8

I have a bank account that I never use. Someone cloned my debit card and used it to buy something in Brazil in order to make sure the cloning was successful, then they started making transactions of £10 until they sucked everything out of the account. The account had a little bit over £50; the bank refunded the money straight away as I don't even use the card.

The question is: how did they manage to clone my card if I don't use it? Yes, it's in my pocket all the time, but I never use it to make payments, nor do I check my balance at the ATM.

The only thing I can think of is that I recently spent a lot of time in the mosque, where someone could sit next to me and, like in movies, use a device to clone my card. Is such technology available?


Anders
Ulkoma
  • What sort of card is it? It might be possible to get details from a [contactless](https://en.wikipedia.org/wiki/Contactless_smart_card) card that are sufficient to create a magnetic-stripe-only clone. Contactless cards in my locale all have a four-concentric arc symbol on them. – RedGrittyBrick Jun 27 '16 at 13:19

2 Answers

10

If your debit card has an NFC chip on it (the "tap to pay"), it's possible. This presentation discusses two methods. One is skimming an NFC card and using the recovered data for making Card Not Present transactions online. The other is called a "pre-play" attack, where "future transactions" are skimmed from the card in your pocket, and used to make purchases before you use the card again. Ironically, you might have stopped some of these if you had used your card before the attacker had the chance to commit fraud.

Because it's possible, does that mean it's likely? Hard to say. But if it was in fact a case of NFC skimming, then you live, work, and pray very near someone who might target you again. Consider keeping your NFC cards in an RF-blocking wallet, or leaving them at home. Since it sounds like you rarely use them, this shouldn't alter the convenience factor much.

The good news is that your bank protected you from losses related to the theft, and that you don't have to worry too much about it.

John Deters
0

In addition to the above reference you should also consider "RNG" (Random Number Generator). The first 6-8 digits on every debit/credit card are considered a BIN range, and vary per financial institution. Fraudsters will use an RNG to generate the remaining numbers and conduct an online test transaction to see if the card number is valid. If so, they will use "CNP" (Card Not Present) transactions to drain the account dry or sell the card numbers off to a 3rd party so they can create a cloned card and conduct ATM withdrawals with a mass number of cards at one time, which is usually done in a fraud ring.

Joe
    This answer makes no sense at all. Credit card numbers are generated using the Luhn algorithm, meaning they have a checksum as the final digit so you can't simply generate everything but the BIN with an RNG. Additionally, CNP transactions require the use of the CVV2 and AVS verification, so numbers alone get you nowhere. That aside, use in a machine or ATM requires stripe data which you can't get from a CNP transaction, so once again, the scenario you've presented simply doesn't make sense. – Xander Aug 30 '16 at 20:30
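
The Luhn check digit mentioned in the comment above, shown as an added example (not part of the original answer or comment): a validator of the kind a payment form runs before contacting the processor, plus two helpers that measure what the checksum does and does not catch. The function names are hypothetical and the sample numbers are published test values, not real accounts.

```python
def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Spaces and hyphens are ignored; any other non-digit rejects the input.
    Length is not enforced here; a real form would also check it.
    """
    cleaned = pan.replace(" ", "").replace("-", "")
    if not (cleaned.isascii() and cleaned.isdigit()):
        return False
    total = 0
    # Walk from the rightmost digit; double every second one.
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def count_valid_last_digits(prefix: str) -> int:
    """How many of the 10 possible final digits make prefix+digit valid."""
    return sum(luhn_valid(prefix + str(d)) for d in range(10))


def single_digit_errors_detected(pan: str) -> bool:
    """True if every one-digit substitution in a valid number fails the check."""
    for i, ch in enumerate(pan):
        for d in "0123456789":
            if d != ch and luhn_valid(pan[:i] + d + pan[i + 1:]):
                return False
    return True


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"  # published test number, not a real card
    print("valid:", luhn_valid(test_pan))
    print("valid with last digit changed:", luhn_valid("4111111111111112"))
    print("final digits that pass:", count_valid_last_digits("411111111111111"))
    print("all typos caught:", single_digit_errors_detected("79927398713"))
```

Passing this check only screens out mistyped or arbitrary digit strings; whether a number belongs to a real account is decided by the issuer at authorization.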