R. Paul Wilson On: Credit Card Scams
Editor’s Note: This is the first article of R. Paul Wilson’s four-part series on the biggest credit card scams and how to avoid them. Although the UK is cracking down on credit card use in gambling, our UK-based readers will still benefit from reading the series as the scams can occur in any situation where you might use a credit or debit card.
It’s almost impossible to gamble online without using your credit or debit card and therefore exposing yourself to potential fraud.
In this short series of articles, I’ll discuss how to protect yourself in real life and online, and what to look out for as fraudsters become ever-more sophisticated.
Skimming – Common Card Scam
This was once one of the most common methods of stealing someone’s card details.
Essentially, when your card was handed over, the waiter, bar tender or cashier would swipe your card through a hidden reader that would record its details. It also remembered the CVV code printed on the signature strip of the card so that it could married with the data just collected.
This data would then be used to make a clone of the skimmed card that could be used in ATM machines or readers around the world.
These clones might even have been just blank plastic cards with a magnetic stripe, since they would be used solely for extracting cash until the real owner cancelled their skimmed card.
There’s a limit to how much can be done with a skimmed card and many skimmers would simply sell the data collected to people who would clone hundreds of skimmed cards to collect small amounts, which would add up to thousands of dollars depending how many working cards they had and how many ATMs they were willing to hit.
Naturally, greed tends to overcome intelligence. As the data would spread and more clones existed, scammed owners of those cards would quickly cancel them.
But, if an organised gang managed their stolen cards carefully, victims might never notice 20 or even 50 dollars appearing on their bill and the card could remain “good” – so long as it wasn’t shared with less disciplined crooks!
ATM hopping also required a PIN number and I’ve seen many ingenious ways of stealing that information.
From simple shoulder surfing to my favourite: a small additional keypad that was offered to customers so they can enter their PIN for approval. This keypad actually served no purpose in the buying procedure – it was only necessary to steal and record that PIN number!
I’ve seen many skimmers in action, and they’ve hidden their secret card readers in many ingenious ways.
A classic method is to just put it in their pocket and skim the card as they reach inside, though it amazes me that they’d be brazen enough to pocket a customer’s card at all.
I’ve seen readers hidden in boots, belt lines and aprons, but a very clever version was in a bar towel that was used to “clean” the card, which was secretly swiped in the cleaning action.
If a crooked staff member is working on their own, these methods might be common but if you stop for lunch in a criminal’s cafe, the credit card reader itself might be hacked to record card details at the same time that payment is being processed.
Not-So-Secure Chip and PIN
Once declared the “ultimate defence” against skimmers, Chip and PIN technology was quickly defeated by a team from Cambridge University. Since then, other methods to get around this system have been discovered.
But the simplest was to claim the chip couldn’t be read as an excuse to revert to swiping the card’s stripe on the machine’s magnetic reader.
Since most cards will work without the chip and PIN this is an obvious flaw in the system. So even if a chip exists, swiping the card can be useful if the subsequent cloned card is used in countries without chip and PIN machines.
That said, I’ve seen chip and PIN machines hacked to record the user’s PIN and the magnetic stripe making this process easier for the scammer while seeming more “natural” as far as the victim is concerned.
Chips may be copied but it’s not easy to do, and far from practical while there are plenty of countries that will allow chipped cards to be swiped without the need for the PIN.
The “Lebanese Loop” Device
One remarkably simple way to steal money from chipped cards is to steal the card and the PIN number at the same time.
The so-called “Lebanese Loop” is an example of an in-machine trap that can be used to capture a card, along with a tiny camera to record the PIN number.
The card may work fine in the ATM and money might be withdrawn by the owner, but the card then becomes stuck inside the ATM card reader and will not eject.
This forces the frustrated victim to abandon the machine with his card inside.
The “Loop” is then pulled out of the machine along with the card and the hidden camera retrieved to note the PIN number.
Typically, the card is then used to buy as much as possible or withdraw maximum amounts within hours of the theft.
The key to a working “Loop” is the outer shell that fits over the reader to look like part of the machine. If it’s well made, victims might never notice anything unusual about the ATM, especially once their card is lost.
Similarly, the camera has to be positioned and hidden so that it blends perfectly.
I’ve seen some remarkable shells that fit over readers, keypads and even the entire ATM! I’ve even seen entirely bogus ATMs positioned in tourist traps around the world.
When The Real Hustle Made a Fake ATM – And it Worked…
As an experiment for The Real Hustle we built a small phone-box sized ATM out of wood, painted it to appear similar to a typical bank machine, then hid Jess inside with a card reader and a laptop.
Watch it here:
When people tried to use that machine, Jess simply took their card (she was the only thing behind the face of the machine – there were no “working parts”), skimmed the card and used her laptop to request a PIN via the monitor on the face of the ATM.
Jess then watched through a peephole to see the number that was typed on the keypad, wrote that down, then pushed the card back out of the machine while switching the monitor to say: “sorry, out of order”!
The victim would then go to another, legitimate machine to retry their card and find that it worked on that machine while blissfully unaware that their card and PIN had been successfully stolen thanks to our bogus ATM box.
This all proved how a simple coat of paint, location and lack of suspicion could easily trap anyone into compromising their bank card.
In my next article, I’ll describe some more credit card scams and how stolen cards are used in casinos. I’ll also discuss some simple steps anyone can take to protect their details while online or on the road.