Over the past few years, credit card terminals and users across the US have been transitioning from the old style of credit and debit cards to the newer EMV standard, also sometimes called chip-and-pin. The point of chip-and-pin is to create a newer banking standard that’s more resistant to fraud and abuse, particularly cloning. But the standard was never going to comprehensively protect against everything, a point jammed home now that credit card thieves are going after major corporations with a rather clever attack.
Here’s how PCMag describes the process: First, the thieves intercept a large run of cards, which companies typically order in bulk for many users at a time. Then, they remove the chips from the cards using a heat source and solder bad, dummy chips on. The new cards look legitimate, and can be activated, but they won’t actually work, since the chips don’t match the cards they’re attached to.
But you know what does work? The original chips that have now been activated by the account holder. The associated accounts can now be drained. Replacing the original chips opens up a much larger window before anyone realizes that the card has been stolen, particularly if the recipient activates the card but doesn’t necessarily use it very often. It could take days before the actual bait-and-switch is discovered. The image below is intended to help users spot counterfeit cards and was provided by the US Secret Service:
The scheme relies on the end user actually activating the credit card, because without that activation, the interceptors/thieves can’t pull off the scheme. It’s not clear how thieves are intercepting the parcels in the first place. This could mean that US Postal Service employees or a delivery service are helping with the theft.
The Secret Service, for those of you who did not know, is the federal law enforcement agency tasked with tracking down and preventing counterfeiting. In fact, it was on these grounds, rather than the protection of the President, that the Secret Service was created in 1865. Up to one-third of American currency in circulation following the Civil War was believed to be counterfeit, which puts some concrete size to the problem. It was only after President McKinley’s death that Congress made protection of the president one of the USSS primary responsibilities.
So far everything we’ve heard suggests corporations, not individuals, are the targets here, but be careful with your card activations. It might be wise to activate the card in an ATM and, if it cannot successfully complete transactions, warn your bank immediately. Waiting gives criminals the opportunity to empty your account.
(Top image credit: Hloom via Flickr, CC BY-SA, 401(K) 2013)