This article is brought to you by Aura.

Here’s How You Can Prevent Credit Card Cloning

Cloned cards are fraudulent copies of real credit or debit cards. Hacked POS terminals and skimmers can both easily give away card information.


      How Does Credit Card Cloning Happen?

      Credit card cloning — also called skimming — copies data from a legitimate card’s magnetic stripe onto that of a duplicate card.

      Stealing your credit card information is easier than it seems. One way is to fasten a skimming device onto a card reader. Any time someone swipes their card, the skimmer collects the magstripe data flowing through it.

      Two men hacked hundreds of credit cards this way, placing skimmers at gas stations all over Fresno and Southern California [*]. They stole more than $195,000 from victims, using these cloned credit and debit cards.

      Card cloning scams like these boil down to two steps:

      1. Scammers obtain credit card information — through skimmers or other means

      • Some thieves inject malware into point-of-sale (POS) terminals. Others insert shims — thin, card-sized devices with a microchip — into chip readers in order to copy EMV card data.
      • Or they sell faulty payment processing software to e-commerce merchants, lifting card numbers from every online transaction [*].

      2. They create fake cards

      • Crooks reprint stolen data onto counterfeit cards and use them as fast as they can. Until a victim’s bank catches on, scammers buy prepaid gift cards (a process called “carding”), get cash advances, or make other unauthorized purchases.

      In South Carolina, two men were arrested after police found 15 cloned credit cards while searching their vehicle [*]. The men had already used the cards to buy $5,000 worth of merchandise.


      Don’t EMV Chips Help?

      EMV, short for Europay, Mastercard, and Visa, is a worldwide standard for smartcard payment. Before EMV existed, all of a credit or debit card’s data was stored in its magnetic stripe. With the right equipment, anyone, including scammers, could read it and reproduce your card.

      EMV cards prevent credit card fraud by storing card numbers and Card Verification Values (CVVs) in a special microchip. This method offers two layers of security:

      • The first is that the chips mask your name, credit card number, and the card’s expiration date. Plus, instead of sharing all of your data like a magnetic stripe does, chips send encrypted, one-time access codes to process payments.
      • The second layer of security has to do with your card’s CVV. CVV1 on magnetic stripe cards is different from the internal CVV (iCVV) on EMV cards [*]. And the three- or four-digit CVV displayed on a physical card (CVV2) is also separate.

      Most financial institutions use the combination of CVV1 and iCVV to verify each transaction. Since iCVVs change with each transaction, banks look for mismatches to spot fraud.

      But not all banks use this verification system

      While scammers can’t clone an actual EMV chip, they can still produce counterfeit cards and peddle them on the Dark Web.

      Shimmers — skimmers for EMV cards — steal unique card identifiers called Track2 Equivalent values. Scammers print these values onto the magnetic stripes of fake, new cards.

      When they use the counterfeit cards, they claim that their chip “doesn’t work” — so the merchant swipes the card instead.
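The CVV1/iCVV mismatch check described above, seen from the issuer's side, as an added example that is not part of the original article. It assumes a keyed HMAC as a stand-in for the issuer's real CVV algorithm, a constructed key and test card, hypothetical `chip`/`swipe` entry-mode labels, and a verification value stored in the last three digits of the discretionary data.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # assumption: stands in for the issuer's HSM-held key


def verification_value(pan, expiry, service_code):
    """Stand-in for the issuer's CVV algorithm: keyed 3-digit value (HMAC, not the real scheme)."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def parse_track2(track2):
    """Split Track 2 (ISO/IEC 7813) or chip Track 2 Equivalent ('D' separator, 'F' padding)."""
    body = track2.strip(";?").rstrip("F").replace("D", "=")
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or len(rest) < 7 or not rest.isdigit():
        raise ValueError("malformed Track 2 data")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "discretionary": rest[7:]}


def assess(track2, entry_mode):
    """Issuer-side decision for one authorization; entry_mode is 'chip' or 'swipe'."""
    card = parse_track2(track2)
    presented = card["discretionary"][-3:]  # assumption: value sits in the last 3 digits
    cvv1 = verification_value(card["pan"], card["expiry"], card["service_code"])
    icvv = verification_value(card["pan"], card["expiry"], "999")  # iCVV uses service code 999
    expected = icvv if entry_mode == "chip" else cvv1
    if hmac.compare_digest(presented, expected):
        # First service-code digit 2 or 6 means the card has a chip, so a swipe is a fallback.
        if entry_mode == "swipe" and card["service_code"][0] in "26":
            return "review: chip card swiped (fallback)"
        return "approve"
    if entry_mode == "swipe" and hmac.compare_digest(presented, icvv):
        return "decline: chip data replayed on magnetic stripe"
    return "decline: verification value mismatch"


if __name__ == "__main__":
    pan, exp, svc = "4111111111111111", "2912", "201"  # constructed test card
    stripe = f";{pan}={exp}{svc}{verification_value(pan, exp, svc)}?"
    chip = f"{pan}D{exp}{svc}{verification_value(pan, exp, '999')}F"
    print(assess(chip, "chip"))     # genuine chip read
    print(assess(stripe, "swipe"))  # genuine stripe, chip card swiped
    print(assess(chip, "swipe"))    # chip data presented as a swipe
```

An issuer that skips this comparison accepts the swiped copy, which is why the fallback-swipe case is routed to review here rather than approved outright.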

      Other scammers use pre-play and replay attacks

      Criminals use a hacked payment terminal to capture special security codes that EMV chip cards send. These codes can be back-dated to allow new transactions; scammers don’t even need to present a physical card.

      “Pre-play attacks” are common, too. In this credit card scam, a hacked terminal doesn't repeat codes but can predict them.

      While these tactics seem far-fetched, they produce very real results. Using similar techniques, researchers at ZDNET cloned four out of 10 EMV cards, all of which were from different banks [*].


      How To Safeguard Your Credit Card

      Scammers are always looking for new ways to snatch and exploit credit card data. Here’s how to spot and avoid credit card skimmers:

      Do a visual and physical check before inserting a card

      Skimmers are widely used for credit card cloning. In the first half of 2023, there was a 77% spike in the number of cards impacted by skimming [*]. Roughly 185 cards were affected per attack.

      Always look inside a card reader before using it. If it seems like another card is already inserted, you’re probably looking at a shimmer.

      Move the reader around a bit, too. Loosely attached readers may indicate tampering. If you’re at a gas station, compare your reader to the others to make sure they match.

      Sign up for credit card transaction alerts

      Most American banks offer their customers large purchase, high balance, and suspicious activity alerts.

      Bank of America, for example, gives users the option to monitor whether their credit or debit card is being used online [*]. Opt in to email, text, or mobile app alerts in your bank account settings.

      Only use known bank ATMs

      Bank ATMs have more security measures in place than the ones at malls or other high-traffic areas. The Federal Deposit Insurance Corporation (FDIC) advises examining ATM personal identification number (PIN) keypads for sticky keys, as well as looking for hidden cameras and checking for loose wires or seams [*].

      Switch to contactless payments

      Apple Pay and Google Pay aren’t as susceptible to physical card skimming or shimming. The downside is that a scammer can still use your stolen credit card via a mobile wallet.

      Most terminals that accept contactless payments don’t need PIN codes or signatures on receipts. This makes tap-and-go fraud, also called no cardholder verification method (CVM) fraud, easy [*].

      As of February 2023, Mastercard has a $100 CVM limit per contactless card payment in the United States [*]. Visa and American Express can process up to $200 per transaction. Please note that this limit varies by country.

      Use secure networks for financial transactions

      Hackers can also use unsecured Wi-Fi networks to spy on your activity — stealing your card number as you browse. If you must access the internet via public Wi-Fi, use a virtual private network (VPN) to encrypt your connection.


      Suspect Card Cloning? Do This:

      Follow these steps if you’ve lost your credit card or think someone else has used it.

      • Contact your credit card issuer. Call your bank’s official support phone number, and explain how and when your card number was stolen. They’ll cancel your credit card, send you a brand-new card, and open a fraud investigation. Under the Fair Credit Billing Act (FCBA), you have 60 days to contest unauthorized transactions with your bank before you’re responsible for any charges [*].
      • File a Federal Trade Commission (FTC) identity theft report. Stolen credit card numbers can be easy conduits to identity theft — especially if a scammer has other bits of your personally identifiable information (PII). Reporting your case helps authorities catch the perpetrator and helps you dispute fraudulent charges. First, visit IdentityTheft.gov. Select “Someone has my information or tried to use it, and I’m worried about identity theft,” and then click on “Debit or credit card information.” From there, fill out a description of your case and provide as much detail as possible.
      • File a police report. If you know who swiped your card or where your credit card number was stolen, head to your local police station and file a report. Be ready to show your photo ID and proof of address. Bring with you a copy of your most recent credit card statement and your FTC identity theft report.
      • Consider a credit freeze and/or fraud alert. Credit freezes restrict access to your credit report, preventing fraudsters from opening new credit accounts in your name. Fraud alerts force businesses to confirm your identity before issuing any new credit. You may enable both, but a credit freeze offers better protection because fraud alerts expire.
      • Contact credit bureaus about removing fraudulent charges. If identity thieves opened new lines of credit, chances are this will show up on each bureau’s credit report. Start by filling out Experian, Equifax, and TransUnion dispute forms, and then attach copies of documents that support your disputes (like police or identity theft reports). If you’re having trouble filling out the forms, the FTC has a sample letter that you can use as a template. After you submit your claims, the credit bureaus have 30 days to investigate them.
      • Check to see if your credit card information is circulating on the Dark Web. Use free leaked password scanners and Dark Web checkers to see if any of your data has been compromised. Delete any old and/or exposed accounts, and update all of your credentials with long, complex passwords.
      • Sign up for credit card monitoring. Unfortunately, most victims of card cloning or identity theft become victims again. An always-on credit monitoring service alerts you to any suspicious activity, allowing you to lock down your accounts and stop identity theft.
