Slashdot Mirror


Huge Credit Fraud Ring Sends Europeans' Data To Pakistan

marshotel excerpts from a story at the Wall Street Journal: "European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case. Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd."

9 of 166 comments

  1. Credit cards are evil. by Anonymous Coward · · Score: 2, Insightful

    The ONLY reason you actually need one is to travel.

    1. Re:Credit cards are evil. by TheLink · · Score: 2, Insightful

      Lots of smart people have recently proven to the world that it's best to risk OTHER people's money. And that is why credit cards are better than debit cards.

      Seriously: With credit cards when stuff goes wrong, it's not YOUR money that's gone. It's other people's money. They may try to get it from you, but it's still YOUR money till they succeed.

      With debit cards, when stuff goes wrong, it's YOUR money that's gone. You may try to get it from the bank, but meanwhile you do NOT have that money till they decide to give it to you.

      That is a big strategic difference. If you do not see the difference, may I borrow lots of money from you? I promise to pay you back eventually.

  2. Awkward language by Anonymous Coward · · Score: 1, Insightful

    "a British unit of Wal-Mart Stores Inc." means Asda to any Brits reading this.

  3. I'm impressed. by Anonymous Coward · · Score: 1, Insightful

    Milkpowder or card readers, the lesson stays the same: Don't trust the Chinese.

  4. One-Time Passwords for Transactions by Doc Ruby · · Score: 4, Insightful

    I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

    Every login to my account from an insecure location (which might exclude my home and office PC, if they've got certificates installed) should consume a one-time password that cannot be replayed for some later, unauthorized transaction. In fact each OTP should be attached to a specific dollar amount and recipient, with an expiration on the transaction after which even that transaction cannot claim money, or get any access at all.

    Attempts to replay the transaction should automatically notify the FBI and the bank's security. I should get a notice of any risk warning above some level that I set, and a security statement listing the notices and their resolution with each monthly bill.

    Eventually, people whose ID has been pirated will routinely get that security regime alternative after finding someone liable to pay for it. We should all move to that regime ASAP, rather than wait for the damage to force our hands.

    --
    make install -not war

    1. Re:One-Time Passwords for Transactions by Anonymous Coward · · Score: 2, Insightful

      I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

      No need for that. What would be nice is a smartcard with keypad and an RSA certificate on the card, signed by a certificate authority (the bank), that connects to the home bank's server. You enter the PIN on the card itself. The ATM is just a conduit for the RSA key exchange. The transaction won't work unless both the smartcard and the bank see signed certificates.

      It's trivial to add replay protection, and you can't break this without breaking SSL, cloning the bank's certificate authority, or cloning the RSA certificate on the card and observing the PIN.
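One way to build what the parent comment and this reply describe: a one-time authorization bound to a specific amount, payee and expiry; a PIN entered on the card itself; the ATM acting only as a conduit; replays rejected and flagged. This is an added example, not code from either commenter. It substitutes a per-card ECDSA key enrolled directly with the bank for the bank-issued RSA certificate the reply mentions, and in-memory maps for the bank's records; the account and merchant identifiers are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Transaction is what the cardholder authorizes; the one-time authorization is bound to every field.
type Transaction struct {
	Account, Recipient string
	AmountCents        uint64
	Nonce              [16]byte
	Expires            time.Time
}

// digest is the canonical byte string the card signs and the bank verifies.
func (t Transaction) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%d\x00%d\x00", t.Account, t.Recipient, t.AmountCents, t.Expires.Unix())
	h.Write(t.Nonce[:])
	return h.Sum(nil)
}

// Card models the smartcard with its own keypad: the private key and the PIN never leave it.
type Card struct {
	priv *ecdsa.PrivateKey
	pin  string
}

func NewCard(pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Card{priv: priv, pin: pin}, err
}

// Public is what the bank enrolls at issuance (stand-in for a bank-signed certificate).
func (c *Card) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign checks the PIN typed on the card's keypad, then signs the digest; the ATM only relays bytes.
func (c *Card) Sign(pinEntered string, t Transaction) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pinEntered), []byte(c.pin)) != 1 {
		return nil, errors.New("card: wrong PIN, nothing signed")
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, t.digest())
}

var (
	ErrUnknownChallenge = errors.New("bank: no pending transaction matches")
	ErrExpired          = errors.New("bank: authorization window closed")
	ErrReplay           = errors.New("bank: authorization already consumed")
	ErrBadSignature     = errors.New("bank: signature does not verify")
)

// Bank issues single-use challenges and consumes each exactly once.
type Bank struct {
	Now     func() time.Time // injectable clock
	keys    map[string]*ecdsa.PublicKey
	pending map[[16]byte]Transaction
	used    map[[16]byte]bool
	Alerts  []string // where the "notify the bank's security" hook would fire
}

func NewBank(now func() time.Time) *Bank {
	return &Bank{Now: now, keys: map[string]*ecdsa.PublicKey{}, pending: map[[16]byte]Transaction{}, used: map[[16]byte]bool{}}
}
func (b *Bank) Enroll(account string, pub *ecdsa.PublicKey) { b.keys[account] = pub }

// Challenge creates the short-lived, single-use transaction the card must sign.
func (b *Bank) Challenge(account, recipient string, amountCents uint64, ttl time.Duration) (Transaction, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return Transaction{}, err
	}
	t := Transaction{Account: account, Recipient: recipient, AmountCents: amountCents, Nonce: nonce, Expires: b.Now().Add(ttl)}
	b.pending[nonce] = t
	return t, nil
}

// Authorize is what the ATM submits: the transaction it claims plus the card's signature.
func (b *Bank) Authorize(t Transaction, sig []byte) error {
	if b.used[t.Nonce] {
		b.Alerts = append(b.Alerts, fmt.Sprintf("replay on %s, nonce %x", t.Account, t.Nonce))
		return ErrReplay
	}
	orig, ok := b.pending[t.Nonce]
	if !ok || string(orig.digest()) != string(t.digest()) {
		return ErrUnknownChallenge // unknown nonce, or amount/payee altered in transit
	}
	if b.Now().After(orig.Expires) {
		return ErrExpired
	}
	if pub := b.keys[orig.Account]; pub == nil || !ecdsa.VerifyASN1(pub, orig.digest(), sig) {
		return ErrBadSignature
	}
	delete(b.pending, t.Nonce)
	b.used[t.Nonce] = true
	return nil
}
```

The bank verifies against its own stored copy of the challenge, so a terminal that changes the amount or payee after the card has signed gets no match; a second submission of a genuine authorization is consumed as a replay and lands in Alerts rather than in the account.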

  5. Re:Once a grocer by plover · · Score: 4, Insightful

    The article doesn't say where the rogue devices were installed, although they insinuated they may have been placed there in a Chinese factory. The limited number of devices containing the bug and the spread across various retailers hints that they probably weren't placed there by employees of the retailers: they may have been installed during manufacturing, packaging, or possibly during maintenance.

    These retailers are big enough that they all likely contract with a third party to perform their hardware repairs. It's possible that a corrupt repair person was responsible for installation of the bugs.

    --
    John
  6. The banks/we are funding the terrorists. by sygin · · Score: 4, Insightful

    My credit card has been ripped in the past. I lost £50 and the rest was refunded. I get the distinct impression that the banks do not care to catch the perpetrators or, in fact, stop fraud. It is more cost effective to do the minimum required and get us to fund the losses. Think about it: spend wads of cash on security, or just increase bank charges etc. to pay for losses. Banks are not interested in fraud. They have already run the numbers.

    --
    Don't make your problems my problems!
  7. One-factor security by Jimmy_B · · Score: 3, Insightful

    Something you have, something you know, and something you are. Security means using at least two out of the three security factors. ATM cards are supposed to be "something you know" (a PIN number) and "something you have" (a card), but unfortunately, the card's only purpose is to hold another number, so it's really "two things you know, one of which must be written in invisible ink". Until we replace all bank and credit cards with electronics that can do public-key cryptography, fraud will continue to rise.

    By the way, there's no evidence that anyone from Pakistan has anything to do with this. Most likely, the information is being sent to a compromised server, to conceal the real perpetrators, who could be anywhere.