Debit Card Cloning


Lochnar

Recently, I had someone create physical duplicates of both my and my wife's debit cards and rack up $1,100 in fraudulent charges. I would have suspected being caught by a skimmer at first, but it was both our cards and we live 2,000 miles from where the physical cards were used. My question is this: what information could a person utilize to create physical copies of a debit card other than physically skimming it?

Thank you.

That is exactly what I am curious about. Is the information saved on a site enough information to be able to create a new physical card that a person could take into a store and use? I would expect that there would be some encryption in place on the mag strip on the card that, while it could be copied outright with a skimmer, could not just be written on a card because they have my account number. I am trying to get an in-depth understanding of what goes on the magnetic strip on a card.

It may have been online purchases or they manually had them typed in.

Readers are really cheap, I mean, Square, PayPal, etc. do it. But the writers I'm not sure about. Last I remember, there are 3 layers, and finding a writer that does 3 layers is difficult and expensive. Or at least it used to be.

It's not all that hard or expensive to get an MSR writer nowadays. The MSR605 on eBay is like $300-something. If they cloned your card, that's more than likely what they used. But Mr-Protocol is right about the 3 layers; what's crazy about that is that only 2 are used. I think the format is called hi-co, or lo-co. I can't really remember. They only use all 3 layers on Amex cards, I think. I could be wrong on that one. But anyway, to actually make an exact clone of your cards, they would have had to actually skim your card somehow; somebody somewhere did. Because you can't actually "clone" a card from just the 16-digit number a thief would get from, let's say, maybe an SQL injection on a website that they compromised. Because the information on the mag strip on your card is really like a 48-digit number or something like that. But what I think "they" do is somehow compromise a POS (point of sale) instead of skimming, because skimming is soooo 2006. Haha. Then "they" get massive amounts of CC data, along with the magstrip "dumps" and the CVV2, then they sell it on "carding" sites. I could be wrong though. :D I hope this gives you some half-ass idea about how it could have gone down.

Here is my logic behind the scenario.

I don't believe it was a skim job since nobody is going to "invest" money and sell physical cloned cards online. I would think it would be online purchases using the card number and the CVV off the back. This information can be gotten by just taking a picture of the front and back of the card. With that, you have a name and, with a little bit of Google, a billing address.

Either your information was intercepted when handing your card to a waiter/waitress or during an online transaction, or it was part of an intrusion that saves your card number (they shouldn't store your CVV number per PCI Compliance).

What I would do is contact your local/state law enforcement agency if you haven't already and allow them to see what they can do. And h0T_rails is correct with the selling of stolen information, there is a whole underground-ish network/market for this kind of stuff.

That is something I have also been pondering, midnitesnake. There are only a small handful of places that our cards both get used, and they are not small ma and pop places, nor do our cards generally get used close together at any given place. It is also weird that the crooks made purchases using physical cards; I made sure to ask that bank about it. That is why I am now so curious as to what information a person would need in order to build a usable copy of my card. Plus all the thefts occurred 2,000 miles away, so it is not like someone ran my card through a reader, made a duplicate, then drove across the country to use it. I am leaning towards the possibility of a data breach from the bank, stolen laptop or something like that. I am in IT Security, so I have an understanding of how data gets compromised, stolen, sniffed, etc. I am trying to get an understanding of how much is needed to get used in my case and in this fashion.

Something like that happened to me a few years back.

I always wondered how they were able to have a physical card 1500 miles away.

I never let a waiter/waitress walk away with my card.

The bank didn't care much, they just fixed my account.

It wasn't a fun experience, they used all my cash in the bank and left me with a negative of $2000.

I didn't notice until a Friday at 5:00, had the whole weekend with no cash, and no gas.

The bank fixed it on Monday, and I was good again.

I thought maybe I had a trojan or malware on my PC; needless to say, I changed the way I do purchases.

Now on all purchases I only use my iPhone or iPad.

I know that isn't completely foolproof, but it's a bit safer than the possibility of my PC being infected.

I had never thought about the possibility of someone at the bank, who knows.

Edited by xrad

Plus all the thefts occurred 2,000 miles away, so it is not like someone ran my card through a reader, made a duplicate, then drove across the country to use it. I am leaning towards the possibility of a data breach from the bank, stolen laptop or something like that. I am in IT Security, so I have an understanding of how data gets compromised, stolen, sniffed, etc. I am trying to get an understanding of how much is needed to get used in my case and in this fashion.

Most likely skimmed, when you didn't notice; this could be a 2nd skimmer under a till, or a portable version hidden in a waiter's/cashier's pocket. If you're not Chip 'n' PIN, your magstripe on the card will contain 3x tracks, everything needed to clone the card in 1x swipe. This information was probably sold on the internet/darknet to another carder or a set of mules, that then perform the 'cash-in' buying of goods to sell on Craigslist, eBay or similar.
