Posts

Carders cashing out on Magstrip Cards

Two thousand credit card payment terminals stand to become infected with malware called Trinity point of sales.

2CTen million credit cards were stolen by hackers, called Fin6, who may end up scoring $400 million. The cards were stolen from retail and hospitality businesses. If each card sells for $21 on secret carder shops, you can see how the hackers will rake in hundreds of millions of dollars.

As you may know, the U.S. is gradually switching over to chip cards. But it will be a while—a very long while—before magnetic strip cards are non-existent in America. Until then, these types of cards remain a favorite target for cyber thieves.

The methods that Fin6 used are technical, but suffice it to say, these hackers are pros. At this point, there has not been any way to stop this hacking group.

This is yet another example of the inherent vulnerability of the magnetic strip card, which, unlike in other industrialized nations, continues to be the main type of credit card in use in the U.S.

Protect yourself:

  • Go to “alerts/notifications” at your bank/cards website and sign up for emails/texts for every charge made.
  • Download your bank/cards mobile app and sign up for emails/texts for every charge made.
  • Check your statements frequently.
  • Federal law protects you from unauthorized charges made with your credit card number but you still have to dispute the charges.
  • In the event the credit card is in a thief’s hands, you’ll be liable, but only for a maximum of $50, provided you report the problem to the credit card company. However, in many cases a “zero liability” policy may kick in.
  • Debit cards fall under a different federal law than credit cards. Regulation E, the Electronic Fund Transfer Act, says after two days, you could be liable for up to $50. After 2 days liability jumps to 500.00. Beyond 60 days, you could be liable for all unauthorized transactions. Otherwise, federal rules are on the bank’s side.
  • Beyond 60 days, there’s likelihood you’ll never see your money again.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Top 5 Vishing Techniques

“Vishing” occurs when criminals call victims on the phone and attempt to lure them into divulging personal information that can be used to commit identity theft.

The name comes from “voice,” and “phishing,” which is, of course, the use of spoofed emails designed to trick targets into clicking malicious links. Instead of email, vishing generally relies on automated phone calls, which instruct targets to provide account numbers.

Vishing techniques include:

Wardialing: This is when the visher uses an automated system to call specific area codes with a message involving local or regional banks or credit unions. Once someone answers the phone, a generic or targeted recording begins, requesting that the listener enter bank account, credit, or debit card numbers, along with PIN codes.

VoIP: Voice over Internet Protocol, or VoIP, is an Internet-based phone system that can facilitate vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing. VoIP has known flaws that allow for caller ID spoofing. These tools are typically used to populate the caller ID with a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One time and tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once the visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams, educate yourself. Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to be up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to be coming from a trusted organization, call that entity directly to confirm their request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

How Much Longer Does the Magstripe Have?

Every U.S.-based credit card has a magnetic stripe on the back. This stripe can be read and rewritten like a rewritable burnable CD, using card burners that are easily available online.

The simplicity of the magstripe’s design, coupled with the availability of card reading and writing technology, results in billions of dollars in theft and fraud.

EAST, the European ATM Security Team, recently released European ATM crime statistics for January through June of 2010. Apparently, skimming at European ATMs increased by 24%, with 5,743 attacks reported in the first six months of 2010, compared with 4,629 during the same period in 2009. There haven’t been so many skimming attacks since EAST began measuring these statistics in 2004.

During this same time frame, however, while incidents of skimming have risen, the associated financial losses have dropped. This is because the cards being skimmed have an additional layer of security known as chip and PIN technology, or EMV, which stands for Europay MasterCard Visa.

But because these cards still have magnetic stripes, they are still being skimmed. The stripe is there for the convenience of cardholders who travel to the United States or the handful of other countries that still rely on the magstripe technology. Chip and PIN cards without magstripes are standard in Europe.  As skimming continues, the issue of whether to discontinue the magstripe is bound to come to a head. The European Central Bank’s most recent progress report states:

“In line with Europol’s stance on the future of the magnetic stripe and in support of the industry’s efforts to enhance the security of cards transactions by migrating from the “magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards.”

In the United States the United Nations Federal Credit Union has adopted  chip and PIN technology and Walmart is demanding it. Further, Travelex, the world’s largest non-bank foreign exchange currency provider, introduced America’s first prepaid foreign “currency cards” available in Euros and British Pounds that utilizes chip & PIN technology.  And based on what is happening in Europe, change is in the air.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)