Scammers are intercepting debit cards through the mail in order to steal the card chips as part of an elaborate fraud scheme bent on draining the bank accounts of large corporations.
According to a letter obtained by independent security researcher Brian Krebs, the US Secret Service told various banks that the crooks are swapping the chips from corporate-issued debit cards with old chips and then sending the tampered cards on to the companies. They then install the new chips on old cards, and when the company activates the card, the chip in the criminal’s possession is turned on, giving them access to business bank accounts.
The payment card sent to the company is inoperable because of the old chip, so there’s only a small window of time that the crooks can carry out their activities before the companies notice a problem.
“The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated,” Krebs explained.
It’s unclear how the fraudsters are able to intercept the mail; Krebs postulated that the letter carriers or other postal employees are accomplices or that the thieves are stealing the letters directly from corporate mailboxes.
“Either way, this alert shows the extent to which some thieves will go to target high-value customers,” Krebs noted.