Do they also randomly try out expiration dates? It seems like this would be difficult to accomplish in an economical manner, but who am I to say. I'm too busy earning money the old fashioned way...

Wow. Seems to me that the thieves are getting better and better and our regulatory system is getting worse.

at some point, it seems like it would just be easier to mug people.

@Flame: This wouldnt really fall on "regulatory systems" per se (I never get to say per se, thanks!). MC, Visa and Amex have to work on this. The stop gap they have in place is charging merchants a prime rate for doing a transaction where the card is key entered vs swiped. Something along the lines of 3.5% interchange fee vs. 2.0% for swiped.

Furthermore, banks dont really care about credit card fraud, they lose much more on bad debts.

@CRNewsom: Yeah, seems pretty crappy that merchants can accept a credit card with the number only. What happened to entering a CVV2 or the exp date?

Next up: 24 digit card numbers, and perhaps some letters thrown into the combination.

@m4ximusprim3: True, but who has the time to mug enough people to buy a big screen TV? I know I don't!

You use to able to get software from hacking sites that would generate working CC numbers with expiry dates for just about any bank in the country. I really only remember it because I did one of my senior papers on computer hacking and CC fraud and demonstrated it to my Prof. who, the very next day, had me demo it for the RCMP who were playing with the idea of finding charges to lay.

It's frightening how easy it is to pull off.

This wouldn't be a problem if they would just implement a PIN on credit cards like with debit cards- but thats a dumb idea. :)

This sounds like an overly complex procedure. Maybe it isn't very widespread.

I don't see how a store clerk can be dumb enough to miss the fact that numbers are glued on.

I wish that a photo id would be required for all in store credit card transactions.

@johnarlington: What makes you think that the average cashier could distinguish a fake ID from a real one if they cannot tell the numbers were glued onto a card.

/It's much easier to punch the numbers yourself than trying to glue them on.

@RvLeshrac: Exactly. Unless the clerks are in cahoots with the the criminals.

It's easier that it sounds, considering that credit card numbers follow a pattern.
Also, when I worked retail, we were trained to spot this kind of thing. Usually, tampered cards are kind of obvious.

@Beerad: Parts of me would be okay with that, it would prevent me from being able to memorize my credit card number, making online purchases much more difficult. hehe.

@homerjay: This was one thing that I found very refreshing when I took a recent vacation to New Zealand & Australia. When you use a Visa or Mastercard in those countries they have you enter a PIN on a keypad (like a debit machine) instead of simply signing a statement. Since I knew I had a PIN on my Visa it was very easy for me to use it there. You can sign a printed copy of a statement if you don't have a PIN or in situations like restaurants where you might pay at your table, but the vast majority of the transactions are done using PIN's. Unfortunately a lot of cashiers recognized my American accent and promptly printed out a receipt for me to sign rather than asking for me to enter my PIN but still I really liked the idea of the PIN.

@e-gadgetjunkie: Especially since the algorithms for verifying credit card numbers can be found on the internet through a quick Google search. It would take even a neophyte programmer just a few minutes to write a program to generate pages of potential numbers.

@e-gadgetjunkie: Tampered cards are usually easy to spot much in the same way that fake dollar bills are usually easy to spot. The dumb criminals will always get caught, but they aren't the ones that I'm really worried about.

If it's feasible to "try credit cards until one works", then something's broken.

If the reporter doesn't specifically know this is happening, and it just making it up as they go along, then there's no story.

Another point in the article that has been so far been missed in the comments is that this scam also works for credit cards that you think you have cancelled.

There needs to be a Federal Regulation that requires that when you cancel a credit card that it is REALLY COMPLETELY CANCELLED and can never be used again.

so basically it's a brute-force attack on credit cards.

@sohmc: You don't have to rob that many people to get a flat screen tv! Just rob the guy who buys the flat screen tv. Cut out all the middle men.

@johnarlington: I was thinking about photo ID and cards the other day, oddly enough while watching a Captial One advert. You know the series where you get to choose the picture on the card. Well I wondered if instead of using a picture of war kittens you used a passport picture of yourself maybe even with "check I'm the guy paying" written next to it.

Then I vaguely remembered that I was sure some banks in Europe issued cards with your picture on as a matter of course but can't remember their names.

Then I remembered the Consumerist article the other day about Student ID cards being debit cards as well but not many people seemed to like those.

Seems like the perfect scam for OCD meth heads with alot of time on their hands...

@madanthony: Ha.

"That card didn't work? No prob! I've got a whole box here, one is bound to have enough to get that flat screen."

@missdona: Agreed.

@RvLeshrac: Yeah, and also that the card now has holes in it.

Is this an urban legend? Like the police warning in FL about the jenkum? It is very unlikely that this happened the way they said it did. You first get your number. You have to find a credit card which matches the right brand of card you want to make as well as being marked with the first four digits of the number. Then shave off the digits. Then get numbers that match the new card you want to make. You then affix them to the "new" card, making sure to line them up perfectly as the human eye can pick up slight misalignments. Then you have to color the numbers so they match the original, which includes the four in the hologram black. I would believe this more if they took card blanks, printed what the card should look like, affix that to the blank, then punched the numbers using a letter punch.

@Mr. Gunn: Once you understand the algorithm, I'd say you've got a 2:3 chance of hitting a valid one. As long as your expiration date you enter is before the actual one, many systems used to just accept it and move on. Not sure how true this is today, but this is how it used to work.

If you a cashier (or at least occasionally use the cash register), you should check credit card. Most fakes are easy to tell, just by paying attention. Also, UV machine is great beside the cash, since all credit cards have images/letters visible under UV light only.

I'm not really buying the idea that crooks can churn through 16 digit numbers until they find one that works. I am a merchant and there's no way I can process a transaction without keying in a CORRECT expiration date. I can't imagine that it's all that different for large merchants.

@sir_eccles: I got a card made w/ a picture of me and my now ex. One of the first times I used it, I was asked for my photo ID b/c I wrote that on the back, even though she saw my face on the front, and my ex was sitting next to me at the time. I give that waitress props.

@timmus: Well it's a little easier than just random 16 digit numbers; the first six digits is always the issuer code, and there's an algorithm that you can use to check for valid numbers (even if not necessarily actual accounts).

"Try out 16 digit numbers"?

Ok, even if we drop the checksum digit and the prefix digit, that's still a pool of 100,000,000,000,000 potentially valid visa numbers. Unless there's an easy and very fast method of testing a credit card number that I'm not aware of, I think they're doing something other than random guessing.

@DadCooks: I wonder, if when you decide to cancel a card, you could tell them that the card was lost/stolen and not to bother issuing a new card. If they think the card was lost/stolen they'll cancel it permanently but then 99.9% of the time they'll automatically issue you a new card w/ a new number. If you can prevent them from doing that then you should be fairly safe. Of course that's a very big "if".

@FLConsumer: How did you calculate 2:3 chance?

@esd2020: As the article indicated, the first 12 digits of most cards identify the bank that issued the card. I'm sure with a bit of Google searching you could easily find some examples of those first 12 digits for various banks.

On top of that, the checksum algorithm used for veriifying credit card numbers is well known and can be found through a few minutes of searching. Using that algorithm and a little bit of computer programming you can easily whittle down that list of 100,000,000,000,000 potential numbers to a much smaller pool.

@DadCooks: That's the best idea I've read in a while.

@IphtashuFitz: I think the article is wrong about the first 12 digits. Wikipedia says that, at most, the first 6 digits are a bank identifier.

And the checksum algorithm doesn't magically whittle down the list -- it just means that you can ignore the last digit (since it can be calculated from the other digits)

@homerjay: Yeah, but then the criminals would just go from one location to another trying various combinations of PINs until they found the right one to match the number they spent weeks figuring out.

I know I'm anal but I check my credit card and bank accounts online every day. I spotted a fraudulant charge last year the day it posted, and had it reversed the next day, about 25 days before I would have gotten the statement.

@e-gadgetjunkie: "It's easier that it sounds, considering that credit card numbers follow a pattern.
Also, when I worked retail, we were trained to spot this kind of thing. Usually, tampered cards are kind of obvious. "

i feel so much safer in knowing that my last line of defense against credit card fraud is a pimply kid or underachieving adult making minimum wage at a retail outlet cashier's stand.

i have the simplest solution of all... never get issued a credit card, and pay all of your bills late so as to ruin what little credit you've accumulated.

there's nothing for thieves to steal, and your credit is unable to sustain someone who steals your identity.

@sohmc: Really, it's a different skill set. You're either a 'smash and grab' sort of thug or a 'shave and glue'. Mugging just isn't an option for the latter folk.

@oakie: Whose manager probably doesn't care either. I once had some girl passing a bad check on my register, and I KNEW it was a stolen check(work in customer service, you get a gut). She used the "My friend has my wallet out in the car, etc.." excuse and I airphoned the booth, and no one wanted to get up to go outside to get her license plate number as I watched her jogging to a car and then take off. After that, you kind of stop caring. Unfortunately.

As far as trying out the numbers ahead of time, I believe a crook could just go online and try a bunch of different expiration dates until he/she finds the one that works. Also, some receipts will print the fill credit card number, so all you'd really need to do is:
1.) Find a receipt with a full credit card number
2.) Buy a couple gift cards with generic coloring.
3.) Find a credit card with generic coloring.
4.) Carefully, carefully put the new card together.
5.) Use internet retailers to systematically find the expiration date.
6.) Add the correct expiration date to the card.
7.) Go to a big box-type store where Minimum Wage Joe doesn't give two craps whether your card looks legit or not.

@IphtashuFitz: The problem with that system is that with some implementations, you're the one who's liable for fraud if a PIN is used. I think this is the case in England. So if your PIN is stolen somehow you're on the hook for all the fraud.

I don't believe that the expiration date is that important. I've been conducting an experiment (a la Frank Abagnale's expired ID experiment) since the recent flurry of articles about credit cards and how insecure they are.

I recently received a replacement to my old expired credit card. I've been using it unactivated, and unsigned for about three months, and the only thing that has stopped me was an incorrect CVV2 number (for online orders). I've given incorrect expiration dates and I've had no problems so long as the date is in the future.

Not one clerk has questioned the lack of signature (though one guy said, "oh, you don't sign your cards," before he swiped it). I've also not signed receipts - I either leave them blank, make a line or a bunch of dots on receipts/card readers. Many places don't even ask for a signature anymore.

The only real defense I see is to check my accounts online daily.

@mbprice: I believe it's federal law that they can't print more than 4-6 numbers on the receipts anymore, especially if it's an account number.

The retailer I work with requires a manual imprint of any card that does not swipe and has to be entered manually. I've only had this happen twice with my current company. The first time, the customer completely freaked out and accused me of mangling her card. The second time, I realized that someone had cleaned out "unnecessary stuff" from our wrap desk and that the manual swipe machine was missing. So I haven't bothered with it since then.

When a retailer actually enforces their policies, it can stop most of these fraudulent credit cards from being accepted at the point of sale.