05
Apr 18

Secret Service Warns of Chip Card Scheme

The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates the modified card, thieves can start draining funds from the account.

Signs of a card with an old or invalid chip include heat damage around the chip or on the card, or a small hole in the plastic used to pry the chip off the card. Image: U.S. Secret Service.

According to an alert sent to banks late last month, the entire scheme goes as follows:

1. Criminals intercept mail sent from a financial institution to large corporations that contain payment cards, targeting debit payment cards with access to large amount of funds.

2. The crooks remove the chip from the debit payment card using a heat source that warms the glue.

3. Criminals replace the chip with an old or invalid chip and repackage the payment card for delivery.

4. Criminals place the stolen chip into an old payment card.

5. The corporation receives the debit payment card without realizing the chip has been replaced.

6. The corporate office activates the debit payment card; however, their payment card is inoperable thanks to the old chip.

7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card.

The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated.

The Secret Service memo doesn’t specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.

One final note: It seems almost every time I write about the Secret Service in relation to credit card fraud, some readers are mystified why an agency entrusted with protecting the President of the United States is involved at all in these types of investigations. The truth is that safeguarding the nation’s currency supply from counterfeiters was the Secret Service’s original mission when it was first created in 1865. Only after the assassination of President William McKinley — the third sitting president to be assassinated — did that mandate come to include protecting the president and foreign dignitaries.

Incidentally, if you enjoy reading historical non-fiction, I’d highly recommend Candice Millard‘s magnificently researched and written book, Destiny of the Republic, about the life and slow, painful death of President James A. Garfield after he was shot in the back by his lunatic assailant.

Tags: , ,

138 comments

  1. The Sunshine State

    Fascinating read

    • Best history read with famous folks trying to save the Prez like Alexander Graham Bell and one man whose discovery may have saved the Prez but it was not used – Lister of Listerene fame.

    • What i wondering about is that nobody recognize that somebody can remove and replace the smartcard module without any scratches or traces on back. 2nd. when the smart card module is used in an old card, the card number on card front will not match the number in the module.

  2. This one shows initiative.

    Often when I get a call from a scammer, I try to engage them, but they usually give up pretty quickly. It’s discouraging to see that lack of industriousness among young people today. But stories like this give me hope.

    • Jon,

      Your comment seems to be purely praising of the fraudsters. While I would agree that this scam is fairly well-thought and resourceful, I don’t know if I would agree that it provides any real ‘hope’.

      Instead I’d hope that they would redirect their industriousness and resourcefulness towards more legitimate forms of obtaining wealth (aka getting a job, starting a business, etc.).

      I do have to admit, though, that these kinds of fraudsters are why I have the job I do (credit card fraud prevention).

      • I think you the joke.

      • I think Jon’s comment was more sarcasm than real admiration

      • sarcasm… might fit the bill here

      • Alton,

        See “tongue-in-cheek”, or “sarcasm”. Lol

      • Herringbone Sundae

        Instead I’d hope that they would redirect their industriousness and resourcefulness towards more legitimate forms of obtaining wealth (aka getting a job, starting a business, etc.).

        Perhaps if one could actually get a job these days, and said job actually paid enough to keep a roof over one’s head and food in one’s belly without supplementation from food stamps or other public or family assistance, then you’d get your wish …

        And in reference to the original article: if the activation procedure for these cards required the activator do something with the card that in turn required the correct chip be in the card, then this whole scheme would fall apart.

      • Marc Grundfest

        The failure to identify sarcasm, removes all such hope..

        Fraud is easy. Prevention is hard. We will never win if we can’t even understand sarcasm.

  3. Amazing the lengths fraudsters will go to make some of these schemes possible. Seems like they will keep me employed for a long, long time. YAY EMV

  4. What?!! I thought “Cow chip & Pen” was going to solve ALL of our banking and shopping security problems!!! /sarc

    😉

    • A lot of corporate credit cards are actually chip and PIN and not chip and signature. Of course, that doesn’t help much when a lot of businesses don’t bother asking for the PIN at all. Even worse, some issuers seem to be allowing PIN bypass for US transactions too.

      • Because requiring a PIN for a $2.35 cup of Joe at a convenience store cuts out so little charge back fraud with no benefit to their cardholder other than incentivizing dome other form of payment. That’s why. The goal of security is risk mitigation, not risk elimination.

  5. Shock, the security arms race continues. I got the impression from all the Europeans living over in their Utopia that chip and pin would solve every security issue.

    • Alive in America

      We could address this problem if we all had usb devices we could attach to computers that use the chip on the credit card to verify a “test transaction” as part of authorizing it.

      Big companies could definitely do this when they receive a big batch of cards. You could offer this to people who do crazy things like 2 factor auth. It should be relatively cheap to in practice, can the ‘host’ do more than have contacts, send and receive small amounts of data back and forth over the internet?

      Could it be they have too little foresight to design for this use case? Maybe they can’t help themselves from pricing the hardware too high or making the specs “secret”?

      • Sweet. USB devices that then become a new avenue for hacking, either by intercepting the devices themselves or getting malware on machines that target such devices.

      • The card activation step should bind the chip into the action – people had assumed up to now that the card would be intact.

        • KoSReader6000000

          Yes, I wondered that the “flip the chip” scam has not be done before. I saw Brian Ks list of permutations crime and it makes me shutter.

          Is it a cryptographic error or just not easy to change the chip and pin system?

          Who and how are these scammers getting into the US postal system?

          I thought it was solid and the postal inspector was good.

    • Not an expert, but what I’ve heard is that the US implementation of Emv is sorta half-***, in that we don’t require the PIN every time (which would solve this issue).

      • See ATM keypad cameras. See train station payphone scams. PINs are only a roadbump, an inconvenience, not a solution.

        There is no fraud prevention 100% solution until there is more prosecution and incarceration of fraudsters.

        • “There is no fraud prevention 100% solution until there is more prosecution and incarceration of fraudsters.”

          Not so! Prosecution and incarceration aren’t magic bullets. Your first sentence says as much.

          • My point is that no technical or manufacturing process exists to prevent the crimes of a determined thief. Instead, one must resort to deterrence and incarceration.

    • Can’t do much about stolen chips (although requiring a PIN rather than signature would help).

    • I always wondered why we had to activate the card in a ATM machine (with chip+pin of course) by making a transaction, before the wave-card-over-sensor-to-pay functionality was activated. Now I know.

    • Where is the word PIN mentioned in the article?

      I’m in Europe. I’ve never had a card that was just Chip & Signature.

      Chip & PIN doesn’t have this issue. In the scenario above the chip would be replaced then when the card is inserted into the machine the thief wouldn’t have the PIN.

      To activate the cards in Europe you go to an ATM, insert your card and type in the PIN. At this stage the activation would fail obviously. It’s been like that over here for about 10 years now.

    • Correct. In the US PINs are rarely used with credit card transactions.

      That said, PINs are almost always issued as part of establishing of a credit card account but they are only required for cash advance transactions. This is a rare type of transaction that few cardholders ever perform. (I personally always destroy the PIN for any of my cards if they are ever sent to me and I don’t remember or store them anywhere — I suspect many other people do the same.)

      For all other transactions besides cash advances, a signature may be required (usually if the transaction is above a certain amount).

  6. Krebs under sporadic attack? Couldn’t get through for several minutes. Got this error message on one browser. No typo and wouldn’t work via Google, Bing, DDG, etc.

    Hmmm…can’t reach this page
    Try this
    Make sure you’ve got the right web address: https://krebsonsecurity.com
    Search for “https://krebsonsecurity.com” on Bing
    Refresh the page
    Details
    There were too many redirections.
    Error Code: INET_E_REDIRECT_FAILED

  7. LowValueTarget

    Ah, the bliss of not being a high value target!

  8. Chris Nielsen

    Security blinders we wear.

  9. Seriously though, as some with some payments experience I love to know why doesn’t the PIN part of “chip and PIN” protect against this?

    And doesn’t the chip need to be present when the card is activated?

    • Don’t most new debit cards come with a PIN printed on the piece of paper to which the card is glued? That’s how every one of mine arrived. Hence, if the thieves are opening the mail (which they are because how else would they get to the cards) then they could just record the PIN.

      • mine come in a separate piece of mail, usually 3-5 days later..

      • I’ve had cards and PINs mailed separately. I imagine that would help, but it’s just another piece of mail to intercept in this case.

      • Wow Brian – you better get a new bank! The PIN should never be in the same envelope with the card! However, if the fraudsters accessed the mail for the cards, they certainly could have also intercepted the PIN mailer.

        Chip and PIN however, is a fallacy in the US for Visa issuers. You cannot force a PIN transaction – it is an option, but customer can also choose to run as ‘credit’ and no PIN needed.

        The activation probably required the PIN, but the physical card is not needed if you have a VRU or some other call in mechanism for activation.

        • KrebsReader6000000

          Good point about Visa and the option to use a debit card as a credit card Tammy Plummer. Merrill Lynch CMA visa cards simply use a signature and no pin when I used ML brokerage. This may explain some aspects of Brian Krebs picture of a chip removed from a ML CMA visa card.

      • My debit card ask you to set the PIN after you activate it on the web. I didn’t think of the issues. However, I was impressed the card number itself was tiny on the back of the card, eliminating security cameras and gazers from optically obtaining it.

      • Never had this happen. The PIN always arrives separately in the mail. It’s been like that for me for more than 20 years.

        • If the card is being intercepted, the pin is also via the same method. The envelopes are the same for every customer, and easily identified.

          • The PIN codes often come on paper that needs to be destroyed / clearly damaged to access the PIN. If banks instructed users to not activate cards until the PIN has been received in good condition, this might be a partial mitigation.

            • If banks provided a single-use activation code on the same type of paper, users would not be ABLE to activate cards until that paper had been received.

        • Same here, but if the fraudster has enough info about the vic to order a replacement card from the issuer, they probably have enough info about the vic to reset the PIN and/or order a PIN mailer from issuer.

      • Contactless payments should be the norm by now. If the transaction is over a certain value (in the UK there is a max permitted of £30) then a PIN should be an option, then a large percentage of this trouble would go away.

        The contactless element is very good because a unique transaction number is stored and can’t be used a second time not the card number. The use of a PIN is confirming card isn’t stolen for high value purchases.

        • I suspect contactless cards will never really be a thing in the US and that mobile wallets will take quite a long time to actually gain traction–assuming they ever do. For one thing, there’s still a culture that accepts employees running cards for customers that has to be worked through (hence why even restaurants that accept chip mostly still take cards away). Not to mention that issuers in the US tried contactless cards before and don’t really want to try something again that they’ve considered as failed.

          Anyway, I’m not sure how contactless would help in this situation when you can still insert cards. The act of swapping out the chip would likely make contactless stop working.

          • The contactless chip is separate, mounted inside the card (often under the EMV chip), and connected to an antenna that extends around at least half the card. It might be possible to extract the chip and connect it to a new antenna, but almost certainly prohibitively challenging.

          • Nah. Just needs some more security controls.

            I’ve a debit card that I can disable by an app on my phone.
            There are other features on it.

            Disable ecommerce transactions.

            Disable tap to pay transactions.

            Disable swipe payments.

            Disable ATM withdrawals.

            Set a spending limit.

            Use the location of my phone to see if the card is far from my phone. If it is, then disable transactions.

            Or just disable the card totally.

            One or more of the features above can be turned on or off. And it takes 2 seconds in the app. So my card is permanently disabled and I just log into the app and turn it back on for my transactions.

            I don’t know why every company doesn’t do this. When you think of it, it’s easy.

            The transaction gets sent to the vendor and they just approve or reject based on the settings you’ve set for the card. It probably only works for debit cards.

        • Here in Ireland the PIN-less transactions are limited to €30, *and* after a certain number of PIN-less transctions (3 IIRC) you will be asked for the PIN. This puts a brake on the “skimming” attacks and limits the amount that can be taken that way.

          I’d like to nail down just how having access to the card alone, without the PIN, leads to “draining the account”. Is it because retailers in the USA are not requiring the PIN and take a signature instead? That method is going to go away in the USA, as it already has in Europe – signatures are no longer accepted fpr payment anywhere. Or are we talking about online transactions, which are usually traceable? Physical items have to be delivered somewhere, PayPal requires verification … are these scammers buying Bitcoin or something with those cards?

          • Brian t:

            In the US, what the scammer does with online order of physical items, is they get them delivered to a random address.

            They have a return label sent to the first address with a note of a mis-delivery. The “return label” actually sends to a third party which either returns the item for a credit, or passes the item on to the scammer where he resells it on craigslist, yardsale sites or such.

            Item laundering instead of money laundering

      • Harry Johnston

        Huh. Most of my cards come with the same PIN that was on the card being replaced, or on one of my existing cards from the same bank.

        Certainly I’ve never been mailed a PIN – when a card doesn’t already have a PIN set, I have to go to the bank to do it. (Except for one card from a financial services company where I can set the PIN online.)

        Corporate cards might be different, I guess.

      • As others have told you, the PIN usually comes in a separate piece of mail these days. But if the mail is being intercepted then obviously the PIN can be too.
        If they sent the PIN through a completely different method, ie. an email or text to a mobile on record, that would be better.

      • Wow, I’ve never had a PIN sent – I was always required to set PINs at a local branch after showing ID.

        I’m sure there’s a “PIN by mail” option if you don’t live near enough to a local branch, but I haven’t really run into that.

      • Nope. Most banks send the PIN in a separate letter, with some material to scratch off (like a scratch card) so you can see if the letter was intercepted.

        If your bank is sending you a card and a PIN in the same letter you’d be better off doing an expose on them.

        • My memory could be fuzzy. I haven’t used a debit card for ages. The ones I have I just use to id myself when I go into the bank. I couldn’t tell you the PIN to them if I tried. They all even still have the sticker on them and haven’t yet been activated.

      • Our bank mails the card and the PIN mailer separately. They arrive a day or two apart.

      • KoSReader6000000

        To your point on printed pins with debit cards, Some do and others don’t. Instructions from a major bank required me to go to a local branch and present ID and type in a pin twice before activation. A reason was not forthcoming after asking.

        To your CMA “quasi debit” card, it uses a signature only [as a credit card] when I was using Merrill Lynch Wealth Management and trading, and since I don’t trust ML I switched brokers and much has changed.

        Next, to Peters question, “The card activation step should bind the chip into the action.” I would gather there is a cryptography method of binding the card to an unknown part of the card number, Name on account, and security code.

        Brian please ask security experts in your circle about this binding “chip to card” idea and see if they say: Yes or No. Then give us your opinion. Thank you.

      • Reader Chris Bagge commented above: “If you send a new PIN to a cardholder, never use the same channel as for the physical card. Do not use mail fro both of them.”

        I agree.

        My layperson’s (I’m not an IT person) thought is that you should be directed to log into your financial institution’s website and receive the PIN there.

        • This doesn’t work.

          If I intercept your email, I can print new instructions with a new URL pointing to a fake site that performs a MITM attack on the activation process.

          There’s a reason that the PIN should be sent via a wholly distinct means.

          Fwiw, my national ID card from Finland had a distinct PIN that I had to set up. Unfortunately, I set it up long before receiving my card, which meant that I’d forgotten it by the time the card arrived…

          This is the problem that American Banks fear.

          • “If I intercept your email, I can print new instructions with a new URL pointing to a fake site that performs a MITM attack on the activation process.”

            I understand your point, but this would require intercepting both your postal mail and sending a phony email which would increase the difficulty associated with this crime. Would this added difficulty be sufficient to deter fraudsters? IT professionals might be able to opine on this. My guess is that it probably depends on the capability and motivation of the criminals.

            Also, a certain percentage of customers might correctly be wary about clicking on an email link and instead would proceed directly to the website or communicate by phone. This might reduce the damage a bit as well as allow the financial institution an opportunity to take defensive measures when it becomes aware of the illegitimate emails.

            No easy solutions, it seems.

  10. I’m not a fan of debit cards anyway, and here’s why:

    If there’s fraud with a credit card, the bank *must* credit your account during the investigation and in the absolute worst case you can just not pay them (although your credit rating may suffer).

    With a debit card, the bank *may* credit your account during a fraud investigation. They often do, but they don’t have to and your money is gone until (best case) the situation is resolved. I’ve had a few friends have their checking accounts emptied and left unable to pay rent/mortgage for a few months while things are sorted out. Banks have better fee structures for debit cards and will practically force them down your throat, but it is usually possible to “just say no” and get a regular, non-debit ATM card if you make a big enough fuss. IMHO most people should do this unless they are unable to get a credit or charge card (and even then, “refillable” credit cards are probably a better option).

    • I used to have an ATM-only card from my credit union. Then they said it wasn’t allowed due to some Federal regulation and had to be a debit card for anything linked to a checking account. Something to do with Regulation D – I’m not sure, nor could I figure out why it mattered.

      So what I did was this, and it’s actually even more secure: I told them, “Ok, so if I have a Savings-only account, can I have an ATM-only card” – they had a very hard time understanding why I’d want this, but said this was possible. So I opened another Savings-only account and got an ATM-only card. Then, I had them link my normal Checking/Savings online account to allow me to transfer funds to this Savings-only account (but not the other way).

      I typically just keep $44 for a quick emergency in the Savings-only account. Whenever I need to get cash out, I use my credit union smartphone app and transfer funds from my Checking/Savings account to the Savings-only account, then withdraw the funds with the ATM-only card which is tied only to the Savings-only account.

      One cool aspect to this is when I do the transfer via the smartphone app, it allows me to make a comment, and I note what the funds are going to be used for, so that when I do my monthly reconciling, I have a fairly accurate picture where my physical cash is going (not precisely, as any spare $1s left over from a gas fill-up is “fun money” for taco truck or the like).

      I don’t need an ATM card to deposit checks to my normal Checking/Savings account – the smartphone app has a deposit function that takes a picture and processes these for me.

      • Yup, I do the same. Fool proof way to limit losses on debit card.

      • I do something similar.
        I use two checking accounts. The main account is used for all deposits and for paying by check.
        The secondary is for ATM purposes.
        I transfer money from the primary to the secondary to cover the withdrawals.
        For all non-ATM activities my accounts are password protected.

    • Erik
      Not sure where you got that info but it is entirely incorrect. Banks are required under Regulation E to provide credit during the investigation for fraudulent debit card transactions.

      • Are they required to cover the fees associated with bounced checks due to lack of funds, and any financial penalties assessed by payees because of delayed or late payments? To my knowledge they aren’t and they don’t.

        • Brian, debit card disputes handled under Regulation E are required to be investigated by banks within 10 business days of notice. If the investigation takes longer than 10 days, banks are required to grant provisional credit for the disputed amount. Unless the disputd amount drains your account, if you’ve been granted credit, ceteris paribus, you wont be overdrawn. Of course, during that first 10 days there are no REQUIREMENTS to make you whole, but in practice banks do waive those fees. Most banks are pay-all anyway so if you’re not getting a fee and your items are being cleared, it’s not quite so drastic.

          As always, the quicker the consumer notices the error and reports it, the more likely there will be a satisfactory outcome.

          • Yes, this assumes the bank acknowledges the issue and doesn’t dispute skimming with the customer. I’ve heard from plenty of customers who suspected being skimmed but couldn’t prove it and the bank said tough noogies. I realize this is a he-said, she-said thing, but you can imagine a scenario in which the attacker gets only a few accounts before someone detects the skimmer, and the bank hopes the issue just goes away.

            • Suppose a customer detected a skimmer at a local bank’s ATM after the bank closed on a Friday evening. What’s the right way for the customer to report it, so an employee would investigate it, or should the customer try to remove it?

              • An individual should never try to manipulate an ATM machine or other kind of card device. It doesn’t matter what you suspect about it. Either use it if you trust it, or don’t use it if you don’t.

                Nothing good can come from an individual off the street trying to remove a skimmer. You might damage the ATM, destroy evidence, or be subject yourself to suspicion.

                If you suspect something wrong and you want to alert the bank, call the 800 number on the back of the card.

                • “You might damage the ATM, destroy evidence, or be subject yourself to suspicion.”

                  … or find yourself being confronted by some imposing thugs monitoring their skimmer. I’ve encountered a couple of cases of this.

                  • CrouchingLurker

                    Ooooh ya, that’s happened to me once…And ended with a pair of badly bruised thugs and a pair of vaguely amused officers. Good times. But I’m not exactly your standard mark, physical security is very important if you’re going to mark skimmers to prevent others from using them.

                • CrouchingLurker

                  If I’m completely sure that there’s a skimmer on a given unattended device then I’ll tape an ‘out of order’ sign over the card slot. When this happened at my bank I also directly called the branch just before opening and asked the manager about the note I left them.

                  Being part of a small bank has its advantages, I know the branch managers, their habits, and where to conceal a note where they’ll find it before opening. And they’re quite proactive about skimmers, they’re pretty rare where I live, so if someone reports one directly to my bank at least they’ll preemptively re-issue exposed debit cards and talk to other local banks about it.

              • Leave it and call the police. In a great many cases, whoever put the skimmer on the machine is somewhere nearby watching it. After all, the devices usually cost quite a bit, and if they lose the skimmer they lose quite a bit of potential loot. So just leave it and avoid a likely physical confrontation with a thug, or worse — having to explain to the police why you are in possession of a skimmer with tons of stolen card data on it.

            • The issuing financial institution has no choice but to acknowledge the dispute. If a cardholder claims an electronic error occurred the burden of proof rests with the issuing FI to prove it didn’t. If they cannot prove an error did not occur within a reasonable doubt the cardholder claim is valid. Reg-E is fairly clear on this issue.
              Any bank not providing provisional credit or refusing to accept a claim can be fined.

  11. If the company, or employee, is receiving usage alerts (either email or SMS) this scam would last about 5 minutes. Usage alerts can be set up online at the same time the card is activated.

    I know that I’m not typical, but all my credit cards and bank accounts send me SMS usage alerts. The SMS cost is so low, I don’t know why this is feature is not automatic for every card and account. It should be an opt-out feature instead of an opt-in feature.

    • Chase are good with this, although as you state – it’s an opt-in feature. Citi are pretty good too. Barclaycard not so much – notifications come days late.

  12. EMV cards they’ve had in Europe for years is the way to go, and they’re slowly rolling them out here thankfully.
    Regarding PINs – some banks don’t mail PINs these days – the user usually creates their own online.
    The only thing really left to do is have 2-step verification for purchases over a set limit that users select themselves – i.e. all purchases over $XX you receive a text with a code to enter into the card reader.
    Either way, since banks in the US are ridiculously slow to catch on to new technologies, this is why I never use my debit card, and instead use Visa or MasterCards with protections. That way if I am hacked, it’s the issue that loses out, and not me getting my checking account cleaned out.

    • In Spain (EU), at least, the pin for the card is NEVER sent with the credit or debit card. You will receive a mail with the pin first and later the card both in unmarked letters without return addresses.

      And when you go an activate it, online or in an ATM you are prompted to change it to something personal, by telephone the operator will suggest you change the pin on your first visit to an ATM.

      Besides nowadays many cards, specially most if not all of the ones that have high limits, the bank will notify the user of any transaction with the card in real time, asking to call if he does not recognize the transaction.

      And you know why? banks in Europe due to the consumers protection law cannot charge the consumers a cent for the fraudulent use of their cards unless the Bank is able to proof in a court of law that the consumer handling of the card was gross negligent.

  13. The article specifically referenced debit cards, am I correct in my assumption that this attack would also work on credit cards?

    • Debit or Credit Cards would be vulnerable to this when they can be run with just Chip.

      However, more and more places are making folks run Debit cards with Pin.

    • While it would work for credit, debit is more valuable to fraudsters, as debit cards are tied to “real money,” and I think it’s easier for a customer to reverse a fraudulent credit transaction than debit.

      • You are missing the point. Frausters don’t really care if the money/goods they obtain comes from your personal account or something the bank ends up funding. They still have their loot. Come on US time to catch up, EU banks are just about to progress on to their next security protocol after simple chip & PIN before US banks have even got that far!

    • While sometimes credit issuers and debit issuers are more or less the same, it seems like credit card issuing entities are better at correlating fraud and stopping it, having access to more cards/transactions.

      It’s also possible that users are less likely to use a debit card in a way that they detect that it’s compromised…

      I suspect that the companies giving employees these cards have less oversight over them than they would on credit cards…

      Of course, it’s also possible that the criminals gave just found a convenient kink ina specific debit card delivery chain, which if it happened to deliver credit cards, they’d have been happy to attack those instead…

  14. Jonathan Rosenne

    I always test a new card after activation by buying something or at the nearest ATM. I had been doing this to verify that the activation had been successful, but this will protect me against this scam too.

  15. The third step is to make sure the card cannot be used until a transaction has taken place. My debit card was that way.

    Also, maybe a credit limit should be placed on the card until verified by a phone call to the bank.

    • I’ve had some debit cards that must first be used for a balance inquiry at an ATM before they can be used for purchases or withdrawals.

  16. Lost and Stolen Fraud was decided to be worth the risk by the financial institutions when they didn’t roll out with offline pins in the US. Fraudsters figuring out a novel way to steal cards is the price they pay for cheaping out on what EMV capabilities they use. Nothing new here. Maybe the amount of lost and stolen fraud is still cheaper to cover than the cost of implementing offline pin… Or maybe they made a poor decision and it’ll cost them more.

    • Considering that the networks mentioned nothing about moving to PIN when they got rid of the signature requirement, I suspect the former. In fact, I heard a rumor that Visa (not sure about others) are going to deprecate and soon get rid of offline PIN support altogether worldwide. Which might be for the best since the adoption of Quick Chip in the US basically made offline PIN unworkable anyway even if banks wanted to switch away from chip and signature/nothing.

  17. Frightening but fascinating. More information would be great. I’m interested in how one steals an older card and transfers the chip to a new card w/o it not having been previously been reported as stolen. I’m definitely missing something aren’t I.

  18. I might not understood it or missed it, but how do the thieves know when the card was activated?

  19. Keith Ledbetter

    Sounds like the bigger problem is the people delivering the mail. Otherwise how would it be intercepted

  20. Oh, I’ll start off with good article. Those of you who use an app are a program to access your account, let’s put it this way, would you do the same from your desktop, which is loads safer? Even apples next phone has security flaws, and you betting your last check till your next one, that you flew under the bad guys radar.
    Debit cards, if you found a good one, should never be tied to an account. They should be a minor refillable device. Not tied to a savings or checking account, and definitely nothing that gets your paycheck.

  21. Communism is the answer to all of America’s problem

  22. The obvious countermeasure is placing some heat-sensitive color-changing compound around the chip and on the back of the card opposite the chip, similar to how paper checks have a “VOID” watermark that appears when they are photocopied.

    “Hey, why is there a big blaze-orange splotch on my new card?”

  23. To those having a shot at EMV tech for cards, the actual chip tech has not been compromised.

    the fraudsters have to physically replace a chip in this case, involving manual labour which is time consuming.

    Here in Australia, we have full tilt gone to chip tech for our EFTPOS terminals and ATMs and we are NOT looking back.

    America, you really need to catch up !!!

  24. Is there any reason that we need to give, the up-and-coming criminals, step by step instructions on how to do this? Isn’t it enough just to alert Banks, so that they can to be aware of the existing problem and have some time to maybe, do something to offset the ability for this to happen? They don’t even have time to think about it… Before we start training the world step by step.

    • “Is there any reason that we need to give, the up-and-coming criminals, step by step instructions on how to do this?”

      I’m not sure I understand what you mean by “giving criminals step by step instructions” or who “we” is, so I going to assume that your concern is that Brian’s articles and the commentators here give the miscreants valuable intel by airing the issue. While that might be true to some non-zero degree, keeping silent about real – especially in-the-wild – attacks, methods and capabilities would be counterproductive and arguable dangerous.

      The credit card companies and their customer banks are notorious secret keepers, and how’s that working out for them?

      • It’s a bit like saying we shouldn’t release patches for software flaws because bad guys can reverse engineer those patches to how to exploit them against people who haven’t gotten around to patching. It’s true but it doesn’t outweigh the benefit of patching. In this case, knowledge of what to look for is key to foiling the scheme, so hiding that knowledge from individual users who are the ones that will go to activate these tampered cards is not really a great approach. It’s clear the fraudsters already know how to do this.

  25. I get the process but, don’t they need specific information to activate the stolen chip?

  26. One way that they could do it is, that when a person applies for a credit card they have to give a code on the application that they will be using to activate that card. So when the car gets there, not only do they have to have the pin number… But they have to have the code in which they created, when they applied for the card. If both the pain and the code are not correct then the card cannot be activated.

  27. One fascinating little quirk about chip cards — the actual silicon chips are exactly the same as those used for cellphone SIMs. This was noted when someone looked at the relevant specifications for both and noted that they had few distinguishing characteristics when used according to their relevant spec…..but a huge distinction when going “out-of-spec”.

    Chip cards were allowed to use about 8x the juice of a cellphone SIM, because they could be assumed to be read by something running on standard current instead of a battery. As it turns out, though, all chip cards known to date can run on cellphone current levels…..strongly indicating that it’s the same silicon.

    • I noticed they looked to be about the same size, but wasn’t sure. Thanks for the confirmation.

  28. Veronica Rowland

    They just charge more once they notice that you have been to a street where the store charges extra for putting the merchandise under credit instead of debit. Per say instead of going to the cashier, you uses a EBT machine in that store you get charged three fee, first is EBT second is the card agreement fee, third is that credit charge. I notice this myself going in dispute with this now I notice this.

  29. This tactic seems pretty null and void to me.

    Although letter distribution methods will vary from bank to bank, here in the UK the way it generally works is the Card letter and PIN letter are sent separately – add to this the PIN is always obfuscated underneath a material you need to scratch off – so the recipient of the letter would immediately know its been compromised.

    • As long as the letter can be reproduced & resubmitted, that isn’t actually protection. And keep in mind that users don’t receive these frequently, so they won’t have any reason to know what the protections should look like, and the reproduced letter can be changed to describe a different “security” mechanism.

      Once a communication mechanism is compromised, it’s compromised and nothing sent through it can/should be trusted.

  30. Well, as of this month US EMV (or contactless) transactions using Visa, MasterCard, AmEx, and Discover no longer even require a signature. Further, It is not anticipate there will any assignment of PINs by issuers so I guess we will be a chip-only EMV card country. Yay (sarcastic)

    • This varies by issuer. Most MasterCard issuers did produce a PIN for their cards from day one, while Visa issuers for the most part did not.

      Also, I recently got a notice from my Health Savings Account debit card issuer that I needed to establish a PIN for that card after the fact.