Skip to content ↓ | Skip to navigation ↓

The United States Secret Service is warning of a new scam in which thieves are targeting the chip-based debit cards issued to corporations.

As reported by Brian Krebs, the scam involves criminals intercepting a newly issued debit card along its way to a corporation, tampering with the chip and waiting until it’s activated so that they can profit off that enterprise’s funds.

Here’s a breakdown of how this scheme operates:

  1. Bad actors steal payment cards, particularly debit cards, sent from financial institutions to large corporations.
  2. They use a heat source to melt the glue holding the chips of the stolen cards in place. They then remove the chips and replace them with chips from old or deactivated cards.
  3. The criminals repackage the modified payment cards and send them along their way to the large corporations. They then wait for activation, presumably because they lack the information and/or authority to trigger the cards themselves.
  4. The receiving corporations activate the payment cards but discover that they don’t work. In the meantime, the malefactors use the stolen chips to benefit personally off the victimized organizations’ financial accounts.

The Secret Service, which first warned banks about this ruse in late-March 2018, has not clarified how criminals are intercepting the payment cards. Krebs has some ideas:

It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.

Organizations of all sizes should recognize this scam as a call to protect themselves against fraudsters. They can do so by carefully inspecting envelopes containing newly issued payment cards as well as the cards themselves for signs of tampering. If they notice anything suspicious, they should contact the issuing financial institution immediately. They should also place alerts on all of their accounts so that they can quickly spot any unauthorized transactions and close off the suspicious access.

At the same time, corporations should take efforts to protect customers’ payment card information against breaches like those at Orbitz and Saks Fifth Avenue/Lord & Taylor if they handle that type of data. They can do so in part by working to achieve PCI DSS compliance. For information on how Tripwire can help, click here.