Saturday, June 02, 2007

It is no wonder why skimming (credit/debit card fraud) is becoming a nasty problem!

Skimming credit and debit cards has become too easy with the irresponsible sale of technology. All the necessary techie devices to commit what many consider a "high tech crime" are being sold on the Internet - even on auction sites - such as eBay.

Yesterday, I read about an arrest of one of the Internet vendors by the Calgary Police, after they were tipped off by the United States Secret Service (USSS).

Here is what the press release from the Calgary Police Department said:
In January 2006, investigators with the U.S. Secret Service specializing in payment card fraud and Internet crime, identified a person using the Internet name of “Dron,” who was advertising skimming equipment for sale over the Internet.

A possible Calgary connection was identified and investigators assigned to the Calgary Police Service Commercial Crime Unit were involved in the investigation.

A joint, cross-border investigation was initiated. A Calgary resident was identified as the alleged manufacturer and exporter of devices which could be used for skimming data from debit and credit cards. With the assistance of other CPS units, the Calgary case has been successfully concluded.

There isn't a lot of information on how Dron was advertising his wares on the Internet, but the sad truth is he probably isn't the only vendor selling these devices.

I checked eBay (this morning) and devices that could be used to skim payment card details are being hawked (as usual) on the auction site.

In March, I wrote about a new variation (mutation) of skimming, where PIN pads were replaced at a Edmonton Wendys. The fake PIN pads are capable of transmitting card data and PIN numbers(using wireless technology) to fraudsters, who are probably sitting in a car in a parking lot.

I suspect the current fake PIN pads are being used to defeat PCI (payment card industry) data protection standards. The information is sent to the fraudster before it goes through the merchant's point of sale system.

PCI data protection standards have become a major concern lately, but it appears the criminals are already working on countermeasures that will get past them. Besides PIN pads, portable devices, used by dishonest insiders are a big problem right now, also.

Interestingly enough, even with all the media attention about PCI compliance, a large number of merchants have failed to implement them. A case to point at would be the recent TJX data breach, where at least 45 million records were compromised over a several year period.

In the Wendy's post, I identified a website called, which sells a lot of devices that can be used to commit financial crimes, including skimming. I just checked (and sadly) they are still up and open-for-business.

Of course, they publish a disclaimer on their page:
We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country.
This obviously is enough to keep them in business.
The PIN pad skimming variation has now been identified in both the Eastern and Western United States, as well as Canada.

Maybe if there were stricter controls on the sale of the devices that enable skimming, the problem wouldn't be so bad?

Meanwhile, expensive security technology (compliance) is being made mandatory. If history repeats itself, any technology designed (which is expensive in itself), will have a limited life span. I'm all for technological solutions, but if we don't back them up with consequences, they tend to have a limited effectiveness.

There needs to be more social solutions (laws) to bolster some of this expensive anti-fraud technology.

With millions of victims and billions of dollars being lost, I wonder why we allow this activity to be marketed over the Internet?

We are making hard working people, like USSS Agents and the Calgary Police, work pretty hard to fight a growing problem, which is victimizing a lot of PEOPLE and businesses!

Calgary Police press release, here.

No comments: