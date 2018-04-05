Secret Service Warns of Chip Card Scheme (krebsonsecurity.com) 23
Brian Krebs reports of a new scheme where new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports: The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.
Use it.
The summary implies they are using debit cards to get cash.
Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?
I have a debit/atm card from my bank. The ATM requires the PIN, but I just used it with a merchant and they did not take a PIN, but a signature on a receipt. So your answer is "yes", at least for merchants.
If they can intercept the card, and send it on to you without you suspecting anything, they can probably intercept the PIN and do the same to that.
OK, how about a 2-stage activation:
When you first activate it, the first time you use it you will get an alert and have a few days to do a second activation.
Until the 2nd activation goes through, you will get an alert on all charges and if it's a high-dollar charge or even a medium-dollar charge at someplace that's not "normal" for you, the charge will be declined and alarms would go off at the bank and on my phone or email.
So, if someone pulls the switcheroo on my card they might be able to buy a $100 TV a
Nah, no need for such complexity - most non-US banks issue users with card readers that generate one time PINs for use in authenticating online and activating cards, so just require those in the US. It wont work without the proper chip in the card, so job done...
The penalties for stealing mail from a mailbox and opening it are very severe as well.
Every time I have had something stolen from the mail, it was a USPS employee. It usually happens at the distribution point, before it is assigned to a delivery man.
The don't usually catch them, and even certified packages go missing and you can't get your money back.
Twice I have had relatively small packages containing audio/electronic items (e.g. MIDI devices) stolen this way. Filling out forms does nothing. IG does nothing. Package trace log shows the item at the postal distribution warehouse, where it
Dumpster diving, seems ineffective and it shouldn't be too hard to make it difficult to swap chips on new cards.
They presumably only use the new chips for a few days, draining as much cash as they can. Therefore once they collect enough chips to intercept cards for those few days, they're fine. Because then they have five day old chips they already used to send out.
In the sense that it doesn't have anything to do with the underlying technology at all. It's a weakness in the activation/verification scheme in that it verifies that the cardholder received something, not that they have received the genuine card.
An easy way to 'close the loop' would be to perform the activation at an ATM that could verify the authenticity of the chip. Then the 'activation' of the card would be tied to positive proof that the rightful owner had possession of it.
Frequently during holiday periods (high mail flow), postal hubs take on outside contractors to handle those overflows. And those guys can be real scummy, to say the least.
One Christmas, I sent a care package to grandparents, including gift cards, and those were removed from the packaging, slit open from the envelopes, snapshot/sold as images with codes online, then thrown back in the package outside the envelopes. I was able to track it down (with a postal inspector and Amazon) to one of these overflow co
