Crooks Use Card Tumbling Programs to Guess Your Number

High-speed card tumbling trick is latest route to credit card fraud: Internet Scambusters #788

Card tumbling is the latest high-tech tactic used by scammers to literally guess your credit card number by trying every option.

In this week’s issue we’ll tell you how it works and who is most at risk from this crime.

We also have a warning about fake donations to churches that can turn out to be very costly.

Let’s get started…


It used to be that with credit card fraud, a thief had to know your credit card number. But now, thanks to lax security on some websites, they can guess it through a process called card tumbling.

Think of how a safe-cracker listens to the tumblers falling into place as he shifts the dial back and forth.

Card tumbling works pretty much the same way. Scammers try every possible permutation of a card holder’s number until they get the right one.

In a recent incident, they fired 23,000 numbers on a single website until they hit the jackpot.

They use fast computers and mathematical programs called algorithms to perform these multi-thousand-number checks in a matter of minutes or even seconds. All they need is a name, any name chosen at random, to run their card tumbler.

The organization concerned, a charity, received a bill for more than $8,000 from its transaction handler. In other words, every time the crooks tried a number, the charity was charged a transaction fee.

And, of course, once the crooks get the right number, they go on to max out the credit card. They use the stolen card number to buy expensive items like electronics, which they then sell online.

Card tumbling succeeds because some organizations, notably charities and other non-profits, have limited security on their websites, which allows people to try as many credit card numbers as they like.

Retailers, especially the big ones like Amazon, won’t allow you to keep inputting numbers until you get a hit.

Lessons of Tumbling

What are the lessons that card tumbling teaches?

First, if you run a business, charity or any other organization that processes transactions through a website, clamp down on crooks’ ability to make unlimited attempts at entering a card number.

Speak to whoever provides your transaction software about curbing what’s called in the industry “excessive carding.” This can be done by limiting the number of attempts that can be made before the shopper is locked out and the transaction voided.

There are ways for crooks to get around this, which we won’t go into here, but they would have to adapt their tumbling algorithms, which likely would be just too much trouble.

If the software provider is not the same as your transaction handler, speak to the handler about setting up alerts or imposing their own block on multiple carding attempts.
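One way to implement the attempt limit and alert described above, as an added example rather than code from Scambusters or any payment provider. The thresholds, the `CardingGuard` class and the choice to key on a client identifier such as an IP address or session are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict, deque

MAX_DECLINES = 3        # assumed policy: declines allowed per client per window
WINDOW_SECONDS = 600    # assumed sliding window
LOCKOUT_SECONDS = 3600  # assumed lockout duration


class CardingGuard:
    """Tracks declined card attempts per client and locks out repeat offenders."""

    def __init__(self):
        self.declines = defaultdict(deque)  # client -> times of recent declines
        self.locked_until = {}              # client -> time the lockout ends

    def allow(self, client, now):
        """Call before sending a charge to the transaction handler."""
        return now >= self.locked_until.get(client, 0)

    def record(self, client, now, approved):
        """Record the handler's result; return True if it triggers a lockout."""
        if approved:
            return False
        q = self.declines[client]
        q.append(now)
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()                     # forget declines outside the window
        if len(q) >= MAX_DECLINES:
            self.locked_until[client] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False


def replay(attempts):
    """Replay (time, client, approved) tuples; return (sent, blocked, alerts)."""
    guard, sent, blocked, alerts = CardingGuard(), 0, 0, []
    for t, client, approved in attempts:
        if not guard.allow(client, t):
            blocked += 1                    # voided locally: no handler call, no fee
            continue
        sent += 1
        if guard.record(client, t, approved):
            alerts.append((t, client))      # hook for notifying staff or the handler
    return sent, blocked, alerts


# Constructed sample: one client tumbling once a second, plus a donor who mistypes once.
SAMPLE = sorted([(t, "203.0.113.7", False) for t in range(20)]
                + [(5, "198.51.100.2", False), (40, "198.51.100.2", True)])
```

On the constructed sample, only three of the tumbler's twenty attempts reach the transaction handler and incur a fee, while the donor who mistyped once is unaffected.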

The sad fact is that charities and non-profits are not only the most vulnerable to this crime, they’re also the ones that can least afford the consequences.

Fortunately, in the case reported above, the transaction handler rescinded the $8,300 fee, but you can’t count on yours to be as understanding. There’s no legal requirement for them to do so because, from their point of view, they had to process each one of the attempted transactions.

Consumer Perspective

From a consumer perspective, the lesson is to realize that credit card fraud is not just down to the many huge data breaches we’ve been reading about in recent months.

There are all sorts of other ways for crooks to get hold of your number — like phishing, using skimmers in ATMs, rescanning your card into another device when it’s taken from you in a restaurant, or simply using hidden cameras in spots where cards are frequently used.

In a way, these tricks are more dangerous than card theft via data breaches. At least when your card number has been stolen in a hack, you generally get to know about it.

But when your number is stolen via card tumbling or the other tactics we’ve mentioned, you often don’t know it’s out there “in the wild” so to speak.

In fact, there’s a much greater chance of your stolen card number being used by crooks after they specifically set out to find it, rather than when crooks buy a huge list of numbers in the underworld, which is what usually happens with data breaches.

This emphasizes the importance of checking your credit card account online every day if you can. That’s the only way you’re likely to find that your card is being used fraudulently, enabling you to alert your card company using the phone number on the back of the card.

And, while we’re on that subject, beware of one of the most common card fraud tricks used by crooks who already have your number.

They phone or email you posing as security people from your card issuer, claiming that they believe your number is being used fraudulently. They make it sound official and may issue a case number, but they always end up asking you for the three- or four-digit security number on the back (most cards) or front (American Express) of your card.

That’s the final piece of the jigsaw they need to enable them to go crazy with your money.

Credit card companies don’t operate this way. Never give your security code to someone who makes an incoming, unsolicited call to you.

And now that you know, be alert to the risks of card tumbling crooks.

Alert of the Week

If you belong to a church, watch out for fake donations.

Scammers are using the well-known trick of overpaying — in this case making a donation of thousands of dollars, then saying they made a mistake and asking for most of it to be returned via a money-wire service.

In a recent example, they paid a church $4,500 then claimed they meant to give just $45. Unfortunately, the church wired back the $4,450 balance before the scammers’ check was declared a fake.

That’s it for today — we hope you enjoy your week!