Card fraud involves the illegal acquisition and use of payment‑card information. The most common techniques examined at IGCSE level are shoulder surfing, card cloning and key logging. Understanding how each method works and how to prevent it is essential for protecting personal and organisational data.
1. Shoulder Surfing
Shoulder surfing is the direct observation of a user entering confidential information, such as a PIN, password or card details, by looking over the user’s shoulder or using a hidden camera.
How it occurs: The fraudster positions themselves close enough to see the keypad or screen while the victim types.
Typical environments: ATMs, point‑of‑sale terminals, public computers, crowded transport hubs.
Prevention measures:
Cover the keypad with your hand while entering a PIN.
Use privacy screens on laptops and mobile devices.
Be aware of your surroundings; step away if someone is too close.
Report suspicious behaviour to staff or security personnel.
2. Card Cloning
Card cloning is the creation of a duplicate payment card by copying the data stored on the magnetic stripe or chip of an original card.
How it occurs: A fraudster uses a skimming device (often hidden on ATMs or POS terminals) to read the magnetic stripe data, then writes that data onto a blank card.
Key components of a skimmer:
Card reader overlay that captures stripe data.
Camera or keypad overlay to capture PINs (often combined with shoulder surfing).
Prevention measures:
Inspect ATMs and POS terminals for loose or unusual parts before use.
Use chip‑enabled cards rather than magnetic stripe cards where possible.
Enable transaction alerts from your bank.
Report any damaged or tampered equipment immediately.
3. Key Logging
A key logger (or keystroke logger) records every keystroke made on a computer or mobile device, capturing usernames, passwords and card numbers.
Types of key loggers:
Hardware key loggers – small devices inserted between the keyboard and computer.
Software key loggers – malicious programs installed silently on the system.
How they are installed:
Through phishing emails that contain malicious attachments.
By downloading software from untrusted sources.
Physical access to the computer (e.g., in public labs).
Prevention measures:
Keep operating systems and anti‑virus software up to date.
Do not download or run files from unknown sources.
Use strong, unique passwords and change them regularly.
Inspect USB ports and keyboard connections for unexpected devices.
Comparison of Card Fraud Techniques
Technique
Method of Data Capture
Typical Targets
Key Prevention Strategies
Shoulder Surfing
Visual observation of PIN or card details
ATMs, POS terminals, public computers
Cover keypad, use privacy screens, stay aware of surroundings
Card Cloning
Skimming device reads magnetic stripe/chip data
ATMs, fuel pumps, unattended payment terminals
Inspect equipment, use chip cards, enable transaction alerts
Key Logging
Hardware or software records keystrokes
Computers, laptops, tablets in homes or public venues
Update security software, avoid unknown downloads, check for rogue devices
Suggested diagram: Flowchart showing the steps of a typical card cloning attack, from skimmer installation to fraudulent transaction.
Summary Checklist for Learners
Identify the three main card‑fraud techniques: shoulder surfing, card cloning, key logging.
Explain how each technique obtains card or PIN information.
List at least three practical ways to prevent each type of fraud.
Understand the importance of reporting suspicious equipment or behaviour.
Recognise the role of strong passwords and up‑to‑date security software in preventing key logging.