How Hacks Happen

Credit Card Fraud: 2024 Update

Many Worlds Productions Season 3 Episode 3

Credit card fraud is on the rise, but not in the usual way: hackers are cobbling together synthetic accounts from real and fake names, addresses, social security numbers, and credit histories. Children's social security numbers are particularly at risk. Find out how it all works, and what you can do to help prevent synthetic account fraud, and help with inflation in the process.

Hey folks, in this episode we’re going to revisit the topic of credit cards. I did an episode on credit card fraud in an earlier season, namely Season 1, Episode 3. This has been by far the most listened-to episode in the entire history of How Hacks Happen, but it was three years ago, and the threat landscape has changed in some pretty significant ways. So I thought it would be worth visiting the subject again.

So let’s take a look at credit card fraud, and what the current threats are. And how you can protect yourself from them. I’m Michele Bousquet, the host of How Hacks Happen, a cybersecurity researcher, author, and teacher who’s passionate about sharing knowledge that can help keep you safe from hackers and scammers.

So let’s get down to it.

Roughly speaking, there are two types of credit card fraud that might affect you directly.

The first kind of credit card fraud happens when someone uses your existing credit card to make purchases. Those are pretty easy to spot. I mean, you know whether you’ve been to Cancun recently, or if you bought a kitted-out Harley from Mary Jane’s Motorcycle Market. All you have to do is check your statement, and make sure you recognize all the charges. If someone else has used your credit card, you can always get the charges reversed, and then cancel that card and get a new one. When someone else uses your card like this, it’s inconvenient to deal with it, but it’s not going to ruin your life.

The second kind of credit card fraud that can affect you personally is when someone steals your identity to open new credit cards in your name. This, you won’t find out about until you start getting nasty letters in the mail about overdue payments. This kind can be pretty awful, because it can go on for months or even years without you knowing. There’s a way to guard against this too, which is basically freezing your credit. And I talk about this a lot in the social security numbers episode. Just freeze your credit and no one can take out credit cards in your name. That’s it.

And even though credit card fraud has been around for decades, it really soared during the pandemic, which probably had an impact on inflation. Because if a merchant has to return money or the credit card company has to absorb some fees, the money is gonna come from somewhere. And that’s usually from higher costs and fees that get passed on to you and me. If you’re upset about the high inflation rates in your country since the pandemic, it’s worth exploring a few ways you can help cut down on this type of fraud, if only to benefit your own country’s economy, and maybe your grocery bill will finally go down instead of up.

You might think that a solution is to institute severe punishments for these fraudsters, but the problem is, it’s usually next to impossible to catch them, especially if it was all done online, or if they’re not in the country where the fraud took place. And even if they do get caught, which is rare, the penalty isn’t terribly severe, maybe a few months in jail. And even then, the money isn’t going to be returned, because it’s already gone.

So having said all that, let’s talk about some other kinds of credit card fraud, ones that may or may not affect you directly. Thieves are doing things like applying for new credit cards, new accounts, with fake names and social security numbers. Maybe the social security number belongs to a child, or a deceased person, or maybe it’s just made up altogether. This is called synthetic account fraud, and it’s currently more popular than just straight-up credit card fraud. In 2024, the total cost of credit card fraud is projected to reach over $10 billion, with synthetic account fraud accounting for more than half of that. I don't know about you, but I can think of better things our economy could do with $10 billion. And while this might not impact your credit score (or your life) directly, it does cost somebody money, whether it’s the merchant who got scammed or the credit card service that had to issue refunds to merchants. And the money to cover this has to come from somewhere, which means higher prices that get passed on to you and me when we go to the checkout counter.

I’ll talk a lot more about synthetic account fraud later in this episode, because it actually can affect you directly. But first, let’s look at what the fraud landscape used to look like, and compare it with the current state of affairs.

In the original episode about credit card fraud three years ago, I talked a lot about skimming and shimming, where a scammer goes to a store and puts a fake plastic cover over a real credit card reader. The cover itself looks a lot like the real thing, but it contains a chip that records all the transactions that go through it. When you swipe or insert your card, the transaction goes through for reals and the store gets their money, but the chip in the cover also captures your credit card information. At some point, the scammer comes back to retrieve the cover and the chip, and walks away with the credit card details of everyone who inserted their card for payment.

The information that the chip gets comes off of the credit card’s magnetic stripe, or off of the chip at the tip of the card. If it pulls the info off the stripe, it’s called skimming. If it pulls it off the chip, it’s called shimming. The fake cover is called a skimmer or shimmer, depending on which type it is.

But there are some pretty serious limitations to skimming and shimming, from a scammer’s point of view. For one thing, the scammer has to physically show up at the business and put the skimmer or shimmer over the card reader. If they’re trying to get enough credit card information to make it worth their while, they’ll need to do this at multiple businesses, and that takes a lot of time. Even after traveling to the business, they might have to wait a few minutes until the cashier isn’t looking, so they can put on the fake cover without the cashier noticing. Plus all these places have security cameras, which makes it even more dangerous. Then they have to come back later and retrieve the cover, again without getting caught. And in the meantime, the skimmer or shimmer might have been discovered and removed from the card reader, in which case the scammer gets nothing.

And in the past few years, many store credit card readers have been updated with tap-to-pay technology, which doesn’t have the same vulnerability. If you tap instead of inserting your card, you can’t get skimmed or shimmed–the transaction is perfectly safe from that kind of scam. This has made skimming and shimming a lot less profitable for scammers than it used to be, so they’ve mostly moved on to other ways to steal credit cards that give them more bang for their buck. You might still see the odd skimmer or shimmer here and there, but the reports are far fewer than they used to be.

So nowadays, credit card fraudsters do it in a way that’s much more convenient for them–they do it remotely!

Step right up, folks! You can now scam from the comfort of your own home! Fire up your Tor browser and buy up a bunch of stolen credit cards. Sell them, trade them, use them to buy a Lamborghini! Use them to open new accounts, and let the money roll in.

Results not guaranteed. Restrictions apply. This is actually illegal and you could go to jail. Offer good wherever credit cards are sold.

Yep, that’s right. There’s a brisk business in stolen credit card information, and it’s not coming from someone stealing information off your physical credit cards, the ones you keep in your wallet. It’s all coming from the world wide web.

The trend for a number of years was for scammers to buy credit card information off of hackers, information that hackers had stolen from businesses by hacking into their databases, where the credit card info is stored. Lots of businesses store credit card information when you make a purchase. The idea is that you won’t have to enter it all every time you pay for something. I’ve noticed that online retailers like Amazon and Walmart seem to have an encyclopedic knowledge of every credit card I’ve ever used, even old expired ones, or ones I’ve closed. And airline websites too, they always have my credit cards on file, so when I buy a ticket I don’t have to enter the information again. And any website where you have a subscription, they have your credit card so they can bill you monthly or annually.

Your credit card information is in a lot of places, and there’s not much you can do about it, except to never buy anything with a credit card, ever. And let’s face it, that’s not happening anytime soon, right? We do like our modern conveniences, our software and subscriptions and convenient packages in the mail.

And many, if not all, of these companies have been breached at some point, whether they know it or not. In the words of some of the greatest experts on this subject, “of the world's biggest firms, there are just two kinds: those that know they've been compromised, and those that still haven't realized they've been compromised.” This came from Dmitri Alperovitch, a former Chief Technology Officer at CrowdStrike. Remember CrowdStrike, the company that provides cybersecurity solutions to thousands of companies around the world? They did have a little implementation blip earlier this year, not a breach, which we covered in Season 2, Episode 13. And this sentiment has been echoed by numerous experts, such as John Chambers, CEO of Cisco, and Robert Mueller of the FBI, too. They say every business has either been hacked or will be hacked.

On top of that, many companies don’t even realize they’ve been hacked! I’ve seen plenty of interviews with hackers who talk about breaching some company’s network just for fun, poking around, maybe stealing some stuff but then deleting it later. Apparently, it’s not that hard to do. So just because you never got a breach notice from a company, doesn’t mean they haven’t been breached. 

With all this in mind, it’s reasonable to assume that your credit card data is already in the hands of some hacker out there, and for sale in some corner of the dark web. And the sooner you approach your personal security efforts as if it is true, the better.

The good news is that credit card processing services like Visa and Mastercard have gotten really good at spotting fraudulent purchases, which has cut down a lot on fraudulent credit card purchases with existing credit cards. These services use sophisticated algorithms, and AI, to look at your spending patterns, and also at the kinds of places scammers are likely to spend money. For example, buying $50 worth of gas and sodas at a truck stop two hours from your home probably won’t raise any eyebrows, while the purchase of a $2000 Gucci purse in another country will probably get flagged.

I’ve experienced this plenty of times myself, on both ends. I once drove to Florida for a girls’ weekend, and my friend and I treated ourselves to a spa day, on my dime. That got me a fraud alert that I needed to respond to. This was pretty understandable, since I hardly ever go to spas, and I don’t live in Florida.

On the flip side, I once got a text asking if this one particular purchase, going on right at that moment in Costa Rica, was actually me. It was just a few dollars at a convenience store. But when I got the text, I was physically in the United States, where I live. I responded, Nope, not me. The credit card company declined the charges, canceled the card, and sent me a new one.

I imagine the credit card company’s algorithm was able to easily detect the fraud because about 45 minutes before someone tried to buy a packet of potato chips and a coke in Costa Rica, I had bought a couple of adult beverages at a bar in New Orleans. Smart, those AI bots, picking up on that. The Costa Rica scammer probably figured a convenience store wouldn’t come up on their radar because it was such a small purchase, but they didn’t take into account that I was out and about with friends, and it was my turn to buy the next round. Sorry, scammer!

Getting these occasional alerts is just a part of life these days. But it also points up one of the things you can do to keep from having your credit card abused: sign up for fraud text alerts. If the charge is legit, you can just answer Yes. And if it’s not, you’ll catch it right away. 

If you have some kind of back-off from signing up for text alerts, I’m going to take a guess and say you use your credit card to pay for some things that are deeply personal, private things, like, say, subscribing to an OnlyFans, or paying for tickets to a Furries Convention, or buying…adult toys online. Or even signing up for a secret rock and roll music camp, where you get to live out your fantasies of being a rockstar. Maybe you don’t want your friends to know about these purchases, but I can assure you that the credit card company doesn’t care. They just want to know that the charge is legit, so they can approve or decline it. Do you think you’re the only one doing these things? Come on. Believe me, they’ve seen it all, and they don’t care.

And most likely, it’s a bot sending you the text notice, not a real person. If you call up to talk about it, then a real person will look it up and see the charge. Otherwise, the bot will just accept your answer. Do you think the bot cares? No, it does not. The bot has no opinions, because… it’s a bot. And employees at credit card companies have better things to do than look for embarrassing or personal purchases so they can snigger over them. Seriously. They have much better things to do.

So that’s the first thing you can do, to combat fraud on your credit card–sign up for fraud alerts via text. The other thing you can do requires a little more work, but it’s definitely worth it. And that’s to check your credit card statements every week, or at least, every month.

If you have more than 5 or 6 credit cards, this can be a lot of work. But you can use a service like RocketMoney.com to aggregate all your credit card transactions in one place. Then you can just page through them, and look for anything that isn’t familiar. This is also a great way to spot subscriptions you’ve forgotten about. RocketMoney even has a service that will detect subscriptions. In previous episodes I’ve talked about Mint.com, but they’re now RocketMoney, and it’s one of the best free services out there for managing your credit cards. They didn’t pay me to say this. I just think it’s a really great service.

Another thing you can do is put the credit card into a wallet app on your phone. All transactions on that card will then show up on your phone, and even send you a notification when there’s a new charge. As long as you check them every few days, you’ll be good.

Because of protections like these, it’s so much easier to detect fraud on an existing credit card than it was a few years ago. And for that reason, fraudsters have turned to a new scam: synthetic account fraud.

A synthetic account is a whole new identity that a hacker creates. They use a combination of real and fake information, combining real credit card numbers, and real or fake names and addresses and social security numbers, to fabricate an identity for a person who doesn’t exist.

An example is taking a real social security number from a child, someone under the age of 18 who doesn’t have any credit history at all, or maybe a deceased person, and combining it with credit card numbers to put together a bogus financial history. Like for example, the hacker could sign up for some retail account, like at Walmart or Target, and put in your credit card as a form of payment for future purchases, without actually using the credit card to buy anything. This makes it look like that fake person actually has control of that credit card.

Then the hacker applies for real credit cards, and actually uses them responsibly for a while. They buy groceries, pay for this and that, nothing major, but they build up really good credit for this fake person.

After a while, boom! The hacker applies for something really big, like a car loan, or a personal loan, or a credit card with a high limit, or even a mortgage. And right after the big payout comes in, you guessed it, they disappear. The bills don’t get paid, but there’s no one to collect from, because that person… doesn’t exist.

Synthetic account fraud actually accounts for the majority of credit card fraud going on today. And that’s a direct result of credit card companies getting better at spotting real credit card fraud, so hackers and scammers had to come up with something. And now, financial institutions and credit bureaus are focusing on better ways to spot synthetic account fraud, like using AI to detect inconsistencies, such as a name that doesn’t match a social security number. And things like applying for a business loan for a business that closed down ten years ago.

Another thing I wanted to point out about synthetic account fraud is that hackers often use children’s social security numbers. In fact, the FTC estimates that around 50% of the social security numbers used in synthetic account fraud are those of children living in the good old US of A right now. 50%!

And synthetic account fraud costs all of us money. For every fake loan, or fake credit given, somebody loses money, usually a company or merchant. And who do you think pays for that? Do you think the CEO reaches into his pocket and covers the losses? Uh-uh. It’s you and me, with higher prices and higher fees. 

For this reason alone, we should all be doing our part to help prevent synthetic account fraud.

It might feel like there isn’t much you can do to help combat synthetic account fraud. I mean, if it’s fake names and social security numbers that you don’t even know about, and they’re not making any bogus purchases on your credit card, how are you supposed to know what to protect?

There actually are a few ways you can do your part, and protect yourself and your family from the fallout.

In the recent episode about social security numbers, I talk about freezing your credit. A freeze makes it impossible for a financial institution to check your credit score, which means they won’t issue new credit in your name, for your social security number. This is a good practice for anyone to follow, but here’s how it extends to preventing synthetic account fraud.

If you have children, you should seriously consider freezing their credit, too. That’s right, freeze your two-year-old’s credit! This will help keep their social security number from being used for synthetic account fraud. It’s even more important if your child is older, like within a few years of becoming an adult. 

Imagine, you’ve done your best to teach your child financial responsibility, and they’re finally old enough to get their first credit card or apply for a car loan. You proudly help them fill out the forms, then boom! You find that their credit score got ruined years before, when some scammer used their social security number to take out 6 credit cards and a car loan for a Ferrari, then skedaddled without paying it off. You can probably clear it up, but it will take a whole lot of letters and phone calls and will be such a pain in the you-know-what. Avoid all this just by freezing your child’s credit. 

Remember, a credit freeze is temporary, but identity theft is forever. Sure, you can deal with the symptoms of identity theft and get your good credit score back, but because that scammer still has all your details, you have to be super vigilant for the rest of your life. Let’s not put our children through that, shall we? Freeze their credit now, and help them avoid being the victim of synthetic account fraud. 

There are also ways to keep hackers from using your personal information as part of a synthetic account. For one thing, stop answering those ridiculous questions and quizzes on social media. That Facebook account with all the fun memes and questions is just mining for your data. They don’t care what your favorite Beatles song is, or your favorite memories from the TV show Full House. They’re just using these questions to find out your age, gender, location, and a bunch of other stuff that they can sell or use to open synthetic accounts.

And while changing your passwords on your random online accounts might not seem to be related to synthetic account fraud, doing this can actually help prevent this type of fraud. Hackers need to gather their semi-true information from somewhere, so they’ll grab it from the websites you belong to. Now, I’m not talking about hackers grabbing credit card information here. It’s more something like your membership to an exercise service, or a forum you belong to where you discuss the best flea treatments for dogs, or any of the other zillions of websites out there. Remember that hackers don’t go around targeting these little websites, but if their hackbots find a website with poor security, they’ll steal the password lists and crack them, and use those passwords to try to log into other sites like banks. And if you use the same password on your dog flea treatment forum and your bank’s website, hackers will use your password to grab your bank account number, to help provide a plausible background for their synthetic account. They probably won’t even steal any money out of your bank account, because you’d notice, and they might get caught. They’ll just use the information to quietly make a more plausible identity.

A good overall practice for keeping your data out of the hands of hackers is an Identity Theft Protection service. I hear a lot about a service called Aura, which has a #1 rating from Forbes magazine. Again, not paid to say this, I just think it’s a great service. There are other ones out there too, and besides monitoring your credit and helping you freeze it, they also provide anti-virus software, and will search around for your identity being used in weird places, and scour the dark web to see if any of your passwords have been compromised.

I hope this episode of How Hacks Happen has made you feel safer and more informed about credit card fraud, particularly synthetic accounts. Hackers are always lurking around out there, but if you know their tricks, you can slow them down and even stop them in their tracks with a few simple actions.

Shout-out to Katie Haze of Katie Haze Productions for producing this episode. Stay safe out there, everyone!