PCI council releases third-party security assurance guidance

Financial institutions were reportedly warned in a memo by the U.S. Secret Service of a new scam whereby thieves intercept debit cards in the mail, remove their chips and replace them with older or invalid ones, and begin using the stolen chips when their rightful owner activates the sabotaged card.

Security blogger Brian Krebs reported the scheme in an Apr. 5 blog post, noting that the perpetrators don't simply use the stolen cards as is because "presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated."

According to Krebs, the criminals are targeting cards sent to larger corporations because they obviously have access to more funds. The crooks separate chips from their cards using a heat source that warms the glue, and place them into an older payment card. The stolen card receives a replacement chip that does not work, and is repackaged and sent along to the intended recipient, which activates the card, thinking nothing is unusual. At this point, the thieves can begin emptying the victim company's account.

Krebs says the Secret Service memo does not indicate the point in the mail process where the criminals are taking possession of the cards. "It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly," Krebs writes. "Either way, this alert shows the extent to which some thieves will go to target high-value customers."