Criminals have devised a new scheme that aims to drain the bank accounts of large corporations.
US authorities are alerting banks to a new type of payment card fraud that is targeting chips in debit cards sent through the mail, a report by KrebsOnSecurity reveals.
According to a warning issued by the United States Secret Service in late March that was obtained by security journalist Brian Krebs, it is a rather elaborate scheme that ultimately seeks to drain funds from the accounts of large corporations.
First, fraudsters intercept letters containing chip-based debit cards sent in the mail to high-value corporate customers. They then prise the chip from the newly-issued payment card by exposing the card to heat and melting the glue.
Next, they replace the chip with an expired or invalid chip while placing the stolen chip into an old card. They then repackage the card with the dud chip and dispatch it to its recipient, waiting for the unsuspecting firm to activate it.
It’s not clear how exactly the thieves are able to intercept the letters. Krebs suggests that the scheme could involve postal employees or that perhaps the fraudsters steal the letters directly from corporate mailboxes. “Either way, this alert shows the extent to which some thieves will go to target high-value customers,” Krebs wrote.
“The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that,” he added.
It probably doesn’t take long before the companies notice that something is amiss, which gives the criminals only a narrow window of opportunity to steal funds. Also, apparently the scam can only pay dividends if no PIN validation is required.
In late January, Krebs informed about another memo that the Secret Service issued to financial firms. Back then, he reported that jackpotting – a kind of attack that involves manipulating ATMs into spewing out cash like slot machines – had made its way into the United States.
written by Tomas Foltyn, ESET We Live Security