Credit Card Skimmers

[PorscheGAL]

Anyone know what information can come off a CC strip for a scammer to use?

Husband had CC number used for an Ebay/Paypal purchase. We contacted CC company and they sent a new CC with a new number. The new number was compromised 2 days after we activated it, also an Ebay/Paypal order. All he bought with the CC was gas, hence the skimmer question.

Even weirder: he got a text from eBay/Paypal notifying him of the 2 purchases but when we try to go on eBay or PayPal directly, they have no account linked to his phone number.

Thoughts?

[Zeke]

Call the CC number!

[Brando]

Report the fraudulent charge(s) immediately. The bank will likely give him a new card. There are numerous ways that someone could have got the card. Usually there is a small (less than $5) charge beforehand to make sure the card works before a larger transaction is tested.

[PorscheGAL]

Both cards were cancelled immediately. I have alerts set up every time the card is used. I’m ocd about watching it. I just think it’s bizarre the 2nd card was active 2 days and only used once before it was hijacked. That’s is why I wondered if a skimmer at the gas station would be able to pick up a phone number

[techman1]

I ask the question of myself many times:
Gas station pumps are a frequent scanner that is compromised.
Why use a credit card there? Get a gas station card.
Use it there. If it gets skimmed, you are not challenging a $800 online purchase.

The famous “Catch Me if You Can” inspiration said never use a debit card.
Get a credit card, use the bank’s money and pay it off.

[Nostril Cheese]

Dont pay at the pump. Always pay inside.

[Brando]

I forgot to ask - are your cards "tap to pay" compatible? Might be time to get an RFID blocking wallet.

[PorscheGAL]

Quote:

Originally Posted by Brando

I forgot to ask - are your cards "tap to pay" compatible? Might be time to get an RFID blocking wallet.

They are. Didn't think of that. Might be worth looking into.

[Steve Carlton]

Seems beyond coincidence that your second card would be compromised within 2 days, unless the gas station was the same one that compromised your first card. Or somehow someone has access to your personal information, which is a lot scarier. You might want to get some identity theft insurance until you figure this out.

[PorscheGAL]

Same gas station. But the fact that they have his phone number too was the interesting part.

The credit card company has been really proactive about this. The second card charge was actually rejected because of the previous card issue.

We have a credit lock so not as worried about a new account being opened with SSN.

Of course, we will avoid this gas station in the future

[Steve Carlton]

What about alerting the gas station to the possible skimmer? You might even be able to see if it's possible by looking at it. Maybe once they have your credit card info they can access your phone number? I don't know.

[looneybin]

I had the same thing happen that was traced back to a gas station I frequented
When I told the station owner, he didn’t seem to care about it, he was probably in on the scam.
I haven’t got gas there since
Maybe they need the CC companies to start cracking down and revoke their use contract, and just maybe that would get there attention to up their security
The station I use now has tap to pay pumps

[rusnak]

CC skimmers are pretty easy to see and avoid, if you know what to look for because they sit right on top of the Point of Sale device. They try to disguise them, but you can't fake things like keypad depth, wear on keys, height of a card reader clamshell, etc etc.

I caught one before the bad guy could come back and download the credit card numbers. I cut the wires to the batteries and now use it as a teaching aid.

And it was INSIDE THE STORE, not outside.

NFC cards, or the ones that use Apple Pay, Samsung Pay, etc are a terrible idea.

RFID cards, or more precisely CARD READERS will prompt you to leave your card in the reader while the transaction goes through. They have much better encryption and are now the standard.

I don't know any business owner who doesn't care about credit card fraud. He's going to rack up a metric sh!+ ton of charge backs. It's not a profit for him, why would he be "in on it"?

[biosurfer1]

Quote:

Originally Posted by Nostril Cheese

Dont pay at the pump. Always pay inside.

That won't help


https://youtu.be/5b1axnNK-wI

[pwd72s]

Buy Gas with Cash...since getting caught up with the debit card scam at Target, we use cash for misc. purchases...never have used paypal since it's protections are zilch compared to a bank.

Thinking about it, might not be a big problem in Oregon. One of the few states that doesn't let you pump your own...as if only a 17 years old "technician" can know how to pump gas safely.

Also, a fun oldie song from the 1950's, maybe early 60's? Describes when out problems started.

https://www.youtube.com/watch?v=-hiqY0QK1QM

[Tishabet]

Quote:

Originally Posted by PorscheGAL

Anyone know what information can come off a CC strip for a scammer to use?

Husband had CC number used for an Ebay/Paypal purchase. We contacted CC company and they sent a new CC with a new number. The new number was compromised 2 days after we activated it, also an Ebay/Paypal order. All he bought with the CC was gas, hence the skimmer question.

Even weirder: he got a text from eBay/Paypal notifying him of the 2 purchases but when we try to go on eBay or PayPal directly, they have no account linked to his phone number.

Thoughts?

Since when does Paypal or eBay send texts to customers? Are you sure that these texts aren't phishing/aren't the actual source of the compromise? Just a thought.

Sidebar/not directly commentating on you or on this specific instance: Years ago I made my living consulting for banks/financial services (and of course law enforcement) on fraud crime, and although my knowledge is now getting rusty (haven't worked in that space in about 8 years) one thing I am confident is still the case is that your average consumer gives the fraudsters way too much credit... very rarely are the fraud vectors complicated, usually it is something dead simple. We have a nation of people carefully examining the ATM machine for a card skimmer, who then hand their CC to a waiter (who takes it away and returns minutes later) without giving it a second thought. Once someone is the crime of a fraud or a con, they (at least in my experience) often push back on you once you explain what happened in detail exactly because it is too simple. Similarly, there are many victims of cons who insist that they were not victims and you are mistaken. It is easy to con someone, it is difficult to convince someone that they have been conned. This is just human nature and it is as true of me as it is of the rest of you.

Neat example of a skimmer fraud that I helped detect: fraudster installed a skimmer in an ATM kiosk (small glass building housing an ATM in a city core location) in a spot in the Dominican Republic frequented by tourists from cruise ships. But the thing is, they didn't install the skimmer on the ATM machine itself (where people would usually have a greater level of scrutiny)... they knew that ATM kiosks in the US are typically locked and you unlock the door by entering your card into a "lock" there. ATM kiosks don't usually have this feature in the Dominican Republic, but the tourists don't know that. So they installed a 100% fake "unlock the door" skimmer at the door of the ATM kiosk and captured a ton of tourist ATM card data.

[stomachmonkey]

Quote:

Originally Posted by rusnak

CC skimmers are pretty easy to see and avoid, if you know what to look for because they sit right on top of the Point of Sale device. They try to disguise them, but you can't fake things like keypad depth, wear on keys, height of a card reader clamshell, etc etc.

I caught one before the bad guy could come back and download the credit card numbers. I cut the wires to the batteries and now use it as a teaching aid.

And it was INSIDE THE STORE, not outside.

NFC cards, or the ones that use Apple Pay, Samsung Pay, etc are a terrible idea.

RFID cards, or more precisely CARD READERS will prompt you to leave your card in the reader while the transaction goes through. They have much better encryption and are now the standard.

I don't know any business owner who doesn't care about credit card fraud. He's going to rack up a metric sh!+ ton of charge backs. It's not a profit for him, why would he be "in on it"?

NFC cards are more secure than a dip or strip.

The handshake involves a unique one time code for every single transaction.

They never send the same data twice.

The chip readers you speak of that hold onto your card, those are EMV devices, same tech as the tap to pay NFC cards.

[J-Mac]

The most compromiseable card reader is usually the car wash keypad unit, usually round back of the shop. The one time I used it was the second time my card was skimmed. I usually go to Chevron or Shell for gas but I always check the card reader for a tight fit, looking too new etc. The one time I didn’t do the check at the pump I was in a hurry and yes was skimmed out in remote Carmel Valley. I used to work in the credit card payments industry. In the banks mind the merchant is always at fault and the onus is on them to prove no fraud. So you are always safe from that angle. But never ever use a debit card, period, to purchase. Just for ATM at the bank’s ATM. I am very sure your telephone number is not stored on your card. In the US the most likely place to get skimmed is in a restaurant or bar where they take your card away from you. In Europe they have to bring the card reader to your table, you swipe or tap it and then you input your PIN - well it was that way when I was there two years ago. But your credit card doesn’t leave your hand.

[PorscheGAL]

Quote:

Originally Posted by Tishabet

Since when does Paypal or eBay send texts to customers? Are you sure that these texts aren't phishing/aren't the actual source of the compromise? Just a thought.

That's what I would think but we just happened to be in the car together when he got the text from PayPal and I got a text and email from the CC company that the card had been used. So I guess PayPal is now doing text confirmations.

[rusnak]

Quote:

Originally Posted by stomachmonkey

NFC cards are more secure than a dip or strip.

The handshake involves a unique one time code for every single transaction.

They never send the same data twice.

The chip readers you speak of that hold onto your card, those are EMV devices, same tech as the tap to pay NFC cards.

Yes, my bad, I was typing on the go. EMV is what I meant to type.