Malware Inside the Credit Card Machine

(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the five largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers of some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors and fear of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof; certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has, however, set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing, the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Goertzel, Rugby and the Sweet-talking Scam

The South China Morning Post reports (I’ve got the hard copy here; everything there is behind a subscription wall, so no full link I’m afraid) on a clever scam where the bad guys steal just enough stuff — cards + identity — from a victim to be able to social-engineer their way into trust, but not enough for the mark to realise there’s anything missing before the sting. This takes some doing.

This is how it works: The fraudsters swipe a wallet or handbag from under chairs and tables at a weekend sporting event in Hong Kong. They remove the owner’s bank ATM card and a business card and replace everything else. They then research the individual (presumably online, though they may have access to other information, I guess, from associates on the inside at a bank?).

They wait a day and then call up the mark, identifying themselves as from the victim’s bank, asking for some personal details and then asking if they’ve lost their ATM card. This may be the first time the mark has realised the card is lost. Along with a professional and comforting tone, and any personal details that the fraudster has been able to unearth online, this would further lure the victim into a false sense of security.

It’s then that the fraudster says he will cancel the cards and provide a temporary password once the account holder has typed their PIN into the phone. I like this bit; it would be easier, and tempting, as in other scams (like this one in the UK), to try to persuade the victim to just give out their PIN verbally. But asking them to enter it into the keypad of their phone adds to the ‘illusion of formal procedure’ that social engineering relies on so heavily. The fraudster, of course, can easily attach a device to their phone to capture the tones of the PIN and decode it. They could even just record the tones and compare them against a reference set of tones. (Each key has its own distinct tone, under a scheme called dual-tone multi-frequency, or DTMF. Tones can be decoded using the Goertzel algorithm, via software like this.)
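The DTMF decoding mentioned above, as an added example that is not from the original post: a Goertzel detector over the eight DTMF frequencies (each key is really a pair of tones, one from a low group and one from a high group), run on constructed tone bursts, which shows why a PIN keyed into a handset is as recoverable as one read aloud. The sample rate, burst length and detection thresholds are assumptions chosen for clean synthetic audio.

```python
"""Goertzel-based DTMF decoder: an added illustration (not from the original
post) of why keying a PIN into a phone during a call is no safer than saying
it aloud. Sample rate, burst length and the ratio/floor thresholds are
assumptions chosen for clean synthetic tones."""
import math

# DTMF: each key is one low-group plus one high-group sine wave, played together.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")  # KEYPAD[row][col]
SAMPLE_RATE = 8000  # telephone-grade audio


def goertzel_power(samples, target_freq, sample_rate=SAMPLE_RATE):
    """Energy of `samples` at `target_freq`, via the Goertzel recurrence.
    Cheaper than an FFT when only a handful of frequencies matter."""
    n = len(samples)
    k = round(n * target_freq / sample_rate)  # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def decode_tone(samples, sample_rate=SAMPLE_RATE, ratio=10.0):
    """Map one tone burst to a keypad symbol, or None if it is not valid DTMF.
    Rejects silence (absolute floor) and bursts where one low and one high
    frequency do not clearly dominate their group (ratio test)."""
    floor = 1e-4 * len(samples) ** 2  # assumption: amplitude >= ~0.02 counts
    low = [goertzel_power(samples, f, sample_rate) for f in LOW_FREQS]
    high = [goertzel_power(samples, f, sample_rate) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    for group, best in ((low, li), (high, hi)):
        others = [p for j, p in enumerate(group) if j != best]
        if group[best] < floor or group[best] < ratio * max(others):
            return None
    return KEYPAD[li][hi]


def decode_sequence(bursts, sample_rate=SAMPLE_RATE):
    """Decode a list of isolated tone bursts into the keyed string."""
    keys = (decode_tone(b, sample_rate) for b in bursts)
    return "".join(k for k in keys if k is not None)


def synth_tone(freqs, duration=0.1, sample_rate=SAMPLE_RATE):
    """Constructed test input: equal-amplitude sines at `freqs`, summed."""
    n = int(duration * sample_rate)
    amp = 1.0 / len(freqs)
    return [sum(amp * math.sin(2 * math.pi * f * i / sample_rate) for f in freqs)
            for i in range(n)]


def synth_key(key, duration=0.1, sample_rate=SAMPLE_RATE):
    """Constructed test input: the two-tone burst a handset emits for `key`."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    col = KEYPAD[row].index(key)
    return synth_tone([LOW_FREQS[row], HIGH_FREQS[col]], duration, sample_rate)


if __name__ == "__main__":
    pin = "4711"  # constructed sample PIN, not a real one
    print(decode_sequence([synth_key(d) for d in pin]))  # prints 4711
```

A burst that is not a valid key pair (silence, speech, a single tone) is dropped rather than guessed, which is the behaviour a real decoder needs on a noisy line.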

Once the PIN is handed over, the account is emptied. In the case cited in the SCMP, some HK$47,000 was removed within 82 minutes of the fraudster obtaining the PIN.

So, the obvious and slightly less obvious go without saying:

  • Never give your PIN to anyone, even a smooth-talking fella calling himself “Peter from HSBC.”
  • Regularly check your purse to see whether all your cards are there. If not, cancel them immediately.
  • Don’t put your name cards, or other revealing personal details, in the same place as your credit cards.
  • Don’t ever accept a call from your bank without taking down the person’s name and number and a telephone number you can verify independently (on statements or online). Then call the bank back. Banks don’t like to do this, because it might mean you call them up when they don’t want to, but tough.
  • Give your bank hell every time they call you up and start asking you questions like “you have a credit card with us, is that right, sir? Would you like to up the limit on that card?” This is just asking for trouble, since calls like that are one small step away from a social engineering attack: “Please just give me the card details and some personal information and we’ll increase that limit right away, sir”. If not that, it at least sows the idea in the customer’s mind that their bank phones them, and that somehow that’s OK.
  • Be aware that Google et al can, when combined, paint a pretty clear picture of who you are, even if you’re not a blogger or other form of online exhibitionist. So don’t be lulled by someone calling who seems to know enough about you to be able to pretend to be someone official.

Anyone at the Rugby Sevens this weekend, take note.

Sideswiped by Skype

I love Skype and I write about it a lot, because I think it’s a great tool, especially for people in places where phone calls cost a lot. But those places tend to be developing countries where monopolies are powerful. Just those kind of places where credit card fraud is a problem. Like, say, Indonesia.

Which is why I think Skype has got to get its act together on accepting payments from places like Indonesia. It’s hard, sometimes impossible, to buy credit when in these places, and it doesn’t make good business sense. It’s also not nice to feel like a criminal to keep getting the following message:

Image: Skype fail

Skype’s PR are very nice people and try to help, as do their tech support staff. But I hate to waste time trying to buy credit when it’s so, so easy to do the same thing when buying something off, say, Amazon. I can sympathise with small retailers unwilling to do business with anyone from an address where credit card fraud is a problem, but Skype is big enough, especially now it’s part of eBay, to set up systems that are flexible enough and smart enough to tell when they are dealing with a bona fide customer and when with a criminal.

After all, if a criminal does buy Skype Out credit with a stolen credit card, what is the worst that can happen before they’re found out? It’s going to take them a while to make €25.00 worth of phone calls. Almost 25 hours, actually, according to Skype. OK, I guess they may want to do that, but it strikes me as a somewhat bizarre crime: “Criminal steals SkypeOut credit, talks to mother for more than 24 hours. Mother, worn out by phone call, asks son to give self up to police”.

How Long Did The ‘Biggest Data Theft In History’ Go Unreported?

I continue to be intrigued, but somewhat perplexed, by the CardSystems security breach that happened nearly two months ago now. Who knew it first, and who told who, and when? And why did it take so long to tell the rest of us?

A U.S. company claimed it was its software that first spotted the breach last year, in a press release issued July 13:

ACI Worldwide (Nasdaq: TSAI), a leading international provider of enterprise payment solutions, today announced that its ACI Proactive Risk Manager™ software helped National Australia Bank (NAB) detect the recently revealed security breach at CardSystems Solution before any other bank or financial institution.

But did it? The press release from ACI quotes Australian Treasurer Peter Costello as having “recently told Parliament that National Australia Bank was actually the first bank in the world to uncover the fraud”:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world and reported it to MasterCard and Visa in September 2004,” said Costello.

Wow. That’s eight months before anyone else, since CardSystems didn’t announce the fraud until May 22, 2005. So what did the Australian media say about this?

An AAP report on June 22 (sorry, no links for these, they’re from Factiva) quoted Costello as saying:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world, and reported it to Mastercard and Visa in Sept 2004,” he said. Mr Costello said the US Federal Bureau of Investigations began investigations soon after the fraud came to the attention of Visa and Mastercard.

He said the FBI declared the issue a crime scene only on June 1 this year. “During this investigation organisations were told by the FBI not to say anything publicly, and the FBI only allowed public comment on Thursday or Friday last week,” he said.

A Reuters report, covering the same press conference (or whatever it was; neither wire is clear on where Costello was speaking) quoted Costello as saying December, not September. An updated report from Reuters the same day adds comments from MasterCard and Visa that shed further light on this:

MasterCard spokeswoman Sharon Gamsin said, “We said from the beginning that it was reports of fraud from issuers that enabled us to do the analysis that led to CardSystems and led to the scope of this incident. One report of fraud would not necessarily have gotten us to that point.”

Visa spokeswoman Rosetta Jones said that when her company detects fraud, “banks are notified and accounts are closed. In this case, the National Australia Bank may have detected fraud late last year, but there was no clear indication that this fraud was part of a larger data compromise at that time.”

Finance Minister Nick Minchin said in an address to Australia’s parliament that Australia & New Zealand Bank Ltd., Commonwealth Bank Ltd. and NAB had each been monitoring the fraud since December and had canceled and reissued cards where transactions were suspect.

An AAP story two days later adds further detail:

As long ago as December last year, round-the-clock fraud squads at the four big banks had picked up on a pattern of unauthorised transactions on their customers’ credit cards, originating out of the United States.

Treasurer Peter Costello told parliament this week that National Australia Bank was actually the first bank in the world to uncover the fraud, which has been traced to a security breach at a US company that processes transactions.

The Australian banks contacted about 2,000 affected customers and issued them with replacement cards months before MasterCard’s announcement this week.

This raises a host of issues that I’ve not seen addressed elsewhere. If the Australian banks saw this fraud so early, why did it take so long? The Australian Financial Review (subscription required) today pointed out these inconsistencies and the fact that California credit card holders have filed suit in San Francisco against CardSystems, Merrick Bank, Visa and MasterCard, claiming “the companies should take responsibility for the security data breach”:

CardSystems has claimed it did not discover the security breach until May 22, 2005. But it is now known MasterCard and Visa were alerted to fraud resulting from the data breach as early as January. The complaint also alleges Visa and MasterCard failed to take “prompt remedial action” or take steps to notify affected consumers.

“Defendants, by failing to timely disclose the security compromise or data theft to affected consumers and merchants, are attempting to shift the burden of discovering resultant fraud away from themselves, even though they are responsible and are in a better position to discover and prevent fraud to consumers and merchants.”

Visa and MasterCard have defended their handling of the incident, saying they had to be sure CardSystems was the source of the data spill before going public.

So, as far as we can deduce from this, NAB, via its fancy software, spotted some kind of fraud taking place. That information was passed on to Visa and MasterCard sometime between September 2004 and January 2005. The FBI passed this information on to CardSystems at some point, although why everyone decided to sit on the information is unclear. Their initial statements, which I illustrated in the original post, will probably require some finessing at some point as the suit passes through the legal system.

Phishing And The U.S.-Europe Link

A 23-year-old man called Daniel A. Defelippi in the U.S. has pleaded guilty to three years of phishing and identity fraud, according to the Democrat & Chronicle:

A Rochester man admitted Tuesday that he engaged in widespread identity theft, pilfering credit card numbers through fake Web sites and even collaborating with computer hackers in Eastern European countries.

So far there’s no more detail about the Eastern European angle, but attorneys are quoted as saying the fraud added up to about $400,000. Defelippi was arrested last December:

That arrest prompted a search of Defelippi’s Rochester-area business — Compumasters, at 3495 Winton Place — where the federal Secret Service unearthed evidence of a major identity-theft operation.

Among the items seized were devices to create counterfeit driver’s licenses and credit cards, and computers used to fabricate Web sites.

Defelippi, whose address was unavailable, admitted that he stole thousands of credit card numbers from unsuspecting people across the country.

It’s interesting to see how phishing and more traditional credit card fraud go hand in hand here, and how the phishing operation had a quite active U.S. end to it.

Napster’s Sleazy Front Door

I’m trying out some of the online music sites, and am presently playing around with Napster. What ticks me off about these services is they try to confuse the novice into handing over their credit card details before they can get into the service, even if they have already bought a pre-paid card. The offer is ‘we just need your credit card, but it’s a free trial, honest!’. This happens at least three times, and then another pop-up window with no button to click but the one that takes you to the ‘free trial’. Anyone not absolutely sure what they’re doing is bound to click on the wrong button at some point and eventually just hand over their credit card details just to get to the dang music store.

Of course the unsuspecting punter finds they forget to cancel and bang! At the end of the month they’re getting charged. Given a lot of the users are youngsters, I think this kind of approach, though not unusual, is appalling. Is there no shame on the part of the folk who run these services, and no legal safeguards against this kind of thing? First bad mark against Napster.

Banks, Phishing And A Dereliction Of Responsibility

Online commerce suffers from one major flaw: It’s online. That means we need to use computers (or computer-like devices, such as cellphones). It means we need to use the Internet. Together this is a lethal cocktail. And for online banking, it just may mean it is fatal.

Online banking, for example, is not like using an ATM. Or a credit card. Or a cheque. Or even cash. All these types of transaction are vulnerable to fraud but they are relatively easy to protect yourself against. If you lend your credit card, cheque book or ATM card to strangers then you are probably not taking the right precautions. For banks, deciding whether you as a customer have taken ‘reasonable precautions’ is quite an easy calculation to make, and they will make it in assessing whether or not they will compensate you for losses.

But what about phishing? Online fraud is — and will become — a lot more complex than offline fraud. Firstly, most folk don’t really know what’s going on in their computer, so how can they take reasonable precautions? I bet, for example, that if you ask most people to identify the icons in their system tray they won’t be able to get all of them. Secondly, if you use broadband, you are connected to the Internet most of the time. It’s a bit like hanging out overnight on a street corner in a bad part of town: You can’t reasonably assume that you won’t attract the attention of some bad guy at some point.

These are calculations of risk the individual should make when he or she conducts any kind of transaction online. But they are hard. We can look around for suspicious types when we stand at an ATM machine, or hand over a credit card to a store clerk, but online we have no really easy way to measure our security and safety. Online banking is not the same as undertaking other transactions.

Which is why I think banks are wrong if they try to pretend it is. The BBC quotes Britain’s payments association, the Association for Payment Clearing Services (APACS) as saying that in a few years’ time “compensation could be denied if people had safety information but ignored it”. APACS director of corporate communications Sandra Quinn is quoted thus: “What we have always said is that we won’t forever provide a guarantee. A good parallel might be with something like card fraud – if you act reasonably, you are covered.” The bottom line: where a customer had “not acted with care and been negligent”, the BBC quotes her as saying, banks in three or four years’ time could begin refusing refunds.

I’m sorry, but I think this is daft and the wrong way around. Banks were very, very slow to get off the mark over phishing. If I was a customer and had been phished I would have sued the pants off my bank for not warning me about it. Banks have a duty to monitor their website, their name, in fact the whole Internet, to protect their customers. For example, one company I spoke to gave me a list of website names registered that appeared designed to impersonate legitimate banks — Citibank was a favourite, with hundreds of names that could be mistaken for a legit Citibank site. Most banks, he told me, weren’t interested in subscribing to this service. Why? Because they didn’t feel monitoring these names — and the accompanying websites — was worth their time or their money. If I was a customer I would be livid: If a scammer set up a fake bank in the high street to defraud customers, you would hope the bank in question would be on top of it within seconds, warning customers everywhere to watch out and doing its damnedest to close the operation down. The Internet is now the high street and banks need to start patrolling it, not ignoring it.

Sadly, I think banks still don’t get it. They think phishing is a static problem that will recede as more people know about it. But that’s not it at all. Phishing is the thin end of a new wedge that will lead to increasingly sophisticated efforts to use technology and social engineering to part consumers with their data and money. The banks’ role is not to put a few silly little warning notices on their website and set up silly little websites nobody visits (like this one) but to throw serious resources at protecting their customers: by building secure sign-on systems, by monitoring the bad guys, by offering well-staffed and accessible customer support hotlines. Anything less is a dereliction of responsibility.

A Glimpse Of A Tentacle From The Phishing Monster

Gradually the tentacles of the Russian gangs behind phishing are appearing. But we still have no idea how it really works, and how big the beast is.

The Boston Herald reports today on the arraignment of a “suspected Russian mobster” on multiple counts of identity fraud, having allegedly obtained personal information from more than 100 victims by phishing emails.

Andrew Schwarmkoff, 28, was ordered held on $100,000 cash bail after being arraigned in Brighton District Court on multiple counts of credit card fraud, identity fraud, larceny and receiving stolen property. He is also wanted in Georgia on similar charges, and is being investigated in New Jersey.

What’s interesting is that clearly phishing is tied in, as if we didn’t know, with broader financial fraud. Schwarmkoff — if that is his real name, since investigators are unsure if they have even positively identified him — was found with “$200,000 worth of stolen merchandise, high-tech computer and credit card scanning equipment, more than 100 ID cards with fraudulently obtained information and nearly $15,000 in cash,” the Herald says.

That would at least indicate that phishing is not just an isolated occupation, and that the data obtained is not necessarily just used to empty bank accounts, but to make counterfeit cards, ID cards and all sorts of stuff. What’s also clear is that the Russians (or maybe we should say folk from the former Soviet Union states) are doing this big time. The Herald quotes sources as saying “Schwarmkoff is a member of the Russian mob and has admitted entering the country illegally. “We know some things that we don’t want to comment about,” a source said, “but he’s big time.”

Schwarmkoff, needless to say, isn’t talking. “Would you?” the Herald quotes the source as saying. “Schwarmkoff,” the Herald quotes him as saying, “is more content to sit in jail than risk the consequences of ratting out the Russian mob.” That probably tells us all we need to know.

Credit Card Fraud And Keeping The Customer In The Dark

Banks have failed customers over credit card fraud; why should they do any better over phishing?

Further to my piece on how banks had failed customers over phishing by continuing to communicate with them by email and failing to warn customers about possible breaches of security, here’s an example from the world of credit card fraud, which still remains the avenue of choice for most scammers.

Gartner reports in a recent ‘FirstTake’ briefing (no URL available) on the recent arrest of 28 members of an alleged cybercrime ring from seven countries. Gartner’s authors, Avivah Litan and Richard Hunter, reckon that the stated activities of the gang — 1.7 million credit card numbers stolen, with financial losses estimated at $4.3 million — don’t “give the entire picture”. The reason: Those figures translate to little more than $2.50 of fraud per stolen card. Much more likely, the two say, is that the gang used a small number of them to perpetrate big frauds, and the rest of the cards weren’t used, or were protected in some way by fraud detection software.

This, Gartner says, raises a question: If your credit card number is stolen, but no one successfully buys something with it, are you informed? No, Gartner says. Issuers “reason that they don’t know whether the card theft will ever result in fraud, and that it costs too much (about $10) and poses too much inconvenience to close an account and issue a new card.” This, sadly, is the same sort of fuzzy logic the bank in yesterday’s piece was using: ‘Our customers’ security has just been compromised but until something bad happens, let’s not worry them about it.’ As Gartner says: “The stolen card information will likely be used one day to commit either new account fraud or card fraud. Consumers would be better protected if they knew their card number had been stolen.”

My suspicion is that banks don’t want to inform customers of the problem, not just because of expense, but because they don’t want to scare them. Credit card fraud is a massive industry, processing, or attempting to process, millions of stolen card numbers a day. Most of those transactions don’t go through, for one reason or another. But how would you feel if your bank was not telling you that your credit card was out there, circulating on the darker corners of the Internet? My guess is you’d rather know about it, just as you’d rather know whether your account is vulnerable to phishers. Ignorance is not bliss.