Huge Credit Fraud Ring Sends Europeans' Data To Pakistan

marshotel excerpts from a story at the Wall Street Journal: "European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case. Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd."

Wal-Mart UK?

big retailers including a British unit of Wal-Mart Stores Inc.

Meaning Asda, I guess?

Re:Wal-Mart UK?

[Soruk]

Yes - TFA says as much.

Credit cards are evil.

The ONLY reason you actually need one is to travel.

Re:Credit cards are evil.

[VJ42]

Or (here in the UK) for purchasing anything over the value of £100, as if said purchase is in any way faulty the credit card company is just as liable as the retailer and\or manufacturer. Buy a broken computer\fridge\TV etc.? Sue the credit card company for your money back, and let them find out who was at fault for the broken goods, it's not your problem (Yay for British consumer protection laws).

Re:Credit cards are evil.

So you're the asshat that's making everything I purchase cost two percent more. I'll get you! I'm going to make stupid and risky investments and make you bail me out! Hahahahahah!

Re:Credit cards are evil.

[Naughty+Bob]

Over £100, but under £30,000.

And you don't have to 'Sue', so much as prove to the CC company that you are due the cash.

Agreed though, on the Yay for the consumer protection laws. It's not just good for the consumer either- I regularly use my credit card when I don't technically need to, specifically for this guarantee. I am not alone.

Consequently, the CC companies benefit hugely from this.

Re:Credit cards are evil.

[plover]

In America, the credit liability laws limit the consumer's exposure for fraudulent use of a card to $50. In practice, I've found most banks actually cover their customers 100%. You have to swear that it was theft, of course, and perhaps sign an affidavit, and if turns out that you were the "thief" you will be prosecuted for fraud.

Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods. For the rest of them, if you are unsatisfied with a credit transaction you can withhold payment from your credit company while you dispute the transaction, but there's paperwork involved. It's not particularly easy, and it's likely to go on your credit report.

Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.

Re:Credit cards are evil.

[innocent_white_lamb]

I get 10% on my gasoline purchases from our friendly local Co-op.

Re:Credit cards are evil.

[zippthorne]

Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.

Although they do not have a statutory obligation, many banks do offer a contractual obligation that appears at first glance to exceed the statutory one for CCs. It's been a few years and there haven't been any big exposees on debit card weaselly contracts, so I'd condsider switching from debt based plastic to debit.

Any lawyers who've examined some of the basic debit card agreements?

Re:Credit cards are evil.

[TheLink]

Lots of smart people have recently proven to the world that it's best to risk OTHER people's money. And that is why credit cards are better than debit cards.

Seriously: With credit cards when stuff goes wrong, it's not YOUR money that's gone. It's other people's money. They may try to get it from you, but it's still YOUR money till they succeed.

With debit cards, when stuff goes wrong, it's YOUR money that's gone. You may try to get it from the bank, but meanwhile you do NOT have that money till they decide to give it to you.

That is a big strategic difference. If you do not see the difference, may I borrow lots of money from you? I promise to pay you back eventually.

Once a grocer

[G3ckoG33k]

"Once a grocer, always a grocer."

Said by Penelope Keith (as Audrey fforbes-Hamilton) in "To The Manor Born" (http://en.wikipedia.org/wiki/To_the_Manor_Born) to Marjory Frobisher (played by Angela Thorne) about Richard DeVere (played by Peter Bowles) a nouveau riche millionaire supermarket owner.

How that applies here too!

Re:Once a grocer

[plover]

The article doesn't say where the rogue devices were installed, although they insinuated they may have been placed there in a Chinese factory. The limited number of devices containing the bug and the spread across various retailers hints that they probably weren't placed there by employees of the retailers: they may have been installed during manufacturing, packaging, or possibly during maintenance.

These retailers are big enough that they all likely contract with a third party to perform their hardware repairs. It's possible that a corrupt repair person was responsible for installation of the bugs.

Screw credit cards...

[Bombula]

To hell with credit cards and plastic. This kind of danger is why I only use cash and keep all my money in a Washington Mutual bank account, where it's safe...

Re:Screw credit cards...

[ScrewMaster]

Ppppphhhhhhttttt.

I've found it's simply safer to spend it just after it hits my bank account.

Yeah, most Americans do that. It goes awful fast nowadays. Like the old Depression-era joke:

Two men are sitting next to a hot dog stand having lunch. One looks down at his meal and says, "You know, one end of this thing tastes like hot dog, and the other tastes like bread."

The other guy responds with "Yeah ... these days it's hard to make both ends meat."

Re:I'm impressed.

[Yvan256]

Cartman, is that you?

Which probably explains....

[Angostura]

... why my local Tesco changed every one of its chip-and-PIN readers to a new make and model about 2 months ago. At this point you're probably wonding which make the old devices were, and I can't for the life of me remember. Sorry.

Good quick title edit..

[pcardno]

...shame my RSS feed still has it as "European's". I was wondering who this poor unlucky chap was, why defrauding him was so huge and quite how it managed to be a ring with only one person..

Re:Good quick title edit..

[Dirtside]

Well, if you're a small-time fraudster, it only takes a one-man ring to rule the mall.

One-Time Passwords for Transactions

[Doc+Ruby]

I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

Every login to my account from an insecure location (which might exclude my home and office PC, if they've got certificates installed) should consume a one-time password that cannot be replayed for some later, unauthorized transaction. In fact each OTP should be attached to a specific dollar amount and recipient, with an expiration on the transaction after which even that transaction cannot claim money, or get any access at all.

Attempts to replay the transaction should automatically notify the FBI and the bank's security. I should get a notice of any risk warning above some level that I set, and a security statement listing the notices and their resolution with each monthly bill.

Eventually, people whose ID has been pirated will routinely get that security regime alternative after finding someone liable to pay for it. We should all move to that regime ASAP, rather than wait for the damage to force our hands.

Re:One-Time Passwords for Transactions

[hobbit]

This is the TLA police; we're doing the WWW rounds tonight and you're SOL.

Re:One-Time Passwords for Transactions

[ScrewMaster]

Well, ATM security is based around the idea of limiting or preventing losses due to external access, having no benefit whatsoever if the system itself is compromised. Also, given how easy it is for anyone (even an ex-con who was put away for wire fraud and helped with an MSNBC expose on the subject) to buy an ATM machine directly from the manufacturer and get it tied into the banking network ... well. There was a big theft ring with several hundred compromised ATMs that was busted up in New York a few years ago, millions of dollars in losses. I thought then that it was only the tip of the iceberg, and it appears I was right.

The things aren't exactly trustworthy to begin with, and given the security track record of companies like Diebold, I find ATMs a risky way to get money. I will sometimes use the one inside my bank, but it's not that hard to go the cashier or the drive-up and get cash. Forget about using the "Money Machine" at the local gas station.

Re:One-Time Passwords for Transactions

I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

No need for that. What would be nice is a smartcard with keypad and an RSA certificate on the card, signed by a certificate authority (the bank), that connects to the home bank's server. You enter the PIN on the card itself. The ATM is just a conduit for the RSA key exchange. The transaction won't work unless both the smartcard and the bank see signed certificates.

It's trivial to add replay protection, and you can't break this without breaking SSL, cloning the bank's certificate authority, or cloning the RSA certificate on the card and observing the PIN.

fear not...

[owlnation]

In the UK. We're fine. Most of our data has already been stored in a government hard drive and left on a train seat somewhere, and it's not like we have any money in our bank accounts anyway.

Re:I'm impressed.

[grub]

WHY DO YOU HATE AMERICA?!

Because I'm Canadian?! :)

Anyhow, this was at a Toys-R-Us, not WalMart (they aren't the same company, are they?)

Any chance...

[jd]

...it was Diebold?

Re:Bank insurance + separate account.

[mattbee]

How kind of your bank to not debit your account for transactions you didn't authorise :) Seriously, you don't need insurance against *them* being defrauded. If someone asks your bank to give them money while pretending to be you, it is the *bank* who has been defrauded, not you. "Identify theft" is a cute term the banks invented to turn the poor security architecture in their payments network into their customers' problem

The banks/we are funding the terrorists.

[sygin]

My credit card has been ripped in the past. I lost £50 and the rest was refunded. I get the distinct impression that the banks do not care to catch the perpetrators or in fact, stop fraud. It is more cost effective to do the minimum required and get us to fund the losses. Think about it, spend wads of cash on security or just increase bank charges etc to pay for loses. Banks are not interested in fraud. They have already run the numbers.

PCI Law

[Benjamin_Wright]

A quote in the WSJ article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is a national security issue. It requires wholesale rethinking of the credit card system. The Federal Trade Commission misunderstands the magnitude of the problem. The FTC is locked in an old-fashioned belief that data in-security is due to stupid merchants (like TJX) treating consumers (and their privacy) "unfairly" by failing to secure their systems. We need fresh thinking and better leadership on this issue from the FTC. --Ben

A more interesting thought

[kilodelta]

We had this happen here in RI about a year or so ago. Except in our case the ring was being run by Armenians.

In that case they had posed as repairmen and then rigged the card machines. It forced Stop & Shop to replace all their credit card readers. But then it brings up another point.

What if these rings manage to get to the card readers before they're delivered to the merchants. I bet that is what happened here.

One-factor security

[Jimmy_B]

Something you have, something you know, and something you are. Security means using at least two out of the three security factors. ATM cards are supposed to be "something you know" (a PIN number) and "something you have" (a card), but unfortunately, the card's only purpose is to hold another number, so it's really "two things you know, one of which must be written in invisible ink". Until we replace all bank and credit cards with electronics that can do public-key cryptography, fraud will continue to rise.

By the way, there's no evidence that anyone from Pakistan has anything to do with this. Most likely, the information is being sent to a compromised server, to conceal the real perpetrators, who could be anywhere.

No questions asked, but you can go too far...

[AliasMarlowe]

Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods.

A couple of decades ago, American Express pioneered the concept of "money back, no questions asked" if a product bought with AmEx became broken for any reason during the first 30 days after purchase. They had some dumb commercial on TV featuring a kid feeding porridge into a VCR, and a refund being given for the gummed-up VCR.

A colleague of mine perpetually travelled and regularly put more than $20k per month through his AmEx, so they automatically accepted almost any charge from him. Skipping a long and tortuous story, he bought a used airplane in Australia as part of some hare-brained get-rich-quick scheme (probably caused by alcohol). It was charged to his AmEx! His partner in the scheme was the pilot, who pranged the airplane on the first take-off. He survived, but the plane was a complete write-off.

Rather than accept the partial payment from their basic insurance coverage, my colleague called American Express, since the plane had been bought only a week or so previously. Contrary to their advertising, they asked a great many questions, and wriggled like mad in vain attempts to avoid the refund. Eventually, they cancelled the charge.

American Express tried to impose an inadequate monthly charge limit on him after that, but our mutual boss stood up to them, by threatening to cancel the corporate reliance on AmEx if there were any restrictions. We had almost a hundred perpetual travellers and a couple of hundred regular travellers (I occasionally exceeded US$10k on AmEx in a month). AmEx backed down.