The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates the modified card, thieves can start draining funds from the account.

According to an alert sent to banks late last month, the entire scheme goes as follows:

1. Criminals intercept mail sent from a financial institution to large corporations that contain payment cards, targeting debit payment cards with access to large amount of funds.

2. The crooks remove the chip from the debit payment card using a heat source that warms the glue.

3. Criminals replace the chip with an old or invalid chip and repackage the payment card for delivery.

4. Criminals place the stolen chip into an old payment card.

5. The corporation receives the debit payment card without realizing the chip has been replaced.

6. The corporate office activates the debit payment card; however, their payment card is inoperable thanks to the old chip.

7. Criminals use the payment card with the stolen chip for their personal gain once the corporate office activates the card.

The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated.

The Secret Service memo doesn’t specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.

– krebsonsecurity.com –

Three men have been arrested on suspicion of printing out small pieces of paper with the QR codes on them and then sticking them over 60 codes used by traders in Nanjing, the capital of Jiangsu province, late last week, Xiandai Kuaibao reported on Monday.

The alleged scam is said to have netted 3,000 yuan (US$480) from more than 100 transactions, which targeted traders selling expensive items such as seafood.

The three unemployed men – who were only identified by their surnames Zhao, Zhu and Zhang – reportedly told police they had been inspired by a friend who had made money this way.

People opening mobile payment accounts are now obliged to provide their full names and ID documents, but the three are accused of trying to hide their tracks by using an account opened by a friend before the regulations came into force.

Police tracked down the suspects using surveillance footage and found them in an internet cafe where they were playing computer games.

In the newspaper report local police warned shoppers to take care when scanning QR codes and always confirm that shop owners had received the payment.

– scmp.com –

A new report has revealed that there was a 10 percent increase in the number of payment cards compromised at U.S. ATMs and merchants in 2017.

“The number of compromises and the number of card members impacted set a new record last year,” said TJ Horan, vice president of fraud solutions at FICO. “While most devices are safe, fraudsters are developing new technology and methods for hacking ATMs. This is why it’s important for consumers to be cautious when withdrawing cash, and also for them to check their account regularly and confirm that all the transactions on their debit card are legitimate.”

The data – which is taken from the FICO Card Alert Service that monitors hundreds of thousands of ATMs and other readers in the U.S. – also showed that compromised card readers at U.S. ATMs, restaurants and merchants went up 8 percent in 2017.

ATM hacks have proven to be a real concern for consumers and financial institutions. Earlier this year, Diebold Nixdorf and NCR Corporation – the two biggest ATM makers in the world – warned that hackers are going after ATM machines in the U.S. with tools that can force the machines to spit out cash. A confidential alert was sent to banks from the U.S. Secret Service that hackers are targeting standalone ATMs that are usually found in drug stores, big-box retailers and drive-thru ATMs.

And while financial institutions are launching cardless ATM transactions in which customers can use their mobile phones to withdraw money, Krebs on Security found that feature can be hacked, with criminals using stolen bank account usernames and passwords to quietly take cash out of ATMs.

In its report, FICO offered tips to keep payment card info safe, including staying away from an ATM that looks odd, or where your card doesn’t enter the machine smoothly; avoiding an ATM if anyone is hanging around nearby; calling your bank immediately if your card is captured inside of an ATM; requesting a new card number if you believe your card has been compromised; and checking your transactions frequently.

– pymnts.com –

Cyberattacks cost the U.S. economy upwards of $109 billion in 2016, with activity coming from inside the country as well as outside.

According to news from Reuters, citing the White House Council of Economic Advisers (CEA), cyberattacks cost the U.S. anywhere from $57 billion to $109 billion. Outside the U.S., entities with malicious intent were based in Russia, China, Iran and North Korea.

But many cyberattacks were carried out by those residing in the U.S., with the White House Council of Economic Advisers suggesting corporate competitors, activists and organized crime were behind many cybersecurity breaches in the U.S. The report noted efforts from the public and private sectors would go a long way in fighting cyberattacks and would contribute to growth in the gross domestic product.

The report out of the CEA follows another recent survey, which reveals that cybersecurity is the biggest worry for companies, especially since few of them feel prepared to handle an online attack. The survey, which was conducted by Microsoft and Marsh, found that when 1,300 senior executives were polled, two-thirds ranked cybersecurity among their organizations’ top five risk management priorities, with 75 percent saying the business interruption that comes from a hack has the greatest impact on their organizations. But while companies fear the impact of a cyberattack, only 19 percent are highly confident in their organization’s ability to prevent and respond to one. In fact, only 30 percent have developed a plan to respond to a cybersecurity incident.

“Cyber risk is an escalating management priority, as the use of technology in business increases and the threat environment gets more complex,” said John Drzik, president of Global Risk and Digital at Marsh. “It’s time for organizations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer.”

– pymnts.com –

The number of identity fraud victims has increased by 8 percent (rising to 16.7 million U.S. consumers) over the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003, according to a press release about the report.

The study found that despite industry efforts to prevent identity fraud, fraudsters successfully adapted to net 1.3 million more victims in 2017, with the amount stolen rising to $16.8 billion. With the adoption of EMV cards and terminals, the types of identity fraud continued to shift online and away from physical stores. The complexity of fraud is also on the rise as criminals are opening more new accounts as a means of compromising accounts consumers already have, according to the press release.

“Fraudsters are growing more sophisticated in response to industry’s efforts to implement better security,” Al Pascual, senior vice president, research director and head of fraud and security for Javelin Strategy & Research, said in the press release. “Fortunately, there are a variety of digital tools that consumers can leverage to stay better informed on the status of their identities and accounts, and to ultimately stay better protected.”

The study found the following:

• Record high incidence of identity fraud — In 2017, 6.64 percent of consumers became victims of identity fraud, an increase of almost one million victims from the previous year. This increase was driven by growth in both existing non-card fraud and account takeover.
• Account takeover grew significantly — Account takeover tripled over the past year, reaching a four-year high. Total ATO losses reached $5.1 billion, a 120 percent increase from 2016. Account takeover continues to be one of the most challenging fraud types for consumers with victims paying an average of $290 in out-of-pocket costs and spending 16 hours on average to resolve. This translates to more than 62.2 million hours of time consumers lost in 2017. That is enough time for more than three million people to binge watch the first and second season of Stranger Things.
• Online shopping presents the greatest fraud opportunity — EMV is driving more fraudsters to seek online channels for fraud. Card Not Present Fraud is now 81 percent more likely than point of sale fraud, the greatest gap Javelin has observed.
• Fraudsters are getting more sophisticated — Fraudsters are getting more sophisticated in their attacks and using more complex and difficult to detect monetization schemes. One-and-a-half million victims of existing account fraud had an intermediary account opened in their name first. This is 200 percent greater than the previous high.