US business warned about new chip-based card fraud

Fraudsters intercepting corporate debit cards in the post in order to replace their chips

Authorities in the US have issued a warning over a new type of credit card crime targeting chip-based debit and credit cards.

According to KrebsOnSecurity, US officials have issued a warning to financial firms that crooks are intercepting corporate, chip-based debit cards, replacing the chip on the card before putting the card back into the envelope and completing the delivery.

The stolen chip is then put into a different card. On receipt of the new debit card, the business will typically activate it, but might not use it straightaway. This gives the thieves time to use the card bearing the stolen chip.

According to Brian Krebs, the security journalist behind KrebsOnSecurity, the US government sent a bulletin to banks at the end of March warning them about the new scam. It also included seven steps that the fraudsters use to intercept and modify the cards.

First, the criminals intercept the card in the post. Second, they expose the card to heat to melt the glue and remove the chip.

Next, they replace the chip in the new card with an older one, before placing the new chip into an old card.

Then, they put the new card back into the post for the company to receive. In the sixth and seventh steps, company staff activate the card in the belief that it is in full working order.

However, while the card the company receives is unusable, the criminals can make purchases and withdraw money by using the old card kitted out with the new chip.

The memo does not explain how crooks intercept the cards in the first place. Krebs suggests that it could be an inside job involving staff working for the US Postal Service, but the thieves may also be targeting company postboxes.

"The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that," suggested Krebs.

"So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated."

It's also not clear whether they intercept the PIN mailed to the recipient, or exploit current rules in the US enabling them to sign for purchases instead of tapping in their digits at a checkout.

The US has struggled to uniformly roll out the same kind of chip-and-PIN system the UK adopted in 2006, with retailers struggling to process chip card transactions due to out-of-date software and till systems.