How cybercriminals steal funds from bank cards — and how to protect yourself from such theft

We investigate why chip cards are no panacea, and what precautions should be taken when making a payment.

How to protect funds being stolen from bank cards with a chip and NFC

Payment services have become both more convenient and more secure over recent years — but cybercriminals are still managing to steal funds from cards all around the world. What are the most common methods used for such theft, and how can you counteract them?

Card cloning

When cards only stored information on a magnetic strip, it was quite easy for fraudsters to produce an exact copy of a card and use it for payments in stores and withdrawals at ATMs. At first, the data was read with a special device — a skimmer that was mounted on an ATM or a terminal in a store. This was supplemented by a camera or a special pad on the terminal keyboard to find out the card’s PIN code. Having obtained a card dump and a PIN, fraudsters wrote the data to a blank card and used it at an ATM or in a store.

This technology still works in some parts of the world, but the advent of chip cards has greatly reduced its effectiveness. A card with a chip is not so easy to copy. That’s why criminals started infecting payment terminals with malicious code that copies some data from the card while processing a legitimate purchase. Subsequently, the scammers send cleverly generated payment requests using this information. In essence, they only send data that was previously recorded on the magnetic strip, but label the transaction as being conducted by the chip. This is possible where banks don’t cross-reference various transaction parameters in sufficient detail and incorrectly implement the EMV protocols that all chip-card actions must abide by.

With banks that don’t suffer from such laxity, attackers use an even more sophisticated trick. When the victim makes a legitimate payment, the infected payment terminal requests that the inserted card generates another fraudulent transaction. Thus, the card itself isn’t copied, but extra funds are deducted from it anyway.

How to protect yourself: try to use the contactless payment function on your phone, which is better protected. If you still need to insert a card into a terminal, carefully check the PIN-code panel for suspicious modifications. Also, cover the panel with your hand, purse or other object when entering the code. If the terminal suddenly does not accept contactless payment, unusual messages appear on its screen, or the PIN needs to be entered repeatedly, this is a reason to be suspicious and take additional protective measures. You could, for example, immediately check your account statement, or set a low limit for spending money on the card.

“Bulletproof” wallets
There are RFID-protected wallets and purses available to buy these days, which protect physical cards inside one from being read remotely, for example on public transport. There’s nothing wrong with such protection — it really does work. However, this attack scenario is virtually never used in practice. You can read only basic information from the card during such a quick scan, and that usually isn’t enough for making a payment. At the same time, it’s easy to find out the last locations and amounts of contactless payment, though!

Card data theft via the internet

Here, scammers are after bank-card details so they can make payments online. These usually include the card number, expiration date, and verification code (CVV/CVC); also, depending on the country, the cardholder’s name, zip code, or passport number may also be sought. There are at least three effective ways the scammers collect this data:

  1. Luring it out of the victim by organizing a fake online store, a phishing copy of a real online store, or under the guise of raising money for charity.
  2. Intercepting information by infecting either the web page of the actual online store (web skimmers) or the victim’s computer/smartphone (banking Trojan).
  3. Hacking into a real online store and stealing stored customer payment card information. Note that stores are not supposed to keep the full card information, but this rule is unfortunately sometimes breached.

Overall, this method of theft, though old, is here to stay; for example, according to our analysis, bank-data theft-attacks almost doubled in 2022.

How to protect yourself: first, get a virtual card for online payments. If it’s not too difficult or expensive, have a new virtual card issued and block the old one at least once a year. Second, set a low limit on your online payment card, or just keep a very small amount of money on it. Third, make sure that the bank always requires you to confirm online payments with a one-time code (using 3-D Secure or similar mechanisms). And fourth, carefully check the payment forms and addresses of the sites where you enter financial information. To worry less about this problem, use cybersecurity tools that safely protect online payments.

Old-fashioned card and phone theft

This is the most noticeable and blatant theft method, but it’s still common. Savvy criminals can use cards for online payments by finding an online store that doesn’t require entering additional verification codes. A simpler but no less effective way is to use a stolen card for a contactless payment that doesn’t require entering a PIN. There’s usually a limit for payments made this way, and in some countries after three to five such payments the card is blocked, but in the UK for example, a victim’s losses from this primitive method of theft can easily reach 500 pounds sterling (5 × £100). A phone is always valuable to thieves, and if it has Google Pay enabled, it’s possible to pay even from a blocked one within the allowable payment limit, causing additional loss to the victim.

Security researchers have shown that even if a card is blocked after entering the wrong PIN three times, it’s still sometimes possible to make contactless payments. An attacker could also exchange some data with a blocked phone and then use modified records of that exchange to make one-time fraudulent payments. Fortunately, both attack types have been detected by ethical researchers, so there’s hope that scammers aren’t using these methods yet.

How to protect yourself: it’s best to set relatively small spending limits on cards for daily use. If your bank allows it, you can separately set a low limit for contactless payments. Of course, you should make sure that you can increase the limit quickly should the need arise. Alternatively, you can have a virtual card issued with low limits and link Google/Apple/Samsung Pay to it. If the payment app can be set up to only allow payments from an unlocked phone, do so.

In conclusion, we note that rules are emerging in many countries whereby victims are partially or fully compensated for fraud. To take advantage of this, we recommend you to be careful with any card payments, set up the fastest way to be notified of them (push or SMS), and contact your bank as soon as possible if you see any suspicious transactions.