Huge Credit Fraud Ring Sends Europeans' Data To Pakistan

marshotel excerpts from a story at the Wall Street Journal: "European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case. Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd."

Which probably explains....

[Angostura]

... why my local Tesco changed every one of its chip-and-PIN readers to a new make and model about 2 months ago. At this point you're probably wonding which make the old devices were, and I can't for the life of me remember. Sorry.

Re:One-Time Passwords for Transactions

[ScrewMaster]

Well, ATM security is based around the idea of limiting or preventing losses due to external access, having no benefit whatsoever if the system itself is compromised. Also, given how easy it is for anyone (even an ex-con who was put away for wire fraud and helped with an MSNBC expose on the subject) to buy an ATM machine directly from the manufacturer and get it tied into the banking network ... well. There was a big theft ring with several hundred compromised ATMs that was busted up in New York a few years ago, millions of dollars in losses. I thought then that it was only the tip of the iceberg, and it appears I was right.

The things aren't exactly trustworthy to begin with, and given the security track record of companies like Diebold, I find ATMs a risky way to get money. I will sometimes use the one inside my bank, but it's not that hard to go the cashier or the drive-up and get cash. Forget about using the "Money Machine" at the local gas station.

PCI Law

[Benjamin_Wright]

A quote in the WSJ article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is a national security issue. It requires wholesale rethinking of the credit card system. The Federal Trade Commission misunderstands the magnitude of the problem. The FTC is locked in an old-fashioned belief that data in-security is due to stupid merchants (like TJX) treating consumers (and their privacy) "unfairly" by failing to secure their systems. We need fresh thinking and better leadership on this issue from the FTC. --Ben

A more interesting thought

[kilodelta]

We had this happen here in RI about a year or so ago. Except in our case the ring was being run by Armenians.

In that case they had posed as repairmen and then rigged the card machines. It forced Stop & Shop to replace all their credit card readers. But then it brings up another point.

What if these rings manage to get to the card readers before they're delivered to the merchants. I bet that is what happened here.

Re:Credit cards are evil.

[innocent_white_lamb]

I get 10% on my gasoline purchases from our friendly local Co-op.

Re:Credit cards are evil.

[zippthorne]

Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.

Although they do not have a statutory obligation, many banks do offer a contractual obligation that appears at first glance to exceed the statutory one for CCs. It's been a few years and there haven't been any big exposees on debit card weaselly contracts, so I'd condsider switching from debt based plastic to debit.

Any lawyers who've examined some of the basic debit card agreements?

No questions asked, but you can go too far...

[AliasMarlowe]

Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods.

A couple of decades ago, American Express pioneered the concept of "money back, no questions asked" if a product bought with AmEx became broken for any reason during the first 30 days after purchase. They had some dumb commercial on TV featuring a kid feeding porridge into a VCR, and a refund being given for the gummed-up VCR.

A colleague of mine perpetually travelled and regularly put more than $20k per month through his AmEx, so they automatically accepted almost any charge from him. Skipping a long and tortuous story, he bought a used airplane in Australia as part of some hare-brained get-rich-quick scheme (probably caused by alcohol). It was charged to his AmEx! His partner in the scheme was the pilot, who pranged the airplane on the first take-off. He survived, but the plane was a complete write-off.

Rather than accept the partial payment from their basic insurance coverage, my colleague called American Express, since the plane had been bought only a week or so previously. Contrary to their advertising, they asked a great many questions, and wriggled like mad in vain attempts to avoid the refund. Eventually, they cancelled the charge.

American Express tried to impose an inadequate monthly charge limit on him after that, but our mutual boss stood up to them, by threatening to cancel the corporate reliance on AmEx if there were any restrictions. We had almost a hundred perpetual travellers and a couple of hundred regular travellers (I occasionally exceeded US$10k on AmEx in a month). AmEx backed down.