Banks and businesses in the US have been warned about a new type of card crime that interdicts debit cards sent in the post and replaces the chip on the card - before returning it to the mail to be delivered.
According to KrebsOnSecurity, US officials have issued a warning after reports that criminals were intercepting corporate, chip-based debit cards.
While the stolen chip put into a different card, the new debit card is typically activated straightaway and it may be some time before the business finds out that it doesn't work. This gives the thieves time to use the card bearing the stolen chip.
According to Brian Krebs, the security journalist behind KrebsOnSecurity, he US government sent a bulletin to banks at the end of March warning them about the new scam. It also included seven steps that the fraudsters use to intercept and modify the cards.
First, the criminals intercept the card in the post. Second, they expose the card to heat to melt the glue and remove the chip.
Next, they replace the chip in the new card with an older one, before placing the new chip into an old card.
Then, they put the new card back into the post for the company to receive. In the six and seventh steps, company staff activate the card in the belief that it is in full-working order.
However, while unusable the criminals can make purchases and withdraw money by using the old card kitted out with the new chip.
While the memo does not explain how crooks intercept the cards in the first replace. Krebs suggests that it could be an inside job involving staff working for the US Postal Service, but the thieves may also be targeting company postboxes.
"The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that," suggested Krebs.
"So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated."
It's also not clear whether they also intercept the PIN mailed to the recipient, or exploit current rules in the US enabling them to sign for purchases instead of tapping in their digits at a checkout.
The US has struggled to uniformly roll-out the same kind of chip-and-pin system the UK adopted in 2006, with retailers struggling to process chip card transaction due to out of date software and till systems.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago