As they say in the movies. We have a leak.

So my PayPal MasterCard somehow got cloned in Nov. It was used in Quebec in petrol stations and pharmacies. Shut down within a few hrs and replacement issued.
This week the exact same thing happened.

Any tips on finding the leak appreciated. I’ve malware checked my PC with malwarebytes. Clean. Thoughts appreciated.

Assuming you only use the card on PayPal, did you change your PayPal password?

Its details aren’t in my PayPal account its supplied by some company for PayPal. It gets used out in the wild so to speak.

any petrol station in Bradford.

could be anything.

one of mine was that famous mass cloning c/o an online bike store in northern ireland.

another (ie brand new replacement card, with new number) was cloned after one single use on paypal and one use on an otherwise reputable hotel booking site.

I treat that 3 digit code on the back like a PIN that’s printed on the card.

Always worth checking for malware (keyloggers etc.) anyway. Does no harm.

I just thought it odd that the details ended up in Canada both times

A PayPal Mastercard? That’s a new one on me. Run a malware check on your laptop.

To clone a card you just need the front and back numbers. Thieves get these in many ways – direct from the manufacturer, postal intercept (so the card i put back in the envelope and you don’t know its been cloned), dodgy employees who copy the numbers whilst you’re paying, dodgy websites, good websites that aren’t secure enough to stop dodgy employees…..

There’s been some card “shimming” going on in Canada. Tiny devices in the card slot in shop payment terminals that you can’t see and they read the chip and intercept the PIN.

http://coquitlam.bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=2115&languageId=1&contentId=49796

Though seems to depend on how the card issuer does checks to authorise transactions.

https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/

There have been lots of BIN level attacks recently, just guessing card numbers starting with a known first 6 digits. With e-commerce sites, you can verify your guess easily. See recent Newcastle University paper.

As others have said there are so many possibilities, from atm skimming, to website hacking. Unfortunately even the banks’ fraud teams often struggle to find the leaks.

The reason that the cards are often used in the USA and Canada is because they don’t use chip & pin. The chip of a card is said to be impossible to clone, hence its the mag strip they are cloning.

We do this for a living (not cloning cards but PCI DSS) lots of ways to get details probably as detailed by JI further up the thread. Low level card data theft accounts for a lot of this type of compromise.

bennyball – Member 
The chip of a card is said to be impossible to clone, hence its the mag strip they are cloning

As the above reports about “shimming”, where chip & pin terminals are used they’re still able to get the same data that they get off the mag strip, just from the chip. They can’t clone the chip but they can make a clone with enough data for a magnetic strip and then go use it in places where they don’t use chip & pin.

Amazon used to be a common place to make fraud payments or test cards for it, particularly as you used to be able to register with just card number and expiry date. I’ve had cards hit a few times and they’ve used Amazon to test the card details.

US restaurants worry me also. Bill comes, give them the card and the disappear with it, then back with receipt which you sign not in their presence and they don’t check the signature.

Oh, and at least one time my card got hit I’m pretty sure it was a particular Australian online DVD retailer who years ago got hacked and all card details stolen, including mine. Shortly after a load of small Amazon transactions that weren’t mine.

globalti – Member
A PayPal Mastercard? That’s a new one on me. Run a malware check on your laptop

Classic

Just don’t use your card to pay at an Indian restaurant in Holcombe, Bury, with a name that means “bad” in Spanish. A certain Mrs Baig got a copy of our card and spent £1700 on having fun with it just before Christmas.