Fraudsters in northeast Ireland posing as authorized bank service personnel replaced credit card readers in retailers' stores with their own, capturing data that can be used to empty bank accounts and make purchases.
As many as 10,000 credit and debit cards may have been compromised by the time authorities became aware of the scam late last week, said Jennie Chamberlaine, marketing manager for the Irish Payment Services Organization, on Monday.
Those whose details have been stolen will be notified by banks, and it is possible card details have already been used for fraud Chamberlaine said.
Financial institutions such as the Bank of Ireland reacted by shutting down some cards while also limiting overseas withdrawals to as little as €100 (US$146). An investigation is under way by Ireland's National Police Service. Few other details were immediately available.
Overseas withdrawals are limited because the scammers can take the data they've captured from the magnetic stripe on the back of the card and encode it on a dummy card. That card can then be used to withdraw cash overseas.
The scammers can't take out cash at ATMs in Europe that use the "chip-and-pin" system. European credit and debit cards have an embedded microchip that is checked at the ATM; cards that should have the chip but don't are rejected. Criminals have yet to successfully replicate those microchips.
The chip-and-pin system also requires a PIN (personal identification number) to be entered during a purchase rather a customer signature as is accepted in the U.S. and many other countries.
The European system has caused a marked dropped in fraudulent transactions from lost and stolen cards, but resulted in an interesting change in fraud.
Chip-and-pin's greatest weakness is the lack of its worldwide use. Criminals now clone cards and go to countries that don't have ATMs that verify the presence of the microchip, fueling a transnational trade in credit and debit card details.
Chip-and-pin also doesn't affect "card not present" fraud, where data is used to make online purchases. That data is often captured through phishing, or frauds where a fake Web site is built in order to trick people into divulging sensitive information.
"Card fraud has tended to move to the weakest link," Chamberlaine said.