How Was Your Credit Card Stolen?


Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I’ve never published a primer on the types of card fraud and, for each, the likelihood of the cardholder ever learning how their account was compromised. This post is an effort to remedy that.

The card associations (Visa, MasterCard, et al.) very often know which merchant was compromised before even the banks or the merchant itself does. But they rarely tell banks which merchant got hacked. Rather, in response to a breach, the card associations will send each affected bank a list of card numbers that were compromised.

The bank may be able to work backwards from that list to the breached merchant if the merchant in question is not one that a majority of their cardholders shop at in a given month anyway. However, in the cases where banks do know which merchant caused a card to be compromised and/or replaced, the banks rarely share that information with their customers.
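The work-backwards step described above is commonly called common-point-of-purchase analysis. As an added illustration (not part of the original post), this sketch ranks merchants by how over-represented they are among the compromised cards; the card IDs, merchant names and thresholds are constructed assumptions.

```python
# Constructed sample data: card id -> merchants visited in the lookback window.
HISTORY = {
    "c01": {"MegaMart", "Luigi's Bistro", "FuelStop"},
    "c02": {"MegaMart", "Luigi's Bistro"},
    "c03": {"MegaMart", "Luigi's Bistro", "BookNook"},
    "c04": {"Luigi's Bistro", "FuelStop"},
    "c05": {"MegaMart", "FuelStop"},
    "c06": {"MegaMart", "BookNook"},
    "c07": {"MegaMart", "FuelStop"},
    "c08": {"MegaMart"},
    "c09": {"MegaMart", "BookNook", "FuelStop"},
    "c10": {"MegaMart", "FuelStop"},
}
# Constructed compromised-card lists, as a card association might send them.
BREACH_A = {"c01", "c02", "c03", "c04"}          # cards that visited a small restaurant
BREACH_B = {"c05", "c06", "c07", "c08", "c09"}   # cards that visited a ubiquitous retailer


def common_point_of_purchase(history, compromised, min_share=0.8, min_lift=2.0):
    """Return (merchant, hit_share, base_share, lift) for plausible breach sources.

    hit_share  = fraction of compromised cards that visited the merchant
    base_share = fraction of ALL cards that visited the merchant
    lift       = hit_share / base_share; close to 1.0 means "everyone shops there"
    """
    flagged = [c for c in compromised if c in history]  # ignore cards with no history
    if not flagged:
        return []
    candidates = []
    for merchant in set().union(*history.values()):
        hits = sum(merchant in history[c] for c in flagged)
        base = sum(merchant in visited for visited in history.values())
        hit_share = hits / len(flagged)
        base_share = base / len(history)
        lift = hit_share / base_share
        # A candidate must cover most compromised cards AND stand out from baseline.
        if hit_share >= min_share and lift >= min_lift:
            candidates.append(
                (merchant, round(hit_share, 2), round(base_share, 2), round(lift, 2))
            )
    return sorted(candidates, key=lambda row: -row[3])


if __name__ == "__main__":
    print("Breach A:", common_point_of_purchase(HISTORY, BREACH_A))
    print("Breach B:", common_point_of_purchase(HISTORY, BREACH_B))
```

Breach A singles out the restaurant, while Breach B yields no candidate: every compromised card visited MegaMart, but so did 90% of all cards, which is the case the paragraph above describes.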

Here’s a look at some of the most common forms of credit card fraud:

Hacked main street merchant, restaurant:
Most often powered by malicious software installed on point-of-sale devices remotely.

Distinguishing characteristic: Most common and costly source of card fraud. Losses are high because crooks can take the information and produce counterfeit cards that can be used in big box stores to buy gift cards and/or expensive goods that can be easily resold for cash.

Chances of consumer learning source of fraud: Low, depending on customer card usage.

Processor breach:
A network compromise at a company that processes transactions between credit card issuing banks and merchant banks.

Distinguishing characteristic: High volume of card accounts can be stolen in a very short time.

Chances of consumer learning source of fraud: Virtually nil. Processor breaches are rare compared to retail break-ins, but it’s also difficult for banks to trace back fraud on a card to a processor. Card associations/banks generally don’t tell consumers when they do know.

Hacked point-of-sale service company/vendor:

Distinguishing characteristic: Can be time-consuming for banks and card associations to determine vendor responsible. Fraud is generally localized to a specific town or geographic region served by vendor.

Chances of consumer learning source of fraud: Low, given that compromised point-of-sale service company or vendor does not have a direct relationship with the card holder or issuing bank.

Hacked E-commerce Merchant:
A database or Web site compromise at an online merchant.

Distinguishing characteristic: Results in online fraud. Consumer likely to learn about fraud from monthly statement, incorrectly attribute fraud to merchant where unauthorized transaction occurred. Bank customer service representatives are trained not to give out information about the breached online merchant, or address information associated with the fraudulent order.

Chances of consumer learning source of fraud: Nil to low.

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

ATM or Gas Pump Skimmer:
Thieves attach physical fraud devices to ATMs and pumps to steal card numbers and PINs. For more on skimmers, see my All About Skimmers series.

Distinguishing characteristic: Fraud can take many months to figure out. Often tied to gang activity.

Chances of consumer learning source of fraud: High. Bank should disclose to cardholder the source of the fraud and replace stolen funds.

Crooked employee:
Uses hidden or handheld device to copy card for later counterfeiting.

Distinguishing characteristic: Most frequently committed by restaurant workers. Often tied to local crime rings, or seasonal and transient workers.

Chances of consumer learning source of fraud: Nil to low.

Lost/Stolen card:

Distinguishing characteristic: The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by bank to suspicious transactions, which often involve small test transactions to see if the card is still active — such as at automated gas station pumps.

Chances of consumer learning source of fraud: High.

Malware on Consumer PC:

Distinguishing characteristic: Malicious software that hooks into the victim’s browser, and records all data submitted into Web site forms, including credit card information. Leads to unauthorized online charges.

Chances of consumer learning source of fraud: Discovering the infection? Fairly good. Definitively tying card-not-present card fraud to a malware infection? Very low.

Physical record theft:
Merchant, government agency or some other entity charged with storing and protecting card data improperly disposes of card account records.

Distinguishing characteristic: Usually not high-volume. Less common form of fraud than it used to be.

Chances of consumer learning source of fraud: Nil to low.

I hope it’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorized charges, and to report that activity as quickly as possible.

Source: KrebsOnSecurity