Know and understand card fraud including shoulder surfing, card cloning, key logging

Safety and Security – Card Fraud and Wider e‑Safety Threats

Card fraud is one of the many e‑safety threats listed in the Cambridge IGCSE ICT (0417) syllabus. It sits alongside phishing, smishing, vishing, pharming, viruses, malware and other data‑security risks. Understanding how card‑fraud techniques work, how they relate to other threats, and which technical, legal and organisational safeguards exist, enables learners to protect their own data and the data of any organisation they use.

1. Personal Data & Safe Online Behaviour (Syllabus 8.2)

  • Never share your PIN, password or card number in e‑mail, instant‑messaging, or social‑media posts.
  • Use strong, unique passwords for online banking and avoid re‑using them on other sites.
  • Be cautious when clicking links or opening attachments – they may be part of a phishing or malware attack that ultimately leads to card fraud.
  • Cover the keypad or screen when entering a PIN or card details.
  • Report any suspicious activity (e.g., unexpected ATM behaviour, unknown charges) to your bank and, where appropriate, to school or workplace ICT staff.

2. Card‑Fraud Techniques

2.1 Shoulder Surfing

Direct visual observation (or hidden camera recording) of a user entering confidential information such as a PIN, password or card details.

  • How it occurs: The fraudster stands close enough to see the keypad or screen, or uses a concealed camera/micro‑camera.
  • Typical environments: ATMs, point‑of‑sale (POS) terminals, public computers, crowded transport hubs, cafés.
  • Prevention measures:

    • Cover the keypad with your hand while typing a PIN.
    • Use privacy screens on laptops, tablets and smartphones.
    • Stay aware of people standing unusually close; step back if necessary.
    • Report suspicious behaviour to staff or security personnel.

2.2 Card Cloning (Skimming)

Creation of a duplicate payment card by copying data from the magnetic stripe or chip of the original card.

  • How it occurs: A hidden skimming device reads the stripe/chip data; a separate camera or fake keypad overlay captures the PIN (often combined with shoulder surfing).
  • Key components of a skimmer:

    • Card‑reader overlay that records magnetic‑stripe or chip information.
    • Mini‑camera or fake keypad overlay to capture the PIN.

  • Prevention measures:

    • Inspect ATMs and POS terminals for loose or unusual parts before use.
    • Prefer chip‑enabled (EMV) cards over magnetic‑stripe cards.
    • Enable real‑time transaction alerts from your bank.
    • Report any damaged or tampered equipment immediately.

2.3 Key Logging

Recording of every keystroke made on a computer or mobile device, allowing attackers to capture usernames, passwords and card numbers.

  • Types of key loggers:

    • Hardware – tiny devices inserted between the keyboard and computer.
    • Software – malicious programs installed silently on the system.

  • How they are installed:

    • Phishing e‑mails with malicious attachments or links.
    • Downloading software from untrusted or pirated sources.
    • Physical access to the device (e.g., in public computer labs).

  • Prevention measures:

    • Keep operating systems, browsers and anti‑virus software up to date.
    • Do not open files or click links from unknown senders.
    • Use strong, unique passwords and change them regularly.
    • Inspect USB ports and keyboard connections for unexpected devices.

3. Other Common Threats to Personal Data (Syllabus 8.3 – Threats to Data)

  Threat | How it works | Prevention tip
  ------ | ------------ | --------------
  Phishing | Fraudulent e‑mail that appears to come from a legitimate organisation, asking the recipient to “confirm” card details via a fake web‑form. | Check the sender’s address, hover over links to see the real URL, and never enter personal data on an unexpected page.
  Smishing | Phishing via SMS; a text message claims there is a problem with your account and asks for card details or a click‑through link. | Do not reply to unsolicited messages; verify the claim by contacting the bank using a known phone number.
  Vishing | Voice‑phishing; a caller pretends to be from a bank or retailer and requests card number, PIN or OTP. | Hang up and call the organisation back on the official number printed on your card or statement.
  Pharming | DNS or hosts‑file manipulation redirects you to a fake website that looks genuine, where you enter card details. | Check the URL for “https://” and the lock icon, and use reputable DNS services or VPNs.
  Viruses & Malware | Malicious software installed on a device can steal stored card data, log keystrokes, or create a back‑door for remote access. | Run regular anti‑malware scans, keep software patched, and avoid downloading from untrusted sites.
  Key Logging (see 2.3) | See section 2.3. | See section 2.3.

4. Technical Safeguards (Syllabus 8.3 – Protection of Data)

  • SSL/TLS (HTTPS): Encrypts data transmitted between a web browser and a server, protecting card details during online purchases.
  • Encryption of stored data: Card information saved on a device or server should be encrypted (e.g., AES‑256) so that stolen files are unreadable.
  • Two‑Factor Authentication (2FA): Requires something you know (password) plus something you have (one‑time code, token, or biometric) before granting access to online banking.
  • Biometrics: Fingerprint or facial recognition can replace or supplement a PIN, making it harder for a shoulder‑surfer or key logger to gain access.
  • Firewalls: Control inbound and outbound traffic, helping to block malicious connections that might deliver key‑logging malware.
  • Password hashing & salting: Stored passwords or PINs should be hashed (e.g., SHA‑256) and salted so that even if the database is stolen the values cannot be reversed.
  • Regular software patching: Apply operating‑system, browser and application updates promptly to close known vulnerabilities.
  • Reputable anti‑malware: Use recognised antivirus/anti‑spyware solutions and schedule regular scans.
  • Secure backup practices: Keep encrypted backups of important data on a separate medium or cloud service.
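The hashing‑and‑salting safeguard above, shown as a small added Python illustration (not part of the original guide). It stores a random salt per user and uses PBKDF2‑HMAC‑SHA256 from the standard library as a salted, iterated form of SHA‑256; the user names, PIN values and iteration count are constructed for the demo only.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo data: two users who happen to choose the same PIN.
SAMPLE_PINS = {"alice": "4821", "bob": "4821"}

ITERATIONS = 100_000  # PBKDF2 work factor; value chosen for the demo


def unsalted_sha256(pin: str) -> str:
    """Plain SHA-256 of the PIN: identical PINs give identical digests."""
    return hashlib.sha256(pin.encode()).hexdigest()


def make_record(pin: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated hash. A fresh random salt is drawn for every user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(pin: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_pin_visible(stored_values: dict) -> bool:
    """True if two stored values match, i.e. a stolen table reveals shared PINs."""
    values = list(stored_values.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    plain = {u: unsalted_sha256(p) for u, p in SAMPLE_PINS.items()}
    salted = {u: make_record(p)["hash"] for u, p in SAMPLE_PINS.items()}
    print("unsalted table leaks shared PIN:", shared_pin_visible(plain))   # True
    print("salted table leaks shared PIN:  ", shared_pin_visible(salted))  # False
    rec = make_record(SAMPLE_PINS["alice"])
    print("correct PIN verifies:", verify("4821", rec), "| wrong PIN:", verify("0000", rec))
```

Salting stops a thief from spotting users who share a PIN and from reusing one precomputed table against every record; the iteration count slows each guess, which matters because a four‑digit PIN has only 10,000 possibilities.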

5. Access‑Control Principles (Syllabus 8.3 – Protection of Data)

  • Least privilege: Users should have only the access rights they need to perform their tasks.
  • Role‑based access control (RBAC): Permissions are assigned to roles (e.g., “student”, “staff”) rather than to individuals.
  • Automatic lock‑out / screen lock: Devices should lock after a short period of inactivity and require a password or biometric to re‑enter.
  • Regular review of permissions: Periodically check that accounts still need the rights they have.

6. Data‑Protection Legislation (Syllabus 8.3 – Data‑Protection Act)

Unauthorised acquisition or use of card details breaches the Data‑Protection Act 2018 (UK) and the broader GDPR framework. The regulator responsible for enforcing the law is the Information Commissioner’s Office (ICO).

  • Individuals have the right to have their personal data kept secure.
  • Organisations must report data‑breaches to the ICO (and to affected individuals) within 72 hours of becoming aware of the breach.
  • Reporting suspected fraud helps organisations meet their legal obligations and protects others from further attacks.

7. Communication & Copyright (Syllabus 10 – Communication)

  • Email etiquette / netiquette: Use a clear subject line, professional greeting, concise body, and sign‑off. When sharing the Card‑Fraud Safety Guide, attach the PDF, avoid “Reply‑All” unless necessary, and use BCC for large distribution lists.
  • Audience awareness: Tailor language, tone and visual style to the intended readers (e.g., Year 9 students, parents, staff).
  • Copyright compliance: Use only royalty‑free icons or images, or obtain permission and provide appropriate attribution. Cite any external sources used in the guide.

8. Comparison of Card‑Fraud Techniques

  Technique | Method of Data Capture | Typical Targets | Key Prevention Strategies
  --------- | ---------------------- | --------------- | -------------------------
  Shoulder Surfing | Visual observation (or hidden camera) of PIN / card details | ATMs, POS terminals, public computers, transport hubs | Cover keypad, use privacy screens, stay aware of surroundings, report suspicious behaviour
  Card Cloning (Skimming) | Skimmer reads magnetic stripe / chip; camera or fake keypad captures PIN | ATMs, fuel pumps, unattended payment terminals | Inspect equipment, use chip cards, enable transaction alerts, report tampering
  Key Logging | Hardware or software records every keystroke | Home computers, laptops, tablets, public labs | Update OS/antivirus, avoid unknown downloads, use strong passwords, check for rogue devices

Suggested diagram: Flowchart showing the steps of a typical card‑cloning attack – from skimmer installation, data capture, PIN acquisition (via shoulder surfing), to the fraudulent transaction.

9. Summary Checklist for Learners

  1. Identify the three main card‑fraud techniques: shoulder surfing, card cloning, key logging.
  2. Explain how each technique obtains card or PIN information.
  3. List at least three practical ways to prevent each type of fraud.
  4. Recall the other common threats (phishing, smishing, vishing, pharming, viruses/malware) and give one example of how they work and one prevention tip for each.
  5. Understand technical safeguards such as SSL/TLS, encryption, 2FA, biometrics, hashing, regular patching and secure backups.
  6. Know the key access‑control principles (least privilege, RBAC, automatic lock‑out) and why they matter.
  7. State why card fraud breaches the Data‑Protection Act 2018, name the ICO, and describe the legal requirement to report breaches within 72 hours.
  8. Apply appropriate email etiquette, audience awareness and copyright practice when creating and sharing a safety guide.

10. Practical Task – AO2 (Apply Knowledge to Produce an ICT‑Based Solution)

Task: Using a word‑processor, presentation software, or a simple graphic‑design tool, create a one‑page “Card‑Fraud Safety Guide”. The guide should:

  • Summarise the three card‑fraud techniques and give at least one prevention tip for each.
  • Include a short section on related e‑safety threats (phishing, smishing, vishing, pharming, malware) with a brief “how it works” and a prevention tip.
  • Show one technical safeguard (e.g., a screenshot of an HTTPS lock icon, a 2FA prompt, or a hash‑symbol illustration) and explain its role.
  • Demonstrate audience awareness (e.g., language suitable for Year 9 students) and use only royalty‑free icons or properly cited images.
  • Apply correct email/netiquette when you later share the PDF – use a clear subject line, professional greeting and appropriate attachment etiquette.
  • Save the file as a PDF and be prepared to share it with the class or upload it to the school’s learning platform.

This activity assesses AO2 by requiring learners to produce a useful ICT artefact that promotes safe online behaviour while meeting the full range of syllabus requirements.