X9.59 mailing list
x959 Postings and Posting Index,
- credit card & gift card fraud (from today's comp.risks)
- High-tech Thieves Snatch Data From ATMs (including PINs)
credit card & gift card fraud (from today's comp.risks)
Refed: **, - **, - **, - **, - **, - **
From: Lynn Wheeler
Date: 01/10/2002 01:13 PM
Subject: credit card & gift card fraud (from today's comp.risks).
other postings and recent info from comp.risks:
http://www.garlic.com/~lynn/aadsm9.htm#carnivore3 Shades of FV's Nathaniel Borenstein: Carnivore's "Magic Lantern"
http://www.garlic.com/~lynn/2002.html#19 Buffer overflow
http://www.garlic.com/~lynn/2002.html#20 Younger recruits versus experienced veterans ( was Re: The demise of compa
http://www.garlic.com/~lynn/2002.html#35 Buffer overflow
http://www.garlic.com/~lynn/2002.html#37 Buffer overflow
http://www.garlic.com/~lynn/2002.html#39 Buffer overflow
Date: Mon, 07 Jan 2002 20:07:25 -0500
From: David Farber <dave@xxxxxxxx>
Subject: Credit-card cloners' $1B scam
Homemade machines costing about $50 are being used to read credit-card
mag-stripes, without having to steal the cards. The information is then
e-mailed abroad, where cloned cards are fabricated. This has become a
[PGN-ed from Monty Solomon's e-mail to Dave's IP, subtitled Terrorists,
mobsters in on hacking racket, by William Sherman, NY Daily News
[The gadget was first demonstrated in maybe 1960s at Caltech as part of a
demo on how poor the mag-striped credit cards were. In spite of that, they
Date: Sat, 29 Dec 2001 09:59:00 -0600
From: Tim Christman <tjc@xxxxxxxx>
Subject: Mag-stripes on retail gift cards
Here's a link to an article on MSNBC that I found interesting --
Many retailers are replacing paper gift certificates with small plastic
cards containing magnetic stripes, similar to credit cards. Ideally, the
purchase of a gift card would result in a database being updated to reflect
the balance associated with the card's unique account number.
Some retailers are using sequential account numbers and have no provisions
to protect against a thief using a mag-stripe reader/writer to re-program a
stolen card or small denomination card so that it matches the account number
of a larger valued card purchased by someone else. Many retailers even
provide a convenient 1-800 number so that the thief, knowing many valid
account numbers, can "shop" for a card of significantly greater value.
The RISK: A form of fraud, difficult to trace, involving a minimal
investment in equipment by the thief. Also note that the thief only
requires the ability to query the back-end database (through the toll-free
number), not the ability to manipulate the records. Perhaps more ominously,
the risk is angry family members who find a zero balance on their gift
Solutions: One retailer, mentioned in the article, uses optical bar-coding
which can't be re-encoded without defacing the card. Another follows a
technique used by many credit card companies -- extra check digits are
included in the mag-stripe that are not visible on the face of the card. It
seems astounding that this isn't being done by all.
High-tech Thieves Snatch Data From ATMs (including PINs)
Refed: **, - **, - **, - **, - **, - **, - **
From: Lynn Wheeler
Date: 01/10/2002 03:29 PM
Subject: High-tech Thieves Snatch Data From ATMs (including PINs)
some previous skimming related postings:
http://www.garlic.com/~lynn/aepay6.htm#ccfraud2 "out of control credit card fraud"
http://www.garlic.com/~lynn/2001f.html#40 Remove the name from credit cards!
http://www.garlic.com/~lynn/aadsm10.htm#risks credit card & gift card fraud (from today's comp.risks)
http://www.garlic.com/~lynn/aadsm6.htm#digcash IP: Re: Why we don't use digital cash
http://www.garlic.com/~lynn/aadsm6.htm#terror12 [FYI] Did Encryption Empower These Terrorists?
http://www.garlic.com/~lynn/aadsm6.htm#pcards2 The end of P-Cards? (addenda)
http://www.garlic.com/~lynn/aadsm7.htm#idcard2 AGAINST ID CARDS
Thursday January 10 03:26 PM EST
High-tech Thieves Snatch Data From ATMs
By Paul Eng ABCNEWS.com
Thieves can steal an account number from an ATM or debit card, and
At the corner market, the skim is in the refrigerated milk - and
perhaps in the store's cash-dispensing ATM.
But this particular "skim" isn't good for customers since it involves
the poaching of an unsuspecting consumer's bank card data.
Thieves have found a way to steal not only someone's account number
from an ATM or debit card but also the person's seemingly secret
personal identification number. With this double dose of information,
thieves can electronically rob unsuspecting victims of their cash.
The scam has been reported in New York, Florida, California and points
The cybercrooks' technique is so clandestine that consumers often
don't know that they've become victims until they check their monthly
bank statements - or when checks start to inexplicably "bounce" due to
lack of available funds.
Suddenly Sapped of Cash
Chris Lundie, a 28-year-old market surveillance analyst with a Wall
Street investment firm, was one such victim.
Last month, Lundie and his fiancée checked their bank account online
in preparation to pay their Manhattan apartment rent. But, they
noticed two odd withdrawals - for $500 and $600 - made within hours of
each other at bank ATMs in Flushing, Queens.
"At first we questioned how this happened," says Lundie. "We don't
work in Queens and we've never been to those ATMs."
After calling his bank to stop further activity on the account, Lundie
called his local police precinct and discovered that he was the latest
victim of a high-tech crime ring that may have been targeting
automatic teller machine users for more than a year.
Detectives with New York City Police Department's Special Fraud Unit
wouldn't comment on the "ongoing investigation" into the ring. But
according to a recent report in the New York Post , the thieves may
have stolen as much as $1.5 million. Authorities told the Post they
suspected the scam was the work of the Russian mafia.
Snatching Data Clandestinely
Law enforcement officials did not disclose how the ring operated, but
industry sources gave ABCNEWS a hint at how the ring might have stolen
money from unsuspecting victims.
According to one source, the thieves may have targeted non-bank ATMs -
the stand-alone cash dispensers found at local grocers, bodegas, gas
stations, and shopping mall food courts. The machines are rigged with
tiny devices that can read a debit card's magnetic stripe as it is run
through the ATM's built-in reader. A special "logic board" or cover is
placed over the ATM's keypad and records when users enter their
four-digit PIN codes.
Both the card's magnetic data and the user's PIN information are
stored in a separate memory module. The thieves retrieve the memory
module and, using commercially available computer technology, encode
the stolen information onto their own blank cards. These "cloned"
debit cards can then be used with the captured PIN to withdraw money
from the victims' accounts using other ATMs.
Con artists have targeted debit cards and ATMs in the past in a
variety of scams. Most schemes, such as the so-called Lebanese Loop,
are fairly simple.
In that scam, robbers would purposely rig the card slot of the ATM to
physically capture a person's bank card. The scammer, posing as a good
Samaritan, would then suggest that the victim repeatedly enter their
secret PIN code in order to recover the stuck card from the
machine. When the effort fails, the victim often walks away - leaving
the con artist to retrieve the card and use it with the now-disclosed
ATMs: Tempting Targets
Experts believe that the thieves may have targeted non-bank ATMs for
For one, non-bank ATMs are typically owned and maintained by
independent operators who may not know that such skimming devices are
being added and removed from their cash dispensers.
Most of these stand-alone ATMs also lack built-in surveillance cameras
and are placed in locations that aren't monitored closely, leaving
police with very little evidence to work with during their
Rob Evans, marketing director for NCR, a leading ATM supplier, says
the industry has developed several technologies that can defeat these
clandestine card skimming setups. ATMs supplied to NCR's bank
customers, for example, can be equipped with enhanced card readers
that can scramble the card's data as it's being read.
"When a user puts his card in, it jitters the electronic signals so it
can't be picked up by a nearby illegal card reader," says Evans.
The banking industry is also looking into other high-tech measures
such as using software encryption and so-called smart cards that store
data on hard-to-duplicate microprocessors.
But industry officials such as Evans admits that it's a tough race
against cybercriminals. "You do what you can to make the ATM as
unappealing as you can to folks that want to use it for criminal
purpose," says Evans. But as ATMs - especially stand-alone versions -
proliferate, "The bad guys are going to keep coming at these things as
quickly as they can."
Enduring Losses and Lessons
And that's disheartening news for both consumers and the financial
institutions that absorb the estimated billions of dollars annually
lost to bank card fraud.
Citigroup and J.P. Morgan & Chase - two of the largest institutions
reportedly stung hard by this latest ring of thieves - wouldn't
comment on the amount lost in the latest scam. But Mark Rodgers,
spokesman for Citigroup, says, "No [customer] funds were at risk and
we regret any inconvenience that may have resulted [from this crime]."
Rodgers also says, "We've worked with customers to resolve the issues
on their account."
And that's good news for consumers such as Lundie. His undisclosed
financial institution restored the stolen funds to his account in
about two weeks. After all, "$1,100 is a lot of money living in [New
York] City," he says.
Still, he and his fiancée are keeping a close eye on their new
account. And he says: "I definitely make more of an attempt to use a
x959 Postings and Posting Index,