Schneier on Security
A blog covering security and security technology.
« "The Cost of Fearing Strangers" |
| Dognapping »
January 19, 2009
In-Person Credit Card Scam
Surely this isn't new:
Suspects entered the business, selected merchandise worth almost $8,000. They handed a credit card with no financial backing to the clerk which when swiped was rejected by the cash register's computer. The suspects then informed the clerk that this rejection was expected and to contact the credit card company by phone to receive a payment approval confirmation code. The clerk was then given a number to call which was answered by another person in the scam who approved the purchase and gave a bogus confirmation number. The suspects then left the store with the unpaid for merchandise.
Anyone reading this blog would know enough not to call a number given to you by the potential purchaser, but presumably many store clerks don't have good security sense.
Posted on January 19, 2009 at 1:23 PM
"Anyone reading this blog would know enough not to call a number given to you by the potential purchaser, but presumably many store clerks don't have good security sense."
True, but many clerks might think that calling a number silk-screened on the card would be reasonable, and any counterfeiter could print any number they wanted on a credit card, be it a scratch-made fake or a modified real card--so the same scam could be pulled even on somewhat more cautious clerks.
I managed retail stores back in the early 90's and we had a list of numbers for all the credit card companies as well as phone numbers for all the banks in the state. And it was explicitly laid out in employee training* to never call a number provided by the customer for verification.
*not that employees retained or even paid any attention to the info in training.
Yes, I can't speak for what most businesses actually tell their clerks, but the one thing I'd expect at minimum is that they'd only trust the number printed on the back of the card.
Which doesn't eliminate this as a workable con, but it does eliminate people doing this quickly with stolen cards; they have to make their own, or at least be able to believably print on the back of it.
But what good does it do to have someone on the phone if the transaction isn't going to go through? I can't imagine a cashier would have access to override a refused charge.
> I can't imagine a cashier would have access to override a refused charge.
Why not? What if the computer is down, or the store modem? What if it's the era before computers everywhere, when all this was developed? It isn't overriding a rejected transaction, anyway. The cashier has to enter the approval code into their systems and that is rectified later.
The linked story isn't specific, but there are 2 possibilities. The merchant may still have the option to use paper processing on carbon slips where you write in an approval code. Some electronic charge systems, as a backup when the bank network is down, allow you to key in an approval code obtained by phone, which is cached and sent to the financial institution when the network is back up. Of course you shouldn't be able to do that unless the network is really down.
When I worked in retail, we could and did occasionally confirm credit card payments over the phone when the automated electronic system was down.
The catch of course is that we called our own merchant bank, not the customer's card issuer, so there was never any need to call an unknown or untrusted phone number.
The clerks who fall for this must be young and inexperienced enough to have never processed cards using the old paper-based system.
Here's a twist on the same scam. In this case it's a black hat working at a retail establishment:
SneakyRetailer: I'm sorry dear customer, I just tried your credit card and it has been declined. (shh I'm lying!... I didn't swipe at all...but the SillyCustomer will never know).
SillyCustomer: But I am certain my credit card is good.
SneakyRetailer: I will call the credit card company to see if we can have this resolved. Let me dial the number for you. (shh! it's not the real credit card company... but the SillyCustomer will never know).
FakeCustomerService: Hello. How may I help?
SillyCustomer: I just tried to make a purchase for $8000 but it didn't go through.
FakeCustomerService: Yes, I see that on my screen. (Shh... I'm lying...Silly customer!) If we can just confirm your CC number, I can have this cleared up immediately.
SillyCustomer: It's 1234567890 and my expiration date is 01/09 and my zipcode is 12345.
FakeCustomerService: Just a few more clicks... (shh... not really) There. Try it again.
SneakyRetailer: Let me swipe it one more time.
There, what do you know. It works. What great service! I'll have to get an account with that Credit Card company. (Shh! I just did! Mwaah Haaah Haaa!)
@twister "it's a black hat working at a retail establishment"
It would be simpler for the black hat to just work at a retail establishment that makes it easier to copy down the credit card number. Like when wait-persons take your credit card away from your table in a restaurant.
I'm assuming here the goal of the black hat is to harvest credit card numbers.
Also, I think it's easier to get a job as a wait-person than, say, behind the counter at a jewelry store.
Some places where I go shopping have the customer swipe the card.
Lots of 2nd-tier etailers ask for the bank's phone number as printed on the back of the credit card. Presumably they use that information to call the bank for confirmation of "funny" transactions. The etailer's web pages generally say that providing that number will speed up completion of the ordering and shipping process.
@unimpressed: A customer would likely give up more personal information this way. They think they're talking to a bank rep, so they'll likely give their full address, mother's maiden name, SSN, and whatever other information the scammers request for "verification purposes".
I don't know about other stores, but we actually have the number to call right next to our credit card machine. (I've never used it.) Also it would be fairly easy to remember a credit card number if you remember certain patterns. (only the last 8 digits and the cvv2 are unique.) When I work the drive-through window it amazes me, people will hand you their ID (We have to card everyone at the window as a condition of our probation), hand you their credit card and ask for their product. The window is separate from the store and connected by a beer cooler. It would be easy to carry a pen and paper and simply look at the address on the ID instead of the age, walk into the cooler and write it down along with the CC number (on the card), CVV2 (on the card) and name as printed on the card (obviously on the card). People never think about it. They have no idea who they just handed their credit card to. I am a multiple felon. Very few customers know that about me. I would never steal credit card numbers, but how many people would hand me their card and say "You're a convicted felon, now go out of my sight, off camera with everything you need to rob me blind so I don't have to reach out of my car twice." if they thought about it. The point is it doesn't take an elaborate scam with fake bank calls for a retailer to steal your info.
Don't let them out of your sight with your credit card. Watch and if something doesn't seem right, ask. Also scratching out your numbers on the merchant slip is ineffective because it is easy to print a second copy. (The password to do so in most systems is in the manual near the machine.)
LOL! Great idea, gonna try this myself
Interesting stuff. Once again, beware of out of the ordinary behaviour. Like has been said, surely the clerk was relatively new. I guess they would have targeted that new and inexperienced clerk deliberately.
My best retail story is actually from behind the scenes when I worked in facilities for a large store in the UK.
Some guy rings up, and asks whether we have an airlock on our cash office - the office where the safe was, and we bagged and signed for all the cash. The airlock was just two doors, but you could only open one of them at a time.
Obviously, I said I couldn't tell him, and checked with my boss. It turned out he was legitimate, we were having some work done... when I got back to the phone to tell him, he said I was the first guy in 30 stores who hadn't just told him straight off about the security measures!
@dan, pratfall, etc.
Sometimes electronic card authorization systems return a "call for auth" response. This is actually an extra layer of security (no, really), as it involves real people on the acquirer's voice referral service who are supposed to check that it's really the cardholder trying to use the card.
Related: forge the credit card. Many foreign credit cards have an unusual appearance and no real security features on them -- no indented text or holographic images or anything like that. If you can buy one of those machines that universities make to issue student ID cards, you can possibly mock up a reasonable forgery. And that forgery could have whatever customer service number you wanted on it.
Person: "Maestro is the European version of MasterCard -- do you think it will go through?"
Cashier: "I don't know, let's see. *swipe* Nope, sorry."
Person: "I'm sure they're interoperable. Could you call the number on the back of my card and see what my bank has to say?"
Cashier: "Well, it's a slow day and I want to be helpful, so sure."
This same security flaw ("here's who you should contact, trust me") is part of what made the MD5 SSL exploit at the beginning of this year so bad. (I know, I know, SSL is a bit of a farce anyways, because it's not so easy for non-ISP-types to eavesdrop on communications -- but bear with me.)
SSL certificates tell you how much you can trust them, as well as where you should look to find out whether they're expired. So, when the research team effectively "lifted the signature" from a valid certificate onto a malicious certificate, they made sure that their malicious certificate said, "you can trust this person to issue certificates, and their certificate cannot be revoked." And that made them able to issue their own certificates for any site they wanted.
It doesn't have to be that way. No common-sense person would design it that way.
The root certificates that come installed in your browser could say something like, "all certificates that this authority issues are valid for ___ days, unless revoked. The revocation list is available at ____. Don't trust anybody that's been certified by this authority to issue their own certificates."
It would be the equivalent of listing the bank's customer-service phone number on every cash register, instead of on the possibly forged credit cards.
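The trust-anchor-dictated constraints this comment proposes, written up as an added example that is not part of the post or the comment: a toy chain check in which the root's policy, not the certificate under inspection, fixes the validity cap, the CRL location, and whether anyone beneath it may issue certificates. The CA and site names, the policy values and the rogue chain are constructed, and signature verification is assumed to have already happened.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool                # basicConstraints CA flag
    not_before: date
    not_after: date
    crl_url: Optional[str]     # CRL distribution point; None = "cannot be revoked"

@dataclass
class AnchorPolicy:            # rules the anchor states for everything beneath it
    subject: str
    max_validity_days: int
    crl_url: str
    sub_ca_depth: int          # 0 = nobody under this anchor may issue certificates

def validate_chain(chain, policy, revoked, today):
    """chain is leaf first, ending at the anchor's direct child; signatures are
    assumed verified. Returns (True, 'ok') or (False, reason) for the first failure."""
    issuer_name, depth = policy.subject, policy.sub_ca_depth
    for cert in reversed(chain):  # walk from the anchor down to the leaf
        if cert.issuer != issuer_name:
            return False, f"{cert.subject}: issuer {cert.issuer!r} is not {issuer_name!r}"
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if (cert.not_after - cert.not_before).days > policy.max_validity_days:
            return False, f"{cert.subject}: validity exceeds the anchor's cap"
        if cert.crl_url != policy.crl_url:
            return False, f"{cert.subject}: revocation pointer missing or not the anchor's"
        if cert.subject in revoked:
            return False, f"{cert.subject}: revoked"
        if cert.is_ca:            # wants to issue: only if the anchor allows it here
            if depth == 0:
                return False, f"{cert.subject}: anchor forbids CA certificates at this depth"
            depth -= 1
        elif cert is not chain[0]:
            return False, f"{cert.subject}: issued a certificate without the CA flag"
        issuer_name = cert.subject
    return True, "ok"

# Constructed sample data (not real certificates or CA names).
POLICY = AnchorPolicy("Example Root CA", 2 * 365, "http://crl.example/root.crl", 0)
TODAY = date(2009, 1, 19)

def good_leaf():
    return Cert("shop.example", "Example Root CA", False,
                date(2008, 6, 1), date(2009, 6, 1), POLICY.crl_url)

def rogue_chain():
    """Shape of the forgery the comment describes: a long-lived CA certificate with
    no revocation pointer, issuing a leaf for a site its holder does not control."""
    rogue_ca = Cert("Rogue Issuer", "Example Root CA", True,
                    date(2004, 1, 1), date(2014, 1, 1), None)
    leaf = Cert("www.bank.example", "Rogue Issuer", False,
                date(2008, 12, 1), date(2009, 12, 1), None)
    return [leaf, rogue_ca]
```

Under this policy the rogue issuer fails on the first anchor-owned rule it violates, whereas a real 2008-era browser accepted it because the certificate itself was allowed to state its own constraints.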
"I work the drive-through window it amazes me, people will hand you their ID (We have to card everyone at the window as a condition of our probation), hand you their credit card and ask for their product. The window is separate from the store and connected by a beer cooler. It would be easy to carry a pen and paper and simply look at the address on the ID instead of the age, walk into the cooler and write it down along with the CC number (on the card), CVV2 (on the card) and name as printed on the card (obviously on the card)."
Even less obvious would be to show the card front and back to a camera.
As mentioned by others in the thread you always, ALWAYS, call your own merchant in these situations. That must have been an insanely credulous employee who got taken in. I appreciate that some people carry themselves in a way which imports authority into their every word but part of working with the public is an ability to see through that sort of thing and ignore it.
Another shining example of how much security just boils down to plain old common sense...
I'd know it was a scam the instant a human actually answered a call to a credit card company.
I have a friend (a web developer) who fell victim to the precise scam you describe. I only found out about it when I lost her phone number and googled her name and town, and instead found her credit card details (including her home address) listed publicly on some criminal bulletin board. I had to email her immediately to let her know this happened, and she then informed me about how she'd been scammed and thousands of pounds were run up on her credit card before she found out.
Clearly one of the key components of the merchant's business process is telecommunications, and the key vulnerability in this particular example is the fraudster's ability to direct the merchant's communication to an imposter bank.
So perhaps this is an opportunity for a security monitoring company (perhaps one that is a subsidiary of a major telecommunications company?) to design security services into this ecosystem, both protecting honest merchants against known threats and detecting new threats.
It's easier to have a legit pen and paper at the workplace than a legit camera. The latter's much easier to use, sure.
Or, prevent the cash register phones from calling arbitrary phone numbers. Only allow preprogrammed numbers.
Usually when you call a credit card company, there are a few processes before they will actually allow them to accept such a payment with an invalid card. Also, when buying products worth 8000 dollars, isn't there some law which requires a legal form of identification? That is the least that should have been done in this case. I think that if a retailer has to call the credit card company, it's always suspicious and should proceed with caution. Anyway, hope we can all learn from this tragedy.
This sounds like an inside job to me. The "story" creates plausible deniability -- "I'm jus' dum' as a rock", even though it makes no sense.
You can't beat an inside job by "process", as several commenters suggest. You've got to fire the fishy folks, and the manager if there's a history of hiring such people -- either she's in on it, or she's too stupid to trust.
This is weak, but anything's possible depending on the retailer. I used to manage in retail security and we trained sales staff specifically against this kind of scam (and similar).
I've been out of that biz for more than 10 years now, but I can't imagine that credit card authorization measures have been relaxed in that time. Even so, $8,000 ought to send up a red flag in any mind with the slightest common sense.
The story could only be made better if one of the guys with the merchandise answered their cell phone when the clerk placed the call.
I work for a retailer, and we've been warned in the past of scams that do have fake cards with the scam number pre-printed on it. We haven't been hit with it ourselves, but I know of other similar companies (same size and industry) who have. They called the number on the card and got "authorization" from the scammer's buddy. This was four or five years ago.
We have a well established procedure to call the number on our credit card machines, not the one on the card. Of course, I don't know if everyone's following it, but they either are or we've been very lucky.
Bruce, I had a similar variant of this story play out a while back. It involved my neighbors calling the police when they saw a suspicious white van that had been parked in my driveway. Long story short, the police came and questioned the service guys who promptly called me and handed the phone to the officer. The officer did nothing to authenticate me other than ask me my address (which if I were a confederate in cahoots I would have had prior to the call).
Reading your blog has definitely taught me to think differently about security. FYI I wrote up that experience here and mentioned you:
This works because there is zero cost in failure.
Really, I had people try this with me at the service station. They put everything back, it's not like the cops will come to such an incident.
They can then just try the next store....
However there is a phone number left behind to trace....
"Also, when buying products worth 8000 dollars, isnt there some law which requires a legal form of identification. That is the least that should have been done in this case."
Nope. Merchant payment processor agreements specifically FORBID merchants from requiring ID for a credit card purchase. Merchants are still 100% responsible for any losses from fraudulent use of a card even though they are contractually forbidden to verify ID.
I really wish people like you would stop spreading such nonsense. They are not forbidden from asking for ID. They are forbidden from making it part of their normal acceptance procedures. It's like a sub shop asking for my (and everyone else's) ID whenever buying a sandwich (yes, this happened to me. yes, it's ridiculous.).
They are perfectly within their rights to ask for your ID if they suspect the card or card holder may be fraudulent. They can decline your credit card for any reason they choose. It's a free country.
So to reiterate...they can ask for ID just not for every single transaction for everyone.
The basic idea (here, call this number that I just gave you to confirm that what I'm telling you is correct) is probably as old as the telephone network and, if you substitute other communications mechanisms for the phone, probably much older.
I've seen it where I work, at a small public library. Teenager comes to the desk with a library card that belongs to someone much older. "Oh, that's my [relative]. Here, I'll give you the phone number to call to verify I have permission to use the card." (Of course, in this situation even taking the phone number from the card-owner's account wouldn't necessarily preclude the scam, because the adult might not be home.) We eventually made this irrelevant with a blanket policy that the person whose card is being used must be physically standing in front of us or we won't check out on the card, with a special exception clause for pre-approved shut-ins.
OTOH, we don't have the patron's photo on the card or in the computer, so we only catch the ones where something very obvious (gender, general age category) doesn't match, or where we actually know the person, or (and this is more frequent than you'd imagine) where the person standing in front of us inadvertently lets it slip that the card does not actually belong to them.
I am fairly sure all public libraries will *eventually* have to have patron photos either on the card or in the computer, or some equivalent authentication mechanism. It's a matter of time. An ever-increasing percentage of the population are in regular direct casual contact, even within the same household, with people who would willingly exploit them. That has consequences.
Jonadab: Don't put the picture on the library card. Store it on the computer, linked to the patron's account so it is displayed when the card is scanned. This is more secure and it saves money. My library uses cards with only the account number, so rather than having to print and laminate one card at a time, just have a prepared stock of new cards ready to issue, linking the card number to the patron information as they issue it.
I made some coin in January - Finally! I paid off my Target Visa and they flagged it. Just because it was a large payment my account has been suspended from 01/29 till 02/10. A small time yet a suspension.
Congrats to the Patriot Act working against the little guy.
Watch out America.
I have a strong desire to lie and make up stories on this board for some reason, but I haven't been scammed. I use common sense and think about how things could be abused. I also have a policy that I won't give out or trust information I receive over the phone if I haven't looked up and dialed the number myself. I did get one call from a guy saying he wanted me to fix a "computers" [sic] for him, if I would accept a check for more than the amount and send the difference to "his" pet shipping company. I kept him on the line and got the operator to dial the police!
I need a credit Visa card number and CVV number.
Is it possible to work out the CVV2 from the PAN, expiry, etc.?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.