Monday, December 22, 2008

Skim Milks Bank Accounts Dry

I don't know how good of an idea it is to print stories like this.  Law enforcement is, in essence, admitting that these types of crimes are very difficult to solve. 

Criminal minds have to be thinking that, compared to robbing a bank, for example, skimming seems to provide less danger (non-violent), a higher take (not many bank robberies result in an $800k purse), and a lower risk of getting caught. Scary thought, yes, but off base? Methinks not. I covered this story back in July... the update is that there is no update. They haven't made any headway as far as identifying who the culprits are...

Gas debit thieves still on the loose

Police still haven’t caught up with the scam artists who made off with half a million dollars this summer from debit card information stolen at two Pierce County gas stations. Local agencies are coordinating with police in California and with federal agents to stop what they believe is a crime spree that spans the West Coast. The patient and wily thieves are believed to have left a wake of at least 675 victims and $800,000 in losses, according to police and news accounts.

“We are in touch with multiple agencies up and down the West Coast and the FBI is involved,” Pierce County Sheriff’s Department spokesman Ed Troyer said Friday. “We’re swapping photos and other information.”

But despite those efforts, the thieves remain steps ahead of their pursuers.

“We haven’t really made any headway as far as identifying who these people are,” Puyallup police detective Jason Visnaw said Thursday. His case alone has 283 victims with losses of more than $268,000.

The crimes have several common features:

• The thieves target ARCO stations, which take debit cards but not credit cards.

• They use card-reading devices placed on the payment machine to “skim” account and PIN information.

• They often wait for months after taking the card information before making withdrawals – which is long enough for surveillance video to be taped over.

• They raid their victims’ accounts over holiday weekends, when there’s a better chance the thefts will go undetected for an extra day.

The thieves drew on accounts stolen from the station at 1502 South Meridian St. over Memorial Day weekend. Over the July Fourth holiday, more than 125 people who used their debit cards at the ARCO at 11608 Meridian Ave. E in South Hill became victims; they had all used their cards at the station the previous August.

The July Fourth case was investigated by the Pierce County Sheriff’s Department. A total number of victims and losses was not immediately available. Earlier estimates placed Pierce County losses around $500,000.

A May San Jose Mercury News article said a group that had targeted stations in South San Jose and Los Altos was “likely the same group that has been targeting stations statewide.”

San Jose detective Patrick Ward told The News Tribune that his case alone involved another 190 victims and another $210,000 in losses. The Los Altos case has more than 80 victims and $100,000 in losses.

Los Altos detective Wes Beveridge said the case is being investigated by a high-tech task force composed of officers from several jurisdictions in northern California and the FBI.  “We’ve got one of the suspects identified,” he said, noting it was unclear how big the group is. “I’ve got six different suspects in my cases.”

The information police have gathered indicates the group may have been active in Florida and Arizona before making southern California its home base. Members of the group are thought to be from Eastern Europe and are likely sending the proceeds overseas, possibly to fund other illegal activities, Beveridge said.

A comprehensive estimate of victims and losses was not available. Photographs from several ATMs where the thieves made their withdrawals have been released to the public.

“Right now we’re all kind of in the same boat,” Ward said. “We’re trying to contact as many local agencies as possible. At this time, we don’t know exactly what the entire scope of it really is. It’s still an ongoing investigation.”


Who Says Crime Doesn't Pay?

According to Brian Krebs, a computer security journalist with the Washington Post, cybercrime is a lucrative business and is growing exponentially. He refers to McAfee's annual "Virtual Criminology Report" (PDF), which states that online scams quadrupled in the last quarter of 2008.

Also (see chart on left), the number of viruses/bots, trojans and potentially unwanted programs (PUPs) is not only on the rise, but almost off the charts. Why is this relevant? Because (see 3 Key Findings illustration below), based on the report, law enforcement is "ill-equipped" to cope with this growing (insurmountable?) surge in PC attacks designed to steal personal information.

So apparently "Crime Does Pay", at least cybercrime.

Put in simple terms, software is soft... which is why HomeATM's Internet PIN debit approach is hardware based. As long as hardware isn't tampered with (I would find it highly unlikely that anybody's going to break into one's home to tamper with HomeATM's Personal Card Swiping Device), it's the safest, most secure way to transact. It's more convenient too... just swipe versus type! But convenience takes a back seat to security, and if you have any doubts about how easy it is for cybercriminals to see what you type, then Google "PC Hijacking" or "keylogging."

Here's a snippet from Mr. Krebs' article.

Report: Cybercrime is Winning the Battle Over Cyberlaw

Law enforcement agencies worldwide are losing the battle against cyber crime at a time when criminals are increasingly using the global economic downturn to make headway in recruiting more computers and computer users to further illegal online activities, a scathing new report from security vendor McAfee concludes.

McAfee's annual "Virtual Criminology Report" (PDF) notes that the number of compromised PCs used for blasting out spam and facilitating a host of online scams has quadrupled in the last quarter of 2008 alone, creating armies of spam "zombies" capable of flooding the Internet with more than 100 billion spam messages daily.

In an increasing number of cases, those missives are playing on public fears over the battered economy, pitching recipients on too-good-to-be-true job offers aimed to enlist them in cybercrime operations, McAfee said.

"Cybercriminals are cashing in on the fact that the economic downturn is causing people worldwide to increasingly turn to the Web to seek the best deals and jobs, and to manage their finances," the report charges. "They are preying on fear and uncertainty and taking advantage of the fact that consumers are often more easily duped and distracted during times of difficulties. In fact, opportunities to attack are on the rise."

At the forefront of this worsening problem are so-called "money mule" scams, in which criminals make use of third parties -- often unsuspecting consumers -- to launder stolen funds. Mule recruitment is an integral part of many cybercrime operations because money transferred directly from a victim to an account controlled by criminals is easily traced by banks and law enforcement.

The mules, therefore, serve as a vital buffer, making it easier for criminals to hide their tracks. However, criminals tend to view money mules as expendable resources, because those unwitting accomplices usually either are confronted by authorities or lose money as a result of their participation in the scams.

In most cases, money mules are recruited via online job postings touted in spam. McAfee said that some 873 money-mule recruitment Web pages were detected in Britain alone in the first half of 2008, a 33 percent increase over the first half of 2007. That data was gathered by APACS, the United Kingdom's payment-industry trade group.

An investigation by earlier this year into a money mule network uncovered a database of thousands of U.S. citizens who had responded with interest to a single money mule scam e-mail campaign.

(continue reading at the Washington Post) or go to the McAfee Report here


Gemalto Wants EMV in USA

In an article, Kirk Ladendorf of the American Statesman talks about Gemalto's preference to do away with the magnetic stripe. Most of Europe has already converted from magstripe to Chip and PIN, as have Australia and Canada... along with many other parts of the world. The USA is the last vestibule for Gemalto, and they believe America will convert to EMV in the next 5 to 6 years. At least one analyst does anyway.

"The world's largest smart-card supplier shipped 1.2 billion of its cards last year and has more than 1 billion users around the world. It recorded sales last year of 1.6 billion euros (about $2.2 billion U.S.). The company says its growth this year is running about 10 percent in the face of a weakening economy.

Now, the Amsterdam, Netherlands-based company is looking for new worlds to conquer, including the United States, which traditionally has been a smart-card laggard. The company is relying on its 150-person marketing and engineering team in Austin to develop products, services and business alliances that help keep its revenue growing.

North America is a comparatively undeveloped market for Gemalto in part because many of the big banks here remain wedded to old-fashioned "magnetic stripe" bank credit cards and debit cards, rather than to smart cards, which predominate in Europe and other parts of the world.

Despite some reports of increased fraud cases involving magnetic stripe cards, many U.S. banks are hesitant to change because of their heavy investment in the technology, said analyst Ed Kountz with Jupiter Research.

"Our (banks') willingness to make a change is somewhere between kicking and screaming on the payment side of things," Kountz said.

Smart cards can contain 1,000 times as much information as a magstripe card and can contain multiple software applications that enable them to handle more functions. More data and more software translates into more security and more functionality, Gemalto says.

As the rest of the banking world adopts smart cards, the analyst expects U.S. banks will eventually follow in the next five or six years.

If the banks are slow to move, other U.S. customers, including the federal departments of Defense and State, have moved faster. Gemalto is one of two main suppliers of smart cards that go into the State Department's new e-passports, which began in 2006. It has also won over big security-conscious corporate customers including Boeing Co., Chevron Corp. and drugmaker Pfizer Inc.

Some of those companies have begun using a new Austin-developed product, the Smart Enterprise Guardian, that can be used to authorize user access to computer networks, the secure transport of stored digital files and digital signatures for e-mail documents to make an official record.

Pfizer is using the "digital signature" feature to reduce the logistical requirements, money and time involved in creating an official record for its complex drug development process.

The SEG was developed to work with Microsoft Corp.'s Windows operating system. Gemalto's technical team in Austin keeps close ties to Microsoft's operating system developers.

"Microsoft is a huge supporter of Gemalto because we are the largest provider of secure devices in the world," said Paul Beverly, who heads the company's North American operations and also serves as the global company's executive vice president for marketing. "What we are seeing is, we are in a position where things are evolving in our direction. The pressure is coming from various mandates for increased security, and there is a lowering of the technical barriers to adoption."

Microsoft founder Bill Gates has said that one of the major points of vulnerability to computer networks lies in its heavy dependence on passwords as the main form of authorization for users. Passwords can be stolen or lost, and they can create an administrative burden to manage.

Gemalto says it offers a way around the problem.

"We all realize that we can make the world more secure and more convenient if we can get rid of the damned password," Beverly said. "That is our mission, to get rid of the password, because it creates so many problems" for computer systems administrators...

(continue reading in a new window)
