Low-tech credit card scam used to bypass security protections…
Security programs are typically designed to protect consumers against high-tech credit card theft. But a recent low-tech credit card scam uses X-Acto knives and glue sticks, rather than wi-fi and computer hacking, to victimize consumers. Thieves begin by buying a list of valid credit card numbers on the black market. To verify the numbers are valid, they make small purchases online or by phone. Using a simple cut and paste technique, the scammers then create new cards using the verified numbers by shaving them off gift cards or expired credit cards with an X-Acto knife and then glue them onto a canceled or stolen credit cards. They then use the knife to damage the magnetic strip so that merchants must manually enter the card number, virtually bypassing all protections.
If they’re successful, months can pass before a cardholder discovers the fraud. After all, the card is still in the cardholder’s possession and there’s no way to verify the account number was compromised. Cardholders need to be diligent about reviewing their monthly statement for suspicious purchases to stop the activity as quickly as possible.
Card shaving and other low-tech credit card schemes are on the rise due to increasingly tight security measures. “As regulations and security is tightened on electronic credit card processing networks, it becomes increasingly difficult for hackers to penetrate them,” says Shyam Krishnan, an industry analyst with the Smart Cards group at Frost & Sullivan, a high-tech research and consulting firm. This opens the door for low-tech scammers.
Merchants are the first line of defense against this particular scheme. With fraudulent card in hand, store clerks may see visual signs that something is amiss such as numbers and letters that are haphazardly arranged. This should immediately raise a red flag for cashiers and customer service employees. But since many shaving scammers wait for hectic and busy store hours to launch their schemes, most clerks are too distracted to pay much attention. And since most retailers require no matching verification if a card is signed, thieves have an even greater opportunity for success.
Merchants need to keep vigilant. Fraudulent transactions will eventually be disputed by the card’s rightful owner and the merchant will be left with little option but to absorb the loss. Manually typing a card number is risky and experts are advising that merchants refuse service, if the card doesn’t scan. Merchants should also look at the back of the card to be sure the proper marks are intact. For sales conducted online or by phone, merchants need to protect themselves by requesting the three-digit security code on the back of the card (four digits and on the front of American Express cards).
One way to avoid ‘shaving’ is with a credit card account that generates a new number for every new transaction. Virtual Account Numbers are provided for online purchases by Citibank. PayPal offers a MasterCard debit card with similar security features. And SmartStripe will soon be introduced by Qsecure for debit and credit cards, which will use an embedded chip in the magnetic strip to generate a different number automatically for every purchase.
* For more security tips, see our article on Credit Card Security & Fraud >