If by “hacked” you mean known to and/or used by an attacker (hacker), credit cards can be “hacked” in a number of ways. I think they can be broken down into three main attack vectors.
- Attacks against the credit card user (e.g. you)
- Attacks against institutions that manage credit cards and personally identifiable information (PII) (e.g. your bank, a physical or online store)
- Hybrid attacks (e.g. an attacker learns sensitive information from you and opens a credit card in your name)
Let’s discuss potential attacks for each one of those scenarios.
Attacks against the credit card user
- Physical attacks. These take advantage of the card data stored visibly on the card or on the mag strip.
  - Steal your card from your backpack
  - Steal credit card data from a contactless bank card/NFC card with a proximity reader
  - Take a picture of your card
  - Add a skimmer at the gas station pump
  - Dumpster dive and take documents you threw away with card information or PII on them
- Social engineering. These take advantage of our trust in other humans and desire to avoid confrontation.
  - Send you a fake email from your bank asking for your bank credentials
  - Call you under the pretext that they’re your bank and need your credit card info
  - Sell you a fake raffle ticket at a street fair and take your card info when you “purchase” it
- Virtual attacks. These take advantage of the fact that we use our credit cards on our computers.
  - You accidentally download a virus that monitors what you type
  - You accidentally download ransomware that requires you to provide a credit card to unlock your system
Attacks against institutions that manage credit cards and personally identifiable information (PII)
- “Hack” a store that you shop at (e.g. an online store or a brick-and-mortar store). These attacks are outside of your control and require that the companies invest in good security programs.
  - Through various methods they gain access to the point-of-sale (POS) systems and virtually “skim” credit cards from the system
  - Or they gain access to a database with credit card numbers
Hybrid attacks. These take advantage of information they learn from you and from a third party.
- An attacker learns your credit card number from hacking your local store and then calls you under the pretext that they’re your bank. They try to social engineer the card security code (CVV) from you so they can make charges.
- “Hack” your service provider and learn PII. An attacker can take this information and open a credit card in your name. Again, this is outside of your control and requires the company to invest in service desk security education.
  - This is often a social engineering attack against your cell phone company or utility company where an attacker tries to learn PII about you. E.g. “I’m now living at 1234 fake ave, what address do you have on file for me?” “I have a green card, you shouldn’t have an SSN for me, what do you have?”
This is a short overview of how credit cards are “hacked”.
Takeaways: There are many ways for your card to be stolen. Often your card-issuing bank will send you a new card if they notice fraudulent charges. All you can do is monitor your statements and credit reports and be vigilant when using a card. Shred sensitive documents. Always initiate sensitive communication with your bank yourself: go to their website instead of clicking the email link, and call them instead of providing info to people calling from your bank. Don’t be afraid of confrontation if you feel your personal information is at risk: “Sorry, I didn’t request a call. I’ll find your number on your website and give you a call.” “I don’t feel comfortable providing this information.”
There are probably many more ways to be safer, but it’s about changing the way you think, and your behavior will change with it. Do not implicitly trust sources. Verify them.