Archive for January, 2015


Data: Credit card fraud isn't always apparent to card holders, and banks don't always share information about an incident.

Data: Credit card fraud isn’t always apparent to card holders, and banks don’t always share information about an incident. Photo: Karl Hilzinger
Unaware of credit card fraud until the statement arrives or the bank rings? Here are eight ways tech-savvy criminals can get your details from shops, ATMs and other systems.

Card issuers like Visa and MasterCard often know if merchants have suffered a breach before even the banks or the merchant itself, but they rarely reveal their names to the banks. Rather, in response to a breach, card issuers will send each affected bank a list of compromised card numbers often triggering their cancellation.

Banks may be able to work backwards from that list to the breached merchant, however, in cases where hacked merchants are known rarely is that information shared with their customers.

Here’s a look at some of the most common forms of credit card fraud:

1. Hacked bricks-and-mortar merchant, restaurant:

Here criminals capture credit card details most often by remotely installing malicious software on point-of-sale systems – the software that controls a shop’s payments and inventory.

Distinguishing characteristic: Most common and costly source of card fraud. Losses are high because crooks can take information from multiple cards and produce counterfeit cards that can be used in big box stores to buy gift cards and/or expensive goods that can be easily resold for cash.

Chances of consumer learning source of fraud: Low, depending on customer card usage.

2. Processor breach:

This is a network compromise at a company that processes transactions between credit card issuing banks and merchant banks. One such breach occurred in 2012 and involved some 10 million card numbers.

Distinguishing characteristic: High volume of card accounts can be stolen in a very short time.

Chances of consumer learning source of fraud: Virtually nil. Processor breaches are rare compared to retail break-ins, but it’s also difficult for banks to trace back fraud on a card to a processor. Card issuers/banks generally don’t tell consumers when they do know.


3. Hacked point-of-sale service company/vendor:

This is a compromise at the supplier of the point-of-sale system, not the merchant.

Distinguishing characteristic: Can be time-consuming for banks and card issuers to determine vendor responsible. Fraud is generally localised to a specific town or geographic region served by vendor.

Chances of consumer learning source of fraud: Low, given that compromised point-of-sale service company or vendor does not have a direct relationship with the card holder or issuing bank.

4. Hacked e-commerce merchant:

A database or website compromise at an online merchant.

Distinguishing characteristic: Results in online fraud. Consumer likely to learn about fraud from monthly statement, incorrectly attribute fraud to merchant where unauthorised transaction occurred. Bank customer service representatives are trained not to give out information about the breached online merchant, or address information associated with the fraudulent order.

Chances of consumer learning source of fraud: Nil to low.

5. ATM or other skimmer:

Thieves attach physical fraud devices to ATMs, gas pumps and other card readers to steal card numbers and PINs. For more on skimmers, see All About Skimmers series.

Distinguishing characteristic: Fraud can take many months to figure out. Often tied to gang activity.

Chances of consumer learning source of fraud: High. Banks often disclose to cardholder the source of the fraud.


6. Crook employee:

A case often associated with small car hire outlets, motels and restaurants, it involves an employee using a hidden or handheld device to copy card for later counterfeiting.

Distinguishing characteristic: Most frequently committed by restaurant workers. Often tied to a local crime rings, or seasonal and transient workers.

Chances of consumer learning source of fraud: Nil to low.

7. Lost or stolen card:

Distinguishing characteristic: The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by bank to suspicious transactions, which often involve small fraudulent test transactions to see if the card is still active – such as at automated gas station pumps in the US.

Chances of consumer learning source of fraud: High.

8. Record theft:

Merchant, government agency or some other entity charged with storing and protecting card data improperly disposes of card account records.

Distinguishing characteristic: Usually not high-volume. A form of fraud less common than it used to be.

Chances of consumer learning source of fraud: Nil to low.

It’s clear from the above that most consumers are unlikely to discover the true source or reason for any card fraud. It’s far more important for cardholders to keep a close eye on their statements for unauthorised charges, and to report that activity as quickly as possible.


Henry Sapiecha