Fraud and Scam News

Photo by: jaycoxfilm

In 2006, it was TJ Maxxx. Last year, it was the Hannaford Bros hack-in that alarmed shoppers. Now, police have revealed that a major credit card fraud was going on at the 50-location strong Dave and Buster restaurants, between April and September last year. Police arrested three individuals separately after investigating into complaints regarding card fraud.

While Maksym Yastremskiy (aka Maksik), a Ukrainian national, was held in Turkey, Aleksandr Suvorov (aka jonnyhell), from Estonia was detained in Germany. Albert Gonzalez, who allegedly made the program that hacked into the store’s network, was arrested sometime in the last two weeks. Yastremskiy, said to be one of the largest reseller of stolen identities online, has been on the police radar for a while. The trio, are alleged to have waylaid customer credit card data at POS terminals in different store locations when it was on its way to company headquarters.

The TJ Maxxx fraud, it is now estimated, put 94 million accounts at risk! The Hannaford fraud was said to have compromised identities of 4.2 million customers. In the Dave and Buster case, fraudsters are claimed to have stolen 5000 identities from its New York store alone. They are alleged to have amassed $600,000 using 675 identities from this kitty of stolen identities. The numbers are sure to get larger as the official investigation travels its course.

Dismal Online Security Measures in place

Busting of the third major case in the last three years prompts one to ask whether superstores and mega marts really care a fig for their network security. It appears to show a lackadaisical approach in providing cover for confidential customer data.

Roger Nebel, a professional PCI DSS auditor and consultant, concluded in a news report

“There’s nothing new here. Dave & Buster’s was deficient in its security.”

The hack-in should not have been so easily accomplished.

It only took decade-old technology and programming skill-levels taught in universities to dismantle the security of a network that was supposed to be professional. Moreover, Gonzalez’s program itself was said to be amateurish and was beset with problems from the start. It initially refused to work at all. Later on, even when it executed, it failed to restart whenever the POS terminals where it was lodged, rebooted.

Credit card data is notorious for its vulnerabilities. The data, which is recorded in the magnetic stripe at the back of the cards, is vulnerable because it is stored in an unencrypted form and in plain text. This makes them easy to be copied and reloaded onto fake credit cards, which can then be used to make purchases on the stolen card accounts.

Stores do not usually resort to physical verification of the card each time it’s presented. Staff manning the counters usually match names mentioned in the credit card and in the driving license of the person who presented the card. Fraudsters can handle this easily by taking stolen data out on a fake card carrying their name.

Significantly, cards record only three details: card account number, PIN and expiry date. This means personal information of card holders like name, address, or, perhaps, the answer to a security question can be used to verify whether the card is being used by the original card holder or not.

Online stores use a system based on this technique called Address Verification System (AVS) to verify online transactions. However, the system has shown up several faults ever since it was introduced. It is estimated to work 35% of the time and is known to give a considerable number of false warnings. This can have the effect of a customer turning away from the business altogether.

Experts recommend a layered approach to network security. They endorse using more than one system to secure a network. While, I think, this may cause a bit of hassle in a practical situation, it is any day better than being burgled of your hard-earned money right under your nose.

Source: Brian Krebs Blog (Washington Post)

Related posts:

1. Card Skimming: Herkimer Police seem to have netted a big one
2. ThreatSeeker to help Websense products grow more teeth
3. Smart employees help police catch identity thieves
4. EPPICard Scam Wants You to Pour Out Your Social Security Benefits Down its Throat!
5. New online payment systems: Banks wary of backing them