Tag Archives: Payment systems

Malware Inside the Credit Card Machine

(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the largest U.S. processors in terms of volume (reportedly the fifth largest), began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers of some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof; certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has, however, set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Goertzel, Rugby and the Sweet-talking Scam

The South China Morning Post reports (I’ve got the hard copy here; everything there is behind a subscription wall, so no full link I’m afraid) of a clever scam where the bad guys steal just enough stuff — cards + identity — from a victim to be able to social engineer their way into trust, but not enough for the mark to realise there’s anything missing before the sting. This takes some doing.

This is how it works: The fraudsters swipe a wallet or handbag from under chairs and tables at a weekend sporting event in Hong Kong. They remove the owner’s bank ATM card and a business card, and replace everything else. They then research the individual (presumably online, though they may have access to other information, I guess, from associates on the inside at a bank?).

They then wait a day and call up the mark, identifying themselves as from the victim’s bank, asking for some personal details and then asking if they’ve lost their ATM card. This may be the first time the mark has realised the card is lost. Along with a professional and comforting tone, and any personal details that the fraudster has been able to unearth online, this would further lure the victim into a false sense of security.

It’s then that the fraudster says he will cancel the cards and provide a temporary password once the account holder has typed their PIN into the phone. I like this bit; it would be easier, and tempting, as in other scams (like this one in the UK), to try to persuade the victim to just give out their PIN verbally. But asking them to enter it into the keypad of their phone adds to the ‘illusion of formal procedure’ that social engineering relies so heavily on. The fraudster, of course, is easily able to attach a device to their phone to capture the tones of the PIN and decode it. They could even just record the tones and play them back against a set of tones. (Each digit has a different tone, according to something called dual tone multifrequency, or DTMF. Tones can be decoded using the Goertzel algorithm, via software like this.)
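To show how little protection the keypad gives, here is an added example (my own, not from the SCMP story or from any software the post links to) of the Goertzel detector the paragraph mentions, in pure Python with no signal-processing library. It constructs a stand-in recording of keypad tones (two sine waves per key, then silence), splits it into bursts by energy, and recovers the keys. The DTMF frequencies are the standard ones; the 8 kHz sample rate, burst lengths, frame size and thresholds are my assumptions, and the sample PIN is made up.

```python
import math

SAMPLE_RATE = 8000                     # telephone-grade audio, 8 kHz (assumed)
LOW_FREQS = [697, 770, 852, 941]       # DTMF row ("low group") tones, Hz
HIGH_FREQS = [1209, 1336, 1477, 1633]  # DTMF column ("high group") tones, Hz
KEYPAD = [["1", "2", "3", "A"],
          ["4", "5", "6", "B"],
          ["7", "8", "9", "C"],
          ["*", "0", "#", "D"]]


def key_tones(key):
    """Row and column frequencies for one keypad key."""
    for row_index, row in enumerate(KEYPAD):
        if key in row:
            return LOW_FREQS[row_index], HIGH_FREQS[row.index(key)]
    raise ValueError(f"not a DTMF key: {key!r}")


def synthesize_keys(keys, tone_ms=100, gap_ms=50, sample_rate=SAMPLE_RATE):
    """Constructed stand-in for a phone recording: each key is its two tones
    summed, followed by silence. Returns a list of float samples in [-1, 1]."""
    signal = []
    silence = [0.0] * (sample_rate * gap_ms // 1000)
    for key in keys:
        f_low, f_high = key_tones(key)
        for i in range(sample_rate * tone_ms // 1000):
            t = i / sample_rate
            signal.append(0.5 * math.sin(2 * math.pi * f_low * t)
                          + 0.5 * math.sin(2 * math.pi * f_high * t))
        signal.extend(silence)
    return signal


def goertzel_power(samples, freq, sample_rate=SAMPLE_RATE):
    """Squared magnitude of the DFT bin nearest `freq`, computed with the
    Goertzel recurrence: one frequency, O(N) work, no full FFT needed."""
    n = len(samples)
    k = int(0.5 + n * freq / sample_rate)        # nearest integer bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_tone(samples, sample_rate=SAMPLE_RATE, min_share=0.08):
    """Return the key whose row and column tones dominate `samples`, or None
    when either group lacks a clear peak (silence, speech, a single tone)."""
    n = len(samples)
    energy = sum(x * x for x in samples)
    if n == 0 or energy <= 0.0:
        return None
    # For a sinusoid of amplitude A in an N-sample window, |X[k]|^2 is about
    # (A*N/2)^2, so dividing by N*energy gives that bin's share of the total
    # energy: roughly 0.25 per tone of a clean two-tone burst, near 0 for
    # bins that only receive spectral leakage.
    best = []
    for group in (LOW_FREQS, HIGH_FREQS):
        shares = [goertzel_power(samples, f, sample_rate) / (n * energy) for f in group]
        top = max(shares)
        if top < min_share:
            return None
        best.append(group[shares.index(top)])
    return KEYPAD[LOW_FREQS.index(best[0])][HIGH_FREQS.index(best[1])]


def split_bursts(signal, sample_rate=SAMPLE_RATE, frame_ms=10, threshold=0.05):
    """Split a signal into runs of consecutive frames whose RMS exceeds `threshold`."""
    frame = sample_rate * frame_ms // 1000
    bursts, current = [], []
    for start in range(0, len(signal) - frame + 1, frame):
        chunk = signal[start:start + frame]
        rms = math.sqrt(sum(x * x for x in chunk) / frame)
        if rms > threshold:
            current.extend(chunk)
        elif current:
            bursts.append(current)
            current = []
    if current:
        bursts.append(current)
    return bursts


def decode_keys(signal, sample_rate=SAMPLE_RATE):
    """Recover the key sequence from a recording of keypad tones."""
    keys = [decode_tone(burst, sample_rate) for burst in split_bursts(signal, sample_rate)]
    return "".join(k for k in keys if k is not None)


if __name__ == "__main__":
    pin = "4729"   # constructed sample PIN for the demo, not a real one
    print(decode_keys(synthesize_keys(pin)))   # 4729
```

The point for the defender is that a key pressed on a handset is just two audible tones, and recovering them needs a few dozen lines of arithmetic on a recording; nothing about the keypad makes the PIN any more private than saying it aloud. Real recordings would add line noise, so the burst splitter and the `min_share` threshold are the two places a practical detector needs tuning.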

Once the PIN is handed over, the account is emptied. In the case cited in the SCMP, some HK$47,000 was removed within 82 minutes of the fraudster obtaining the PIN.

So, the obvious and slightly less obvious go without saying:

  • Never give your PIN to anyone, even a smooth-talking fella calling himself “Peter from HSBC.”
  • Regularly check your purse to see whether all your cards are there. If not, cancel them immediately.
  • Don’t put your name cards, or other revealing personal details, in the same place as your credit cards.
  • Don’t ever accept a call from your bank without taking down the person’s name and number and a telephone number you can verify independently (on statements or online). Then call the bank back. Banks don’t like to do this, because it might mean you call them up when they don’t want to, but tough.
  • Give your bank hell every time they call you up and start asking you questions like “you have a credit card with us, is that right, sir? Would you like to up the limit on that card?” This is just asking for trouble, since calls like that are one small step away from a social engineering attack: “Please just give me the card details and some personal information and we’ll increase that limit right away, sir”. If not that, it at least sows the idea in the customer’s mind that their bank phones them, and that somehow that’s OK.
  • Be aware that Google et al. can, when combined, paint a pretty clear picture of who you are, even if you’re not a blogger or other form of online exhibitionist. So don’t be lulled by someone calling who seems to know enough about you to be able to pretend to be someone official.

Anyone at the Rugby Sevens this weekend, take note.

Elitism’s Big Security Hole

You would expect that an elite, premium product or service would be more secure than its lesser, bog-standard one. But after an incident today I’m not so sure.

I happen to have a fancy premium account at my bank. I didn’t really want it, and object to such things on champagne socialist grounds, but it happened that way. So I arrive in town, and am looking for an ATM. I espy the logo of my bank on the airport concourse and head that way. Three members of staff stand around the branch entrance, doing that half-welcoming, half-bouncer thing that staff do. I asked if there was an ATM inside, and they said yes, but instead of letting me in, pointed me back across the vast concourse to the railway terminus. “None in here?” I asked, surprised. By then I was fishing inside my wallet for my ATM card and they caught a glimpse of its fancy charcoal greyness. Their attitude changed in a flash to one of abject obeisance. “This way, kind sire,” they said (or something like that) and ushered me inside the darkened interior, round a couple of corners to my very own ATM machine, before withdrawing to a discreet but accessible distance. Butlers passed bearing flutes of champagne; customers carrying men’s purses perused glossy brochures with names like “Managing Your Family’s Wealth So You Can Have Trouble-free Weekends in Your Phuket Condo With An Office Secretary” or something.

Off-putting, but I was happy to get my hands on some cash. Until I realised I had forgotten my PIN. No problem, one of the staff said, and led me around more corners to a bank of eager customer advisor executives, or something, all with perfect teeth and wide smiles. They happily gave me cash and balances, none of it requiring any proof of identity on my part. I got to suck a sweet while they did. The three bouncers led me outside as if I was the King of Siam collecting tribute.

I was happy with all the deference and genuflecting, but it made me realise that premium service isn’t really about premium service; it means paying through the nose not to be troubled by impertinent little serfs asking me for proof of identity when I want to move millions of dollars around/see my jewelry collection in a bank vault/pass through immigration. It’s actually about dismantling security, not about enhancing it.

It’s a simple equation: Companies charge more fees to these kinds of people, providing what looks like a Rolls Royce service. People love getting star treatment, assuming that fake veneer and snow-white smiles equate to quality. Of course all it really means is that the basic service — in this case the ATM machine — has been moved off to a remote corner for the unwashed who refuse to pay for the premium service. But more importantly, the actual quality that should be a feature of the improved service is severely compromised, if not entirely absent, since the implicit agreement is that customers won’t be asked for proof of identity. That may seem like an advantage to the customer, but if someone had stolen my wallet they would have been able to empty my account without breaking a sweat. They might even have been offered a shoulder massage while the staff counted the money.

There must be a name for this skewed security thinking. And it must apply to all sorts of services.

Me? I’m downgrading my account and rejoining the plebs. It’s safer there: They won’t let me in the branch without flashing my ID card.

Cash With a Human Face

Here’s a useful innovation for foiling scammers stealing money from ATMs with their heads covered to avoid identification: a system which “can distinguish between someone whose face is covered or uncovered, and only grant access to those who bare their faces.”

No face, no dosh

According to Taiwan’s Central News Agency (no story URL available; first paragraph here), the system was developed by a research team headed by Lin Chin-teng, dean of the College of Computer Science, National Chiao Tung University in Hsinchu, “and can deny ATM access to users who have their faces covered”:

The system’s developers said they hoped the device would assist law enforcers in stopping a common crime involving ATMs: thieves disguise their face with motorcycle helmets or masks, even while their images are being captured by ATM surveillance cameras.

Phishers Force UK Banks To Delay Transfers

Another sign that phishing is taking its toll on the quality of service banks can offer online customers: The Times reports that UK banks are introducing delays in intra-bank payments to try to combat fraudulent transfers caused by phishing attacks:

This week Barclays introduced a one-day delay for transfers. A spokeswoman said: “This delay enables us to carry out checks that seek to prevent fraud.” Halifax also introduced delays in the processing of payments this week, as have Royal Bank of Scotland and NatWest, The Times reports today.

Interesting. Inevitable, perhaps, but this degradation in service can only force some customers back to the physical banks, or to less appealing and less cost-effective services like phone-banking. Running checks on every Internet transfer is going to be time-consuming and expensive for banks. What does this do to banks’ hopes that online banking would effectively replace the high street bricks-and-mortar model?

Cellphone Terrorism

My old colleague Nick Cumming-Bruce writes in today’s IHT on Thailand’s demand that prepaid cellphone users register before they get a SIM card as police continue on the trail of cellphone terrorists.

Interesting piece: the basic idea is that you must hand over your name and address before getting a phone number as a measure to deter terrorists, who have been shown in Thailand and elsewhere to use phones to organise attacks and trigger bombs. Roaming customers visiting Thailand may also have to register.

But how effective is this going to be? First off, I think the practice of prepaid registration is more widespread than this. When I was in Australia last year I had to submit to questioning over the phone by a network employee, who disarmingly assessed whether I was who I said I was before he activated the card.

The other thing is that there’s no way this kind of thing would work except in places where the cost of a prepaid card is high enough to deter fraud, and even then it probably wouldn’t. In a place like Indonesia — where cellphones have been widely used by terrorists to plan, coordinate and trigger attacks — people buy SIM cards for as little as $2; what’s to stop a thriving gray or black market in these cards appearing, as folk offer themselves as registrants? Needless to say, there are 100 reasons why people don’t want others to know — especially, but not only, the government — what number they’re using, and they may have nothing to do with blowing things up.

Wrong solution to a problem, I think. If you really wanted to do this properly, I would go for the credit card solution: Use software to track usage patterns and look for unusual behaviour. Cellphone data must be massive but it must also reveal all sorts of interesting data that is not necessarily personally intrusive: where someone is, how they use their phone — voice, SMS, MMS, GPRS — and how often they use it. Monitoring this kind of data would take some time, but it might reveal patterns of usage that expose terrorist-like behaviour.

Terrorists, for example, tend to keep a phone for just certain calls, so usage is very low. Of course, that also describes grandmothers given a phone for emergencies, but coupled with location data — terrorists tend to move around quite a lot — and other data might offer some revealing glimpses.

Maybe this is already being done. For sure, security agencies must have been mining the historical data of phones used by captured terrorists: Interesting patterns may be contained therein. But my tuppence worth is that forcing folk to register their SIM cards is not going to deter terrorists: It’s just going to force them to use a more clandestine channel. Much better to keep them in the open and find a better way of looking for clues there.

Email For A Survey

AlienCamel, the email service I’ve mentioned in the past that does a pretty good job of keeping out spam and viruses, is offering a year’s Clean Email in return for feedback:

We are looking for 50 special users who are willing to give us some feedback about our email service from time to time. In return, we will give you a year’s subscription to AlienCamel’s “Clean Email” service for free.

You must sign up, however, which means having a PayPal account.

A New Phish?

Not sure if this is new but I’ve not seen it before: A clever new piece of social engineering in a phishing email.

You have added phoneseller@yahoo.com as a new email address for your PayPal account.

If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service at:

https://www.paypal.com/row/wf/f=ap_email

Thank you for using PayPal! The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the “Help” link in the header of any page.

Of course, viewed in plain text the address is not PayPal at all, but some Czech corner of the dark web, but the idea that someone may have gotten into your PayPal account and added or changed your email address might just be enough to get you to click on the link without scrutinizing it too carefully.