Credit Card Fraud: Harvesting the Credit Card Number


t card fraud is on the rise and is the most costly type of fraud world wide. Once the criminal has a credit card number and expiration date, it is possible to clone the credit card with relative ease.

How Criminals Use Credit Card Numbers

To make a fully legitimate copy of a credit card, a rather expensive investment in printing equipment is needed, but the actual process is quite easy and extremely profitable, as the credit card looks genuine. Of course, many criminals simply use expired credit cards or even supermarket rewards cards, which also have a magnetic strip, and put the stolen credit card number on them.

This option will not pass a manual review, but it can still be used at self serve cash stations or on an inattentive clerk. Given that studies have shown that it is possible to make a big purchase using white paper, instead of cash[citation needed], with only a little social engineering, finding a clerk to accept one of these cards is not going to be too difficult.

It Starts with Getting the Credit Card Number

Of course, the first step for the criminal is to actually harvest the credit card numbers. Often, this occurs when the criminal discovers a credit card merchant who does not secure their information well and is able to hack their servers, with almost every month reports being issued stating hundreds of thousands of credit card numbers were stolen and many likely going unreported.

However, it is much easier for a small time and less technical criminal to steal credit card numbers at an ATM.

Compromising the ATM: Social Engineering and Low Tech Methods

Most of the methods of harvesting credit card details from an ATM involve actually compromising the machine in some manner. At its most basic, this could involve what is called a “Lebanese Loop,” which can be as simple as a thin piece of plastic or film, which is inserted into the credit card reader.

When the victim inserts their credit card, the piece of plastic prevents it from being read, as well as keeping the card from being ejected. After several minutes, the victim assumes their credit card has been "eaten" by the machine, leaving or going into the bank for assistance.

At this point, the criminal can walk up the ATM, remove the plastic, and physically steal the credit card. Of course, this low tech approach has a number of variations, with some installing a collection box over the card reader, so as cards are inserted they end up in the box, which the criminal can pick up later.

The downside to this is that these credit cards will usually have a much shorter lifespan, as the victim knows something went wrong. This not only means the criminal must act quickly to use it before the card is reported lost or stolen, but they must also physically go get the card, which presents another risk.

It is also common for the criminal to use social engineering to obtain credit card numbers. For example, it is not uncommon for a credit card thief to set up a swipe next to the ATM, which is labeled as a "Credit Card Cleaner." When a victim, albeit a rather inept victim, sees the notice, they slide their card through the cleaner, which transmits the credit card details to the criminal. There are a number of variations on this type of social engineering, which is alarmingly effective.

Compromising the ATM: Credit Card Skimming

Increasingly a much more advanced method of tampering with ATMs has emerged called Card Skimming. The criminal will attach a credit card reader to the ATM, so that whenever a credit card is scanned, it passes through the criminal cards scanner, as well as the legitimate one on the ATM. This information is either stored on a small storage disk at the ATM or it could be wireless transmitted to a nearby computer.

The advantage of this method is that the ATM will work for the victim, so they will go on about their business none the wiser. It can also be used on both the ATMs that actually suck the card in, as well as the ones that you simply slide.

Many times the presences of a card skimmer is rather obvious, as it does not match the ATM's scanner, but this is not always the case. Recently, a pair of gas station attendants opened up the gas pumps at their station and inserted the skimmers on the inside of the pump. This made it impossible to tell that a skimmer was in place, without actually taking the machine apart and preforming a manual audit.

More and more, we are seeing cases where the ATM itself is owned and operated by a criminal organization. The Criminal will approach store owners and offer them a large cut of the proceeds to place an ATM in their store, more so than legitimate companies offer. For all intensive purposes, the ATM works as intended. However, in addition to providing money, all transactions are recorded. This is why it is rarely a good idea to use an ATM at a gas station or other store. Instead, it is better to only use Bank ATMs.

One of the best ways to protect yourself as a consumer is to always pay attention to the card reader on the ATM and look carefully for anything that looks off. Most are fairly obvious if you take a second to look at it, but as illustrated in the gas station example above, this is not always the case. Remember that it is very likely that the criminal is nearby if you encounter a credit card skimmer, so always proceed with caution.

No Comments Yet

Add Comment