How Credit Card Numbers Get Stolen

It seems like most people care for carrying around cash anymore, especially younger people like teenagers. But with the endless conveniences that those little pieces of plastic called credit cards offer, who still wants to bother with physical money anymore? Virtually all places of business accept credit cards as a form of payment, credit cards can be used to make bill payments and purchases over the phone or online, and both online and telephone payment systems can save credit card information so that you don’t have to waste time providing the card details over and over again. Best of all, as long as you have available credit or funds, you don’t have to worry about “running out of money” with credit cards as you do with physical cash, eliminating the need for trips to the ATM to withdraw cash, and also avoiding third-party ATMs that charge you fees for using your own money.

Credit Card Security Risk

The only downside to credit cards is that the utilities they provide to cardholders also benefit the thieves who try to get their hands on them, or their information. Credit card theft used to be so one-dimensional back in the old days. Most of the time, thieves had to physically get a hold of your card in order to use it, whether through brute means like purse snatching or sneaky ways like pick pocketing. But with all of the advanced technology that stores credit card information in retail databases and systems, and the existence of standalone, poorly monitored machines that take credit card payments like ATMs and gas station pumps, credit card theft has gotten more sophisticated. Many methods don’t even require acquisition of physical cards but only of the information. Most cardholders don’t even realize that they have been victimized until months later after the theft has occurred.Here are just a few of the clever ways that thieves obtain credit card information and what you can do to cut down on the risks of being one of their victims.

Common Ways Thieves Obtain Credit Card Information

Skimmers

ATM/Payment Terminal Skimming

Card skimming is probably the most dangerous form of credit card theft because it is so stealthy and well-hidden that most victims have absolutely no clue or suspicion while it’s happening. In a card skimming campaign, scammers install electronic card reader devices onto ATM machines and payment terminals; these devices capture and save all the credit card information of the cards that use those machines. Some of these devices are installed inside of the machines, but many are placed on top of the card insertion component, as they are often practically identical to the real card scanner of the machine. These card skimmers acquire all the data of a credit card through its magnetic stripe, including the cardholder’s name, the actual card number, the expiration date, and even the three- or four-digit security code on the back. Installing these fraudulent devices can take as little as a few seconds to a few minutes, and they are typically installed on machines that are not monitored closely, like gas pumps that are only seen from a distance by store clerks inside the store, or ATMs located on the periphery of a building. For ATM card skimmer plots, some thieves may place tiny cameras by the machine to video record users entering their PIN numbers as they access their accounts. Bold skimmers will also target the payment machines located inside of a store. There have been incidents, such as one in 2016 in Miami Beach, where a thief waited until the store clerk inside a convenience store had her back turned to install a card skimmer on top of the credit card payment machine; the skimmer had an exterior panel that was virtually identical to that of the real machine, from the size and shape to the keypads and buttons.

Restaurant Skimming

Card reading scams can also take more hands-on approaches, particularly in restaurants, which are another hot spot for credit card theft. For instance, crooked servers at a restaurant who take credit cards from patrons for bill payments will process the bill payments using the restaurant’s system, as usual. But after the payment transaction, these servers will discretely use handheld skimmers the size of a golf ball to swipe a customer’s credit card, recording all of the card’s information through that magnetic stripe.

Delayed Discovery

Victims of card skimming typically don’t realize that their cards have been compromised until weeks or months later when they see unauthorized transactions on their statements, and that’s if they even notice any unfamiliar transactions. This is because some thieves are smart enough to use the stolen card details to make small, normal purchases that the average person would make, so that naive victims will assume that the fraudulent purchases were made by them.

Phishing

Phishing schemes stand out from other credit card theft plots because they use strategic deception and disguise to get victims to willingly share their card information, instead of utilizing tactics to underhandedly steal credit card details without the victims’ knowledge or approval. Phishing ruses can take different forms, including email, phone, and even text, with email being a primary method for scammers. In a phishing email scam, cyber thieves will send emails that appear to be from reputable institutions like banks or familiar ecommerce sites to users, asking them to click on provided links to perform a task such as updating their passwords or make a payment on an outstanding balance. With the email looking exactly like past emails from the real source, with identical logos, colors, etc., unsuspecting users click on the links that take them to sites that look like those of the real businesses. However, these sites are fraudulent, and when a user logs in to this fake site, the thieves capture their login credentials to use them on the authentic site to access the victims’ personal information, including credit card details. But if the fraudulent link in the email takes a victim to a fake payment processing page, then perpetrators will obtain all of the user’s credit card details through a purchase for a fabricated product, service, or bill. These phishing schemes can also take place via phone or text messaging, in which a person calls or sends a message posing as a representative of a government department or authority like the IRS, demanding payment for a pending bill, possibly even including threats of litigation or criminal charges if payment is not made. Intimidated and caught off guard by these urgent messages, many victims impulsively respond out of fear and provide their credit card information over the phone, unknowingly to thieves.

Public Wi-Fi

Many flock to places like coffee shops and book stores where free Wi-Fi is offered, but the convenience of free, public Wi-Fi comes with security risks that can outweigh its benefits. Public Wi-Fi networks are unsecured and require no credentials for access, creating vulnerable channels through which hackers can infiltrate the network and computers in the vicinity that are on them. They can uses tactics such as Man-in-the-Middle attacks (MITM) to intercept users’ personal information such as social security numbers and credit card data. Instead of invading networks, hackers can also create their own rogue Wi-Fi with names similar to those of nearby businesses, so that users will join their networks and unknowingly give hackers direct access to their computers to steal sensitive data like credit card numbers.

Spyware/Malware

Providing a myriad of ways to sneak onto networks and computers, spyware and other malware are also effective forms of attack that allow cyber thieves to steal credit card information. Users on private PCs or mobile devices who unknowingly visit malicious sites put themselves at risk of information theft through malware that the site can download onto their devices. This malware can include spyware that uses keyloggers to capture data entered through keyboards, such as credit card numbers as users make online payments. Public computers like those in libraries, or corporate computers of an enterprise, are especially tempting targets for thieves to exploit because once a hacker infects one computer via malware, it can use that one computer as an entry way to attack more machines on the same network. If users of these public or corporate computers download infected data onto flash drives or media that they’ll use on other devices, then the malware and any included spyware can spread and inhabit more computers, grabbing credit card information from more users.

Data Breaches

Hackers who want to go for more efficient, large-scale acquisitions of credit card information will set their sights on major institutions like retailers and banks to launch data breaches. Using a variety of entry points and vulnerabilities, hackers can break into the networks and databases of giant organizations, stealing millions of account records and transactions that include sensitive information, such as addresses, dates of birth, and credit card numbers. Some of the past data breaches that made major headlines include the Target retail store attack in 2013 that compromised 40 million debit and credit cards, and the 2015 hack into the social website Ashley Madison that exposed the identities of over 30 million users and their credit card transactions.

Mail and Trash

Though old-fashioned, even a little primitive, stealing credit card information through postal mail and dumpster diving are tried and true, grassroots methods that many identity thieves still rely on to find victims. These thieves like to target residential areas and keep watch of when postal carriers visit neighborhoods and also when residents check their mailboxes. At strategic times, thieves will check mailboxes for both incoming and outgoing mail, examining and even opening the envelopes to see if they look like bills or anything that may contain credit card information.  Thieves who aren’t afraid to get dirty will go into residential garbage cans in the hopes of finding bank or credit card statements or receipts that have full or partial credit card numbers on them. Even if a statement or receipt has only the last four digits of a credit card number, ambitious thieves can use those four digits along with other personal information of the victim to obtain the rest of the card number through phishing.

Reduce Credit Card Information Theft Risks

Once thieves get their “digital hands” on credit card data, they often use it to make their own purchases, or they may sell it to criminal buyers on the Black Market or Dark Web. They may even use the information to create counterfeit credit cards by programming the card details into prepaid credit cards that look and work just like real credit cards once they’re set up.As unnerving as these crafty credit card theft scams are, there are ways to make it harder for these thieves to steal your card information:

Check and Destroy

Check your bank and credit card statements regularly. Look closely at all of the items in your transaction records, even if they look normal or familiar. As mentioned earlier, clever thieves will make small, unsuspicious fraudulent purchases and may make them repeatedly if they notice continued success. To deter mail interlopers and dumpster divers, shred sensitive documents that may contain credit card information, or opt for paperless billing with your bank or card issuer.

Avoid Public and/or Unsecured Computers and Networks

If you can, avoid using unsecured public Wi-Fi networks and public computers, as they are cyber playgrounds for online thieves. If you must use them, then make sure you do not perform any sensitive tasks like ecommerce purchases, bill payments, or anything where you must enter any personally identifiable information (PID) or credit card details.

Only Visit Trustworthy Sites

Be sure to only visit reputable websites that you trust. If you must visit a new, unfamiliar site, do a quick Google search to find reviews and ratings on the site before you click on its link. Malicious sites in the disguise of harmless, legitimate businesses can lure you into downloading spyware, viruses, and other malware onto your device that can expose your personal information, including credit card accounts. Also look for anything out of the ordinary on new sites, such as bad grammar and misspellings, an unsecure http connection, and the absence of a contact page.

Anti-Virus Protection

Protect your computers, tablets, and mobile devices with up-to-date anti-virus and anti-spyware applications that can detect and thwart malware and any other potential threats to your devices. For extra protection against keyloggers from spyware, there are also applications that can encrypt keystroke data, as well as anti-keyloggers that can detect and remove keystroke logger software.

Check for Skimmers

The next time you’re about to perform a credit or debit card transaction at a gas pump, ATM, or POS terminal inside of a store, first take a careful look at the machine. Look for any protruding parts or gaps in between surfaces in the card slot reader. When you insert your card, check to see if the scanner shifts around a little bit or if your card gets stuck. Little observations like this could be signs of a skimmer present.

Do EMV Credit Cards Transactions Only

For in-store credit card purchases, only use registers that can perform Europay, MasterCard, and Visa (EMV) transactions that require you to insert your card into a chip reader instead of the old swipe method that reads the magnetic stripe on your card. These EMV transactions are more secure than the swipe method because in each transaction, the chip generates a unique transaction code that cannot be reused, making it difficult for thieves to use the card information or make fake credit cards. Magnetic stripes, on the other hand, contain static data that can be duplicated and used over and over, since it does not change.

Protect Your Information with Security Knowledge

To keep up with trends in security and stay up-to-date on how to protect your information online, take one of Cybrary’s many cyber security courses.

• End User Security Awareness | 1 Hour
• End User Security Fundamentals