Slashdot Mirror


178 Arrested In US/EU Credit Card Cloning Ops

eldavojohn writes with this report from Brian Krebs: "Authorities have moved in on 178 people accused of working in credit card cloning labs across the USA and Europe, but with the bulk of the work apparently operating out of Spain. The source states that 'Police in 14 countries participated in a two-year investigation, initiated in Spain, where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, and arrested 76 people and dismantled six cloning labs. The raids were made primarily in Romania, France, Italy, Germany, Ireland, and the United States, with arrests also made in Australia, Sweden, Greece, Finland, and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation, and money-laundering, the police said.' Krebs notes a new credit card debuting at Turkish banks that appears to have a built-in LCD that has a random six-digit number associated with each transaction much like RSA SecurID keys used for computer logins."

21 of 103 comments

  1. lol stealing from investment banks by Anonymous Coward · · Score: 2, Funny

    if you are going to steal from someone, don't steal from professional thieves.

  2. Doesnt sound very profitable. by Rivalz · · Score: 4, Insightful

    Close to 200 employees spanning multiple countries. And they take in only 25mil? Not just that but getting cash out of credit card companies I thought was a pain in the ass. Is it 25 mil per year or total? Because if it is total that seems like a shitty business investment. They should just stick to guns, drugs, and prostitution.

    1. Re:Doesnt sound very profitable. by mujadaddy · · Score: 4, Funny

      They should just stick to guns, drugs, and prostitution.

      Intrigued, newsletter, etc., etc.

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
    2. Re:Doesnt sound very profitable. by Hatta · · Score: 5, Insightful

      Most of these people aren't doing it because it's lucrative. They do it because they have no legitimate options. The lowest rungs of any criminal enterprise get paid shit wages just like any business. 200 people at 20k a year is 4 million for payroll. That leaves over 20 million for the boss.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Doesnt sound very profitable. by sznupi · · Score: 4, Insightful

      For many people in those ops 20k a year might be actually a quite decent level of income; compared to, say, the average at the place they are or from which they are.

      --
      One that hath name thou can not otter
    4. Re:Doesnt sound very profitable. by guruevi · · Score: 2, Interesting

      Which in Europe is still pretty good wages though. If you don't work (or don't report that you work), you still get paid a minimum wage, your housing and utility costs become subsidized and healthcare is practically free. If you have kids, you get free food and clothing for them. So you get 20k on top of that.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Doesnt sound very profitable. by drspliff · · Score: 2, Interesting

      I'm on less than £20k per year and it's plenty enough to live on.

    6. Re:Doesnt sound very profitable. by Hatta · · Score: 2, Interesting

      Perhaps their conscience feels better stealing from credit card companies instead of average taxpayers.

      --
      Give me Classic Slashdot or give me death!
    7. Re:Doesnt sound very profitable. by WillDraven · · Score: 3, Interesting

      Any countries let you flee from the USA yet?

      --
      This is my sig. There are many like it but this one is mine.
  3. T'riffic. by blair1q · · Score: 2, Interesting

    Terrific. 6 more ways for a mouth-breathing cash-register operator to fuck up your transaction...

    1. Re:T'riffic. by Anonymous Coward · · Score: 3, Insightful

      Terrific. 6 more ways for a mouth-breathing cash-register operator to fuck up your transaction...

      You're perfectly welcome to do the job yourself and do it better than they do. Step right up.

      What's that? You're not willing to lower yourself to their level? That work's beneath you? You've got too much dignity? You're not willing to see what the little guy has to do to get by? You never had to work a day of retail in your pampered, high-class life? Well, by all means, you can STFU, ass.

  4. False security by girlintraining · · Score: 3, Insightful

    178 people. Remember that number.

    Unless the card is radioactive it's not "random"... it's pseudorandom, and therefore based on an algorithm. Figure out the seed (initial vector) and other inputs, and you're right where you started, only your clients feel more secure and the criminals have to spend an extra few bucks. Given that there are multinational laboratories churning out thousands of dup cards, and assuming they have an active distribution network... it's safe to say these aren't the only guys or the first.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:False security by girlintraining · · Score: 2, Informative

      Apparently it's more complicated than some hand waving at "other inputs" or nobody would use the RSA security cards that operate on the same principle.

      No, it is not complicated: There's a number being displayed on the card every six seconds. For it to have any value in authentication, that number needs to be somewhere else every six seconds too. Which means it's not "random". It might pass every test for random, but it isn't. Which means there is an algorithm in place. That algorithm requires two things: First, that it stay synchronized (time), and second that there's a reference point shared between the circuitry on the card and the bank where that number is validated.

      Those requirements all lead to one conclusion: PRNG. The seed is probably a key of some kind plus time. There are at least two places that key is kept: On the card, and at the bank, and probably more places. Access any of them, and you recover the key. It's just a question of cost.

      Now here's the kicker: 100,000 credit cards linked to a random cross-section of the population is worth a fair amount of money. Probably more than the cost of cracking that protection. And that means it's still profitable and practical to crack it.

      --
      #fuckbeta #iamslashdot #dicemustdie
  5. Re:Random? by Speare · · Score: 5, Informative

    SecurID is pretty much the exact opposite of a random number.

    Er, a reasonable working definition of "random" is "you can't predict it." The card changes its displayed number every N seconds. The card's pseudo-random number generator has an algorithm and a seed value which are generally unknown to the user, and unknown to the merchant. It was produced in sync with the server, and continues to compute the numbers in parallel with the server. Even if the thief knows the algorithm, they would require significant time (an understatement) to acquire enough samples to accurately predict the next number that the server is expecting. So, for all practical purposes, yes, it's random.

    --
    [ .sig file not found ]
  6. Re:Spain, Really? by blair1q · · Score: 4, Insightful

    Actually, innovating with new forms of income is why nations are going broke these days.

    They're pretending that speculation is investment, borrowing is income, and money-multiplication through circular lending is economic growth.

    And hidden among these obvious insanities is a much more subtle one that will snap the rubber band: they track money borrowed to speculate as risk at the interest rate of the loan, not at the rate-of-ruin of the speculation.

    The United States was as usual the most innovative, and therefore led the world. To a precipice and beyond. As usual by setting a good example.

  7. Re:Random? by Beardo+the+Bearded · · Score: 2, Informative

    Except that it's not a random number or a random number generator.

    It's a cipher generator, which is what Stradenko is getting at -- it's also what you're getting at, ironically. If the numbers were totally random, they would be useless. What it's doing is applying the downside of PRNGs - namely, their predictability - to create a sequence that is known to the computers in question, but appears random to the observer. If you seed multiple generators, all with the same algorithm, then you'll get the same sequence. That's terrible if you're running a lotto, but pretty good if you're trying to get two things to sync up.

    People have won millions by successfully outguessing PRNGs. I am not sure if this will add more security or if this is just security theater. Given the banking industry's track record, I'm going to go out on a limb and suggest that it's WIWTF security.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  8. Re:Random? by interval1066 · · Score: 2, Funny

    "Even if the thief knows the algorithm, they would require significant time (an understatement) to acquire enough samples to accurately predict the next number that the server is expecting. So, for all practical purposes, yes, it's random."

    Yep, digital security, almost always infallible. When was the last time a digitally secure system was broken? About 15 minutes ago? Well, I'll be sleeping easier tonight, surely.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  9. Re:Random? by spacerog · · Score: 2, Interesting

    "This short paper will examine several discovered statistical irregularities
    in functions used within the SecurID algorithm: the time
    computation and final conversion routines. Where and how these irregularities
    can be mitigated by usage and policy are explored."

    http://www.linuxsecurity.com/resource_files/cryptography/initial_securid_analysis.pdf

    My point is just because it is encased in plastic does not mean that the number can not be determined.

    - SR

  10. Re:Random? by synackpshfin · · Score: 2, Informative

    Hi. SecurID tokencode is calculated from current time + seed fed to the (AES) crypto algorithm. I believe that without knowing the seed it is quite hard to predict next tokencode...
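
Added example, not part of the thread and not RSA's SecurID algorithm: several comments above describe a six-digit code derived from a per-card seed plus the current time, computed in parallel by the card and the bank. The sketch below uses an RFC 6238-style HMAC construction as a stand-in to show both sides, including clock-drift tolerance and replay rejection; the step length, the seed values and the `Verifier` class are assumptions made for illustration.

```python
import hmac, hashlib, struct

STEP = 60      # seconds each code stays valid (assumed)
DIGITS = 6     # six-digit display, as in the summary

def token_code(seed: bytes, unix_time: int, step: int = STEP) -> str:
    """Code shown by the card: keyed MAC over the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"

class Verifier:
    """Bank side: holds the same seed, tolerates clock drift, rejects replays."""
    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps
        self.last_step = -1          # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step:
                continue             # a code from this step was already used
            expected = token_code(self.seed, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False

def demo():
    seed = b"constructed-per-card-seed-000001"   # constructed sample value
    now = 1_700_000_000                          # constructed timestamp
    bank = Verifier(seed)
    code = token_code(seed, now)
    first = bank.verify(code, now)               # card and bank agree
    replay = bank.verify(code, now + 5)          # same code again: rejected
    stale = bank.verify(code, now + 10 * STEP)   # outside the drift window
    other_card = token_code(b"another-card-seed-xxxxxxxxxxxxxx", now)
    return first, replay, stale, code != other_card

if __name__ == "__main__":
    print(demo())
```

The security of the scheme rests entirely on the secrecy of the seed held on the card and at the verifier, which is why the verifier side should store seeds with the same care as any other authentication secret.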

  11. Re:Random? by Hognoxious · · Score: 3, Funny

    a reasonable working definition of "random" is "you can't predict it."

    No, it's that nobody can predict it.

    You haven't got a hope in hell of predicting the next number I write down, but for me it's a certainty.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  12. Re:Spain, Really? by quenda · · Score: 2, Interesting

    TFA is too PC to say it outright, but putting Romania at the head of the list says it is a Gypsy operation.
    These are multi-generational career criminal families. And the Spanish police seem unable to do anything about it.
    There was a good documentary on the BBC:

    How Gypsy gangs use child thieves