Social Engineering People’s Credit Card Details

Good Wall Street Journal article on criminal gangs that scam people out of their credit card information:

Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid traffic violations.

The texts are ploys to get unsuspecting victims to fork over their credit-card details. The gangs behind the scams take advantage of this information to buy iPhones, gift cards, clothing and cosmetics.

Criminal organizations operating out of China, which investigators blame for the toll and postage messages, have used them to make more than $1 billion over the last three years, according to the Department of Homeland Security.

[…]

Making the fraud possible: an ingenious trick allowing criminals to install stolen card numbers in Google and Apple Wallets in Asia, then share the cards with the people in the U.S. making purchases half a world away.

Posted on October 28, 2025 at 7:01 AM • 14 Comments

Comments

K.S October 28, 2025 8:52 AM

>install stolen card numbers in Google and Apple Wallets in Asia

How are they subverting authentication at the issuing bank? You can’t just “install” a CC; there is a whole process for token activation that must be followed, and that ought to involve the bank authenticating the request.

Kam-Yung Soh October 28, 2025 8:56 AM

I cannot read the WSJ article, but I am aware of the “trick allowing criminals to install stolen card numbers in Google and Apple Wallets in Asia”.

Some Singapore banks now prevent that by blocking the feature unless enabled by the cardholder. Here’s a local article about it from May 2025 [ https://www.straitstimes.com/singapore/dbs-to-roll-out-new-switch-to-prevent-phished-card-details-from-being-added-to-mobile-wallets ].

“SINGAPORE – A new mobile banking app feature will allow DBS and POSB card holders to control who can add their cards to mobile phone wallets from mid-May.
[…]
With this launch, users will no longer be able to add card details to their device for contactless payment until they switch on the “mobile wallets” toggle in the DBS banking app.

The switch will be “off” by default. After turning it on, users have 10 minutes to add their card details before the switch automatically turns off again.”
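The control quoted above, a per-cardholder toggle that is off by default and closes itself ten minutes after being switched on, can be modelled as a small issuer-side check. The code below is an added illustration written for this thread, not DBS’s or POSB’s implementation; the class and function names, the timestamps and the attacker timeline are all constructed assumptions. The point it shows is that correct (even phished) card details alone no longer clear the provisioning step, and that a request arriving after the window has lapsed is refused even though the cardholder did enable the switch at some point.

```python
"""Time-limited 'mobile wallets' switch: a per-cardholder toggle that is
off by default and auto-closes after a fixed window.
Hypothetical model written for this comment thread; not the bank's code."""
from dataclasses import dataclass, field
from typing import Optional

WINDOW_SECONDS = 10 * 60  # ten-minute window, as the quoted article describes


@dataclass
class WalletProvisioningSwitch:
    """One cardholder's toggle. `enabled_until` is an epoch timestamp,
    or None when the switch is off (the default state)."""
    enabled_until: Optional[float] = None
    audit: list = field(default_factory=list)

    def turn_on(self, now: float) -> float:
        """Cardholder flips the switch in the banking app; returns the expiry."""
        self.enabled_until = now + WINDOW_SECONDS
        self.audit.append(("enabled", now))
        return self.enabled_until

    def is_open(self, now: float) -> bool:
        """True only inside the window; flips itself off once the window lapses."""
        if self.enabled_until is None:
            return False
        if now >= self.enabled_until:
            self.enabled_until = None
            self.audit.append(("auto_off", now))
            return False
        return True


def decide_provisioning(switch: WalletProvisioningSwitch, now: float,
                        card_details_valid: bool) -> dict:
    """Issuer-side decision for an 'add card to wallet' token request.
    Valid (even phished) card details are not enough: the switch must be open."""
    if not card_details_valid:
        return {"decision": "deny", "reason": "card details failed validation"}
    if not switch.is_open(now):
        return {"decision": "deny", "reason": "cardholder wallet switch is off"}
    return {"decision": "allow", "reason": "switch open; proceed to token activation"}


def simulate_phished_card() -> list:
    """Constructed scenario: the attacker holds correct card details at t0,
    the cardholder opens the switch at t0+100s for their own phone, and the
    attacker retries 11 minutes after the switch was opened."""
    switch = WalletProvisioningSwitch()
    t0 = 1_700_000_000.0  # constructed epoch time
    results = []
    # 1. Attacker submits straight away: details are correct, switch is off.
    results.append(decide_provisioning(switch, t0, True)["decision"])
    # 2. Cardholder enables the switch and adds the card on their own device.
    switch.turn_on(t0 + 100)
    results.append(decide_provisioning(switch, t0 + 130, True)["decision"])
    # 3. Attacker retries after the window has lapsed: switch has auto-closed.
    results.append(decide_provisioning(switch, t0 + 100 + 660, True)["decision"])
    return results


if __name__ == "__main__":
    print(simulate_phished_card())  # ['deny', 'allow', 'deny']
```

The audit list records both the cardholder’s enable action and the automatic close, which is what an issuer’s fraud team would want to correlate against token-activation attempts: a provisioning request that arrives while the switch is off is itself a useful signal that the card details have leaked.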

DBA October 28, 2025 9:49 AM

Amusingly, just last week I was deleting old emails from unused dump accounts that I’d created but never checked, things like webadmin@… They went back a decade or more. I was quite amused at the number of “I’ve hacked your web cam and have seen the nasty stuff that you’ve been doing, you naughty boy” sorts, not to mention the invoice fraud attempts. I was a little disappointed that none of them attempted to map my street address, but then again, I do pay for anonymization.

Paul T October 28, 2025 10:16 AM

Could CC companies establish fake CC numbers that would set off alarms when used? The number would appear to work, like say “in process,” but would somehow activate tracing? Maybe for one of these fake numbers the CC company would redirect to a web service responsible for authorizing or authenticating the purchase that would accept the TCP connection, then just stall out. I say all this while admitting I have no idea about all the mechanics of how a CC purchase is approved. The idea is to get the IP address submitting the purchase. If even that would do any good. Probably TOR.

KC October 28, 2025 10:58 AM

The Journal also has a podcast on this story, with a nice transcript.

https://www.wsj.com/podcasts/the-journal/no-your-toll-payment-is-not-overdue/a9ed26a4-f9a2-4937-83a5-ff1c3ed8877a

From the article: “At least 200 SIM boxes are operating in at least 38 farms across the U.S., in cities such as Houston, Los Angeles, Phoenix and Miami…” We’ve got farms in office spaces, crack houses, and an auto repair shop.

And the podcast: “[Some of these SIM farms are] basically pitched as sort of a gig economy job. The criminals will give you one of these boxes. You just plug it in your home, you get it on your wireless network, and so you’re basically a spam pumping operation at that point.”

The WSJ’s Bob McMillan talks in greater detail about how these scams could be pared down. Telcos can play a role, as can phone makers, as well as banks and credit card companies.

And a note to self … ‘anytime you find yourself reaching for your wallet with a sense of urgency’

‘Just take a breath and ask yourself, “Is this a scam?”’

Anonymous October 28, 2025 12:10 PM

I get text messages threatening dire consequences if I don’t pay a “fine.” I went to one of their links to see how their supposed payment site is set up.

I found my payment was trivial, less than 5 dollars.

The unsuspecting and naive, and because it often takes forever to verify with a governmental agency like motor vehicles, tend to pay under the assumption that they’ll only be out a small amount.

But the whole point is to get their cc details. Often followed with surprisingly large charges.

BCS October 28, 2025 8:25 PM

I wonder what effect it would have if US courts allowed its citizens to sue foreign nations that negligently allow criminals to defraud them?

It would be rather easy to enable prevailing parties to collect given how many T-bills China holds. Just transfer ownership.

PC Chen October 29, 2025 12:09 AM

This article is very light on how they add the cards to mobile wallets. Since most banks require some sort of SMS authentication to add cards, I suspect it’s included in the phishing scheme. For example, the scam web site asking for your CC number might also have a field for “authorization code,” and it’s understandable that some people might mistake an SMS from the bank for adding the card as coming from the scam site.

It’s important that this is possible, because using stolen CCs on e-commerce sites was very common, but that creates a big problem of fencing the goods, as the goods need to be sent to an address, and that’s traceable. However, with a contactless wallet, the scammers can easily buy expensive goods in person, and that’d be much less traceable.

DDNSA October 29, 2025 5:45 AM

…to make matters worse, on top of all issues mentioned, comes the PCI DSS implementation requirement, which is a U.S. Legal Standard so begs a question of: are there PCI DSS Equivalents outside of U.S. Jurisdictions, and how stringent are they?

Clive Robinson October 29, 2025 6:18 AM

@ BCS,

With regard to your question,

“I wonder what effect it would have if US courts allowed its citizens to sue foreign nations that negligently allow criminals to defraud them?”

The court would not have any standing under international law.

In part because Nation States are independent jurisdictions and in part because there is an international “trade”[1] process to deal with this already in existence.

For years companies basically ignored judgements made against them in other jurisdictions. The partial solution came through the WTO in 1994 and the formation of the interstate “Dispute Settlement Understanding”(DSU) and resulting processes.

https://en.wikipedia.org/wiki/Dispute_settlement_in_the_World_Trade_Organization

It’s supposed to be an apolitical process based on arbitration.

However US politics being what it is via “exceptionalism” has in effect hamstrung the process.

Thus US entities are not seen favourably even by people in the US…

China for instance has started a process against the US with the headline grievances being reported a few days ago as,

China’s mission to the World Trade Organization (WTO) accused the US of undermining the rules-based multilateral trading system since the new administration took office in 2025.

‘The Chinese Government trade mission cited the U.S. Government’s “frequent implementation of trade discriminatory policies” and introduction of “so-called reciprocal tariffs” that have “severely infringed upon legitimate rights of various countries” by launching what China describes as a global trade war.

The mission further accused the U.S. of refusing to implement WTO panel rulings while persistently blocking the reappointment of WTO Appellate Body members[2], effectively hampering the organization’s dispute resolution mechanism.

The mission further stated that the U.S. has “continued to escalate its bullying behaviours in imposing unilateral sanctions and long-arm jurisdictions, which violated principles of market economy and fair competition grievously.”’

The more normal usage of the WTO process would have been seen by the disputes being processed under it. However none can proceed because of US behaviour. So most of those currently pending are against the US for the current US executive actions…

So currently what you propose cannot work.

However under international law “Assets belong to the Sovereign / Crown” in any national jurisdiction. Remember as “any person legal or natural” you only get the rights the government of that nation gives you in their jurisdiction. So they can simply take the assets away from you and there is little or nothing you can do (legally the “You will own nothing” statement has been true for centuries).

In theory if the offending entities had assets in the US these could quite lawfully be taken. But one thing nearly all Governments appear to agree on, is that assets grabbed go into the National Treasury, not the actual persons harmed.

[1] What you see here as crime actually exists within the framework of “trade”. Whilst there is no agreement internationally as to what is and is not a crime, trade on the other hand is fairly well agreed upon, as are its rules and regulation. Thus “negligence” by a trade entity to prevent harm kind of falls under the WTO processes currently.

[2] This is a typical US technique of “If we don’t own it, veto everything”; they have done it 91 times so far on this issue alone,

https://www.reuters.com/business/us-blocks-wto-proposal-fill-appellate-body-vacancies-91st-time-says-trade-2025-10-24/

For a more in depth DW report,

https://www.youtube.com/watch?v=8cBJFUpK_xI

Doug Deden October 29, 2025 10:48 AM

@DDNSA,

You say:

…to make matters worse, on top of all issues mentioned, comes the PCI DSS implementation requirement, which is a U.S. Legal Standard so begs a question of: are there PCI DSS Equivalents outside of U.S. Jurisdictions, and how stringent are they?

What do you mean by “to make matters worse”? How does the PCI DSS make things worse?

Also, the PCI DSS is neither a legal standard nor a US-specific thing. It’s a set of security standards that applies to merchants and processors of the big payment card brands, regardless of country. It’s enforced by contractual obligations between merchants and issuers, not via legislation and the courts.

…doug

Doggie Doug October 29, 2025 6:54 PM

@Doug Deden,

Next thing you know, “experts” will be claiming that even HIPAA is implemented on a voluntary basis as well? Either it’s MANDATED or it is VOLUNTARY. Why would any business spend so much money on PCI DSS compliance and/or AUDITS if there were no negative consequences as a result of non-compliance? Liabilities: nobody wants them.

Clive Robinson October 30, 2025 2:58 AM

@DDNSA, Doug Deden,

“are there PCI DSS Equivalents outside of U.S. Jurisdictions, and how stringent are they?”

The answer is it’s complicated for two basic “base” reasons,

1, Contrary to what many think, legislation and regulation do not cross “sovereign” jurisdictional boundaries.

2, In any movement of “information” it’s seen as an “object” somewhat equivalent to a physical object in transit. Thus there are three things to consider: where the movement starts, where the movement ends, and, surprise surprise, all points the information crosses in between.

With actual physical objects there is national legislation covering the end points and International treaties. International treaties for information objects are really few and quite murky. Much of it is done through the United Nations via the ITU.

So the first question you have to ask is,

“What is the PCI DSS actually, and what does it cover?”

The reality is it’s “a standard” from a commercial organisation. As such it has no legal status, except

1, By agreed contract.
2, Where a jurisdiction directly references it in “primary legislation”.

These two points show there is a very real legal issue.

Ask yourself a question,

“What happens when the commercial entity ‘changes the standard’?”

It’s why it’s usual to not quote a commercial standard title or section numbers but to “directly quote” the passages.

There are however non-commercial standards issued by accredited “Standards Bodies”; they have legal obligations that unwind some of the issues, and generally they try not to create any.

I used to have involvement with the “British Standards Institute” (BSI) back when it was in Chiswick / Kew, SW London. And most standards, even though technical in nature, were not written by engineers but by lawyers with long experience in “the legalese required”. It used to be the same in the EU, except for the additional process of translating into the required languages. But it might have changed in the couple of decades or so since I last had to have direct dealings with them.

Commercial standards are very rarely written in formal legalese, thus incorporating them in primary legislation really is asking for trouble. Which is probably why the US Federal Government has not put PCI DSS in their legislation, nor have most US states (the last time I checked)[1].

OK having “salted the earth” the PCI DSS covers information security in the three states of information,

1, Communications
2, Storage
3, Processing

And enforcement for the latter two is by contract, not legislation.

Because,

“All organizations that process or transfer cardholder data need to be compliant with PCI DSS. But this isn’t enshrined in national legislation. Instead, compliance is mandated by the PCI Security Standards Council, (a group of the five largest card issuers[3]). Companies can face fines from these card issuers if they do not meet the correct PCI DSS compliance level.”

If the organisations don’t pay when fined, they will no longer be allowed to be part of the PCI payments system. Thus in many cases they would go out of business in very short order.

So there is a significant level of coercion, but only for contract-tied entities that process card data.

But in Europe and the UK, data security of personal information is “back stopped” by primary legislation. That is, if a data breach does happen and the entity does not have suitably adequate data protection policies, they could potentially face huge fines from government regulatory bodies. As these fines are based on “global turnover”, the penalties of a data breach of consequence can be quite significant.

But “communications” is different.
Because the other two are in effect covered by “contract at a known location” owned by a “signed-up entity”, both end points are in effect covered. Which leaves open the question of the journey.

As communications is in most cases actually done, not by a “signed-up entity” but by a notionally public entity with “common carrier” status, the journey is not enforceable by contract and might get routed anywhere in the world even if only intended to cross town.

It’s a distinction that is lost on many. But it’s why you see statements such as,

“PCI DSS sets 12 requirements for the secure processing and storage of cardholder data.”

Note that “communications” is omitted…

But of more concern are the changes from v3.2.1 to v4.0: the older version was prescriptive, whereas the latter is effectively advisory.

So you see,

“Protect cardholder data with strong cryptography during transmission over open, public networks.”

So you have to dig down, but you might also miss,

“Restrict physical access to cardholder data.”

And its relationship to “strong cryptography”.

In essence you need to think in multiple levels of encryption. That is encryption of information, and further Super encryption of communications channels.

There is a lot of nuance in v4.0 which is actually a bad thing in some respects.

But the point is,

1, An information object needs to be encrypted when stored and communicated.

2, Communications needs its own additional encryption from channel end to end.

And they need to be as segregated and independent as possible.

There are all sorts of other requirements when you get into the 300 or so sub-points that are under the 12 major points.

I hope that covers what your question could cover.

Personally I’m glad I no longer need to get my hands dirty with PCI DSS.

[1] Fun fact: you are supposed to know all laws and regulations in the UK; it’s an impossibility even for judges. But courts stick to the fantasy for various reasons.

However formally legislation has to be published without impediment…

Which raises the thorny question of what an “impediment” actually is. I’ve been involved with a challenge that basically said “Standards Bodies do not publish; they sell for more than cost, thus profit”[2]. Which makes it an impediment, as it is no longer “a social good”. There was lots of twisting and turning and,

“It got kicked into the long grass”

So never got to an answer, so the Status Quo prevailed.

[2] The last time I had reason to check the prices, there was a vast price difference between “The London Gazette” and the price of all the Standards issued in a year, by a factor of well over a hundred. In between, but much closer to the equivalent daily price of the Gazette, was legislation in printed form from “Her Majesty’s Stationery Office” (HMSO). But this was before “political idiocy” meant that for “cost savings” the HMSO ceased to exist and became a “commercial entity” called TSO. And it was required to in effect “make a significant profit”. Thus “Law” became a “Commercial Concern”, not “A Public Good”. A quick check shows that the London Gazette is now only available on annual subscription and costs over $5000, or ~$20/day. So no longer in any way “Published Publicly” or available to “The man on the Clapham Omnibus”.

[3] The list of five is:

American Express,
Discover Financial Services,
JCB International,
MasterCard Worldwide,
Visa Inc.
