.

I guess other than watching for skimmers and trying to be careful about letting your card out of your sight (like in a restaurant) there isn’t any way to be 100% safe - other than paying cash for everything.
Checks should be pretty safe, but we travel a lot and using out-of-town checks can be problematic in most places.

Heck that kid in Terminator 2 was doing it from stuff in his backpack, and that was, what, 1991? The technology has to be ten times better now.

And that skimmer picture posted up-thread, skimmers can be made much, much smaller now-- they’re particularly nefarious on gas pumps because, while your bank always uses the exact same model of ATM (and thus you can easily learn what to look for), gas stations use dozens of models of card readers, so you encounter a different one each week with no way of knowing if it looks “correct” or has a skimmer on it.

The perps could install a skimmer wearing a hoodie or mask, during off hours; after all, who reviews those tapes unless there’s a problem or complaint? If the device is not caught within two weeks, it’s possible the pictures will be overwritten. (Another reason to hold the data for a month or two before using; install skimmer, come back a day or two later, wait a month before using the data, and any record of you installing it will be gone).

The real solution is to switch from mag stripe to the security chip embedded in the card. That raises the tech bar a lot, lot higher. Europe has done this for a long time. Canada started using it for some transactions now… but there are a lot of ATMs out there and until they are all switched it will be a problem.

It might (might) allow the bank to trace back to when the skimmer was installed and get an ID on who did it.

I’m guessing what happens in actuality is the skimmer is installed at 3:00 AM with nobody around by some guy in a balaclava, nobody notices until days later and by that time they find either that the face doesn’t show up in the footage, or it’s been erased altogether (they record-over the tapes/disk if nothing unusual was reported.)

EDIT: You won’t see skimmers on ATMs in highly trafficked areas, BTW, probably because if there’s people around at all hours of the day that is a deterrent. But smaller cities or ATMs in relatively remote locations go 8-10 hours a day without anybody using them. In my town, even the ATM attached to the bank would be easy to hit at 3:00 AM, it’s in a parking lot well off the street and there’s not nearly enough police presence to make getting caught likely.

These days, with credit/debit cards used so often, it may be hard to track down the source of the criminal action. I’ve only had one experience with a card being compromised, years ago, and it was easy to point the finger, since I only used that card once, ever, and I knew exactly where and when that was (Diner’s Club, Chicago O’Hare Hertz rental counter and I had the date and exact time). I left it up to the card company to handle it.