Fraud and Scam News


Online Security Measures: Busting of Int’l scam brings into the open dismal security arrangements of Mega Stores


Photo by: jaycoxfilm

In 2006, it was TJ Maxx. Last year, it was the Hannaford Bros. hack-in that alarmed shoppers. Now, police have revealed that a major credit card fraud was going on at the 50-location Dave & Buster’s restaurant chain between April and September last year. Police arrested three individuals separately after investigating complaints regarding card fraud.

While Maksym Yastremskiy (aka Maksik), a Ukrainian national, was held in Turkey, Aleksandr Suvorov (aka jonnyhell), from Estonia, was detained in Germany. Albert Gonzalez, who allegedly made the program that hacked into the store’s network, was arrested sometime in the last two weeks. Yastremskiy, said to be one of the largest resellers of stolen identities online, has been on the police radar for a while. The trio are alleged to have intercepted customer credit card data at POS terminals in different store locations while it was on its way to company headquarters.

The TJ Maxx fraud, it is now estimated, put 94 million accounts at risk! The Hannaford fraud was said to have compromised the identities of 4.2 million customers. In the Dave & Buster’s case, fraudsters are claimed to have stolen 5000 identities from its New York store alone. They are alleged to have amassed $600,000 using 675 identities from this kitty of stolen identities. The numbers are sure to get larger as the official investigation runs its course.

Dismal Online Security Measures in place

The busting of the third major case in the last three years prompts one to ask whether superstores and mega marts really care a fig for their network security. It appears to show a lackadaisical approach to protecting confidential customer data.

Roger Nebel, a professional PCI DSS auditor and consultant, concluded in a news report:

“There’s nothing new here. Dave & Buster’s was deficient in its security.”

The hack-in should not have been so easily accomplished.

It took only decade-old technology and programming skills of the level taught in universities to dismantle the security of a network that was supposed to be professional. Moreover, Gonzalez’s program itself was said to be amateurish and was beset with problems from the start. It initially refused to work at all. Later on, even when it executed, it failed to restart whenever the POS terminals on which it was lodged rebooted.

Credit card data is notorious for its vulnerabilities. The data, which is recorded in the magnetic stripe at the back of the cards, is vulnerable because it is stored in an unencrypted form and in plain text. This makes it easy to copy and reload onto fake credit cards, which can then be used to make purchases on the stolen card accounts.

Stores do not usually resort to physical verification of the card each time it’s presented. Staff manning the counters usually match the name on the credit card against the name on the driving license of the person who presented the card. Fraudsters can handle this easily by loading stolen data onto a fake card carrying their own name.

Significantly, cards record only three details: card account number, PIN and expiry date. This means personal information of card holders like name, address, or, perhaps, the answer to a security question can be used to verify whether the card is being used by the original card holder or not.

Online stores use a system based on this technique, called the Address Verification System (AVS), to verify online transactions. However, the system has shown several faults ever since it was introduced. It is estimated to work 35% of the time and is known to give a considerable number of false warnings. This can have the effect of turning a customer away from the business altogether.

Experts recommend a layered approach to network security. They endorse using more than one system to secure a network. While, I think, this may cause a bit of hassle in a practical situation, it is any day better than being burgled of your hard-earned money right under your nose.

Source: Brian Krebs Blog (Washington Post)


One Response to “Online Security Measures: Busting of Int’l scam brings into the open dismal security arrangements of Mega Stores”

  1. 1
    Cindy Malony:

    Do you know of a company that hires to check out information about companies, I received 6,000.00 in Cashier Checks and 300.00 in Money Orders. I was on the news to let the elderly and others know not to fall for the scam.

    I was smart enough to call about the cashier checks, took the Money Orders to the post office and they said they are getting better at making fake ones. I receive emails everyday from companies wanting me to cash checks and I keep 10%. I sent all information I had to the Attorney General in IL.

    I would like to work as a scam buster.

    Thanks
    Cindy Malony
