Copy Credit Card

[Caterina Haggins]

AnEMV (Europay, Mastercard, and Visa) chip is a microchip installed in newer payment cards. It dynamically encrypts each transaction made with the card. This makes it difficult to access the actual authorization information, even if a criminal attempts to clone the card.

The newest payment cards are equipped with radio frequency identification technology (RFID). This allows them to transmit transaction information to a card reader simply by being nearby, without physically inserting the card in a slot. This helps to avoid skimmers and shimmers but is still not without its vulnerabilities.

Criminals have developed an RFID-enabled card cloning device they can conceal on their bodies while walking down the street. This allows them to steal information from RFID-enabled cards just by being in close enough proximity to their owners.

Then, when a customer swipes their payment card through the machine, the skimmer copies their card details. This information is then relayed to (or downloaded by) thieves, who use it to clone cards and then make fraudulent purchases or steal money from bank accounts.

Some creative fraudsters are modifying fake POS terminals to have the credentials of real merchants. Then they conduct fraudulent return transactions to load gift cards or debit cards, then cash out the stolen money at ATMs.

Unfortunately, it is likely impossible to eradicate card cloning fraud. Even now, criminals are finding ways to breach the most current card security standards. So the best approach when it comes to preventing card cloning is a comprehensive risk management strategy.

New security standards like EMV chips and RFID technology make it harder for criminals to clone cards. The implementation of Europay, Mastercard, and Visa (EVM) chips has been one of the biggest advancements in the fight against card cloning since they are safer alternatives to magnetic stripes. They use payment information that is encrypted to make it exceptionally difficult for criminals to clone cards, but EVM chips still have their vulnerabilities.

Even if their cards have EVM, people are more likely to use the magnetic stripe at POS terminals due to the familiarity allowing their credit card information to potentially be stolen. Also, a recent study from a security firm stated that cybercriminals have found a method to make purchases with a magnetic stripe card using data that was meant for EVM chips.

This gives insight to the upsetting reality that is: it is almost impossible to get criminals to stop cloning cards because they will always try and find a workaround, so this should be just one part of an effective strategy to combat card cloning.

Companies, especially financial institutions, should periodically take stock of the points at which they take card transactions, such as ATMs and point-of-sale machines. They should secure these points to make it more difficult to clone cards.

For example, making sure that POS terminals are all EMV compliant as well as helping customers purchase things in a more secure manner are a few ways Merchants can help make it more challenging for criminals to clone cards.

Thanks for your response, but I tried feeding it a credit card and it did scan it. Also worked with insurance cards and they all printed out beautifully. I'm posting this in case it helps someone else in the same situation. (Whether you can scan these items or not was never even mentioned in the instruction booklet, the Virtual Agent or tutorials.) Note: be sure to carefully tape your card/s (you can do several at the same time) onto a full size sheet of printer paper if you don't want to waste your ink. If you just load the card alone, the rest of the page will print out all black and you'll run of out expensive ink!

Hi, we have received your order #12345 and it has been triggered by our fraud alert system. Please send us a copy of your drivers license and credit card used in the transaction. You my black out any personal details like the DL# but please leave the last 4 digits of the credit card, name, and address.

Their response basically reiterated their first email, but insisting that they already had all this information anyways and just needed to verify it. So I ended up cancelling the order and buying the same part from a different retailer. They are indeed legitimate retailers. Their name bounces around the forums without any issues and I found them, they didn't find me.

1) I've had "fraud alerts" on my credit card before when making a larger than usual purchase. They come in the form of an email from my bank asking me to confirm whether I made a given purchase or not. Sometimes they even require that I call in to verify. This "fraud alert" was only from the retailer. My bank did not raise this issue.

2) As far as I'm concerned, I should never take a picture of my credit card. Even if I block out the important details, the original photo probably got synced to the cloud which means I have to go make sure it was deleted everywhere and trust the our google/apple/amazon overlords did indeed delete it. I'm sure there's ways to mitigate this, but it every hoop I jump through is an opportunity for mistakes.

3) If I was a fraudster, I'm pretty sure I could fake a credit card and corresponding ID via Photoshop that I could take a crappy photo of with my phone and satisfy them. I don't think there's much security in their process.

It is very common to have some fraudster use someone else's credit card to make purchases. Merchants have zero protection in these cases and not only pay for the charge processed as well as a dispute fee. Also, their credit card processor will blacklist them and basically throw them out of business if the dispute rate increases.

So, almost any retailer that processes $1M+ in volume a month will use some kind fraud early warning software. There are plenty in market and they are making a killing as SaaS companies. Once a transaction is triggered as potential fraud, the merchant will attempt to verify via multiple methods.

One of the most common methods employed, is asking for Driving Licence/ID and a copy of credit card with numbers hidden. There is almost nothing anyone can do with this piece of info. You are giving away, nothing confidential. It just proves that you are in possession of the card and your name is on the card. If the charge is disputed, these images can be used to prove that the merchant took an effort to verify the transaction and shift liability. This method is employed by many famous companies: AirBnB, Agoda/Priceline, Lyft used it at one point.

As someone who owns a small online business this is something that we are told to do by banks and our payment processors to prevent fraud. If someone is using a stolen card and you report it, it's not the bank refunding you, it's the business. The business loses the product and the money and often even get a chargeback.

It can be very damaging to businesses and so we need to take all the precautions necessary. If you are really concerned you can send a photo with your finger or a piece of paper blocking the personal info so it can't be stolen.

Point 1 is not always true because it depends on the level of escalation, i.e. the middleman like Visa/Master/AMEX may have a delayed clearance issues with the bank. So the logical way to deal with this is calling the bank support.

Point 2 is valid, you should never send a copy of your credit card/ID to through email. At minimum, the merchant should at least provide an encrypted web interface to let you upload it. If they cannot do it due to cost and commission issue (some payment gateways are pretty expensive), then they should ask you to contact your bank than performing such shady process, even it is legitimate request.

Yeah this sounds really sketchy to me. Good call on trusting your gut here. Fraud detection like that would obviously usually happen on the bank side. If for some reason the retailer were doing heavy fraud detection (which, for a store selling items of presumably smaller value, would surprise me), then asking for a copy of your identification without telling you what triggered the fraud alert smells weird. It may have been legit - after all, they did instruct you to obfuscate the valuable parts of the image - but not giving details is weird.

Not in the sense of "Geez dude, how could you not realize they need that?" but rather in the sense of "The credit card companies want it done even though they are skirting liability by strongly suggesting it rather than outright requiring it."

One thing they pushed was motivated by their approach (presented as already in place as such) to considering upon whom the crush of a fraudulent sale would fall. Basically, they said know your customer or don't do the sale because it will fall upon you from now on. Their example of a thing gone wrong was a company wanting an order of parts shipped overseas. The company itself had offices in Kentucky. Fraudulent, of course, and their idea of how that was tipped off to the seller was who in Kentucky would ever want a third-party shipment overseas? Since such a thing is entirely possible, reasonable, and a couple-of-times-a-year occurrence, their example was obviously meant to hustle us into the world of "knowing your customer" and that included getting ID.

(The company in question really did screw themselves, but with the initially presented story details and the bank's take on why the cost lay with the company, not them, it was not clear at all that the seller had been just plain stupid, so it supported my point above.)

Starting in the early 90's, asking for ANY ID to go along with the physical card was forbidden. Utterly so. (Of course, if you were sufficiently profitable, I'm sure they DID allow you to negotiate release from that.) I mentioned that and it turned out that since around 2013, they'd quietly done away with that. News to me and I've still to see their promised "in writing" documentation of the credit card companies now allowing this. But they then went back on the copy of a driver's license beat so it was very clear that allowed or not, if one did not get such, then that seller would bear the cost of fraud, not the bank.

3a8082e126