Huge Credit Fraud Ring Sends Europeans' Data To Pakistan
marshotel excerpts from a story at the Wall Street Journal: "European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case. Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd."
To hell with credit cards and plastic. This kind of danger is why I only use cash and keep all my money in a Washington Mutual bank account, where it's safe...
A-Bomb
... why my local Tesco changed every one of its chip-and-PIN readers to a new make and model about 2 months ago. At this point you're probably wondering which make the old devices were, and I can't for the life of me remember. Sorry.
...shame my RSS feed still has it as "European's". I was wondering who this poor unlucky chap was, why defrauding him was so huge and quite how it managed to be a ring with only one person..
--- Band: Joey Ultra
I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.
Every login to my account from an insecure location (which might exclude my home and office PC, if they've got certificates installed) should consume a one-time password that cannot be replayed for some later, unauthorized transaction. In fact each OTP should be attached to a specific dollar amount and recipient, with an expiration on the transaction after which even that transaction cannot claim money, or get any access at all.
Attempts to replay the transaction should automatically notify the FBI and the bank's security. I should get a notice of any risk warning above some level that I set, and a security statement listing the notices and their resolution with each monthly bill.
Eventually, people whose ID has been pirated will routinely get that security regime alternative after finding someone liable to pay for it. We should all move to that regime ASAP, rather than wait for the damage to force our hands.
--
make install -not war
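An added example, not part of the original thread, of the scheme the comment above proposes: a one-time code bound to a specific amount and recipient, with an expiry, where any replay is refused and recorded. The class name, the shared-key setup, the use of HMAC-SHA256 and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


class TransactionAuthorizer:
    """Hypothetical bank-side verifier for codes bound to one amount, recipient and expiry."""

    def __init__(self, key: bytes):
        self._key = key        # secret shared with the customer's token (assumption)
        self._spent = set()    # nonces already consumed by an approved transaction
        self.alerts = []       # replay attempts, kept for the customer's security statement

    def _mac(self, nonce, amount_cents, recipient, expires_at):
        msg = json.dumps([nonce, amount_cents, recipient, expires_at]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, amount_cents, recipient, now, ttl=120):
        """Create a code valid for exactly this amount and recipient until now + ttl."""
        nonce, expires_at = secrets.token_hex(8), now + ttl
        code = self._mac(nonce, amount_cents, recipient, expires_at)
        return {"nonce": nonce, "expires_at": expires_at, "code": code}

    def redeem(self, otp, amount_cents, recipient, now):
        """Check the code against the transaction the terminal actually submits."""
        expected = self._mac(otp["nonce"], amount_cents, recipient, otp["expires_at"])
        if not hmac.compare_digest(expected, otp["code"]):
            return "rejected: code does not match this transaction"
        if otp["nonce"] in self._spent:
            self.alerts.append({"nonce": otp["nonce"], "recipient": recipient, "time": now})
            return "rejected: replay"
        if now > otp["expires_at"]:
            return "rejected: expired"
        self._spent.add(otp["nonce"])
        return "approved"


def demo():
    bank = TransactionAuthorizer(secrets.token_bytes(32))
    otp = bank.issue(4000, "atm-0042", now=1000)           # constructed sample values
    return [
        bank.redeem(otp, 90000, "atm-0042", now=1010),     # terminal inflates the amount
        bank.redeem(otp, 4000, "atm-0042", now=1010),      # the transaction the customer approved
        bank.redeem(otp, 4000, "atm-0042", now=5000),      # captured code replayed later
    ]


if __name__ == "__main__":
    print(demo())
```

Because the replay check runs before the expiry check, a captured code that is reused after it has expired is still recorded as a replay rather than dismissed as stale.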
Or (here in the UK) for purchasing anything over the value of £100, as if said purchase is in any way faulty the credit card company is just as liable as the retailer and/or manufacturer. Buy a broken computer/fridge/TV etc.? Sue the credit card company for your money back, and let them find out who was at fault for the broken goods, it's not your problem (Yay for British consumer protection laws).
If I have nothing to hide, you have no reason to search me
...it was Diebold?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The article doesn't say where the rogue devices were installed, although they insinuated they may have been placed there in a Chinese factory. The limited number of devices containing the bug and the spread across various retailers hints that they probably weren't placed there by employees of the retailers: they may have been installed during manufacturing, packaging, or possibly during maintenance.
These retailers are big enough that they all likely contract with a third party to perform their hardware repairs. It's possible that a corrupt repair person was responsible for installation of the bugs.
John
How kind of your bank to not debit your account for transactions you didn't authorise :) Seriously, you don't need insurance against *them* being defrauded. If someone asks your bank to give them money while pretending to be you, it is the *bank* who has been defrauded, not you. "Identity theft" is a cute term the banks invented to turn the poor security architecture in their payments network into their customers' problem.
Matthew @ Bytemark Hosting
In America, the credit liability laws limit the consumer's exposure for fraudulent use of a card to $50. In practice, I've found most banks actually cover their customers 100%. You have to swear that it was theft, of course, and perhaps sign an affidavit, and if it turns out that you were the "thief" you will be prosecuted for fraud.
Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods. For the rest of them, if you are unsatisfied with a credit transaction you can withhold payment from your credit company while you dispute the transaction, but there's paperwork involved. It's not particularly easy, and it's likely to go on your credit report.
Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.
John
My credit card has been ripped in the past. I lost £50 and the rest was refunded. I get the distinct impression that the banks do not care to catch the perpetrators or in fact, stop fraud. It is more cost effective to do the minimum required and get us to fund the losses. Think about it, spend wads of cash on security or just increase bank charges etc to pay for losses. Banks are not interested in fraud. They have already run the numbers.
Don't make your problems my problems!