Well-known cybersecurity journalist Brian Krebs is reporting a US scam aimed at chip-based payment cards.
The crooks are stealing cards before they reach their intended recipients – an old technique for credit card fraud, admittedly, but now with an added twist.
These days, just stealing a new card in transit often won’t work, because the crooks don’t have the information needed to activate the new card…
…but in this scam, the crooks have figured out a way to do an end run around the activation process: steal just the chip off the card, and wait for the legitimate recipient to activate the card.
Assuming the recipient doesn’t spot the tampering, of course.
How the crime works
According to the US Secret Service, the government law enforcement agency that deals, amongst other things, with postal fraud, the crime goes something like this:
- Intercept cards on the way to corporate recipients. We’re not sure whether corporates are targeted because they have more money, because they tend to receive cards in easily-detectable batches, or because their card usage patterns mean that scammed cards generally take longer to get spotted.
- Prise the chips out of the cards.
- Glue old chips from expired cards into the holes left by the real chips. The replacement chips don’t need to work – they merely need to look OK to disguise the fact that the cards have been tampered with.
- Send the original cards onwards to the intended recipients.
- Wait for the recipients to activate the modified cards.
- Spend, spend, spend using the stolen chips glued onto fake blank cards. This works either until the card issuers spot irregularities in the transactions being processed, or until the cardholders try to do chip transactions themselves, realise their new cards have dud chips, and report the problem.
As far as we can see, this sort of scam would be harder to pull off outside the US, where chip transactions require a PIN as well as the chip.
Banks in some countries still insist on sending out both new cards and PINs by snail mail, which is insecure for recipients who live or work in apartment or office blocks with a shared mailbox area, but the crooks would nevertheless need to intercept both the cards and their matching PIN mailers to be able to use the stolen chips.
Chips aren’t hard to remove, however – here’s a video of us doing it using just a hairdryer and a pair of tweezers:
What to do?
Here are some tips that will help if you are worried about chip-swap scams:
- Inspect the card mailer carefully. We assume that the crooks need accomplices inside the postal service who remove letters from the system so they can be opened, modified and re-sealed.
- Inspect the chip and the card carefully. It’s hard to remove the chip without leaving some signs of tampering, so look out for heat damage (the card plastic tends to wrinkle, bend and change colour easily) or scratches around the chip where the original was pried out.
- Take the card into your bank to activate it. That way the bank can verify whether the chip is valid or not before enabling it – activating online or over the phone works without validating the chip itself.
- If you can’t activate in the bank, do a small chip transaction immediately after activation. Do not swipe the card, because you are testing to see if the chip is dud or not. If it is, cancel the card at once.