30 Apr 19

Data: E-Retail Hacks More Lucrative Than Ever

For many years and until quite recently, credit card data stolen from online merchants has been worth far less in the cybercrime underground than cards pilfered from hacked brick-and-mortar stores. But new data suggests that over the past year, the economics of supply-and-demand have helped to double the average price fetched by card-not-present data, meaning cybercrooks now have far more incentive than ever to target e-commerce stores.

Traditionally, the average price for card data nabbed from online retailers — referred to in the underground as “CVVs” — has ranged somewhere between $2 and $8 per account. CVVs are almost exclusively purchased by criminals looking to make unauthorized purchases at online stores, a form of thievery known as “card not present” fraud.

In contrast, the value of “dumps” — hacker slang for card data swiped from compromised retail stores, hotels and restaurants with the help of malware installed on point-of-sale systems — has long hovered around $15-$20 per card. Dumps allow street thieves to create physical clones of debit and credit cards, which are then used to perpetrate so-called “card present” fraud at brick and mortar stores.

But according to Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in both types of data, over the past year the demand for CVVs has far outstripped supply, bringing prices for both CVVs and dumps roughly in line with each other.

Median price of card not present (CNP) vs. card-present (CP) over the past year. Image: Gemini

Stas Alforov, director of research and development at Gemini, says his company is currently monitoring most underground stores that peddle stolen card data — including such heavy hitters as Joker’s Stash, Trump’s Dumps, and BriansDump.

Contrary to popular belief, when these shops sell a CVV or dump, that record is then removed from the inventory of items for sale, allowing companies that track such activity to determine roughly how many new cards are put up for sale and how many have sold. Underground markets that do otherwise quickly earn a reputation among criminals for selling unreliable card data and are soon forced out of business.

“We can see in pretty much real-time what’s being sold and which marketplaces are the most active or have the highest number of records and where the bad guys shop the most,” Alforov said. “The biggest trend we’ve seen recently is there appears to be a much greater demand than there is supply of card not present data being uploaded to these markets.”

Alforov said dumps are still way ahead in terms of the overall number of compromised records for sale. For example, over the past year Gemini has seen some 66 million new dumps show up on underground markets, and roughly half as many CVVs.

“The demand for card not present data remains strong while the supply is not as great as the bad guys need it to be, which means prices have been steadily going up,” Alforov said. “A lot of the bad guys who used to do card present fraud are now shifting to card-not-present fraud.”

One likely reason for that shift is the United States is the last of the G20 nations to make the transition to more secure chip-based payment cards, which is slowly making it more difficult and expensive for thieves to turn dumps into cold hard cash. This same increase in card-not-present fraud has occurred in virtually every other country that long ago made the chip card transition, including Australia, Canada, France and the United Kingdom.

The increasing value of CVV data may help explain why we’ve seen such a huge uptick over the past year in e-commerce sites getting hacked. In a typical online retailer intrusion, the attackers will use vulnerabilities in content management systems, shopping cart software, or third-party hosted scripts to upload malicious code that snarfs customer payment details directly from the site before it can be encrypted and sent to card processors.

Research released last year by Thales eSecurity found that 50 percent of all medium and large online retailers it surveyed acknowledged they’d been hacked. That figure was more than two and a half times higher than a year earlier.

BIG BANG VS. LOW-AND-SLOW

Much of the media’s attention has been focused on recent hacks against larger online retailers, such as those at the Web sites of British Airways, Ticketmaster, and electronics giant NewEgg. But these incidents tend to overshadow a great number of “low-and-slow” compromises at much smaller online retailers — which often take far longer to realize they’ve been hacked.

For example, in March 2019 an analysis of Gemini’s data strongly suggested that criminals had compromised Ticketstorm.com, an Oklahoma-based business that sells tickets to a range of sporting events and concerts. Going back many months through its data, Gemini determined that the site has likely been hacked for more than two years — allowing intruders to extract around 4,000 CVVs from the site’s customers each month, and approximately 35,000 accounts in total since February 2017.

Ticketstorm.com did not respond to requests for comment, but an individual at the company who answered a call from KrebsOnSecurity confirmed Ticketstorm had recently heard from Gemini and from card fraud investigators with the U.S. Secret Service.

“It’s not just large sites getting popped, it’s mostly small to mid-sized organizations that are being compromised for long periods of time,” Alforov said. “Ticketstorm is just one of ten or twenty different breaches we’ve seen where the fraudsters sell what they collected and then come back and collect more over several years.”

In some ways, CVVs are more versatile for fraudsters than dumps. That’s because about 90 percent of dumps for sale in the underground do not come with the other consumer data points needed to complete various online transactions — such as the cardholder’s name or billing address, Gemini found.

This is particularly true when CVV data is collected or amended by phishing sites, which often ask unwitting consumers to give up other personal information that can aid in identity theft and new account fraud — including Social Security number, date of birth and mother’s maiden name.

All of which means e-commerce retailers need to be stepping up their game when it comes to staving off card thieves. This in-depth report from Trustwave contains a number of useful suggestions that sites can consider for a defense-in-depth approach to combating an increasingly crowded field of criminal groups turning more of their attention toward stealing CVV data.

“There is a lot more incentive now than ever before for thieves to compromise e-commerce sites,” Alforov said.


60 comments

  1. Goes some way to explain the prolific nature of Magecart. Ensighten ran a webinar discussing mitigation for digital payment skimming:

    https://vimeo.com/ensighten/review/317031021/53dfc3e1ce

  2. I had my personal credit card hijacked for the first time online recently. Bank detected it before I did, same day.

    First they did a small transaction for a movie ticket, about $12.
    Then they spent about $220 at ASOS.

    Interestingly enough I tried to contact ASOS asap to get them to cancel the order, but their support mechanisms aren’t set up to allow fast fraud reporting, so by the time they called me back to confirm my BIN/IIN, they’d already shipped the goods.

    I did get all my money back through chargeback process in under 2 weeks.

    • Hi Anthony,

      This was recently brought to our attention and we wanted to investigate further.

      I don’t suppose you would be able to provide more details? Could you please ping me on igor.r@asos.com?

      Many thanks,
      Igor

      • This is a very suspicious way to contact “Anthony.” You do see that correct? I don’t know the comment moderation policy here but this reply ought to be removed. This reply from “Igor” seems like a classic example of a social engineering attack based on establishing an authority. I did not find much online for this person based on the given email address that Anthony is supposedly to contact.

  3. The Sunshine State

    Another very informative article !

  4. Cool trick useful for finding which type of CC fraud is occurring…

    Get 2 Credit Card accounts from your bank… and use discipline to only use one for Online purchases, and the other is in your wallet for in person, Card-Present transactions.

    I even put tape over the numbers for my wallet card, to resist the temptation to use in a Card-Not-Present situation. Occasionally, you’ll see a cashier with a broken card reader wanting to make the purchase as Card-Not-Present.

    So if/when your card is compromised, you know with reasonable certainty if it was online or a physical skimmer. Also, you have a backup CC to continue making purchases while waiting for the bank to re-issue, and without defaulting to cash or debit card which has other limitations.

    • That’s actually really interesting and a great idea. Though, if your bank is like mine, they respond so quickly that knowing if it was online or retail is an after-thought. This happened recently to me (within the past several months) for a $150 purchase at a Walmart several states from me. When I noticed the purchase, my bank already had another CC in the mail and cancelled my current one. I really didn’t have time to care if it was online or retail since it was handled so quickly by my bank.

      • The root cause shouldn’t be an after-thought for you or the bank. Oftentimes, the bank’s fraud dept is so good and quick to remediate, they really don’t try to find out where the compromise originated. They are more focused on finding the first fraudulent charge, and not the legitimate use of the card that may have had a skimmer attached.

        It is usually up to the consumer to question their recent (or not so recent) uses of the card that may have led to the compromise.
        Maybe they went on a road trip and visited a gas station without good lighting and camera coverage.
        Maybe they made an online purchase directly to a website that let malvertisements sniff the CC form fields.

        Having multiple cards is a good way to narrow it down some and reinforce diligent behavior.

        • That’s a very good point, I hadn’t considered that. My primary concern is two-fold: (1) getting my money back and (2) ensuring this doesn’t happen again. I think, as you mentioned, by having separate cards for separate transactions, that’ll help to narrow down the where/why/how, but also it makes it so you are not without a CC while the new one is getting shipped out. Very interesting, thank you for the insight!

        • I too used one card for in person and one for the internet for several years, I used both so little, I’m down to one again. But it is good.
          About the banks not looking into where the breach was, not accurate, at least at the bank I work at. We do aggregate the data, BUT, we are not allowed to inform members of the suspect business by law. Which really bites. When Wendy’s was breached, we knew it was them, but legally our hands were tied. Our customers were upset their card was compromised and blamed us… We wanted to tell them – no it was Wendys, and you kept going there – some laws just suck.

          • It really depends on the internal goals of the fraud team I guess. But you’re right, it will never fully benefit the end user since they cannot learn from the mistake and adjust their habits. Instead it is whack-a-mole with these skimmers.

            Big breaches you would expect to get notifications, or at least the news coverage.
            But non-breach, individual compromises from those common skimmers… the individual won’t get help from the bank to avoid that likely compromised website or gas station pump.

          • Well in due respect even if you knew the card had been used multiple times at Wendy’s you can’t ever really pinpoint that as the reason they were breached. For the most part I believe every card is compromised, it’s just a matter of a) will it make it with the 4% of cards sold that actually end up on the streets or b) will the merchant ever go public if and when they ever even find out they were breached. Just my 2 cents.

    • In person isn’t safe either, lots of skimmers. Safest actually is google pay or apple pay, since they can’t be skimmed.

      And if you stick with credit card for 100% of purchases online or in person, you are never out any money and they can’t drain your bank account like a debit card. Yes I realize the money will get restored but that can take weeks, meanwhile your house payment is bouncing, and banks usually don’t give you late fees reimbursement.

      • midwestjones

        +1 for this comment but -1 for the other comments trying to figure out where the compromise happened. Does it even matter? No, not really. It’s not like you’ll be able to confront the manager and get some instant repayment or see anyone arrested for fraud/theft. Once your card number is out there it’s gone and you have no control over it.

        • Ummm… many of us have absolutely changed our habits after finding out that some stores are more prone to skimmers.
          There are a few gas stations, that may be convenient or cheap to refuel at.. but we stopped going there because of a likely skimmer compromise. We couldn’t ask the manager if they found one and what they did… but we could definitely stop going to that place.
          Same for online, digital, skimmers… once you’ve realized that it was an online purchase, and not a physical store, you start to be more careful about typing in your card number to every online merchant website, and start preferring other options, like Paypal, and Visa Checkout,… or just finding that item on Amazon instead.

    • @Joe. While I’ll admit that is some ingenuity…it will likely not yield the outcome you hope if it is for fraud purposes. What I will tell you from a bank perspective in fraud and common point of purchases (breaches/compromises) with a normal card holder with normal use is that both cards will be compromised. The misconception is that the companies/entities that are breached are limited to what is in the media but the majority never admit and/or lawyer up so much you will never know. If you ever just mysteriously got a new card in the mail from your bank….well you likely were in more than one breach so take the card in the event that fraud doesn’t occur when you need it.

      What it comes down to is the pricing of your BIN, base, expiration date of the card, and sometimes geography of where your card was compromised. I will say that YOU’RE RIGHT in the sense that most card present compromises follow the trend of card present fraud. However, many O times have I seen cards that have reached near the expiration date that were card present breached and used as card not present fraud.

      Here is a suggestion that I give to friends, and family. Most all major banks, and even mid sized banks have something called card preferences inside the banking app or online banking. You can set your card to a number of different options such as no online transactions, no overseas transactions, no transactions over X amount, no more than x amount in a day, lock the card, and many more options. I would advise anyone to use these options as a layer to mitigate fraud in addition to what the bank is already doing that you will never see.

      • I’m not sure what you are saying exactly.

        Having two cards, with two numbers does prevent having both compromised at the same time. Of course, if you give any single merchant both cards, then well, you have failed at the purchase “discipline” that keeps them separate.
        Are you talking about the bank getting breached? Because that is the only way you’ll have both cards compromised at the same time. It takes some discipline to never use both cards with the same company, but that is what ultimately provides the protection.

        Granular card preferences are great, as are liquid cards, virtual cards and many other solutions. But I disagree that most major banks offer them. Many offer the bare minimum, check the box, options that don’t really help and wind up being unused as they are inconvenient to use in real life.
        And again, those do protect against the fraud, but if a card manages to become compromised anyway… the customer still has to wait for a new card, and a backup is always a good idea. I just recommend using the backup with some purchase discipline so you can at least narrow down what might have been the bad card reader or website.

        • @Joe. I will agree that both cards with fraud charges at the same time would be rare. Compromised at the same time…not so rare. That was never the theme of my post as you never geared towards the topic of being compromised or taking fraud at the same time. I am just here simply to say that is normally not how it works. A card is compromised/breached within the range of 3-12 months from the time the fraud transaction occurred making it hard for you and the bank to locate the common point of purchase. Unless you have taken PIN fraud, the compromise wasn’t a skimmer it was malware on the terminal that infects literally chains of locations using different methods such as ram scrapes, and other.

          Having two cards only provides a cushion if you don’t use the other one. Reason being is the likeliness that both cards will be in a breach/compromise with normal use in about a year (regardless of sizing) is high. Your bank pulls a sleight of hand, or sleight of card for a lot of attempted frauds especially e-commerce. You could be getting murdered in attempts right now as I am typing this, but since the banks/processors know that it is 100% fraud they will not even alert you if they feel the threat is contained. It varies on the type of transaction, and entry mode…..but having two different cards AT THIS TIME provides no added protection.

          • Your premise is factually incorrect. You seem to be focused only on large single data breaches. 3-12 months of criminals holding onto card data? No.
            4-30 days harvesting period for ATM Skimming fraud, according to “State of Card Fraud: 2018”.

            And similar numbers for other card skimmers like on gas station pumps. For digital skimmers too, which can sit on compromised client systems and/or 3rd party ad servers that the website is using. These cards skimmers are persistently sending card data to the criminal network to be sold ASAP.

            There is no reason to hold for several months.
            Stolen card data gets used fairly quickly, pretty much as soon as they can hit the dark web and a buyer found. The “freshest” card data sells best.

            Large data breaches, where “stored” card information is stolen during a single hack/breach… is very different than skimmers. Although they make news, they are much less common a reason for fraudulent card charges. And a large scale breach is really the only reason a criminal would sit on card data for 3-12 months, so they can sell en masse, and not risk spoiling the data by selling smaller dumps quicker.

            Regarding your 2nd paragraph… no. The likelihood of having both cards compromised if you separate the types of transactions to wallet and online… is Extremely Low.
            Also, that is not how fraud teams operate. They do not just deny/contain a bunch of fraudulent charges and do nothing. They are highly regulated and MUST issue a new card. Each institution varies on how/when they alert the end user, but there are regulatory requirements for these banks when it comes to fraud. They cannot do as you suggest.

            All this is to say that having two cards, and maintaining purchase discipline is useful to narrow down the possibilities if a skimmer is the root cause. And definitely useful as a backup while waiting for a new card to arrive.

            • Well Joe I do not know what the State of Fraud 2018 says. However, I do know what the data says, talking to colleagues in other fraud teams at other banks, talking to cyber security vendors, and doing this for a long time. I will point out you’re right about actual skimmer found on ATMs, or gas station pumps….but those are never sold. They’re used right away which is correct, but they’re normally installed and cashed out by the same criminal gangs which occasionally gets caught. However, tracking bases (breaches) do you think a bank/institution really can’t see when the transaction took place (WOE window of exposure) and when the fraud happened (WOF window of fraud) to develop an average, or possibly Visa/MC/Processor didn’t give out one to their industry???? Domestically I said it correct despite what you think it should be. This is not even exclusive to the larger breaches/compromises as it is the smaller unheard of breaches which normally you will encounter as the validity rate is much higher on these compared to a well known one. You’re trying to convince me or other professionals on this thread that your methodology of using two cards for two separate uses is much safer when it just prolongs the inevitable, or you will just not see it due to very hard fraud detection work on the back end.

              Also, you DO NOT have to close a card if the transaction was successfully blocked. I do not know where you read this, or what regulation you are confusing. Every bank/institution would waste about 100x more card stock if that was the case dependent on how their rules are set up. No customer sees what rules or transactions were blocked…only the transactions that were successful. They MAY get called (or sms/email) about attempts and at the leisure of the bank/institution will they recommend re-issuing another card.

              • You should probably read the papers that are published with the actual statistics. I’ve been doing this very long as well, long enough not to trust security vendors trying to sell a solution. You shouldn’t make judgements based on anecdotes and conversations with other teams. That could be misleading as well.
                Use FS-ISAC and other formal channels information sharing.

                “those are never sold. They’re used right away which is correct, but they’re normally installed and cashed out by the same criminal gangs”
                That is exactly my point. That your assertion, “3-12 months from the time the fraud transaction occurred making it hard for you and the bank to locate the common point of purchase.”…
                is wrong and invalidating your entire premise.

                Whether sold within days or used within hours… that means it is MUCH easier for you to track down the most likely point of compromise.

                “You’re trying to convince me or other professionals on this thread that your methodology of using two cards for two separate uses is much safer when it just prolongs the inevitable”
                Are you misreading what I wrote?
                This method does not, cannot, prevent fraud from occurring, it just allows a person to possibly narrow down the point of compromise. At best it can lead to better awareness and better habits. The extra benefit is having a backup card while waiting for reissue.

                “you DO NOT have to close a card if the transaction was successfully blocked”
                Are you misreading what I wrote again, or changing your argument?
                This was never about a few blocked attempts that may or may not be fraud.
                This is what you said, “You could be getting murdered in attempts right now as I am typing this, but since the banks/processors know that it is 100% fraud they will not even alert you if they feel the threat is contained.”

                There is no such thing as “feel the threat is contained”, just because you are blocking a bunch of attacks. If an analyst misses one real fraudulent transaction, because of this illogical confidence, then the bank should fire that person. That is why no bank does this. Not in the US at least.

                If the bank is 100% certain about ongoing fraud, with dozens of attempts, they would be criminally negligent to not reissue the card at that point. Why? Because having a great true positive rate (catching a lot of fraud attempts) is not indicative of having a zero false negative rate (missing real fraud transactions).

                • I am afraid Joe we will never agree. It didn’t take long to figure out from your posts that you may work in the financial industry or not, but not directly with card related fraud. You definitely do not work for a security vendor as the breach question would have already been answered for you. FYI, a lot of the card shops discount the cards when they come within the last month of expiration regardless of base. This is typically sometimes where you see gradual to significant amounts of attempts, answering your cards immediately question once compromised….which is not the case.

                  There is no such thing as “feel the threat is contained”, just because you are blocking a bunch of attacks. If an analyst misses one real fraudulent transaction, because of this illogical confidence, then the bank should fire that person. That is why no bank does this. Again, you don’t know what you’re talking about. There will always be a false positive ratio, and fraud just will get in. It has to be adapted to the changing of the landscape. The amount of fraud that is actually prevented compared to attempted completely dwarfs successful gross/net fraud….so by firing an employee over a missed transaction review you would have a revolving door all over the country regardless institution because it is going to happen.

                  I am going to lay off this topic because it is going nowhere. I came on this thread with good intentions to offer expert advice on where the logic you presented has a couple of issues, but can be strengthened by using other practices.

                  However, since you have a habit of bringing up reports you can pay/book one of many various banking and fraud conferences around the US where you will find someone like me that will tell you how the sausage is made taking stage, or in the audience. You might even find the individuals who wrote those reports at those conferences, but I assure you in the card fraud channel you will find out quickly most of the items you wrote have conflicts if you get into a conversation and bring up this thread. Have a good one Joe.

                  • I think I admitted my distrust of security vendors, so that obviously counted me out as working for one.

                    Yes, “fresh” cards are higher value, which is why they are used quickly. My point was that your 3-12 months of sitting on cards is NOT what we see in reality. That sounds more like a general statistic related to large breaches that need to go unnoticed for a while. Not credit card fraud specific.

                    I am not sure you understand the language used in the industry. We aren’t talking about false positives. Read again. We are talking about your claim that a card could be getting “murdered with attempts” that are blocked as known fraud (which is true positive) leading to the fraud team to “feel the threat is contained”
                    This is simply not how fraud teams operate. No security team in any discipline should operate this way. And in the highly regulated financial industry, they really can’t operate this way.

                    Yes, prevented fraud vastly outnumber successful fraud. That isn’t disputed. But that wasn’t your claim. Your claim was that it could be done without issuing a new card. Nope. Reissue of a card, after the card data is definitely compromised, is still the primary means of fraud prevention.

                    My advice started out with very mild claims, of being a “Cool trick useful for finding which type of CC fraud is occurring”. Yet you attacked it as though I was claiming fraud prevention.

                    I won’t even bother claiming “authority” on an anonymous blog. It does no good for anybody here to claim “expert” status, as the advice should speak for itself.

                    If your intentions were good, then I’m sorry for vigorously defending my initial advice, but it does not conflict with how fraud prevention works. This entire argument was really about how YOUR counter arguments conflict with fraud operations and US banking regulation.
                    My apologies again, if you are not US based, as other countries may have lax regulation.

    • Advice I think I first saw here is to use one card for recurring transactions, one for everything else, and have one spare. — It’s a real pain to reset all of the recurring transactions (they’re typically bills that should be “set and forget”).

      While it’s vaguely interesting to know if your card was compromised by a reader or CNP, I don’t know of any particular value.

      General truisms: Your card details will be compromised. A given vendor that hasn’t yet been compromised is at best that, a vendor that hasn’t been compromised yet, or at worst, a vendor that hasn’t realized it’s been compromised.

      • I do find a benefit for knowing if the compromise was CNP or at a reader. Especially if I had been visiting shady gas stations or entered the card into a new website.
        It takes a bit of guessing with your bank statement, and can only really just narrow it down, but it can be useful.

        Having a 3rd one for the recurring payments is good too.

  5. I had my Chase personal credit card hijacked yesterday. Chase detected it before I did, same day.

    First, thieves did a small transaction hold at a gas station for $1. That generated a fraud alert because it was outside my normal shopping area. Bank texted me to confirm it was my transaction. I said “No”. Bank killed the card. Thieves got nothing.

    Weird thing is I have text alerts for any holds or purchases. I never got a text for the $1 hold.

    I have separate credit cards for “online”, “wallet”, and “auto payments”. It was the “wallet” card that got hacked. This will have zero impact on my life.

    • I use the Liquid reloadable debit card from Chase. I use it for all purchases; atm, online purchases, gas, and retailer. I use my mobile bank app to move funds over to card just before I execute my purchase. Takes some planning and estimating, but imo worth it. On average I have around $10 balance on card. My main debit card and regular credit cards rarely get used.

      Skimmer hit the liquid card few times at pumps, and like you I had alerts and card was killed by chase. Went into branch and picked up new liquid card one same day.

      Great product offering IMO.

      • I wish more banks did liquid cards. And I might do purchases like you, transferring funds just before purchase, but I’m always paranoid about logging into a banking mobile app in public. Too many cameras everywhere. I do have MFA too, but still, I don’t like typing in passwords in public.

        I also wish more banks did virtual cards for single use online purchases.

      • But not for customers who do not already have one.

        https://www.digitaltransactions.net/chase-replacing-prepaid-liquid-card-with-a-bank-account/
        Chase Replacing Prepaid Liquid Card With a Bank Account
        Jim Daly March 20, 2019

        Banking giant JPMorgan Chase & Co. is discontinuing its Chase Liquid general-purpose reloadable prepaid card and replacing it with a checking account called Chase Secure Banking, which has many of the same features but requires the customer to open a Chase bank account.

        Chase Secure Banking has the same $4.95 monthly fee as Chase Liquid. The new account includes a Visa debit card for payments and access to 17,500 Chase-branded ATMs, access to Chase’s mobile app and online banking, direct deposit, and other banking services. It does not provide paper checks. Current Chase Liquid cardholders can keep their Liquid account after opening a Chase Secure Banking account, but Liquid no longer will be offered to new customers, Chase said.

        • Hmmm… I like the features… but not willing to go back to $5 / month fees for something I feel should be free.

          Banks have lost my confidence since the last “fee” debacle… and they can’t be trusted to inflate those fees later, once people become dependent on such a critical security feature.

  6. I’m surprised that more credit card issuers don’t offer services such as Bank of America’s ShopSafe. It can generate limited-use and one-time-use “virtual” credit card numbers for online purchases. (The consumer doesn’t expose their real credit card info.) Once a merchant has processed a transaction with a card number, attempts by any other merchant to use the same card number will be declined automatically. CVVs of these numbers are essentially useless to criminals.

    • These are interesting developments in light of the proposed implementation of 3D Secure 2 by EMVCo, which will shift liability from the merchant to the issuing bank (or credit card company if the issuing bank has not implemented it), and the EU requirements under PSD2 to authenticate transactions, which come into effect in September. The credit card companies should be leaders in this field but they always seem to be playing catchup. It would be helpful if they engaged actively with developers like us who have working solutions that will fix these problems.

    • Could be because while the solution protects the customer it doesn’t protect the payment processor, as the code can still be phished and used. Also it would appear to be poor CX, and the payment processing industry is super competitive, so anything that annoys users is generally not seen as a good solution.

      • Users of these one-time-use virtual credit card systems can create card numbers that expire in a month, and can set the exact amount of credit that can be charged against it. Even if they were to get phished, the numbers’ limited validity period and credit amount would make them much lower value to criminals, as they’re like ripe bananas that have to be sold before they become trash.

        Although using a virtual card system is a bit more cumbersome than pulling a card out of a wallet to read the number, it’s hardly annoying. As a user myself, I find it comforting to know that once I provide one of these numbers to a merchant, it doesn’t matter to me (or the merchant or my bank) if the number subsequently gets stolen, because it’s worthless for any other transaction.

        • Unfortunately phishing sites don’t discriminate and don’t wait to relay the data captured. It’s best not to use device keyboards and numbers at all for user code entry.

    • Citibank has a virtual account number generator, which I would gladly use the heck out of if only they didn’t have terrible support for it. Unfortunately it uses an ancient Flash app in the browser, which I have long since uninstalled. They also have a Windows exe that I could never get to work. So I just charge stuff to the main number, and if that gets pwned, I let Citibank clean up the mess.

      I really wish they would fix it to be useful. I get the impression though that most people do not care about CC fraud since they are not liable, so they exert no pressure on the bank to fix it.

  7. Over the last 7 years I’ve had my credit cards hijacked 4 times. As a result I’ve set up both ‘card not present’ and ‘card charge over $xxx’ alerts to circumvent the bad guys.

    Unfortunately, last time they did their deed in Florida in the early morning while I was still sleeping in California. But when I awoke the alert was there and I was able to immediately contact the bank and mitigate the damage.

    I’m amazed how quickly these alerts are sent out – I make an online purchase and the alert arrives on my phone within 5 seconds. I’d urge anyone that has the ‘alert’ capability at their bank to use it.

    • Yes, on setting text alarms for “large withdrawals” (you set that limit easily), and almost as soon as a transaction is done, a text buzzes in.

    • I get texts and emails from my bank for every transaction on my accounts, save one.

      The bank, which I shall not name (but does ride a stagecoach) offers no notification option* for ATM debit card cash withdrawals.

      Deposits, debit card (Visa) CC purchases, CC purchases, daily balances, and everything else I can get notifications for, for days.

      (* They do offer “an app for that” but wtf dudes? You have no problem notifying me every time money goes into the account but I need an app to see when cash comes out?)

  8. Good tips here.

    But how do you get an alert/notification if you are in Europe?

    • During my recent trip, I received notifications via email for any purchases I made using the CC. I usually received notifications via a mobile device, but since I do not have international data, it’s no use. I have to call the international # to report if there are any fraudulent activities. For the rest of my CCs that I won’t be using, I freeze them before traveling.

    • If you’re a T-Mobile US customer, you get no-charge international texting and 2G data on most plans, so that shouldn’t be an issue. Always alert your card companies when you are going to be away from your home area to avoid potential issues.

  9. Great story Brian. I live in the PNW and was in NY for a few days. Had an afternoon flight, and my card was skimmed in Penn Station buying a train ticket to Newark. Sure enough my card was counterfeited and used in the morning the very next day at a restaurant in the PNW. I was very surprised at the quick turnaround time with my card data by the fraudsters.

  10. In December 2018 I noticed fraudulent charges on my Citi credit card, which I carefully monitor. I immediately contacted Citi; they canceled the card and sent me a new one. I updated my info with all of my online billers, and used the card for another 3 weeks or so until I again had fraudulent charges to Apple iTunes (which I don’t use) and Netflix (which I pay from PayPal, so Netflix does not have my card number). I again contacted Citi, the account was closed and a new card issued. Once again, I updated my info with all of my online billers. A couple of weeks later, I once again had a fraudulent charge to Netflix. After contacting Citi again through multiple chat sessions, I learned that each time they had shared my new card number with “Reputable Billers” for my convenience. I demanded that they NOT share my new card number with anyone, as I update my info with my billers directly. I had no idea that they shared my new card number with anyone, and I’m convinced that this is how my card was repeatedly compromised after the initial event. I have had no problems since.

    • Your bank’s processor (if not in-house) and the networks share the new card info with recurring merchants. The bank or credit union might not have a choice. Basically, if the account, name, and address match, then these merchants will rotate to the replacement card. If you pay bills with your card, it is convenient…and you already know the downside. Hate to say it, but close your checking and open a new card if your bank is unable to stop it after your second fraud report.

  11. Brian, Would be VERY interesting to see a follow-up piece to this article, focusing on how credit card fraud impacts retailers (both brick & mortar and e-comm) through the chargeback process. Cardholders may have their CVV purchased on the dark web & fraudulently utilized, but ultimately we receive our money back from our credit card company. It is the merchant that gets stuck with the loss via a chargeback (and loss of merch that could be otherwise resold to a legit customer) for processing the fraudulent transaction. Hope you may consider a follow-up piece. Thank you!!

    • Merchants don’t get stuck eating the cost of selling merchandise or services to criminals. Every penny is covered by the banks that issue the cards, as long as the CVV is collected.

      Merchants don’t care and won’t take extra steps to verify that the purchase is actually being made by the authorized cardholder, because there’s no penalty.

      Amazon is among the largest beneficiaries of online card fraud, aside from the criminals themselves. They process twice as much fraud as normal stores (1), but don’t suffer for it. I estimate that 6% of Amazon sales income would vanish if they eliminated sales to card criminals.

      (1) https://abcnews.go.com/Business/credit-card-theft-crooks-shop-best-buy-target/story?id=9931006

  12. Rube Goldberg's Razor

    I have techno-Down syndrome, so this may not be a viable idea; but what if an online order were placed on hold for fulfillment and shipping, until verified (or denied) by the actual owner of the credit card, based on where the purchase is to be shipped? If the card owner’s home address (or other address pre-approved by the owner) is not the address to be shipped to, an instantaneous e-notification to the cardholder would be auto-generated and sent to the cardholder’s various e-devices. This would make it more complex to order a gift to be sent to your brother in Kalamazoo for his birthday, but it would prevent an enormous percentage of these false purchases. Again, I write from Gilligan’s Island’s Coco-Shell Low-Tech Labs.

    • Hillary Clinton's Left Nut

      I think that’s an interesting idea, it’s almost like a two-factor authentication of credit purchases in a sense. Though, I do think that will put a major annoyance on the credit card holder. I just see it being rather annoying and I think the users will think so too which will lead them to eventually disable the feature.

      “Did you make this purchase?”
      “Yes.”
      “Is it supposed to go to this address?”
      “Yes.”
      “Are you suuuuure?”
      “…..YES!”

      • Michelle Obama's Skirt Bulge

        2FA for credit cards… now that’s interesting

        • Kind of like chip-and-pin?

          Theoretically one could have a card reader attached to your PC with an interface to the browser, which would allow an online order to authenticate with the chip. The vast majority of people would never bother to do this.

          In some ways, the greatest limitation to security is that the vendors all want to make it seamless for end users. If you make it too complicated, lots of users will just go elsewhere. So instead we are stuck with dumb stuff like sending PIN numbers to cellphones.

          • My bank already forces me to do this for online shopping using my CC. I have a card reader to use for my CC in combination with a PIN and a code generated by the website.

            Having the option disabled is not an option.

  13. Almost correct.
    But you missed a major point.
    There has been a huge change in the fintech industry.
    A lot of new digital players are on the market.
    Players like Stripe etc.

    So there are more possibilities to cash out the CVVs.
    There are also a lot of new online banks appearing on the Internet.

    Reloadable debit cards (you can load them with CVVs).
    Cashout through apps from your local app store.
    Mobile game fraud etc.

  14. I have used Citi card virtual numbers for all my online purchases for over 10 years and have always felt very secure, as each number is for a specific amount and time limit. I just hope the hackers don’t find a way to use the virtual number to track back to your real credit card number to which the virtual number is tied.

  15. I, too, use virtual card numbers, but from Bank of America, which is, apparently, the ONLY other bank in the USA that has virtual numbers. Just yesterday I ran into a MAJOR PROBLEM that was completely caused by, in my opinion, the STUPIDITY of Bank of America.

    And, then, their attempt to fix the problem made the problem worse, caused, once again, by what I view as their incompetence.

    I had previously generated virtual numbers that I stored with my health insurance, electric company, cell phone company, landline company, grocery delivery, pet food delivery, Netflix, etc. I can register those numbers and just use them over and over each month for a year. As I make one-time purchases at other websites, I generate a virtual number as needed. So, at any one time, I may have 30 to 50 active virtual numbers. That has never been a problem.

    Yesterday, I tried to create a new number at 11:30 AM and it gave me a message that said, “A system update is in progress.” I knew immediately that that message HAD to be wrong since we all know that banks do not update their systems during the daytime. That is reserved for overnight.

    I called them and the rep said, “No, we are not updating anything. You have hit the limit on the number of virtual card numbers.” That was puzzling since I had 29 active numbers at that time and she told me the limit was 60! I asked how that could be and she told me that SHE can see, but I cannot, that there are 31 expired numbers still visible in her system that bring it to the limit. I said to her, “Well, what do I care about expired numbers? Just make it work.” She told me that she would message another department and have them delete the expired numbers and I could use it again in 2 hours. So, 2 hours later I signed in and I found ALL of my virtual card numbers gone!

    They had deleted everything.

    Do you know what a pain it is to now have to generate all new virtual numbers and then go to EVERY SINGLE website, health insurance and electric and so on, and enter all new card information?

    So, you can see that B of A’s stupid handling of the problem only made it worse. But there’s more!

    Why is the limit so LOW to begin with? This is the 21st century; practically no one pays bills with checks, so virtual card numbers would be even MORE useful in 2019 than they would have been in any prior year. Why is BOA so stupid as to set so low a limit?

    I called them again to complain and found out from a supervisor that the ACTUAL limit is 40! The woman who told me 60 was wrong.

    The supervisor told me that the limit USED TO BE 500, which is why I never ran into the problem in the 10 years prior, and they had made a system change on April 5 that lowered the limit to 20!!

    He told me that they got such an ANGRY RESPONSE to the limit of 20 that they just increased it to 40.

    I’m still wondering why they didn’t leave the limit higher. Are they TRYING to make me use my card LESS? I thought the banks try to give you incentives to use your card for MORE transactions.

    I told BofA that this change is just stupid stupid stupid.

  16. Chase has a pretty good and fast transaction notification. I frequently receive alerts as my card is pulled from the chip reader. I find it lacking in their policy, though. Gas station charges (including convenience stores) have no amount. My pay-at-the-pump alerts don’t arrive until the receipt prints, when the final amount is available. The explanation is holds, and the merchant chooses their own category. Yet at restaurants, where the initial amount often changes for tips, the alert arrives as fast as any other. This is inconsistent, and leaves alerts less useful to detect fraud when more than one household member makes valid charges.

    Amex alerts seem to me to be quite useful.

    I have another card where alerts arrive a day or so after the fact, OK I guess, but my or my wife’s memories are not improving with age.

    My takeaway from this article is that it is time to inform friends and family of the changes and where to be cautious.

  17. Selling user data to third-party sources is not acceptable, because they might not know how these third parties use the data.

  18. I am Australian, so have ‘chip&pin’ credit card for ‘card present’ transactions.

    For ‘card not present’ transactions, when PayPal is not an option, I use a Commonwealth Bank ‘Travel Money’ or National Australia Bank ‘Traveller’ debit card. These are designed to replace the old paper travellers cheque system. I simply transfer the minimal dollars required into the card before making a purchase, and if the card is compromised, the bank cancels the primary card and I switch to using the secondary (they are issued in primary/secondary pairs).

    A few years ago, one of these cards was compromised and drained for small purchases in Mexico and Canada while I was still physically in Australia. The bank promptly cancelled the primary card and refunded my money.

    ….. Paradox