Buying A Stolen Credit Card Is Like Picking Out Candy

NPR shows just how easy it is for crooks to buy thousands of stolen credit card numbers and convert them into useable credit cards using a simple desktop setup.

An FBI agent walks them through a website that’s basically an eBay for stolen credit card numbers. In order to get access, he had to provide two existing members with two different files of 50 credit card numbers and get them to write a positive review of how well they worked.

Once inside, he could buy and sell thousands of credit card numbers in the blink of an eye. After buying a number, it was a snap to get it onto a working credit card and go on a Toys R’ Us-style mad dash of a shopping spree.

The central device is the MSR-206, a swipe gadget that reads and writes to any magnetic card strip. A quick search showed it available from a multitude of online retailers for under $600.

Just incredible. In making an instrument that’s easy for everyone to use, the credit card companies have also created a financial access tool that’s very easy to steal. It’s scary how easy it is for your credit card number to be stolen, resold, and embedded on a new card, and how little credit card companies are doing to stop it. For them, the profits of having a really easy card more than offset the credit card theft losses. Good for them, but a maddening hassle for the consumer who has to dispute the charges and clean up their ruined credit.

How To Buy A Stolen Credit Card [NPR: Planet Money]


  1. Blueskylaw says:

    That mansion I’ve been dreaming about doesn’t seem so far away anymore.

  2. StutiCebriones says:

    Is that really an RS-232 port? What decade are we in again?

    • Fremen9 says:

      For many applications a simple RS232 port is good enough and easier to set up/use programmatically than a USB port. If you don’t need the speed and power of USB, why use it? It’s like saying you should always use a jackhammer when a smaller hammer will suffice.

    • TheGreySpectre says:

      RS-232 is still extensively used in enterprise. It is a very easy interface to program for and debugging is 1000x easier when you have one.

  3. Power Imbalance says:

    Why bother going to an eBay-like site for stolen CCs when you can just get a job as a waiter and go nuts!

    • Oranges w/ Cheese says:

      We found out that my boyfriend had been returned someone else’s card this weekend. Luckily she realized and cancelled her card but we didn’t realize until we tried to use it to buy lunch.

      Also, she paid for our dinner apparently. We think it got switched at the bar beforehand and he paid for dinner with it later that night without noticing. Now we feel bad :(

      • KaralynK says:

        I work for a credit card company in fraud claims. This happens more often than you might think. If you feel bad about it, report it to the company on your end too and they can switch the charges to the correct accounts. At least at my company they can’t do it if both cards aren’t reported as having “fraud”.

  4. Lethe says:

    Aren’t most credit and debit cards moving towards chip cards? All of my bank accounts and credit cards sent me new cards last year. I thought they were supposed to be safer.

    • ShruggingGalt says:

      We are still years away from that in the United States, and Canada is en route, but their merchants also have a few years before they must get the new equipment….

    • LoadStar says:

      In the states, “chip and pin” is virtually unheard of. The big thing here is contactless. Many cards have RFID (Radio Frequency ID) chips built in, and things are rapidly building towards NFC (Near Field Communication) on cell phones being the next big thing.

      I don’t think I’ve ever seen a merchant here in the states that has a chip reader, and the last card that I had that had a smart chip embedded was the AmEx Blue card, and they replaced that with an RFID card many years ago. I know some banks are now starting to distribute chip cards again, but that’s mostly for use outside the US.

      • bluevideo says:

        For what it’s worth – all Wal-Mart cash registers (no exception) have Ingenico EMV-compatible credit card terminals. Just that the EMV part is currently inactive, and you have to look for it since there’s no logo or whatnot to show you where it is (it’s in the “heel” of the unit, in the middle).

        Wal-Mart has been actively fussing to get EMV more widespread in the US as they have no interest in going with RFID. Then they could activate their EMV readers by a (software) flick of a switch.

  5. says:

    How “scary” is this really? Credit card companies will waive the charges as soon as you realize your card or card number has been stolen. Sure, it might be a hassle to resolve, but it won’t exactly cost you a fortune to fix.

    • Murph1908 says:

      It will eventually, and does already a little.

      Someone has to eat that cost, whether it be the credit card company or the merchant. If this problem escalates, the cost of doing business for the merchant or the CC company will rise, and we’ll feel the effects in higher costs, fees, or other ways.

  6. crashfrog says:

    The problem here is that any security measure that prevents a single theft will result in a hundred people being blocked from a legitimate use of their card.

  7. Annoyed says:

    Is there anyone that wasn’t aware of this? This will never end no matter what is done. Let’s use the wasted money from the war on drugs to the war on cyber theft. I’m moving to Ghana

  8. shepd says:

    Before anyone cries out that we shouldn’t be selling those to the general public, you can copy a magstrip with a piece of paper and an iron (and some water).

  9. kella says:

    I’ve had both credit and debit cards stolen before. I stick to using and carrying credit cards more now because my liability is lower, but I’ve never had to pay a penny. I really would prefer to avoid complex systems for accessing my money. I certainly don’t want recurring online payments to get more complex (and I would imagine systems that allow for that can easily be tricked to use a stolen card, in fact any online payment system probably can).

    There must be some way to add security (PINs for credit purchases might be a good start, but difficult to implement in situations like restaurants).

    It took a couple of calls to get Chase to drop some charges before, and certainly if you don’t watch your statement closely you could get burned, but I’ve never had my credit damaged by a stolen card.

    As for ‘new’ cards, the chips don’t provide any security, if it’s a bank in the U.S. it’s probably just ‘PayPass’ (put your card near the reader and it scans it). Europe uses Chip & PIN, but that’s a different user experience from swipe & sign.

  10. tundey says:

    I think if you are diligent with your finances, especially credit card bills, you’ll catch all fraudulent charges before they make it to your credit. Even if your cards are compromised, you’ll catch the charges on the next bill and report it stolen.

  11. It's not fun. It's not funny. says:

    Ban desktops!!!!

  12. esc27 says:

    Seems like credit card theft is almost a victimless crime. Customers are shielded and card companies just write off the loss.

    • Cerne says:

      Except those losses get passed on to merchants who pass it on to us consumers. Theft is never a victim-less crime.

    • The Twilight Clone says:

      What ignorance.

      • RecordStoreToughGuy_RidesTheWarpOfSpaceIntoTheWombOfNight says:

        What daring! What outrageousness! What insolence! What arrogance!

    • morpheus4356 says:

      Kind of like punching someone in the dark.

    • bluevideo says:

      I’d also like to know how much in resources the FBI, Secret Service, and other anti-fraud units nationwide are wasting on tracking criminals which, if the banks didn’t have such an open barn door, wouldn’t have their lives be THIS easy.

      This is one reason why the EU and Canada twisted their banks’ arms to switch to EMV… and the EU’s thinking of moving to ban the magstripe altogether.

  13. midwestkel says:

    I like how the FBI gave them 50 credit cards numbers (I know they were all set up, but how do we really know?)

  14. Quake 'n' Shake says:

    Good for them, but a maddening hassle for the consumer who has to dispute the charges and clean up their ruined credit.

    I realize this site is not called, but still, let’s not forget the merchants too. They’re the ones who give up the money to the bank when a disputed charge is legitimate.

  15. JiminyChristmas says:

    I have twice had credit cards cloned; one was a Discover, one was a Bank of America VISA. The cards themselves never left my possession, so the thieves must have gotten the numbers and made cards with them.

    However, in both cases (one was in Tennessee, the other in Florida – I don’t live in either of those places) the thieves were foiled at the point of sale. They offered the card for payment, it was declined, and no charges ever posted to my account. The respective banks closed the accounts and reopened new ones for me.

    The NPR article makes it sound like you buy some numbers, get the right gear, and go shopping. Based on my experience, either some credit card fraudsters aren’t very good at it or it’s not actually that simple.

  16. RubyRedJess says:

    My card got skimmed and 1 hour later they were withdrawing hundreds of dollars from a bank 20 miles away. It’s amazing how fast they can get you.

    • Supes says:

      Wait…. you know the time your card was skimmed? Usually it’s pretty impossible to figure out, could be almost any restaurant (or ATM, or place you used the card).

      If you knew and an hour later money was withdrawn, I’d say it’s just as much your fault for not reporting it right away (and I mean that literally… the second you found out).

      • Papa Midnight says:

        Well, depending on the number / volume of charges on your account – especially because most post with a timestamp which is easily checked at your online banking merchant portal – the difficulty in determining when and where something happened can vary greatly.

      • RecordStoreToughGuy_RidesTheWarpOfSpaceIntoTheWombOfNight says:

        Unless he found out through an investigation after the fact. Because, you know, that can happen.

  17. psm321 says:

    Watch this be fought by making magnetic strip writers illegal without a license….

  18. YouDidWhatNow? says:

    Just write “SEE ID” on the back of your CC instead of signing it and you’ll be safe.


  19. perfectly_cromulent says:

    I work in the fraud department at a large bank, and I’d beg to differ with those last few statements. We hate fraud. We hate how easy it’s become for people to steal your card numbers. They are working on changes, but it’s more than just us who have to change. If we change the way the cards work (which is in the works) merchants will have to change how they accept them, and so on.

    Also, just dealing with a stolen card#, not identity theft, does not affect your credit. We know it’s not your fault and that is not held against you. Fraud charges are credited, fees are reversed, and this shouldn’t get reported to credit agencies. Yes, it’s a pain of paperwork and getting a new card, but it’s not nearly as much of a hassle as ID theft.