19
Jan 15

How Was Your Credit Card Stolen?

Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I’ve never published a primer on the types of card fraud and the likelihood with each of the cardholder ever learning how their account was compromised. This post is an effort to remedy that.

carddominoesThe card associations (Visa, MasterCard, et. al) very often know which merchant was compromised before even the banks or the merchant itself does. But they rarely tell banks which merchant got hacked. Rather, in response to a breach, the card associations will send each affected bank a list of card numbers that were compromised.

The bank may be able to work backwards from that list to the breached merchant if the merchant in question is not one that a majority of their cardholders shop at in a given month anyway. However, in the cases where banks do know which merchant caused a card to be compromised and/or replaced, the banks rarely share that information with their customers.

Here’s a look at some of the most common forms of credit card fraud:

Hacked main street merchant, restaurant:
Most often powered by malicious software installed on point-of-sale devices remotely.

Distinguishing characteristic: Most common and costly source of card fraud. Losses are high because crooks can take the information and produce counterfeit cards that can be used in big box stores to buy gift cards and/or expensive goods that can be easily resold for cash.

Chances of consumer learning source of fraud: Low, depending on customer card usage.

Processor breach:
A network compromise at a company that processes transactions between credit card issuing banks and merchant banks.

Distinguishing characteristic: High volume of card accounts can be stolen in a very short time.

Chances of consumer learning source of fraud: Virtually nil. Processor breaches are rare compared to retail break-ins, but it’s also difficult for banks to trace back fraud on a card to a processor. Card associations/banks generally don’t tell consumers when they do know.

Hacked point-of-sale service company/vendor:

Distinguishing characteristic: Can be time-consuming for banks and card associations to determine vendor responsible. Fraud is generally localized to a specific town or geographic region served by vendor.

Chances of consumer learning source of fraud: Low, given that compromised point-of-sale service company or vendor does not have a direct relationship with the card holder or issuing bank.

Hacked E-commerce Merchant:
A database or Web site compromise at an online merchant.

Distinguishing characteristic: Results in online fraud. Consumer likely to learn about fraud from monthly statement, incorrectly attribute fraud to merchant where unauthorized transaction occurred. Bank customer service representatives are trained not to give out information about the breached online merchant, or address information associated with the fraudulent order.

Chances of consumer learning source of fraud: Nil to low.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

ATM or Gas Pump Skimmer:
Thieves attach physical fraud devices to ATMs and pumps to steal card numbers and PINs. For more on skimmers, see my All About Skimmers series.

Distinguishing characteristic: Fraud can take many months to figure out. Often tied to gang activity.

Chances of consumer learning source of fraud: High. Bank should disclose to cardholder the source of the fraud and replace stolen funds.

Crooked employee:
Uses hidden or handheld device to copy card for later counterfeiting.

Distinguishing characteristic: Most frequently committed by restaurant workers. Often tied to a local crime rings, or seasonal and transient workers.

Chances of consumer learning source of fraud: Nil to low.

Lost/Stolen card:

Distinguishing characteristic: The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by bank to suspicious transactions, which often involve small test transactions to see if the card is still active — such as at automated gas station pumps.

Chances of consumer learning source of fraud: High.

Malware on Consumer PC

Distinguishing characteristic: Malicious software that hooks into the victim’s browser, and records all data submitted into Web site forms, including credit card information. Leads to authorized online charges.

Chances of consumer learning source of fraud: Discovering the infection? Fairly good. Definitively tying card-not-present card fraud to a malware infection? Very low.

Physical record theft:
Merchant, government agency or some other entity charged with storing and protecting card data improperly disposes of card account records.

Distinguishing characteristic: Usually not high-volume. Less common form of fraud than it used to be.

Chances of consumer learning source of fraud: Nil to low.

I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.

92 comments

  1. Crooks are getting a new tool which will help them automate some of the steps to drain bank accounts.

    Called FraudFox VM, the software is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the successor to the Silk Road online contraband market, for 1.8 bitcoins, which is about $390.

    http://www.csoonline.com/article/2871248/fraud-prevention/this-tool-may-make-it-easier-for-thieves-to-empty-bank-accounts.html#tk.rss_news

  2. Keep in mind that it doesn’t need to involve a POS transaction, ever. I had a brand new account that had never been used. The card was filed away by me, and many months later, I had fraudulent charges on the account. Finally managed to get it cleared up, and cancelled the account.

  3. I had a CC with Unnamed Very Large Credit Card Company. It had a fraudulent charge, which I noticed and challenged. So they issued a new account number and a new card. The usual routine.

    I received the new card in the mail, and put it in my drawer. Never activated. Never used anywhere. Surprise! Fraudulent charges eventually appeared on that one too!

    I called to cancel the account completely, and I asked how this could happen, when the card hasn’t even been activated, let alone used. The response was something like “We wish we knew.” This was years ago, and I’ve always wondered if the CC company themselves had been hacked, or their card manufacturer, or what.

    • Some credit card companies will allow “reoccurring subscriptions” to rebill to a new credit card number using the old credit card number. I had that happen with a card I had stolen – the fraud charge they put through was classified as a subscription and the credit card issuer let it through with the old, stolen number.

    • Some credit card companies will allow “reoccurring subscriptions” to rebill to a new credit card number using the old credit card number. I had that happen with a card I had stolen – the fraud charge they put through was classified as a subscription and the credit card issuer let it through with the old, stolen number.

  4. I have no idea how they got it–I’ve been hacked three times. Ironically, I have what I call a “dummy card,” i.e., I only load it with as much as I’m going to spend online, that way, if it gets hacked, there’s nothing to get. It appears to be bullet-proof–it’s never been accessed illegally, and I’ve used it for years.

    • It looks like you have a pre-paid card which only a certain amount is used to fund activity. It’s a great way to prevent it simply there’s not much to get at. I’ve used one via GW and I’ll know the transaction happens immediately.

  5. My wife had her card used on two separate occasions to buy airline tickets. Now how on earth could these people NOT be caught in a situation like this? Assuming they (or the people they bought the tickets for) actually utilize the tickets they could wait right there at the airlines’s gate for these LOSERS and bust them!! Not rocket science, but I’m sure the CC companies don’t have the resources to track these clowns down as often as this happens. Severe jail time needs to be imposed on these LOSERS to dissuade this S**T from happening in the first place.

    • The problem lies in where the thieves are in order to be apprehended. If they are overseas, there are not much law enforcement can do about with the exception of extradition treaties that covers such activities.

    • Typically the fraudster will purchase an airline ticket that is scheduled to depart farely soon (usually same day) in order for the ticket to not be cancelled once the institution realizes it’s a fraudulent purchase. Also, financial institutions do not have the resources nor the enforcement to actively pursue the fraudsters and I can tell you from experience that law enforcement only cares if it is a fairly significant dollar amount.

  6. One could use crowd-sourcing to identify likely sources of large hacks…

    • Great idea! And just how do you propose to keep the miscreants from manipulating the process to produce whatever outcome they want? Think I’d rather trust my bank’s fraud investigations unit.

  7. Mine was stolen in India. I was in a market paying for some Jewelry. They had a Visa sticker and I was short on cash. I handed them my card and before I could say anything they left the booth. One week later when I was home I got a call from my Bank that my card had been hacked. How they figured it out was interesting as they called me before it had ever been used.

  8. I had a card number stolen 3 years ago. I’ll name names because it’s a good story. The Fraud department with US Bank spent more than an hour on the phone with me and we chased down all the fraudulent transactions. We called the merchants together and even talked to the individual people who handled the transactions. I can’t say enough good about what US Bank did.

    And then I brought all that to the FBI. This was something like $10k worth of attempted transactions and with help from US Bank, we had names, dates, and details. In writing. I gave it all to the FBI and it disappeared into a black hole, never to be heard from again. I like to think the FBI went after the bad guys but never closed the loop with me, but more likely nothing happened.

    So Brian, in your tutorial, be sure to tell people not to count on law enforcement for help.

    – Greg Scott

  9. Hi Kreb,

    What about the cards that get scripted by crookers? E.g., the card generators that can target specific issuers/BINs?

  10. Hi Kreb,

    What about those who use card generators to script cards? Althought quite old-fashioned, there is still plenty of examples on the web of crookers who script cards targeting specific issuers/BIN’s

  11. Any InfraGard member will confirm that the FBI does indeed take this type of fraud seriously and definitely does pursue the criminals, even overseas.

    • Re: Paul –

      > Any InfraGard member will confirm that the FBI does indeed
      > take this type of fraud seriously and definitely does pursue
      > the criminals, even overseas.

      I’m sure that’s what the press releases say. But I also know what really happened in my case when the rubber met the road. Fortunately for me, the crooks were clumsy, the US Bank Fraud department was great, and none of the attempted charges went through.

      And I paid my InfraGard dues a couple months ago at the last meeting here.

      – Greg Scott

  12. A lot of suppliers sell RFID Blocking Card Sleeves. These look like ordinary card sleeves though. I haven’t been able to get my hands on one yet & was wondering if you know how they differ?

    • This has to be the most over-hyped form of credit card theft there is. I do not believe you have to worry about thieves stealing your card number via RFID attacks. This might be different for high-value targets in very hostile areas of the world, but for average users this is a non-threat IMHO.

  13. What about malicious apps on smart phones? That seems to be a open area for organized crime. The growth of financial services on smart phones is tremendous – just a matter of time before malicious apps start to use that ecosystem to steal payment data….

    • Already happening. As long as you don’t jailbreak your iDevice and don’t allow third-party app sources for Android you’re relatively safe though (but assume never completely safe).

  14. LessThanObvious

    I had two cards compromised at a Chevron Station in Redmond Washington. One thing I found odd was that neither credit card company seemed all that interested my ability to tell them the source of the fraud. I’d think they would at least note the source so they can follow the trend from that merchant and inform them of the issue. If they are going to leave it to the card holder to go file a police report on the merchant then they are missing a lot of data, as most people won’t bother formally reporting once the new card is in the mail.

  15. I would challenge the banks and other issuers to prove their security is effective. So few do any independent red team testing, and so many have miserable security, especially for their infrastructure. Fear of service interruptions outweigh good security practice, every day.

    Do what we do. Check every one of your accounts every day and twice on weekend days.

  16. I would also be interesting in knowing how they hack seldom-to-never used cards as some others have reported. Happened to me with a card that I use very infrequently and had probably not been used for a transaction in close to a year.

  17. Mr. Krebs could you please remove this article, if someone researchs about these stuff they can learn it.

    • You sir Alex C are clearly a genius! I would like to second this sentiment Brian: Please remove this very useful article. Why? Because I could do hours of research on my own and get most of the information that way (minus your excellent comments comparing the varying likelihoods of each method).

    • What do you imagine is the harm published in this article, Alex?

      • Yes, many people are hackers from little forums and they see this and try to do the same stuff with their knowledge.

  18. Last week my checking account got charged for BN Membership. I contacted bank & was told Barnes & Noble charged it. The membership is not mine, it’s my son-in-laws. I renewed (1x) for him as a gift in Jan 2014. That means Barnes & Noble STORED my debit card information without my authorization AND renewed his membership without his authorization.

    Spent about 40 minutes talking to 5 different people going through the process of cancelling my debit card, attempt to stop the charge & interim credit, filing a claim, ordering a new card & getting a temporary card.

    • Their website has been infested with MITM attacks I notice lately as well. I was having a hell of time today clicking links on their page. I had to clear out my sandbox and reload browser to get them to work.

      I think using a script blocker in your browser helps alot too.

  19. If your card was used fraudulently and you never made any purchases on the card it could be one of 2 things.

    1. A sneaky wife
    2. You got very unlucky and reissued a card number that was previously compromised years ago. However, that is a long-shot considering CVV/CVC and Expire date checks.

    Here’s another scenario. I was waiting for a Credit Card to be overnighted to me one day. When I got home from work I had the letter sitting on my porch. When I opened said letter it was not my Credit Card. The mailman delivered my neighbors replacement card down the block. However once opened, it was very easy to lift the card off the back of the paper to view the CVV code on the back and numbers were clearly visible on the front of the card.

    I simply sealed the letter back up and dropped it on his porch.

    Very simple for someone in a mail room, or working for a post office to perpetrate.

  20. I have had to shut down two CC accounts in under five years for fraudulent activity. Neither instance began with the loss of card or any visible hack of my online accounts. I still don’t know how the card numbers were lifted because I didn’t swipe either card at gas stations, ATMs and other places where card readers are likely to be present, either. The cards had been used online, but the passwords were always different (not used in perpetuity, either). I still don’t know how this has happened to me twice — or how to prevent it from occurring again.

    The first time fraud occurred, the charges were made half way across the country in a place I have never visited — for airline tickets. This should have flagged with the card issuer on either count, but didn’t even though I had never previously purchased airline tickets with that card, let alone in excess of $1K worth!

    The latest instance is even more puzzling in that there must have been a clone of my credit card made because it was used at physical addresses (stores and gas stations within 50 miles of my home). How did they obtain a physical duplicate of my credit card if I never lost it?

    My first reaction is to assume this theft traces to some online use even though I have never been aware of a hack and do not make the usual password mistakes of relying upon the same password over and over again. Then, again, with Walgreens, TJMaxx/Marshalls, Target and Home Depot having breached customer information (not to mention, laptops with patient information stolen from a hospital I went to less than three years ago) it seems almost impossible to narrow down the cause.

    I know this is unrelated but I want to point out the horrible problem with electronic voting machines that don’t have the proper security measures in place and/or who rely on contractors for setup, service and the like. There are some things that should not pass through online networks, period, and paperless voting is one of them — which sadly is too often overlooked.

  21. Or, it could simply be the result of an inside job by an employee who, for various reasons, thinks they can make some quick cash and get away with it….

    “Former Home Depot employee admits to selling customer credit card info”

    http://www.mystatesman.com/news/news/crime-law/former-home-depot-employee-admits-to-selling-custo/nj2Gh/#0b1957a6.3363884.735629

  22. The problem I have with the current system of security breach reporting is the lack of transparency. If there is a security breach, there should be a law that stipulates that at the very least, the customers associated with the payment processing companies, the banks and/or the merchants involved should be notified IMMEDIATELY. If several months go by before even a vague acknowledgement that there was a breach occurred, who knows how many more hundreds, thousands or even hundreds of thousands of customers would be affected? There’s been reports that notification do not go out for even weeks or months after the incident, which is simply unacceptable. Influential consumer advocate groups as well as security experts like Krebs need to push harder for better transparency, instead of falsely aligning with these groups (banks, merchants, processors) who portray themselves as victims (when ultimately the REAL victims are the consumers and customers who have to deal with the ugly fallout, e.g., lowered credit scores, stolen identity, etc.)

  23. Reducing credit card theft begins with PCI DSS security awareness training, which is often overlooked in today’s world of compliance. Both merchants and service providers need to put in place comprehensive training programs for all employees, and for good reason when you stop and think about it. While companies often spend untold sums of money on the latest and greatest hardware and software products, they fail to recognize the importance of training and educating employees on security issues, threats, and best practices. There are a multitude of programs available online, many for free, so there’s really no excuse. Want to stay in business, then protect cardholder data by training your employees on important security issues and threats – it’s really that simple.