10
Jan 19

Secret Service: Theft Rings Turn to Fuze Cards

Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.

A Fuze card can store up to 30 credit/debit cards. Image: Fuzecard.com

Launched in May 2017, the Fuze Card is a data storage device that looks like a regular credit card but can hold account data for up to 30 credit cards. The Fuze Card displays no credit card number on either side, instead relying on a small display screen on the front that cardholders can use to change which stored card is to be used to complete a transaction.

After the user chooses the card data to be used, the card data is made available in the dynamic magnetic stripe on the back of the card or via the embedded smart chip. Fuze cards also can be used at ATMs to withdraw funds.

An internal memo the U.S. Secret Service shared with financial industry partners states that Secret Service field offices in New York and St. Louis are currently working criminal investigations where Fuze Cards have been used by fraud rings.

The memo, a copy of which was obtained by KrebsOnSecurity, states that card theft rings are using Fuze Cards to avoid raising suspicions that may arise when shuffling through multiple counterfeit cards at the register.

“The transaction may also appear as a declined transaction but the fraudster, with the push of a button, is changing the card numbers being used,” the memo notes.
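The behavior the memo describes leaves a trace in authorization logs: several different card numbers presented at one terminal within seconds of each other, most of them declined. The sketch below is an added example, not taken from the memo or from KrebsOnSecurity; the record fields, the 60-second gap, the three-card threshold, the swipe-only filter and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    ts: datetime
    terminal_id: str
    card_token: str   # tokenized PAN; raw card numbers never belong in logs
    entry_mode: str   # "swipe", "chip" or "contactless" (hypothetical values)
    approved: bool


def bursts(events, max_gap, entry_modes):
    """Yield runs of attempts at one terminal, each within max_gap of the last."""
    by_terminal = defaultdict(list)
    for ev in events:
        if ev.entry_mode in entry_modes:
            by_terminal[ev.terminal_id].append(ev)
    for evs in by_terminal.values():
        evs.sort(key=lambda e: e.ts)
        run = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - run[-1].ts <= max_gap:
                run.append(ev)
            else:
                yield run
                run = [ev]
        yield run


def find_card_cycling(events, max_gap=timedelta(seconds=60), min_cards=3,
                      entry_modes=("swipe",)):
    """Flag bursts where several different cards were tried and most declined."""
    alerts = []
    for run in bursts(events, max_gap, entry_modes):
        cards = {e.card_token for e in run}
        declined = {e.card_token for e in run if not e.approved}
        # A retry of one card, or one fallback to a second card, stays below this.
        if len(cards) >= min_cards and len(declined) >= min_cards - 1:
            alerts.append({
                "terminal_id": run[0].terminal_id,
                "start": run[0].ts,
                "end": run[-1].ts,
                "distinct_cards": len(cards),
                "declined_cards": len(declined),
                "ended_in_approval": run[-1].approved,
            })
    return alerts


def _t(hms):
    return datetime.fromisoformat("2024-01-01T" + hms)


# Constructed sample records, not real transaction data.
SAMPLE = [
    Auth(_t("10:00:00"), "T-17", "tok_a1", "swipe", False),  # four cards in 80 s
    Auth(_t("10:00:25"), "T-17", "tok_b2", "swipe", False),
    Auth(_t("10:00:50"), "T-17", "tok_c3", "swipe", False),
    Auth(_t("10:01:20"), "T-17", "tok_d4", "swipe", True),
    Auth(_t("10:05:00"), "T-02", "tok_e5", "swipe", False),  # same card retried
    Auth(_t("10:05:20"), "T-02", "tok_e5", "swipe", True),
    Auth(_t("10:07:00"), "T-05", "tok_f6", "swipe", False),  # one fallback card
    Auth(_t("10:07:30"), "T-05", "tok_g7", "swipe", True),
    Auth(_t("11:00:00"), "T-09", "tok_h8", "swipe", False),  # minutes apart
    Auth(_t("11:06:00"), "T-09", "tok_i9", "swipe", False),
    Auth(_t("11:12:00"), "T-09", "tok_j0", "swipe", True),
]

if __name__ == "__main__":
    for alert in find_card_cycling(SAMPLE):
        print(alert)
```

Only terminal T-17 is flagged with the default thresholds; lowering `min_cards` to 2 also flags the ordinary second-card fallback at T-05, which is why the threshold needs tuning against a merchant's normal decline rate.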

Fraud rings often will purchase data on thousands of credit and debit cards stolen from hacked point-of-sale devices or obtained via physical card skimmers. The data can be encoded onto any card with a magnetic stripe, and then used to buy high-priced items at retail outlets — or to withdraw funds from ATMs (if the fraudsters also have the cardholder’s PIN).

But getting caught holding dozens of counterfeit or stolen cards is tough to explain to authorities. Hence, the allure of the Fuze Card, which may appear to the casual observer to be just another credit card in one’s wallet.

“While this smart card technology makes up a small portion of fraudulent credit cards currently, investigators should be aware of the potential for significant increases in fraud loss amounts with the emergence of this smart card technology,” the Secret Service memo concludes.

Fuze Card did not respond to requests for comment.

In many ways, it is unsurprising that thieves are turning to this new technology to perpetrate credit card fraud, which is something of a constant cat-and-mouse game that employs ever-changing techniques. For evidence of this, one need only look to the constant innovations that fraudsters come up with to deploy physical card skimmers at ATMs and retail checkout lanes.

No doubt, fraudsters engaged in money laundering via virtual currencies like bitcoin will be doubly interested in Fuze Cards in the coming months. Fuze Card says that later this year it plans to launch FuzeX, which contains the same amenities as the Fuze Card and will allow users to conduct purchases using virtual currencies.


94 comments

  1. The Sunshine State

    Good informative article.

    I wouldn’t trust those “all in one smart-card technology” credit cards.

    • Someone didn’t read the article. There isn’t a problem with the security on the card. It’s the fact that it’s being used by criminals as a vehicle for holding dozens of cards in a single card instead of holding a dozen cards. If anything this device is safer than a normal ccard as it doesn’t have the number exposed.

        • So, even the article title though it says “might” and then goes on to offer NO proof of the actual leak still makes someone cite this?

          Well, so long as it’s not clickbait, sure.

          • A wide-open vulnerability is there. They say “might” because there’s no evidence that anybody’s exploited it yet. If I take my front door off the hinges, my house is insecure, even if I haven’t seen anyone walk in.

            • The article says it has been fixed. I’m guessing you didn’t read it.

              • The company says a fix is “coming” in April.

                We all know digital devices are vulnerable. That’s why we’re here. The article demonstrates that vulnerability.

                Microsoft “fixes” Windows once a month. Sometimes more if there’s a particularly exploitable vulnerability. And, yet, extremely sensitive information is kept on airgapped, disconnected networks.

                Sorry, but no. Aggregating information in a digital format that interfaces with radios increases the vulnerability of that information. Without exception.

              • Zboot, it looks like you are the one who can’t read. It says a fix is “COMING”. That doesn’t mean it has been fixed. Stop trolling to make yourself feel smarter.

        • Fuze should have made a Bluetooth station that passed the data through the chip like Chip-n-pin tech. That way hopefully it would not be RF vulnerable in public. Of course you could always keep it in a Faraday cage, but you would always be a target anytime you use it. Not really acceptable. I’m not even sure the chip in a Chip-n-pin credit card is fully safe from RF attacks. Any transistor could react to a radio frequency, I’d guess.

          As soon as these chips appeared in credit cards I knew all kinds of schemes and technology would spring up around it. Today’s miniature circuit technology is just too advanced to keep it from happening. This is a very interesting article – my kudos to Brian for presenting this story.

          • As far as I know, the private key on chip and pin cards (EMV) cannot be extracted and copied to another card. It is generated on the card itself by its CPU and is not readable. The public key can be extracted for signature by the bank. When a signature is required, the process takes place inside the card’s CPU, therefore the private key never exits the card. Therefore it wouldn’t be possible to store multiple “chip and pin” cards on a single third party device (that is, if the EMV standard is properly implemented).

  2. This is going to prompt additional controls on cards like Fuze cards, and strong identity proofing before purchase, esp. if virtual currencies are going to be in use. While this concept is a great idea for many operational reasons, they (Fuze) are going to be the test case for a number of anti-fraud controls now that direct evidence of fraudulent use has been proven to exist.

  3. At least someone is using these things.

  4. LilRobbieCurrency

    What is happening when the actual card credential is being uploaded to the Fuze plastic via their app? Is the actual card credential being tokenized similar to that of a mobile wallet? I read their spec online and that’s not readily apparent to me…

    From a liability perspective: Looking at the Fuze card, it is chip enabled… So are we talking about true counterfeit card present EMV transactions now? Not necessarily fallback.

    • Are any financial institutions actually sharing their cryptographic keys with makers of all in one cards like Fuze? I haven’t heard of any.

      • According to the Fuze Card website, the compatibility depends on individual agreements with banks. So it appears they likely are.

        • I don’t know if that’s a good assumption. It may be largely wishful thinking on their part.

    • I’m SUPER skeptical of this functionality. If the only means of obtaining the data for the device is through your card’s magnetic strip, there are data elements that only reside on the chip that aren’t getting picked up.

      I wonder if they are simply failing to acknowledge that the cards may not work with chip-on-chip if your issuing FI actually validates the pieces of information that make a chip transaction inherently more secure than magnetic strip…

    • The answer has to be NO; a card token (PAN token) only makes sense if you can detokenize it via a lookup (or decryption). The token generation algorithms are well protected! No way an issuer, acquirer, or processor would make this available.

    • EMV is “coming in 2018” (sic) and the ones for sale do not include EMV functionality, so I wouldn’t hold my breath.

      • That is in the US. It arrived here in Europe in 2005. You cannot read out all the important data from an EMV card. Even a magstripe relies on more than the PAN and Expiry date. The PAN data from the chip are not the same as on the physical magstripe.

  5. Currently priced at $129 for a Fuze card: https://fuzecard.com/fuze_shop.html

    Even without seeing the goof fumbling with multiple cards, wouldn’t the cashier still notice the multiple purchase “decline”s?

    • Why would a cashier care if one payment is declined, as long as one works?

      No different than if you have your cards with you, one got declined and you use another

      decline does not equal fraud

      you may not have enough credit balance left, be over your balance, card isn’t reading properly, etc

      • I triggered a fraud detection on a card by buying gas too many times in one day. It was on a desert road trip. In the desert, you buy gas when you don’t need it because you just never know what can happen. I’ve had hundred mile detours in the desert.

        Apparently when someone steals a credit card physically, filling up the tank for your buddies is a thing. If you think about it, stolen gas in a tank looks just like regular old gas.

        Anyway, that led to declines of course. The key is to use cards from different companies if you plan on filling up often in one day. This also may not be a fraud detection any more since boaters are known to fill their vehicle tank and boat tank at the same station.

        Supposedly multiple purchases of athletic shoes is a trigger.

        • I would add “buying an iPad at the Apple Store in Vegas” in Vegas to this list. Happened to me.

        • That’s on the same card though, the article mentions multiple declines from different cards, so that’s not going to get flagged

          That’s also only if you’re paying at the pump, if you go to the cashier, the multiple transactions in one day on the same card for gas will get approved.

        • or if you’re going on a road trip, notify your financial institution.. i bank with a credit union, i just call them, tell them which card (debit, credit, or both) they note their file and any flags are minimized, if not eliminated…

      • After I retired from a law enforcement job, I got a job working security for a high end hotel. On a number of occasions I would see a guest checking in at the front desk with a handful of credit cards. The Front Desk Associate (almost always a high school or college student) would keep trying the different cards until one was found that went through. The hotel would rather be defrauded (and have a thief for a guest) than confront a customer who could proceed to cause a scene at the front desk (which actual thieves will always do). So you are correct – the barely trained people at the POS end really don’t care if the card is stolen.

        • Not only that, I can’t tell you how many times recently I’ve been in checkout, and my card showed declined and cashier assures me the machine does that many times a day, just try again, and then it works.

        • In most cases it’s not the hotel that’s being defrauded anyway. It’s the legitimate cardholder, and by extension their issuing bank. Unless the hotel is processing in a way that leaves them exposed, the bank won’t have any recourse to push it back to the card acceptor.

        • They’re not barely trained.

          They’re normal human beings who are unaccustomed to being confrontational law enforcement scum.

      • Multiple declines are a potential red flag. Anti-money laundering policies at companies include training for cashiers in preventing credit card fraud. If you suspect a transaction may be fraudulent, you have the right to refuse the sale.

      • “Why would a cashier care if one payment is declined, as long as one works?”

        What if the card response is not “declined” but rather “declined, destroy card”. Do they not have to destroy the card at that point?

        • that might work if they hand the card over to the cashier for payment, vs. swiping/inserting themselves.. i mean who’s gonna grab the card out of the card holders hand and then hold on to it and say they have to destroy it…

    • Cashiers are not trained to care. I had a big box store tell me that they want the criminals to have the same hassle free shopping experience that you and I have. Made me sick.

      • Steve,

        Are you advocating for cashiers to confront customers, then adjudicate a customer’s potential guilt, then render instant justice?

        How do you plan to handle the public relations nightmare that would result from your cashier courtroom?

        Are you prepared to be on the evening news as the a-hole in a viral video about your store?

        If your cashier chooses to use force to effectuate the detention of a “criminal,” will you pay for her legal fees?

        If the cashier dies because your desire to see point-of-sale justice leads to violence, will you document the funeral cost as a business or personal expense?

        Businesses let stuff go, because a pleasant shopping experience is less costly than the alternative. Being a jerk is not a smart business move.

  6. My experience is it doesn’t really matter if they are shuffling through a handful of cards or inserting the same one in multiple times the retail industry (cashiers etc.) doesn’t confront them or do anything to stop them.

    I wonder which stolen card they are using to pay the price for Fuze card?

  7. Does this mean they are somehow cloning the smart card chip? I thought that was supposed to be impossible, as that was the whole point of the chip.

    Or does this only work in magnetic stripe swipe mode?

    • Great question. I was wondering the same.

    • Not in this case, but as far as I’m concerned, anything becomes possible once you have a chip on a card. Here is just one of the many links I have on what I used to call “Cow chip and Pen”.

      http://www.theregister.co.uk/2014/05/19/chip_and_skim/

      • The chip is one part of a cryptographic handshake. It may have weaknesses of course but it’s orders of magnitude more secure than the magnetic stripe which contains the card details in the clear.

      • That article is from 2014 and describes a well-documented (by researchers – not exploited in the wild) issue with the ‘unknown number’ part of the EMV transaction cryptogram. That vulnerability – which was an acquirer implementation problem and not a weakness of the actual EMV standard – has since been fixed. One of the great strengths of the new card payment standards (EMV, payWave, PayPass) is that they’re software-upgradable – including on current cards, so the security of these standards is continually improving.

  8. Fuze isn’t EMV ready yet. They only have the magnetic stripe cards.

    If an EMV card is stored on the Fuze Card and the fraudster swipes, will the transaction error and ask for the card to be inserted?

  9. PS: card simulators, including smart card simulators, have existed for a long time. This is new packaging. If this is being used in crime maybe it needs to be regulated.

  10. Make sure your Fallback parameters are setup!

  11. Makes me ask the age old question… when will the US get chip AND pin cards like the rest of the world?

    • The US does have Chip-and-PIN for debit cards, at least.

    • The cards have them in the US, but the retailers are still playing catch-up with POS that have that feature.

      • Something like 80 percent of the chip cards issued in the US are chip and signature, not chip and PIN. The PIN only protects against lost and stolen fraud, which is a minute amount compared to other types of card fraud. Also, none of the banks want to be the hardest card to use in the customer’s wallet, so they’re doing signature for the most part here.

        • The 80% “chip & signature” CC users are very unlikely to utilize the Fuze card and the 20% “chip & PIN” CC is not supported by Fuze. At least in the US…

          Spelling the word “fuse” with a “z” makes me question the background for the inventors and the company in general. The Fuze card is seemingly designed for people purchasing CC#s on darknet. The card can be programmed manually with 30 stolen CC numbers at a time, reprogram as needed.

          It’s an interesting technology, nonetheless, with its built-in battery and charger; package comes with card scanner, smartphone app and Bluetooth connection. It’s somewhat reminiscent of Apple Pay and other NFC-based payments, that are much easier for the “chip & signature” crowd.

          • Spelling the word “fuse” with a “z” makes me question the background for the inventors and the company in general.

            “Fuze” (with a “z”) in American military English designates detonators for ammunition, e.g., a “proximity fuze” for triggering anti-aircraft shells. I wouldn’t want to carry one in my pocket. 🙂

          • Yikes, if “Fuze” is a problem, you may want to stay away from “Flickr” or “Lyft” or “Bitly”. It’s almost enough to make you think that these were deliberate spelling choices to appeal to a target demographic which translated into beaucoup real world dollars.

            Nah, no way they raised millions of dollars.

  12. I had the impression that the chip cards cannot be copied, but it seems I’m wrong.

    So, these smart-chips (which I thought had secure private keys that cannot be extracted) are just a storage device like magnetic strip?

    • A “real” EMV card contains data that cannot be read. The card contains a set of secret data that makes it able to handle a challenge-response flow from the terminal. An incorrect response to this will make the issuer decline the transaction. It is not possible to copy a physical EMV card into a “loadable card”. The way of handling multiple cards in a single device is by using mobile phone wallet technology.
      The use of an EMV card will however not protect you on the internet, as of now.

  13. Wouldn’t the transaction header include something to indicate that a Fuze card is being used and if so just outright block transactions from anything being used by Fuze?

    • For magstripe, the card would act like a perfect clone.

      I’m assuming these are just magstripe transactions…

  14. “Why would a cashier care if one payment is declined, as long as one works?”

    They’re not being paid enough to care about the company’s bottom line. If they won’t prevent some kindly grandmother from buying $5000 in iTunes gift cards to send to a crime ring, they’re not going to bother with stopping other payments fraud.

  15. and how They Know??
    lol : D
    Funny story really
    fraudsters crooks have Even Better education than the CIA FBI Mossad KGB.
    They are always one, Step ahead.. lol.
    this thing smells. bad

  16. A few snippets from Fuze’s privacy policy:

    The Personal Data may be freely provided by the User, or collected automatically when using this Application.

    Failure to provide certain Personal Data may make it impossible for this Application to provide its services.

    Any use of Cookies – or of other tracking tools – by this Application or by the owners of third party services used by this Application, unless stated otherwise, serves to identify Users and remember their preferences, for the sole purpose of providing the service required by the User.

    The User assumes responsibility for the Personal Data of third parties published or shared through this Application and declares to have the right to communicate or broadcast them, thus relieving the Data Controller of all responsibility.

    To help us deliver ads (remarketing), measure their performance, and make them more relevant to you based on criteria like your activity in our application we use cookies and pixels to tailor ads and measure their performance.

  17. Perhaps the fuze card works like Google Pay: it sends credit card data for a fuze credit card and then fuze collects the money from the real credit card. But…
    …that still doesn’t explain how you copy it.

    • According to the article, the on board chip reprograms the magnetic strip on the back of the card for each credit card and transaction. So the POS reader assumes it is the same card as the one recorded in the chip. I assume Bluetooth is the way you record your cards into the on board chip. Most chip-n-pin POS readers still have mag strip readers for compatibility in the US.

  18. Thanks for this. I was wondering how these cards could be used in a negative way. All tech can be used for good or bad. We still have a lot more work to do as we continue to go more digital with our transactions.

    Thanks again!

  19. Mikey Doesn't Like It

    It would be interesting to see if some retailers were to prohibit the use of Fuze cards. (Which is their prerogative.)

  20. By dozens you mean 30, 15 of which are membership type cards, sure, dozens.

    Bit misleading though.

  21. After reading this article and the other comments I conclude that this Fuze card is just a convenience for thieves, there is no new criminal breakthrough. The discussion seemed to wander off into the separate issue of how to counterfeit ANY card, always the problem for criminals, always.

  22. Tee hee. The online store for buying these things serves over http, not https. Either rookie mistake or cybercreeps.

  23. This card is very similar to the Curve card I use in the UK (https://www.curve.app/). The main difference is that Curve enables me to change the credit card from an app on my phone (not the card itself). The app does NOT communicate with the card. The card has its own number and expiration date, and any charges are processed by Curve, and then Curve’s servers charge the card that I have activated through the Curve app.

  24. “It may be the same size as any other card in your wallet, but Fuze Card is built for bigger things…”

  25. A very good article. My only thoughts are, come on commentators, ok, a pin in chip is part of a circuit, the reader and the chip have to be compatible for one to read the other. Because of that, the chip in the card has certain rules, or programming embedded in it. That card company modified the rules, it’s a form of cloning. Makes you wonder how long it was in the wild before coming into notice. Very interesting.

  26. I never knew the magnetic strip could be “dynamic”. This story caused me to read the following older story on that technology. https://randomoracle.wordpress.com/2012/11/13/programmable-magnetic-stripes-in-search-of-a-problem/

    Seems like the best long term secure solution is to use a phone (which brings up other issues) or a device that has more power in it and can provide better security.

    Like everything with security, until something really messy happens, companies don’t care enough to implement changes.

  27. What’s surprising is that one of these omnicards actually has survived and seems to work. Coin, Plastc, Stratos, I’d seriously given up on all of these. I’m pretty happy with Samsung Pay but not happy being locked in with Samsung and there are times, rare, that it doesn’t work.

  28. Much obliged for this. I was thinking about how these cards could be utilized adversely. All tech can be utilized for good or awful. Regardless we have significantly more work to do as we keep on running increasingly computerized with our exchanges.

    Much appreciated once more!

  29. It’s amazing how many readers are focused on the mechanics of the Fuze card, EMV, stripes, and other idiotic minutiae. It’s as though their reading comprehension was limited to the first 200 words.

    I’m far more interested in the fact that the Secret Service would have its agents issue a warning about a novel method to conduct a relatively minor financial crime during a partial federal government shutdown. This is the real story.

    The Secret Service doesn’t have a mandate to utilize taxpayer funds to protect private companies (credit card issuers) from fraud. It shouldn’t be distributing a warning like this.

  30. It’s hard for me to envision a legitimate need for this. Are there really that many people who have so many payment cards that are taking up too much room in their wallets that they need a Fuze card? As pointed out in many comments this card would be useless at the POS because no one has been able to clone the chip in the EMV cards as just about all new cards being issued are EMV.

    But also for eCommerce transactions you would need to provide the CVV on the back of the card . PCI prohibits merchants from storing that even with crypto.