April 5, 2018

The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates the modified card, thieves can start draining funds from the account.

Signs of a card with an old or invalid chip include heat damage around the chip or on the card, or a small hole in the plastic used to pry the chip off the card. Image: U.S. Secret Service.

According to an alert sent to banks late last month, the entire scheme goes as follows:

1. Criminals intercept mail sent from a financial institution to large corporations that contain payment cards, targeting debit payment cards with access to large amount of funds.

2. The crooks remove the chip from the debit payment card using a heat source that warms the glue.

3. Criminals replace the chip with an old or invalid chip and repackage the payment card for delivery.

4. Criminals place the stolen chip into an old payment card.

5. The corporation receives the debit payment card without realizing the chip has been replaced.

6. The corporate office activates the debit payment card; however, their payment card is inoperable thanks to the old chip.

7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card.

The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated.

The Secret Service memo doesn’t specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.

One final note: It seems almost every time I write about the Secret Service in relation to credit card fraud, some readers are mystified why an agency entrusted with protecting the President of the United States is involved at all in these types of investigations. The truth is that safeguarding the nation’s currency supply from counterfeiters was the Secret Service’s original mission when it was first created in 1865. Only after the assassination of President William McKinley — the third sitting president to be assassinated — did that mandate come to include protecting the president and foreign dignitaries.

Incidentally, if you enjoy reading historical non-fiction, I’d highly recommend Candice Millard‘s magnificently researched and written book, Destiny of the Republic, about the life and slow, painful death of President James A. Garfield after he was shot in the back by his lunatic assailant.

138 thoughts on “Secret Service Warns of Chip Card Scheme

  1. Chip Overclock

    Another way to think about the Secret Service mission is that an attempt on the life of the President of the United States is considered a “financial crime”. And it probably is.

    1. Gregory O'Hara

      As a former US Treasury Police Corporal and one that has gone to school with and assisted on investigations with the US Secret Service, there are a lot of things affecting our economy today, this is just a tip of the iceberg. Financial crimes of all sorts that cross international boundaries and those aimed at our economy are a direct threat to our security. Since before 9-11 the USSS used to be under the Treasury Dept. After 9-11 they were re-assigned to DHS as it’s name says it all. They also handle counterfeiting which has gotten to be more of an effort to fight sine the more powerful and quality driven printers some counterfeiters can almost get away with it.

  2. boldje

    those are just small criminals, who sooner or later end up in jail.
    wolrd biggest thiefes are the ones who print out money and those big guy paly with home equity and things like that.
    in this wolrd we have Emperors, Pirates and victims.
    Emperors are the biggest criminals.
    pirates are all this peddy criminals,like fraudsters carders and the rest.

    1. Nate

      If you’re not a criminal, you’re a victim? Sounds like something an aspiring criminal would tell themselves.

  3. Chris Bagge

    I’m living in Europe and is involved in card processing. I would like to give some feedback on this fraud scenario.

    We have been using EMV cards here for more that 15 years, so we have quite some experience. The US is lagging far behind in this area!
    > It is an UK experience that EMV card alone will not reduce fraud unless you go for Chip & PIN. There is quite a lot of public information in this area. Search for “Financial Fraud Action UK”.
    > It was fast to roll out the Chip & PIN cards but it really took some time, 3 – 4 years, to get the merchant to update their terminal and activate the ICC reader. Many of them had tape across the ICC reader slot. Many merchant were reluctant due to the cost of a new terminal.
    > There was initially a speed penalty on using Chip and PIN. This is no longer the case. The total transaction time from inserting the card until the terminal says “Remove Card” is around 6 seconds nowadays. Anything slower is a bad design.
    > Cellphone SIM’s and EMV card chips do basically follow the same standards but the chip behind is normally different. There are different requirements to their capabilities.
    > There is a problem in the transfer phase, where you sometimes “fall back” to magstripe. People were used to it, but they are no longer. We have a fallback rate on our national debit card of 0.2%. Yes 99.8% of the card transactions are chip. People will nowadays remark if they are required to use the magstripe. This could be one of the reasons that the cardholders do not detect a false/defect/replaced chip.
    > If you send a new PIN to a cardholder, never use the same channel as for the physical card. Do not use mail fro both of them.
    > It takes some time to learn people to remember their PIN. It is not a problem any more.
    > We have recently been taking on contactless EMV cards. The use of contactless EMV transactions has risen to 50% of the total number of transactions within one year. The “old” contactless Magstripe schemes were never accepted in Europe. > You are able to make online NoCVM transaction below a certain amount. The limits are the current amount and/or the accumulated amount. After that you have to make an Online Chip and PIN transaction to reset the counters in the card.
    > The chip is, for a contactless card, connected to a wire loop in the card. This loop will be broken if you try to swap the chip. People here would immediately detect that they cannot perform a transaction.
    > The use of NoCVM has reduced fraud since “shoulder surfing” attacks do not work here.
    > The use of Chip and PIN has moved a lot of the fraud to the Internet transactions.
    > The EU has introduced a directive of forced limits on the allowed fees for transaction using EU issued cards inside the EU, cross border as well. A maximum of 0,3% fee on credit transactions and 0.2% on debit transaction on all intra EU transactions.
    > Keep in mind that event though you may avoid paying for fraud costs up front, then you have to pay for it in the long run. It is a cost for your bank.
    >There is always a balance between ease of use and security. The merchant would like to make it easy for the cardholders to purchase but they are not willing to take the risk ;-).

  4. Fernando

    Just for curiosity, since I am European citizen: is it true that in the USA, there are bank cards (debit cards) which can be used to withdraw cash from the payment account at an ATM without the need to enter the Card‘s PIN? At least I got the story above like this. I have never experienced such a scenario in Europe…

    1. rlocone

      A PIN is required to withdraw any cash from credit/debit card here in the US.

    2. timeless

      It’s pretty hard to prove a negative.

      There are definitely demos where one doesn’t enter a PIN into the ATM itself, NCR is a major vendor in the US:

      I actually found a European demonstrating a PIN-less version:
      The currency is definitely €…

      I certainly haven’t seen that in the real world, but…

    3. Becca

      Just recently in my neighborhood there was a news report about someone’s phone being stolen and the thieves using the debit card app on the phone to go to an ATM and getting money out of it. So ha ha, even if you don’t use a physical debit card, you aren’t safe.

    4. Marduk

      Some banks will add Visa or MC network ability to ATM card, usually calling them a “Visa check card” or similar catchy name. This allows the debit card to be used on the debit card network or Visa/MC network. Essentially this allowa the user to skip the PIN since the Visa/MC network does not require a PIN, while still pulling the funds from the attached bank account. I know businesses get charged different amounts and percentages on debit or Visa/MC networks. I have never looked into if using a debit card on the Visa/MC network provides additional features of a Visa/MC card to a debit card.

    5. sunman42

      Apple Pay (which substitutes NFC and a Secure Enclave within the mobile device CPU for a card) can be used without any PINs to retrieve cash at several thousand Wells Fargo ATMS in the US. They’re supposed to upgrade their remaining 8.000 ATMs here to support Apple Pay by the end of 2019.

      1. Beeker25

        Bank of America is doing that. Now you can use your phone to deposit or withdraw from the ATM. On top of that, they are instituting cardless ATM.

      2. A

        You still need to input a PIN at WF ATM when using Apple Pay. All it does is replace the card being inserted. All other aspects still apply

  5. Rick

    “Incidentally, if you enjoy reading historical non-fiction, I’d highly recommend Candice Millard‘s magnificently researched and written book, Destiny of the Republic, about the life and slow, painful death of President James A. Garfield after he was shot in the back by his lunatic assailant.”

    And learn why medical malpractice laws came into being.

  6. Jason

    …slow, painful death of President James A. Garfield after he was shot in the back by his lunatic assailant… and tortured by a gang of lunatics calling themselves doctors.

    1. M

      Much hasn’t changed since. Today, we call them “pregnancy counselors”.

  7. Martijn Wismeijer

    The solution is quite simple. Stop using cards, a payment system that’s over half a century old… Switch to Bitcoin… It is time to dump your bank, time for plan “B” #bitcoinrevolution

    1. Jason

      That only shifts the point of vulnerability. Expecting the average person to fully understand the importance of securing their wallet.dat or being careful about trusting just any exchange out there is an order of magnitude more difficult than teaching someone to remember a PIN. And that’s not mentioning the volatility factor.

    2. sunman42

      Or switch to Apple Pay, and don’t get involved in a scam that is also the currency of choice of drug dealers and ransomware purveyors.

      1. namnus24

        @sunman42 “Or switch to Apple Pay, and don’t get involved in a scam that is also the currency of choice of drug dealers and ransomware purveyors.”

        Cash is still the king of currency of choice for drug dealers and other crime. Just because Bitcoin can be used for bad doesn’t make it bad. A hammer can be used as a productive tool or a weapon.

  8. Harry Johnston

    The article talks specifically about debit cards; is there any particular reason why debit cards would be more vulnerable to this attack than credit cards? Or do they really mean both?

    1. timeless

      Debit card protections after much weaker.

      First, with a senior transaction, the money leaves your account more or less immediately. With a credit card transaction, you get a bill 30-45 days later and have the ability to challenge transactions.

      The structure of payments is different, the credit card company wants to keep your business and doesn’t really care about the payee, and if a payee is annoying, the credit card company can leverage all if its customers against it.

      Second, you aren’t liable for a single dollar of a fraudulent credit card transaction, whereas you’re topically liable for at least $50 of a debit card…

      This, debit cards can be used to access other pieces of an account.

      In general, you should never use your debit card outside your bank.

      1. Harry Johnston

        Sorry, but I don’t see how any of those factors (except perhaps your second to last sentence, which I don’t understand at all) affect the usefulness of the stolen chip to the criminals.

        Are they able to somehow use a debit card to transfer money directly to themselves, rather than having to buy things with it?

  9. Harry Johnston

    Sorry, but I don’t see how any of this (except perhaps the second to last sentence, which I don’t understand at all) affects the usefulness of the chip to the criminals.

    Are they somehow able to use the debit card chip to transfer money directly to themselves, rather than just buying stuff with it?

  10. @law

    Quite a windy story Brian, the real facts are probably kept hush for obvious reasons. But a chip replacement alone won’t do your “neverwelldoers” any good. There is more to the story…
    And yes the USSS has two objectives: the $ and the POTUS and they do a pretty good job.

  11. Tina Jones

    If we cut through Brian’s waffle, and call a spade a spade, surely the real problem here is Americans being dumb as usual.

    Surely the only way this “scam” works is if you have been dumb enough to implement a “chip&pin” card system without requiring a PIN. Only in America !

    Correct me if wrong Brian, but surely that’s it. Because otherwise the crims would have just skimmed the card details if they wanted to use if for your average fraud purposes.

    The transplanting of the Chip would be to enable use in POS systems and thus could only work if the PIN is not demanded.

  12. Josh

    So, they are merely using these cards as credit for in store shopping, because they the guys do not have the PIN#. Hey, business cards probably have less scrutiny, so a nice big TV purchase wouldn’t alarm an algorithm system.

Comments are closed.