Showing posts with label credit card cloning.

Saturday, May 24, 2008

International Phishing Gang, nailed with a little teamwork!

I suppose it's big news when a phishing gang gets caught. Sadly, few of them ever seem to get nabbed or prosecuted. Phishing is a crime that is committed across borders with the click of a mouse, or "bot," which makes investigating and prosecuting this type of crime slightly challenging.

Saying that, the times might be changing, especially (more and more) when U.S. citizens are targeted. Besides this latest series of arrests, the FBI recently conducted a very successful operation against bot-herders in an effort dubbed "Operation Bot Roast."

Bot-herders, who run botnets, are behind growing amounts of spam. Spam is the preferred method of spreading scams and other questionable activity across cyberspace.

According to the DOJ press release, 33 phishermen have been hooked in an operation that was truly international in nature:

A federal grand jury in Los Angeles charged 33 individuals in a 65-count indictment unsealed today for their alleged participation in an international racketeering scheme that used the Internet to defraud thousands of individual victims and hundreds of financial institutions. Seven individuals were charged in a District of Connecticut indictment for their roles in an Internet phishing scheme, including two who were also charged in the Los Angeles case.

U.S. law enforcement authorities are executing nine arrest warrants in the Los Angeles area and Romanian law enforcement authorities are executing search warrants in Romania today in connection with the racketeering indictment.

Supporting the "global theory" of this activity, these phishermen operated from six different countries. They also claimed citizenship from several different countries:

The individuals named in the indictment operated from locations in the United States and abroad including Canada, Pakistan, Portugal and Romania, and include both U.S. citizens and foreign nationals. Sonny Duc Vo, Alex Chung Luong and Leonard Gonzales are U.S. citizens. Nga Ngo, Thai Hoang Nguyen, Loi Tan Dang and Dung Phan are permanent legal residents of Vietnam. Hiep Thanh Tran is a U.S. permanent resident from Vietnam. Caroline Tath is a permanent legal resident of Cambodia. Hassan Parvez is a citizen of Pakistan. Rolando Soriano is a Mexican citizen and is currently charged in Los Angeles with illegal entry by an alien following deportation. Ovidiu Ionut Nicola-Roman; Petru Bogdan Belbita; Stefan Sorin Ilinca; Sorin Alin Panait; Costel Bulugea; Nicolae Dragos Draghici; Florin Georgel Spiru; Marian Daniel Ciulean; Irinel Nicusor Stancu; Didi Gabriel Constantin; Mihai Draghici; Marius Sorin Tomescu; Lucian Zamfirache; Laurentiu Cristian Busca; Dan Ionescu; Marius Lnu; Alex Gabriel Paralescu; and Andreea Nicoleta Stancuta are Romanian citizens. An additional four individuals known only by their aliases, “Cryptmaster”; “PaulXSS”; “euro_pin_atm” and “SeleQtor” are believed to be Romanian citizens.

According to an article in PC World by John E. Dunn, financial details (mostly payment card numbers) were stolen using a fake website. The stolen financial details were then sent via SMS (text) messaging to their cohorts in the United States and counterfeit payment (credit/debit) cards were produced.

After the counterfeit cards were produced, we can assume "runners" went to ATM machines and drained the accounts.

Financial institutions targeted included "People’s Bank, Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., and PayPal," according to the DOJ press release. Although it is not a financial institution, the DOJ press release mentioned that eBay was also a phishing target.

Two good resources, largely from the private sector, that study phishing and provide a lot of relevant information about the activity are the Anti-Phishing Working Group and Artists Against 419. Besides government resources, there are also private warriors out there dedicated to taking down phishing sites. The PIRT (Phishing Incident Reporting and Termination) Squad run by CastleCops, a site dedicated to computer and internet security, is a leader in this private effort to curb phishing. PIRT goes after phishing as it occurs in the "wild," or on the Internet.

Most of the information gathered by these groups is provided and used as intelligence by law enforcement resources. As a disclaimer, in this case, it is unknown what private resources might have contributed intelligence to this effort.

Law enforcement resources on a local, national and international level contributed to this latest series of arrests. Most experts agree that cybercrime has flourished in the past because of the inability of members of the "white side of the fence" to come together as a team. Sadly, the members of the "black side of the fence" have seemed to embrace teamwork and the result has been devastating, to say the least.

Last month, Attorney General Mukasey announced a "Law Enforcement Strategy to Combat International Organized Crime." This strategy was developed to combat a growing threat to the stability of U.S. interests posed by organized crime groups.

DOJ press release, here.

Thursday, April 17, 2008

Symantec releases Internet Threat Security Report

Symantec recently issued its Internet Security Report, which covers the second half of 2007. The key findings in the report are that malicious activity has become web based, attackers are going after end users rather than computers, the underground community is maturing and consolidating, and the bad guys are getting better at improvising and adapting.

The report confirms that hacker tool kits are increasingly making it easier for less sophisticated types to effectively commit technical crimes. Symantec also believes that these tool kits are being professionally developed, which supports the deduction that the underground community is maturing and consolidating.

Perhaps the availability of tool kits is the reason that a 559 percent increase in phishing websites has been noted?

The report also shows that the bad guys are going after "trusted" sites, such as social networking sites.

The underground economy in stolen financial details is also on the increase. These details, which are sold in Internet forums, are getting cheaper. With all the phishing going on, coupled with a record amount of data breaches, an overabundant supply of stolen information is likely the reason for this. The report found a wide variety of pricing on payment card numbers, ranging from .40 cents to $20 per card.

The easy availability of encoders and other portable payment card technology makes it "too easy" to counterfeit the numbers into realistic looking plastic. In addition to this, there is a thriving market in counterfeit documents, which provides a wide array of realistic counterfeit identification to vet the counterfeit financial instruments.

Besides identities and payment card details, stolen bank accounts are becoming increasingly available. Symantec attributes the increase in bank account information to a mirror increase in banking trojans over the second half of 2007.

Besides being used to clean out an account, bank account details are useful to criminals when they commit check fraud. Anyone who follows scams on the Internet knows that counterfeit checks are being delivered to unsuspecting mules to cash in a variety of advance fee (419) type scams. Please note there are also organized gangs who move from area to area committing check fraud using mules who know exactly what they are doing.

Recently, an International task force monitored the mail and discovered large amounts of counterfeit checks being shipped throughout North America and the European Union.

All in all this report is a very interesting read. If you are a more visual type, Symantec also did a very nice flash presentation on this, which can be seen on the page linked to in the previous sentence.

Saturday, August 11, 2007

Self service stamp machines targeted by credit card thieves


Photo courtesy of Leff at Flickr

New scams are invented daily. Here is one, where self-service stamp machines (the kind that accept payment cards) are being targeted at Post Offices.

David Bowermaster at the Seattle Times is reporting:

In mid-July, three men left their homes near Los Angeles and traveled to Seattle to buy postage stamps.
But these were no ordinary collectors. Armed with at least 27 stolen credit-card numbers, federal prosecutors say, Artem Danilov, Stephan Melkonyan and Karapet Kankanian fraudulently purchased more than 3,200 books of stamps worth nearly $24,000 from Seattle-area post offices in just more than a week. A federal grand jury Thursday charged the men with an assortment of crimes.

Following a pattern that Postal Service investigators have uncovered in at least five Western states, the men made mass purchases of stamps after normal working hours from automated postal machines, which are accessible 24 hours a day in the lobbies of many post offices around the country, prosecutors allege.

While these three were caught (two Russians and an Armenian), it appears this activity has been occurring throughout the Western United States.

The illegal stamp-buying scheme appears to be a novel breed of identity theft, one that blends high-tech thievery, online commerce and the retro currency of the U.S. mail.

James Vach, a spokesman for the U.S. Postal Inspection Service in Seattle, said investigators first encountered a wave of fraudulent stamp buys in the Los Angeles area late last year.

Since then, the Postal Service has uncovered illegal stamp-buying schemes in Washington, Oregon, Arizona and Colorado.

The Postal Inspectors suspect a larger ring is involved and some of the stolen credit card numbers used have been traced to a car wash in Southern California.

According to the article, here is how the suspects were using the stolen credit card numbers:

Danilov, Melkonyan and Kankanian allegedly used a credit-card reader to embed the stolen credit-card numbers onto the magnetic strips of gift cards from a variety of retailers, Brown said, a process that allows the gift cards to function like credit cards.

They then used the adulterated gift cards to repeatedly buy books of stamps from postage machines in one post office after another. Customers used to be able to buy dozens of books of stamps per transaction from the automated postage machines, but the Postal Service has since limited the number to try to fight such fraud.

Although the authorities don't know where all the stamps were being sold, according to an assistant U.S. Attorney, some of them are being fenced on eBay.

A lot of stolen merchandise is fenced on eBay and other auction sites. A lot of this stolen merchandise is purchased with fraudulent credit/debit card information.

Out of curiosity, I decided to see if new stamps (the kind used for postage) could be found on eBay. Amazingly enough, I found what I consider a large selection with offers of free shipping and discounted prices. What I found can be seen here.

Of course, at a glance, it can be hard to tell what is legitimate and what is not on an auction site.

A lot of stolen gift cards (used in this instance to clone the cards used) are also fenced on auction sites. I wonder if the value on them had already been used, or if our suspects lifted them at a retailer before a dollar value was loaded on them at a point-of-sale (register)?

Seattle Times story, here.

If you spot this type of activity during a visit to the Post Office, you can report it to the Postal Inspectors, here.

Although two of the suspects apprehended were Russian, the U.S. resident was an Armenian from Southern California. Recently, Armenians (from Southern California) have been tied into similar type activity. The previous posts I've done on these stories can be seen here.

Wednesday, June 13, 2007

San Diego Regional Fraud Task Force releases photos of suspected ATM skimmers

Devices to skim payment card information have become a big problem, whether they are portable devices used by dishonest employees at restaurants, PIN pads replaced at merchants, or devices mounted on ATM machines.

Many of the devices used recently use wireless technology, and the card details are transmitted to fraudsters, normally sitting in a vehicle with a laptop.

The San Diego Regional Fraud Task Force is hot on the trail of two suspects, photographed using some of the cloned cards. Cloned cards are counterfeit devices made with the information skimmed from legitimate (credit/debit) payment cards.

Unfortunately, most of the equipment to do this can be purchased legally. Some of this equipment is even being sold over the Internet. Loose controls on the sale of this technology enable a lot of criminal activity and make it harder for law enforcement to investigate, and a lot of people are being victimized by it.


SignOnSanDiego.com reports:

Police are warning ATM users that scammers are using high-tech devices to steal their bank account information, including debit and credit cards numbers and personal identification codes.

Police have released photos taken from surveillance video of two suspects. Anyone with information about either man is asked to call the task force at (619) 744-2534 or the U.S. Secret Service at (619) 557-5640.

The pictures of the current people of interest in this case are featured above (to the left).

I did a post with some interesting pictures of an ATM skimming device, which are pretty educational. It can be seen here.

For other articles about payment card skimming, click here.

SignOnSanDiego.com story, here.

A lot of the skimming in the United States seems to be tied into Armenian organized crime. Glendale, which is a couple of hours North of San Diego, seems to be where a lot of this activity originates.

Maybe someone should post these pictures in the Glendale area?



Skimming device discovered at a gas (petrol) station in the United Kingdom (Courtesy of Flickr). The expression on the employee's face is worth a thousand words.

Monday, May 07, 2007

Is Target's payment card and new refund procedure stopping retail criminal activity?

Will stricter return policies drive Target's customers elsewhere? Some are saying their new return policy (which will require a receipt for cash returns of $20 or more) isn't very customer friendly and might do just that. Some are also questioning whether another policy (how they verify plastic transactions) is enabling fraud to occur within their four walls.

So far as the new refund policy, Target's response is that this will affect a very small amount of its customers. Chris Serres, Star Tribune, Minneapolis - St. Paul gives Target's rationale for this:

Target officials said the new limits affect fewer than 5 percent of its customers. Shoppers who have bought products with credit cards, debit cards or checks can still return them without receipts, without having to worry about the new limits.

"While we expect the changes to ... impact a very small number of guests, our goal is to minimize losses regardless of amount," said Amy von Walter, a Target spokeswoman.

Law enforcement officials have a different take on this:

Target's practice of not checking the IDs of credit card holders has made it a target for more sophisticated fraudsters, said Brandon Deshler, an officer with the Edina Police Department and a detective with the Minnesota Financial Crimes Task Force, a state law enforcement agency. "There is a real inconsistency here," he said.

Sophisticated fraudsters are becoming the norm with data breaches, carder forums, and do it yourself (DIY) crime kits being marketed via the Internet.

I keep reading about how identity theft is tied into methamphetamine use, but in reality, it might also be tied into heroin use, or any other narcotic that people get addicted to. Addicts often turn to retail crime to support their habits, also.

Before the Internet made sophisticated fraud pretty easy to accomplish, addicts did a lot of shoplifting (boosting) to support their habits.

As time went on, retailers got smarter. They started locking up high value (shrink) merchandise and tightened up their return policies. To get past this, many retail criminals use fraudulent payment devices, which are pretty easy to obtain.

Organized criminals now make their "cut" selling the information and devices to less sophisticated crooks, who do all the dirty work for them. Deals are made on the Internet with a click of a mouse, and these devices are (normally) shipped from foreign sources, where it is hard to identify the criminals behind it.


Fraudulent devices are ordered in chat rooms, paid for by wire transfer or PayPal, and shipped to these (questionably) sophisticated criminals via UPS or FedEx, worldwide. Sometimes, they are shipped in bulk to one location and then redistributed. This is another method used to make tracking these devices to their original source difficult.

Because of the growing availability, retail criminals are using fraudulent payment devices to obtain and then refund merchandise.

If customers using credit cards, debit cards and checks are still allowed to return merchandise without receipts, I'm guessing a lot of refund fraud will still occur.

I wondered how customers, using payment devices (checks, credit cards, debit cards) could get a refund without a receipt? Just to make sure, I called my local Target and told them I lost my receipt from a credit card purchase. I was told to bring my credit card in and they could look up the information.

In light of the many recent data breaches, such as TJX -- where at least 45 million customers were compromised -- this thought scared me. Even if their systems are completely safe (not sure if any really are), does this mean that a dishonest employee could access my information? Employee dishonesty has long been (and still is) a major problem at most businesses.

The best thought out security can be beat by one person with access to it!

One of the systems compromised at TJX was their refund authorization system. Not allowing easy access to personal and financial information, or not maintaining it at all, is the recommended way to prevent data theft.


Besides that, I often wonder how accurate the data is in some of these refund systems. These days, crooks use a lot of other people's information.

Since Target relies on electronic authorization systems (they don't even require their staff to check ID) on credit/debit card transactions, the law enforcement official quoted above might have a very valid concern.

But this isn't the only time I read about this concern in the past week.

An article came out from Washington about an enraged identity theft victim, who after realizing no one was doing anything with her case, decided to beat the pavement (investigate), herself. Working with a reporter, she did her own check of retailers and here is what happened at Target (as reported on KOMOTV.com):


We did the same thing at Target. This time, we included wine in our purchase thinking some stores require an ID check when buying alcohol. At no point during our checkout did the Target clerk even ask to see the credit card. The clerk never asked for an identification check.

In a statement, Target says it does not require its clerks to handle or inspect credit cards.
Instead the store relies on an electronic authorization system where the customer swipes their own credit card through a reader. "Electronic authorization is faster and more accurate than relying on visual inspection or verification of written signatures," says Brie Heath of Target.

Even with these systems, where a customer swipes their own card, a lot of retailers require that the clerk check identification AND inspect the card on signature transactions. In fact, a lot of POS (point-of-sale) systems prompt the customer and the clerk to do so.

Counterfeiting payment cards has become so easy to do that it's now done in garages with hardware that can (unfortunately) be bought over the Internet. Granted, identification can also be counterfeited, but at least visual inspection is going to make it a little harder to commit payment (debit/credit) card fraud.

The truth is that electronic verification systems read data, and in the case of debit and credit card data, it's being transferred (counterfeited) all the time.

Many might ask why Target would rely on an electronic system with so much fraud going on out there? One reason might be that when a card is "swiped" (electronically authorized), it is pretty hard for the bank to charge it back to Target.

When this happens, I'm guessing that Target isn't the one taking the loss, the bank does.


Chargebacks are becoming a huge issue, and many merchants (especially e-commerce merchants) are saying they are unfair to them, also. These merchants claim the rules favor the banks, who are passing off the costs of fraud to them. With the recent TJX data breach, and the realization of how expensive information theft has become, we can expect to see more controversy on this issue.

It's sad that businesses seem to be spending more time going after each other than the criminals behind the activity (my emphasis).

We also need to consider the considerable grief victims go through in this process. Victims can be held liable for losses, have their credit ruined, and are even charged with crimes they didn't commit. Some of these victims are undoubtedly past, present, or future customers.

It's pretty easy for me to understand why law enforcement officials and identity theft victims might be a little frustrated with Target's policies.

There is no doubt that the amount of refund and payment device fraud is growing. Businesses do have the right to protect themselves, but passing the financial loss to another business, and ultimately (all of us) does little to stop the problem. In fact, it might be one of the reasons this type of fraud is growing.


It would be unfair to single out Target on these issues. Other retailers need to be looking at them, also. Retailers are sold expensive security technology and too often (my emphasis) find that someone has figured out a way to exploit it.

Systems get defeated by human beings all the time. The best defense against this is other human beings. Removing human interface from the equation makes it easier to commit fraud (my emphasis).

Star Tribune article, here.

KOMOTV.com article about the identity theft victim doing her own investigation, here.

Wednesday, May 02, 2007

Airline employees and correctional officer arrested for credit card fraud

A lot of payment (credit/debit) card fraud is caused by dishonest employees, who skim the information from cards; or might even simply forget to return them to you. And when they "forget" to return them, it might be intentional!

The New York City District Attorney's Office announced:

Manhattan District Attorney Robert M. Morgenthau announced today the arrest of four JetBlue employees and a New York City Department of Corrections Officer for the unauthorized use of credit cards from Jet Blue customers.

Press release, here.

Pretty scary, that Jet Blue (airline) personnel and a correctional officer, who should be people that can be trusted, seem to have given a black eye to their professions.

I saw this story the day after I had to go back to a Del Taco, who failed to return my card to me. After going to considerable trouble to get my card back (which I should probably cancel), I was amazed that no one apologized to me for what had occurred.

They even charged me for the iced tea I ordered when returning to get the card.

On a more serious note, businesses should always make sure lost payment devices and identification are properly secured. They should only be maintained for a short period of time, then destroyed to prevent someone compromising (using) them.

Many people would be shocked at how often these lost and found items are maintained (sometimes for years) in not very secure places, such as an unlocked drawer.

At least the Del Taco manager did make me show ID to get my card back, but she didn't do very much to make me rave about their customer service. A kind or sympathetic word can do a lot to smooth out an unfortunate situation like this one!

So far as restaurant employees involved in credit card fraud, a lot has been written about this, recently.

Here is my version of what a lot of people have been writing about:

Why it's become TOO easy for restaurant workers to skim payment cards

Please note, it's probably not fair to single out restaurant workers, this can occur at any business that accepts plastic, or even checks.

Saturday, April 28, 2007

While everyone sues TJX, the criminals are laughing all the way to the bank

Here is a great example of why there is so much identity theft. In Ontario, a man and his wife went right back to committing identity theft while on bail for running a payment card (debit/credit card) skimming operation. As you will see, they were by no means small operators.

From newsregiondurham.com, Jeff Mitchell reports:

Hundreds of new charges have been laid against a fraud suspect and his wife after Durham cops busted the two as they allegedly broke his bail conditions.

Police say they found evidence of widespread fraud when they searched the King City home of the man, arrested here last fall in connection with a credit and debit card skimming operation at a north Oshawa gas bar.

One fraud investigator said lists of debit and credit card numbers found in the home amounted to "an encyclopedia" of apparently stolen data.

Here is what they got caught with, while on bail for victimizing (probably) thousands of people:

During the arrest both occupants of the car were found to have counterfeit credit cards in their possession, police said. A subsequent search of their home resulted in the seizure of credit card writing equipment, 200 phoney credit cards and hundreds of pages of credit and debit card data, police said.

Police also seized the BMW, claiming it's proceeds of crime.

I guess no one figured out the BMW was paid for by theft, the first time around?

And meanwhile, lawyers and the banking industry are organizing lawsuits against TJX for their recent data breach.

Unless we start making it dangerous for the criminals to commit financial crimes, the problem will keep growing!

While a lot of people focus on civil remedies, the criminals are laughing all the way to the bank. After all, they aren't being sued. AND the sad truth is that not very many of them are being caught.

The costs of litigation and fraud are both normally passed on to the consumer. Simple economics dictates that if they were not, the business would cease to exist. The fact that the banking industry (which could also be criticized for enabling some of this problem) is behind some of this litigation, bothers me!

Someone once said, "it isn't wise to throw stones when you live in a glass house."

Maybe I should do a few posts about how the banking industry makes it too easy to commit some of these crimes? For starters, we could discuss how easy it has become to counterfeit their payment devices, which is how the information is being turned into cash (what the criminals are after). We could also discuss how little they do to verify information when issuing a credit card, and all the unsolicited offers for credit (which are routinely stolen out of the mail).

Thinking of that, I did a post about how easily criminals can manipulate this:

Ever wonder how well you are protected from credit card fraud?

Another thing to consider is that merchants already bear a lot of the cost of fraud because of chargebacks. This is where the bank charges back the fraud to the merchant. Many merchants feel strongly that they are already bearing the brunt of paying for all the fraud because of this practice.

For more information on this subject, visit Merchant911.org, here.

There is no doubt that the true victims of identity theft deserve compensation, but to me some of this litigation is designed (my emphasis) to pass the buck. As I stated earlier, when the buck is passed, it gets charged to the consumer (in the end), anyway.

When is someone going to start addressing the real problem? The facts are that it's too easy to commit payment card fraud, not very many criminals are getting caught, and when they are -- the consequences are pretty minimal.

Full story from newregiondurham.com (about the crooks out committing crime on bail), here.

Sunday, April 22, 2007

Why it's become TOO easy for restaurant workers to skim payment cards

We seem to be seeing a record amount of credit/debit (payment) card fraud recently. The latest is a $3 million scheme where restaurant servers were recruited to steal their customers' financial information using portable skimming devices, which seem to be easily purchased over the Internet.

Samuel Maull of the Associated Press is reporting:

Thirteen people were indicted Friday on charges stemming from their roles in the credit card fraud, prosecutors said.

The credit card account information was stolen from customers who visited restaurants in Manhattan's Chinatown and other parts of the New York metropolitan area, as well as eateries in Florida, New Hampshire, New Jersey and Connecticut.

Full AP story, courtesy of the Washington Post, here.

The Manhattan DA's site has a lot more information on this case, which reveals most of the defendants appear to have worked in Asian restaurants, were extremely organized and traveled the country buying high-end electronics.

The DA press release shows how they were turning the stolen merchandise into cash, which is the goal of most of these criminals:

THOMAS JUNG, JOON HEE KIM, JUN SHOJI, RICHARD LEE, JENG SEAK LEE, PHIL ANG, ALEX KIM and others in small groups to areas within and outside of New York State to purchase high-end electronics merchandise – such as laptop computers, Sony Play Stations, GPS navigation systems, high-end digital cameras and IPods.


PAO provided each shopper with 20 to 40 counterfeit credit cards with the expectation that each “shopper” would make fraudulent purchases in an amount that averaged $1,000 per counterfeit card. If a “shopper” was provided with 30 counterfeit credit cards, the “shopper” was expected to make $30,000 in fraudulent purchases. PAO made the travel arrangements for the “shoppers,” which included airline flights, car rentals, and hotel rooms for shopping trips in New York, New Jersey, Connecticut, Illinois, California, Oregon, Washington, Ohio, Pennsylvania, and North Carolina.

The “shoppers,” who were paid approximately 15% of the retail value of the merchandise they bought, delivered the merchandise to PAO, who then sold the stolen goods to defendant JOHN DOE. In turn, DOE sold the goods to electronics and computer stores in Queens.

You can read the full press release, here.

Unfortunately, this problem is enabled by portable devices, which are too easy to obtain. A website I found recently (called Hackers Homepage) seems to openly sell everything a wannabe card skimmer would need to do this. They even sell the high-quality card blanks, with the ability to place holograms on them, right over the Internet!

Of note, this site (which I hope is under surveillance) also sells more sophisticated skimming devices designed to be placed on point of sale systems, and advertises other devices and publications that would appear to enable a lot of different financial crimes.

A lot of this stuff can also be purchased on auction sites (like eBay) as demonstrated, here.

Perhaps, if we want to see a decrease in this activity, we need to enact laws that will control some of the technology, which makes it TOO easy for anyone to do.

This along with DIY (do it yourself) auction fraud and phishing kits, also being sold over the Internet, make it too easy for ANY criminal to commit pretty sophisticated crimes.

Throw in carder forums, which sell all the information being stolen, and it is no wonder that this has become a rapidly growing PROBLEM.

The bottom line is that easily purchased technology is making the problem worse, and the problem is spreading so rapidly, law enforcement has a hard time keeping up with it.

This IS NOT a victimless crime, just ask any of the people having their information stolen, or one of the businesses that have lost money from it. Of course, when businesses lose money, they have to raise prices, which means we are all paying for it.

To watch a pretty telling video on YouTube about how restaurant workers skim payment cards, link here.

Friday, March 30, 2007

Did we waste too much time last week blaming TJX for the dark side of the Information Age?

With the (estimated) 45.7 million records being compromised in the TJX breach, everyone seems focused on placing blame on the retail industry.

We seem to quickly forget that others, including institutions of higher learning, the financial services sector and even the government, have been compromised pretty frequently, too. And even though massive data breaches facilitated by hackers make good press, the truth is that information is stolen on a less newsworthy basis, daily.

Brad Dorfman (Reuters) might have put it all in perspective when he wrote:
Consumers who want to be sure about protecting their personal data and preventing identity theft might need to pay solely with cash, shun retailer loyalty programs and only make returns when they have a receipt.

They might also need to stop paying taxes, serving their country and getting an education (my emphasis).

Brad's story about why retailers are one (my emphasis) of the targets, here.

Meanwhile the retail and financial services industries seem on the verge of fighting a battle of who should be (financially) responsible for all of this. Of course in the bigger picture, I can think of a few other industries to push the blame towards, also.

We spend a lot of effort and resources trying to spread out the financial burden of information theft. While this might be enabling some of those concerned (industries starting to point fingers) to keep writing the costs of information theft off, it isn't stopping very many of the facilitators.

I sometimes wonder how much better off we might be if we went after the facilitators more aggressively. Resources to do this are minimal, and if you don't believe me, ask any victim who tried to get something done with their individual case. Even better, ask someone who has the unfortunate job of trying to help some of these victims.

Until we make stealing information harder to do and start punishing the facilitators, problems associated with the dark side of the information age are probably going to continue to carry an ever-growing financial burden.

In the criminal world, the 45.7 million compromised records were yesterday's opportunity. What opportunity are they exploiting right now?

Wednesday, March 21, 2007

(Update: TJX data confirmed as used in Florida Case) Is the information being sold in carder forums being used in organized retail crime?

Underground carder forums (selling personal and financial information) are making it too easy to commit financial crimes. Symantec released a report showing that a credit-card number (with verification number) is sold for as little as $1 to $6. Complete information to take over an identity (government ID, social security number, bank account number, date of birth, etc.) costs about $14 to $18.

Here is an example of how this stolen information might be used by criminals. I happened to run across a good example of this in the News-Press (Southwest Florida):
Six people suspected of using stolen credit cards to purchase an estimated $8 million in WAL-MART and Sam’s Club gift cards were arrested by Gainesville Police in a four-month ongoing investigation, according to a report released Monday by the Florida Department of Law Enforcement.
The bogus credit-cards were being used to purchase high-end electronic merchandise and gift cards.

News-Press story, here.

*Update (3/23/07): An article from InfoWorld is stating that the data used in this scheme is part of the TJX data breach. InfoWorld story, here. It still isn't clear how the culprits obtained the information, or how they had the information made into counterfeit instruments.

Symantec's report covers all the different methods by which information is being stolen. One of the more common methods is referred to as phishing. This normally happens when a person clicks on a link from a spam e-mail sending them to a fake site (requesting personal information).

Note that sometimes the fake sites only ask for your personal and financial details (referred to as social-engineering), but more and more, computers are infected with malware when someone is tricked into clicking on a link they shouldn't have.

Malware records people's personal details (automatically) and sends them back to the scammers.

Symantec's press release on their report, here.

If you are wondering why the retail crooks were buying gift cards, here is a previous post I did on that subject:

Why Buying Gift Cards on Auction Sites isn't a Good Idea

Sunday, March 18, 2007

PIN pads replaced at Wendy's to steal payment card details

More payment cards have been skimmed (financial details hijacked) as a result of PIN pads being replaced. This time the breach occurred at a Wendy's in a busy part of Edmonton, Canada.

A "Bluetooth" device was used in the phony PIN pads to transmit all the card details, using a wireless connection.

The fraud was discovered when a large number of Edmonton cards started showing up with unusual activity in Montreal.

According to the Edmonton Police, about 400 cards have been identified as having been compromised and used (cloned), but there could be more. They also stated that they don't believe there was employee involvement in the scheme.

One person was arrested in Montreal, but the authorities are saying they don't believe this person was a "major player."
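The way this breach surfaced (cards that had all been used in one place later showing unusual activity in another city) is what fraud teams call common point-of-purchase analysis. The sketch below is an added example, not code from the police release or any card issuer; the card ids, merchant names and dates are constructed, and the function name and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

def common_points_of_purchase(transactions, fraud_reports,
                              lookback_days=30, min_cards=3):
    """Rank merchants by how many fraud-reported cards used them in the
    window before each card's first fraudulent use.

    transactions:  iterable of (card_id, merchant, day)
    fraud_reports: dict card_id -> date of first confirmed fraudulent use
    Returns a list of dicts, most likely point of compromise first.
    """
    cards_at = defaultdict(set)      # merchant -> every card seen there
    hit_cards_at = defaultdict(set)  # merchant -> reported cards seen in window
    window = timedelta(days=lookback_days)
    for card, merchant, day in transactions:
        cards_at[merchant].add(card)
        fraud_day = fraud_reports.get(card)
        if fraud_day and fraud_day - window <= day < fraud_day:
            hit_cards_at[merchant].add(card)

    ranked = []
    for merchant, hits in hit_cards_at.items():
        if len(hits) < min_cards:    # one or two cards is coincidence, not a pattern
            continue
        total = cards_at[merchant]
        ranked.append({
            "merchant": merchant,
            "reported_cards": len(hits),
            # A busy merchant shows up on many cards; the share separates
            # "everyone shops there" from "most cards used there went bad".
            "share_reported": round(len(hits) / len(total), 2),
            # Cards used at the same place that have not reported fraud yet.
            "at_risk_cards": sorted(total - set(fraud_reports)),
        })
    ranked.sort(key=lambda r: (r["reported_cards"], r["share_reported"]),
                reverse=True)
    return ranked

# Constructed sample data (not real cards, merchants or dates).
D = date
SAMPLE_TRANSACTIONS = (
    [(c, "Restaurant A (Edmonton)", D(2007, 2, 20 + i))
     for i, c in enumerate(["E1", "E2", "E3", "E4", "E5"])]
    + [(c, "Grocery B (Edmonton)", D(2007, 2, 18))
       for c in ["E1", "E2", "E3", "N1", "N2", "N3", "N4", "N5", "N6", "N7"]]
    + [("E4", "Fuel C (Edmonton)", D(2007, 2, 26))]
)
# First fraudulent use of each reported card (e.g. cash-outs in another city).
SAMPLE_FRAUD = {"E1": D(2007, 3, 5), "E2": D(2007, 3, 6),
                "E3": D(2007, 3, 6), "E4": D(2007, 3, 8)}

if __name__ == "__main__":
    for row in common_points_of_purchase(SAMPLE_TRANSACTIONS, SAMPLE_FRAUD):
        print(row)
```

The `at_risk_cards` list corresponds to the "there could be more" in the police statement: cards used at the suspect location that have not shown fraud yet and can be reissued proactively.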

This activity is probably being accomplished with a device known as a point-of-sale (POS) data logger. The stated legitimate purpose of this device (found on a webpage called hackershomepage.com) is to back up data in case of a power failure. It even advertises that it will capture PIN numbers when they are entered on a keypad.

The advertising jargon for this particular device states:
Once the data is logged, the device can be EASILY AND QUICKLY removed (takes about 2 seconds for installation or removal) from the store POS machine and plugged into another computer where you can download and save the data.
Hackers Homepage (who claims they are the only ones selling these devices) offers them for $395 each. IF you buy 100 of them, they will sell them to you for $9,999 (a savings of $30,000 off retail).

I'm amazed that these devices are for sale right over the Internet. Maybe someone in law enforcement will read this and do a little checking on this e-commerce enterprise.

Recently in Rhode Island (United States), a similar scheme was uncovered at Stop and Shop stores. Four males from California were eventually arrested after employees spotted them tampering with a PIN pad.

Edmonton Police press release, here.

Here is my previous post on the Rhode Island scheme:

Could the arrests in the Stop and Shop data breach indicate a tie to Armenian Mobsters?

Tuesday, March 06, 2007

Ruby Tuesday serves a blow to credit card skimmers

Ruby Tuesday is doing something about credit card fraud. They announced yesterday that they will be introducing an ultra-secure (encrypted) credit card system to protect their customers from fraud.

The AP is reporting:

The system, which is expected to be in all the restaurant chain's 900 locations by April, leaves no credit card information at the restaurant and is instead sent to the bank in encrypted form. The system is said to help prevent identity theft.
Criminals (some say of the organized type) have been targeting a lot of unprotected information, recently. Some of this information is bartered in underground chat rooms set up for this purpose.

Of note, Visa International commented that the new system is fully compliant with PCI data protection standards.

AP story, here.

If you would like to see the sheer volume of recent data breaches, Attrition.org has a chronology, here.

If you would like to see how easy it is for your payment card information to get skimmed at a restaurant - you can view an interesting video, here.

Sunday, November 26, 2006

India Deals with the Problem of Credit/Debit Card Cloning


We read a lot of stories about credit/debit card skimming in the West, but see very few stories about it in other parts of the world.

India, which has become a giant in IT circles, is now being victimized by the problem.

In May, I did a post about cloned credit/debit cards showing up in India. Since then I've had the pleasure of corresponding with a "security person," who is sharing information with me regarding the scope of the problem.

In November, in another case, there were more arrests in three Indian cities - 6 skimmers, laptops, a desktop and cards were seized.

The activity was facilitated with the collusion of waiters and shop-keepers.

According to my "source," more card-skimming has been uncovered and the Indian authorities are hot on its trail. We can probably expect to see a few more criminals arrested in the not-so-distant future.

Until recently, cloned cards were normally sent in the mail from other destination points in Asia.

Recently, the news media was awash with stories of information being compromised at call centers in India. The industry and the government in India have quickly moved to enact legislation to counter this threat.

The stories got a lot of attention (probably because it happened in India), but in reality, information and data breaches are happening (with too much frequency), worldwide.

India seems to be proactive (refreshing) in taking legal measures, which are far more effective than technological countermeasures, to protect its citizens and the industry itself.

Of note, the recent skimming/cloning activity seems to have been introduced by British-based gangs, and the UK is suffering a "large" issue with this type of activity.

Video (interesting) on skimming in India from IBN, here.

Interesting and "informative" discussion about cyber-law in India by Praveen Dalal, here.

Monday, October 23, 2006

Romanian Illegal Immigrants Install ATM (Fraud) Machines

(Older picture of a skimming device)

Illegal immigration isn't a "victimless crime" and the work they are performing doesn't always help the economy. Apparently Romanian illegal immigrants are installing fake ATM fronts - used to steal debit-card details - for the very same criminal organizations that helped them get into the United Kingdom, illegally.

Justin Penrose of the Sunday Mirror (UK) is reporting:

They have developed a high-tech ATM front which looks exactly like the original - and it steals a victim's details in seconds.

The new cashpoint fascia is so convincing that gangs are selling it to other crooks for £10,000 a time.

The covers even have a sticker which warns customers to watch out for fraudsters. When a victim uses an ATM it records details while a camera videos the pin number. Within seconds these details are sent to a laptop and a cloned card is made. Several wealthy Romanian "godfathers" run crooked empires from their mansions in the Balkans.

Sunday Mirror story, here.

The article also states that these new and very convincing ATM fronts are being produced and sold to other criminal organizations.

I wonder how long it will be before this new "skimming device" is exported from the United Kingdom? In the past couple of years, debit-card fraud has become a worldwide problem.

This reminds me that the best defense against ATM skimming is to always cover your PIN when doing a transaction!

Here is a previous post about the growing problem of debit-card fraud:

Debit Card Breaches, A Growing Problem

And here is an older post I did (with pictures) of a skimming device:

ATM Machines That Clone Your Card

If anyone has a picture of one of these new devices, please send it to EdwardDickson@SBCGlobal.net.

Sunday, May 14, 2006

Chip and PIN, Another Chapter in the Attack on Debit Cards

The Daily Mail is reporting that Lloyds is admitting that there is a flaw in chip and PIN technology. The flaw is that the cards can still be remotely encoded and used in ATMs that accept older versions of debit cards.

The article states that the reason criminals are using the cards in other countries is because it takes longer for transactions to post, so the activity escapes the "fraud detection" systems already in place.

Also contained in the article are a lot of reader comments, which are very enlightening.

The bottom line is that chip and PIN works, but only in machines that are set up to deal with the technology. This means that until we can create a "global" effort to curtail debit card fraud, newer technologies are going to have a limited effect.

Link to the article by the Daily Mail, here.

As a "Yank," I'm impressed with the fact that Lloyds is being up front with the problem. It's also refreshing to see the mainstream media working with the banks to get the word out.

Financial institutions in the United States haven't been as forthcoming with information. Even to this day, they still aren't admitting to the root causes of recent debit card breaches over here.

They might claim "zero liability" and offer free "identity theft monitoring," but they are in the business of making money. The cost of all of this is ultimately passed on to the customer.

Even though there were many in the press and on blogs like Boing Boing who were getting the word out, the sources seemed to have been either victims or confidential. I keep hoping to discover that the reason for this was an "investigation" that put a lot of the culprits where they belong: behind bars.

The bottom line is that the criminals seem to be very aware of the flaws that allow this to happen. Being up front about the flaws they are exploiting only serves to protect the public, who through their awareness, might spot the activity and report it.

Awareness might also keep people from becoming victims, which is the best argument out there for laws forcing this activity to be "disclosed" to the public.

Tuesday, May 09, 2006

Fraudster Gangs Deal a Blow to Chip and PIN

Picture of ATM skimming device using a hidden camera.

While North America was under attack in the Debit Card breach a few months ago, Britain rolled out Chip and PIN technology. At the time, the experts promised "Chip and PIN" cards would stop fraud dead in its tracks.

Criminals are already beating this technology with skimming devices, which are mounted on ATM machines. AND it gets even scarier: the latest devices don't need cameras to record a PIN and can be built from parts ordered over the Internet.

Wikipedia already has an extensive section on Chip and PIN. I was amazed to discover that they were very up to date regarding potential security issues.

Chip and PIN is the name given to the initiative in the UK but countries worldwide are launching their own initiatives based on the EMV standard, which is a group effort between Europay, MasterCard and VISA. By the end of 2004, 100 countries will be using compatible systems based on this standard, and France aims to migrate its existing systems to be compatible with the new cards.

Sean Poulter of the Daily Mail reports on the recent Chip and PIN fraud:

Cloned cards belonging to Britons have been used to withdraw more than £1million in cash from machines in the UK, Paris, Sri Lanka, India and Hong Kong.

One card holder is believed to have lost as much as £25,000.

The police and banks have suggested that the problems at Shell petrol stations, which have centered on Surrey, emerged over the last eight weeks.

However, one Daily Mail reader from that area said his card details were cloned - he believes at a Shell outlet - in July last year.

Other readers believe their card details, including PINs, were stolen at garages operated by other companies, including BP and Esso. Cards have also been cloned at cash machines on at least one Total forecourt and at Tesco stores.

Full story, here.

Reading this, I had to reflect on the recent Debit Card breaches in North America. Early in the story, skimming devices were brought up as a potential source. As the compromise spread across the continent, we heard rumors (still never confirmed) that retail systems were hacked. In the end, a few people were arrested and the story faded away.

Quite simply, it seems that the financial industry isn't commenting.

Whether the intention of not commenting is to protect the public, or the financial industry; it is clear that something needs to be done about this in the near term. Hopefully, the lack of information being released on these cases is because a strong investigative effort is underway.

It will be interesting to see what information is released on this latest case and how many more victims this latest caper will claim.

Here is a previous post I did on the Debit Card breach:

Debit Card Breaches, A Growing Problem

Monday, September 19, 2005

ATM Machines That Clone Your Card

I received an e-mail showing how ATM skimming (stealing card information complete with PIN) has become more advanced with the advent of portable devices and wireless technology. Being leery of e-mail, I researched recent articles to validate this activity.

One of the articles I researched was from NewsMax.com by Bruce Mandelblit, which can be seen, here.

Here is the text of the e-mail I received:


"A team of organized criminals are installing equipment on legitimate bank ATM's in at least 2 regions to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM (see photos).

If you see an attachment like this, do not use the ATM and report it immediately to the bank using the 800 number or phone on the front of the ATM."

The equipment used to capture your ATM card number and PIN are cleverly disguised to look like normal ATM equipment. A "skimmer" is mounted to the front of the normal ATM card slot that reads the ATM card number and transmits it to the criminals sitting in a nearby car. At the same time, a wireless camera is disguised to look like a leaflet holder and is mounted in a position to view ATM PIN entries.

The thieves copy the cards and use the PIN numbers to withdraw thousands from many accounts in a very short time directly from the bank ATM."


I also found the pictures of this on Snopes.com. Snopes is a site that reports on urban legends and whether or not they are true. They list this one as true and based on my independent research, I believe they are right. Note that this method is being reported in Europe, South America, North America and Asia.

When going to this site, I also realized that the author of the e-mail had obtained their information from Snopes. Please note, Snopes claims to have gotten their information from the internet, also.

Snopes post, here.

This activity has been around for a few years. In the past, it was primarily done in small retailers, where the skimming device was behind the counter and the camera was over the keypad. It was also done by setting up ATM machines that were completely fake. It's always a GOOD IDEA to conceal your actions when entering your PIN. When you do this, the camera doesn't record your PIN number and they can't clone your card.

I've written a little about this phenomenon (skimming), which I update every so often. All the posts can be viewed, here.

Here is a picture of an ATM machine after being compromised.

They attach a device over the card slot on the legitimate ATM, which reads the magnetic information. Using the latest wireless technology, it is normally transmitted to fraudsters in a nearby vehicle.

Your ATM is protected by a PIN, but these criminals have a solution for this too. They install a hidden camera, again using the latest technology (wireless) and the PIN is digitally recorded.

Here is a picture of the compromised ATM with the camera installed.