Slashdot Mirror


Secret Service Warns of Chip Card Scheme (krebsonsecurity.com)

Brian Krebs reports on a new scheme where new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports:

"The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers."

4 of 114 comments

  1. Re: PIN by mark-t · Score: 3, Informative

    The bank won't mail you a PIN. In my experience, you have to go into a branch and set up your PIN at least once. After that, any replacement card they send will use the same PIN until you go to a branch and change it.

  2. Re:not an easy task at all. by Anonymous Coward · Score: 4, Informative

    No, you actually don't.

    The attack being described is just swapping other chips into the new cards they're stealing; as long as they look undamaged to the person getting the card until they activate it, the chip doesn't even need to work on the old card.

    So in this case? Mechanically cutting the chip region out is sufficient, the same way some scammers have sliced individual numbers of a lottery ticket or scratcher ticket, cutting only one layer of the paper.

    Because it doesn't matter what THEIR chip-and-pin gizmo looks like, it can be a Frankenstein's monster. And the card sent on in the mail doesn't need to even have a working chip-and-pin since the USA still has mag-stripe fallback for chip-and-pin read failures instead of rejecting the card outright.

    So no, this is far less 007 Bond and far more just simple "write on a grain of rice" hand-eye coordination.

    - WolfWings, too lazy to login to /. in too many years.

  3. Re: PIN by TheRaven64 · Score: 3, Informative

    All UK banks that I'm familiar with mail you out the initial PIN (on a weird sticker thing that's meant to make it impossible to read by shining a bright light through the envelope) and then suggest that you change it at an ATM.

    --
    I am TheRaven on Soylent News

  4. Re:Yeah - 3rd party postal overflow guys... by bws111 · Score: 3, Informative

    The Post Office can't hire extra real folks

    Bullshit. The USPS can and does hire temporary employees (here is an example from last year), they do not have any impact on the retirement fund.

    The demand that the USPS pre-fund its retirement system is not 'crazy', it is responsible. Note that most other organizations gave up on the pension system altogether and just give the employees money via 401K matches. The employee can then (wisely) 'pre-fund' his own retirement, or (stupidly) not - and be '85 and wanna go home'. About the only pensions that are not fully pre-funded anymore are public service jobs, because you can always just soak the taxpayer later, no sense in being fiscally responsible now.