Q: How can thieves steal a brand new credit card I’ve never used?
A: Anyone with a debit or credit card has likely experienced the troubling fraudulent transaction notification, which leads to wondering what they did to make it happen.
The obvious assumption is that a recent transaction with a compromised retailer or an unscrupulous employee used a card skimmer to capture the card details.
Many retailers or restaurants are falsely accused of being responsible for the compromise because a fraudulent transaction was reported immediately after the transaction was made with them.
Your situation, where the card was never used, clearly shows why jumping to conclusions about a recent transaction can be wrong.
Massive rate attacks
There is a form of “card cracking” in which computers and online bots guess your card number, expiration date, or the three-digit CVV (card verification value) on the back.
Let’s start with the 16-digit card number, which may be difficult to guess, but you don’t have to guess all the numbers.
The first 6 digits denote the card network and issuing bank, which is clearly explained online. Look at your credit cards and you will see that a Visa card begins with a 4. Mastercard starts with a 5 and American Express starts with a 3.
Knowing which numbers are standard and which need to be guessed, the cyber thieves set up large online bots that can send small transactions using the guessed numbers to thousands of e-commerce websites to see which ones will be accepted .
Because of this, one often hears about a massive scam that only targeted customers of a specific bank.
Another way their guesses are made is by compromising a less secure credit card processing system that gives them the ability to run thousands of transactions per second to quickly discover legitimate card numbers.
Known credit card numbers can also be purchased from the dark web to bypass the need to guess them in the first place.
Once they have determined legitimate card numbers, the rest is quite easy from a mathematical point of view.
The expiry date is one of the easiest to guess as the date is only up to 5 years or 60 different values. Your 3-digit CVV only has 1000 possible combinations, which is nothing considering bots can transmit thousands of transactions in a very short time.
I recently chimed in on a message from Arizona alerting a large number of Wells Fargo customers (including a close relative) to an attempted fraudulent transaction with an incorrect expiration date.
A small computer shop in Alabama attempted to process 560,000 transactions in the middle of the night, with many of the transactions being rejected due to an incorrect expiration date.
The thieves clearly obtained a list of valid credit card numbers from Wells Fargo customers in the Phoenix area and used the small Alabama store’s credit card processor to conduct their massive guessing program.
Until the credit card industry changes their current methods, this very effective method of cracking cards will continue to be a nuisance to all of us.