Secret Service Warns of Chip Card Scheme (krebsonsecurity.com)
Brian Krebs reports on a new scheme where new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports: The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.
PIN (Score:2)
Use it.
Re: (Score:1)
The summary implies they are using debit cards to get cash.
Re: (Score:2)
The summary implies they are using debit cards to get cash.
The summary says that they are "draining accounts". I know of no way to access cash with a debit card without a PIN. Presumably, the actors are using the debit cards/chips to make purchases processed as credit, which requires (typically) no PIN.
Indeed, the article makes no mention of cash.
Re: (Score:2)
Preview is a hell of a drug.
Re: (Score:1)
Yeah, which makes me wonder, why aren't they targeting credit cards.
It seems way easier (there'd never be a question of using a pin), and I wouldn't call using a credit card draining an account.
Guess I should RTFA.
Re: (Score:2)
The confusion is defining a 'Debit' card....
When they first came out they were called 'check cards'.
There are two networks at play...
1) Bank gateway services like Quest and Star, in which you use a PIN number at an ATM or POS terminal to conclude a transaction. This is using your Debit card like an ATM card.
2) Then there are the network services for Visa and Mastercard. This is using your Debit card like a Credit Card (i.e. sign for the transaction).
at first they used to say ATM or Credit at the POS machines back in
Re: (Score:2)
they are using the cards with chips to buy merchandise that they can then sell for cash AND/OR making purchases that eventually find their way into some other account. They aren't pulling physical cash from your account, but it gets drained nonetheless.
Re: (Score:1)
> It take some time
Which is why you should never have a debit card. The law protects credit card holders. Bank policies protect debit card holders.
Re: (Score:2)
Okay genius, where do we put our actual cash then? Under the pillow?
I make all deposits to / write checks from my checking account, and never use my debit card. Except for the odd cash purchase, all other purchases - online and in person - I use my credit card. At the end of each month, I pay the credit card from my checking account. The only drawback I've encountered so far is if I have to cancel my credit card because it's been compromised. I'm stuck until the new one arrives. I'm going to get a second one as a backup, but it hasn't been a pressing priority so far.
Re: (Score:2)
And how does your not using your present card prevent someone from intercepting a new card sent to you in the mail when your card expires?
You're as vulnerable to the scam described here as everyone else.
Re: (Score:2)
The only drawback I've encountered so far is if I have to cancel my credit card because it's been compromised. I'm stuck until the new one arrives.
I walk over to my local credit union at lunchtime and they print me a new one. Takes about 3 minutes. You might want to investigate your local places - I'm not sure how I'd ever go back to the timewasting stupidity of the big banks I used to get financially abused by.
Re: (Score:2)
Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?
I have a debit/atm card from my bank. The ATM requires the PIN, but I just used it with a merchant and they did not take a PIN, but a signature on a receipt. So your answer is "yes", at least for merchants.
Re: (Score:2)
I have gone to precisely one store (Target) where I stick my card in and enter my PIN. Every other store wants my signature, unless it's below their threshold and they don't want anything.
Re: (Score:2)
Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?
Yes, there are two methods.
1. the numbers on the front of the card allow you to make transactions online without even using the PIN.
2. Contactless payments under £ do not require a PIN.
PINs are not great security when they aren't required. This is why we need to have two-factor authentication, but banks will never permit that as we'd all go back to using cash (which they can't skim a percentage off the top of).
Re: (Score:2)
If you make the merchants and banks liable for the fraud against their customers, then things will change. Things will not change until this happens. End Of Line
Re: (Score:2)
Yes, in the US, when you're at a POS terminal (point of sale, not piece of shit), you're given 2 options: Debit and Credit. Debit really means ATM, at which time you have to use a PIN number, and any sort of cash-back is forfeit. Credit technically is what they used to call 'debit', in which it's using Visa or MasterCard clearing houses to withdraw your cash and earns you 1 - 2% cash back, no PIN required. They used to compare the signature on the back of your card to your signed slip, but that doesn't work no
Re: (Score:1)
PINs only hurt consumers, since banks assume if the correct PIN was entered that you are at fault. I worked for a grocery store chain with well over a thousand locations that saved them. I even got hit myself with someone that used a cloned magstripe at Fry's with my PIN. I ended up having to pay the >$800 anyway after my bank threatened to sue me.
Fry's has cameras everywhere Re:PIN (Score:1)
If the statute of limitations hasn't run out, sue the bank for the money and subpoena Fry's for their camera footage.
Re: (Score:2)
If they can intercept the card, and send it on to you without you suspecting anything, they can probably intercept the PIN and do the same to that.
Re: (Score:2)
I wasn't aware that you do that in the US - in the UK, you get sent an initial PIN in the post, separately from your card, and you can change it at any ATM. If the card is a replacement for one issued previously, it continues to work with the old card's PIN and you do not get sent a new one.
Re: PIN (Score:1)
The bank won't mail you a PIN. In my experience, you have to go into a branch and set up your PIN at least once. After that, any replacement card they send will use the same PIN until you go to a branch and change it.
Your experience is strange. Every bank I've ever had accounts with in the US sends your PIN via mail, in a special envelope with markings to stop it being visible against the light, and on a different day and by a different carrier, e.g. UPS or FedEx, from the original card.
All US banks do this. Which are you suggesting don't?
Re: (Score:2)
I've had the option. I could set it myself or I could have them send me one. And of course, even if sent one, you can always go in and change it (sometimes you can even change it via the phone, but I would go in).
Even back in the early 90s, I was doing a co-op in California and opened an account with Wells Fargo. I got to set my own PIN, so I had set it to a 10-digit number. It was super secure, but it made it a pain to use out in public because most terminals expect a four-digit PIN.
Re: (Score:2)
I haven't had a PIN mailed to me in a very long time. I used to have that happen only when I opened a new bank account and they had to assign a PIN. Once I went in and had my PIN changed to something else, every subsequent card always had the PIN I set up ahead of time.
With my Paypal card I set the PIN from my paypal account. The same with my MyVanilla card of pre-paid funds (I tend to load money on a prepaid card when I am vacationing out of state so if my card gets cloned the damage is limited).
Activate, use, re-activate (Score:1)
OK, how about a 2-stage activation:
When you first activate it, the first time you use it you will get an alert and have a few days to do a second activation.
Until the 2nd activation goes through, you will get an alert on all charges and if it's a high-dollar charge or even a medium-dollar charge at someplace that's not "normal" for you, the charge will be declined and alarms would go off at the bank and on my phone or email.
So, if someone pulls the switcheroo on my card they might be able to buy a $100 TV a
Re: (Score:3)
Nah, no need for such complexity - most non-US banks issue users with card readers that generate one-time PINs for use in authenticating online and activating cards, so just require those in the US. It won't work without the proper chip in the card, so job done...
Re: (Score:2)
The penalties for stealing mail from a mailbox and opening it are very severe as well.
Re: (Score:2)
Aren't these being sent to corporate mailboxes? As soon as the mail is handed off from a USPS employee to a private mail contractor, the severe laws all vanish.
Re: (Score:3)
Every time I have had something stolen from the mail, it was a USPS employee. It usually happens at the distribution point, before it is assigned to a delivery man.
They don't usually catch them, and even certified packages go missing and you can't get your money back.
Twice I have had relatively small packages containing audio/electronic items (e.g. MIDI devices) stolen this way. Filling out forms does nothing. IG does nothing. Package trace log shows the item at the postal distribution warehouse, where it
Re: (Score:2)
Sometimes things really do disappear at the post office.
I once had someone send me a package. It was "lost" at the regional postal center going "around and around" the automated system before someone or some computer realized it was "old" and pulled it off the line and did something with it.
By "old" you mean "2 days" and by "do something with it" you mean "take it home themselves and sell it on e-Bay" LOL.
Re: (Score:3)
OMG, I met one! I finally met one! You're one of those mythical people I read about that believe making a law somehow stops crime. "we need to ban this" , "we need better gun control to stop criminals from getting guns", "we need a law that says...". How are you not besides yourself that criminals *gasp* don't give a shit about laws? There are two groups of people that think laws don't apply to them a) criminals b) elected officials. One can certainly argue that b. really is a member of a. with more damage
Re: (Score:2)
Your comment was that a postal employee could not be the culprit because there is a law that would punish a postal employee for stealing, therefore it could never be a postal employee. In most cases it is in fact occurring at the hub distribution centers. You implied the presence of a law implies no one would dare disobey it. I felt it necessary to give you multiple examples of how far from true that is. Organised crime usually always facilitates the need of having an inside man to complete the job.
Re: (Score:2)
Laws exist so you can punish the lawbreaker, agreed. There is quite a bit more fraud in the post office than you may be aware of. It's possible you worked at a branch and were fairly isolated in this respect. Even in the 90s there was some reality 'cops' style show that followed postal inspectors. They in fact do more than just look for drugs being mailed. They spend a great deal of time investigating postal employees. One episode indicated that some branch in NYC was using 'temps' to do deliveries. Well, this o
Re: (Score:2)
My point was that certified mail requires a signature and so should solve a mailbox theft problem.
Mailbox theft seems unlikely here.
As far as "requires a signature", I once received a check for about $30k mis-delivered to me by certified mail. Postal carrier took my signature and went on about his day. Fortunately for the intended recipient, they were close by and I didn't mind walking it over.
Re: (Score:3)
Simpler solution:
You activate it by putting it into an ATM for your bank and entering your current PIN.
If you don't have a PIN, you go to your bank and set one up. They should be able to spot a tampered card even if you can't.
Re: (Score:2)
Equally puzzling is how the bank managed to correctly flag that tiny charge as fraudulent.
It's the same as with Google's spam detection: you just see one transaction on your card, but the bank sees hundreds of similar transactions on hundreds of cards.
Re: (Score:2)
The other day my cc got used to make a $5 donation to some Christian website that I had never heard of.
That was a smart crook.
1) It validated the card was good or not.
2) If their victim was married, he might wait to call the bank until he talked to his spouse, because "giving to charity" is something many people would do without checking with their spouse first. This buys the crook time to do real damage.
3) Giving small amounts to charity is something a lot of people do, so it's less likely to be flagged by the bank as suspicious than, say, spending money at a far-away-from-the-victim brick-and-mortar sto
Re: (Score:2)
I suspect it got flagged because there were already reports of fraud and stolen funds in which, just prior to large amounts of theft, a $5 donation was made to the same charity in order to verify the card is in working order before they hit it with a larger withdrawal. Once they realize that they have a large number of reported fraudulent charges, and in every case there is a small charge to a common place, they flag that place and trigger an alert. I suspect that these card companies probably share a secu
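The cross-card correlation this comment describes (many later-defrauded cards sharing one small charge at the same place shortly before the big charges), as an added example that is not from the thread or from any card issuer; the transactions, fraud reports, merchant names and thresholds are all constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAY0 = datetime(2018, 4, 1)


def day(n: int) -> datetime:
    return DAY0 + timedelta(days=n)


# Constructed transactions: (card, merchant, amount_usd, timestamp).
TRANSACTIONS = [
    ("c1", "coffee-shop",            4.00, day(1)),
    ("c1", "charity-site.example",   5.00, day(3)),
    ("c1", "electronics-store",    900.00, day(5)),
    ("c2", "charity-site.example",   5.00, day(4)),
    ("c2", "electronics-store",   1200.00, day(5)),
    ("c3", "coffee-shop",            4.00, day(2)),
    ("c3", "charity-site.example",   5.00, day(4)),
    ("c3", "electronics-store",    800.00, day(5)),
    ("c4", "charity-site.example",   5.00, day(3)),
    ("c4", "electronics-store",    650.00, day(5)),
    ("c5", "coffee-shop",            4.00, day(3)),
    ("c6", "coffee-shop",            4.00, day(4)),
    ("c6", "charity-site.example",   5.00, day(4)),   # genuine donor, no fraud followed
]

# Constructed fraud reports: card -> timestamp of the first charge the holder disputed.
FRAUD_REPORTS = {"c1": day(5), "c2": day(5), "c3": day(5), "c4": day(5)}


def probe_merchants(transactions, fraud_reports, max_amount=10.0,
                    window=timedelta(days=3), min_cards=3, min_ratio=0.5):
    """Return merchants that look like card-validity probes.

    A merchant is flagged when a small charge there preceded reported fraud on
    at least `min_cards` distinct cards within `window`, and those cards are at
    least `min_ratio` of everyone who made a small charge there (so a popular
    coffee shop that a few victims also visited is not flagged)."""
    small_chargers = defaultdict(set)   # merchant -> cards with any small charge
    pre_fraud = defaultdict(set)        # merchant -> cards charged just before fraud
    for card, merchant, amount, ts in transactions:
        if amount > max_amount:
            continue
        small_chargers[merchant].add(card)
        fraud_at = fraud_reports.get(card)
        if fraud_at is not None and fraud_at - window <= ts < fraud_at:
            pre_fraud[merchant].add(card)
    flagged = []
    for merchant, victims in pre_fraud.items():
        ratio = len(victims) / len(small_chargers[merchant])
        if len(victims) >= min_cards and ratio >= min_ratio:
            flagged.append(merchant)
    return sorted(flagged)


def should_alert(txn, flagged_merchants, max_amount=10.0):
    """Real-time rule: a new small charge at a flagged merchant is worth an
    alert even though the amount alone would never trip a threshold."""
    _card, merchant, amount, _ts = txn
    return merchant in flagged_merchants and amount <= max_amount


if __name__ == "__main__":
    flagged = probe_merchants(TRANSACTIONS, FRAUD_REPORTS)
    print("flagged probe merchants:", flagged)
    print("alert on new $5 charge:", should_alert(("c7", "charity-site.example", 5.00, day(9)), flagged))
```

The ratio test is what keeps the coffee shop off the list: only one of its four small-charge cards was defrauded within the window, while four of the charity site's five were.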
How the hell do they get the old chips ? (Score:2)
Dumpster diving seems ineffective, and it shouldn't be too hard to make it difficult to swap chips on new cards.
Re: (Score:2)
They presumably only use the new chips for a few days, draining as much cash as they can. Therefore once they collect enough chips to intercept cards for those few days, they're fine. Because then they have five day old chips they already used to send out.
Re: (Score:2)
Just need a cosmetic replacement, doesn't even need to be a functional chip.
After all, the cards will look right, but they still won't work if they have an old, mismatched chip. In fact it may be even better if it seems like it doesn't work because of malfunction rather than having a key mismatch, might buy you a few more days before the cardholder gets it fixed (assuming the POS equipment flags an obviously wrong chip more clearly than chip malfunction).
Not really a 'chip card hack' . . . (Score:2)
In the sense that it doesn't have anything to do with the underlying technology at all. It's a weakness in the activation/verification scheme in that it verifies that the cardholder received something, not that they have received the genuine card.
An easy way to 'close the loop' would be to perform the activation at an ATM that could verify the authenticity of the chip. Then the 'activation' of the card would be tied to positive proof that the rightful owner had possession of it.
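The chip-verified activation this post proposes, as an added example that is not part of the original thread and not any issuer's real flow: HMAC-SHA256 over a challenge stands in for the EMV cryptogram a genuine chip would compute, and the issuer records, phone-activation path and account number are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PAN = "4000 0000 0000 0001"   # constructed account number


@dataclass
class Chip:
    """What the plastic carries: an identifier and a key only the genuine chip holds.
    HMAC-SHA256 over a challenge stands in for the EMV cryptogram (assumption)."""
    chip_id: str
    key: bytes

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, self.chip_id.encode() + challenge, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Issuer-side records: which chip was personalised for which account."""
    cards: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def issue(self, pan: str) -> Chip:
        chip = Chip(chip_id=os.urandom(4).hex(), key=os.urandom(32))
        self.cards[pan] = {"chip_id": chip.chip_id, "key": chip.key, "active": False}
        return chip

    def _chip_matches(self, pan: str, chip: Chip) -> bool:
        """Challenge the presented chip and compare with what the chip on file would answer."""
        rec = self.cards[pan]
        challenge = os.urandom(8)
        expected = hmac.new(rec["key"], rec["chip_id"].encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, chip.respond(challenge))

    def activate_by_phone(self, pan: str, knows_account_details: bool) -> bool:
        """Today's flow: proves someone received *a* card, not that it carries the genuine chip."""
        if knows_account_details:
            self.cards[pan]["active"] = True
        return self.cards[pan]["active"]

    def activate_at_atm(self, pan: str, pin_ok: bool, chip: Chip) -> bool:
        """Proposed flow: the ATM makes the chip answer a challenge before the account goes live."""
        if not pin_ok or not self._chip_matches(pan, chip):
            self.alerts.append(f"activation rejected for {pan}: chip {chip.chip_id} is not the one issued")
            return False
        self.cards[pan]["active"] = True
        return True

    def authorize(self, pan: str, chip: Chip) -> bool:
        """A purchase needs an activated account and the genuine chip."""
        return self.cards[pan]["active"] and self._chip_matches(pan, chip)


def run_scenario(chip_verified_activation: bool):
    """Model the mail intercept from the article: the cardholder receives a card
    carrying a stale chip while the genuine chip is elsewhere.
    Returns (activation_succeeded, genuine_chip_usable_afterwards)."""
    issuer = Issuer()
    genuine = issuer.issue(PAN)
    stale = Chip(chip_id="stale-chip", key=b"\x00" * 32)   # some old card's chip, constructed
    if chip_verified_activation:
        activated = issuer.activate_at_atm(PAN, pin_ok=True, chip=stale)
    else:
        activated = issuer.activate_by_phone(PAN, knows_account_details=True)
    return activated, issuer.authorize(PAN, genuine)


if __name__ == "__main__":
    print("phone activation:", run_scenario(False))   # account goes live, genuine chip usable elsewhere
    print("ATM activation:  ", run_scenario(True))    # stale chip fails, account never goes live
```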
Re: (Score:2)
Which just moves the problem to how you deliver the PIN associated to the new card.
But sure, once you've established that you can transmit the PIN from the bank to the (correct) customer without anyone else reading it, then you can use that to solve other problems :-)
Re: (Score:2)
Here in Canuckistan the PIN is delivered by mail in a separate envelope several days before or after the card itself is delivered.
Re: (Score:2)
which would not solve a situation of targeted mail intercept, only random mail intercepts. If your mailbox itself is targeted, then they would grab anything with your banks name on it.
Re: (Score:2)
Exactly, it sounds as if they replace the chip with any other chip on the card and reseal the envelope. Then with the original chip, they put it onto a cloned card. Then the unsuspecting customer gets the card in the mail and calls the phone number to activate their card, not knowing there is a duplicate floating around. I agree, it might be more hassle, but having to go to the bank or the ATM to activate the card would make sense. I am guessing that it would have to be a bank ATM equipped with a chip reader, since
Re: (Score:2)
Every time I use my paypal card I get a notification of a charge both via email and SMS within a minute or two of the transaction. I find it disturbing that my bank does not do this, nor does any credit card, ...
My Discover card does this via Discover App installed on my phone. Normally, my phone beeps about 10 seconds after the card is approved. The fun part is that at gas stations and hotels, I can actually see the pre-approval go through when I start and the final purchase when I am done.
I'm hoping that their next step is to add some approval features to the app, requiring either proximity to the store or that I click "OK".
Yeah - 3rd party postal overflow guys... (Score:5, Interesting)
Frequently during holiday periods (high mail flow), postal hubs take on outside contractors to handle those overflows. And those guys can be real scummy, to say the least.
One Christmas, I sent a care package to grandparents, including gift cards, and those were removed from the packaging, slit open from the envelopes, snapshot/sold as images with codes online, then thrown back in the package outside the envelopes. I was able to track it down (with a postal inspector and Amazon) to one of these overflow contractors, and although there's a few cases where they've been caught with hundreds of stolen gift cards - the relationship with the contracting organizations largely shield these crooks pretty constantly.
The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization. So, they're forced to play these games, and shield the folks screwing with the mail, lest they be unable to cover during holiday periods.
I can only imagine who the contracting groups are paying off to make this all possible, along with this latest mail-intercept racket.
Ryan Fenton
Re:Yeah - 3rd party postal overflow guys... (Score:4, Informative)
The Post Office can't hire extra real folks
Bullshit. The USPS can and does hire temporary employees (here is an example [usps.com] from last year), they do not have any impact on the retirement fund.
The demand that the USPS pre-fund its retirement system is not 'crazy', it is responsible. Note that most other organizations gave up on the pension system altogether and just give the employees money via 401K matches. The employee can then (wisely) 'pre-fund' his own retirement, or (stupidly) not - and be '85 and wanna go home'. About the only pensions that are not fully pre-funded anymore are public service jobs, because you can always just soak the taxpayer later, no sense in being fiscally responsible now.
Re: (Score:2)
The PO can hire temporary seasonal employee and not worry about future health benefits.
But on the topic of that why do you hate the post office employees and don't think they should get the benefits they were told they would get?
Re: (Score:1)
That is the way pensions should be funded. The employer should pay their incremental increase in pension obligation at the same time they pay the employee. At that point it's reserved for the employee
Re: (Score:2)
I once had a card cloned (before the days of the chip) and about a week later I got notified that a Home Depot in Miami (600+ miles away) had just hit my card 6 times in a row for $100 each. They bought Home Depot gift cards. At that point the money trail stops and they can sell these cards to anyone for less than face value. I had suggested that since they knew which gift cards they had activated, they should go in and deactivate them. That way when the person buying the stolen card tries to use it, and gets
Re:not an easy task at all. (Score:4, Informative)
No, you actually don't.
The attack being described is just swapping other chips into the new cards they're stealing; as long as they look undamaged to the person getting the card until they activate it, the chip doesn't even need to work on the old card.
So in this case? Mechanically cutting the chip region out is sufficient, the same way some scammers have sliced individual numbers of a lottery ticket or scratcher ticket, cutting only one layer of the paper.
Because it doesn't matter what THEIR chip-and-pin gizmo looks like, it can be a Frankenstein's monster. And the card sent on in the mail doesn't even need to have a working chip-and-pin, since the USA still has mag-stripe fallback for chip-and-pin read failures instead of rejecting the card outright.
So no, this is far less 007 Bond and far more just simple "write on a grain of rice" hand-eye coordination.
- WolfWings, too lazy to login to /. in too many years.
Re: (Score:2)
There's no requirement for poisoned firmware or for anything to even work after modification. The only requirement here is to get the old chip out of the card and patch up the card in a way that it looks okay. In some cases you could even take a generic blank card and print a picture of the card you stole, you don't even need to modify anything. You just need to fool someone who is unlikely to be paying attention.
Because of the chip+signature garbage in the USA just wait till the card is activated (normally
Debit cards are hazardous (Score:2)
If something dicey happens on your credit card, it is the vendor's problem -- the vendor does not have money yet.
If something dicey happens on your debit card, it is your problem -- the money already left the account.
I do not have a debit card. After I cut up the fourth debit card and demanded a clean ATM card with no debit feature, the fifth time I just changed banks.
Re: (Score:3)
If something dicey happens on your credit card, it is the vendor's problem -- the vendor does not have money yet. If something dicey happens on your debit card, it is your problem -- the money already left the account.
I do not have a debit card. After I cut up the fourth debit card and demanded a clean ATM card with no debit feature, the fifth time I just changed banks.
A few years ago SunTrust wanted to "upgrade" my ATM card to an ATM/Debit card. I wrote a letter to the President of SunTrust explaining my reasons for not wanting an Debit card but rather just an ATM card and threatened to move my accounts to another bank if they would not accommodate me. A week later I got a call from his assistant who told me they got many other such requests and would be sending me an ATM only card -- been using it ever since.
Apparently, when they switched from VISA to MasterCard as t
Re: (Score:2)
As a non-US citizen, what is the distinction between an ATM and a Debit card for you? Here they are one and the same; I could always pay with the card I used at the ATM/bank with my PIN. Maybe because we have a national debit network here.
Since you mentioned Visa/MC, do you mean a visa/signature "debit" card that does not need a PIN? Or simply an ATM card can only be used to withdraw cash at the bank and you are not able to pay anything with it?
Re: (Score:2)
An ATM card or ATM transaction goes through a banking gateway service like Star, Quest, Paypass, etc. You usually get a fee for every transaction (like $2.50 now).
A Debit transaction uses the Visa and/or MasterCard networks to deduct money from your account, and the merchant usually eats the transaction fees based on his volume. Small operations eat 4% or tell you that they will add 4% to use the card.
they are two completely different networks where one necessitates a PIN, while the other just wants you to
Re: (Score:2)
Just because you have one card that does both doesn't mean they're the same thing.
I had an ATM card when my bank didn't even have debit cards and I couldn't get a credit card since I hadn't been in the country long enough.
It worked at ATMs. I couldn't pay at a shop or restaurant with it.
Re: (Score:2)
As a non-US citizen, what is the distinction between an ATM and a Debit card for you?
Typically, one can only use an ATM card with an ATM machine, while a Debit card can be used like a Credit Card with merchants. Some banks offer combined ATM/Debit cards that work with both cases. Those physical cards are usually issued by the bank through the vendor that provides the bank's Debit/Credit card services, like VISA or MasterCard. I don't want a debit card, just an ATM card. (a) I have a credit card with a high limit and pay it off every month and (b) don't want my checking account funds availa
Re: (Score:2)
I agree there is no important difference in convenience, under all common scenarios.
The difference is in the legal status and what the burden of proof would be under the bright lights of a courtroom, if things were to go very very wrong.
When things go extremely wrong with a credit card, I can still pay my mortgage, fill my gas tank so I can get to work, and feed my family -- with many months to sort out any problems while negotiations and discussions happen, before any legal actions will even begin to wend
Re: (Score:2)
Why would you have all your money in the account tied to the debit card? My wife and I have a joint debit account where we pitch in a portion of our pay every month to buy the normal monthly expenses. All the rest of our money is tucked safely away in other accounts.
I'm somewhat baffled by why people seem to think the only options are credit or "all my money is at risk". Does your bank not allow you to make multiple sub-accounts that aren't accessible by your debit card? If that's the case, you've chosen th
Re: (Score:2)
Your point makes sense, to a significant degree.
But why should my savings be vulnerable at all, even a single red cent? I can protect it completely with a credit card.
The extent that a credit card is actually really more convenient than a credit card does have something to do with how much is left vulnerable in that savings account. Furthermore, banks love to push "protections" like automatic transfers from savings in case of overdraft of the account tied to the debit card. I presume that some people fal
Re: (Score:2)
So I don't "bank" - I've got a couple of exceptional credit unions in my area, and use them instead. Because they're non-profit and member-owned, they don't do most of that bullshit. Truly exceptional service, and really robust online services as well. Their fraud policy is the same for debit as it is for credit, so there's no real risk on the debit side - they'll credit a large amount of what was claimed to be fraudulent before any investigation is final.
Credit cards are ok, but not always great. I have a
Re: (Score:2)
every time I have had an issue where unauthorized transactions have occurred on my account, I have been refunded within a week.
Re: (Score:2)
In theory, I would have such protections on my checking account, too, when it comes to obviously fraudulent checks. But when I heard the magic words "we will see if we can get your money back [emphasis added]", I realized that reality can be very different from the theory.
I am glad that things worked out for you. But I prefer to know with certainty that I am not completely screwed by keeping my money where it is far more certain who has authority to take money out. If things go very wrong with a credit c
Re: (Score:2)
Yeah, some of those reasons are why when I vacation I only use money I stuck on a MyVanilla card, and my Paypal card as a backup. It mitigates damages to hundreds, not thousands. I never use my bank card outside the state, and never at gas station pumps etc. I even go as far as to pay for gas with cash (throw $20 in the tank every couple of hours) to avoid the risk of Bluetooth card readers in the pumps.
Re: (Score:2)
Debit cards are not crazy at all, IMO, if you manage your liability by consistent care about how much cash is sitting in the relevant account. But I definitely do not authorize any magic "we will transfer from savings for you because it is so convenient" things. I want that isolated account to fail, and I will pick up the fees for my own mistakes, as a firewall from my pile of savings.
Re: (Score:2)
They started out dealing with counterfeiters. Guarding the President is just their most visible job.