Secret Service Warns of Chip Card Scheme

Brian Krebs reports of a new scheme where new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports: The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.

Yeah - 3rd party postal overflow guys...

[RyanFenton]

Frequently during holiday periods (high mail flow), postal hubs take on outside contractors to handle those overflows. And those guys can be real scummy, to say the least.

One Christmas, I sent a care package to grandparents, including gift cards, and those were removed from the packaging, slit open from the envelopes, snapshot/sold as images with codes online, then thrown back in the package outside the envelopes. I was able to track it down (with a postal inspector and Amazon) to one of these overflow contractors, and although there's a few cases where they've been caught with hundreds of stolen gift cards - the relationship with the contracting organizations largely shield these crooks pretty constantly.

The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization. So, they're forced to play these games, and shield the folks screwing with the mail, lest they be unable to cover during holiday periods.

I can only imagine who the contracting groups are paying off to make this all possible, along with this latest mail-intercept racket.

Ryan Fenton

Re:not an easy task at all.

No, you actually don't.

The attack being described is just swapping other chip's in to the new cards they're stealing; as long as they look undamaged to the person getting the card until they activate it, the chip doesn't even need to work on the old card.

So in this case? Mechanically cutting the chip region out is sufficient, the same way some scammers have sliced individual numbers of a lottery ticket or scratcher ticket, cutting only one layer of the paper.

Because it doesn't matter what THEIR chip-and-pin gizmo looks like, it can be a frankenstein's monster. And the card sent on in the mail doesn't need to even have a working chip-and-pin since the USA still has mag-stripe fallback for chip-and-pin read failures instead of rejecting the card outright.

So no, this is far less 007 Bond and far more just simple "write on a grain of rice" hand-eye coordination.

- WolfWings, too lazy to login to /. in too many years.