This story begins early last week with a phone call from a bank I hold accounts with. I didn’t actually answer the call but a polite voice mail informed me of possible fraudulent activity and stated I should call them back as soon as possible. First and foremost I thought this part of my story was a social engineering exercise, but I quickly validated the phone number as being legit, unless of course this was some fantastic setup that was either man-in-the-middling the bank’s site (which would allow them to publish the number as valid) or the number itself had been hijacked. Tinfoil hat aside, I called the bank.
A friendly fraud services representative handled my call and in less than twenty minutes we had both come to the conclusion my card for the account in question was finally compromised. By finally, I mean roughly seven years as being my primary vehicle for payment on a daily basis. But this, ladies and gentlemen, is not where the fun started. No, I had to wait for the mail for that.
Fast forward five to seven business days, when a replacement card showed up in my lockbox which, interestingly, is an often-ignored benefit of living in a high density residence. This particular day I received a rather thick stack of mail that included half a dozen similarly sized envelopes. Unfortunately, I quickly knew (without opening any of them) which one contained my new card – and it wasn’t based on feel.
One would think a financial institution might go to trivial lengths to protect card data within an envelope, but clearly not in this case. The problem I had was that four of the sixteen numbers were readable because, and I’m assuming here, some automatic feeding mechanism at the post office put enough pressure on the embossed card number to reprint the number on the outside of the envelope. It was like someone had run that part of the card through an old-school carbon card copy machine. At this point my mail turned into a pseudo scratch lottery game and I was quickly to trying household items to finish what had already been started. I was a winner on the second try (the Clinique “smoldering plum – blushing blush powder brush” was a failure – my fiance was not impressed, and clearly I’ve watched too much CSI: Miami).
Turns out a simple brass key is all that is needed to reveal the rest of the numbers, name, and expiration. At this point I’m conflicted, with two different ideas:
- Relief and confusion: The card security code isn’t embossed. So why must the rest of it be?
- Social engineering: If obtaining card data like this was easy enough, I could devise a scheme where I called recipients new cards with enough data to sound like the bank for many people to give me the security codes.
After considerable thought I feel it’s safe to say that the current method of card distribution poses a low but real level of risk, wherein a significant amount of card data can be discerned short of brute force on the envelope itself. Is it possible? Surely. Is it efficient? Not really. Would someone notice the card data on the back of the envelope? Maybe. But damn – now it really makes sense that folks just go after card data TJX-style, considering all the extra effort in this route.
Reader interactions
5 Replies to “Hacking Envelopes”
Just out of curiosity, how does this compare to the “steaming the envelope open with an iron” technique? (I also watch too much tv! 🙂
I guess this falls into the “Insecurity through backwards compatibility” category.
I haven’t *seen* a carbon machine in years.
I don’t think my daughters would even know what they are!
David, you would make the most interesting but least successful criminal ever.
I picture David building a super-high powered magnet that can steal copper coins through the gap under someone’s door.
Yep. Cards have to be embossed because imprinting on carbon paper is still a viable method of proving that the card was physically present for a transaction when magnetic readers are not available. Go to almost any retail or dining establishment, and in the cash office there will be at least one card imprinting machine on hand. As Steve mentioned, cab drivers also use imprinters. When I was doing pizza delivery, I was also forced to use my pen with NCR paper to take an imprint of credit cards. Placing some cardboard over the card, or placing it with the embossed side facing the inevitable pile of folded paper would certainly help a bit, but you might be able to reverse-emboss it if the card back is directly against the envelope.
The numbers are embossed due to the fact that some people still use the old-school carbon card copy machine. It seems to happen to me when I use a cab sometimes.
Leave the brass key alone. Just swipe the card/envelope combo through a magnetic stripe reader and you have all the info you need!