80

I have had the same debit card for several years, and I've never had a problem with any fraudulent charges until yesterday. I am careful about where I use my debit card number online, and I am fairly vigilant about computer security, although certainly not perfect.

Yesterday, I checked my bank statement, and saw two strange charges, one in Wyoming and one in California, both of which are literally half a continent away from me. The charge in Wyoming was immediately refunded, but the other wasn't, so I called my bank to find out what was going on. The person with whom I spoke told me that the card had been used about 30 minutes ago, and that her system indicated it had been used in California physically. This is in spite of the fact that the thing was in my wallet at the start of the day, and right before I called the bank. I did my due diligence with respect to the card, and the fraudulent charge, but I am curious: how could this have happened? I understand stealing someone's card information and using it, but running a charge such that the bank's system 'thinks' it was physically swiped? Could anyone give some insight into what's behind this? Thank you.

Addendum: the card does not have a chip, and I didn't ask if the Wyoming charge was also supposedly made with the physical card.

EDIT: I should have stated originally, I have already canceled the card. Thanks to all who have replied so far.

user
  • 5
    I would recommend getting a different card, when my card was cloned they contacted me before I noticed and told me I would be refunded as long as I confirmed it wasn't me. – Chris Aug 21 '18 at 13:53
  • 11
    You might want to ask your bank to replace all your cards with ones with chips and if they can't, consider switching to a bank that will. I actually thought chips were required everywhere in the US now, but clearly that's not the case. – Todd Wilcox Aug 21 '18 at 18:00
  • 2
    @Todd Wilcox There isn't, strictly speaking, a "requirement", but the liability rules strongly incentivize it. If the card doesn't have a chip, the issuer gets the liability; if the card has a chip, but the merchant doesn't support it, they get the liability. – Acccumulation Aug 21 '18 at 19:41
  • 21
    Run out and do a chip card-present purchase with the card Right Now. They will have trouble explaining how you could swipe in CA and then chip again in your location 8 hours later, when even the perfect combination of cab-airport security-nonstop flight-cab could not possibly get you between those two points that quickly. – Harper - Reinstate Monica Aug 21 '18 at 19:56
  • 2
    Does it have a magnetic strip or just the chip? – gerrit Aug 22 '18 at 11:26
  • 2
    It is entirely possible that a transaction may show as being from a different state if the transaction was at a chain restaurant or other vendor - they often route all credit transactions to a central location. In the case of a physical card swipe being reported though, it's most certainly a skimmer like others have said. – Zibbobz Aug 22 '18 at 13:20
  • @Chris I got a new card yesterday. This am, I have to go do the paperwork to get the charge removed, ostensibly to confirm it wasn't me. – user Aug 22 '18 at 14:11
  • 1
    @ToddWilcox Yes, I did that, and the new card has a chip. – user Aug 22 '18 at 14:12
  • 1
    @Harper Yeah, my old card didn't have a chip, but I called about 20 minutes after the supposed 'swipe' of my card happened, and I was at my bank about 30 minutes after that. – user Aug 22 '18 at 14:13
  • @PeterTaylor Thank you for pointing that out, done. – user Aug 22 '18 at 14:13
  • 1
    @user I meant get a different card from a new provider and stop using that card. – Chris Aug 22 '18 at 14:39
  • 2
    I can't find a confirming article online, so I'm not posting this as an answer, but evidently there's a way to turn your smartphone into a credit card, in such a way that it works with the normal card reader. I keep getting "Google Pay" or "Google Wallet", but neither says explicitly that it'll do this. Maybe that thief was sophisticated enough to do this with their phone, so that it actually looks completely legit from the bank's end, since it would have been processed the normal way. I've had my bank reverse charges due to physical travel limitations, like your situation. – computercarguy Aug 23 '18 at 14:29
  • 1
    Looks like you’ve got a lot of good answers here (and one that you have accepted), however you may find some more insight with this question on the infosec SE. –  Aug 26 '18 at 17:05

4 Answers

146

It’s possible your card was skimmed. This works by the scammer getting a physical swipe of your card, for example from a bogus attachment to a legitimate card reader, then making a duplicate card. That duplicate card can then be sent anywhere, resulting in your card seemingly having been ‘scanned at a distance’.

Contact your bank and ask them to block your current card and to issue you a replacement card.


In comments below, Adonalsium shared a link with more information about technology used by skimmers: "Brian Krebs has a fantastic series on Skimmers. krebsonsecurity.com/all-about-skimmers"

Lawrence
  • 19
    Note that not only can the card be sent anywhere, but also the data, and then the card reproduced; I have seen this happen 5 minutes after the card was skimmed in another part of the world. – PlasmaHH Aug 21 '18 at 13:01
  • 82
    Just to close the loop, this is the reason for adding chips to cards. When read, they do not transmit the secrets that would be required to duplicate the chip. – JimmyJames Aug 21 '18 at 14:04
  • 13
    About 10 years ago, I had a corporate credit card that I never used outside of online transactions. I received notification from the issuing bank that the card was used for a physical swipe in another country, while I still had the card in my possession, and more than a year since my prior use. The card was never swiped at a physical location, so could not have been skimmed. I believe it is possible to create a physical copy without skimming. – Beofett Aug 21 '18 at 17:38
  • @JimmyJames Do you have any sources for how they work? I find it extremely difficult to believe that it wouldn't be possible to duplicate the output, even if the chip's structure itself is unknown. With that said, it clearly works (at least, as far as I've heard), and I'm curious how they do it. –  Aug 21 '18 at 18:28
  • 4
    @NicHartley shared key and public key are known cryptographic algorithms. The simplest way I can think of is signing tuple (time, terminal, payment, nonce). That said there were known attacks on particular implementation of chip technology. Probably security.se or cryptography.se would be better place. – Maja Piechotka Aug 21 '18 at 18:49
  • 6
    @NicHartley At a very high level, they work using the same principle as HTTPS: public key cryptography. RSA is a good starting point for understanding how this can be possible. I had a similar reaction when I first learned of public key cryptography. – JimmyJames Aug 21 '18 at 18:57
  • 47
    @NicHartley: The tldr is that the card's chip has a random equation hardcoded in it, and the bank knows your card's equation. When you insert, the bank gives the card a bunch of randomly generated numbers, the card runs those numbers through the equation, and sends back the result. The bank can confirm that the result is correct. Each insert gets new random inputs from the bank. So the scammer can listen to the input and result, but that isn't enough to duplicate your card, until they've scanned a single card billions of billions of times. – Mooing Duck Aug 21 '18 at 20:28
  • 1
    Ah, I see my mistake now. I assumed they were like RFID chips, just outputting the same value again -- I didn't realize they might be computing anything –  Aug 21 '18 at 20:33
  • 3
    @NicHartley They are low power cryptography; they get their power from the "radio" field of the scanner. :) – Yakk Aug 21 '18 at 20:57
  • 2
    @Yakk Yeah, after looking at a few Wikipe^H^H^H^H^H^Honline resources, it's pretty impressive how they turn the relatively tiny amount of power in a radio pulse into enough energy to run through a fixed computation and transmit the result. –  Aug 21 '18 at 21:37
  • 2
    @Yakk: RFID gets power that way. A chip has actual physical contact with the electronics in the reader. – WGroleau Aug 21 '18 at 21:42
  • 2
    @Beofett you can usually guess the right info to put on a card from the name, number, and expiration date. https://en.wikipedia.org/wiki/ISO/IEC_7813 – fectin Aug 21 '18 at 22:05
  • 3
    @WGroleau contactless payment cards (and others) power the chip without any physical contact, and can perform the same kind of crypto as regular contact chip cards. – jcaron Aug 21 '18 at 22:51
  • 1
    @wgro My chip is contactless; admittedly maybe contactless lacks security. – Yakk Aug 21 '18 at 23:01
  • 1
    Contactless is RFID, typically not capable of doing more than sending a unique identifier. The ones with contacts are a lot like a SIM card, storing information and (possibly) doing a limited amount of processing. A contactless card can be read and the ID duplicated by passing a receiver near it. That’s why folks are making money selling shielded wallets. – WGroleau Aug 22 '18 at 00:00
  • 1
    @JimmyJames: no, chip cards were created first and foremost as an attempt for banks to absolve themselves of liability in preventing fraud. – whatsisname Aug 22 '18 at 01:10
  • 1
    A physical card is not necessary. The stolen card number could have been used at a merchant who dishonestly reports "card present" to receive a better rate from the payment gateway. (I was a software developer for a company that did this. I quit.) – StackOverthrow Aug 22 '18 at 16:45
  • 2
    @WGroleau, even though in the US there is an aberration known as contactless mag stripe, in most other countries contactless uses the same exact chip as the contact version. You can still read the card number and a few other things very easily, but if you want to make a payment, you'll need the chip to sign the transaction exactly like for a regular contact payment. – jcaron Aug 22 '18 at 17:02
  • The mag stripe is irrelevant. When you tap, you are using RFID and not reading the mag stripe nor the chip. RFID cannot transmit as much info as a six-contact chip or mag stripe can contain. – WGroleau Aug 22 '18 at 18:46
  • 2
    @WGroleau Contactless is not synonymous with RFID. A RFID tag is pure storage (the reader reads some data). It can store a lot more than a magnetic stripe (<100 bytes vs 1–4kB) though. A credit/banking/payment card always contains a chip which is used even for contactless operation. It can't be copied without equipment that costs way more than what you can get by copying credit cards. The risk that shielded wallets prevents is a rogue reader contacting the card and the card responding by validating the payment, because no user intervention is needed to validate a contactless payment. – Gilles 'SO- stop being evil' Aug 22 '18 at 22:59
  • @Beofett nowadays, the data format of most cards is known and hence, reproducible without having the card, when the information is known. However, there were also cases in the past, where the card data was copied right in the factory (en masse) by corrupt employees, before the cards were sent to the customers. In one case, the bank wanted to blame the customer but she could show that she never opened the envelope at all. – Holger Aug 23 '18 at 07:16
  • Comments are not for extended discussion; this conversation has been moved to chat. – GS - Apologise to Monica Aug 23 '18 at 07:55
  • @Beofett Do note that a card can be skimmed while it sits in your wallet, in your pocket. (Thus the advent of RFID wallets.) And as others have said, the same info can be acquired from other sources. – jpaugh Aug 23 '18 at 15:44
  • 1
    Brian Krebs has a fantastic series on Skimmers. https://krebsonsecurity.com/all-about-skimmers/ – Monica Apologists Get Out Aug 24 '18 at 13:38
  • @jpaugh That's a myth. "RFID wallets" exist because people are suckers for FUD. – Fax Jul 18 '19 at 11:38
  • @Fax If you have a source, that would be quite helpful. – jpaugh Jul 19 '19 at 15:33
  • 2
    @jpaugh https://www.finextra.com/blogposting/16365/5-myths-of-contactless-payments-security https://newsroom.mastercard.com/2018/01/17/dispelling-the-myths-the-reality-about-contactless-security-2/ https://www.halifax.co.uk/bankaccounts/debit-cards/contactless/articles/5-contactless-myths-debunked/ https://blog.nxp.com/payments/busting-the-contactless-payment-myths etc. – Fax Jul 22 '19 at 09:36
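The two mechanisms the answer and its comments contrast, a static magnetic stripe that any reader head can copy byte for byte (fectin's ISO/IEC 7813 pointer) and a chip that only ever answers a fresh challenge with a keyed computation (Mooing Duck's description), as an added, runnable illustration. This is example code, not from the answer or any commenter. Assumptions: the Track 2 layout follows ISO/IEC 7813 without the trailing LRC character; HMAC-SHA256 stands in for the block-cipher MAC real EMV cards use for their cryptogram; the challenge ("unpredictable number") comes from the terminal, as in EMV, and the card also includes a transaction counter (ATC) so a recorded exchange cannot be replayed even at a colluding terminal. The PAN is the well-known 4111... test number and all other values are constructed.

```python
"""Why a skimmed stripe yields a working clone but a captured chip exchange does not."""
import hashlib
import hmac
import os

# --- constructed sample data (test PAN, not a real account) ---
PAN = "4111111111111111"       # widely used test number; passes the Luhn check
EXPIRY = "2812"                # YYMM, constructed
SERVICE_CODE = "101"           # first digit 1: international, no chip (assumed for the card in the question)
DISCRETIONARY = "1000000000"   # issuer-defined field; constructed filler


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every terminal runs before sending a PAN onwards."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        n = int(digit)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def build_track2(pan: str, expiry: str, service_code: str, discretionary: str) -> str:
    """ISO/IEC 7813 Track 2:  ;PAN=YYMM SSS discretionary?   (LRC omitted)."""
    return f";{pan}={expiry}{service_code}{discretionary}?"


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields, rejecting malformed or non-Luhn PANs."""
    if not (track.startswith(";") and track.endswith("?")):
        raise ValueError("bad sentinels")
    pan, rest = track[1:-1].split("=", 1)
    if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("bad PAN")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


def cryptogram_input(pan: str, atc: int, amount: int, un: bytes) -> bytes:
    """Data the card MACs: who, which transaction number, how much, and the terminal's challenge."""
    return f"{pan}|{atc}|{amount}|".encode() + un


class ChipCard:
    """Holds a per-card key that never leaves the chip; it only answers challenges."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_ac(self, amount: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        self.atc += 1           # application transaction counter, strictly increasing
        mac = hmac.new(self._key, cryptogram_input(self.pan, self.atc, amount, unpredictable_number),
                       hashlib.sha256).digest()
        return self.atc, mac


class Issuer:
    def __init__(self):
        self.stripe_cards: dict[str, str] = {}   # pan -> track as encoded at issuance
        self.chip_keys: dict[str, bytes] = {}    # pan -> the same secret the chip holds
        self.last_atc: dict[str, int] = {}

    def authorize_stripe(self, track2: str) -> bool:
        """All the issuer can check is that the static track matches what it encoded."""
        fields = parse_track2(track2)
        return self.stripe_cards.get(fields["pan"]) == track2

    def authorize_chip(self, pan: str, atc: int, amount: int, un: bytes, cryptogram: bytes) -> bool:
        key = self.chip_keys.get(pan)
        if key is None:
            return False
        expected = hmac.new(key, cryptogram_input(pan, atc, amount, un), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False                         # wrong key, wrong challenge, or wrong amount
        if atc <= self.last_atc.get(pan, 0):
            return False                         # counter did not advance: a recorded exchange replayed
        self.last_atc[pan] = atc
        return True


def stripe_clone_scenario(issuer: Issuer) -> tuple[bool, bool]:
    """Returns (legit_auth, clone_auth). One read of the stripe is enough to make a working card."""
    track = build_track2(PAN, EXPIRY, SERVICE_CODE, DISCRETIONARY)
    issuer.stripe_cards[PAN] = track
    skimmed = track                                        # a bogus reader head saw exactly this
    cloned = build_track2(**parse_track2(skimmed))         # re-encoded onto a blank card elsewhere
    return issuer.authorize_stripe(track), issuer.authorize_stripe(cloned)


def chip_replay_scenario(issuer: Issuer) -> tuple[bool, bool, bool]:
    """Returns (legit_auth, replay_auth, forged_auth) for a chip card whose exchange was captured."""
    key = os.urandom(16)
    card, issuer.chip_keys[PAN] = ChipCard(PAN, key), key
    un1, amount = os.urandom(4), 499
    atc1, ac1 = card.generate_ac(amount, un1)              # an eavesdropper sees atc1, un1, ac1
    legit = issuer.authorize_chip(PAN, atc1, amount, un1, ac1)
    replay = issuer.authorize_chip(PAN, atc1, amount, un1, ac1)       # same bytes again: ATC is stale
    forged = issuer.authorize_chip(PAN, atc1 + 1, amount, os.urandom(4), os.urandom(32))  # no key
    return legit, replay, forged


if __name__ == "__main__":
    issuer = Issuer()
    print("stripe (legit, clone):", stripe_clone_scenario(issuer))
    print("chip (legit, replay, forged):", chip_replay_scenario(issuer))
```

The stripe path is the failure mode in the question: the issuer's "card present" flag only says a track was read, and the cloned track is indistinguishable from the original. On the chip path the eavesdropper holds a valid cryptogram, but it is bound to one counter value and one challenge, so both replaying it and guessing a new one fail; the ATC check is what stops a colluding terminal that deliberately reuses the old challenge.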
37

Your card was either skimmed or cloned somehow. One of the problems with the "stripe" system is that it's so easy to hack/fake it. It is 1970s tech.

The Banking system is built on trust; a lot more than you would imagine. There was, and still is, a lot of resistance to switching to "chip" owing to the definite cost of doing so vs. the maybe savings of reduced fraud. The way this was finally handled is a Liability Shift: as of October 2015, merchants who still use stripe eat the liability for fraud. And so each business is left to "run the numbers" and see whether the cost of chip conversion is worth it to them.

Liability shifts like this are the stock-in-trade of how banks deal with risk. That's why you need to pay attention to credit vs debit card rules and the practices and case law which follow: Comerica v. Experi-Metals (EMI) comes to mind. Mind you, they don't write the case law, but they do write the rules.

Perhaps you did all that when you evaluated whether to use debit vs credit cards, but I for one reached a different conclusion. My impression is that you are likely to prevail on these new card-present-swipe charges eventually if you stick with it, but the money in dispute will not be available to you while the long process runs.

Harper - Reinstate Monica
  • 5
    Depending on whether you are a bank or not, you can also claim Europe to set itself back 5+ years, as for a while banks used chip and pin as a means to completely absolve themselves of dealing with fraud, claiming the cards to be hackproof. – whatsisname Aug 22 '18 at 01:16
  • 14
    @whatsisname Throwing Europe into one bucket for this might work for European laws, but not for a general "how far are they with the tech". When I moved to the Netherlands in 2010, "pinnen" (paying with your bank card chip and PIN) was already the payment method, even if you just buy a pack of chewing gum for 70 cent. Starting ~2 years ago, available in most places by now, you can just hold your card within ~2 inches of the card reader, without PIN, for up to 50,-/day. They're joking about paying with "metal and paper" here - meanwhile in "bigger" Germany, cash is still the norm. – R. Schmitz Aug 22 '18 at 10:05
  • "mostly hemming and hawing over who would pay for the conversion" In my experience it is actually the people being against change. Everybody seems to think that because the card has to sit in the reader it is significantly slower. Personally I think they just think it is slower because it makes them pay attention vs just swiping and zoning out for a minute. – Marie Aug 22 '18 at 16:02
  • 2
    @Marie: It's slower due to the use of woefully underpowered CPUs in the cheap end readers. The readers have to do crypto work now. – Joshua Aug 22 '18 at 18:57
  • I meant that in my experience it doesn't actually seem slower. I have to be in contact with the reader longer but I don't have to wait after removing my card like I do when I swipe – Marie Aug 22 '18 at 19:00
20

There are three possibilities here:

  1. You flew to California, used the card, and flew back, and you've forgotten that you made this trip.

  2. Invisible Martians teleported into your house, stole the credit card from your wallet, teleported to California where they used it to make a purchase, then teleported back and replaced it in your wallet before disappearing.

  3. Someone made a fake card with your account number on it.

I'm going to go out on a limb and say it's probably #3.

Obviously the credit card company is capable of writing your account number and all onto a card. There's no reason why a scammer with the right equipment can't do the same. The trick is to get the necessary information. There are any number of ways to do this, from hacking into the credit card company's computer, to intercepting signals from a card reader where you used the card, etc.

Of course in 2018, once they get the data, transmitting it to a place 1000 miles away need not take more than a few seconds.

Jay
6

You will have to go through the normal procedures of this account being compromised. Contact the CC company and tell them so. You will likely have to fill out a form to dispute these charges. This account should be closed ASAP, and have new cards issued.

This is typically a bit of a hassle as many of us have a card saved for automatic transactions for things from Apple/Samsung pay to the water bill. These will all need to have the new account numbers entered.

Given that your card does not have a chip, a scammer could have made a new card, the merchant may be lying, or perhaps the CSR from the CC company gave you the wrong information.

Once fraud is detected on a credit or debit card, that card must be shut down ASAP.

Pete B.
  • The crook can write stripe(s) on a card with a fake or broken chip, and even a chip-capable merchant will accept it as stripe rather than turn away business. And as noted many US merchants haven't upgraded yet and can't even detect when chip is missing. – dave_thompson_085 Aug 23 '18 at 00:02