6 tactics used by criminals to steal your credit card information

Updated at: Jul 01, 2020
By Gatefy

Man stealing credit card.

The sad thing about credit card information theft is that, most of the time, you'll only discover the fraud days later. That is, when the card has been used one or more times. By the way, this is one of the few signs that you've had your card stolen.

What's worse is that there are several types of scams that are used by criminals to capture your information, such as phishing, formjacking, skimming and even the use of malware and spoofing.

We'll talk more about them in this post. But first I would like to introduce Luhn's algorithm.

How your credit card number is validated

Let's picture the following scene. Imagine you received an email that apparently comes from your bank. The message contains a link and states that you need to update some information, including credit card details. You are in doubt, but click on the link.

The site looks legitimate. To test it, you enter a credit card number different than yours, a number that doesn't exist. The site then says the information is invalid. Now you feel safe and provide the real numbers. And of course, you just fell victim to a scam.

The question that comes up then is: and how did the malicious website manage to check my card numbers? The answer is the Luhn algorithm, which is also known as Mod 10.

This algorithm was created by Hans Peter Luhn in 1954. Luhn was a German computer science researcher and was an IBM employee. The algorithm created by him serves to validate a certain set of numbers.

The model worked so well that it was soon used to generate most credit card numbers. Basically, the algorithm consists of a series of calculations that ultimately needs to get a multiple of 10. That's why it's also called Mod 10.

Unfortunately, cybercriminals got hold of the model, making it work for the dark side of the force. So now bad guys are able to use it to develop more advanced and efficient attacks.

Luhn's algorithm, however, is only used to validate or check credit card numbers. There are other important information on a card, such as the cardholder's name, expiration date, and security code (CSC, CVV, or CVC). This point takes us to the next topic.

6 tactics used to steal your credit card

1. Phishing

Let's start by talking about phishing scams because we already used an example in the post when we created our scene about your bank's fake email.

Phishing remains one of the top threats to the cyber world and one of the most widely used ways to steal credit card information. It happens when cyber crooks try to impersonate a trusted person, brand or company.

The goal is to deceive and persuade the victim. In the vast majority of cases, phishing scams are performed by email. But they can also be done by phone and SMS, and may be called vishing and smishing in these cases.

According to the FBI's Internet Crime Report, phishing scams caused losses of more than USD 57 million in 2019.

2. Malware

Yes, different types of malware can be used to infect your device and capture your credit card information. And you may not even know they are there.

For example, trojan, spyware and keylogger are types of malware that can log your keystrokes or even allow the hacker to access your system, reporting all your activities to him. Malware infections are usually caused by malicious files that arrive via email or are downloaded from suspicious websites in the guise of a legitimate file.

The use of malware in data breaches is present in 17% of cases, according to Verizon's 2020 Data Breach Investigations Report (DBIR).

3. Website spoofing

Website spoofing is a tactic used by criminals, including in phishing scams. It's about creating a fake site that looks a lot like the legitimate one.

Practically everything is copied: the colors, the logo, the menu and even the URL are almost identical.

And how do you access this type of website? Usually by clicking on links that arrive by email or appear on the timeline of one of your social networks. So you think you just won an incredible discount, but it was just a scam to hijack your card information.

The FBI says that, in 2019, there were 25,789 complaints involving spoofing with losses estimated at USD 300 million. By victim loss, it's the third top cybercrime type.

4. Data breach

Hackers can also steal your information by hacking a company that has registered your credit card. Data breaches are much more common than you might think.

Cases that are reported in the media usually involve big business and thousands of exposed data. But what about minor data breaches? Those happen almost daily and nobody knows. Your information might indeed be leaked this way.

According to Verizon, 28% of breaches involved small business victims in 2019. In these cases, the most leaked types of data are credentials, personal data, and internal company data.

5. Formjacking

Formjacking is a type of data breach and can also be called virtual skimming.

It happens when the cybercriminal collects personal information about you directly from an e-commerce platform. That is, from a retailer's website.

It works like this: malicious code is entered into the website and once you make a purchase, your data is intercepted by the hacker. What's worse is that the only person who knows what's going on is the cybercriminal, since you don't know and the store doesn't either.

6. Skimming

Obviously, the internet is not the only way to have your credit card details stolen.

I myself had my card cloned at a gas station in California. I only found out almost a month later, when purchases began to be made in Canada. This type of scam is called skimming.

Skimmers are small devices used to record and capture your credit card information. They are installed on different types of card readers such as ATMs.

My credit card was stolen. Now what?

With your data in hands, the criminal faces two options. The first is to use your personal and confidential information to make purchases online. The second is to sell this information on the black market.

To give you an idea, the value of a credit card on the deep web or dark web can range from an average of USD 15 to 30, and may even cost more depending on the type of information provided. But, let's face it, these are insignificant values in the face of the damage that a card theft can cause.

In the event of theft or if you see any suspicious transactions, notify the card issuer immediately. The sooner you report the event, the sooner the irregular transactions will be investigated and you'll be compensated.

You may also need to check if your computer has been infected with malware (download an antivirus, if you don't already have one, and run it). Plus, you might have been a victim in a data breach, so make sure you change your email and social media passwords.

The website haveibeenpwned.com is a good place to start in order to know if your email account has been compromised.

How to protect my information and my card

Unfortunately, everyone who uses a card is at risk. Therefore, our most important tip for protecting your information is: have control over your transactions. As we said before, the sooner you notice and report a credit card fraud, the better.

Also, take basic general safety measures. This includes using secure internet connections and strong passwords, carefully analyzing URLs and emails, being suspicious of amazing and last minute promotions, and not leaving your card information stored in your browser.

This way, you can now ensure more security for your personal information, including your card. If you have a company and want to better protect your customer data, get to know Gatefy's secure email gateway solution and anti-fraud solution.