Banks and businesses in the US have been warned about a new type of card crime that interdicts debit cards sent in the post and replaces the chip on the card - before returning it to the mail to be delivered.
According to KrebsOnSecurity, US officials have issued a warning after reports that criminals were intercepting corporate, chip-based debit cards.
While the stolen chip put into a different card, the new debit card is typically activated straightaway and it may be some time before the business finds out that it doesn't work. This gives the thieves time to use the card bearing the stolen chip.
According to Brian Krebs, the security journalist behind KrebsOnSecurity, he US government sent a bulletin to banks at the end of March warning them about the new scam. It also included seven steps that the fraudsters use to intercept and modify the cards.
First, the criminals intercept the card in the post. Second, they expose the card to heat to melt the glue and remove the chip.
Next, they replace the chip in the new card with an older one, before placing the new chip into an old card.
Then, they put the new card back into the post for the company to receive. In the six and seventh steps, company staff activate the card in the belief that it is in full-working order.
However, while unusable the criminals can make purchases and withdraw money by using the old card kitted out with the new chip.
While the memo does not explain how crooks intercept the cards in the first replace. Krebs suggests that it could be an inside job involving staff working for the US Postal Service, but the thieves may also be targeting company postboxes.
"The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that," suggested Krebs.
"So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated."
It's also not clear whether they also intercept the PIN mailed to the recipient, or exploit current rules in the US enabling them to sign for purchases instead of tapping in their digits at a checkout.
The US has struggled to uniformly roll-out the same kind of chip-and-pin system the UK adopted in 2006, with retailers struggling to process chip card transaction due to out of date software and till systems.
Geoengineering on the sea floor near glaciers would form a new ice shelf to prevent melting
Alterations in capillary blood flow can be caused by body position change
Curiosity rover is in 'normal mode' but not transmitting scientific data back to base
NatWest outage comes a day after Barclays' IT systems shut out customers and staff