Card Cloning

What Is Card Cloning?

Credit card cloning or skimming is the illegal act of making unauthorized copies of credit or debit cards.

This enables criminals to use them for payments, effectively stealing the cardholder’s money and/or putting the cardholder in debt.

To do this, thieves use special equipment, sometimes combined with simple social engineering. Card cloning has historically been one of the most common card-related types of fraud worldwide, to which USD 28.65bn is lost worldwide each year – projected to increase to USD 38.50bn by 2023, according to Nilson Report.

How Does Card Cloning Work?

Card cloning is a fairly elaborate criminal scheme. More specifically:

  1. An accomplice is recruited – someone with physical access to credit cards e.g. a cashier, restaurant server etc.
  2. They are given a skimmer – a compact machine used to capture card details. This can be a separate machine or an add-on to the card reader. 
  3. The customer hands their card to the accomplice, as payment.
  4. The accomplice swipes the card through the skimmer, in addition to the POS machine used for normal payment.
  5. The accomplice hands back the card to the unsuspecting customer.
  6. The thief transfers the details captured by the skimmer to the magnetic strip a counterfeit card, which could be a stolen card itself.
  7. The counterfeit card can now be used in the way a legitimate card would, or for additional fraud such as gift carding and other carding.

There are, of course, variations on this. For example, some criminals will attach skimmers to ATMs, or to handheld card readers. As long as their users swipe or enter their card as usual and the criminal can return to pick up their device, the result is the same: Swiping a credit or debit card through the skimmer machine captures all the information held in its magnetic strip. 

Additionally, the thieves may shoulder-surf or use social engineering techniques to find out the card’s PIN, or even the owner’s billing address, so they can use the stolen card details in even more settings.

4 Ways to Prevent Card Cloning 

Strategies deployed by the finance industry, authorities and retailers to make card cloning less easy include:

1. EMV microchips instead of magnetic stripes 

These contain more advanced iCVV values compared to magnetic stripes’ CVV, and they cannot be copied using skimmers.

However, criminals have found alternative ways to target this type of card as well as methods to copy EMV chip data to magnetic stripes, effectively cloning the card – according to 2020 reports on Security Week.

Credit and debit cards can reveal more information than many laypeople might expect. You can enter a BIN to find out more about a bank in the module below:

Free bin lookup!

Enter the first 6 or 8 digits of a card number (BIN/IIN)

Bank Name
···· ····

Text here

Cardholder name
Bank
Brand
Type
Level
Country
Phone

2. Customer profiles

By building customer profiles, often using machine learning and advanced algorithms, payment handlers and card issuers acquire valuable insight into what would be considered “normal” behavior for each cardholder, flagging any suspicious moves to be followed up with the customer.

A simple version of this is a consumer receiving a call from their bank to confirm they have swiped their card in a part of the country they haven’t been active in before. 

3. Educating the public

Making the general public an ally in the fight against credit and debit card fraud can work to everyone’s advantage. Major card companies, banks and fintech brands have undertaken campaigns to alert the public about card-related fraud of various types, as have local and regional authorities such as Europol in Europe. Interestingly, it seems that the public is responding well.

In July 2021, industry insider Elena Emelyanova, Fraud Manager at Wargaming, explained in an episode of our Cat and Mouse Podcast:

People have become more sophisticated and more educated. We have some cases where we see that people know how to fight chargebacks, or they know the restrictions from a merchant side. People who didn’t understand the difference between refund and chargeback. Now they know about it.”

4. Accountability, laws and regulations

Owing to government regulations and legislation, card providers have a vested interest in preventing fraud, as they are the ones asked to foot the bill for money lost in the majority of situations.

For banks and other institutions that provide payment cards to the public, this constitutes an additional, strong incentive to safeguard their processes and invest in new technology to fight fraud as efficiently as possible.

Actual legislation for this varies per country, but ombudsman services can be used for any disputed transactions in most locales, amping up the pressure on card companies. For example, the UK’s Financial Ombudsman received 170,033 new complaints about banking and credit in 2019/2020, by far the most frequent type, going on to state, in their Annual Complaints Data and Insight Report:

We’ve been clear that we expect businesses to apply relevant rules and guidance – including, but not limited to, the CRM code. If complaints arise, businesses should draw on our guidance and past decisions to reach fair outcomes.” 

Is Card Cloning Still a Threat? 

With payment card issuers and networks ramping up security and introducing new technologies, and consumers getting savvier, card skimming is believed to be on the decrease, with counterfeit cards only amounting to 2% of card fraud losses in 2019 compared to 13% in 2010, per a 2020 report by UK Finance.

It seems that the focus has shifted to different methods, such as card not present (CNP) attacks and using NFC technology to obtain the details of contactless-enabled cards.

Nevertheless, this does not mean that card cloning has stopped. For instance, in January 2021 the debit card data of over 500 customers was stolen using card cloning in India. The authorities arrested four men and recovered three credit card skimmers, with which they had made payments of INR 150,000. 

Together with its more recent incarnations and variations, card skimming is and ought to remain a concern for organizations and consumers.

Sources

Nilson Report: Card Fraud Losses Dip to $28.58 Billion

Security Week: Cybercriminals Could Be Cloning Payment Cards Using Stolen EVM Data

European Association for Secure Transactions (EAST): Black Box attacks increase across Europe

Europol: Payment Card Fraud Prevention Alert

Financial Ombudsman Service UK: Annual complaints data and insight 2020/21

Times of India: Card cloning: Data of 500 customers stolen,

UK Finance: FRAUD – THE FACTS 2020

Related Terms

Related Articles

Contact Us for a Demo

Feel free to reach out to us for a demo!