Anatomy of a Credit Card Hack

Anatomy of a Credit Card Hack: a reader asked…

My credit card information, but not the credit card, was recently stolen. I never lost sight of my card, but somehow someone got enough information to make some fraudulent purchases. Fortunately, my bank called about suspected purchases and I was able to have the card replaced in one day. So my question is, how could something like this happen and can I do anything to prevent it happening again?

Credit card fraud is a multi-billion dollar business worldwide. It’s a sorry situation. And what makes it sorrier is that we, the consumers, are paying for this fraud. Don’t believe me? Consider this: all the costs your bank incurs to run a credit card service are part of their costs of doing business – even fraud. Banks aren’t in business to lose money any more than any other business, so they make sure their rates are sufficient to cover all their costs. These costs are passed on to consumers either through the increased cost of goods and services by the banks or merchants, or the reduced interest earned on funds stored in the bank. There ain’t no free lunch.

What fries me is that the banks could do a much better job of eliminating fraud. Outside the US, many countries have been issuing Chip & PIN credit cards for over a decade. Here in the US, banks are just starting to issue the much weaker Chip & Signature cards, with very few banks issuing the much-more-secure Chip & PIN card. I find the even more secure one-time-transaction-code method (such as Apple Pay and the forthcoming Samsung Pay) to be vastly better for consumer security, but the banks and merchants are barely moving on rolling this out. For more information about this, please check out this article.

Consider this: Your basic credit card information (the card number, expiration date, name on the card, and CVV code) is both printed on the card itself and recorded in the magnetic stripe on the back. For the new chip-based cards, that information is also recorded inside the chip (and encrypted). Merchants take your credit card and capture this information, then send it to their payment processor, who communicates with your bank to authorize the transaction. Once authorized, the transaction is complete, and this usually takes just a few seconds. So your credit card information is in several places:

  1. on your card, printed and magnetically recorded
  2. on the merchant’s point of sale card swiper, and possibly on the transaction records held on the merchant’s server
  3. on the payment processor’s server, and
  4. on your bank’s server

Any one of those places could be hacked, and in fact, undoubtedly several places have already been hacked. This information is stored in massive databases, and hackers have broken into those databases and grabbed the data, including yours. For online purchases, gas stations and many other merchants you also have to provide your billing zip code, but that’s not a real security step, as everybody’s name, address and zip code are recorded somewhere on the internet, also available to hackers. And even chip-based cards have to have backwards-compatibility for older systems, so the information is still on a magnetic stripe.

There are plenty of ways your credit card info can be stolen directly from you. For example, the relatively low-paid waiter or waitress who takes your card to charge your meal could easily have a small card swiper in their pocket to capture the information. These card swipers can also be snuck into ATM machines. But let’s assume that hasn’t happened to you.

Here’s a fanciful scenario of a credit card hack I dreamed up – but it’s based on real-world capabilities that are being used now. You’ve used your credit card at a number of merchants, at least some of whom have retained your credit card information in their databases. One or more of these merchants gets hacked, and your credit card information, along with that of millions of others, is posted for sale on the internet. A group of hackers who specialize in credit card fraud buy this mass of data. They’ve also purchased a lot of public record information on consumers in your state or country. With a few data queries and a bit of simple programming, the group puts together enough information to impersonate you, but they don’t even need to go that far. They’ve purchased credit card stamping equipment (available on the internet), so they simply take the information from your credit card and make fresh cards on-demand for buyers who want to get in on the credit card fraud bonanza.

Someone, let’s call him Bill Smith (matching his fake ID), wants to buy some fake credit cards. He has the hacker group make him a couple hundred different cards, using his own name printed on the card, but using your information (and that of 99 other victims) on the magnetic stripe. Bill starts shopping, going to large and well-known merchants. He uses your card and makes a few purchases for a couple hundred dollars each. He rolls through a shopping mall, using different cards at different merchants. Loaded down with packages, he heads to his lair and starts an eBay store to sell all the items he bought. He doesn’t worry too much because he got some goods before the bank caught on and cancelled the fake card with your card info on it, and if he had to show ID at a merchant, the name printed on the card matched his fake ID.

This is just one of many different ways in which your credit card can be fraudulently used. Sadly, there’s very little risk for the fraudsters, and even if they try to use a fake card that’s been cancelled, they only lose the now-worthless fake card, one out of hundreds they have.

It’s pretty much impossible for you to prevent this from happening to you. What you can do is:

  1. Watch your credit card statements like a hawk and question any transaction (even for a penny or a few cents) that you don’t recognize.
  2. If you have a smartphone, most credit card issuers will have an app that alerts you every time a transaction is made.
  3. If you don’t, but have a computer, you can log into your account as often as you want and look at the recent transactions.
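
If your card issuer lets you download recent transactions as a CSV file, the review described above can be partly automated. The script below is an added example, not part of the original article: the column names, the sample rows, the list of known merchants and the one-dollar threshold are all assumptions made for illustration. It flags every charge from a merchant you have not listed as familiar, marks tiny charges, and marks days with several unfamiliar charges, as in the shopping-mall scenario.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample export; real issuers use their own column names.
SAMPLE_CSV = """date,merchant,amount
2015-03-02,GROCERY MART #12,54.10
2015-03-03,UNFAMILIAR WEBSHOP,0.01
2015-03-03,COFFEE CORNER,4.75
2015-03-04,MALL ELECTRONICS,219.99
2015-03-04,MALL SHOES,185.00
2015-03-05,GROCERY MART #12,61.32
"""

# Merchants the cardholder recognizes (assumed; maintained by hand).
KNOWN_MERCHANTS = {"GROCERY MART #12", "COFFEE CORNER"}
# Upper bound for "a penny or a few cents" style charges (assumed).
SMALL_CHARGE = Decimal("1.00")


def review_statement(csv_text, known=KNOWN_MERCHANTS, small=SMALL_CHARGE):
    """Return (date, merchant, amount, reasons) for charges to question."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Only charges from merchants not on the familiar list are of interest.
    unknown = [r for r in rows if r["merchant"].strip().upper() not in known]
    per_day = Counter(r["date"] for r in unknown)
    flagged = []
    for r in unknown:
        amount = Decimal(r["amount"])  # Decimal avoids float rounding on money
        reasons = ["unrecognized merchant"]
        if amount <= small:
            reasons.append("tiny charge")
        if per_day[r["date"]] >= 2:
            reasons.append("several unfamiliar charges same day")
        flagged.append((r["date"], r["merchant"].strip(), amount, reasons))
    return flagged


if __name__ == "__main__":
    for date, merchant, amount, reasons in review_statement(SAMPLE_CSV):
        print(f"{date}  {merchant:<20} {amount:>8}  {', '.join(reasons)}")
```

Anything the script flags still needs a human look; a flagged charge you do not recognize is the one to raise with your bank.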
