Secret Service Warns of Chip Card Scheme (krebsonsecurity.com)
Brian Krebs reports on a new scheme where new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports: The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.
Frequently during holiday periods (high mail flow), postal hubs take on outside contractors to handle those overflows. And those guys can be real scummy, to say the least.
One Christmas, I sent a care package to grandparents, including gift cards, and those were removed from the packaging, slit open from the envelopes, snapshot/sold as images with codes online, then thrown back in the package outside the envelopes. I was able to track it down (with a postal inspector and Amazon) to one of these overflow contractors, and although there are a few cases where they've been caught with hundreds of stolen gift cards - the relationship with the contracting organizations largely shields these crooks pretty constantly.
The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization. So, they're forced to play these games, and shield the folks screwing with the mail, lest they be unable to cover during holiday periods.
I can only imagine who the contracting groups are paying off to make this all possible, along with this latest mail-intercept racket.
Ryan Fenton
The bank won't mail you a PIN. In my experience, you have to go into a branch and set up your PIN at least once. After that, any replacement card they send will use the same PIN until you go to a branch and change it.
File under 'M' for 'Manic ranting'
of government who don't believe in government then government doesn't do so well.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
No, you actually don't.
The attack being described is just swapping other chips into the new cards they're stealing; as long as they look undamaged to the person getting the card until they activate it, the chip doesn't even need to work on the old card.
So in this case? Mechanically cutting the chip region out is sufficient, the same way some scammers have sliced individual numbers of a lottery ticket or scratcher ticket, cutting only one layer of the paper.
Because it doesn't matter what THEIR chip-and-pin gizmo looks like, it can be a Frankenstein's monster. And the card sent on in the mail doesn't need to even have a working chip-and-pin since the USA still has mag-stripe fallback for chip-and-pin read failures instead of rejecting the card outright.
So no, this is far less 007 Bond and far more just simple "write on a grain of rice" hand-eye coordination.
- WolfWings, too lazy to login to /. in too many years.
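An added example, not part of the comment above or of the original thread: a sketch of how an issuer could look for the pattern that comment describes, where the mailed card falls back to the mag-stripe while its chip is read successfully somewhere else. The entry-mode codes 05 and 80 are the usual ISO 8583 field 22 values; the record layout, function name, 14-day window and sample data are assumptions.

```python
from datetime import datetime, timedelta

# First two digits of ISO 8583 field 22 (POS entry mode).
CHIP_READ = "05"      # card data read from the EMV chip
CHIP_FALLBACK = "80"  # chip-capable terminal fell back to the mag-stripe

def score_new_cards(activations, txns, window=timedelta(days=14)):
    """Map card id -> 'alert' or 'review' for cards used soon after activation.

    review: a freshly issued chip already fails and the stripe is used instead.
    alert:  same, and the chip is also read successfully at a different
            terminal, i.e. chip and plastic appear to be in two places.
    """
    seen = {}  # card -> {entry mode: set of terminal ids}
    for t in txns:
        start = activations.get(t["card"])
        if start is None or not (start <= t["time"] <= start + window):
            continue  # unknown card, or outside the post-activation window
        if t["mode"] in (CHIP_READ, CHIP_FALLBACK):
            seen.setdefault(t["card"], {}).setdefault(t["mode"], set()).add(t["terminal"])
    result = {}
    for card, modes in seen.items():
        fallback = modes.get(CHIP_FALLBACK, set())
        chip = modes.get(CHIP_READ, set())
        if not fallback:
            continue  # chip works wherever the card is used: nothing to flag
        # A chip read at a terminal that never saw a fallback is the strong signal;
        # both modes at one terminal looks more like a flaky reader.
        result[card] = "alert" if chip - fallback else "review"
    return result

# Constructed sample data (card ids, terminals and times are made up).
D = datetime(2018, 4, 2)
ACTIVATIONS = {"card-A": D, "card-B": D, "card-C": D - timedelta(days=400)}
TXNS = [
    {"card": "card-A", "time": D + timedelta(hours=3), "mode": CHIP_FALLBACK, "terminal": "grocer-17"},
    {"card": "card-A", "time": D + timedelta(hours=5), "mode": CHIP_READ, "terminal": "atm-902"},
    {"card": "card-B", "time": D + timedelta(days=1), "mode": CHIP_READ, "terminal": "cafe-4"},
    {"card": "card-B", "time": D + timedelta(days=2), "mode": CHIP_FALLBACK, "terminal": "cafe-4"},
    {"card": "card-C", "time": D + timedelta(days=1), "mode": CHIP_FALLBACK, "terminal": "fuel-8"},
]

if __name__ == "__main__":
    print(score_new_cards(ACTIVATIONS, TXNS))
```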
All UK banks that I'm familiar with mail you out the initial PIN (on a weird sticker thing that's meant to make it impossible to read by shining a bright light through the envelope) and then suggest that you change it at an ATM.
I am TheRaven on Soylent News
It's one of two things. Either the transaction itself correlated with fraudulent transactions, or the transaction didn't correlate with your own spending habits. Banks build fairly complex statistical models of spending and flag any outliers as potential fraud. The most amusing one of these for me was the registration fee for a DARPA PI meeting. Apparently my bank believes that paying money to the US government correlates strongly with fraud. Somewhat less helpfully, they insisted on calling me during UK business hours (i.e. in the middle of the night where I was) to confirm. After a very grumpy 4am conversation (the third time they'd woken me up that night, but the first time I'd managed to get to my phone before it stopped ringing) they gave me a 24-hour number that I could call from anywhere in the world.
I am TheRaven on Soylent News