Scam Watch: Credit Card Shaving

Have you heard of “credit card shaving”? In this version of credit card fraud, thieves try out 16-digit number sequences until hitting one that works. Then they take gift cards from stores, shave off the digits, and glue them onto a credit card. They scratch the magnetic strip so the clerk has to enter the credit card number by hand. It’s apparently all the rage in Portland. There’s no defense against it except to monitor your statement for suspicious charges.

Credit card scam requires no credit card [The Oregonian] (Thanks to Ellis!)
(Photo: Getty)

Comments

  1. CRNewsom says:

    Do they also randomly try out expiration dates? It seems like this would be difficult to accomplish in an economical manner, but who am I to say. I’m too busy earning money the old fashioned way…

  2. Flame says:

    Wow. Seems to me that the thieves are getting better and better and our regulatory system is getting worse.

  3. m4ximusprim3 says:

    at some point, it seems like it would just be easier to mug people.

  4. Wormfather says:

    @Flame: This wouldn’t really fall on “regulatory systems” per se (I never get to say per se, thanks!). MC, Visa and Amex have to work on this. The stop gap they have in place is charging merchants a prime rate for doing a transaction where the card is key entered vs swiped. Something along the lines of 3.5% interchange fee vs. 2.0% for swiped.

    Furthermore, banks don’t really care about credit card fraud, they lose much more on bad debts.

  5. hypnotik_jello says:

    @CRNewsom: Yeah, seems pretty crappy that merchants can accept a credit card with the number only. What happened to entering a CVV2 or the exp date?

  6. Beerad says:

    Next up: 24 digit card numbers, and perhaps some letters thrown into the combination.

  7. mike says:

    @m4ximusprim3: True, but who has the time to mug enough people to buy a big screen TV? I know I don’t!

  8. UNSTOPPABLE says:

    You used to be able to get software from hacking sites that would generate working CC numbers with expiry dates for just about any bank in the country. I really only remember it because I did one of my senior papers on computer hacking and CC fraud and demonstrated it to my Prof. who, the very next day, had me demo it for the RCMP who were playing with the idea of finding charges to lay.

    It’s frightening how easy it is to pull off.

  9. homerjay says:

    This wouldn’t be a problem if they would just implement a PIN on credit cards like with debit cards- but that’s a dumb idea. :)

  10. AlteredBeast (blaming the OP one article at a time.) says:

    This sounds like an overly complex procedure. Maybe it isn’t very widespread.

  11. RvLeshrac says:

    I don’t see how a store clerk can be dumb enough to miss the fact that numbers are glued on.

  12. I wish that a photo id would be required for all in store credit card transactions.

  13. CRNewsom says:

    @johnarlington: What makes you think that the average cashier could distinguish a fake ID from a real one if they cannot tell the numbers were glued onto a card.

    /It’s much easier to punch the numbers yourself than trying to glue them on.

  14. missdona says:

    @RvLeshrac: Exactly. Unless the clerks are in cahoots with the criminals.

  15. e-gadgetjunkie says:

    It’s easier than it sounds, considering that credit card numbers follow a pattern.
    Also, when I worked retail, we were trained to spot this kind of thing. Usually, tampered cards are kind of obvious.

  16. CaptainSemantics says:

    @Beerad: Parts of me would be okay with that, it would prevent me from being able to memorize my credit card number, making online purchases much more difficult. hehe.

  17. IphtashuFitz says:

    @homerjay: This was one thing that I found very refreshing when I took a recent vacation to New Zealand & Australia. When you use a Visa or Mastercard in those countries they have you enter a PIN on a keypad (like a debit machine) instead of simply signing a statement. Since I knew I had a PIN on my Visa it was very easy for me to use it there. You can sign a printed copy of a statement if you don’t have a PIN or in situations like restaurants where you might pay at your table, but the vast majority of the transactions are done using PIN’s. Unfortunately a lot of cashiers recognized my American accent and promptly printed out a receipt for me to sign rather than asking for me to enter my PIN but still I really liked the idea of the PIN.

  18. IphtashuFitz says:

    @e-gadgetjunkie: Especially since the algorithms for verifying credit card numbers can be found on the internet through a quick Google search. It would take even a neophyte programmer just a few minutes to write a program to generate pages of potential numbers.

  19. teh says:

    @e-gadgetjunkie: Tampered cards are usually easy to spot much in the same way that fake dollar bills are usually easy to spot. The dumb criminals will always get caught, but they aren’t the ones that I’m really worried about.

  20. Mr. Gunn says:

    If it’s feasible to “try credit cards until one works”, then something’s broken.

    If the reporter doesn’t specifically know this is happening, and is just making it up as they go along, then there’s no story.

  21. DadCooks says:

    Another point in the article that has so far been missed in the comments is that this scam also works for credit cards that you think you have cancelled.

    There needs to be a Federal Regulation that requires that when you cancel a credit card that it is REALLY COMPLETELY CANCELLED and can never be used again.

  22. madanthony says:

    so basically it’s a brute-force attack on credit cards.

  23. lore says:

    @sohmc: You don’t have to rob that many people to get a flat screen tv! Just rob the guy who buys the flat screen tv. Cut out all the middle men.

  24. sir_eccles says:

    @johnarlington: I was thinking about photo ID and cards the other day, oddly enough while watching a Capital One advert. You know the series where you get to choose the picture on the card. Well I wondered if instead of using a picture of war kittens you used a passport picture of yourself maybe even with “check I’m the guy paying” written next to it.

    Then I vaguely remembered that I was sure some banks in Europe issued cards with your picture on as a matter of course but can’t remember their names.

    Then I remembered the Consumerist article the other day about Student ID cards being debit cards as well but not many people seemed to like those.

  25. econobiker says:

    Seems like the perfect scam for OCD meth heads with a lot of time on their hands…

  26. Jetts says:

    @madanthony: Ha.

    “That card didn’t work? No prob! I’ve got a whole box here, one is bound to have enough to get that flat screen.”

  27. @missdona: Agreed.

    @RvLeshrac: Yeah, and also that the card now has holes in it.

    Is this an urban legend? Like the police warning in FL about the jenkum? It is very unlikely that this happened the way they said it did. You first get your number. You have to find a credit card which matches the right brand of card you want to make as well as being marked with the first four digits of the number. Then shave off the digits. Then get numbers that match the new card you want to make. You then affix them to the “new” card, making sure to line them up perfectly as the human eye can pick up slight misalignments. Then you have to color the numbers so they match the original, which includes the four in the hologram black. I would believe this more if they took card blanks, printed what the card should look like, affix that to the blank, then punched the numbers using a letter punch.

  28. FLConsumer says:

    @Mr. Gunn: Once you understand the algorithm, I’d say you’ve got a 2:3 chance of hitting a valid one. As long as your expiration date you enter is before the actual one, many systems used to just accept it and move on. Not sure how true this is today, but this is how it used to work.

  29. Parting says:

    If you are a cashier (or at least occasionally use the cash register), you should check credit card. Most fakes are easy to tell, just by paying attention. Also, UV machine is great beside the cash, since all credit cards have images/letters visible under UV light only.

  30. timmus says:

    I’m not really buying the idea that crooks can churn through 16 digit numbers until they find one that works. I am a merchant and there’s no way I can process a transaction without keying in a CORRECT expiration date. I can’t imagine that it’s all that different for large merchants.

  31. @sir_eccles: I got a card made w/ a picture of me and my now ex. One of the first times I used it, I was asked for my photo ID b/c I wrote that on the back, even though she saw my face on the front, and my ex was sitting next to me at the time. I give that waitress props.

  32. @timmus: Well it’s a little easier than just random 16 digit numbers; the first six digits is always the issuer code, and there’s an algorithm that you can use to check for valid numbers (even if not necessarily actual accounts).

  33. esd2020 says:

    “Try out 16 digit numbers”?

    Ok, even if we drop the checksum digit and the prefix digit, that’s still a pool of 100,000,000,000,000 potentially valid visa numbers. Unless there’s an easy and very fast method of testing a credit card number that I’m not aware of, I think they’re doing something other than random guessing.

  34. IphtashuFitz says:

    @DadCooks: I wonder, if when you decide to cancel a card, you could tell them that the card was lost/stolen and not to bother issuing a new card. If they think the card was lost/stolen they’ll cancel it permanently but then 99.9% of the time they’ll automatically issue you a new card w/ a new number. If you can prevent them from doing that then you should be fairly safe. Of course that’s a very big “if”.

  35. esd2020 says:

    @FLConsumer: How did you calculate 2:3 chance?

  36. IphtashuFitz says:

    @esd2020: As the article indicated, the first 12 digits of most cards identify the bank that issued the card. I’m sure with a bit of Google searching you could easily find some examples of those first 12 digits for various banks.

    On top of that, the checksum algorithm used for verifying credit card numbers is well known and can be found through a few minutes of searching. Using that algorithm and a little bit of computer programming you can easily whittle down that list of 100,000,000,000,000 potential numbers to a much smaller pool.

  37. qwickone says:

    @DadCooks: That’s the best idea I’ve read in a while.

  38. esd2020 says:

    @IphtashuFitz: I think the article is wrong about the first 12 digits. Wikipedia says that, at most, the first 6 digits are a bank identifier.

    And the checksum algorithm doesn’t magically whittle down the list — it just means that you can ignore the last digit (since it can be calculated from the other digits)

  39. bhall03 says:

    @homerjay: Yeah, but then the criminals would just go from one location to another trying various combinations of PINs until they found the right one to match the number they spent weeks figuring out.

  40. AD8BC says:

    I know I’m anal but I check my credit card and bank accounts online every day. I spotted a fraudulent charge last year the day it posted, and had it reversed the next day, about 25 days before I would have gotten the statement.

  41. oakie says:

    @e-gadgetjunkie: “It’s easier than it sounds, considering that credit card numbers follow a pattern.
    Also, when I worked retail, we were trained to spot this kind of thing. Usually, tampered cards are kind of obvious.”

    i feel so much safer in knowing that my last line of defense against credit card fraud is a pimply kid or underachieving adult making minimum wage at a retail outlet cashier’s stand.

  42. oakie says:

    i have the simplest solution of all… never get issued a credit card, and pay all of your bills late so as to ruin what little credit you’ve accumulated.

    there’s nothing for thieves to steal, and your credit is unable to sustain someone who steals your identity.

  43. anatak says:

    @sohmc: Really, it’s a different skill set. You’re either a ‘smash and grab’ sort of thug or a ‘shave and glue’. Mugging just isn’t an option for the latter folk.

  44. @oakie: Whose manager probably doesn’t care either. I once had some girl passing a bad check on my register, and I KNEW it was a stolen check(work in customer service, you get a gut). She used the “My friend has my wallet out in the car, etc..” excuse and I airphoned the booth, and no one wanted to get up to go outside to get her license plate number as I watched her jogging to a car and then take off. After that, you kind of stop caring. Unfortunately.

  45. mbprice says:

    As far as trying out the numbers ahead of time, I believe a crook could just go online and try a bunch of different expiration dates until he/she finds the one that works. Also, some receipts will print the full credit card number, so all you’d really need to do is:
    1.) Find a receipt with a full credit card number
    2.) Buy a couple gift cards with generic coloring.
    3.) Find a credit card with generic coloring.
    4.) Carefully, carefully put the new card together.
    5.) Use internet retailers to systematically find the expiration date.
    6.) Add the correct expiration date to the card.
    7.) Go to a big box-type store where Minimum Wage Joe doesn’t give two craps whether your card looks legit or not.

  46. Buran says:

    @IphtashuFitz: The problem with that system is that with some implementations, you’re the one who’s liable for fraud if a PIN is used. I think this is the case in England. So if your PIN is stolen somehow you’re on the hook for all the fraud.

  47. Xerloq says:

    I don’t believe that the expiration date is that important. I’ve been conducting an experiment (a la Frank Abagnale’s expired ID experiment) since the recent flurry of articles about credit cards and how insecure they are.

    I recently received a replacement to my old expired credit card. I’ve been using it unactivated, and unsigned for about three months, and the only thing that has stopped me was an incorrect CVV2 number (for online orders). I’ve given incorrect expiration dates and I’ve had no problems so long as the date is in the future.

    Not one clerk has questioned the lack of signature (though one guy said, “oh, you don’t sign your cards,” before he swiped it). I’ve also not signed receipts – I either leave them blank, make a line or a bunch of dots on receipts/card readers. Many places don’t even ask for a signature anymore.

    The only real defense I see is to check my accounts online daily.

  48. @mbprice: I believe it’s federal law that they can’t print more than 4-6 numbers on the receipts anymore, especially if it’s an account number.

  49. Amelia Subverxin says:

    The retailer I work with requires a manual imprint of any card that does not swipe and has to be entered manually. I’ve only had this happen twice with my current company. The first time, the customer completely freaked out and accused me of mangling her card. The second time, I realized that someone had cleaned out “unnecessary stuff” from our wrap desk and that the manual swipe machine was missing. So I haven’t bothered with it since then.

    When a retailer actually enforces their policies, it can stop most of these fraudulent credit cards from being accepted at the point of sale.

  50. nutrigm says:

    I’m sure they will have this up at instructables and break it down step by step. lol

  51. jeff303 says:

    @IphtashuFitz: Not to mention that a lot of companies’ idea of “hiding” the number is to show only the last 4 digits (i.e. “Your Visa card ending in 1234”). In other words, to display the four digits that would ordinarily be the most difficult to crack. Granted, showing the first 4 wouldn’t be particularly useful but showing the last 4 is downright irresponsible.

  52. Maulleigh says:

    Great. Everything old is new again.

  53. @AlteredBeast: Yeah, why wouldn’t you just put the random numbers in on an internet shopping site?

  54. @oakie: Once I caught one and the feds sent me $50 and a nice letter about how pimply kids like me were an important part of the defense against fraud.

    Okay, okay, I wasn’t pimply in high school. Just had bad hair.

  55. Grrrrrrr, now with two buns made of bacon. says:

    I vote for the PIN number idea.

  56. theczardictates says:

    When you close a credit card or store charge card account, the magic words are to insist on a “hard close”. This is the industry jargon to really shut the acct completely — otherwise they just leave it “passive” in case they can persuade you to reactivate it.

    I’m kinda surprised that this hasn’t been mentioned on a site like this already…

  57. Craig says:

    This is either an urban legend or an early April Fools gag.

  58. Snakeophelia says:

    I just got back from a trip to Melbourne. EVERY SINGLE PERSON to whom I handed my credit card, from ritzy hotel clerk right on down to the dude working at the 7-11 (yes, they’re everywhere there) asked for a photo ID when I used my card. Also, every single one of them held on to my card until after I had signed the receipt, so they could compare the two signatures. I was there 10 days and was using my corporate or personal card at least six times a day. No one let me slide by. If they can be serious there about asking for ID, why can’t we?

  59. MBZ321 says:

    I’m sorry but this just doesn’t seem feasible. I work as a cashier at a grocery store, and while we can manually enter card numbers, you also need the correct expiration date. And if they’re handing me something that didn’t scan through automatically you’re gonna be damn sure I’m going to check BOTH sides of the card.

  60. Craig says:

    @IphtashuFitz: If the first 12 digits really do identify the bank then that means each bank can only issue 10,000 credit cards. I don’t think so.

  61. mac-phisto says:

    this is known as bin probing & it’s a growing problem in the cc industry. basically, certain merchant codes are allowed to pass thru a charge w/o an approval under what’s known as the “floor limit”. if the number hits an active bin (bank id number), then it can slip thru.

    here’s the thing: the number doesn’t even need to correspond to an actual card for it to be processed. nice, huh?

    banks have certain chargeback rights in these circumstances, but many times the amount of the charge (& the fact that the charges almost always originate from foreign countries) dictates that nothing is done with it. either way, the bank either eats the cost of the transaction or the cost of processing the chargeback.

    & as the article states – really the only way to catch this is to review your statements.

  62. diamondmaster1 says:

    @johnarlington:

    A complete and total change on the part of the American public would have to occur for that to happen smoothly with all transactions, starting with the Rabid Privacy Freeaks (RPFs) who are so paranoid that they believe you can memorize all of their ID info with just a glance.

  63. FLConsumer says:

    @esd2020: Just my own experience in analyzing and playing with the algorithms. I don’t know the exact algorithms (that’d take the fun out of it), but I’ve got a good idea of what they look like, similar for the checksum. Now, the CVV code appears to be a random #. Haven’t found a pattern to those YET.

    But you also have to keep in mind that I could “randomly” come up with Windows 95/98 product key #’s in about 5 tries. Treat it like Chess or a good crossword game and you’ll start to see the patterns.

  64. Mr. Stupid says:

    Why wouldn’t the clerk notice that the name that pops up doesn’t match the name on the card?

  65. MissTic says:

    what ever happened to the credit cards with the user’s photo on them?

  66. thebrave says:

    I know it’s a French technology and some Americans have a grudge against French people, but… here we only use “smart cards” (right word? cards with a microchip) and it is impossible to manually enter a card number even if swiping the card is still possible for foreign cards.

    It’s not much expensive, and latest chips can use real, proven public key cryptography. Furthermore, following accidents with the yes-card several years ago, use of certificates is now mandatory.

    To sum up: you can’t clone or fake them. Why everyone is not using them ?

  67. kromelizard says:

    @danger42:
    Names don’t pop up when manually entering a card number.

    The reason cashiers won’t catch it is because most people don’t care enough about their security to bother being inconvenienced. It seems like 1 in 3 cardholders don’t even sign their cards, and that’s literally the only security you’ve got if your card is stolen. It’d take a determined retailer to force that many people to sign their own cards. Really, it doesn’t take a rocket scientist to figure out that what is potentially lost to a chargeback does not match what you lose to sales possibly turned away by hassling consumers who neither understand nor really care about the security of their card.

    So, you take a card, don’t bother looking at it, get an authorization and a signature, take an imprint if you have to, and write off the occasional problem with a disputed transaction as the cost of doing business. Because harping on proper credit card procedures will just turn away more legitimate business than the fraud it will protect the retailer from.

  68. RvLeshrac says:

    @IphtashuFitz:

    Yeah…

    I got in trouble like that when I was 14.

    Today, things are a little more difficult. Still not impossible.

    ————————–

    In the interest of open security:

    1) The first 4-6 digits of a card number identify the lender. (Chevy Chase Bank, Chemical Bank, Bank of America, Capital One, etc.)

    2) CVV1 and CVV2 are not uncrackable. It is entirely possible and plausible for a card number generator to calculate CVV1 and CVV2.

    3) Through the magic of phone sex, obtaining the expiration date is easy. Phone sex lines use automated card processing, and will not process without a correct date. The use is obvious. The only solution for this is to have single-attempt failover to an operator.

    4) (This is the tricky part today) Most mail/web-order merchants now *require* that the billing address be correct, if not the shipping address. If neither address matches, the merchant will either decline the purchase or request confirmation from the card provider, which is why you’ll sometimes get a call from your credit card company asking you about recent purchases. It used to be that you would simply have your “acquired” merchandise shipped to a vacant house, but that rarely works now.

    In a nutshell, much more difficult to actually have things shipped to you using a fake card – which is why the in-store methods are becoming more popular.

    Of course, with the greatly increased penalties over the years, in addition to the increased security measures, credit card theft is actually *less* common than it was years ago – regardless of what you’re constantly hammered with by the card providers.
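Added example, not part of the original post or any comment: the thread describes two patterns a processor can see in its own logs, many keyed numbers under one bank identifier that mostly decline (the "bin probing" of comment 61) and one card retried with different expiration dates (comments 45 and 68). The sketch below flags both; the log layout, field names, card tokens and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Auth = namedtuple("Auth", "time source bin token expiry mode result")

# Constructed sample authorization log, not real data. Columns: time, terminal,
# BIN, card token (never the full number), expiry as entered, entry mode, result.
SAMPLE_LOG = """\
2008-03-20T10:00:05 term-17 400000 tok-a1 0909 keyed declined
2008-03-20T10:00:50 term-17 400000 tok-a2 0909 keyed declined
2008-03-20T10:01:40 term-17 400000 tok-a3 0909 keyed declined
2008-03-20T10:02:15 term-17 400000 tok-a4 0909 keyed declined
2008-03-20T10:03:00 term-17 400000 tok-a5 0909 keyed approved
2008-03-20T10:03:30 term-17 400000 tok-a6 0909 keyed declined
2008-03-20T10:04:00 term-03 400000 tok-c4 1110 swiped approved
2008-03-20T10:05:00 term-03 510000 tok-c5 0409 keyed declined
2008-03-20T10:05:40 term-03 510000 tok-c5 0409 keyed approved
2008-03-20T11:00:00 web-02 400000 tok-b9 0608 keyed declined
2008-03-20T11:00:20 web-02 400000 tok-b9 0708 keyed declined
2008-03-20T11:00:45 web-02 400000 tok-b9 0808 keyed approved
2008-03-20T12:00:00 term-21 400000 tok-d1 0310 keyed declined
2008-03-20T12:30:00 term-21 400000 tok-d2 0310 keyed declined
2008-03-20T13:00:00 term-21 400000 tok-d3 0310 keyed declined
2008-03-20T13:30:00 term-21 400000 tok-d4 0310 keyed declined
2008-03-20T14:00:00 term-21 400000 tok-d5 0310 keyed declined
"""

# Assumed thresholds; real values would be tuned against normal traffic.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_CARDS = 5       # distinct cards keyed at one source under one BIN
MIN_DECLINE_RATIO = 0.8      # share of those attempts that were declined
MIN_DISTINCT_EXPIRIES = 3    # different expiry dates tried for one card

def parse(log):
    """Turn the whitespace-separated log into time-sorted Auth records."""
    rows = (line.split() for line in log.splitlines() if line.strip())
    return sorted(Auth(datetime.fromisoformat(r[0]), *r[1:]) for r in rows)

def sliding(events, span):
    """Yield each run of time-sorted events that fits inside `span`."""
    start = 0
    for end, ev in enumerate(events):
        while ev.time - events[start].time > span:
            start += 1
        yield events[start:end + 1]

def bin_probing(events):
    """(source, BIN) pairs keying many distinct cards that mostly decline."""
    groups = defaultdict(list)
    for ev in events:
        if ev.mode == "keyed":
            groups[(ev.source, ev.bin)].append(ev)
    flagged = set()
    for key, evs in groups.items():
        for win in sliding(evs, WINDOW):
            cards = {e.token for e in win}
            declined = sum(e.result == "declined" for e in win)
            if (len(cards) >= MIN_DISTINCT_CARDS
                    and declined / len(win) >= MIN_DECLINE_RATIO):
                flagged.add(key)
    return flagged

def expiry_guessing(events):
    """Card tokens presented with several different expiry dates in one window."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.token].append(ev)
    return {token for token, evs in groups.items()
            if any(len({e.expiry for e in win}) >= MIN_DISTINCT_EXPIRIES
                   for win in sliding(evs, WINDOW))}

if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    print(bin_probing(records), expiry_guessing(records))
```

In the sample, term-17 and tok-b9 are flagged, while the single same-expiry retry on tok-c5 and the keyed declines spread over a shift at term-21 are not.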

  69. RvLeshrac says:

    @thebrave:

    They’re still not immune to theft, and the infrastructure comes at no small expense.

    Merchants in the US are slowly moving towards using them, but it will take quite a while. Keep in mind that there are far more people and far more businesses here.

  70. mariospants says:

    I dunno. I’m sceptical… nobody’s gonna get rich off of this scheme unless he or she is buying stuff from people who aren’t running the numbers properly through the system. Nobody’s gonna be able to buy a TV set without the exp date at the very least. That + 16 numbers is suspiciously impossible to guess. Likely these folks are stealing numbers from their friends who work in stores and then using those numbers at stores and hotels where their friends work.

  71. smileyeagle1021 says:

    for this whole coming up with random number bit… not necessarily that hard to do… mainly because it’s not so random. A lot of companies that have online and phone order will have a ghost credit card number that they use in training and testing… get a hold of that and you can get whatever you want on the company’s dime… I however would not suggest this technique because about the only way to get those numbers is either work for the company or know someone who does, which does make it a lot easier to be tracked back to you (i know this because I had a coworker who was caught doing just that).