10
Jan 19

Secret Service: Theft Rings Turn to Fuze Cards

Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.

A Fuze card can store up to 30 credit/debit cards. Image: Fuzecard.com

Launched in May 2017, the Fuze Card is a data storage device that looks like a regular credit card but can hold account data for up to 30 credit cards. The Fuze Card displays no credit card number on either side, instead relying on a small display screen on the front that cardholders can use to change which stored card is to be used to complete a transaction.

After the user chooses the card data to be used, the card data is made available in the dynamic magnetic stripe on the back of the card or via the embedded smart chip. Fuze cards also can be used at ATMs to withdraw funds.

An internal memo the U.S. Secret Service shared with financial industry partners states that Secret Service field offices in New York and St. Louis are currently working criminal investigations where Fuze Cards have been used by fraud rings.

The memo, a copy of which was obtained by KrebsOnSecurity, states that card theft rings are using Fuze Cards to avoid raising suspicions that may arise when shuffling through multiple counterfeit cards at the register.

“The transaction may also appear as a declined transaction but the fraudster, with the push of a button, is changing the card numbers being used,” the memo notes.

Fraud rings often will purchase data on thousands of credit and debit cards stolen from hacked point-of-sale devices or obtained via physical card skimmers. The data can be encoded onto any card with a magnetic stripe, and then used to buy high-priced items at retail outlets — or to withdrawn funds from ATMs (if the fraudsters also have the cardholder’s PIN).

But getting caught holding dozens of counterfeit or stolen cards is tough to explain to authorities. Hence, the allure of the Fuze Card, which may appear to the casual observer to be just another credit card in one’s wallet.

“While this smart card technology makes up a small portion of fraudulent credit cards currently, investigators should be aware of the potential for significant increases in fraud loss amounts with the emergence of this smart card technology,” the Secret Service memo concludes.

Fuze Card did not respond to requests for comment.

In many ways, it is unsurprising that thieves are turning to this new technology to perpetrate credit card fraud, which is something of a constant cat-and-mouse game that employs ever-changing techniques. For evidence of this, one need only look to the constant innovations that fraudsters come up with to deploy physical card skimmers at ATMs and retail checkout lanes.

No doubt, fraudsters engaged in money laundering via virtual currencies like bitcoin will be doubly interested in Fuze Cards in the coming months. Fuze Card says that later this year it plans to launch FuzeX, which contains the same amenities of the Fuze Card and will allow users to conduct purchases using virtual currencies.

Tags: , ,

93 comments

  1. This is reminiscent of the warnings that came out about ApplePay being used by fraudsters for similar reasons. Kind of makes you wonder if these warnings are issued to be picked up by the press as a way to attach new FinTech to slow it down. A lot of that is also going on with cryptocurrencies right now. It’s a brave new world with more payment innovations on the way so get used to it!

    • It’s just media pandering – if a significant share of their audience are nervous about new banking technology, they’ll run stories about how ‘scary’ new banking technologies are. Echo chambers feeding profit centers.

  2. Interesting article. What caught my attention was how this relates to the threat to payment terminals posed by chip cards. Brian has several articles on this subject. I highly recommend them to anyone that manages payment terminals.

    I’ve been doing some non-scientific research, and a large number of retailers have reported their terminals being “locked up” by customer chip cards. A couple of people even reported it taking down their POS system in the back office.

    These Faze cards point out how much computational power can be packed into a credit card format. Think about it. These devices have a display to load and manage cards, input devices to interact with it, and enough space and computing power to store 30 credit cards. I expect the 30 card limit is arbitrary too. The actual card information would take up almost no space. I’m sure they could easily store hundreds or thousands of cards.

    So that strong a computer can fit into a credit card format and have physical contact with the payment terminal.

    We’ll probably see an article soon where they’re compromising the Fuze cards to take over this ready made hacking tool.

    • Actually, there is one flaw in this article.

      If you look at the pictures that Fuze has of their card, they almost all sport a chip. Reading the FAQ and other parts of their website, there are statements about it having an EMV chip. But in truth, the product they sell has no such chip, nor does it have contacts on its surface to emulate one. There is no product today which allows you to effectively store the identity of one or more other chip-based cards (whether they use EMV or chip-and-pin); every product that has ever come to market like Fuze is magnetic-stripe-only.

  3. We are the independent group of cyber security that helps you to grow your business better. Protecting you and your business from fraudsters and saving your money from useless payments which will give you no result as it should do.

    For more information click on the website link given below

  4. We are the independent group of cyber security that helps you to grow your business better. Protecting you and your business from fraudsters and saving your money from useless payments which will give you no result as it should do.

    for more information contact us on our website ,link is given below
    http://medsonlinejack.us

    • It’s actually quite difficult to remember to include the link that is the main point of a message. Could happen to anyone. Your attention to detail bodes well for those who purchase your security services.

  5. Since the presentation of the card data via the chip interface can obviously not be a full EMV transaction (chip does not have the keys for a cryptogram) this would come through as a fallback transaction, I suppose?

    More reason for issuers from the developed world to decline magstripe fallback at chip terminals from developing countries like the US, until finally the terminal base gets mature. One would have thought that US terminal manufacturers and providers could have learned how to implement this properly from pretty much all other regions of the world .

Leave a comment