Fraudsters in Ireland posing as authorised bank service personnel replaced credit card readers in retailers' stores with their own, capturing data that can be used to empty bank accounts and make purchases.
As many as 10,000 credit and debit cards may have been compromised by the time authorities became aware of the scam late last week, according to Jennie Chamberlaine, marketing manager for the Irish Payment Services Organisation.
Those whose details have been stolen will be notified by banks, and it is possible card details have already been used for fraud Chamberlaine said.
Financial institutions such as the Bank of Ireland reacted by shutting down some cards while also limiting overseas withdrawals to as little as £79. An investigation is under way by Ireland's National Police Service. Few other details were immediately available.
Overseas withdrawals are limited because the scammers can take the data they've captured from the magnetic stripe on the back of the card and encode it on a dummy card. That card can then be used to withdraw cash overseas.
The scammers can't take out cash at ATMs in Europe that use the "chip-and-pin" system. Criminals have yet to successfully replicate those microchips.
Chip-and-pin's greatest weakness is the lack of its worldwide use. Criminals now clone cards and go to countries that don't have ATMs that verify the presence of the microchip, fuelling a transnational trade in credit and debit card details.
Chip-and-pin also doesn't affect "card not present" fraud, where data is used to make online purchases. That data is often captured through phishing, or frauds where a fake Web site is built in order to trick people into divulging sensitive information.
"Card fraud has tended to move to the weakest link," Chamberlaine said.