Fraud techniques revealed in recent debit card case

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft.  The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to credit card processing companies and conducted what hackers term ÔÇ£unlimited operationÔÇØ.┬á Unlimited operation is an attack where debit cards account balances and withdrawal limits are removed.┬á In this case, attackers performed unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and pins to groups around the world.┬á These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATM machines.

I have spoken of the increase in coordination of cyber-attacks many times and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City.  A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks.  Anomalous behavior monitoring is valuable no matter where the next attack comes from and it is useful in other industries as well.

POS vulnerabilities via Dexter malware

Security researchers have identified a new malware called Dexter that specifically targets Point of Sale (POS) systems such as cash registers and scanning stations to obtain credit card numbers.  As of December 12, 2012, Dexter had infected systems in 40 different countries with the majority of infected systems residing in North America and the United Kingdom.  The malware infected machines a few months ago, just in time to steal data from many of the holiday shoppers.

Dexter steals credit card data by recording downloaded files from the POS device and retrieving information from memory.  More specifically, it looks for Track 1 or Track 2 data which is read by most POS devices and contains the account holder name, account number and security code for a credit card.  The malware stores the data and sends it in batches every five minutes to the malware operator who can then use it to make false purchases or clone credit cards.

Malware researchers are still trying to determine how Dexter is infecting POS systems but POS owners are not defenseless.  They can protect themselves from the malware by using devices that encrypt the credit card data from the point at which the card is scanned through the processing stage in what is known as Point-to-Point Encryption (P2PE).  P2PE encrypts the data before it is placed in memory and Dexter is currently unable to decrypt the data so P2PE effectively stops Dexter from harvesting credit card numbers on the POS device.

Fraud Alert: OscarÔÇÖs Exotic Fish

Last month my fish tank sprung a leak.┬á┬á I have a 75 gallon bow front aquarium so it made quite a mess.┬á I managed to save most of the fish; praise the Lord!┬á When the water settled and my floor was mopped, I began looking for a fish tank that would not break a seal like that.┬á I decided to get an acrylic aquarium without seals to break.┬á The only mistake I made was in my choice of stores.┬á OscarÔÇÖs Exotic Fish had the lowest price on the net but the worst service.┬á I ordered my aquarium on November 22 but by December 17, my aquarium still had not arrived.┬á My fish had been living in a quarantine tank for weeks and I was seriously concerned for their health.┬á In the mean time, I received my credit card bill to find that Oscar had billed me three times for an aquarium that never arrived.┬á I tried contacting Oscar right away.┬á First I emailed him and then called him.┬á I called him every day for a few days without a response.┬á I finally called my credit card and disputed the three payments.┬á I will not tolerate that kind of service.┬á Oscar, you should be ashamed of yourself.┬á

So how does the story end?  I ordered a different tank from Truly the Best and I am currently waiting for it to arrive.  I emailed them before placing the order and they verified that it will arrive in 14 to 21 days.  It is quite a beauty of a tank.  It is a 90 gallon SeaClear System 2.  It is all acrylic and it has a built in wet/dry biological filtration system built into the back of the aquarium.  The tank has a 350gph submersible pump so it is very quiet and the bio balls should keep the tank water very clean.  I will put my 200W compact lighting on top of it.  I am so excited. 

Fishtank9 Fishtank8 Fishtank7 Fishtank6 Fishtank5 Fishtank4 Fishtank3 Fishtank2 Fishtank1

[Edit]  The tank arrived last week and I got it all conditioned.  The fish were moved over yesterday.  Here are some pictures.  The tank looks great and the fish love it.