January 10, 2019

Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.

A Fuze card can store up to 30 credit/debit cards. Image: Fuzecard.com

Launched in May 2017, the Fuze Card is a data storage device that looks like a regular credit card but can hold account data for up to 30 credit cards. The Fuze Card displays no credit card number on either side, instead relying on a small display screen on the front that cardholders can use to change which stored card is to be used to complete a transaction.

After the user chooses the card data to be used, the card data is made available in the dynamic magnetic stripe on the back of the card or via the embedded smart chip. Fuze cards also can be used at ATMs to withdraw funds.

An internal memo the U.S. Secret Service shared with financial industry partners states that Secret Service field offices in New York and St. Louis are currently working criminal investigations where Fuze Cards have been used by fraud rings.

The memo, a copy of which was obtained by KrebsOnSecurity, states that card theft rings are using Fuze Cards to avoid raising suspicions that may arise when shuffling through multiple counterfeit cards at the register.

“The transaction may also appear as a declined transaction but the fraudster, with the push of a button, is changing the card numbers being used,” the memo notes.

Fraud rings often will purchase data on thousands of credit and debit cards stolen from hacked point-of-sale devices or obtained via physical card skimmers. The data can be encoded onto any card with a magnetic stripe, and then used to buy high-priced items at retail outlets — or to withdrawn funds from ATMs (if the fraudsters also have the cardholder’s PIN).

But getting caught holding dozens of counterfeit or stolen cards is tough to explain to authorities. Hence, the allure of the Fuze Card, which may appear to the casual observer to be just another credit card in one’s wallet.

“While this smart card technology makes up a small portion of fraudulent credit cards currently, investigators should be aware of the potential for significant increases in fraud loss amounts with the emergence of this smart card technology,” the Secret Service memo concludes.

Fuze Card did not respond to requests for comment.

In many ways, it is unsurprising that thieves are turning to this new technology to perpetrate credit card fraud, which is something of a constant cat-and-mouse game that employs ever-changing techniques. For evidence of this, one need only look to the constant innovations that fraudsters come up with to deploy physical card skimmers at ATMs and retail checkout lanes.

No doubt, fraudsters engaged in money laundering via virtual currencies like bitcoin will be doubly interested in Fuze Cards in the coming months. Fuze Card says that later this year it plans to launch FuzeX, which contains the same amenities of the Fuze Card and will allow users to conduct purchases using virtual currencies.

94 thoughts on “Secret Service: Theft Rings Turn to Fuze Cards

  1. Blake Wood

    This is reminiscent of the warnings that came out about ApplePay being used by fraudsters for similar reasons. Kind of makes you wonder if these warnings are issued to be picked up by the press as a way to attach new FinTech to slow it down. A lot of that is also going on with cryptocurrencies right now. It’s a brave new world with more payment innovations on the way so get used to it!

    1. Vog Bedrog

      It’s just media pandering – if a significant share of their audience are nervous about new banking technology, they’ll run stories about how ‘scary’ new banking technologies are. Echo chambers feeding profit centers.

  2. Bill Castle

    Interesting article. What caught my attention was how this relates to the threat to payment terminals posed by chip cards. Brian has several articles on this subject. I highly recommend them to anyone that manages payment terminals.

    I’ve been doing some non-scientific research, and a large number of retailers have reported their terminals being “locked up” by customer chip cards. A couple of people even reported it taking down their POS system in the back office.

    These Faze cards point out how much computational power can be packed into a credit card format. Think about it. These devices have a display to load and manage cards, input devices to interact with it, and enough space and computing power to store 30 credit cards. I expect the 30 card limit is arbitrary too. The actual card information would take up almost no space. I’m sure they could easily store hundreds or thousands of cards.

    So that strong a computer can fit into a credit card format and have physical contact with the payment terminal.

    We’ll probably see an article soon where they’re compromising the Fuze cards to take over this ready made hacking tool.

    1. Rob Shein

      Actually, there is one flaw in this article.

      If you look at the pictures that Fuze has of their card, they almost all sport a chip. Reading the FAQ and other parts of their website, there are statements about it having an EMV chip. But in truth, the product they sell has no such chip, nor does it have contacts on its surface to emulate one. There is no product today which allows you to effectively store the identity of one or more other chip-based cards (whether they use EMV or chip-and-pin); every product that has ever come to market like Fuze is magnetic-stripe-only.

  3. Jashon martin

    We are the independent group of cyber security that helps you to grow your business better. Protecting you and your business from fraudsters and saving your money from useless payments which will give you no result as it should do.

    For more information click on the website link given below

    1. Orph Gibberson

      Your computer skills are quite obviously formidable…

      1. Rob Shein

        He had me at “group of cyber security.”

        Why have just one cyber security when you can get a whole group of cyber security at the same time? Sign me up for that!

  4. Jashon martin

    We are the independent group of cyber security that helps you to grow your business better. Protecting you and your business from fraudsters and saving your money from useless payments which will give you no result as it should do.

    for more information contact us on our website ,link is given below

    1. Orph Gibberson

      It’s actually quite difficult to remember to include the link that is the main point of a message. Could happen to anyone. Your attention to detail bodes well for those who purchase your security services.

  5. Christoph

    Since the presentation of the card data via the chip interface can obviously not be a full EMV transaction (chip does not have the keys for a cryptogram) this would come through as a fallback transaction, I suppose?

    More reason for issuers from the developed world to decline magstripe fallback at chip terminals from developing countries like the US, until finally the terminal base gets mature. One would have thought that US terminal manufacturers and providers could have learned how to implement this properly from pretty much all other regions of the world .

  6. Tom

    The fuse card is no different from other digital wallets which allowed criminals to store multiple cards on one device. What is the real value to the criminal? Is it really because the criminal does not want to shuffle through mounds of credit cards while at the register. I highly doubt it. I would imagine the main purpose of the fuse card to a criminal is to have their transaction look like normal legit transactions. Allow me to explain. When a criminal uses a magnetic reader an writer to encode his stolen credit card numbers to a cloned card the information is stored within the metal particles of the magnetic strip. When any payment card is swiped at the register it has a magnetic signature much like when you view a EEG machine monitoring heart activity. Legit cards have a similar magnetic signature opposed to cloned cards. Cloned cards magnetic signature is so obvious it is easy to detect the irregular signature before the payment is even processed; Here is where the Fuze card benefits the criminal. The Fuze card’s magnetic strip looks just like all legit payment card signatures which allows the criminal to bypass security features of the POS machine to process his/her order. Of course you are thinking the Fuze card does not have a chip included so how do the criminals use stolen chipped cards or EMV’s to process orders? The reality is only the low level criminals are going into storefronts and processing stolen credit cards most sophisticated carders build fake business along with fake websites then get approved for merchant accounts which do not require the administrator uses a chipped card processor (only swipe) like square,PayPal, or stripe; these processors allow you to swip chipped cards without having to be restricted by chip. In the event a low level criminal needed to use a Fuze card in a storefront then he would simply remove a chip from an old chipped card an then paste the chip on the Fuze card then blanket chip with superglue. The cashier will try to process the chip 3 times then the POS machine would allow the card to be swiped as if it did not have a chip.

Comments are closed.