
Secret Service Warns of Chip Card Scheme (krebsonsecurity.com)

Brian Krebs reports on a new scheme in which new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports: The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.
  • by zm ( 257549 )

    Use it.

    • Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?
      • by glitch! ( 57276 )

        Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?

        I have a debit/atm card from my bank. The ATM requires the PIN, but I just used it with a merchant and they did not take a PIN, but a signature on a receipt. So your answer is "yes", at least for merchants.

      • by mjwx ( 966435 )

        Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?

        Yes, there are two methods.

        1. The numbers on the front of the card allow you to make transactions online without even using the PIN.
        2. Contactless payments under £ do not require a PIN.

        PINs are not great security when they aren't required. This is why we need to have two factor authentication but banks will never permit that as we'd all go back to using cash (which they can't skim a percentage off the top of).

        • If you make the merchants and banks liable for the fraud against their customers, then things will change. Things will not change until this happens. End Of Line

      • by e3m4n ( 947977 )

        Yes, in the US, when you're at a POS terminal (point of sale, not piece of shit), you're given 2 options: Debit and Credit. Debit really means ATM, at which time you have to use a PIN number, and any sort of cash-back is forfeit. Credit technically is what they used to call 'debit', in which it's using Visa or MasterCard clearing houses to withdraw your cash and earns you 1-2% cash back, no PIN required. They used to compare the signature on the back of your card to your signed slip, but that doesn't work no

    • by Anonymous Coward

      PINs only hurt consumers since banks assume if the correct PIN was entered that you are at fault. I worked for a grocery store chain with well over a thousand locations that saved them. I even got hit myself with someone that used a cloned magstripe at Fry's with my PIN. I ended up having to pay the >$800 anyway after my bank threatened to sue me.

      • If the statute of limitations hasn't run out, sue the bank for the money and subpoena Fry's for their camera footage.

      • Which is why I always use a credit card. Aside from the interest-free loan (since I always pay it in full), my liability is limited to $50. The one time when an old card was used for a fraudulent transaction, I actually paid nothing.
    • If they can intercept the card, and send it on to you without you suspecting anything, they can probably intercept the PIN and do the same to that.

      • by mark-t ( 151149 )
        How would they do that, exactly, when you set your own pin at the bank branch?
        • I wasn't aware that you do that in the US - in the UK, you get sent an initial PIN in the post, separately to your card, and you can change it at any ATM. If the card is a replacement to one issued previously, it continues to work with the old card's PIN and you do not get sent a new one.

  • OK, how about a 2-stage activation:

    When you first activate it, the first time you use it you will get an alert and have a few days to do a second activation.

    Until the 2nd activation goes through, you will get an alert on all charges and if it's a high-dollar charge or even a medium-dollar charge at someplace that's not "normal" for you, the charge will be declined and alarms would go off at the bank and on my phone or email.

    So, if someone pulls the switcheroo on my card they might be able to buy a $100 TV a

    • Nah, no need for such complexity - most non-US banks issue users with card readers that generate one time PINs for use in authenticating online and activating cards, so just require those in the US. It won't work without the proper chip in the card, so job done...

    • I assume these cards are being swiped from mailboxes, because the penalties for Postal employees tampering with the mail are pretty severe. If that's the case, just send the cards via certified mail, that should solve the problem.
      • The penalties for stealing mail from a mailbox and opening it are very severe as well.

        • by lgw ( 121541 )

          Aren't these being sent to corporate mailboxes? As soon as the mail is handed off from a USPS employee to a private mail contractor, the severe laws all vanish.

      • by cstacy ( 534252 )

        Every time I have had something stolen from the mail, it was a USPS employee. It usually happens at the distribution point, before it is assigned to a delivery man.

        They don't usually catch them, and even certified packages go missing and you can't get your money back.

        Twice I have had relatively small packages containing audio/electronic items (e.g. MIDI devices) stolen this way. Filling out forms does nothing. IG does nothing. Package trace log shows the item at the postal distribution warehouse, where it

      • by e3m4n ( 947977 )

        OMG, I met one! I finally met one! You're one of those mythical people I read about that believe making a law somehow stops crime. "we need to ban this", "we need better gun control to stop criminals from getting guns", "we need a law that says...". How are you not beside yourself that criminals *gasp* don't give a shit about laws? There are two groups of people that think laws don't apply to them: a) criminals, b) elected officials. One can certainly argue that b. really is a member of a. with more damage

        • Huh? My point was that certified mail requires a signature and so should solve a mailbox theft problem. Not everything is about guns, dude.
          • by e3m4n ( 947977 )

            Your comment was that a postal employee could not be the culprit because there is a law that would punish a postal employee for stealing, therefore it could never be a postal employee. In most cases it is in fact occurring at the hub distribution centers. You implied the presence of a law implies no one would dare disobey it. I felt it necessary to give you multiple examples of how far from true that is. Organised crime usually always facilitates the need of having an inside man to complete the job.

            • There are always some assholes who break the law. That doesn't mean laws are useless. If we said fuck it and didn't have any laws because some people break them, society would collapse quickly. Look, I worked in a Post Office in a previous life, and while theft does occur, the penalties DO discourage most people from trying. The only ones that do are idiots, because it's completely not worth it. We're talking federal prison time. You don't make laws because you expect them to be universally obeyed; yo
              • by e3m4n ( 947977 )

                Laws exist so you can punish the lawbreaker, agreed. There is quite a bit more fraud in the post office than you may be aware. It's possible you worked at a branch and were fairly isolated in this respect. Even in the 90s there was some reality 'cops' style show that followed postal inspectors. They in fact do more than just look for drugs being mailed. They spend a great deal of time investigating postal employees. One episode indicated that some branch in NYC were using 'temps' to do deliveries. Well, this o

          • by lgw ( 121541 )

            My point was that certified mail requires a signature and so should solve a mailbox theft problem.

            Mailbox theft seems unlikely here.

            As far as "requires a signature", I once received a check for about $30k mis-delivered to me by certified mail. Postal carrier took my signature and went on about his day. Fortunately for the intended recipient, they were close by and I didn't mind walking it over.

    • by mark-t ( 151149 )

      Simpler solution:

      You activate it by putting it into an ATM for your bank and entering your current PIN.

      If you don't have a PIN, you go to your bank and set one up. They should be able to spot a tampered card even if you can't.

    • by Leuf ( 918654 )
      The other day my cc got used to make a $5 donation to some Christian website that I had never heard of. The charge got flagged as fraudulent and I got an alert. It's puzzling as to how they got the info and why they only charged $5 to it. I guess hoping to fly under the radar. Equally puzzling is how the bank managed to correctly flag that tiny charge as fraudulent. My point being that current fraud detection is already better than what you are suggesting. The tricky part would be with new customers w
      • by ColaMan ( 37550 )

        Equally puzzling is how the bank managed to correctly flag that tiny charge as fraudulent.

        It's the same as with Google's spam detection: you just see one transaction on your card, but the bank sees hundreds of similar transactions on hundreds of cards.

      • by TheRaven64 ( 641858 ) on Friday April 06, 2018 @03:45AM (#56391423) Journal
        It's one of two things. Either the transaction itself correlated with fraudulent transactions, or the transaction didn't correlate with your own spending habits. Banks build fairly complex statistical models of spending and flag any outliers as potential fraud. The most amusing one of these for me was the registration fee for a DARPA PI meeting. Apparently my bank believes that paying money to the US government correlates strongly with fraud. Somewhat less helpfully, they insisted on calling me during UK business hours (i.e. in the middle of the night where I was) to confirm. After a very grumpy 4am conversation (the third time they'd woken me up that night, but the first time I'd managed to get to my phone before it stopped ringing) they gave me a 24-hour number that I could call from anywhere in the world.
      • by davidwr ( 791652 )

        The other day my cc got used to make a $5 donation to some Christian website that I had never heard of.

        That was a smart crook.

        1) It validated the card was good or not.

        2) If their victim was married, he might wait to call the bank until he talked to his spouse, because "giving to charity" is something many people would do without checking with their spouse first. This buys the crook time to do real damage.

        3) Giving small amounts to charity is something a lot of people do, so it's less likely to be flagged by the bank as suspicious than, say, spending money at a far-away-from-the-victim brick-and-mortar sto

      • by e3m4n ( 947977 )

        I suspect it got flagged because there were already reports of fraud and stolen funds in which, just prior to large amounts of theft, a $5 donation was donated to the same charity in order to verify the card is in working order before they hit it with a larger withdrawal. Once they realize that they have a large number of reported fraudulent charges, and in every case there is a small charge to a common place, they flag that place and trigger an alert. I suspect that these card companies probably share a secu
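The two explanations given in this thread for how a bank catches a $5 probe (TheRaven64's per-account statistical outlier, and ColaMan's and e3m4n's cross-card correlation of a small "test" charge with later confirmed fraud) can both be written as simple screening rules. The following is an added illustration, not code from Slashdot, Krebs or any bank: the ledger is constructed sample data, the 3-sigma threshold and the "three or more cards" minimum are assumptions, and a real issuer's models are far richer than this.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_HISTORY = 4   # assumed: need this many past amounts before judging an outlier

# Constructed sample ledger, in chronological order: (card, merchant, amount, confirmed_fraud).
# Cards B, C and D each saw a $5 "charity-x" charge immediately before a large confirmed-fraud purchase.
LEDGER = [
    ("A", "grocer", 42.10, False), ("A", "coffee", 4.75, False),
    ("A", "grocer", 55.00, False), ("A", "fuel", 38.20, False),
    ("B", "grocer", 30.00, False), ("B", "coffee", 4.50, False),
    ("B", "fuel", 41.00, False), ("B", "charity-x", 5.00, False),
    ("B", "electronics-far", 480.00, True),
    ("C", "coffee", 3.90, False), ("C", "grocer", 61.30, False),
    ("C", "fuel", 44.00, False), ("C", "charity-x", 5.00, False),
    ("C", "gift-cards-far", 600.00, True),
    ("D", "grocer", 28.40, False), ("D", "coffee", 4.20, False),
    ("D", "grocer", 33.10, False), ("D", "charity-x", 5.00, False),
    ("D", "electronics-far", 450.00, True),
    ("E", "grocer", 36.00, False), ("E", "coffee", 4.60, False),
    ("E", "fuel", 39.90, False), ("E", "grocer", 41.20, False),
]


def amount_zscore(past, amount):
    """Rule 1 (per-account): how far this amount sits from the card's own spending history.
    Returns None when there is too little history or no spread to measure against."""
    if len(past) < MIN_HISTORY:
        return None
    sigma = pstdev(past)
    if sigma == 0:
        return None
    return (amount - mean(past)) / sigma


def precursor_merchants(ledger, min_cards=3):
    """Rule 2 (cross-card): merchants that appear immediately before the first confirmed
    fraud on at least `min_cards` distinct cards. One card alone tells you nothing;
    the same tiny merchant showing up before fraud on many cards is the signal."""
    by_card = defaultdict(list)
    for event in ledger:
        by_card[event[0]].append(event)
    cards_by_merchant = defaultdict(set)
    for card, events in by_card.items():
        for idx, (_, _, _, fraud) in enumerate(events):
            if fraud and idx > 0:
                cards_by_merchant[events[idx - 1][1]].add(card)
                break  # only the first confirmed fraud per card counts
    return {m for m, cards in cards_by_merchant.items() if len(cards) >= min_cards}


def screen(ledger, card, merchant, amount, z_threshold=3.0):
    """Screen one new transaction against everything the issuer has seen so far.
    Returns the list of reasons to flag it (empty list means approve)."""
    reasons = []
    past = [a for c, _, a, _ in ledger if c == card]
    z = amount_zscore(past, amount)
    if z is not None and z > z_threshold:
        reasons.append(f"amount outlier for this account (z={z:.1f})")
    if merchant in precursor_merchants(ledger):
        reasons.append("merchant preceded confirmed fraud on other cards")
    return reasons


def screen_ledger(ledger):
    """Replay the ledger and return the indices the rules would have flagged at the time,
    using only the events that preceded each one."""
    return [i for i, (card, merchant, amount, _) in enumerate(ledger)
            if screen(ledger[:i], card, merchant, amount)]


if __name__ == "__main__":
    print("flagged during replay:", screen_ledger(LEDGER))
    # A $5 charge that is unremarkable for card E alone, but at a merchant the
    # issuer has now seen three times right before fraud on other cards:
    print(screen(LEDGER, "E", "charity-x", 5.00))
    print(screen(LEDGER, "A", "grocer", 1200.00))
```

Replaying the ledger, the first rule alone flags the three large fraudulent purchases but lets every $5 probe through, because a small charge is never an outlier on its own card; only after the issuer has confirmed fraud on several cards does the second rule start flagging the same $5 merchant on a card that has not yet been hit, which is the "hundreds of similar transactions on hundreds of cards" effect described above.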

  • Dumpster diving, seems ineffective and it shouldn't be too hard to make it difficult to swap chips on new cards.

    • They presumably only use the new chips for a few days, draining as much cash as they can. Therefore once they collect enough chips to intercept cards for those few days, they're fine. Because then they have five day old chips they already used to send out.

    • by Junta ( 36770 )

      Just need a cosmetic replacement, doesn't even need to be a functional chip.

      After all, the cards will look right, but they still won't work if they have an old, mismatched chip. In fact it may be even better if it seems like it doesn't work because of malfunction rather than having a key mismatch, might buy you a few more days before the cardholder gets it fixed (assuming the POS equipment flags an obviously wrong chip more clearly than chip malfunction).

  • In the sense that it doesn't have anything to do with the underlying technology at all. It's a weakness in the activation/verification scheme in that it verifies that the cardholder received something, not that they have received the genuine card.

    An easy way to 'close the loop' would be to perform the activation at an ATM that could verify the authenticity of the chip. Then the 'activation' of the card would be tied to positive proof that the rightful owner had possession of it.
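The distinction drawn above (activation proves the customer received something, not that the plastic still carries the chip the issuer personalised for that account) can be shown in a small model. This is an added example, not code from the article or from any card issuer: the account numbers are constructed placeholders, the HMAC challenge-response is a stand-in for the cryptogram a real EMV chip computes, and the "last four digits" phone check is an assumed stand-in for whatever an activation line actually asks.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Chip:
    pan: str      # account the chip was personalised for
    key: bytes    # per-card secret written into the chip at personalisation


@dataclass
class Card:
    printed_pan: str   # number printed on the plastic (what the customer reads out)
    chip: Chip


def chip_respond(chip: Chip, nonce: bytes) -> bytes:
    """What the chip returns to a terminal challenge (stand-in for an EMV cryptogram)."""
    return hmac.new(chip.key, nonce, hashlib.sha256).digest()


class Issuer:
    def __init__(self):
        self.keys = {}       # pan -> key the issuer loaded into that card's chip
        self.active = set()  # pans that have been activated
        self.alerts = []     # tamper alerts raised at activation

    def issue(self, pan: str) -> Card:
        key = secrets.token_bytes(16)
        self.keys[pan] = key
        return Card(pan, Chip(pan, key))

    def _chip_ok(self, card: Card) -> bool:
        """Challenge the chip and check the answer against the key issued for the printed PAN."""
        nonce = os.urandom(8)
        expected = hmac.new(self.keys[card.printed_pan], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(chip_respond(card.chip, nonce), expected)

    def activate_by_phone(self, pan: str, last4: str, expected_last4: str) -> bool:
        """Today's scheme: proves only that the caller holds mailed/printed data."""
        if last4 != expected_last4:
            return False
        self.active.add(pan)
        return True

    def activate_at_atm(self, card: Card) -> bool:
        """Proposed scheme: activation is tied to the chip authenticating for the printed PAN."""
        if self._chip_ok(card):
            self.active.add(card.printed_pan)
            return True
        self.alerts.append(f"chip on card {card.printed_pan} failed authentication at activation")
        return False

    def authorize(self, card: Card) -> bool:
        return card.printed_pan in self.active and self._chip_ok(card)


def intercept_and_swap(mailed: Card, old: Card):
    """Model of the scheme in the article: the genuine chip ends up on the thief's plastic,
    and an old chip goes into the envelope that continues on to the customer."""
    thief_card = Card(mailed.printed_pan, mailed.chip)
    forwarded = Card(mailed.printed_pan, old.chip)
    return thief_card, forwarded


def run_scenario(chip_verified_activation: bool) -> dict:
    issuer = Issuer()
    old = issuer.issue("4000000000000001")     # constructed: expired card whose chip gets reused
    mailed = issuer.issue("4000000000000002")  # constructed: the new card in the post
    thief_card, customer_card = intercept_and_swap(mailed, old)
    if chip_verified_activation:
        activated = issuer.activate_at_atm(customer_card)
    else:
        activated = issuer.activate_by_phone(customer_card.printed_pan, "1234", "1234")
    return {
        "activated": activated,
        "thief_authorized": issuer.authorize(thief_card),
        "customer_authorized": issuer.authorize(customer_card),
        "alerts": list(issuer.alerts),
    }


if __name__ == "__main__":
    print("phone activation:        ", run_scenario(False))
    print("chip-verified activation:", run_scenario(True))
```

With phone activation the customer's call switches the account on, the thief's card (genuine chip, right PAN) authorises, and the customer's own card fails at the first terminal, which is exactly the sequence the article describes. With activation done through a chip-verifying terminal the mismatched chip fails the challenge, the account stays inactive, the thief's card never authorises, and the issuer gets a tamper alert before any money moves.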

    • Here in Norway, where chip and pin is the normal, when I receive a new card it is activated the first time I use it. At the same time, the old card is deactivated.
      • Which just moves the problem to how you deliver the PIN associated to the new card.

        But sure, once you've established that you can transmit the PIN from the bank to the (correct) customer without anyone else reading it, then you can use that to solve other problems :-)

        • Here in Canuckistan the PIN is delivered by mail in a separate envelope several days before or after the card itself is delivered.

          • by e3m4n ( 947977 )

            which would not solve a situation of targeted mail intercept, only random mail intercepts. If your mailbox itself is targeted, then they would grab anything with your banks name on it.

    • by e3m4n ( 947977 )

      Exactly, it sounds as if they replace the chip with any other chip on the card and reseal the envelope. Then with the original chip, they put it onto a cloned card. Then the unsuspecting customer gets the card in the mail, and calls the phone number to activate their card, not knowing there is a duplicate floating around. I agree, it might be more hassle, but having to go to the bank or the ATM to activate the card would make sense. I am guessing that it would have to be a bank ATM equipped with a chip reader, since

      • Every time I use my paypal card I get a notification of a charge both via email and SMS within a minute or two of the transaction. I find it disturbing that my bank does not do this, nor does any credit card, ...

        My Discover card does this via Discover App installed on my phone. Normally, my phone beeps about 10 seconds after the card is approved. The fun part is that at gas stations and hotels, I can actually see the pre-approval go through when I start and the final purchase when I am done.

        I'm hoping that their next step is to add some approval features to the app, requiring either proximity to the store or that I click "OK".

  • by RyanFenton ( 230700 ) on Thursday April 05, 2018 @08:36PM (#56390453)

    Frequently during holiday periods (high mail flow), postal hubs take on outside contractors to handle those overflows. And those guys can be real scummy, to say the least.

    One Christmas, I sent a care package to grandparents, including gift cards, and those were removed from the packaging, slit open from the envelopes, snapshot/sold as images with codes online, then thrown back in the package outside the envelopes. I was able to track it down (with a postal inspector and Amazon) to one of these overflow contractors, and although there's a few cases where they've been caught with hundreds of stolen gift cards - the relationship with the contracting organizations largely shield these crooks pretty constantly.

    The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization. So, they're forced to play these games, and shield the folks screwing with the mail, lest they be unable to cover during holiday periods.

    I can only imagine who the contracting groups are paying off to make this all possible, along with this latest mail-intercept racket.

    Ryan Fenton

    • by rsilvergun ( 571051 ) on Thursday April 05, 2018 @09:31PM (#56390615)
      of government who don't believe in government then government doesn't do so well.
    • by bws111 ( 1216812 ) on Friday April 06, 2018 @07:46AM (#56391935)

      The Post Office can't hire extra real folks

      Bullshit. The USPS can and does hire temporary employees (here is an example [usps.com] from last year), they do not have any impact on the retirement fund.

      The demand that the USPS pre-fund its retirement system is not 'crazy', it is responsible. Note that most other organizations gave up on the pension system altogether and just give the employees money via 401K matches. The employee can then (wisely) 'pre-fund' his own retirement, or (stupidly) not - and be '85 and wanna go home'. About the only pensions that are not fully pre-funded anymore are public service jobs, because you can always just soak the taxpayer later, no sense in being fiscally responsible now.

    • Are you just really ignorant of the truth or trolling?
      The PO can hire temporary seasonal employee and not worry about future health benefits.
      But on the topic of that why do you hate the post office employees and don't think they should get the benefits they were told they would get?
    • The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization.

      That is the way pensions should be funded. The employer should pay their incremental increase in pension obligation at the same time they pay the employee. At that point it's reserved for the employee

  • The chip is supposed to also contain keys and pins. How do the crook even replace that ?
    • Imagine that instead of replacing the chip, they wait until the card is activated, murder the victim and steal the card. Same effect: they have an activated card. OK, so now what? Maybe for ecommerce you can use that, but then again so would simply writing down the card number and the 3-digit number on the back - no need to replace the chip. But you still cannot use the card to withdraw funds because you don't have the PIN...
      • by e3m4n ( 947977 )

        I once had a card cloned (before the days of the chip) and about a week later I got notified that a Home Depot in Miami (600+ miles away) just hit my card 6 times in a row for $100 each. They bought Home Depot gift cards. At that point the money trail stops and they can sell these cards to anyone for less than face value. I had suggested that since they knew which gift cards they had activated, they should go in and deactivate them. That way when the person buying the stolen card tries to use it, and gets

  • by account_deleted ( 4530225 ) on Thursday April 05, 2018 @08:57PM (#56390511)
    Comment removed based on user account deletion
    • by Anonymous Coward on Thursday April 05, 2018 @09:41PM (#56390647)

      No, you actually don't.

      The attack being described is just swapping other chips into the new cards they're stealing; as long as they look undamaged to the person getting the card until they activate it, the chip doesn't even need to work on the old card.

      So in this case? Mechanically cutting the chip region out is sufficient, the same way some scammers have sliced individual numbers of a lottery ticket or scratcher ticket, cutting only one layer of the paper.

      Because it doesn't matter what THEIR chip-and-pin gizmo looks like, it can be a Frankenstein's monster. And the card sent on in the mail doesn't need to even have a working chip-and-pin since the USA still has mag-stripe fallback for chip-and-pin read failures instead of rejecting the card outright.

      So no, this is far less 007 Bond and far more just simple "write on a grain of rice" hand-eye coordination.

      - WolfWings, too lazy to login to /. in too many years.

    • There's no requirement for poisoned firmware or for anything to even work after modification. The only requirement here is to get the old chip out of the card and patch up the card in a way that it looks okay. In some cases you could even take a generic blank card and print a picture of the card you stole, you don't even need to modify anything. You just need to fool someone who is unlikely to be paying attention.

      Because of the chip+signature garbage in the USA just wait till the card is activated (normally

  • If something dicey happens on your credit card, it is the vendor's problem -- the vendor does not have money yet.
    If something dicey happens on your debit card, it is your problem -- the money already left the account.

    I do not have a debit card. After I cut up the fourth debit card and demanded a clean ATM card with no debit feature, the fifth time I just changed banks.

    • If something dicey happens on your credit card, it is the vendor's problem -- the vendor does not have money yet. If something dicey happens on your debit card, it is your problem -- the money already left the account.

      I do not have a debit card. After I cut up the fourth debit card and demanded a clean ATM card with no debit feature, the fifth time I just changed banks.

      A few years ago SunTrust wanted to "upgrade" my ATM card to an ATM/Debit card. I wrote a letter to the President of SunTrust explaining my reasons for not wanting a Debit card but rather just an ATM card and threatened to move my accounts to another bank if they would not accommodate me. A week later I got a call from his assistant who told me they got many other such requests and would be sending me an ATM only card -- been using it ever since.

      Apparently, when they switched from VISA to MasterCard as t

      • As a non-US citizen, what is the distinction between an ATM and a Debit card for you? Here they are one and the same, I could always pay with the card I used at the ATM/Bank with my PIN. Maybe because we have a national debit network here.

        Since you mentioned Visa/MC, do you mean a visa/signature "debit" card that does not need a PIN? Or simply an ATM card can only be used to withdraw cash at the bank and you are not able to pay anything with it?

        • by e3m4n ( 947977 )

          An ATM card or ATM transaction goes through a banking gateway service like Star, Quest, Paypass, etc. You usually get a fee for every transaction (like $2.50 now).

          A Debit transaction uses the Visa and/or MasterCard networks to deduct money from your account, and the merchant usually eats the transaction fees based on his volume. Small operations eat 4% or tell you that they will add 4% to use the card.

          they are two completely different networks where one necessitates a PIN, while the other just wants you to

        • Just because you have one card that does both doesn't mean they're the same thing.

          I had an ATM card when my bank didn't even have debit cards and I couldn't get a credit card since I hadn't been in the country long enough.

          It worked at ATMs. I couldn't pay at a shop or restaurant with it.

        • As a non-US citizen, what is the distinction between an ATM and a Debit card for you?

          Typically, one can only use an ATM card with an ATM machine, while a Debit card can be used like a Credit Card with merchants. Some banks offer combined ATM/Debit cards that work with both cases. Those physical cards are usually issued by the bank through the vendor that provides the bank's Debit/Credit card services, like VISA or MasterCard. I don't want a debit card, just an ATM card. (a) I have a credit card with a high limit and pay it off every month and (b) don't want my checking account funds availa

  • The Secret Service doing anything except guard the president.