New Fraud Technique Targets Unused Cards Silently, Breaking Through Any Security

Unauthorized use of credit cards has been steadily increasing in recent years. According to the “Status of Credit Card Fraud Victims” published by the Japan Credit Association, the amount of damage caused by fraudulent use reached a record high of 55.5 billion yen in fiscal year 2024. From January to March 2025 alone, the damage amounted to 19.32 billion yen, surpassing the previous year’s figure of 12.41 billion yen for the same period.

Credit card fraud occurs when criminals obtain card numbers and security codes by some means and misuse them. Although credit card companies have implemented countermeasures, these have yet to prove fully effective. There have even been cases where victims discovered unexpected fraudulent use.

A card you don’t usually use was fraudulently used!

A man in his 30s shared his experience of an unexpected fraudulent use. The card that was compromised wasn’t his regularly used card, but a secondary card mainly used for paying fixed monthly expenses, with almost no new transactions.

According to major credit card companies JCB and Mitsui Sumitomo Card, the common methods of fraud include loss or theft of the card, skimming (counterfeiting), phishing scams, and information leaks through unauthorized access. Many of these involve fake emails impersonating financial institutions or government agencies, and fraudulent shopping on scam websites. However, the method used in this man’s case did not match any of these.

“At the beginning of June, I suddenly couldn’t access Netflix. When I checked my email inbox, I found a message saying payment failed, and that’s when I realized something was wrong. This card is used mainly for monthly payments like Amazon Prime, Netflix, and Docomo. Apart from the occasional use at a nearby supermarket, there were hardly any new transactions.

Since my credit limit still had room, I thought it was strange that payments were being declined. When I contacted the card company, they told me that a payment of 46 yen from overseas was made, so the card was temporarily suspended. Since the charge seemed suspicious, they automatically stopped the card. I had no idea about this 46-yen charge, and that’s when I found out my card had been fraudulently used,” he said.

While there’s a possibility that skimming occurred during a supermarket purchase, he rarely took out the card otherwise and used a different card for online shopping. Therefore, he says, “I can’t imagine how my card number was compromised.”

The new method was a classic brute-force technique

When asked about the incident, credit card expert and writer Yusuke Yamano pointed out that a classic technique was likely used. He even said, “With this method, virtually any card can be cracked.”

“I believe the method used was what’s known as a Credit Master technique. It’s also referred to as a Credit Master Attack or simply Cremas. This involves a program that mechanically generates credit card numbers and then breaks through by guessing the card number and security code.

It was probably combined with what’s known as a brute-force attack. Brute-force means trying every possible combination until the right one is found—like trying every number from 001 to 999 to unlock a 3-digit combination lock. The attacker keeps going until they figure out the 4×4-digit card number, expiration date, and 3-digit security code.

Another method used in combination is known as reverse brute-force. While brute-force involves attacking one card with countless number combinations, reverse brute-force fixes a card number and attacks countless cards. Think of it as trying the combination 111 on as many different locks as needed until one of them opens.

Although these are old techniques, the increase in credit card users and the improvement in computer power for random number generation have likely led to the recent surge in damage.” (Mr. Yamano)

Criminal organizations also sell card numbers on the dark web

Even though the 16-digit number may appear random, it contains an INN (Issuer Identification Number), which allows identification of the card type based on the first six digits. Digits seven to fifteen represent the account number, which identifies the cardholder. Credit card numbers follow a certain pattern, and the actual pool of numbers used for fraudulent activity is smaller than one might expect.

“As for the 46-yen microtransaction, it’s actually a recent trend. High-value fraudulent transactions are easy to spot on a statement, but smaller amounts are often overlooked or can be disguised among regular monthly charges. The aim is to delay detection and continue exploiting the card over time.

There are also criminals who intentionally make small transactions to test if the card works. If successful, they sell the card information on the dark web. These are organized groups specializing in hacking,” the same source added.

Many people have signed up for credit cards on a whim due to promotional offers. Previously, unused cards were considered safe from fraud. However, nowadays, it’s possible that significant amounts are being charged to such dormant cards without the owner’s knowledge. To act swiftly, it’s crucial not to create unnecessary cards and to regularly check transaction histories.