Slashdot Mirror


Huge Credit Fraud Ring Sends Europeans' Data To Pakistan

marshotel excerpts from a story at the Wall Street Journal: "European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case. Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd."

166 comments

  1. Walmart & Tesco by Anonymous Coward · · Score: 0

    Walmart & Tesco are the same thing. If it means making more money they'd happily sell the info to Pakistan

    1. Re:Walmart & Tesco by Anonymous Coward · · Score: 0, Troll

      Those filthy arab sandniggers are the source of the world's problems and they should be exterminated.

    2. Re:Walmart & Tesco by Anonymous Coward · · Score: 1, Funny

      Hey now Walmart isn't that bad. Sometimes you can find a good sale.

    3. Re:Walmart & Tesco by kdemetter · · Score: 1

      :-)
      ( Wish i had mod points )

    4. Re:Walmart & Tesco by Ambient+Sheep · · Score: 1
      > Walmart & Tesco are the same thing.

      Yeah, only they're not. Wal-Mart own Asda. Tesco is a completely different company.

      They ARE arch-rivals, though.

  2. Wal-Mart UK? by Anonymous Coward · · Score: 2, Informative

    big retailers including a British unit of Wal-Mart Stores Inc.

    Meaning Asda, I guess?

    1. Re:Wal-Mart UK? by Soruk · · Score: 3, Informative

      Yes - TFA says as much.

      --
      -- Soruk
    2. Re:Wal-Mart UK? by Anonymous Coward · · Score: 0

      Yup. Although last I heard (which was a lil while ago and through completely unreliable sources) Walmart was trying to unload Asda because of a lack of profit. Having worked at a few of their stores across the country this doesn't surprise me in the slightest due to the amazing amount of managers only there to make themselves feel important, and the complete lack of organisation and communication between all parts of the company.

  3. Credit cards are evil. by Anonymous Coward · · Score: 2, Insightful

    The ONLY reason you actually need one is to travel.

    1. Re:Credit cards are evil. by Anonymous Coward · · Score: 1, Informative

      But I like my cash rewards, nearly two percent of my total bill that I pay off in full every month, so I make a couple hundred bucks a year. I also enjoy the convenience of almost never having to deal with cash. (Mark of the beast, here I come!)

    2. Re:Credit cards are evil. by VJ42 · · Score: 4, Informative

      Or (here in the UK) for purchasing anything over the value of £100, as if said purchase is in any way faulty the credit card company is just as liable as the retailer and/or manufacturer. Buy a broken computer/fridge/TV etc.? Sue the credit card company for your money back, and let them find out who was at fault for the broken goods, it's not your problem (Yay for British consumer protection laws).

      --
      If I have nothing to hide, you have no reason to search me
    3. Re:Credit cards are evil. by Anonymous Coward · · Score: 2, Funny

      So you're the asshat that's making everything I purchase cost two percent more. I'll get you! I'm going to make stupid and risky investments and make you bail me out! Hahahahahah!

    4. Re:Credit cards are evil. by Naughty+Bob · · Score: 3, Informative

      Over £100, but under £30,000.

      And you don't have to 'Sue', so much as prove to the CC company that you are due the cash.

      Agreed though, on the Yay for the consumer protection laws. It's not just good for the consumer either- I regularly use my credit card when I don't technically need to, specifically for this guarantee. I am not alone.

      Consequently, the CC companies benefit hugely from this.

      --
      "Be light, stinging, insolent and melancholy"
    5. Re:Credit cards are evil. by negRo_slim · · Score: 1

      And you don't have to 'Sue', so much as prove to the CC company that you are due the cash.

      Isn't there a similar system in the US? To where you can dispute charges? I assumed this to work for any instance in which the seller was at fault. Although I am not well versed in US credit, I tend to buy locally, with cash, and get those preloaded MasterCard/Visas for internet purchases.

      --
      On the Oregon Coast born and raised, On the beach is where I spent most of my days
    6. Re:Credit cards are evil. by plover · · Score: 5, Informative

      In America, the credit liability laws limit the consumer's exposure for fraudulent use of a card to $50. In practice, I've found most banks actually cover their customers 100%. You have to swear that it was theft, of course, and perhaps sign an affidavit, and if it turns out that you were the "thief" you will be prosecuted for fraud.

      Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods. For the rest of them, if you are unsatisfied with a credit transaction you can withhold payment from your credit company while you dispute the transaction, but there's paperwork involved. It's not particularly easy, and it's likely to go on your credit report.

      Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.

      --
      John
    7. Re:Credit cards are evil. by Anonymous Coward · · Score: 0

      lol i get 5% on gas :P

    8. Re:Credit cards are evil. by Anonymous Coward · · Score: 0

      Yes, we have that in the US as well. All of the major cards - Visa, MC, AmEx, Discover - will credit your account within a couple of days if you notify them of a bogus transaction.
      Don't really need any proof either - the vendor gets a "Chargeback Notice" and gets to attempt to prove their case that the sale was legit and was made to the correct person. If they can't, well, they lose. If they can, however, the card company will charge your account again and/or bill you for it.

    9. Re:Credit cards are evil. by Anonymous Coward · · Score: 0

      The particular bank I do business with actually DOES cover me in the case of ID theft. They have a program that costs about 3 dollars a month. Said program means that within 24 hours any money fraudulently removed from my account (All I have to do is go into a branch and sign an affidavit that I didn't authorize the charges) will be returned. *Shrugs* And this is why I don't bank with the big huge banks.

    10. Re:Credit cards are evil. by hairyfeet · · Score: 1

      Yep, same here. I just got to use mine recently as I bought a cheap PC for a client during one of those labor day sales and the company double dipped (charged me twice for one order) and all I had to do was talk to one of the nice gals at the bank and my money was back in 24 hours along with an apology for taking a whole day! She even called me personally to apologize and let me know the money was back in my account! I agree, why anyone would want to use one of the big banks where you are just a number to them I'll never know. I'll never go back to the big banks ever again.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:Credit cards are evil. by innocent_white_lamb · · Score: 2, Interesting

      I get 10% on my gasoline purchases from our friendly local Co-op.

      --
      If you're a zombie and you know it, bite your friend!
    12. Re:Credit cards are evil. by Achromatic1978 · · Score: 1

      Nothing to do with 'bogus transactions'. If the goods are not working as intended, and you're getting the slightest bit of grief, even down to unreasonable "6-8 weeks for replacement", you just cancel the transaction and buy it somewhere else.

    13. Re:Credit cards are evil. by Anonymous Coward · · Score: 0

      The reason you don't have to sue is because they know it is their responsibility.

      I'm not sure of the whole 30k top limit though, we weren't taught that in undergrad law?

      Perhaps the card companies are willing to bother going to court on the off chance they won't have to pay 30k or more?

    14. Re:Credit cards are evil. by zippthorne · · Score: 3, Interesting

      Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.

      Although they do not have a statutory obligation, many banks do offer a contractual obligation that appears at first glance to exceed the statutory one for CCs. It's been a few years and there haven't been any big exposés on debit card weaselly contracts, so I'd consider switching from debt based plastic to debit.

      Any lawyers who've examined some of the basic debit card agreements?

      --
      Can you be Even More Awesome?!
    15. Re:Credit cards are evil. by xaxa · · Score: 1

      If you buy flights from a crappy airline on a credit card in the UK, and the airline then goes bankrupt, you can claim the money back from the credit card company -- it's then their problem to claim back from the bankrupt airline (good luck to them...).

      (Just one example of the CC company being responsible for the goods/services.)

    16. Re:Credit cards are evil. by TheLink · · Score: 2, Insightful

      Lots of smart people have recently proven to the world that it's best to risk OTHER people's money. And that is why credit cards are better than debit cards.

      Seriously: With credit cards when stuff goes wrong, it's not YOUR money that's gone. It's other people's money. They may try to get it from you, but it's still YOUR money till they succeed.

      With debit cards, when stuff goes wrong, it's YOUR money that's gone. You may try to get it from the bank, but meanwhile you do NOT have that money till they decide to give it to you.

      That is a big strategic difference. If you do not see the difference, may I borrow lots of money from you? I promise to pay you back eventually.

      --
    17. Re:Credit cards are evil. by gilgongo · · Score: 1

      The ONLY reason you actually need one is to travel.

      Well, that and to make money, if used in the following way:

      1. Open a card account that lets you get cash out into a bank account for free (there are a couple of those here in the UK)

      2. Apply for a credit card with a 0% introductory "balance transfer" offer (there are many of these, some charging no fees for the transfer, others about 2-3%)

      3. Pretend you have massive debt. Until recently most companies would lend you about £10K if you had a decent credit rating.

      4. Get them to "pay off" the card you opened in Step 1.

      5. Move that money from the card in Step 1 into a high-interest bank account for the duration of the introductory offer (usually about 5-12 months)

      6. Give the money back at the end of the period, and keep the interest. Rinse and repeat. You should be able to build up a huge amount of "debt" secretly making you money.

      Of course, it kills your credit rating, and if your bank collapses, you may be utterly screwed if you're due to hand back a lot of money, but it should pay for the odd plasma TV or quad bike now and then.

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
    18. Re:Credit cards are evil. by Ambient+Sheep · · Score: 1

      I thought step 4 was illegal, in that you're not allowed to do a balance transfer that would result in the target card ending up in credit? I remember a couple of years ago when I paid off one credit card with another (that had a much lower interest rate, but not zero), I had to make very sure that I didn't accidentally pay too much off. Do they really not check the balance of the target card?

    19. Re:Credit cards are evil. by IdleTime · · Score: 1

      Ahh no...
      Here in the US, the consumer is at fault in those cases. No protection exists. Shit out of luck!

      It's the wonders of an unregulated consumption credit card run economy. Here the credit card companies actually bribed some states into lowering the requirements on the companies and gave them free hands to take whatever interest they want. Here in the US, the credit card companies make the rules and the consumer is fucked.

      It's also funny to hear all the idiots who think they get free money from the credit card companies in form of rewards. It's the best scam these credit card companies have come up with so far.

      --
      If you mod me down, I *will* introduce you to my sister!
    20. Re:Credit cards are evil. by IdleTime · · Score: 0, Troll

      Other people's money means that money is my money. And I like my money and have no interest in you scamming me out of it with your stupid greed.

      Only an idiot like you would think other people's money is nobody's money. Why should I pay for you?

      --
      If you mod me down, I *will* introduce you to my sister!
    21. Re:Credit cards are evil. by asc99c · · Score: 1

      I'd have said credit cards are great but some people are idiots.

      You can choose to set up a direct debit to pay off the full card balance every month. Then you get to keep 1 to 2 months interest on money you've already spent, get protection on the things you've bought, maybe get cashback or airmiles or other rewards, and don't have to pay a penny for the privilege.

      I put my work expenses on a 0% credit card and when my company pays the expenses, I put the money in a savings account. The interest over the year adds up to about £600 (over $1000).

      Obviously, this takes some discipline. There's a 5-figure savings account with my name on it - but it's not my money.

  4. Once a grocer by G3ckoG33k · · Score: 2, Funny

    "Once a grocer, always a grocer."

    Said by Penelope Keith (as Audrey fforbes-Hamilton) in "To The Manor Born" (http://en.wikipedia.org/wiki/To_the_Manor_Born) to Marjory Frobisher (played by Angela Thorne) about Richard DeVere (played by Peter Bowles) a nouveau riche millionaire supermarket owner.

    How that applies here too!

    1. Re:Once a grocer by hobbit · · Score: 1

      How does it apply? Presumably this fraud is not perpetrated by Tesco or Wal-mart; they have simply employed people who have inserted rogue devices into credit card readers.

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
    2. Re:Once a grocer by Anonymous Coward · · Score: 0

      As vas alzo ze case in old Czechoslovakia.

      Sincerely,

      Mrs. Poo

    3. Re:Once a grocer by plover · · Score: 4, Insightful

      The article doesn't say where the rogue devices were installed, although they insinuated they may have been placed there in a Chinese factory. The limited number of devices containing the bug and the spread across various retailers hints that they probably weren't placed there by employees of the retailers: they may have been installed during manufacturing, packaging, or possibly during maintenance.

      These retailers are big enough that they all likely contract with a third party to perform their hardware repairs. It's possible that a corrupt repair person was responsible for installation of the bugs.

      --
      John
  5. Awkward language by Anonymous Coward · · Score: 1, Insightful

    "a British unit of Wal-Mart Stores Inc." means Asda to any Brits reading this.

    1. Re:Awkward language by zippthorne · · Score: 1

      I've never been good with British units. What's the SI unit for Wal-Mart Stores, Inc?

      --
      Can you be Even More Awesome?!
    2. Re:Awkward language by mspohr · · Score: 1

      Four Wal-Marts equal one Library of Congress.

      --
      I don't read your sig. Why are you reading mine?
    3. Re:Awkward language by xaxa · · Score: 1

      Libraries of Congress aren't SI, I think you meant Bibliothèque nationale de France.
      1 Library of Congress ~= 0.1 Bibliothèque nationale de France.

    4. Re:Awkward language by mspohr · · Score: 1

      d'accord

      --
      I don't read your sig. Why are you reading mine?
  6. I'm impressed. by Anonymous Coward · · Score: 1, Insightful

    Milkpowder or card readers, the lesson stays the same: Don't trust the Chinese.

    1. Re:I'm impressed. by Yvan256 · · Score: 2, Funny
    2. Re:I'm impressed. by larry+bagina · · Score: 1

      don't forget about the dog food and toothpaste.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    3. Re:I'm impressed. by grub · · Score: 1

      We were getting at Toys-R-Us the other day picking up a small child's birthday gift. In the cash line there were some Hannah Montana cookies ("Hand Decorated") on the impulse-buy racks. I looked at one: "MADE IN CHINA"

      What the fuck? Surely Disney has enough money that they could have FUCKING COOKIES made by someone on this side of the ocean. But no, surely some businessman found they could save a few cents per cookie to have them made there.

      --
      Trolling is a art,
    4. Re:I'm impressed. by hobbit · · Score: 1

      WHY DO YOU HATE AMERICA?!

      (Wal-Mart are required by US law to maximise their shareholders' profits...)

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
    5. Re:I'm impressed. by grub · · Score: 3, Funny

      WHY DO YOU HATE AMERICA?!

      Because I'm Canadian?! :)

      Anyhow, this was at a Toys-R-Us, not WalMart (they aren't the same company, are they?)

      --
      Trolling is a art,
    6. Re:I'm impressed. by Anonymous Coward · · Score: 0

      Fuck Canadia?! :)

    7. Re:I'm impressed. by Arthur+B. · · Score: 1

      (Wal-Mart are required by US law to maximise their shareholders' profits...)

      Nope. The management has a contractual agreement with the shareholders.

      --
      ☭ = 卐
    8. Re:I'm impressed. by mr100percent · · Score: 1

      It's not required by law, though the shareholders can replace the board if they do not maximize profit (look at what happened to Yahoo)

  7. Bank insurance + separate account. by Janek+Kozicki · · Score: 1

    Well, I'm just glad that my current bank provides free insurance up to 50k EUR (while maximum I had on my account is 10 times less than that ;). This insurance works in a very nice way - I can come at a maximum a week later and tell them that some transaction was bogus (means that I discovered that some money disappeared from my account without my authorization). And they will revert that transaction if it's below 50k EUR. I don't know how it works - never tried. Probably I will need to prove it somehow, otherwise I could be buying stuff all around and revert those transactions all time.

    But that's in fact my temporary bank account, and for my primary bank account I will never allow to have an online-capable credit card. It's just too easy to get id stolen. Buying stuff online is very useful, but (unfortunately) for safety it requires a separate bank account (in my case with VISA) which has less money and is easier to control.

    --
    #
    #\ @ ? Colonize Mars
    #
    1. Re:Bank insurance + separate account. by Anonymous Coward · · Score: 0

      Speaking of "insurance", wonder if they have enough customers' account data to institute an organized bank run across a multitude of banks? Many banks might be highly susceptible to such an attack with the current economic situation.

    2. Re:Bank insurance + separate account. by mattbee · · Score: 4, Informative

      How kind of your bank to not debit your account for transactions you didn't authorise :) Seriously, you don't need insurance against *them* being defrauded. If someone asks your bank to give them money while pretending to be you, it is the *bank* who has been defrauded, not you. "Identity theft" is a cute term the banks invented to turn the poor security architecture in their payments network into their customers' problem.

      --
      Matthew @ Bytemark Hosting
    3. Re:Bank insurance + separate account. by mgcarley · · Score: 1

      I may be remembering a few details incorrectly, but the 50k EUR limit is kind of arbitrary too.

      A standard IBAN transfer to any of the Eurozone countries can't exceed 50k EUR without having to go through some other process anyway.

      I can send even less if I'm trying to send outside the EU (I think it's 12,500 EUR), and in any case, transactions over a given limit usually have to be reported (the amount varies by country).

      For this reason, if someone does gain access to an "average joe" account, the "magic number" is between 1,500 EUR and 1,800 EUR per transaction - too much higher than that (eg 5,000 EUR) and someone will notice, the recipient won't be allowed to pick up their cash because the computers will red-flag it and freeze the recipient's account: that is, unless the account has transactions of that size all the time, but then it's probably not an "average joe's" account.

      --
      Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
  8. Screw credit cards... by Bombula · · Score: 5, Funny

    To hell with credit cards and plastic. This kind of danger is why I only use cash and keep all my money in a Washington Mutual bank account, where it's safe...

    --
    A-Bomb
    1. Re:Screw credit cards... by the_bard17 · · Score: 1

      Ppppphhhhhhttttt.

      I've found it's simply safer to spend it just after it hits my bank account. Then I don't have to worry about having it stolen. ;oD

    2. Re:Screw credit cards... by ScrewMaster · · Score: 5, Funny

      Ppppphhhhhhttttt.

      I've found it's simply safer to spend it just after it hits my bank account.

      Yeah, most Americans do that. It goes awful fast nowadays. Like the old Depression-era joke:

      Two men are sitting next to a hot dog stand having lunch. One looks down at his meal and says, "You know, one end of this thing tastes like hot dog, and the other tastes like bread."

      The other guy responds with "Yeah ... these days it's hard to make both ends meat."

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Screw credit cards... by Cyberax · · Score: 1

      Sir? I'm sorry sir, but there was a call. Your house has burned down.

    4. Re:Screw credit cards... by FooAtWFU · · Score: 1

      Yes! And isn't it nice to know that your WaMu bank account* is safe? Unlike, say, your WaMu stock.

      (*Now a JPMorgan Chase bank account. Safe up to $100,000 - er, I mean, $250,000.)

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    5. Re:Screw credit cards... by Anonymous Coward · · Score: 0

      To hell with credit cards and plastic. This kind of danger is why I only use cash and keep all my money in a Washington Mutual bank account, where it's safe...

      Even after Washington Mutual has busted into bankruptcy and is being bought by another bank?

    6. Re:Screw credit cards... by Anonymous Coward · · Score: 0

      Dude. It's called the FDIC. Maybe you've heard of it?!

    7. Re:Screw credit cards... by Achromatic1978 · · Score: 1
      You realize that the FDIC currently has $52B deposited with it... enough to cover less than two per cent of the amount covered under FDIC insurance for all deposits. When IndyMac bank went bankrupt, they chewed through $9B of that alone.

      In regards to the above issue, too, the FDIC does not insure against theft or fraud at the institutional level, nor securities and other things.

  9. Payback by mildbrew · · Score: 0, Flamebait

    Seems a small compensation for 150 years of British Grand thievery of India among many other nations. Britain is built upon stolen loot mainly from India, so let them bring the wealth back one credit card at a time.

    btw while you all are at it, can you try to recover the Koh-i-Noor diamonds stolen by the Queen of thieves.

    ttfn

    1. Re:Payback by Anonymous Coward · · Score: 0, Funny

      fuck off back to curry land

    2. Re:Payback by Anonymous Coward · · Score: 1, Funny

      Burnley?

  10. ohmygod!! by thermian · · Score: 0, Flamebait

    Well obviously every European is a terrorist. Excuse me, I have to go get myself a firing squad appointment.

    --
    A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
    1. Re:ohmygod!! by Anonymous Coward · · Score: 0

      What are you getting defensive about exactly?

  11. Which probably explains.... by Angostura · · Score: 4, Interesting

    ... why my local Tesco changed every one of its chip-and-PIN readers to a new make and model about 2 months ago. At this point you're probably wondering which make the old devices were, and I can't for the life of me remember. Sorry.

    1. Re:Which probably explains.... by Soruk · · Score: 1

      Yes, I'd noticed that too, in both the store near where I live and the one where I work. I wondered what was happening.

      And, likewise unfortunately I can't remember what the old ones were.

      --
      -- Soruk
    2. Re:Which probably explains.... by g_attrill · · Score: 1

      My local Sainsbury's recently changed all their readers from Dione to (I think) a VeriFone device. The Dione PEDs didn't seem to stand up to the volume of usage though, the rubber buttons often didn't work, and a few times they had actually come out of the unit and needed pushing back in.

    3. Re:Which probably explains.... by ChrisRed · · Score: 1
      I'm pretty sure the old ones were Dione keypads - they were dark grey, quite blocky in style, and with an old-fashioned looking screen. The keys on them were also really prone to wearing out, especially the zero key for some reason.
      These ones - http://www.epos-epos.co.uk/retail_till_systems/chip_and_pin_card_reader_terminals.htm
      The new ones are much sleeker looking, but look as though they have equally dodgy keys. I can't find a picture of them though.

      As an aside, I was in a Tesco store recently when the staff were going around disconnecting all the chip and pin readers and weighing them. I overheard them chatting at the customer service desk, and they weren't sure why but they were looking for any which didn't weigh the same as the rest.

  12. Good quick title edit.. by pcardno · · Score: 4, Funny

    ...shame my RSS feed still has it as "European's". I was wondering who this poor unlucky chap was, why defrauding him was so huge and quite how it managed to be a ring with only one person..

    --
    --- Band: Joey Ultra
    1. Re:Good quick title edit.. by Dirtside · · Score: 2, Funny

      Well, if you're a small-time fraudster, it only takes a one-man ring to rule the mall.

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  13. Bah. Typically pointless article summary by sudog · · Score: 0

    Why bother summarising the article if you're not going to do an actual summary?

  14. One-Time Passwords for Transactions by Doc+Ruby · · Score: 4, Insightful

    I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

    Every login to my account from an insecure location (which might exclude my home and office PC, if they've got certificates installed) should consume a one-time password that cannot be replayed for some later, unauthorized transaction. In fact each OTP should be attached to a specific dollar amount and recipient, with an expiration on the transaction after which even that transaction cannot claim money, or get any access at all.

    Attempts to replay the transaction should automatically notify the FBI and the bank's security. I should get a notice of any risk warning above some level that I set, and a security statement listing the notices and their resolution with each monthly bill.

    Eventually, people whose ID has been pirated will routinely get that security regime alternative after finding someone liable to pay for it. We should all move to that regime ASAP, rather than wait for the damage to force our hands.

    --
    make install -not war

    1. Re:One-Time Passwords for Transactions by Anonymous Coward · · Score: 0

      Good luck with that. I can't even get my bank to give me separate PINs for ATM and POS transactions.

    2. Re:One-Time Passwords for Transactions by hobbit · · Score: 2, Funny

      This is the TLA police; we're doing the WWW rounds tonight and you're SOL.

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
    3. Re:One-Time Passwords for Transactions by ScrewMaster · · Score: 3, Interesting

      Well, ATM security is based around the idea of limiting or preventing losses due to external access, having no benefit whatsoever if the system itself is compromised. Also, given how easy it is for anyone (even an ex-con who was put away for wire fraud and helped with an MSNBC exposé on the subject) to buy an ATM machine directly from the manufacturer and get it tied into the banking network ... well. There was a big theft ring with several hundred compromised ATMs that was busted up in New York a few years ago, millions of dollars in losses. I thought then that it was only the tip of the iceberg, and it appears I was right.

      The things aren't exactly trustworthy to begin with, and given the security track record of companies like Diebold, I find ATMs a risky way to get money. I will sometimes use the one inside my bank, but it's not that hard to go the cashier or the drive-up and get cash. Forget about using the "Money Machine" at the local gas station.

      --
      The higher the technology, the sharper that two-edged sword.
    4. Re:One-Time Passwords for Transactions by ScrewMaster · · Score: 1

      My bank doesn't go as far as you're talking about, but at least they signature every machine allowed to connect to my account. I'm not sure what it is that they do, exactly. I know there's a bunch of cookies involved (I think. Just for grins, I tried copying them to my laptop to see if it would let me in but it wouldn't.)

      Yeah, there's any number of better approaches to financial security than are being used now, none of which are free, and none of which banks really see a reason to spend money on. It's pretty obvious at this point that any collateral damage caused by poor security is acceptable to them. Maybe a bit rough on the rest of us though.

      --
      The higher the technology, the sharper that two-edged sword.
    5. Re:One-Time Passwords for Transactions by Anonymous Coward · · Score: 0

      Goddamn POS transactions.

    6. Re:One-Time Passwords for Transactions by Anonymous Coward · · Score: 2, Insightful

      I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

      No need for that. What would be nice is a smartcard with keypad and an RSA certificate on the card, signed by a certificate authority (the bank), that connects to the home bank's server. You enter the PIN on the card itself. The ATM is just a conduit for the RSA key exchange. The transaction won't work unless both the smartcard and the bank see signed certificates.

      It's trivial to add replay protection, and you can't break this without breaking SSL, cloning the bank's certificate authority, or cloning the RSA certificate on the card and observing the PIN.

    7. Re:One-Time Passwords for Transactions by Anonymous Coward · · Score: 0

      Well, ATM security is based around the idea of limiting or preventing losses to the bank

      Fixed that for you

    8. Re:One-Time Passwords for Transactions by plover · · Score: 1

      If an American bank were to issue Visa smart cards with a pocket-carried one-time-PIN generator, would you really switch to them? What if their interest rate or cash-back bonuses weren't quite as competitive as your current bank?

      --
      John
    9. Re:One-Time Passwords for Transactions by Anonymous Coward · · Score: 0

      What about online and phone transactions?

      Unfortunately, a twenty digit number + security code is about the limit of reasonableness as far as filling in online forms and calling in infomercials. And systems going offline is still a very real issue--companies need to be able to accept credit orders even when their network kicks (which involves calling up the credit card company and dialing in the credit card number). Not to mention orders which are not billed until the items are shipped, monthly debits (such as for an online game or netflix), and onsite services. (pest control or plumbers will frequently take down your credit information but bill it later)

      It's important to remember that the goal here is not to eliminate fraud, but to minimize the net cost, which includes both fraud and technology upgrades. It will probably be a fair while before it is more reasonable to switch everything over to 256-bit rolling codes than it is to simply reimburse a small margin of customers for fraudulent transactions.

    10. Re:One-Time Passwords for Transactions by icknay · · Score: 1

      The point is ... the vendor that uses tech to eliminate fraud will have more money, so they can pay *better* interest or rewards or whatever.

      Public key crypto is, what, 15 years old now? I'm a little baffled that credit cards and ATM cards remain so primitive.

    11. Re:One-Time Passwords for Transactions by Doc+Ruby · · Score: 0

      My OTP card wouldn't work on all those random convenience store ATMs. I might as well just avoid them. At my own bank, whose ATMs would take my OTPs, I basically trust them not to screw up the security, because they have so many other opportunities to screw me, too. Once I trust them at that level, as I must, I might as well trust their ATMs with my PIN each time.

      Until all those random ATMs take the OTPs, we're SOL.

      --
      make install -not war

    12. Re:One-Time Passwords for Transactions by Doc+Ruby · · Score: 0

      The true cost over the past 10 years of not switching at least most ATMs to OTPs now includes the cost of this "huge credit fraud ring", and any others as yet unreported. To say nothing of the next 5 years, before they could be sufficiently rolled out. Especially with all that extra money the banks have lying around now to invest in longterm benefits :P - the last 5 years they were rolling in it, and didn't bother.

      --
      make install -not war

    13. Re:One-Time Passwords for Transactions by plover · · Score: 1

      The OTP card would indeed work at any ATM or cash register that takes PIN-based debit cards. You put your card in the pocket generator and generate a PIN. You then put your card in the ATM or the register where it reads your mag stripe, and enter the PIN still displayed on the pocket generator.

      The ATMs or the registers don't know the real PIN, and they don't have to read the smart card. They can just use the mag stripe, and you don't have to care.

      The point is now even if the ATM is run by Tony Soprano and has a card skimmer and PIN-pad skimmer built right in, they cannot reuse your PIN to authorize a second transaction. That mag stripe is useless to them.

      --
      John
    14. Re:One-Time Passwords for Transactions by Doc+Ruby · · Score: 0

      OK.

      The costs at that bank of doing business should be lower than banks with worse security, as the OTP system is a lot cheaper than the losses. So my banking with them shouldn't cost any more, or earn me any less, with the security.

      If the OTP client were software for my phone, instead of carrying a separate dongle, I might be willing to pay extra for it, even though that would also lower the bank's costs, which should be passed on to me.

      In fact, since these banks should be competing with each other, especially now that they've got so much less to offer (as they've burnt down their advantages into the current crisis), their lowered costs from better security should enable them to market themselves to me with a better net income to me. If they're not, that's more evidence that the banking system is still rigged to protect the banks from their own bad decisions, and force customers to always bear their costs of stupidity.

      --
      make install -not war

    15. Re:One-Time Passwords for Transactions by mpe · · Score: 1

      I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

      The 3 digit cardholder verification number has the same issue. Any transaction can give the entity you transact with all the information they need to make other transactions against your card. If they store this information in an insecure way (e.g. Best Western, TK/J Maxx, etc) then things get worse. There really isn't any good reason to be storing this information at all. Arguments that this is for "customer convenience" just don't add up, even for frequent customers.

      Every login to my account from an insecure location (which might exclude my home and office PC, if they've got certificates installed) should consume a one-time password that cannot be replayed for some later, unauthorized transaction.

      It makes more sense for such a system to be used for every transaction. Assuming that a communication is secure when it is not is a big risk. But assuming that it is insecure when it actually is secure isn't really a problem.

      In fact each OTP should be attached to a specific dollar amount and recipient, with an expiration on the transaction after which even that transaction cannot claim money, or get any access at all.

      You'd need this one-time authority to be compatible with existing systems. Also, if you want the history of usage stored, there may be issues with how many unique IDs the card issuer can generate.
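      The scheme sketched in comments 6 and 15 above (a card-held secret that authorizes one specific transaction, with replay protection and an expiry) can be modelled in a few dozen lines. This is an added illustration, not code from the thread or from any bank; the card identifier, key handling and the use of an HMAC rather than the RSA signature the earlier comment proposes are assumptions made to keep it runnable with the Python standard library. The point it demonstrates is that a skimmed authorization code is useless to anyone but the original payee for the original amount, and only once.

```python
"""Transaction-bound one-time authorization code (added example, not from the thread).

A card-side secret computes a MAC over the exact transaction (card id,
counter, amount, payee, expiry).  The issuer re-computes it, enforces a
strictly increasing per-card counter and an expiry, so a captured code
cannot be replayed, re-pointed at a different payee or inflated.
Card ids and keys below are made up for the demo.
"""
import hashlib
import hmac
import secrets
import struct


def _mac(key: bytes, card_id: str, counter: int, amount: int, payee: str, expiry: int) -> bytes:
    # Length-prefix every field so that no two field combinations encode the same way.
    fields = (card_id.encode(), struct.pack(">Q", counter), struct.pack(">Q", amount),
              payee.encode(), struct.pack(">Q", expiry))
    msg = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Models the keypad smartcard / pocket generator held by the cardholder."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key          # never leaves the card
        self.counter = 0         # monotonically increasing, one step per authorization

    def authorize(self, amount_cents: int, payee: str, now: int, ttl: int = 300) -> dict:
        self.counter += 1
        expiry = now + ttl
        tag = _mac(self._key, self.card_id, self.counter, amount_cents, payee, expiry)
        return {"card_id": self.card_id, "counter": self.counter, "amount": amount_cents,
                "payee": payee, "expiry": expiry, "tag": tag}


class Issuer:
    """The home bank: holds the card keys and the last-seen counter per card."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enroll(self, card_id: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return Card(card_id, key)

    def verify(self, auth: dict, now: int) -> tuple:
        key = self._keys.get(auth["card_id"])
        if key is None:
            return False, "unknown card"
        if now > auth["expiry"]:
            return False, "expired"
        if auth["counter"] <= self._last_counter[auth["card_id"]]:
            return False, "replay"
        expected = _mac(key, auth["card_id"], auth["counter"], auth["amount"],
                        auth["payee"], auth["expiry"])
        if not hmac.compare_digest(expected, auth["tag"]):
            return False, "bad tag"          # amount, payee or expiry was altered in transit
        self._last_counter[auth["card_id"]] = auth["counter"]
        return True, "ok"


def demo() -> tuple:
    """Runs the honest transaction, a replay, a tampered amount and a stale code."""
    issuer = Issuer()
    card = issuer.enroll("card-demo-0001")
    now = 1_700_000_000
    auth = card.authorize(4250, "GROCER-123", now)           # counter 1
    first = issuer.verify(auth, now)                          # accepted
    replay = issuer.verify(auth, now + 10)                    # same code again: rejected
    auth2 = card.authorize(4250, "GROCER-123", now)          # counter 2
    tamper = issuer.verify(dict(auth2, amount=425000), now)   # skimmer inflates amount: rejected
    auth3 = card.authorize(100, "BAR-2AM", now)               # counter 3, valid for 300 s
    stale = issuer.verify(auth3, now + 1000)                  # presented too late: rejected
    return first, replay, tamper, stale


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

      The issuer checks expiry before the counter so that a stale code does not burn the counter; the tampered code is rejected on the tag rather than the counter because it carries a fresh counter value. A real deployment would run the MAC under a per-transaction session key and bind the terminal identity as well, but the replay and binding properties are the ones the thread is arguing about.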

    16. Re:One-Time Passwords for Transactions by mpe · · Score: 1

      If an American bank were to issue Visa smart cards with a pocket-carried one-time-PIN generator, would you really switch to them?

      Aren't all US banks now effectively owned by the US Government anyway...

    17. Re:One-Time Passwords for Transactions by mpe · · Score: 1

      In fact, since these banks should be competing with each other, especially now that they've got so much less to offer (as they've burnt down their advantages into the current crisis), their lowered costs from better security should enable them to market themselves to me with a better net income to me.

      It might help if national governments were a little more reluctant to bail them out though :)

    18. Re:One-Time Passwords for Transactions by Doc+Ruby · · Score: 0

      If US banks were actually bought by the Federal government, there'd be fewer shareholders opposing remaking those banks more in the public interest after the public rescues them.

      Many, if not most, US banks eligible for the original (or Senate revised) Paulson bailout are refusing its terms even on the requirement that their execs (who ran this catastrophe) take any kind of pay cut or other hit. Their shareholders (and the Congressmembers who love their bribes) are even more against government buyouts of their equity. Not when they're after government buyouts of merely their unsaleable assets instead. But perhaps the younger generations of Obama and the cohort of people who are putting him in office, as well as voting downticket in the House and Senate, will actually respond to the longer term requirements at this extraordinary (usually once in a century) opportunity.

      We will see. But not right away. Even the bailout bills passed last week, (over $800B, at an interest-included cost of over $1.2T) spend zero dollars other than the already spent AIG/MerrillLynch/Lehman/BearSterns interventions until after the November election. The 1929 crash required the 1930 House/Senate election, then the 1932 House/Senate/president election, and then 2 years of the reversal from 1920s Republican party monopoly in those three chambers to a Democratic one, before reregulation was passed in 1934 (which held until 1994-8). This time we've got much more at stake, a much more fluid and sophisticated financial system, and the benefits of generations of hindsight into what has been similar in the past, what has worked, what hasn't and what hasn't been tried (and why not). I expect that the 2010 elections will be cast on the basis of the success of the Democratic administration of the financial system for the next 2 years.

      Democrats will be running probably to keep or get a 60-vote filibuster proof Senate majority, amidst an advantage in more Republican than Democratic seats to defend (or to take). The president will be an elevated Democratic senator, Obama, with another one, Clinton, sitting in New York along with the other NY senator, Schumer, having run the overall Senate takeover campaigns in 2006 and 2008 (and probably again in 2010, especially if he gets to 60 seats in 2008). The VP presides over the Senate (technically only breaking tie votes, which will rarely happen, but in practice wielding lots of informal influence, just by running go-between), and has spent practically his entire life, since Watergate, representing Delaware, by far the most corporate (especially banking) state in the country. A senator's role in the US government is to represent their state's government to the Federal government in their person, not to represent the people (that's the House rep's job), and each bank is chartered and governed by a state, both in its incorporation and its banking license, so senators are the people through whom all deals must pass in governing banks, and the Federal Reserve & Treasury that funds and further governs them. Meanwhile, one of the senators in the dwindling Republican minority (therefore a larger percentage of that smaller minority, perhaps 2.5% of their 40 seats) is alienated from his party, both as an insistent "maverick" running against his party's long rule, and as a loser, further damaged by his fruitlessly negative campaign - a lame duck who will retire in 2010, probably replaced by a Democrat (like Democratic AZ governor Napolitano).

      I'm unhappy that the Senate is the focus, because it's the chamber least accountable to the people (again, it represents state governments, not the state's people). But that's the system we've got, and despite the solid wave voting Democrats a mandate this year, long term strategy is usually risky when presented to the masses in a single election (or even 2, including 2010). The striving for 60+ votes at least puts the power in voters' hands to bait senators to respond to the people, balanced against their other interests (which include simple stabi

      --
      make install -not war

    19. Re:One-Time Passwords for Transactions by Doc+Ruby · · Score: 0

      If they are reluctant to bail out, they have the power to fix them with other means.

      Like taxing the banks, bankers and the recipients of their artificially high returns on public investments (like Federal credit, guarantees and insurance) to recover some of that unwisely redistributed public money back into recapitalizing the public funds needed to administer the reconstruction. And multiplying the bankruptcy courts to renegotiate individual financing terms that are better for the public than a wave of homeless and jobless families, though with a "credit scarlet letter" that makes them pay off their literal debt to society with higher interest rates for some time. And suspending constraints on IRAs, 401(k)s, and other tax deferred investments if the money is invested in primary housing, rather than waiting for a retirement that might now never come. And so many more fair and effective coordinations rewiring our economy into one that's cultivated, not run amok and into the ground.

      --
      make install -not war

    20. Re:One-Time Passwords for Transactions by X0563511 · · Score: 1

      http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction

      It's not as simple-minded as you expect.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
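      The DUKPT link in the comment above is the mechanism that makes a PIN pad's key material worthless once it has been used: every transaction is encrypted under a key derived from a device key serial number and a counter, the pad discards used keys, and the host re-derives each key from a base derivation key (BDK). The example below is an added sketch of that property, not the ANSI X9.24 derivation itself (the real scheme uses a 21-bit counter and a tree of block-cipher derivations so that the pad holds at most 21 future keys) and not code from the thread; the hash-chain ratchet, the keystream "cipher" standing in for TDES/AES, and the device identifier are assumptions chosen so it runs on the standard library.

```python
"""Simplified DUKPT-style per-transaction keys (added example, not the X9.24 derivation).

The host derives an initial key for each pad from a BDK and the pad's id.
The pad encrypts each PIN block under a key derived from its current chain
key, then ratchets the chain key one-way and forgets the old one.  The host
re-derives the same key from the key serial number (pad id + counter).  A
chain key pulled out of the pad later cannot decrypt earlier PIN blocks.
Keys and the pad id below are made up.
"""
import hashlib
import hmac
import secrets


def _initial_key(bdk: bytes, device_id: bytes) -> bytes:
    return hmac.new(bdk, b"IPEK|" + device_id, hashlib.sha256).digest()


def _ratchet(key: bytes) -> bytes:
    # One-way step: holding key_{n+1} reveals nothing about key_n.
    return hashlib.sha256(b"RATCHET|" + key).digest()


def _pin_key(chain_key: bytes) -> bytes:
    # Keep the key that touches data separate from the key that drives the chain.
    return hmac.new(chain_key, b"PIN", hashlib.sha256).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy keystream cipher standing in for the TDES/AES a real pad uses (assumption).
    stream = hashlib.sha256(b"STREAM|" + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class PinPad:
    def __init__(self, device_id: bytes, injected_key: bytes):
        self.device_id = device_id
        self._chain_key = injected_key     # loaded at the key-injection facility
        self.counter = 0

    def encrypt_pin_block(self, pin_block: bytes) -> tuple:
        self.counter += 1
        ksn = self.device_id + self.counter.to_bytes(4, "big")   # key serial number
        ct = _xor_stream(_pin_key(self._chain_key), pin_block)
        self._chain_key = _ratchet(self._chain_key)               # used key is destroyed
        return ksn, self.counter, ct

    def dump_memory(self) -> bytes:
        # What someone pulling the pad apart today would find.
        return self._chain_key


class Host:
    def __init__(self, bdk: bytes):
        self._bdk = bdk

    def decrypt(self, ksn: bytes, ct: bytes) -> bytes:
        device_id, counter = ksn[:-4], int.from_bytes(ksn[-4:], "big")
        key = _initial_key(self._bdk, device_id)
        for _ in range(counter - 1):            # walk the chain forward to this transaction
            key = _ratchet(key)
        return _xor_stream(_pin_key(key), ct)


def attacker_try_decrypt(dumped_key: bytes, ct: bytes) -> bytes:
    # Best an attacker with the pad's current memory can do against an old PIN block.
    return _xor_stream(_pin_key(dumped_key), ct)


def demo() -> tuple:
    bdk = secrets.token_bytes(32)
    device_id = b"TERM-0001"
    pad = PinPad(device_id, _initial_key(bdk, device_id))
    host = Host(bdk)
    pin_block = bytes.fromhex("041234FFFFFFFFFF")    # constructed ISO-0 style PIN block
    ksn1, _, ct1 = pad.encrypt_pin_block(pin_block)
    ksn2, _, ct2 = pad.encrypt_pin_block(pin_block)
    host_ok = host.decrypt(ksn1, ct1) == pin_block and host.decrypt(ksn2, ct2) == pin_block
    keys_differ = ct1 != ct2                         # same PIN, different key each time
    stolen = pad.dump_memory()                       # pad compromised after both transactions
    attacker_fails = (attacker_try_decrypt(stolen, ct1) != pin_block and
                      attacker_try_decrypt(stolen, ct2) != pin_block)
    return host_ok, keys_differ, attacker_fails


if __name__ == "__main__":
    print(demo())
```

      What the thread's skimmers actually did was tap the bus before encryption, which no key scheme helps with; the derivation only limits what a captured ciphertext plus a later-dumped key is worth.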
    21. Re:One-Time Passwords for Transactions by plover · · Score: 1

      OK, so I'll re-ask the question. If a bank offered a card with an OTP generator and the exact same terms as your current bank, would you switch? (I'm assuming you'd switch for other reasons if the OTP bank offered you better terms.)

      I'm really trying to gauge if people like you are serious about your own personal security, or if you'd rather not worry much about it and let the $50 limits on liability take care of you. I agree that it should be cheaper for you if the costs of theft are less expensive for the bank, but that's not what I'm trying to discover.

      Or maybe you've already given me my answer: you care exactly 0% about the security, and 100% about the costs. And that's telling, because if a security-conscious person such as yourself isn't willing to spend an extra dime, there is no way in hell a Joe Sixpack is going to care about an OTP solution.

      And I know it sounds convenient, but for security reasons you should not want the OTP to be a part of your phone. If it were integrated, there is no longer an "air gap" between your PIN entry device and a hackable machine. The OTPs that are offered by companies like Vasco have no network connections, no upgradability, and no user maintainable components. This is by design. If a hacker gets on your OTP-equipped phone and installs some kind of keysniffer, you lose.

      With no external interface other than the battery, the keyboard, and the screen, the Digipass devices cannot be remotely hacked, and would have to be "hardware hacked". This is not an attack vector that scales well -- a bad guy has to physically go to each device to hack it. A phone hack could potentially be done over the network, Bluetooth, by a virus, or other malware, and attack thousands of OTPs.

      --
      John
    22. Re:One-Time Passwords for Transactions by Gunstick · · Score: 1

      you are NOT allowed in any case to store the cardholder verification number.
      Unfortunately there are still lots of places where you can do transactions only with the CC number and expiration date.

      --
      Atari rules... ermm... ruled.
    23. Re:One-Time Passwords for Transactions by mpe · · Score: 1

      you are NOT allowed in any case to store the cardholder verification number.

      That's really going to stop someone (individual or corporation) from misusing credit card details if they can get their hands on them.

    24. Re:One-Time Passwords for Transactions by Gunstick · · Score: 1

      If that information is generally not stored, it becomes more difficult to just walk/hack in and take millions of cards.
      That's probably why the TJX hack was done using online sniffing during several months.

      --
      Atari rules... ermm... ruled.
  15. outwitted? by El_Muerte_TDS · · Score: 1

    Specialists say the theft technology is the most advanced they have seen

    So, it's better than the technology they have in place?

    1. Re:outwitted? by jd · · Score: 1

      If the experts were from AT&T, a fully-pwned subsidiary of the NSA Corporation, worry.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  16. fear not... by owlnation · · Score: 3, Funny

    In the UK. We're fine. Most of our data has already been stored in a government hard drive and left on a train seat somewhere, and it's not like we have any money in our bank accounts anyway.

    1. Re:fear not... by legirons · · Score: 1

      In the UK. We're fine. Most of our data has already been stored in a government hard drive and left on a train seat somewhere, and it's not like we have any money in our bank accounts anyway.

      You mean, you had 10000 in your bank account before the government decided to "insure" it at a cost to each taxpayer of 10000?

      well it should prove *very* easy for them to insure the remainder....

    2. Re:fear not... by jd · · Score: 1

      I have to say I'm impressed. Ever since they started with Group 4 for prisoners and nuclear waste (at the same time and possibly in the same vehicle), they have managed to pick with 100% accuracy every incompetent on the planet. Name me one country in the world, just one, that can boast a track record as perfect as that.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:fear not... by Anonymous Coward · · Score: 0

      Joking, right? UK is still one of the richest

    4. Re:fear not... by Anonymous Coward · · Score: 0

      yea, there are more than 20 of me around the world already, curiously most of me are located in Nigeria, Russia and Pakistan

      If some of me commit a crime, I just blame the others :)

  17. IT'S NOT OUR FAULT!!! by Anonymous Coward · · Score: 0

    I love how the bankers and politicians and other utter cunts of this world are now rushing to accuse t3h 3val h4x0rz in China and Pakistan for the fuck-ups of bankers, politicians and other utter cunts. The Global Economic Meltdown was caused by those yellow and brown people over there, not by our own greedy, irresponsible and predatory financial practices! Seriously!

  18. covert by Master_stghm · · Score: 1

    This theft incident sounds cooler than the TJX one. That was just some guys in a van in the parking lot to a TJ Maxx or Marshalls cracking the WEP key on the Wi-Fi. This actually makes me imagine a whole covert operation to get the technology into the card readers. I wonder what's next!

  19. It has been done before by Anonymous Coward · · Score: 0

    I remember a year or two ago where some old terminals (which were only used with a local debit card) were fitted with a cell phone and an interface to it, and then transmitted the information for each card (at least that was what they said in the news).
    The shops had break-ins but not much if anything was missing. There were reports that some had their terminals stolen. And even once it was returned, again this was what the news said, but it sounds strange if people would not catch on.

    It was in an old terminal which was about 25 years old. I don't know if the hardware inside had been upgraded in that time, perhaps to something taking up less space. I know the big shield over the keypad was added many years later.

    Picture here: http://www.point.dk/upload/Denmark/Billeder/Gamle%20terminaler/DKT_1.jpg

    These terminals are not used anymore, the new ones seem too compact to pull the same stunt.

  20. muslims are thieves by Anonymous Coward · · Score: 0, Troll

    fucking euros are too dumb to see that islam has its claws in their society. they will succumb to mohammad.

    1. Re:muslims are thieves by toriver · · Score: 1

      You sure live up to the "Coward" family name, there.

      Maybe, just maybe, if the U.S. hadn't completely FUCKED UP the Middle East during its penis contest with the Russians - including supplying Islamists - we would not have this problem, or what? Maybe YOU could have taken in some of the refugees from the regional wars instead of just selling legal and illegal weapons to them, the balance would have been better? Fool.

    2. Re:muslims are thieves by Anonymous Coward · · Score: 0

      Now now dear, just sit quietly and have a nice drink and relax, and the man in the white coat will come and take you back to your padded cell.

  21. Y'know what... by Colin+Smith · · Score: 1

    Cash is easier and anonymous too.

     

    --
    Deleted
    1. Re:Y'know what... by FooAtWFU · · Score: 1
      Cash is not necessarily easier. Large sums of money are not safe to carry around as cash, as they can be lost/stolen. You will have even less security from such theft/fraud than you would from a credit card (although potentially more-limited exposure). Monitoring how much cash you have on you becomes necessary. Retrieving cash from ATMs may be inconvenient (or, for certain more-convenient ATMs, involve a fee) while retrieving cash from a bank teller will probably be even less convenient (requiring you to visit the branch during banker's hours). Receiving and cashing paper checks instead of electronic direct deposits is definitely not convenient. Keeping track of change and small bills amongst your cash may become inconvenient, without change-purses or wallets which are designed for purses and handbags (not back-pockets).

      Credit card / debit card / check card transactions also have benefits in that they can provide you with an electronic auditing trail of exactly where you spent your money. (Quicken. Mint. MS Moneys.) This can be very convenient.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    2. Re:Y'know what... by cayenne8 · · Score: 1
      "Cash is not necessarily easier. Large sums of money are not safe to carry around as cash, as they can be lost/stolen..."

      Well, you know....cash worked pretty darned well for a few thousand years before the advent of credit cards. We didn't have so many people living beyond their means back then as we do now.

      And at the very least...I prefer to pay in cash as much as possible because it really sets in my head how much I am spending. A credit card, much like chips in a casino, abstracts from how much you are really spending..it is 'toy' money. Whereas...when I take out like $300-$400 for a week...and I start seeing how little I have as the week goes on, I am MUCH more aware of how much I'm spending, than I am with a credit card. I keep up in my head pretty well what I spend on CC's, but, it really hits home with much more reality when I know what cash I started with, and what I end up with at the end of the week.

      And, no one says you have to carry ALL your cash with you at all times. I personally make sure that I bank with a bank that has a number of ATMs conveniently located around town. I can't stand to pay a fee for my own money.

      But really...it isn't that hard. The only advantage I can see really of using CC's...is if you get cash back or some kind of reward points with real value.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    3. Re:Y'know what... by Arthur+B. · · Score: 1

      Well, you know....cash worked pretty darned well for a few thousand years before the advent of credit cards. We didn't have so many people living beyond their means back then as we do now.

      a) People didn't have internet access for thousands of years either... so ?

      b) Grandparent makes no mention of credit. Electronic payment != credit. In most parts of the world the cards are debit cards.

      The grandparent has a very good point about the trail, this is the #1 reason I almost never use cash. I want to know how much I spent on movies, restaurants, etc.

      Of course I'd rather have perfectly anonymous transaction with cryptographic cash. But that's just not yet.

      --
      ☭ = 卐
  22. Any chance... by jd · · Score: 4, Funny

    ...it was Diebold?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Any chance... by X0563511 · · Score: 1

      Probably not. I don't think they make pinpads.

      If it was a Verifone, it was probably an Everest pinpad. They are simple dumb terminals, with nothing but an encryption key in them basically.

      They should be going away soon, they are not PCI/DSS/PABP compliant. I think the recommended replacement is one of the MX800 series pads, which believe it or not run Linux under the hood.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  23. Not all bad news by I_Voter · · Score: 1
    It's not all bad news if you favor the people vs the state.

    From the article:
    "Pretty small but intelligent criminal organizations are pulling off transnational, multicontinent heists that only a foreign intelligence service would have been able to do a few years ago," said Joel F. Brenner, the U.S. government's top counterintelligence officer.

    And you're willing to believe what the U.S. government's top counterintelligence officer said.

    WEB SITE:(under construction)
    Political Power in the U.S.
    http://tinyurl.com/2sdtvk

  24. The banks/we are funding the terrorists. by sygin · · Score: 4, Insightful

    My credit card has been ripped in the past. I lost £50 and the rest was refunded. I get the distinct impression that the banks do not care to catch the perpetrators or in fact, stop fraud. It is more cost effective to do the minimum required and get us to fund the losses. Think about it, spend wads of cash on security or just increase bank charges etc to pay for losses. Banks are not interested in fraud. They have already run the numbers.

    --
    Don't make your problems my problems!
    1. Re:The banks/we are funding the terrorists. by Anonymous Coward · · Score: 0

      I once had a job as a motorcycle courier, and one of my main jobs was delivering new and replacement American Express cards to customers.

      One day I delivered one to a customer who turned out to be a fraudster. I was the only person to see him, but though the police were informed, nobody asked me for a description or even asked to interview me.

      The banks do not bother trying to track down criminals unless the case is a high profile one, or the information they need to prosecute is dumped in their lap.

      To them, it's just a business cost, and the honest customers are expected to make up the difference.

    2. Re:The banks/we are funding the terrorists. by Anonymous Coward · · Score: 0

      Mod parent up. Likewise chip and pin is NOT intended to protect consumers from fraud, it's to reduce the banks fraud losses. It becomes very difficult to dispute a transaction that was made with your PIN, which couldn't possibly have been stolen from the "secure" chip and pin system. The readers do have some tamper-resistance features, but it's not enough ... components can be piggybacked on the unencrypted internal bus as in this case, or replaced entirely for a nice game of tetris.

  25. PCI Law by Benjamin_Wright · · Score: 2, Interesting

    A quote in the WSJ article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is a national security issue. It requires wholesale rethinking of the credit card system. The Federal Trade Commission misunderstands the magnitude of the problem. The FTC is locked in an old-fashioned belief that data in-security is due to stupid merchants (like TJX) treating consumers (and their privacy) "unfairly" by failing to secure their systems. We need fresh thinking and better leadership on this issue from the FTC. --Ben

    --
    Benjamin Wright, Dallas, Texas, benjaminwright.us
    1. Re:PCI Law by bobbozzo · · Score: 1

      Assuming Wal-Mart and Tesco are PCI-DSS compliant, this invalidates the recent claim by the PCI group that there have been no breaches of PCI compliant merchants.

      --
      Nothing to see here; Move along.
    2. Re:PCI Law by Gunstick · · Score: 1

      TJX was PCI-DSS !

      --
      Atari rules... ermm... ruled.
  26. How did they get in there? At the factory? by AaronLawrence · · Score: 1

    To be on such a large scale they must have been inserted by someone closely involved - perhaps a distributor but more likely the factory? They are supposed to be tamper resistant.
    Of course this is one reason that chip-and-pin is coming, because smartcard data can't be intercepted so easily. OTOH, as they say: if you have physical access other security is irrelevant...

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    1. Re:How did they get in there? At the factory? by Anonymous Coward · · Score: 1, Informative

      This IS data from chip-and-pin cards. We've used chip-and-pin almost exclusively in the UK for several years now.

  27. A more interesting thought by kilodelta · · Score: 2, Interesting

    We had this happen here in RI about a year or so ago. Except in our case the ring was being run by Armenians.

    In that case they had posed as repairmen and then rigged the card machines. It forced Stop & Shop to replace all their credit card readers. But then it brings up another point.

    What if these rings manage to get to the card readers before they're delivered to the merchants. I bet that is what happened here.

    1. Re:A more interesting thought by mpe · · Score: 1

      What if these rings manage to get to the card readers before they're delivered to the merchants. I bet that is what happened here.

      In which case you should have at least some of these emitting electromagnetic radiation they should not be. Including trying to make an RF connection when there is nothing they could connect to. (As well as potentially being in range of enterprise-grade WiFi kit that is capable of detecting and triangulating "rogue devices".)
      Effectively these machines come with an inbuilt "neon sign".

    2. Re:A more interesting thought by kilodelta · · Score: 1

      Indeed. And it goes further, what if they manage to change the embedded code on a device. You'd never even know it was done. Look at the Diebold mess for a clear example.

    3. Re:A more interesting thought by mpe · · Score: 1

      And it goes further, what if they manage to change the embedded code on a device. You'd never even know it was done.

      Until the first such device is found.

      Look at the Diebold mess for a clear example.

      The difference is that it is often fairly easy for people to take their custom to a different supermarket.

  28. At what point... by tkrotchko · · Score: 1

    At what point will the card issuers finally go to 2-factor authentication? The fact that credit cards still "mean" something in 2008 is a joke. It could be fixed, it would be expensive, but it's going to be less expensive than these multi-billion dollar losses.

    There's no excuse for this lack of sophistication today. We could do so much better.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  29. One-factor security by Jimmy_B · · Score: 3, Insightful

    Something you have, something you know, and something you are. Security means using at least two out of the three security factors. ATM cards are supposed to be "something you know" (a PIN number) and "something you have" (a card), but unfortunately, the card's only purpose is to hold another number, so it's really "two things you know, one of which must be written in invisible ink". Until we replace all bank and credit cards with electronics that can do public-key cryptography, fraud will continue to rise.

    By the way, there's no evidence that anyone from Pakistan has anything to do with this. Most likely, the information is being sent to a compromised server, to conceal the real perpetrators, who could be anywhere.

    1. Re:One-factor security by xelah · · Score: 1

      but unfortunately, the card's only purpose is to hold another number,

      Not a Chip and PIN card (not the kind of number you're thinking of, anyway). The chip does proper security, and has to sign a transaction certificate. That's why a lot of stolen UK credit card numbers are used abroad where there's no chip and PIN. This doesn't make the devices trustworthy, of course...but making a fake device that records numbers and also accepts the transaction being recorded is harder than it used to be (the devices need their own certificate to authenticate themselves as certified devices to the acquirer).

  30. OTP not the solution. by SharpFang · · Score: 1

    There are trojans in the wild that hijack the HTML renderer component. The certificate matches, the secure connection matches, the OTP code matches; it's just the amount entered and the target account number that differ between what is displayed on the confirmation screen and what is being sent over the net. You think you're signing a $10 eBay transaction, while what you just signed is $10k for an account in the Philippines.

    In other words: computer display and keyboard are not trusted devices anymore. You type one thing, see the same thing appear, but a different thing is being sent.

    The solution is a one-time confirmation code sent as an SMS, including some signed transaction details (the amount and some digits from the target account number). It's about impossible to hijack both the computer and the GSM transmission.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  31. Ugh by Anonymous Coward · · Score: 0

    This is the shill with 20+ Slashdot accounts that works for Roy Schestowitz and his corporate overlords. Pay no attention to him.

  32. Everyone in the Credit Card Industry Incompetent? by cc_pirate · · Score: 1

    I can only assume so. This stuff keeps happening over and over again and they don't seem to be bothered enough to keep it from occurring.

    There are plenty of ways to stop this sort of thing as other posters have mentioned... but no, the CC industry just can't be bothered.

    Of course since most of the banks running them seem to be going out of business, maybe they have more important things on their minds nowadays.

    --

    "There are laws that enslave men, and laws that set them free. " - Sean Connery as King Arthur

  33. Re:Everyone in the Credit Card Industry Incompeten by RickRussellTX · · Score: 1

    > they don't seem to be bothered enough
    > to keep it from occurring

    They will do something about it when customers start to walk away.

    I originally got an AMEX Blue card because it had an embedded security chip in it, and AMEX claimed vendors would be required to add chip readers, then you could set your account to only allow transactions on presentation of the physical card. They also promised a USB reader dongle for home use that would verify your physical possession of the card when making online purchases.

    None of it went anywhere, as far as I know. I've never seen a device that can read the chip.

  34. Pakistan = Taliban + Al Qida towelies by Anonymous Coward · · Score: 0

    Nuke 'em, nuke 'em now. Get india involved. They'll wipe out those pesky pakstaners.

    1. Re:Pakistan = Taliban + Al Qida towelies by CarneAzada · · Score: 0, Offtopic

      Wow, that was ignorant.

  35. Design Speculations. by splashmaker · · Score: 1

    This is very interesting if you start thinking about how they have accomplished this. "Examining the store's credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology. The bug would read an individual's card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next." So it was wireless - definitely cellular. So each of these bugs would have a subset of a cell phone capable of sending and receiving text/SMS messages and must have a SIM card (as GSM is universal in Europe) to communicate over the local network, perhaps using roaming capabilities. It's extremely inexpensive to buy a SIM card in Pakistan with roaming capabilities - I believe it's just a couple of dollars - and if the attacker can top up the card remotely, it can sustain these devices forever. Though I do not understand how a cellular device will create strange noises in another cellular device? "Meanwhile, a security guard at a U.K. grocery store noticed suspicious static on his cellphone and alerted authorities."

    1. Re:Design Speculations. by jonbryce · · Score: 1

      If it is not a properly designed cellphone perhaps?

    2. Re:Design Speculations. by mpe · · Score: 1

      This is very interesting if you start thinking about how they have accomplished this. "Examining the store's credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology. The bug would read an individual's card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next." So it was wireless - definitely cellular. So each of these bugs would have a subset of a cell phone capable of sending and receiving text/SMS messages and must have a SIM card (as GSM is universal in Europe) to communicate over the local network, perhaps using roaming capabilities.

      You'd think someone would notice a "phone" which regularly registers with the network, makes an international call, then deregisters. Especially if it's a foreign phone, doesn't appear to move and does this at the same time each day. Even more so if it's lots of "phones" showing this kind of behaviour.

      It's extremely inexpensive to buy a SIM card in Pakistan with roaming capabilities - I believe it's just a couple of dollars - and if the attacker can top up the card remotely, it can sustain these devices forever.

      It isn't going to be so cheap to make data calls, even to send SMS messages. Using a synthesised voice definitely should get the attention of the GCHQ people.

    3. Re:Design Speculations. by Ambient+Sheep · · Score: 1

      Perhaps the guard noticed the interference on his cellphone...when he was using it to listen to FM Radio, as some of them are capable of doing? Or perhaps it wasn't his cellphone at all, but just his in-store walkie-talkie, and the article has it slightly wrong. Or maybe it really was his cellphone and he just has a very good ear for interference!

    4. Re:Design Speculations. by Swave+An+deBwoner · · Score: 1

      Why a cellular phone? Aren't these machines usually connected to a landline so that they can phone in to verify the card before processing the transaction, and to actually store the transaction in the store's computer?

    5. Re:Design Speculations. by splashmaker · · Score: 1

      The original news item indicates that these were wireless devices!!!! - thus also the issue with interference; landlines will be rather silent. But as you said, the vast majority of them also use landlines. However, any sizable store usually uses a network connection to authenticate and validate card data - simply because it would be too slow and there would be too much overhead to have separate telephone lines for each of their POS terminals. And as these were Wal-Mart partnered stores, I believe they all had more than one POS at each location. Now, these could have sent data over the network, but that would be easily and quickly identified.

  36. Much simpler solution by a_claudiu · · Score: 1

    A much simpler solution:
    1. No more magnetic stripe
    2. Make the chip in the card (not the ATM) sign a transaction with a private key stored in the chip and the bank will check with a public key stored in their DB.
    3. Sign the transaction with the correct key only when the correct PIN is used, or else sign it with a dummy key. This is done to prevent a rogue machine from attempting a brute-force attack on your card. To check whether the signing was OK, a request to the bank is needed, and repeated requests will trigger an alarm. This can also be done with a small delay for the response in the chip itself.

    Advantages over one time password:
    - you don't carry around a one time password generator.
    - even if somebody is stealing the data from the bank they do not know the private key only the public one.
    - nobody is able to clone your card and the PIN is useless without the card

    It is still possible to have a rogue machine that charges you more than what is displayed, but the situation is like this now anyway.
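    The three-step design in this post, as an added illustration that is not the poster's code: a simulated chip that signs with a private key it never exports, silently switches to a dummy key on a wrong PIN, and a bank that verifies with the stored public key and raises an alarm after repeated bad signatures. Textbook RSA over two constructed toy primes stands in for a real card signature scheme; the card id, PIN, thresholds and transaction strings are all constructed.

```python
import hashlib

# Constructed toy parameters: two ~1e9 primes keep the arithmetic readable while
# making accidental verification collisions negligible. Real chips use far
# larger keys and a proper padding scheme.
P, Q, E = 1000000007, 1000000009, 65537

def rsa_keypair(p=P, q=Q, e=E):
    """Textbook RSA key generation; returns ((e, n), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), pow(e, -1, phi)

def _digest(tx: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(tx).digest(), "big") % n

def sign(tx: bytes, d: int, n: int) -> int:
    return pow(_digest(tx, n), d, n)

def verify(tx: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(tx, n)

class Card:
    """The chip: PIN and private keys never leave it; only the public key is exported at enrolment."""
    def __init__(self, pin: str):
        self._pin = pin
        self.public_key, self._d = rsa_keypair()
        self._dummy_d = self._d + 1   # constructed dummy exponent: well-formed but useless signatures

    def sign_transaction(self, tx: bytes, pin_entered: str) -> int:
        # Step 3 of the post: a wrong PIN yields a signature that looks like any other,
        # so a rogue terminal learns nothing locally and has to ask the bank.
        d = self._d if pin_entered == self._pin else self._dummy_d
        return sign(tx, d, self.public_key[1])

class Bank:
    ALARM_AFTER = 3                   # constructed: consecutive bad signatures before blocking

    def __init__(self):
        self.public_keys = {}         # card_id -> (e, n); leaking this table exposes no private key
        self.failures = {}
        self.blocked = set()

    def enrol(self, card_id: str, pub) -> None:
        self.public_keys[card_id] = pub

    def authorise(self, card_id: str, tx: bytes, sig: int) -> str:
        if card_id in self.blocked:
            return "blocked"
        if verify(tx, sig, self.public_keys[card_id]):
            self.failures[card_id] = 0
            return "approved"
        self.failures[card_id] = self.failures.get(card_id, 0) + 1
        if self.failures[card_id] >= self.ALARM_AFTER:
            self.blocked.add(card_id)
            return "alarm"
        return "declined"

def run_scenarios() -> dict:
    """Constructed scenarios: honest purchase, replay of skimmed data, PIN brute force."""
    card, bank = Card(pin="4921"), Bank()
    bank.enrol("card-1", card.public_key)
    tx = b"merchant=store-17;amount=19.99;currency=GBP;nonce=7f3a"
    out = {"good_pin": bank.authorise("card-1", tx, card.sign_transaction(tx, "4921"))}
    # A skimmer that recorded a valid signature cannot reuse it on a different transaction.
    replay_tx = b"merchant=store-17;amount=1999.00;currency=GBP;nonce=7f3b"
    out["replay"] = bank.authorise("card-1", replay_tx, card.sign_transaction(tx, "4921"))
    # A rogue terminal guessing PINs costs one bank round-trip per guess and trips the alarm.
    out["guesses"] = [bank.authorise("card-1", tx, card.sign_transaction(tx, g)) for g in ("0000", "1234")]
    out["after_alarm"] = bank.authorise("card-1", tx, card.sign_transaction(tx, "4921"))
    return out
```

Even the genuine PIN is refused once the card is blocked, which is the point of doing the PIN check at the bank rather than in the terminal.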

    1. Re:Much simpler solution by mpe · · Score: 1

      nobody is able to clone your card and the PIN is useless without the card

      Assuming the bank knows how to use cryptography correctly.

      There are still issues like a bank employee attaching extra cards to your account, which turned out to be behind so-called "phantom withdrawals". Thus you need a mechanism to make this difficult and easily detectable.

  37. I don't believe it! by EnglishTim · · Score: 1

    But when the Chip & Pin system came into force Patrick Stewart himself was assuring us on TV ads that there was 'Safety in Numbers'!

    He was Jean-Luc Picard in Star Trek and Gurney Halleck in Dune! HOW CAN HE BE WRONG?

    1. Re:I don't believe it! by Anonymous Coward · · Score: 0

      HOW CAN HE BE WRONG?

      Because he was also Captain Ahab.

  38. security guard? by DaveGod · · Score: 1

    a security guard at a U.K. grocery store noticed suspicious static on his cellphone and alerted authorities

    props to that guy.

  39. Re:Everyone in the Credit Card Industry Incompeten by jonbryce · · Score: 1

    Walk away to where exactly? They are all the same.

  40. No questions asked, but you can go too far... by AliasMarlowe · · Score: 2, Interesting

    Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods.

    A couple of decades ago, American Express pioneered the concept of "money back, no questions asked" if a product bought with AmEx became broken for any reason during the first 30 days after purchase. They had some dumb commercial on TV featuring a kid feeding porridge into a VCR, and a refund being given for the gummed-up VCR.

    A colleague of mine perpetually travelled and regularly put more than $20k per month through his AmEx, so they automatically accepted almost any charge from him. Skipping a long and tortuous story, he bought a used airplane in Australia as part of some hare-brained get-rich-quick scheme (probably caused by alcohol). It was charged to his AmEx! His partner in the scheme was the pilot, who pranged the airplane on the first take-off. He survived, but the plane was a complete write-off.

    Rather than accept the partial payment from their basic insurance coverage, my colleague called American Express, since the plane had been bought only a week or so previously. Contrary to their advertising, they asked a great many questions, and wriggled like mad in vain attempts to avoid the refund. Eventually, they cancelled the charge.

    American Express tried to impose an inadequate monthly charge limit on him after that, but our mutual boss stood up to them, by threatening to cancel the corporate reliance on AmEx if there were any restrictions. We had almost a hundred perpetual travellers and a couple of hundred regular travellers (I occasionally exceeded US$10k on AmEx in a month). AmEx backed down.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:No questions asked, but you can go too far... by X0563511 · · Score: 1

      ... who pranged the airplane...

      What does that mean?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:No questions asked, but you can go too far... by Ambient+Sheep · · Score: 1

      "Crash", basically.

      http://en.wiktionary.org/wiki/prang http://dictionary.reference.com/browse/prang

  41. Original article by mpe · · Score: 1

    Quite a few things don't make much sense.
    Like needing sensitive scales to detect a "small bug" weighing 4oz (possibly they actually meant 4 grammes).
    There's also the issue of the wireless communications. Are there really this many unsecured wireless access points near supermarkets?
    Also, these communications can't exactly be described as "untraceable" when it's possible to track the destinations down to one city.
    Two obvious law enforcement approaches spring to mind.
    The first is to block (or at least monitor) communications to the destination IPs, i.e. instead of random/comprehensive monitoring of Joe Public, use the appropriate tools against machines used by criminals. Or are ISPs only interested in doing this sort of thing for big entertainment companies, rather than the likes of Scotland Yard?
    The other thing to do is to use the criminals' own system to put some card details into the system which will be flagged if anyone attempts to use them. Maybe without any warning to the person using them, except that instead of a courier delivering their stuff from Amazon they find they have instead won a "free ride in a real police car", or that they enjoy a nice flight (or at least as nice as flying can be these days) but find that when they arrive at their destination there's an interrogation room waiting for them.
    Credit card companies also have their own fraud detection systems, which have been known to give holidaymakers who have not told their card company where they are going problems. As well as checking if the delivery address for a "cardholder not present" transaction is an address the cardholder has told the issuer about. Since the transactions being bugged are "cardholder present", where are the crooks going to get this information from?

    1. Re:Original article by imsabbel · · Score: 1

      They use wireless, in the form of cell phone network.

      They used scales not because of precision, but because weighing was the quickest way to check a large number of devices without disassembly.

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
  42. Chip & PIN, eh? Well secure! by gilgongo · · Score: 1

    It seems like only last week when they forced us all to use chip & pin, telling us how it would be soooo much better than the old magnetic swipe system. I even heard some people saying it would *reduce* credit card fraud. In fact, I think the level of non-Internet fraud hasn't changed much - may have even gone up a bit since then.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  43. Interesting... by Anonymous Coward · · Score: 0

    I was just at the store the other day wondering just how much damage could be caused if a wage slave strategically installed a wifi point on the network. I guess I have the answer.

  44. Re:prang by AliasMarlowe · · Score: 1

    "prang" is a verb meaning crash. It originated in Britain in the early days of aviation to describe an airplane coming into contact with the ground (crashing or landing poorly) such that the airplane is damaged or destroyed. It's commonly used in aviation circles, but is also encountered in Britain in connection with crashing other types of vehicle.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  45. the problem is PROOF by RMH101 · · Score: 1

    ...the bank can turn around and say "you must have disclosed your PIN". Much as with keylogging trojans, they can pass the blame to you. (I'm not saying yours *would*, just that they *can*).
    In the case of keylogging trojans, it's not strictly speaking the bank's fault that your PIN was captured. Similarly, it's not necessarily their fault you used a hacked card reader, like the Ingenico 3300 ones widely used in the UK, recently found to be fitted with internal cellular data devices for sniffing.

    Sure, you can say that they should have higher standards of device certification and maybe a SecurID-RSA-type online bank security system, but that's not going to help you if you're hit by either scenario and your bank decides to play hardball.

  46. Re:prang by X0563511 · · Score: 1

    Thanks!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  47. Joel Brenner = only source by Anonymous Coward · · Score: 0

    The National Counterintelligence Executive and Mission Manager for Counterintelligence Joel Brenner is the only source for the whole story. The Times of London writes: "The bugs transmit the information by wireless technology to Lahore, Pakistan, according to a senior American counter-intelligence official. (...) The fraud was revealed by Joel Brenner, the American government's top counter-intelligence officer." The British, on the other hand, say: Lahore is unconfirmed; the Chinese link is unconfirmed; issues with chip and PIN machines being compromised at the point of manufacture are unconfirmed altogether (see Times and Telegraph). A contradiction?