This is the story of a stolen credit card number, money laundering, and how EMV chip technology could have prevented it.
Quick EMV Recap
Two short weeks from today, on October 1, 2015, the payment card industry in the U.S. will change who is responsible for fraud liability. There's a big potential for you to lose money if you are not compliant. You can read my previous in-depth Nuggets about the October 1 EMV deadline and what you need to know about EMV cards.
The summary of those is essentially this:
1. You are supposed to have EMV technology by October 1, 2015, including card terminals and POS software
2. You will be held responsible for a fraudulent purchase if you don't have EMV technology and the purchase was made with an EMV card
3. You will probably have to pay for the upgrade to the EMV technology
EMV Card Issuing Delays
As I've watched the EMV story unfold over the past four years, I've always assumed it would be the U.S. retailers that would drag their feet the longest with regard to replacing their card swipe equipment with the chip readers, but it turns out that the banks are dragging their feet just as much.
Issuing a payment card with a memory chip is more expensive than issuing one with a simple magnetic strip. Not only do banks have to reissue millions of cards, they also have to change the technology in their ATMs. I've been quite surprised by the delays at my own personal bank in reissuing new cards. I have 4 checking accounts with the same bank, only one of which has an associated card with an EMV chip in it as of today. I also have 3 credit cards, none of which have EMV chips as of today.
After October 1, 2015, any bank that doesn't issue EMV cards is accepting the liability for fraud loss. On the other hand, they have been accepting that loss for years, and they use it as a tax deduction.
POS EMV Card Readers
Banks delaying reissuing EMV cards are sending the wrong message to retailers nationwide. If the banks aren't taking this seriously, then why should a retail business? On the other hand, the merchant companies have done a good job of notifying their retailers and deploying new card readers. Of the approximately 13.9 million card readers in the U.S., this infographic shows estimates that at most 7 million will be EMV compliant by the end of 2015.
Are you ready yet? Just give a call to your merchant card processing company to have your machine switched out. Yes, there might be a fee, but that fee will be less than the first loss that you are held responsible for. If you don't want to pay the fee, you could also switch to a different merchant account that will send you brand new, free equipment.
My Personal Card Safety Precautions
I don't often use my debit cards when I travel to France unless I'm withdrawing cash from an ATM. My bank charges me a transaction fee for using the card internationally, so I limit my usage. I have a low limit credit card I use when I travel; it's one of those non-EMV cards that forces me to give a signature at a French retail store when everyone else uses a chip-on-chip transaction with a PIN.
Security cameras and ubiquitous smartphones with cameras have made me wary of holding my credit card out in the open. I consciously obfuscate part of my card number with my hand every time I pull any card out of my wallet. This is just my little protection against someone standing within a few feet of me with a smartphone. I also never allow my cards to be placed out in the open on a counter, where it only takes 1 second for those security cameras and smartphones to get my card numbers.
I use this low limit card like a re-loadable, prepaid card, in that I will pay it off at the end of every week. The credit card doesn't charge me an international transaction fee, making it more attractive for me to use for incidental charges everywhere.
My personal philosophy is that professional hackers will always find a way into any system, but they are more likely to attack larger businesses where the payoff is greater for the same amount of time it takes to do the hacking. Using this one card of mine for small incidental charges at many locations means that I'm more likely to have that card number stolen if one of those places has a data breach, but that's okay since the card has a low limit and the thief won't get away with much.
Just a Few House Essentials
On Saturday, September 12th, my card was declined at the local French store when trying to buy about 100 Euros of groceries. This seemed very odd since I know my payment of $300 had been posted and made available on Friday, September 11th. I tried swiping the card a second time before using another card.
A quick login to my online account and I see that my card is back at its limit again, but not by my doing. There were several charges for $54.19 at three different Kroger retail stores in Houston, Texas from Friday, September 11th that maxed the card out. Naturally, I called the card company to tell them of the fraud and cancel the card. They already knew I was in France, so it's pretty easy to dispute in-store purchases taking place in Texas.
Cyber criminals are always trying to figure out quick schemes to turn stolen credit card numbers into cash or merchandise. If you do a Google search for "money laundering process with stolen credit cards," you'll find several detailed methods of how stolen cards have been used to buy merchandise from retail stores that is then shipped out of the U.S. for resale again. However, law enforcement has figured out how to track and intercept this type of money laundering, forcing criminals to add a few extra levels of laundering.
One laundering tactic is to use a stolen card number to purchase pre-paid debit cards or other chain store gift cards. Those cards can then be used to purchase products from retail stores or perhaps even withdraw the cash from an ATM.
For this to work the cyber-criminals need a way to produce a plastic card with a magnetic strip. Then they need a "runner" to physically go to the store and buy the pre-paid cards and the retail products.
I found it odd that there would be multiple purchases for $54.19 on my card at different Kroger grocery stores. What does a grocery store sell that would be of interest to a criminal, yet have an identical cost at different stores? The more I thought about this, the more I realized I was looking at multiple purchases of $50 face value pre-paid gift cards with a $4.19 purchase and activation cost. This is a perfect example of money laundering.
This laundering process relies on the low security magnetic strip along with a signature. European retailers have been using the EMV technology since the 90s, making them a less attractive target for cyber-criminals, since they wouldn't be able to recreate the data on the chip nor would they have access to the PIN that activates the chip. Thus my card was probably part of a data breach at a large U.S. retailer.
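The reasoning above, turned into a statement check, as an added example that is not part of the original article: it flags same-day charges of one identical amount at several stores of one merchant when that amount equals a common prepaid face value plus a small fee. The list of face values, the fee cap, the store labels and the 83.27 and cafe rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Assumed values, not from the article: common prepaid face values and a fee cap.
FACE_VALUES = [Decimal(v) for v in ("25", "50", "100", "200", "500")]
MAX_FEE = Decimal("7.00")

# Constructed sample statement rows: date, merchant, store label, city, amount.
SAMPLE = [
    ("2015-09-11", "KROGER", "store-A", "Houston TX", "54.19"),
    ("2015-09-11", "KROGER", "store-B", "Houston TX", "54.19"),
    ("2015-09-11", "KROGER", "store-C", "Houston TX", "54.19"),
    ("2015-09-10", "CAFE", "store-1", "Paris FR", "12.40"),
    ("2015-09-11", "KROGER", "store-A", "Houston TX", "83.27"),
]

def gift_card_split(amount):
    """Return (face_value, fee) if amount looks like a face value plus a small fee."""
    for face in FACE_VALUES:
        fee = amount - face
        if Decimal("0") < fee <= MAX_FEE:
            return face, fee
    return None

def flag_gift_card_runs(transactions, min_stores=2):
    """Flag same-day, same-merchant, same-amount charges spread across stores."""
    groups = defaultdict(set)
    for date, merchant, store, _city, amount in transactions:
        groups[(date, merchant, Decimal(amount))].add(store)
    alerts = []
    for (date, merchant, amount), stores in sorted(groups.items()):
        split = gift_card_split(amount)
        # An ordinary grocery basket rarely repeats to the cent across stores.
        if split and len(stores) >= min_stores:
            alerts.append({"date": date, "merchant": merchant, "amount": amount,
                           "stores": sorted(stores), "face_value": split[0],
                           "fee": split[1]})
    return alerts

if __name__ == "__main__":
    for alert in flag_gift_card_runs(SAMPLE):
        print(alert)
```

On the sample rows this raises one alert, for the three 54.19 charges, split into a 50 face value and a 4.19 fee.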
From Data Breach To Fraud
I imagine that it takes a few months, at least, from the time a cyber-criminal hacks and acquires card numbers to the time the cards are used for fraud. I'm also aware that the cyber-criminals that hack into systems usually offload those card numbers through underground internet sites rather than using them directly. There's then a process of manufacturing the cards one at a time and getting them into circulation. In other words, the people using stolen card numbers in the stores are two or three levels removed from the hacker who stole the numbers in the first place.
With this time frame in mind I was able to go back through my card statements from the last 24 months and quickly find all the large retailers that might have had a data breach. Here's that list:
- Chevron gas 11/2013
- Enterprise Rent-A-Car 11/2013
- Sunoco gas 12/2013
- Home Depot 12/2013
- Wal-Mart 5/2015
- AMC Movie Theaters 6/2015
- A&P Grocery Stores 6/2015
Of the listed retailers, the only one with a known data breach at the time of this writing is Home Depot, but the time frame of that data breach has been reported as April or May 2014, not December 2013 when I used the card there.
I didn't use my card at any other large U.S. retailers from December 2013 through May 2015 until my purchase at Wal-Mart. So my thoughts here are that the Home Depot data breach extends back much further than reported, or we are about to hear that either Wal-Mart, AMC, or A&P (which recently filed for bankruptcy) have experienced major data breaches.
Fraud Responsibility Shift
Let me return to the topic of the EMV cards and responsibility shift. My card number was used in-person at a few Kroger stores in Texas, which means someone created a fake card to use in a card swipe machine. I assume I won't be held responsible for the transactions, and it's very possible that Kroger will lose the money. Kroger will have to submit proof of my signature on their credit card slips, which obviously won't match my signature. They will then be held accountable for the financial loss.
However, let's fast forward the clock by a few weeks to after October 1, 2015. Assuming Kroger has EMV card readers installed in their stores, this would be a situation where the card issuer is at fault. Since my card doesn't have an EMV chip the liability falls on my card company, and they would lose money, not Kroger.
How This Affects You
If you don't already have an EMV card reader, it's time to get that done. In this Nugget I also explained a little bit about money laundering and how merchandise is purchased and shipped overseas. The "runners" who make these in-person purchases know which local retailers don't cross reference IDs or signatures, so the best way to remove yourself as a target for purchase fraud is to institute a requirement to check ID and signatures from now on. You might think it's a hassle to require this extra step at the point of sale, but it will help prevent a financial loss if and when someone uses a stolen card in your store.