X9.59 mailing list


x959 Postings and Posting Index,
next, previous - home



credit card & gift card fraud (from today's comp.risks)
High-tech Thieves Snatch Data From ATMs (including PINs)


credit card & gift card fraud (from today's comp.risks)

Refed: **, - **, - **, - **, - **, - **, - **
From: Lynn Wheeler
Date: 01/10/2002 01:13 PM
To: ansi-epay@xxxxxxxx,
cryptography@xxxxxxxx, dcsb@xxxxxxxx
Subject: credit card & gift card fraud (from today's comp.risks).
other postings and recent info from comp.risks:


https://www.garlic.com/~lynn/aadsm9.htm#carnivore3 Shades of FV's Nathaniel Borenstein: Carnivore's "Magic Lantern"
https://www.garlic.com/~lynn/2002.html#19 Buffer overflow
https://www.garlic.com/~lynn/2002.html#20 Younger recruits versus experienced veterans ( was Re: The demise of compa
https://www.garlic.com/~lynn/2002.html#35 Buffer overflow
https://www.garlic.com/~lynn/2002.html#37 Buffer overflow
https://www.garlic.com/~lynn/2002.html#39 Buffer overflow

========================================================

Date: Mon, 07 Jan 2002 20:07:25 -0500
From: David Farber <dave@xxxxxxxx>
Subject: Credit-card cloners' $1B scam

Homemade machines costing about $50 are being used to read credit-card mag-stripes, without having to steal the cards. The information is then e-mailed abroad, where cloned cards are fabricated. This has become a billion-dollar-a-year enterprise.

[PGN-ed from Monty Solomon's e-mail to Dave's IP, subtitled Terrorists, mobsters in on hacking racket, by William Sherman, NY Daily News
http://www.nydailynews.com/today/News_and_Views/City_Beat/a-137421.asp

[The gadget was first demonstrated in maybe 1960s at Caltech as part of a demo on how poor the mag-striped credit cards were. In spite of that, they won. Dave]

------------------------------

Date: Sat, 29 Dec 2001 09:59:00 -0600
From: Tim Christman <tjc@xxxxxxxx>
Subject: Mag-stripes on retail gift cards

Here's a link to an article on MSNBC that I found interesting --
http://www.msnbc.com/news/598102.asp?0dm=C216T&cp1=1

Many retailers are replacing paper gift certificates with small plastic cards containing magnetic stripes, similar to credit cards. Ideally, the purchase of a gift card would result in a database being updated to reflect the balance associated with the card's unique account number.

Some retailers are using sequential account numbers and have no provisions to protect against a thief using a mag-stripe reader/writer to re-program a stolen card or small denomination card so that it matches the account number of a larger valued card purchased by someone else. Many retailers even provide a convenient 1-800 number so that the thief, knowing many valid account numbers, can "shop" for a card of significantly greater value.

The RISK: A form of fraud, difficult to trace, involving a minimal investment in equipment by the thief. Also note that the thief only requires the ability to query the back-end database (through the toll-free number), not the ability to manipulate the records. Perhaps more ominously, the risk is angry family members who find a zero balance on their gift cards!

Solutions: One retailer, mentioned in the article, uses optical bar-coding which can't be re-encoded without defacing the card. Another follows a technique used by many credit card companies -- extra check digits are included in the mag-stripe that are not visible on the face of the card. It seems astounding that this isn't being done by all.

------------------------------


High-tech Thieves Snatch Data From ATMs (including PINs)

Refed: **, - **, - **, - **, - **, - **, - **, - **
From: Lynn Wheeler
Date: 01/10/2002 03:29 PM
To: ansi-epay@xxxxxxxx
Subject: High-tech Thieves Snatch Data From ATMs (including PINs)
some previous skimming related postings:
https://www.garlic.com/~lynn/aepay6.htm#ccfraud2 "out of control credit card fraud"
https://www.garlic.com/~lynn/2001f.html#40 Remove the name from credit cards!
https://www.garlic.com/~lynn/aadsm10.htm#risks credit card & gift card fraud (from today's comp.risks)
https://www.garlic.com/~lynn/aadsm6.htm#digcash IP: Re: Why we don't use digital cash
https://www.garlic.com/~lynn/aadsm6.htm#terror12 [FYI] Did Encryption Empower These Terrorists?
https://www.garlic.com/~lynn/aadsm6.htm#pcards2 The end of P-Cards? (addenda)
https://www.garlic.com/~lynn/aadsm7.htm#idcard2 AGAINST ID CARDS

==================================


http://dailynews.yahoo.com/htx/abc/20020110/bs/atmfraud020110_1.html

Thursday January 10 03:26 PM EST

High-tech Thieves Snatch Data From ATMs By Paul Eng ABCNEWS.com

Thieves can steal an account number from an ATM or debit card, and secret pin.

At the corner market, the skim is in the refrigerated milk - and perhaps in the store's cash-dispensing ATM.

But this particular "skim" isn't good for customers since it involves the poaching of an unsuspecting consumer's bank card data.

Thieves have found a way to steal not only someone's account number from an ATM or debit card but also the person's seemingly secret personal identification number. With this double dose of information, thieves can electronically rob unsuspecting victims of their cash.

The scam has been reported in New York, Florida, California and points in Canada.

The cybercrooks' technique is so clandestine that consumers often don't know that they've become victims until they check their monthly bank statements - or when checks start to inexplicably "bounce" due to lack of available funds.

Suddenly Sapped of Cash

Chris Lundie, a 28-year-old market surveillance analyst with a Wall Street investment firm, was one such victim.

Last month, Lundie and his fiancée checked their bank account online in preparation to pay their Manhattan apartment rent. But, they noticed two odd withdrawals - for $500 and $600 - made within hours of each other at bank ATMs in Flushing, Queens.

"At first we questioned how this happened," says Lundie. "We don't work in Queens and we've never been to those ATMs."

After calling his bank to stop further activity on the account, Lundie called his local police precinct and discovered that he was the latest victim of a high-tech crime ring that may have been targeting automatic teller machine users for more than a year.

Detectives with New York City Police Department's Special Fraud Unit wouldn't comment on the "ongoing investigation" into the ring. But according to a recent report in the New York Post , the thieves may have stolen as much as $1.5 million. Authorities told the Post they suspected the scam was the work of the Russian mafia.

Snatching Data Clandestinely

Law enforcement officials did not disclose how the ring operated, but industry sources gave ABCNEWS a hint at how the ring might have stolen money from unsuspecting victims.

According to one source, the thieves may have targeted non-bank ATMs - the stand-alone cash dispensers found at local grocers, bodegas, gas stations, and shopping mall food courts. The machines are rigged with tiny devices that can read a debit card's magnetic stripe as it is run through the ATM's built-in reader. A special "logic board" or cover is placed over the ATM's keypad and records when users enter their four-digit PIN codes.

Both the card's magnetic data and the user's PIN information are stored in a separate memory module. The thieves retrieve the memory module and, using commercially available computer technology, encode the stolen information onto their own blank cards. These "cloned" debit cards can then be used with the captured PIN to withdraw money from the victims' accounts using other ATMs.

Con artists have targeted debit cards and ATMs in the past in a variety of scams. Most schemes, such as the so-called Lebanese Loop, are fairly simple.

In that scam, robbers would purposely rig the card slot of the ATM to physically capture a person's bank card. The scammer, posing as a good Samaritan, would then suggest that the victim repeatedly enter their secret PIN code in order to recover the stuck card from the machine. When the effort fails, the victim often walks away - leaving the con artist to retrieve the card and use it with the now-disclosed PIN code.

ATMs: Tempting Targets

Experts believe that the thieves may have targeted non-bank ATMs for several reasons.

For one, non-bank ATMs are typically owned and maintained by independent operators who may not know that such skimming devices are being added and removed from their cash dispensers.

Most of these stand-alone ATMs also lack built-in surveillance cameras and are placed in locations that aren't monitored closely, leaving police with very little evidence to work with during their investigations.

Crafting Countermeasures

Rob Evans, marketing director for NCR, a leading ATM supplier, says the industry has developed several technologies that can defeat these clandestine card skimming setups. ATMs supplied to NCR's bank customers, for example, can be equipped with enhanced card readers that can scramble the card's data as it's being read.

"When a user puts his card in, it jitters the electronic signals so it can't be picked up by a nearby illegal card reader," says Evans.

The banking industry is also looking into other high-tech measures such as using software encryption and so-called smart cards that store data on hard-to-duplicate microprocessors.

But industry officials such as Evans admits that it's a tough race against cybercriminals. "You do what you can to make the ATM as unappealing as you can to folks that want to use it for criminal purpose," says Evans. But as ATMs - especially stand-alone versions - proliferate, "The bad guys are going to keep coming at these things as quickly as they can."

Enduring Losses and Lessons

And that's disheartening news for both consumers and the financial institutions that absorb the estimated billions of dollars annually lost to bank card fraud.

Citigroup and J.P. Morgan & Chase - two of the largest institutions reportedly stung hard by this latest ring of thieves - wouldn't comment on the amount lost in the latest scam. But Mark Rodgers, spokesman for Citigroup, says, "No [customer] funds were at risk and we regret any inconvenience that may have resulted [from this crime]." Rodgers also says, "We've worked with customers to resolve the issues on their account."

And that's good news for consumers such as Lundie. His undisclosed financial institution restored the stolen funds to his account in about two weeks. After all, "$1,100 is a lot of money living in [New York] City," he says.

Still, he and his fiancée are keeping a close eye on their new account. And he says: "I definitely make more of an attempt to use a bank ATM."



x959 Postings and Posting Index,
next, previous - home