[ale] OT: Security code on Credit/Debit cards

Michael H. Warfield mhw at WittsEnd.com
Fri Feb 19 19:33:57 EST 2010


On Fri, 2010-02-19 at 18:50 -0500, Scott Castaline wrote: 
> Got a question for you security and forensic types. My debit card was 
> once again cloned. As a routine I usually check my bank(s) online at 
> night and again in the morning. Last night all was good, this morning I 
> found that I had bought several Crackberrys and a lot of sportswear as 
> well as a surfboard. After spending about 6 hours trying to make sense 
> of it all, all but one company had held the orders as possible fraud. 
> These orders were done online and a few were well known named big box or 
> large shopping centre companies. The big named companies confirmed that 
> all credit info matched including the security code on the back of the 
> card. They also traced the orders back to an IP coming through NYC via 
> Roadrunner's Broadband Service. Ok my questions:

> 1. The number on the back of the card usually a 3 digit number, is that 
> on the magnetic strip?

No.  That would defeat the purpose.  It's for physical verification of
the presence and control of the card.  That's not necessary for swipe
terminals and wouldn't be verified.

> 2. Even with IP and MAC masquerading, is it possible to actually trace 
> it down to the perp?

Probably not.  Not impossible but highly unlikely.  Even with hard
static addresses, it's almost trivial to use a compromised IP address on
a box somewhere half way around the world.  Only reason for even using
one inside the US is to make it look MORE legit.  Orders from Russia or
China for delivery to Detroit would look rather suspicious. 

> 3. Is there also a way to find where the card info was scanned?

If you have never used that card on-line and never entered the CVV
on-line, it could be quite challenging but would have to be somewhere
you've actually used the card.  Most of the time it is accomplished in
the reverse.  You track them down through the merchandise they
purchased.  Often, though, they purchased the card numbers on a site
that sells numbers for a few bucks.  Cards with CVVs are worth more on the
market than ones without but they're still damn cheap.

> Since this is my second time as a victim in less than a year, I would 
> really like to pursue it as far as I can go. Local PD just writes it 
> off, but if I could give them something solid, maybe they might act. I 
> have my suspicions, but posting them would probably make me look racist, 
> which I wasn't, but.... Also in all cases the same name was used address 
> and phone # for delivery. When I google the name (Joanne Salter) I found 
> one person who lives in Great Britain and is a movie production hair 
> stylist, and another one in West Fargo, ND. The address used is in Ulem, 
> MN and the phone number traced as an unlisted number somewhere in IN.

Since the merchandise was destined for MN, that would be my prime
candidate although it could possibly be a mule / drop point.  Since it's
all coming from one, it sounds like common petty crime and not on-line.

Given the description, it does sound like physical card skimming and it
would be someone who did more than just scan your card and hand it back
to you.  I would first suspect anywhere you allowed the card out of your
control (think restaurants and paying your check) would be the prime
candidate.  Check-out lines and registers in stores are much less
likely, although they did catch one person in NY one year double swiping
cards.  They would have to read the CVV number while verifying your
signature.  Fake card readers and fake facades at places like gas
stations are not unheard of but are highly unlikely if they had your
CVV.  You could put a little spot of black paint or tape over the CVV
after noting it to yourself and then never let that card out of your
sight.

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!