Why isn't credit card info stolen more often?

I frequently order stuff from a variety of online companies, and some of them are small outfits. Each time I provide my name, credit card number, expiration date, and security code. Yet after doing this for many years, no one at any of these companies has stolen my CC info. Same goes for restaurants.

Stealing the info would seem so easy to do. At the very least they could sell the info to someone else. So why doesn’t it happen more often? Or am I just lucky?

There are two different ways to use a credit card. One is in person where you have to swipe or insert the card so its chip can be read, and the other is online or by phone where you can’t do that, but you usually need to give the three digit code on the back.

Making a fake card that can duplicate the swipe or chip read is difficult. Just giving the number and 3 digit code fraudulently is easy, but you also need to give an address to send the stuff to – that is pretty easy to track. Some on line places will even verify that the address you give is the one linked to the credit card. At least I assume that is true as I have a problem sometimes because my CC bills go to a post office box which is often not the address I what something chipped to.

How about because most people are honest and trustworthy? I’ve worked in retail before where the stealing of small amounts of cash or merchandise would be pretty easy to do… but I didn’t do it because I didn’t want to get fired, and it wasn’t worth the risk… oh, and it’s wrong.

That’s not entirely true, there’s also online ordering where the data is sent to the business over the internet [encrypted]. The business then punches it into a machine to run it. In those cases, not that you know from your end that it’s happening, it simply comes down to the business not wanting to steal it. I have, probably tens of thousands of full credit card numbers, along with their expiration date and in some cases the CVV and their address. I’m just not going to walk off with them.

As for needing the code on the back, next time you use your credit card over the phone or internet, give them the wrong number and see what happens. The card will typically go through, but it will tell the merchant it was incorrect. It’s then up to the merchant to do what they want with that information (with either a person or a computer making the decision). The same goes for the address and zip code not matching.

Now, if the month on the expiration is incorrect, the card will get declined, however, the year can be wrong.
IOW, there are times when you enter your info on a website, but it’s still manually entered by a person (with full access to it) on the other end.

It’s already been established that most people aren’t crooks, but the next question is why aren’t more crooks stealing credit card info?

My guess would be because it’s a hassle to make money and avoid being caught. You have to order stuff and have it delivered somewhere you can pick it up without your pickup being noticed or recorded. You have to avoid stealing the info in a way that could lead to you being caught. Or if you just pass the info off to someone else, you need connections that are willing to buy stolen credit card info and won’t turn you in.

I seem to recall reading some article that said that when credit card fraudsters sell stolen credit card numbers to each other, the value of any one number is only a few pennies.

Which makes sense if you think about it. As was mentioned above, what can you do with a stolen credit card number? Buy some stuff and have it delivered somewhere, then fence the goods. That sounds like actual work. And it’s limited by your ability to pick up the goods and resell them. Or you could order stuff for your own use, I guess. But if you had ten times as many stolen credit card numbers you wouldn’t be able to steal ten times as much stuff, because the limiting factor isn’t the stolen credit card number, it’s the logistics of how you use the stolen numbers.

So I can imagine a credit card fraudster who routinely uses stolen credit card numbers. He has lists of thousands of them, but only uses a handful of them at a time, and once the number is used for one crime it’s thrown away. The marginal utility of any one stolen credit card number is pretty low.

Credit card info is stolen pretty often. Here’s a (partial) list of recent large breaches. Smaller breaches probably happen even more often.

krebsonsecurity.com is a good source for news about the security of credit card (and other) data, breaches, and how this information is sold and trafficked.

Credit card processors have also gotten better over the years at finding attempted fraudulent transactions, so the impact to any one person may be minor.

Maybe the more interesting question is “Why isn’t credit card info stolen LESS often?”, as in why they don’t improve security/authentication so that credit card theft can’t happen? Even with the new chips, for example, the USA still uses a far less secure pinless system.

Maybe that’s illuminating enough on its own… even the credit card companies themselves consider the risk of fraud to be so low that it’s preferable to just absorb them as a cost of doing business rather than to make it less convenient for the financially unsavvy buyers paying them double-digit interests :frowning: Moving to chips gives them an excuse to offload fraud costs to individual merchants, but beyond that, they don’t really seem to care.

Often these transactions are handled by a secure third party for the online company, and the small outfit never actually sees your CC#. These “payment processors” are audited and secured in a way to minimize the possibility of your number being stolen.

I do believe I said that. Bolding added.

In most online transactions, the processing is done by a third party merchant. For example, if you buy something from a website, your credit card may be processed by stripe . com. The merchant gets an email that they have a new order and an email saying the payment went through. They’ll receive your payment without ever seeing your credit card number (or even having access to it AFAIK). This is different than the a human running an online store receiving your credit card number and entering it into a terminal.

In the former, the store owner likely can’t steal or lose your credit card number, in the latter, they can. I don’t think most people imagine their PAN being printed out, walked over to a physical CC machine, punched in, then (hopefully) destroyed.

Also, as the person who takes care of the day to day CC needs of my business, I have access to your CC number even if you swipe your card and it never leaves your possession.

Getting back to the OP, I think it’s more of a case of confirmation bias and luck. Some random websites I looked at show nearly 50% of people having some kind of fraudulent activity on their credit cards. That, IMO is quite high. But, like you [OP], in the 20 years I’ve had credit cards, I never had any fraudulent until just recently (and my CC company didn’t even process the payment, or at least they never passed the charge on to me.

Side note - it is extremely simple to write credit card data onto a magstripe card. Fargo makes card printers that can produce a printed card (like employee ID cards) for a couple of hundred dollars; and you can buy magnetic stripe blanks. Embossing can also be done in any small shop that has the equipment. Chip cards - not so easy. Apparently the newest trick is to take an old expired card with a chip, and then fry the chip so it doesn’t work. heat the card to remove the embossing and emboss with new fraudulent information, rewrite the stripe. Then when presented to a merchant, the chip will fail and the merchant (they hope) will fall back to stripe reader processing.

First - if a retail establishment or its employees engage in repeated theft, the bank security systems will pick up the pattern - “oh look, all these fraudulent charges were made with cards that recently had a transaction at Joe’s Coffee Shop.” The first debit PIN scam I read about, several decades ago, involved a small merchant in downtown Toronto where the cards were skimmed when swiped and there was a camera embedded in the ceiling to read the PIN as it was entered. Until all ATM’s are converted to CHIP, stealing with a fake debit card and stolen PIN is easy at unattended ATM’s - the card does not even have to look right, it just needs the correct content on the stripe. They were of course caught when the pattern became too obvious.

Next - how else do you convert a credit card to money? A merchant who has too many contested charges will get massive chargebacks, may lose the guarantee the credit card company will absorb the loss, and will possibly be under criminal investigation. Newer computer security programs at the banks are excellent at spotting odd patterns that indicate compromised credit cards. Plus, that security code may not seem secure - but merchants are AFAIK forbidden from storing it. It is accepted for the transaction and then deleted; so a typical compute breach will not get the associated code necessary for freewheeling online ordering. Plus, you need to know the billing address. So the number isn’t enough - they need a pretty good profile on you.

When I was involved with a group that accepted credit cards, the rule was - card present, signature matched. Frankly, nobody cared about the signature, because nobody was an expert in signatures. Today in Canada with Chip and PIN, the merchant is on the hook if the transaction is not done with the chip and PIN. For online, the merchant is on the hook - so it’s up to them to have good security practices for delivering goods, such as no PO boxes or commercial drops. (There was a whole discussion I read once about not allowing parcels to be redirected by the recipient once they had shipped - crook would get tracking number, then call FedEx and have it delivered elsewhere.)

With more and more software requiring online activation and regularly “phoning home”, it’s even hard to buy software activation keys online and get away with it.

In the early days of the internet, apparently one billing company - for assorted porn services - was responsible for 50% or more of charge reversals in the USA. From that came severe penalties for companies with high reversal rates.

Plus, as each scam bubbles to the surface, credit card companies find ways to guard against them. One old trick, for example, was to call and change the billing address, ask for a new card (or steal it from the mailbox), activate it and go on a spree until the bills come due and the card is cancelled for overdue payments. So card companies are careful about both such requests today and computers are watching for it. Some scams require a physical presence.

If it’s from a secured site then these days you get a unique one time code, through email or text, and the transaction only goes through when the code is entered.

There’s a workaround, if an employee doesn’t ring up the sale, or void/refunds it after the card is swiped and the customer leaves, they can, if they want, pocket the money. I can tell you, as a book keeper, that’s going to be a PITA to track down. Also, no one will do a chargeback since they have no idea that anything was wrong. It’s taking the number and using it elsewhere that’s going to raise a redflag.
Now, the owner or book keeper will have a tough, if not impossible time figuring that out, in fact, if done ‘properly’ it would even be noticed*. The owner could do it and it no one would ever catch on, short ridiculously through IRS or CPA (they’d have to match each CC transaction to a sale on the register AND make sure it wasn’t backed out later). That’s not going to happen.
However, if done enough to make a dent AND if the business is audited, the IRS will notice the unsually thin profit margin for the industry that business is in (it’s something they look for, just for this reason).

Both of these methods have workarounds to cover tracks, I’ve mentioned them before, I’d have no problem bringing them up again, but it seems like it might cross a line in this thread.

*To be clear, this is no different than a cashier not ringing up a cash transaction and keeping that money.

Over here, where all cards are chip-and-PIN I can’t see this being possible: The transaction can be voided, but it shows up on the CC statement as a debit and credit. I am sure that the retailer’s records would show something similar. The assistant can’t take a CC payment and refund in cash - ever.

My wife buys some clothes at a major store which refunds without question for most items. When I take something back, they want the CC that paid for it originally to process the credit, or they issue a credit note that can be used later in the store.

The answer to the OP’s question is the one already stated by others - The hassle and risk of buying goods and converting them to cash, makes the effort too great for the return.

Now - If a thief gets your PIN as well as your card, they will just tour the ATMs drawing as much cash as they can before you stop the card.

Huh, I get tons of fraudulent activity. Or, well, my husband and I have had to replace one of our cards at least half a dozen times due to suspicious activity. Only once or twice something was actually stolen – usually it got tagged as suspicious up-front and was stopped, but we had to get new numbers anyway.

All you say may have been true at one time, but times change.

Until about 20 years ago, I routinely made up an expiration date each time I did a phone transaction, and was amused to see that it made no difference. Then one time, I received a call from the CC company suggesting that someone was fraudulently using my CC since the expiration date was incorrect. To get that transaction to complete, I had to make some apologies, and I never did that again.

I have noticed that the name on the card account and the name on the order doesn’t have to match at all. Since I use an alternate name for most online purchases, that’s good for me, but it seems like a security breach. I suspect this policy may change in the future.

It’s simply too risky considering the minimal reward. If a company steals your money, you would report it to the credit card company at minimum. Then the card company has to pay your (probably large) bank, and they go after the merchant. Even Discover is a big company, so the merchant won’t like that.

It’s usually easy to figure out who committed the fraud. Unless they ran away with a huge amount of money, it’s not worth the criminal record and loss of job. Also, I wonder if the person who takes the card information over the phone has access to the merchant account or other appropriate financial tools to actually make a buck off the fraud.

(I used to work as a cashier, and even stealing the cash would have been difficult because the register records what transactions you made. You would pretty much have to lie to someone about the price, raising the price by exactly $20 or something like that, and hope they don’t notice the price clearly displayed to them, and don’t look at the bill, which would have your cashier ID on it…)

I should have clarified, my store, similar to many others, have a standalone credit card terminal. So the credit card machine and the cash register don’t know what each other are doing. It’s would be trivial to ring up a sale on the register and not and not swipe the card, or swipe it for a different amount, or void it back out later and take the cash. While I don’t have any experience with integrated machines, I assume that’s a more difficult task.

I can’t speak for the call you got, but I assure you, with 100% certainty, if the year is incorrect, the card will go through. With some of my regular customers (as in, I do card not present transactions for them at least once a week), if their card expires, I just push the year forward about 3 years until I get a chance to ask them for the new number. It could very well be machine or CC processor specific, but I’ve never had a problem with it.

My terminal doesn’t ask for a name, it does, however, ask for some address info. However, if that information is incorrect, it just lets me know, but the card still goes through.

I would assume the credit card fraud detection would be detecting and alerting when there are a significant number of reversed transactions for a merchant. Not that the credit card company is worried about employee theft from the merchant, but every reversed transaction is a lost 4% commission. Detecting employee theft benefits everyone. Whether it’s standalone hardly matters.

For those whose theft of choice is reversing / cancelling transactions on the register, cash transactions are a helluva lot easier to steal. (In fact my wife caught an employee doing that once when she was manager. She wanted to see if the girl was giving her parents freebies when she was the supervisor. What she saw instead was that mama paid cash, and then when she turned her back with the goods, the supervisor cancelled the transaction and pocketed the money. However, computer tills record every action in a log. Since business was slow in the mornings, this girl was either the only one working or one of two and it turned out with a few spot-checks that she probably pocketed about half the transactions before noon when she was on. )

But it still boils down to - it is trivial to track “common points” of stolen credit cards. Theft of smallish amounts is a waste of time unless you are already doing a life sentence on the installment plan… (Six months, then a little later two years, then another nine-month sentence, etc. etc.) A modern comfortable lifestyle would require what? About $40,000 a year at very least? That’s an awful lot of stolen or fraudulent merchandise to fence…