Fraudulent credit card activities
Skimming is the theft of credit card information used in an otherwise legitimate transaction.
In general, the information necessary for a transaction is retrievable in four ways:
- the embedded electronic chip
- contactless through embedded RFID
- the magnetic stripe
- printed on the card
The magnetic stripe stores information such as the card number and expiry date. The electronic chip functions similarly with additional authentication information such as a PIN. Information printed on the card includes card number, cardholder name, expiry date and the security code/CVV.
Traditionally, the easiest method credit card skimmers use is swiping the card on a skimming device out of the cardholder’s view. With the implementation of PIN/chip technology, credit card skimming has become more difficult as the PIN/chip method indicates the cardholder has possession of the card. Stealing the information through a skimming device remains plausible when the cardholder is requested to surrender the credit card.
The other method for credit card skimming is duplication of the printed information on the card by photocopying, photographing, or writing down the information for later use. Similarly, this method would require the card to be out of the cardholder’s possession temporarily.
The highest level of security is maintained if a card transaction is carried out via PIN/chip or RFID tapping methods. All other methods provide leeway for a transaction handler to duplicate the information on the card.
A certain level of protection remains in place even when part of the card information is stolen. While the four methods retrieve overlapping information, the retrieved information is not the same. For example, the stolen information from the skimming device and duplication of printed info cannot be used for online and phone transactions, as these methods cannot retrieve CVV and primary address. Likewise, information stolen from online transactions would not be useable for offline transactions, as the PIN would be required for most transactions.
The Calgary Police Service would like to highlight two emerging methods for card skimming:
- Stolen credit card information from online transactions
- Stolen credit card information or unsolicited transactions through RFID tapping
Stolen credit card information from online transactions is usually associated with untrusted websites and data breaches. While the information cannot be used directly for offline transactions, it would be valuable to criminals when personal information is also obtained criminally. Specifically, obtaining the primary address, which can be easily found on energy bills or bank statements, would make most online transactions successful. This is the reason the underground market for ‘Fullz’, a slang term used by criminals for obtaining personal information, is sizeable, and the Calgary Police Service strongly advises the public to take identity theft and fraud seriously.
Stealing credit card information or making unsolicited transactions through RFID tapping requires the criminal to have a high level of technical skill. Once an illegitimate RFID receiver is made, information can be stolen and transactions can be made by staying within the card’s RFID broadcasting radius without physical contact. This type of risk can be prevented by using an RFID-safe wallet or card holder, or by wrapping the credit card in aluminium foil.
Common scenarios for fraudulent credit card activities
- Online transactions on untrusted websites or non-reputable card processors.
- Online transactions with a merchant with poor privacy controls resulting in data breaches.
- Credit card is temporarily out of the cardholder’s possession and view. This may occur in restaurants, bars, hotels, car rental sites, etc. The thief may also use a small keypad to transcribe the three- or four-digit card security code, which is not present on the magnetic stripe.
- Credit card and personal information provided over the phone to enable a transaction.
- A suspicious person staying overly close to a cardholder.
- A physical card skimming device is layered over the keypad for a fuel dispenser at gas stations or vending machines.