'Secure' Chip Cards Can Be Vulnerable to Hackers, Too

  • Posted by a hidden member.
    Log in to view his profile

    Mar 02, 2018 12:58 PM GMT
    The chips now found in plastic cards were supposed to be safer against fraud than magnetic strips. Turns out maybe not so secure after all. Hackers are now using 'shimmers' hidden inside chip reading machines to poach your data, using it to clone another card for themselves. And if your chip doesn't contain your PIN number to hack, some merchants don't require using it anyway. Several I deal with have you sign the paper receipt instead, which strikes me as being very unsecure.

    This article suggests using credit cards instead of bank debit cards (I always use debit, dislike using credit and paying fees fees). But the argument is that credit cards usually have a $50 limit or less against fraud, whereas debit cards can be $500, and give you a much more limited time to report the theft before all protections expire. After which a hacker can clean out your entire bank account. Something to consider when using plastic.

    Your credit or debit card with a chip in it, touted as being less vulnerable than magnetic strip cards, may not be as safe as you think. Some consumers' chip cards are getting hacked anyway and they have little protection when it happens.
    .........
    Amber Kellogg was shocked when she recently saw two back-to-back ATM withdrawals on her Chase bank statement, totaling $400. Amber says she didn't withdraw the money, so she assumed her card had been hacked.

    "I called Chase. And they said, 'Oh, this must be fraud, we'll refund your money.' So I got the money back in my account," said Kellogg.

    But Chase changed its mind. It pointed to the chip on the back of Amber's debit card, saying chip cards can't be hacked.

    WalletHub, a personal finance website, says scammers have found a way to hack chip cards. It's called "shimming." Shimmers are devices hidden inside chip readers, and when you insert your debit card, they steal your data. WalletHub says Amber's chip was likely hacked.
  • Posted by a hidden member.
    Log in to view his profile

    Mar 02, 2018 2:10 PM GMT
    I travel a ton for work, so I've dealt with a fair amount of credit and debit card fraud over the years. My experience is, you're much better off with credit cards. Basically, they flag the charge, ask you to watch your statements, and send you another card ASAP, even via overnight mail if needed. You're able to keep going. Also, if there is fraud with a credit card, it's basically the bank's money that's been taken, whereas if it's with a debit card, your personal funds in your bank account are at risk. I think most banks cap your personal funds at a US$500 fraud loss. Many credit card companies feature a zero or trivial fraud loss as a discriminator.

    The only time I had a fraudulent charge on my debit card, the bank froze the fraudulent/disputed amount in my bank account. I was required to write a letter of explanation in my own handwriting, denying the charge. After about a 10-day investigation process, the bank declared me not culpable and unfroze the disputed funds. In my case, it was a few hundred dollars, and not a big deal, but I feel bad for anybody who has a rent or mortgage or car payment due and has disputed funds frozen due to fraudulent activity by others.

    I've never lost a dime to fraud-related charges, though, by credit or debit card.
  • Posted by a hidden member.
    Log in to view his profile

    Mar 02, 2018 5:34 PM GMT
    My husband once had $20,000 stolen from his bank account. At the very moment we were sitting in the bank discussing earlier breaches that day!

    That morning, while trying to access his bank account info online from home, he was blocked. A phone call revealed the block was done automatically because of detected suspicious activity. So we went in person to a nearby bank branch to resolve.

    They all know us there, so it was corrected very quickly. But by the time we got back home it was blocked again. We returned a second time and now the corporate security people were notified. We sat there for hours, finally invited to the branch manager’s desk, whom we know socially outside the bank.

    That’s when my husband’s cell rang and he gave it to me. They asked for him, and I replied he was busy, could I help them. “We’re with [our bank’s name], phoning about some problems with his account.” “Well, that’s strange, I said, “He’s sitting here with a bank branch manager this very moment, discussing this...” ***CLICK***

    I showed the local number to the manager, and he didn’t recognize it. Later back home I did an online number search and it was a Fort Lauderdale residential address. I printed it and included it in a police report I made.

    The next day, when we returned to the bank to change all his accounts, we learned about the attempted $20,000 transaction. It happened seconds after that cell call he had received.

    The $20,000 was frozen before it could be moved, BTW, and wasn’t lost. I asked why it was much less than they could have gotten. I was told that’s typical. They probe for a more modest amount, a really large one possibly triggering other alarms. And if that works then they go for the whole thing.
  • Posted by a hidden member.
    Log in to view his profile

    Mar 02, 2018 6:20 PM GMT
    A more proactive step I take when traveling is to notify the bank’s card division of where & when we’ll be traveling. And request a $500 daily limit, on all card expenses including ATM. Somewhat limiting, although between our 2 cards I can usually find the money. Or if necessary phone them and make a temporary change.

    And actually sometimes the bank does it on its own. It runs a security algorithm, and it I make purchases in South Florida, and within hours purchases appear on my card as made in California, they freeze the account.

    It’s happened, usually very small amounts, but again the security types tell me it’s probing. Crooks may have gotten my card info off a hacked list, and are seeing which ones work. After that I change all my account numbers, but it’s a damn inconvenience. Oh, well, our modern hi-tech world.
  • carew28

    Posts: 855

    Mar 02, 2018 7:44 PM GMT
    I also prefer credit-cards to debit-cards. I actually don't have any debit-cards, even though some banks have offered a $50.00 bonus for establishing a debit-card, and some gas-stations offer a slight reduction in the price of gas for paying with a debit-card. I don't care at all for the idea of allowing access to my chequing-account through a debit-card. Credit-cards just seem safer to me.

    Last year, one of my credit-cards notified me that they'd refused 2 charges on my card that didn't resemble previous charges, and asked me if I'd made them. I hadn't and told them so. Both were made in distant parts of the country that I'd never been to. The credit-card rep told me that the first one was for only a small amount (a hotel reservation by phone), while the second one was for a couple of hundred dollars at a department-store. He asked me if I physically had possession of my card, and I told him that I did. He told me that the second charge that they'd refused had been made with an actual credit-card that had my account number, and used to try to pay for a purchase at the department-store, so a phony credit-card must have actually been created with my account number. The rep told me it was surely a case of attempted stolen identity/credit-card fraud, and that they'd send me a new credit-card with a new account number. It arrived soon after. He'd also told me that the first telephone attempt was probably a trial by whoever had stolen the account-number just to see if it would work. (The new card has a chip, I think the previous cancelled one had only a magnetic-strip). I thanked the rep for his help. The credit-card company must have been quite alert to have noticed those fraudulent transactions. I'm lucky that it wasn't a debit-card.

    Shortly before that happened, I'd read in the newspaper that several devices had been discovered at the local supermarket that I use attached to the credit-card reader that were fraudulently recording credit-card numbers. I'd used that credit-card numerous times at that supermarket, and I suspect that that was where the fraud originated.
  • Posted by a hidden member.
    Log in to view his profile

    Mar 03, 2018 12:31 AM GMT
    carew28 saidI also prefer credit-cards to debit-cards. I actually don't have any debit-cards, even though some banks have offered a $50.00 bonus for establishing a debit-card, and some gas-stations offer a slight reduction in the price of gas for paying with a debit-card. I don't care at all for the idea of allowing access to my chequing-account through a debit-card. Credit-cards just seem safer to me.

    Last year, one of my credit-cards notified me that they'd refused 2 charges on my card that didn't resemble previous charges, and asked me if I'd made them. I hadn't and told them so. Both were made in distant parts of the country that I'd never been to. The credit-card rep told me that the first one was for only a small amount (a hotel reservation by phone), while the second one was for a couple of hundred dollars at a department-store. He asked me if I physically had possession of my card, and I told him that I did. He told me that the second charge that they'd refused had been made with an actual credit-card that had my account number, and used to try to pay for a purchase at the department-store, so a phony credit-card must have actually been created with my account number. The rep told me it was surely a case of attempted stolen identity/credit-card fraud, and that they'd send me a new credit-card with a new account number. It arrived soon after. He'd also told me that the first telephone attempt was probably a trial by whoever had stolen the account-number just to see if it would work. (The new card has a chip, I think the previous cancelled one had only a magnetic-strip). I thanked the rep for his help. The credit-card company must have been quite alert to have noticed those fraudulent transactions. I'm lucky that it wasn't a debit-card.

    Shortly before that happened, I'd read in the newspaper that several devices had been discovered at the local supermarket that I use attached to the credit-card reader that were fraudulently recording credit-card numbers. I'd used that credit-card numerous times at that supermarket, and I suspect that that was where the fraud originated.

    This is exactly what I understand is happening nationwide, and has happened to us personally. And yet I never read of anyone being prosecuted for this crime. Apparently it's not any kind of priority with our elected officials, to bring resources to bear, and create laws.