The Rippleshot Data Breach Blog

Credit Card Fraud Schemes in the News

Written by Anna Kragie | Apr 13, 2018 5:08:15 PM

There’s never quite a dull moment in the world of credit card fraud, which was the case this week in the mainstream news cycle. With topics like “chip card scheme,” “fake fraud alerts” and “card shimming scam” in the headlines, it’s easy to see why banks are rushing to implement better, faster fraud detection solutions.

That was just a sliver of what made the headlines in the world of payment card fraud news this week. We’ve taken a deeper dive into the reports that surfaced, and have explored why these problems keep showing back up in the mainstream news cycle.

‘Secret Service Warns of Chip Card Scheme’

That was a headline this week from KrebsOnSecurity.com, a report that details a new scheme that involves criminals tampering with letters that contain debit cards with EMV chips. This scheme reportedly is when the criminals swap out the chip from a new card with an old chip before sending the letter on to its original destination. Once the cardholder activates that card, this scheme allows criminals to use the stolen chip information to access the cardholder’s account, which allows them to drain funds directly from their bank account.

The warming about this scheme reportedly came by way of a Secret Service memo that was sent to financial institutions last month. The letter did not indicate how widespread of a problem this is believed to be, or where in the country it is likely occurring. Speculation is that the criminals are gaining access to the cardholder’s mail before they notice it was stolen. While the card itself can’t be used, the hackers are still able to access their bank accounts since they have the new chip, according to the report.

This scheme shows how criminals have caught on to the value in stealing debit cards. Instead of stealing the card itself, which would have no value until activated, they are stealing the mechanism that provides access to account data. By changing out the chip card and sending the chip on a card attached to a legitimate account, this activates the access to the bank account for the criminal, according to Krebs report.

Based on the warning cited by Krebs, the fraudsters aren’t necessarily going after individuals, but rather eyeing business accounts that would have larger bank accounts to access. This report joins the list of concerns some security experts have expressed over chip card technology itself as it’s believed that criminals have found new ways to hack the data in chip cards, just as they did with traditional magstripe cards.

‘Dodging Fake Card Alerts’

A New York Times headline this week gave a friendly reminder that fraudulent card alerts are alive and well in the world of payment fraud. This particular piece warned about scammers sending unsolicited text messages about credit card fraud.

Since text message alerts from banks and card issuers are becoming standard, it’s no wonder hackers have caught onto this method. This has caused fake credit card alerts to plague the financial ecosystem. The problem? For most consumers unaware of such schemes, it’s easy to overlook why these alerts can be fraudulent.

Avoiding fake card alerts takes an extra step on the cardholder’s part. Typically, a debit or credit card alert will read something along these lines: “Did you authorize $103 to this retailer? If yes, text 1, if no call us.” These types of alerts are getting more common, which is why fraudsters are beginning to capitalize on this type of communication.

When a cardholder gets an alert that seems out of the typical scope of why their bank or card issuer would be contacting them, this should be the first red flag. Either way, a cardholder can best protect themselves by calling the customer service number on their card to speak to an actual person. They should avoid calling a number suggested in the text if it doesn’t match the number on the card as that may actually be a fraudulent number, too. Cardholders should avoid clicking any links with the message to avoid additional fraud from occurring.

‘New Credit Card 'Shimming' Scam’

A local new affiliate out of Dayton Ohio may have oversold how “new” the credit card shimming problem actually is, but this scam appears to be hitting the chip card market more frequently.

An auditor’s office released a warning about the technique known as shimming, which is where — similar to ATM skimming — the fraudster “shims” the information from credit cards using a paper-thin device that has embedded microchips with flash storage. Unlike skimmers, shimmers are harder to detect and doesn’t prevent cardholders from using an ATM machine or POS device. When a shimmer is present, this allows hackers to get their information whenever a card is inserted.

Globally, ATM skimming fraud is a $2 billion problem. This is a rapidly-growing issue that’s become a major pain point for banks and credit unions already faced with increased challenges on how to manage their fraud-fighting measures. Now with shimming adding to the ATM and POS fraud problem, this is going to be another problem for financial institutions to add to their long list of cost fraud problems.