Ways Your Credit Card Information Can Be Stolen and How to Protect
If it’s the first time you’ve had a brand new or unused credit card compromised, it’s definitely a surprise. But there are literally over a dozen ways your credit card information can be compromised and many of those ways can occur before you get your card. Once someone understands all the components and vendors involved in generating and operating a credit card, the places that can be attacked become more clear.
In the past, I always referred people to Brian Krebs’ excellent 2015 blog post on the topic, How Was Your Credit Card Stolen? (https://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/). It’s still a great summary article and Brian has more knowledge of credit card theft in his little finger than I have in my whole body, but I’ve come up with a few that he didn’t cover at the time or simply skimmed over. So, I made my own little list of the different ways a credit card can be compromised. I’m sure there are more ways that I missed, and if you can think of any, send them to me at [email protected] and I’ll update the article and give you credit.
Ways Your Credit Card Can Be Compromised
If a hacker can break into and/or control any of these participating parties and devices in a credit card’s lifecycle, they can steal credit card information and re-use it in fraudulent transactions. Here are all the ways I know of.
Issuer and Supporting Infrastructure and Partners
The ultimate holder of all your credit information is the issuer, whether it is your bank (e.g. Chase, Citi, Bank of America, etc.) or whoever else created it and put their financial weight and regulations behind the card. The issuer is the entity that is the ultimate creditor behind the card. It is they who are lending you the money, on credit, to make your purchases with retailers and vendors, until you reimburse them by paying your credit card bill. They have all your credit card information, including that super-secret 3- or 4-digit security code (known as the Card Verification Code (CVC), Card Verification Value (CVV or CVV2), or Card Identification Number (CID)) printed on the front or back of the card.
Card Network
Every credit card issuer is associated with one or more credit card networks (e.g. VISA, Mastercard, Discover, American Express, Diner’s Club, UnionPay, etc.). These card networks dictate the rules for how issuer cards are treated and handled, and what participating retail vendors must do to be part of their network. For example, if your credit card displays Bank of America and Mastercard emblems, the issuer and creditor of the credit card is Bank of America and it is participating on the Mastercard network. If your VISA credit card is issued by Fidelity Investments, Fidelity is the creditor and it participates on the VISA credit card network. You may also see another network logo on your credit card, such as Plus, Cirrus, STAR, or Pulse. There can also be additional international partners. These are interbank networks and they help link the various card networks to banks, ATMs, and other partners. Credit card networks and all the participants and servicers can be hacked.
Issuer and Network Supporting Infrastructure and Partners
No issuer or credit card network provider is an island. Like any company, they have dozens to thousands of third-party vendors and services they rely on to provide the services that they do. Any of those services and vendors that also gets a copy of your credit card information is a potential spot for credit card thieves. Any third party can be hacked and used as an entry point into the more trusted network servicing vendor.
Card Manufacturer
Issuers and networks don’t physically make credit cards. They subcontract the actual manufacturing of cards to a trusted, low-cost bidder, who makes the cards, and then mails them on to the customer (or they often partner with another separate company who mails them to the ultimate customer). I haven’t seen the actual data, but it anecdotally appears to me that manufacturers are getting hacked more lately. The hackers are getting the credit card data before the customers even get their credit cards, and all the credit card thieves have to do is wait for the legitimate customer to activate the card, to begin stealing from it. I’m hearing from more and more people who go to activate their brand new, never used before, credit cards, only to see on the activation web site that their brand-new card already has charges on it. I don’t know if hacked manufacturers are involved, but someone very early in the production of the credit card is.
Retailer/Vendor
Retailers are often hacked and remote thieves collect credit card information as it is used by the legitimate customer at the vendor. There are dozens of ways the credit card info can be stolen from a retailer or vendor. I’ll cover some of the most popular ways. It’s very common for credit card thieves to hack a vendor’s point-of-sale (POS) system which participates in the sale to eavesdrop and copy all the inputted credit card information. There are literally hundreds of malware programs specifically coded to exploit different POS systems. Many of the POS malware programs are memory-only, meaning they don’t reside on a permanent storage device or are “fileless”, meaning they don’t store themselves in normal computer files. This makes them harder to detect and remove.
Millions of credit cards have been stolen by the hackers eavesdropping on POS systems and transactions over the wired or wireless network of the retailer. Oftentimes these networks were not using encrypted communications or using weakly encrypted networks. In either case, the hacker can sit outside of the retailer’s physical location and steal the credit card data.
Skimming devices, which fit over or into a vendor’s POS credit card accepting equipment, are very popular at gas stations and ATMs. When the credit card user swipes their credit card into what they think is the vendor’s normal swipe-reading equipment, the hacker’s skimming device captures the information at the same time. Skimmers often include tiny “pinhole” cameras, which can record typed-in PINs or CVV numbers. The hacker can then come back at a future date and collect all the captured information from the skimmer. The hackers used to have to physically connect to their skimmer or remove it to collect the copied information, but they moved on to USB storage so all they would have to do is pick up and replace the USB storage device. These days, most skimmers can be connected to wirelessly (e.g. Bluetooth or 802.11), so all the hacker has to do is be in the general area, without physically touching the skimmer, to collect the ill-gotten credit card information. I love watching this YouTube video where a team of hackers place their skimming device over a retail store’s credit card machine in 3 seconds while one of the team members distracts the clerk (https://www.youtube.com/watch?v=5b1axnNK-wI).
Vendors are not supposed to collect users’ credit card information, but sometimes they do (often violating the credit card network’s rules), and place that information into a database. That database can be stolen. Lastly, it is not uncommon for criminal employees of the vendor to be involved with stealing credit cards of customers. If the employee regularly comes in contact with customer credit cards, they may be able to swipe the customer’s credit card into a second, malicious, collection device when the customer can’t see them. Other times, the vendor’s IT employee can simply steal the customer’s credit card information if it is stored in a database used by the vendor for legitimate transactions.
Websites
All the hacks and potential thieving opportunities on physical retail vendors exponentially apply on websites. Websites that accept credit card payments are frequently hacked, including compromised POS, stolen databases, and malicious redirection. Hackers like stealing credit card information from websites even more than from physical retailers because they can usually steal far more credit cards at once (depending on the web site) before getting detected and have nearly zero chance of getting arrested. Credit card thieves who rob physical vendor stores are more likely to be caught on camera and ultimately apprehended and arrested. Only dumb credit card criminals rob physical stores and their customers.
A popular website hack by attackers is to compromise the website and insert their own malicious coding into the portion of the web site that accepts credit card payments. The malware eavesdrops on the customer-inputted information, capturing the buyer’s name, address, credit card number, expiration date, and CVV code – all the essentials to commit future credit card crime.
Processor/Clearinghouse/Servicer
When you make a purchase at a retail vendor or website, the transaction and its approval is not being directly scrutinized and approved by the issuer. It’s being handled by the credit card network and its services and vendors. These servicers and vendors have all the necessary credit card information, and they can be hacked just like any other component in the credit card lifecycle.
Compromised Consumer Device
If your computer or cell phone gets compromised, it’s game over. The hacker can keystroke record your credit card details as you type them and malware will often look around and collect any digitally-stored credit cards in virtual wallets or stored within browsers. This is very common for malware to do these days.
User Phishing
It goes without saying that a huge amount of credit card information comes from users being socially engineered and phished. You think you are buying something on a known and trusted web site, but you’ve been maliciously redirected to a fake, look-alike website with a “sound-alike” URL. There are literally tens of thousands of fake websites created each day, often created on-the-fly just for you when you click on the phisher’s URL link. The web site gets created, you accidentally hand over your credit card credentials, and they get your credit information for fraudulent use and resale. The simplest phishing emails simply claim you’ve won a prize or will get money if you will only provide your contact and credit card information to secure the payment. How anyone is still falling for these “Nigerian” emails is a mystery to most of us, but the phishers would not do it if it didn’t work.
Many online vendors exist hoping you’ll be dumb enough to input your credit card information on their web site to buy some “super cheap” desired good (e.g. drugs, vehicles, etc.). Literally, half the spam industry is dedicated to hoping you’ll be stupid enough to buy something on one of their web sites. That fake, look-alike, cheap Viagra is going to cost you a lot more in the long run. Fake tech support web sites and dubious web sites touting all sorts of products have been stealing credit cards for decades.
These days, the phone calling fake tech support campaigns are all the rage. You know that one. They call you claiming to be from Microsoft and have detected a bad virus on your system. They trick users into allowing them remote access into the computer to further troubleshoot and, not surprisingly, find all sorts of malware and bad things on your PC. For just $75 they will clean your computer and install a new anti-malware program you’ve never heard of. The bonus is now that they have your credit card and they sell it to other scammers who specialize in credit card sale and fraudulent transactions.
Romance scams are pretty big right now, too. The phishers claim to be some beautiful, model-perfect, girl or handsome military hero that is just waiting to fall in love so, so very quickly. If the scammed victim provides them their credit card information, they will suddenly find many “mysterious” fraudulent charges on their card. The spam and phishing industry was literally created to steal credit card information and it still continues to do so successfully decades later.
Credit Card Rating Agencies
Credit card rating companies collect everyone’s financial history, often including every significant credit card transaction and payment history, and then offer a summary of that information (e.g. FICO score) or all the details to nearly anyone willing to pay them money. Your credit card information is stored within many databases within those companies and their relying vendors, and those databases can be compromised.
One of the largest data breaches in the history of the world was from a credit card rating company, which allowed over 147 million records to be stolen. That information even included social security numbers and impacted over half of the US population. It happened because that agency was slow to patch two web servers. It could happen to any credit card rating agency, any company. It wasn’t like that particular company had really bad security, far lower than most companies. Nope, it had average computer security like most companies (which was perhaps too low considering what happened). Hackers routinely break into the credit card rating agencies and their third-party vendors and steal your credit card information.
Fake Generated Cards
Although this isn’t as popular now, credit card hackers used to generate brand new credit cards and what looked like legitimate information using algorithms tied to specific issuers and bins of particular credit card campaigns. As most people know, the first digit or two of a credit card number can be used to identify the credit card network (e.g. 4 for VISA, 5 for MasterCard, 6 for Discover Card, 34 and 37 for American Express, etc.), and other digits identify the issuer. The remaining digits are created by an agreed upon algorithm, which is often well known. Hackers can use these algorithms to generate fake cards which may not even really exist (or they do exist but have been assigned with other user contact information). Hackers then look for websites and vendors which accept these cards without verifying them online with the credit card network or servicers. Because almost all credit card transactions are verified in real-time now with up-to-date information, fake generated cards are far less of a problem for the industry.
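As an added illustration (not code from the article or from any card network), here is a merchant-side pre-check showing why a well-formed number proves nothing: the checksum on the final digit, the publicly documented Luhn algorithm, is a typo guard that one in every ten digit strings passes, so the only safe outcome for a well-formed number is "authorize online". The function names are hypothetical, the prefix table is the article's simplified one, and the sample inputs are commonly published test numbers, not real accounts.

```python
import re
from typing import Optional, Tuple

# Prefix-to-network mapping as simplified in the article; real issuer
# identification uses longer BIN ranges maintained by the networks.
NETWORK_PREFIXES = [("34", "American Express"), ("37", "American Express"),
                    ("4", "VISA"), ("5", "MasterCard"), ("6", "Discover")]


def normalize(pan: str) -> Optional[str]:
    """Strip spaces and dashes; return the digits, or None if malformed."""
    digits = re.sub(r"[ -]", "", pan)
    return digits if re.fullmatch(r"\d{12,19}", digits) else None


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def network_of(digits: str) -> Optional[str]:
    for prefix, name in NETWORK_PREFIXES:
        if digits.startswith(prefix):
            return name
    return None


def precheck(pan: str) -> Tuple[str, Optional[str]]:
    """Screen a card number before any network call.

    Returns ("reject", None) for malformed input, otherwise
    ("authorize_online", network). There is deliberately no "accept":
    passing these checks only means the number is well formed.
    """
    digits = normalize(pan)
    if digits is None or not luhn_valid(digits):
        return ("reject", None)
    net = network_of(digits)
    if net is None:
        return ("reject", None)
    return ("authorize_online", net)


def count_well_formed(body14: str) -> int:
    """How many of the 100 two-digit endings of a 14-digit body pass Luhn."""
    return sum(luhn_valid(f"{body14}{s:02d}") for s in range(100))


if __name__ == "__main__":
    # Constructed inputs: published test numbers, one with a typo.
    for sample in ("4111 1111 1111 1111", "4111111111111112",
                   "3782-822463-10005"):
        print(sample, "->", precheck(sample))
    # Always 10 of 100: the checksum filters typos, not fraud.
    print(count_well_formed("41111111111111"))
```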
Network Eavesdropping
Hackers can often insert themselves into unprotected networks and siphon any found credit card information going by on wire or airwaves. Some of the most well known credit card hacks happened because an attacker used a wireless interface to sniff an unprotected wireless network outside of a store or any of the components involved in the credit card lifecycle. Today, most networks are protected by HTTPS or other encryption technology and so wired or wireless “sniffing” is less likely to work for a hacker.
Physically Lost or Stolen Card
It goes without saying that if someone loses their card or gets it hacked, someone else can use it. However, these days most credit card transactions require the legitimate user’s name, address, or at least zip code, which is not usually visible on the card. The user’s address is usually not accessible on the unprotected magnetic stripe on the back of the card or, if enabled, on the wireless RFID information, so that it’s harder for a thief to use. But many vendors or merchants will still accept any credit card transaction as valid as long as the name, credit card number, and CVV code are correct, and so stolen credit cards are still of limited value.
Note: Many people think that remote RFID eavesdropping on RFID-enabled credit cards is a major way hackers hack their credit cards. This is not true. If you’ve been led to believe otherwise, check out (https://www.dhirubhai.net/pulse/all-i-want-christmas-certainly-isnt-rfid-credit-card-sleeve-grimes). I still get emails from people absolutely convinced that their credit card information had to be…just had to be…stolen wirelessly via RFID because they had never used their card. These people are simply unaware of all the ways their credit cards could have been stolen.
Fraudulent CC Application Using Your Real Data
Of course, attackers can just apply for a new credit card using your personal information, but using a new address and other contact information, get that card, and spend away until it eventually gets blocked. This is a very common type of credit card crime. The hackers aren’t necessarily stealing your credit card information, but you are often, at least temporarily, responsible for the transactions just the same until you prove you didn’t make them.
This document lists over a dozen ways your credit card information can be stolen. Essentially, any cog in the credit card issuing, operating, and using process is a potential point of failure. And oftentimes you don’t even have to use your card to have it compromised. That’s just a fact of life right now.
Credit Card Crime Isn’t Likely to Become Rarer
Unfortunately, I don’t see a lot of effort being put into decreasing credit card crime anytime soon. It may be unbelievable, but most of the issuers and credit card companies actually think they have credit card crime fairly well handled. It only amounts to a smaller percentage of the cost of them providing the service and they are making far more revenue with a minimum amount of pissed off customers.
Think about it. Most of us when we find out our credit card information is compromised…we get a little mad and feel inconvenienced for a few days…but then we just get our new cards and go on with life. The credit card company usually voids any fraudulent transactions or replaces any stolen funds. These days the worst thing most credit card customers have to do is to go online and update all their stored credit cards on their favorite, most-used web sites (e.g. Amazon, etc.).
We only get mad enough to actually change credit card vendors if a vendor or our card gets compromised too often in a short period of time and even then we’re not likely to switch vendors. We’ve all just accepted that our credit card information is going to occasionally get compromised and we’ll need to get new cards every few years. The issuers and servicers are actually far more worried about their anti-theft detection services false-positively stopping a legitimate customer from performing a legitimate transaction than in stopping a higher percentage of thieves. Because if you get more than a transaction or two blocked every few years, you’re going to be mad at the vendor or issuer and not the thief and are more likely to use another retail site or issuer’s card. The vast majority of credit card security expense is being spent to more accurately detect fraud without inconveniencing customers. If they wanted to get more accurate in stopping fraud they would undoubtedly accidentally stop far more legitimate transactions. So, they are living with the amount of fraud detection they have now. So for good or bad, that’s our current situation right now.
Your Best Protection
There are many ways to help protect your credit card information or to have early warning of compromises, including these:
· Get good security awareness training to recognize good and bad scenarios of when to use or provide your credit information
· Do not give your credit card information to anyone unless you are absolutely sure who they are. Someone calling you over the phone and asking for your credit card information needs to verify they really are from the vendor they claim to be from before you provide any account information
· Monitor your credit card account daily or at least several times a week
· Set alerts on your credit card account for large or strange purchases
· Put a credit “freeze” on your credit at the credit card agencies (see https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/)
· Don’t give your credit card info to “shaky” or suspicious websites or retail vendors
· Subscribe to a credit monitoring service
· Quickly report lost or stolen credit cards
· Look for signs of tampering or skimmer devices on POS systems
· Make sure your credit card issuer provides the most protection and quickest recovery services for compromised credit card information
· Do not permanently store your credit information on web sites, or only on very trusted, mature web sites
· Consider getting and using “temporary” credit cards for potentially suspicious transactions or vendors.
· Consider using PayPal and other types of online payment services which provide additional fraud protection.
· Use a credit card instead of a debit card when possible. Fraudulent debit card transactions immediately impact your bank account balance in a way that can quickly impact your financial situation
· Shred any documentation that contains your credit card information before disposing of it
So, if your credit card information gets compromised and you don’t know how it could possibly have happened, well, it could have happened a lot of different ways. Hopefully, you were able to limit the damage, get a new card, and go on with life.
(1 year ago) Yeah, LinkedIn actually charged my card for someone else's monthly subscription. There's literally no phone number to contact them and you have to wait for slow replies from their online team via email.
"Make sure your credit card issuer provides the most protection and quickest recovery services for compromised credit card information". Yes, and I would add make sure you have two factor authentication 2-FA enabled for all your credit card accounts.