14
May 18

Detecting Cloned Cards at the ATM, Register

Much of the fraud involving counterfeit credit, ATM debit and retail gift cards relies on the ability of thieves to use cheap, widely available hardware to encode stolen data onto any card’s magnetic stripe. But new research suggests retailers and ATM operators could reliably detect counterfeit cards using a simple technology that flags cards which appear to have been altered by such tools.

A gift card purchased at retail with an unmasked PIN hidden behind a paper sleeve. Such PINs can be easily copied by an adversary, who waits until the card is purchased to steal the card’s funds. Image: University of Florida.

Researchers at the University of Florida found that account data encoded on legitimate cards is invariably written using quality-controlled, automated facilities that tend to imprint the information in uniform, consistent patterns.

Cloned cards, however, usually are created by hand with inexpensive encoding machines, and as a result feature far more variance or “jitter” in the placement of digital bits on the card’s stripe.

Gift cards can be extremely profitable and brand-building for retailers, but gift card fraud creates a very negative shopping experience for consumers and a costly conundrum for retailers. The FBI estimates that while gift card fraud makes up a small percentage of overall gift card sales and use, approximately $130 billion worth of gift cards are sold each year.

One of the most common forms of gift card fraud involves thieves tampering with cards inside the retailer’s store — before the cards are purchased by legitimate customers. Using a handheld card reader, crooks will swipe the stripe to record the card’s serial number and other data needed to duplicate the card.

If there is a PIN on the gift card packaging, the thieves record that as well. In many cases, the PIN is obscured by a scratch-off decal, but gift card thieves can easily scratch those off and then replace the material with identical or similar decals that are sold very cheaply by the roll online.

“They can buy big rolls of that online for almost nothing,” said Patrick Traynor, an associate professor of computer science at the University of Florida. “Retailers we’ve worked with have told us they’ve gone to their gift card racks and found tons of this scratch-off stuff on the ground near the racks.”

At this point the cards are still worthless because they haven’t yet been activated. But armed with the card’s serial number and PIN, thieves can simply monitor the gift card account at the retailer’s online portal and wait until the cards are paid for and activated at the checkout register by an unwitting shopper.

Once a card is activated, thieves can encode that card’s data onto any card with a magnetic stripe and use that counterfeit to purchase merchandise at the retailer. The stolen goods typically are then sold online or on the street. Meanwhile, the person who bought the card (or the person who received it as a gift) finds the card is drained of funds when they eventually get around to using it at a retail store.

The top two gift cards show signs that someone previously peeled back the protective sticker covering the redemption code. Image: Flint Gatrell.

Traynor and a team of five other University of Florida researchers partnered with retail giant WalMart to test their technology, which Traynor said can be easily and quite cheaply incorporated into point-of-sale systems at retail store cash registers. They said the WalMart trial demonstrated that researchers’ technology distinguished legitimate gift cards from clones with up to 99.3 percent accuracy.

While impressive, that rate still means the technology could still generate a “false positive” — erroneously flagging a legitimate customer as using a fraudulently obtained gift card in a non-trivial number of cases. But Traynor said the retailers they spoke with in testing their equipment all indicated they would welcome any additional tools to curb the incidence of gift card fraud.

“We’ve talked with quite a few retail loss prevention folks,” he said. “Most said even if they can simply flag the transaction and make a note of the person [presenting the cloned card] that this would be a win for them. Often, putting someone on notice that loss prevention is watching is enough to make them stop — at least at that store. From our discussions with a few big-box retailers, this kind of fraud is probably their newest big concern, although they don’t talk much about it publicly. If the attacker does any better than simply cloning the card to a blank white card, they’re pretty much powerless to stop the attack, and that’s a pretty consistent story behind closed doors.”

BEYOND GIFT CARDS

Traynor said the University of Florida team’s method works even more accurately in detecting counterfeit ATM and credit cards, thanks to the dramatic difference in jitter between bank-issued cards and those cloned by thieves.

The magnetic material on most gift cards bears a quality that’s known in the industry as “low coercivity.” The stripe on so-called “LoCo” cards is usually brown in color, and new data can be imprinted on them quite cheaply using a machine that emits a relatively low or weak magnetic field. Hotel room keys also rely on LoCo stripes, which is why they tend to so easily lose their charge (particularly when placed next to something else with a magnetic charge).

In contrast, “high coercivity” (HiCo) stripes like those found on bank-issued debit and credit cards are usually black in color, hold their charge much longer, and are far more durable than LoCo cards. The downside of HiCo cards is that they are more expensive to produce, often relying on complex machinery and sophisticated manufacturing processes that encode the account data in highly uniform patterns.

These graphics illustrate the difference between original and cloned cards. Source: University of Florida.

Traynor said tests indicate their technology can detect cloned bank cards with virtually zero false-positives. In fact, when the University of Florida team first began seeing positive results from their method, they originally pitched the technique as a way for banks to cut losses from ATM skimming and other forms of credit and debit card fraud.

Yet, Traynor said fellow academicians who reviewed their draft paper told them that banks probably wouldn’t invest in the technology because most financial institutions are counting on newer, more sophisticated chip-based (EMV) cards to eventually reduce counterfeit fraud losses.

“The original pitch on the paper was actually focused on credit cards, but academic reviewers were having trouble getting past EMV — as in, “EMV solves this and it’s universally deployed – so why is this necessary?'”, Traynor said. “We just kept getting reviews back from other academics saying that credit and bank card fraud is a solved problem.”

The trouble is that virtually all chip cards still store account data in plain text on the magnetic stripe on the back of the card — mainly so that the cards can be used in ATM and retail locations that are not yet equipped to read chip-based cards. As a result, even European countries whose ATMs all require chip-based cards remain heavily targeted by skimming gangs because the data on the chip card’s magnetic stripe can still be copied by a skimmer and used by thieves in the United States.

The University of Florida researchers recently were featured in an Associated Press story about an anti-skimming technology they developed and dubbed the “Skim Reaper.” The device, which can be made cheaply using a 3D printer, fits into the mouth of ATM’s card acceptance slot and can detect the presence of extra card reading devices that skimmer thieves may have fitted on top of or inside the cash machine.

The AP story quoted a New York Police Department financial crimes detective saying the Skim Reapers worked remarkably well in detecting the presence of ATM skimmers. But Traynor said many ATM operators and owners are simply uninterested in paying to upgrade their machines with their technology — in large part because the losses from ATM card counterfeiting are mostly assumed by consumers and financial institutions.

“We found this when we were talking around with the cops in New York City, that the incentive of an ATM bodega owner to upgrade an ATM is very low,” Traynor said. “Why should they go to that expense? Upgrades required to make these machines [chip-card compliant] are significant in cost, and the motivation is not necessarily there.”

Retailers also could choose to produce gift cards with embedded EMV chips that make the cards more expensive and difficult to counterfeit. But doing so likely would increase the cost of manufacturing by $2 to $3 per card, Traynor said.

“Putting a chip on the card dramatically increases the cost, so a $10 gift card might then have a $3 price added,” he said. “And you can imagine the reaction a customer might have when asked to pay $13 for a gift card that has a $10 face value.”

A copy of the University of Florida’s research paper is available here (PDF).

The FBI has compiled a list of recommendations for reducing the likelihood of being victimized by gift card fraud. For starters, when buying in-store don’t just pick cards right off the rack. Look for ones that are sealed in packaging or stored securely behind the checkout counter. Also check the scratch-off area on the back to look for any evidence of tampering.

Here are some other tips from the FBI:

-If possible, only buy cards online directly from the store or restaurant.
-If buying from a secondary gift card market website, check reviews and only buy from or sell to reputable dealers.
-Check the gift card balance before and after purchasing the card to verify the correct balance on the card.
-The re-seller of a gift card is responsible for ensuring the correct balance is on the gift card, not the merchant whose name is listed. If you are scammed, some merchants in some situations will replace the funds. Ask for, but don’t expect, help.
-When selling a gift card through an online marketplace, do not provide the buyer with the card’s PIN until the transaction is complete.
-When purchasing gift cards online, be leery of auction sites selling gift cards at a steep discount or in bulk.

Tags: , , , , , , ,

62 comments

  1. in about one in every XXX times?

  2. Proofreader's EYE

    “…in about one in every XXX times…” Are we resorting to Roman numerals, now? 🙂

  3. with the card’s serial number in PIN
    “in” should be “and”.

  4. > Gift cards can be extremely profitable and brand-building for retailers

    This may be the wrong forum in which to raise this inquiry, but it’s in the story so I figured I’d follow up. Within the past few months, I received two rebates in the form of debit cards, one VISA and one MasterCard. Neither card restricted use to the retailer that issued the rebate.

    Following up on the quoted premise from this story, using these debit cards resulted in no additional purchases at the original retailer; no profit or brand-building for them. Who benefits (other than VISA or MasterCard) from issuing these debit cards rather than paying rebates by check? Under the heading of “brand-building” or “good will”, the fraud perils discussed in this story seem to have more negative rather than positive outcomes.

    • I believe the advantage to the rebating merchant is that Visa or whoever sells them at a discount: issue a $20 rebate card for only $18 (or whatever — making those numbers up).

      How can Visa or whoever make money issuing $20 rebate cards for $18? Because 3 out of 4 consumers never bother to cash them, or only partially cash them.

      I think … just surmising here.

      • “How can Visa or whoever make money issuing $20 rebate cards for $18? Because 3 out of 4 consumers never bother to cash them, or only partially cash them.”

        Also, card issuers charge accepting merchants a commission on transactions and benefit from the float (interest payments generated by holding money on behalf of others).

        • Unfortunately I can bear witness to that. We get gift cards at work once a year, and I have received them for awards/events. I hate them, and have likely let most expire. They are a pain in the ass to use. Call a number, get a pin, find a place that takes it.
          Cash is king, just spend it. Debit cards were a dumb idea – less for the issuer who keeps much of the cash – so yeah, its a scam.
          If you are going to buy a gift card from someone, don’t – give them cash. It will get spent.

          • If you are in california, gift cards cannot expire by state law. Even if they say they do.

          • Do you purchase things online from Amazon? If so, convert those gift cards in full before they expire by depositing the fund amounts into your account and then recycle the plastic card (which is worth nothing at that point). It’s not exactly cash-in-hand, but pretty close.

    • Issuing gift cards instead of checks can simplify bookkeeping and accounting for rebates, stipends, and refunds.

      Essentially, if a firm issues a check, it must track and report all activity resulting from the transaction in its financial records from the time an outgoing payment is requested to when the check is finally cashed by the recipient. But if a gift or debit card is sent, the firm only has to account for a single, quick transaction. The burden of carrying and reporting all further activity is then shifted to the card issuer.

      If a firm also receives a discount on the face value of the cards, that’s just icing on the cake!

    • I recently switch cellphone providers. These days all the major providers offer to pay off your existing device for switching over. The money I received to pay off my mobile device was in the form of a visa gift card that cost me $4.95 for the physical card. I called customer service to ask them if they are willing to reimburse the the cost of the card. They did, actually offered more than just the cost. I got a $20.00 towards my next bill.

  5. The Sunshine State

    Awesome article as usual

  6. “Check the gift card balance before and after purchasing the card” – how does one go about checking the balance on a card before purchasing it?

  7. why don’t retailers just start putting the cards behind locked cabinets and only allow direct purchase of them at the register?? seems to me this would help a good chunk of the problem.

    • The same reason most retailers aren’t all that keen on implementing EMV: delays during checkout. Each transaction, to them, should take the least amount of time possible in order to ensure the maximum amount of transactions can be processed. Adding steps slows the process down so less transactions can be processed. Simple numbers.

      And when you consider that they get their money from the card regardless of whether or not this fraud takes place? Yeah, de-incentivization.

      tl;dr: $$

    • By doing so, those retailers would pretty much preclude a high percentage of so-called “impulsive” buyers, and the cost of card-related scams is (to them) far less than the value of purchase from that particular market segment.

  8. The differences between automated and manual magstripe coding are considerable and so obvious, I’m really surprised it (apparently) never occurred to anyone, especially me. The diffferences in writing to magstripes is much like the differences between the commercially produced music albums on cassettes and home recording on cassettes.

    The machines used to imprint and record to cards run at very high speeds and they must be very accurate in imprinting and writing the magstripe, using a very strong signal to write the magstripe. Actually, in addition to the abovementioned parameters, the position and length of the recorded data are very consistent, almost identical, and can be used as another indicator of authenticity.

    The machines are in fact very expensive and are running constantly due to demand. Accuracty and reliability are imperative. But the security is even more expensive. And it’s not all that much fun for people who do the work.

  9. Dumb question… If the bad stripes are brown and the good ones are black, why do we need a complicated machine here?

    • Because the card readers themselves don’t see color. They see only the encoded data in the form of magnetic fields. Therefore a method that uses the patterns is far better and more easily adaptable as an upgrade to the machine’s software than one that requires adding physical hardware in the form of a color scanner assembly in the swipe slot.

      • Yes but the human could look at the stripe. They already look at the back while carefully comparing the signature….

        Sigh… it is just irritating if it is mostly because of people not being just slightly careful.

    • It didn’t say that, it said cheap cards (gift cards/etc) use the brown and more expensive cards use the black. Both are used for legitimate purposes.

      • It’s not about the color; legitimate magstripes come in all kinds of colors nowadays, and once reencoded they look no different than before. The primary point of that part of the discussion was to improve the magnetic quality of legitimate magstripes to make them harder to reencode and reduce false positives in the detection technology.

  10. Mailing a card is lot cheaper than tracking and issuing a check. For Visa they get transaction fees. Everyone wins except the consumer who pays higher prices.

  11. This would be a great data point to get into the hands of someone (issuers) that actually cares about their cards being counterfeited. If only it had been discovered before the entire ecosystem replaced their card readers.

  12. Harry M Johnston

    My bank’s ATMs update the information on the magnetic strip each time one of their credit cards is used in one, specifically as a fraud prevention measure to invalidate cloned cards.

    I don’t know how this approach compares to the approach described in the article in terms of effectiveness, but I do wonder whether it means that all my credit cards are LoCo – and whether they’d pass inspection if someone was using the article’s technology or whether they’d look like they’d be tampered with.

    Just another potential complication. 🙂

  13. “LoCo” cards is usually brown… (HiCo) stripes … are usually black”

    The stripe on my Capital One card is a gray silver.

  14. Very interesting article. And read the paper with it. Most I teresting. Almost makes me want to tour the card makers shops. I’m wondering if the speed factor in making the cards, involves a cooling effort at the magnetic head, to make the fields depleat faster. Creating a cleaner output. Or digital controllers not found in a sub or low end writer. After all, they only used three low end writers. I may have to write a letter.

  15. Regarding gift cards, does immediately “registering” the card prevent the later cloned card working? And can/should I use a random zip code to prevent a local scammer from using the local zip code with his cloned card?

    • Nope, activating the card is what they’re waiting for. They already have the info to use it, they just need someone to buy it to allow them access to the funds.

    • Registering a VMAD (Visa/MC/Amex/Discover) gift card online usually does nothing more than provide the issuer with address information (name, address, zip code) needed along with the CVV2/CID for card-not-present authorizations; it doesn’t affect the magstripe itself. But then most VMAD cards are already sold in sealed packages to prevent fraudsters from accessing the card itself (numbers and/or magstripes); also, private-label gift cards (where EMV is unlikely to displace magstripe anytime soon) usually don’t call for online registration.

  16. This all smells ,and stinks so bad.
    But usa is full of milk Md honey, and full of free money..since usd dollars have more then euros or pounds.

  17. “The original pitch on the paper was actually focused on credit cards, but academic reviewers were having trouble getting past EMV — as in, “EMV solves this and it’s universally deployed – so why is this necessary?’”, Traynor said. “We just kept getting reviews back from other academics saying that credit and bank card fraud is a solved problem.”

    I guess they never heard of mag stripe fallback.

    • What…? Academics who don’t have a grip on what’s happening in the REAL world…?
      Unheard of…!
      Absurd…!

    • Before telling everyone the best option to but a gift card is to buy it direct from the vendor from behind the counter, you have to take into consideration that your methods for gift card fraud ideas aren’t the only ones here on earth. When in actuality you failed to mention an even easier method and not only that I would have to say behind the counter and direct from vendor is the crooks preferred point of entry. Why? Because of stories like this that convince the customer that it’s the best, safest way to purchase the scam card.

      The problem is that gift card providers and vendors could care less what happens after the fact. After it’s bought , it’s your problem.

      I could mention a few methods but I’ll leave you with the oldest trick in the book but clearly one of the deadliest but should not still be a threat. You do the homework, I’ll give you the program.

      Thc1.91

      So please before sending people down the wrong Avenue , next time you should speak in reality,

      I’d you buy gift cards , you WILL be scammed. No matter how you buy them or who you buy them from, it’s only a matter of time.

      Hope this helps.

      • Word salad with no real content beyond that of Trump’s “fake news” tweets. You don’t say HOW a fraudster can take advantage of gift cards sold from behind the counter beyond saying it can be done after purchase — which I’m sure every regular reader of this blog already knew about (i.e., skimming which affects ALL magstripe cards and potentially even EMV cards). That does NOT affect the anti-fraud benefits of moving gift cards behind the counter.

  18. They should prevent registering a card that hasn’t been loaded. Maybe even put up a scary warning about IP being recorded, if someone tries before it’s loaded.
    There should be no legit times someone takes a card before loading it

    • The three reasons customers buy gift cards are:
      1. convenience
      2. stupidity*
      3. convenience

      Conveniently, most gift cards will have multiple methods to check a balance, including a phone number printed on the back “for balance inquiries.”

      *Gift cards are the most impulsive and thoughtless of gifts. Not only does it provide interest-free capital to a retailer, but it burdens the gift recipient to patronize that retailer. Plus, since most gift card purchases are made by credit card, the buyer is likely to pay interest. Better to give cash or write a check, if the purpose is wealth transfer!

      • +100 on both your comments, Reader.

      • Minor children of parent who can’t be trusted with cash, lives 1,000+ miles away, and can’t open a bank account. Kids need clothes and stuff for school. Best solution in that situation is send a WalMart gift card paid for with cash or debit card. Yes, the parent could sell for less than face value for cash, and there are other ways to convert gift cards to cash.

        The above is an actual situation a relative of mine has faced in the past.

        • Gift cards are worse than cash. While both can be stolen, lost, or damaged, only gift cards can have their value stolen remotely, as explained in this article.

          Unlike prepaid or secured Mastercard/Visa cards offered by major banks, gift cards don’t come with fraud and loss protection.

          Damaged cash can be exchanged for new currency at any bank. However, retailers are not required to provide any reimbursement for damaged gift cards; it’s entirely at their discretion.

          If a check or money order is lost or damaged, it can be stopped and reissued. You can’t do that with a gift card.

          NB: A “minor” “kid” is either trustworthy enough to handle cash or is too immature to shop without adult supervision. One cannot be both. In either case, a gift card offers no advantage.

          The logical solution is to provide funds to the school or adult supervising the minor to purchase what the kid needs, or to mail a care package from home.

  19. It’s only a matter of time before the bad guys have a better encoding machine. Bigger bullets create better armor. It’s a viscous cycle.

    • Fluid dynamics of the cycle notwithstanding, the death-in-progress of mag stripes will render this whole arms-race moot before too long.

  20. Brian , big fan been reading for years you know your subject .. but you really failed on this one brother.
    Your main topic was to bring attention to what amounts to petty retail theft , similar to people switching a label from hamburger to a ateak. Just becuz it involves card readers/writers dosnt mean its a high tech cyber crime worth covering.
    The fact that walmart dosnt hint how their tech works and only tested it internally means its likely a basic failure to understand the dynamics. Which you hint at after when you speak of “Beyond Gift cards” and try and fail to tie retail theft to banking industry threats . Lo-co is what carders used in 2001. They have high quality equipment equal to the banks to both skim and write the stolen data. That study was a waste of time and money.
    Rather than any high tech solutions simply secure and control access to gift cards aka keep them behind the counter under lock and key accessible by mangers only like any valuable itsm in a shop.
    EMV and VBV/MsC eliminate most card fraud on significant global levels. How you managed to tie atm skimmers into an article about petty retail fraud of cloning pre bought giftcards is difficult to comprehend. Brian, sincerely I love your work but this article really disappointed me.

  21. A fraudster can steal a gift card #, and use in a card not present environment and avoid card present altogether. That would defeat this technology. So while one door closes, another door is open.

  22. Why are those Cards not wrapped in RFID blocking material?
    Or keep them behind the counter?
    Anyone?

    • A. The involved tech isn’t RFID. It’s magnetic stripe. Regardless of that, thieves typically are gathering information on cards that are not packaged.

      B. So why not package? Cost and time. Packaging weight adds to shipping costs. Packaging material adds to production costs.

      Then, having customers ripping open the packaging to present to a cashier for loading a card takes time that is used more profitably by getting to more customers.

      C. Keeping it behind the counter will reduce sales, as customers like to touch things they intend to buy. Many gift card purchases are driven by impulse, which is why you’ll find them displayed like candy and with attractive designs.

  23. Great stuff Brian. I never realized they used different mag strips on the throw away cards.

    The strips on CC’s are stout. Buddy of mine’s wife was a shopaholic. He’d go after her CC’s with a magnet to try and disable them. Sometimes it worked. Usually it didn’t.

    Gift cards are the single biggest scam in retail.
    Millions of dollars on gift cards go unspent, only to be service charged down to zero by the issuer.

  24. Robert. J. Tables.

    Isn’t it likely though that at some point scammers will make higher quality ripoffs that can trick the detection of fake cards? Or is the idea that the cost of entry/operation of being able to do high quality fakes will reduce the market enough to be considered a success?

  25. I like the technology and think it is a great idea. Another idea to pair up with this one is for the merchant to monitor their web site traffic for someone checking for active cards. If a card has 3-5 tests in 2-4 days, it was most likely compromised. I would also look for five or more inquiries coming from the same IP.

  26. After reading the article i was shocked, i didn’t know that things like these could happen. I got to get in contact with my bank and get to know what i got do when things like these happen. Thanks

  27. Hey Brian,

    Long time reader, from back to your WaPo days. Really enjoyed the article, even though I was already aware of the in-store gift card “shenanigans.”

    And you may already know, but there is also fraud being perpetrated with online gift cards/codes. My company has been offering gift card “perks” for employees that fulfill a number of health goals (non-smokers, get flu shots, get annual physical, etc.) Once you complete the goals, our health provider (who is a big brand name provider) processes the claim and sends a gift code to the employee via email, to be used at places like Amazon, among other choices that the employee can make.

    I recently got a gift code, but when I went to use it, it was “invalid” according to the Amazon website. I contacted my health provider, and they said that they were aware of a number of compromised gift codes, and that it was under investigation. Not sure if the fraud occurred at Amazon, the health provider, or some intermediary in between. But the gift card/code fraud seems to be pretty rampant, both in-person and online.

  28. Our bank has instant issue. We can encode cards in branch. Wonder where those cards would fall when being examined. The devices that create them are small desktop units, bet they would fail the test.

  29. I got what you imply, many thanks for posting. I’m blissful to find this site through google.

  30. So after reading this this morning i went out with the family shopping, whilst waiting at the till counter i looked at the gift cards, now being in the UK, buying gift cards requires us to choose the nice looking card, handing it to the assistant, paying the amount required and THEN the card is updated and handed back… so essentially the cards are empty.
    However, i checked a well known bookshop chain, and whilst queuing i checked the cards, and as well as the normal pay for and charge up cards for gifts there was also preset amount with the rub off activation codes…. i was quite taken with this so i asked the assistant how many times do they find counterfeit or stolen cards that are being used, the response i got shocked me.
    At least 4 times a day a problem will arise with the cards, either the funds are already empty on the card and the customer comes back shortly after buying and complains or the card is used by a youngster as a gift later and is already empty but the code hasn’t been rubbed off!!! then the customer has to prove they haven’t used it which leads to all sorts of frustrated users both shop staff and customers alike. As like most of us, i spend as little time in shops as possible, preferring to shop online so the problem is probably larger than i thought in the UK. i think i might have to go look into this a little more as its quite a good indicator for economic crime rates, but only a mere slice of the pie in totality.