Beware of Debit Card Fraud
How does someone in Moscow step up to a cash machine and withdraw money from an account holder half a world away? Even when the debit card is still in the victim's wallet?
Last week’s story about criminals withdrawing money from ATMs all around the world had many readers asking how such a thing was possible. It's easy, actually, say fraud experts. The recipe for creating counterfeit cards is right there on the Internet.
It's often called "White Card Fraud". Criminals somehow get their hands on the electronic information stored on a legitimate card's magnetic stripe. Generally, it’s stolen from a retailer or payment processor’s database, as happened when thieves last year broke into computers at CardSystems Solutions Inc. Luckily for the criminals, CardSystems didn't store just account numbers -- it even stored customer's secret codes that were never meant to be copied on magnetic stripes. Stolen "mag stripe" data is the holy grail for card thieves.
Then they take the stolen data and write it onto a new, blank card -- a card that's often plain white -- and they're off to the bank.
To show me how easy it was, two executives from MagTek Inc. one of the largest makers of credit card stripe readers and gave a demonstration.
Within minutes, I was withdrawing money from my account using a plain white piece of plastic at an ATM. In this case, I knew the PIN code. But, as last week's story explained, resourceful criminals are finding ways to derive PINs. This was only a demonstration, mind you, so everything was on the up-and-up.
But a visit from experts is hardly necessary to get started in white card fraud. Dan Clements, who runs CardCops.com, shared with me a magnetic card theft tutorial that's commonly found on Web sites operated by Internet criminals. The document is surprising both in its detail and its smugness.
"You must have certain mindset," the author, identified as jedimasterC, writes. "It takes charisma. It takes charm. If you're a pimply 16 year old wearing cut offs and a sleeveless shirt, do you honestly think that someone will believe you can afford a $3,000 computer system? It's possible, if you know how to act and what to say."
The key: getting an encoder
Andy and Paul Deignan are brothers who both work for MagTek. Both came by to show me how easily thieves can manufacture scores of counterfeit cards. MagTek sells both card readers, which are seen in stores across America, and card encoders, which very few people should ever see. Encoders actually write information onto that mysterious piece of magnetic tape on the back of the card. Banks use them to create credit cards. Readers cost about $100. Encoders cost between $1,500 and $2,000.
Except on eBay, where stolen or salvaged encoders can sell for as little as $500. Armed with one, someone can create credit and debit cards that work exactly like the cards produced by financial institutions.
Magnetic strips may seem mysterious, but they're not. In fact, they are just like the magnetic tape you'll find on cassette tapes. Card readers and encoders are very similar to the "heads" you'll find on cassette recorders, Andy Deignan tells me.
For demonstration purposes, the Deignan brothers took my debit card, dropped it in an encoder, copied the data from the back, and handed the card back to me. Then they took a piece of white plastic, a second card, inserted that into the encoder, and essentially pasted my ATM information onto the second card. The process took less than 15 seconds.
The walk to the nearest cash machine took longer. Within a minute, I had taken a white piece of plastic and withdrawn $100 from my own checking account. Obviously, with slightly different data and a PIN number, I could have taken the money from someone else's account. With a database of stolen information, I could have withdrawn money from hundreds of accounts.
'Keep the fake stuff and your real stuff separate'
In fact, as jedimasterC makes clear in his document, anyone with magnetic stripe data, blank cards and an encoder can churn out counterfeit credit cards. Anyone with a PIN can make counterfeit debit cards and start withdrawing money from anywhere in the world. That’s what happened last week to thousands of consumers around the country.
We're going to omit much of the detail in jedimasterC's tutorial, but to give you a taste of how detailed it is, the author even recommends specific encoder models that would-be thieves should get. To have a portable manufacturing operation, he tells pupils to buy a briefcase to carry the equipment in, even a cigarette lighter power inverter so they can create counterfeit cards while in the car.
And he recommends an extra wallet, so criminals can "(k)eep the fake stuff and your real stuff separate."
Criminals demand instructions
To create fake stuff, criminals do have to fork over at least a few hundred dollars for an encoder -- a small barrier, given that many are purchased with stolen credit cards. But there is one obstacle, the Deignan brothers say.
The machines are normally castoffs from banks and retailers, so they rarely come with the appropriate cables, software and instruction manuals.
That's when MagTek hears from the crooks. Many are brazen enough to write to MagTek to ask for help.
In January, a writer using the name Dan asked MagTek for that kind of help.
"I have a MagTek. and I need the documentation for it. When I try to access this information (on MagTek's Web site) it says that I need a login/password. Can you provide me with this or at least the documentation?" wrote Dan in early February. He even provided the model's serial number. When MagTek looked up the unit, it found the items was originally purchased by a financial institution. MagTek customer support then told the writer it would not provide a manual.
Dan then went on the attack.
"Are you saying that MagTek does not provide any support for resale hardware? Isn't this illegal. I hope that the provided statement was a mistake and you can provide me with access to the documentation I need. Otherwise I will start legal action against MagTek," he wrote in one e-mail.
Then later on:
"I have no doubt that the corrupt government that exists will not do anything about your blatant violation of the laws in this country, I will still submit a complaint to the attorney general. I see no disclaimer on the unit that I bought. Therefore MagTek is in violation of the law. Of course, being a large corporation MagTek is exempt from the law," he said. "Your greed is surely destructive to any innovation."
Greed, it turns out, is a powerful motivator. While MagTek does what it can to make things hard on potential criminals like Dan, people manage to get the software and hardware they need anyway, Clements said -- normally by buying it from each other.
It's all about attitude
In fact, according to the tutorial shared by CardCops, creating the fake card is the easy part of magnetic stripe counterfeiting. JedimasterC spends most of his time in the tutorial explaining the attitude that's necessary to pass off a counterfeit card as real.
White cards can only be used in situations where a person is not involved in the transaction, such as an ATM or a gas station. Store transactions are a bit tougher, requiring plastic that actually looks authentic. Criminals can use their own plastic and rewrite the information on the magnetic stripe (a bad idea, JedimasterC warns), or they can buy prepaid credit cards and use them as "card stock."
Either way, committing crimes in person requires a certain mindset, the author says.
"You ARE the person on your ID. This is YOUR credit card. You are buying something you saved for. It is YOUR money you are spending," he writes. And in case something goes wrong and the card is denied -- most often, the account used to create the fake card has been called in as fraudulent -- jedimasterC has a plan.
"You will have cards declined frequently. I like to make the nice person at the register think it may be declined before I even use it. I'll say something like "Ohhh, I didn't think it was that much. I hope I have enough left to buy it! They will expect it to be declined and think nothing of it if it is."
Retailers taking extra steps
Retailers and processors have caught on to the widespread phenomenon of card counterfeiting and have made some small adjustments to their systems to combat it. Riders of the New York City subway are now required to enter their ZIP codes when swiping bank plastic to buy Metro cards. Many stores now force their clerks to type into payment terminals the last four digits found on the front of the plastic card, to make sure it matches the data on the magnetic stripe. Obviously, if they don't match, the card is fraudulent.
Such checking does make a counterfeit thief’s life a bit harder.
But the cat-and-mouse game continues, and the criminals have a counter-measure. JedimasterC's file includes a list of stores that do this kind of fraud checking.
Clements says the tutorial written by jedimasterC really is old news -- he's had the information for 18 months, and the file is probably quite a bit older. Retailers and credit card companies have had time to implement upgraded fraud detection, which has reduced the amount of counterfeit credit card fraud, he said.
That's why the recent spate of stories of debit card fraud have him concerned. Since no human interaction is required, and cold, hard cash is the end result, he is one of many experts who believe debit card counterfeiting will only get worse in upcoming months.
"You can easily get these machines. The software you need to encode cards can be gotten easily. With the advent of compromised PINs, these guys are off to the ATMs,” he said. “Consumers and banks need to realize the bad guys have the data and plastic and can make ATM cards in minutes.”
Consumers should regularly check their bank account information and report evidence of fraud to their banks immediately. Consumers who don’t report debit card fraud within 60 days may not be able to recover the stolen money.
be an easy target for thieves
Report says lax bank security allows phishers to feast on 'white card' fraud
It's supposed to be impossible.
Criminals aren't supposed to be able to print their own ATM cards and withdraw funds from your bank accounts at cash machines.
But a new report from the research firm Gartner Inc. says many banks are skipping an important security check, which makes it easier for criminals to forge ATM cards and walk off with thousands of dollars at a time.
Researcher Avivah Litan, author of the Gartner report, says one bank told her it had lost $1 million a month to such fraud. She said that payment processors have told her that up to half of all banks don't check to see if the ATM card used to withdraw money is really the ATM card they gave the consumer.
"Until recently ATM fraud was fairly limited,” Litan said. “This is a pretty new phenomenon that has caught banks off guard."
Litan composed her research note after conversations with several bank security experts while investigating cash machine fraud.
While some banking experts agree with Litan's conclusions, others say the problem is minimal, or contend the problems she cites have been fixed.
But the fraud is serious, says Tony Hayes, an ATM analyst with Dove Consulting -- serious enough to be the first real challenge to the PIN-based security of ATM cash machines, Withdrawals with cloned cards are known as "white card" fraud in the banking industry, because stolen data are loaded onto the back of blank, white plastic cards that look like credit cards. Encoders that write data to the magnetic stripe on blank ATM cards are readily available and sell for as little as $50 on the Internet. They have legitimate purposes, such as for businesses that create consumer loyalty cards or make hotel keys, but, in the right hands can be used to forge cards.
Often, cloned ATM cards are the end result of a successful phishing e-mail, which tricks a consumer into divulging a PIN and account number. Numbers can also be obtained from receipts or "shoulder surfing" for PIN codes.
But that information shouldn't be enough to let an ATM card be forged. Still, card hackers are making off with cash all around the world, experts claim.
Consumers aren't liable for criminal withdrawals from their accounts through ATM machines, but they must report the fraud within 60 days of receiving their bank statements. Otherwise, they have no legal right to a refund. And getting a refund for a fraudulent cash withdrawal is not as easy as disputing a fraudulent credit card charge. Consumers are out the money until it's refunded by the bank -- as opposed to a credit card dispute, in which the consumer never lays out funds.
"Consumers do get their money back, but until they do, they have no assurances. And it's incredibly disruptive to their daily life," Litan said.
How cards are cloned
For years, special security codes have been embedded in the magnetic stripes on the back of every ATM card -- secrets that allow the bank to verify the authenticity of the plastic being inserted into ATM machines. But many banks don't bother checking the codes, experts say. Instead, they rely on correctly-entered PINs to prove the ATM card is authentic.
But with the widespread success of phishing e-mails, which appear to come from banks and sometimes trick consumers into divulging account numbers and PINs, forgers are having an easy time getting the data they need to print up fake ATM cards.
The combination of stolen data and the lapsed security checks allows criminals to raid ATM machines, Litan says.
Hackers generally know which banks aren't doing the checking, and call the easy targets "cashable," industry insiders say.
Until recently, most banks believed they didn't need to check the extra security information, because the PIN requirements limited fraud, Hayes said. "Most banks believed it was a very secure mechanism, and they were right," he said. "The level of fraud on ATMs has been historically miniscule."
But in the past twelve months, Hayes said, white card fraud has risen steadily thanks to phishing attacks.
Individual bank losses are "in the millions, if not tens of millions," he said.
"This PIN mechanism that has worked so well for 30 years, this is the first time it has been seriously challenged," Hayes said. "It's a global phenomenon."
Because the ATM network operates around the world, withdrawals from a U.S. bank account, for example, are not limited by geography. "You'll see all of the sudden all these transactions coming from Romania. These crooks are incredibly smart," Hayes said.
ATM fraud rates rising
Nessa Feddis, senior federal counsel at the American Bankers Association, said U.S. banks she's spoken to concede there was a problem with white card fraud in the recent past, but say they've largely defeated it. She suggested information in the Gartner report about white card fraud was outdated.
"About a year ago. they did see some problems with debit cards," Feddis said. "They all now say they do check the security code on magnetic stripes and debit cards losses are significantly down. This study may be based on old data. They all seem to be verifying the code now and losses are down significantly."
But another financial industry trade group, the Anti-Phishing Working Group, said white card fraud is still a real issue for banks.
"Yes, it's happening," said Dave Jevans, a spokesman for the group, which is sponsored by Visa, Mastercard, and other financial firms, along with a host of software companies. "It stands to reason if you can phish somebody's ATM and PIN you can make an ATM card and make withdrawals if the mag stripe security information is not being checked."
It's hard to peg just how common white card fraud is. In a separate report published in June, Gartner's Litan estimated that $2.75 billion has been stolen from 3 million bank accounts through various kinds of ATM and debit card fraud in the past 12 months. That report was based on a consumer survey.
Banks are tight-lipped about the problem. But there are signs that ATM fraud has increased around the world.
Last year, the Association of Payment Clearing Services in the United Kingdom announced that counterfeit ATM card fraud had cost the banks $230 million in 2004, up from about $195 million last year. Jemma Smith, a spokeswoman for the association, says UK banks have largely stemmed the tide of counterfeit ATM fraud by introducing new cards that include a computer chip for extra identification.
Hidden security code
The magnetic stripe on the back of a credit card is similar to magnetic tape used for cassette recordings, or to back up computer data. Every ATM card stripe is loaded with a three-digit security code, known as either CVV (Card Verification Value) or CVC (Card Verification Code). The characters are different from the CVV2 value that's actually printed on the card, and often requested of consumers when shopping online.
These CVV or CVC codes are invisible to consumers, so they can't be tricked into divulging the information. The secret data is supposed to prove the plastic inserted into an ATM machine is really the plastic issued to the consumer by the bank.
But many banks don't check the codes. They just skip the process, assuming that if the PIN is accurate, the card must be authentic.
"Banks are not checking the magnetic stripe data as they should. It's not clear why," Litan said. "It's not an expensive process. It doesn't add much to the cost of the transaction."
Jevans said most banks just didn't think it was necessary until recently.
"Tons of people don't set up their ATMs to check (the security codes)," he said. "They never thought to turn it on. It was never a problem."
Banks targeted by such fraud can spend months trying to figure out what's happening, Litan said. But once they do, adding the security code check stops the thieves cold, she said.
"They are often quickly able to stop the crime with a relatively simple solution," she said. Would-be thieves then just move to the next "cashable" bank.
SunTrust Bank Inc. ATMs were described as "cashable" until last December in an online bulletin board devoted to ATM fraud. On the bulletin board pages, described by a bank security expert as a discussion between con artists talking about ATM white card fraud, criminals lament SunTrust's upgrade.
"Hey everyone. Again, really bad news," one bulletin board participant writes. "SunTrust is not cashable anymore, anywhere in the world. So I think we should start some other banks."
Responding to a question regarding the bulletin board, Hugh Suhr, a spokesman for SunTrust said: "(We) don’t have any input as this appears to pertain to security-related matters and we don’t publicly discuss as we see that as counterproductive to those efforts."
Going after smaller fish
Jevans, of the Anti-Phishing Working Group, says most big U.S. banks have fixed the problem. "The bigger guys are way farther ahead on these things. So the bad guys move on to smaller targets who are less sophisticated," he said.
A spokesman for a small-bank interest group denied white card fraud was a problem for those institutions.
"We're not seeing much if any of this," said Dave Petro, executive vice president for the Independent Community Bankers Association Bankcard division, which helps smaller banks process ATM transactions. "Eight or nine years ago there were some programs that didn't do CVC or CVV validations, but they do that validation now. I wouldn't be surprised that some of the smaller processors may not be doing it. But I would be very surprised, shocked if it was widespread."
Either way, there's not much consumers can do to protect themselves, other than follow the standard advice: don't reveal your PIN to anyone, even over e-mail; and check your bank statement each month for signs of fraud.
In this case, it's up to banks to turn up the protection, Litan said. Implementing the added step of checking all the magnetic stripe information will largely stop the crime, she said.
But Feddis said the cat-and-mouse game with criminals will simply continue.
"Nothing is infallible," she said. "First there were cards with account numbers, then magnetic strips, then we put holograms on the cards. You are always trying to stay one step ahead."