Thursday, February 26, 2009

Jewel Thieves

How To Steal a PIN

Chicago Sun Times

Two women police say were accomplices in a scam were arrested early Wednesday for allegedly stealing cash using a debit card PIN number in the self-checkout lines of a Near North Side Jewel grocery.

Belmont Area detectives issued a community alert Wednesday after a man met two women outside a River North bar last month and later discovered his bank debit card was missing and $8,600 was withdrawn from his account.

Neither of the women in custody, both 23, is believed to have been involved in the other incident.

The accomplices were spotted using an allegedly stolen credit card in the self-checkout lanes and, using its PIN number, swiped it several times, each time asking $100 cash back for a small purchase like gum or soda.

In the alert, Belmont Area detectives said there have been numerous similar incidents downtown and on the Near North Side, where men have been approached by women "offering a ride or a good time."

The women convince the victims to withdraw cash from an ATM, and as he does so, they watch him enter his PIN. The women later take his credit/debit card without his knowledge and use it at self-checkout lanes at the Jewel groceries at 1224 S. Wabash Ave., 1210 N. Clark St. and Ohio and State.

In last month's incident, after the women got the man's card, they purchased a low-priced item at the South Wabash Jewel then depleted the man's bank account by $8,600 by withdrawing cash in $100 increments, the alert said. The women were seen by a witness driving away in a white Lincoln Continental.

Police advise men to be alert to suspicious people extending invitations to "go for a ride" or who offer a "good time." Additionally, police advise against carrying an excessive amount of cash and/or credit cards.

“It’s the perfect crime,” according to a police authority, who said the crimes are hard to prosecute for at least two reasons.

The victims often don’t want to come forward because they don’t want their names used, especially if they are married, and the amounts are sometimes not comparatively significant enough for the bank to aggressively seek action.


United - No Cash..."Card Info"

In a press release, United Airlines announced No Cash...Visa! So your martinis, Dewar's, Maker's Mark and other in-flight purchases must be paid for with a CARD only.

If the reasoning behind this is that they don't want their stewards to pocket cash, then they apparently are not aware of the potential danger this poses for their customers. Hopefully people will be able to swipe their cards from their seat, because it's highly inadvisable to hand over your card (and thus the Track 2 data on the magnetic stripe) to a waitress at a restaurant, let alone a waitress in the sky. The opportunity, and thus the temptation, to "skim" the card information might be too great for some, and the passenger can be taken for a ride.


No Cash...Card

United Airlines introduces onboard credit/debit card acceptance beginning March 23

CHICAGO, Feb. 25 /PRNewswire-FirstCall/ -- United Airlines is making the search for exact change a thing of the past. With United's new EasyPurchase, customers will be able to use credit and debit cards for onboard purchases beginning March 23.

After a brief transition period through the spring break season, United will phase out cash and only accept credit and debit cards on flights within the United States (including Hawaii) and on flights to and from Canada, Mexico, Central America and the Caribbean.

United will continue to accept cash in addition to credit and debit cards on flights to and from Europe, Asia, the Middle East and South America.

On United Express flights, cash will continue to be the accepted form of payment.

"Our customers have responded very positively over the past year as we tested credit and debit card purchases on many flights including trans-continental routes," says Alex Marren, senior vice president - Onboard Service. "Whether customers want to enjoy an in-flight cocktail or a popular snackbox, our customers' purchases will soon be just a quick swipe away."

With EasyPurchase, customers will be able to use major credit cards, including Visa, MasterCard, American Express, Discover, and Diners Club, and debit cards bearing the Visa or MasterCard logos.

In addition, users of United Mileage Plus Visa cards from Chase will earn 10 miles for every dollar spent on in-flight purchases. Travelers who apply and are approved for a Chase Mileage Plus Visa card using the exclusive onboard application will earn 30,000 Mileage Plus bonus miles and receive $25 off their next United Airlines ticket, after their first purchase.

About United

United Airlines (Nasdaq: UAUA) operates more than 3,000* flights a day on United and United Express to more than 200 U.S. domestic and international destinations from its hubs in Los Angeles, San Francisco, Denver, Chicago and Washington, D.C. With key global air rights in the Asia-Pacific region, Europe and Latin America, United is one of the largest international carriers based in the United States. United also is a founding member of Star Alliance, which provides connections for our customers to 912 destinations in 159 countries worldwide. United's 49,500 employees reside in every U.S. state and in many countries around the world. News releases and other information about United can be found at the company's Web site at

*Based on United's flight schedule between Jan. 1, 2009, and Jan. 1, 2010.

SOURCE United Airlines


Mystery Processor's Breach Timeline has released a comprehensive time-line on the Mystery Breach at one of our nation's prominent card processors.  Since the PIN Payments Blog has been following this closely,  we thought we'd share.  Kudos to for putting this together in a clear and concise way...

2009-02-26 by d2d

Here's a timeline of what we've seen surrounding this vaguely disclosed breach. First, some terms:

CAMS: This is an acronym for a Visa implemented system, the "Compromised Account Management System". Alerts are distributed via this system to banks and other financial institutions to facilitate card reissuing and fraud detection. Mastercard also issues similar alerts.

Card Not Present: This term means exactly what you think it does. The card was not physically present during the transaction. This is typical in online shopping, telephone sales, etc.

UPDATE | February 11th, 2009: VISA blasts out a CAMS notice, which has been contributed to OSF anonymously:

"Date: February 11, 2009 Entity Type: Acquirer Processor - Fraud Reported: Yes, elevated fraud rates on this event Visa Fraud Control & Investigations has been notified of a confirmed network intrusion that may have put Visa account numbers at risk. The reported incident involves confirmed unauthorized access to a U.S. acquirer processors settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. Fraud analysis has revealed elevated card-not-present fraud rates on this incident. Even though it is not known if any account information was actually removed during the intrusion, we must still consider the data to be at risk because of the elevated fraud. Based on the forensic investigative findings, the entity began storing PANs and expiration dates in February 2008. The forensic investigation is ongoing. Any new material information will be provided in a CAMS update to better assist you with fraud and risk mitigation."

February 11th, 2009: Fiserv blasted out this alert to their customers (banks, credit unions, processors, etc). We were tipped on this by multiple sources. The statement reads:

"The Risk Office Team has received information from Visa and MasterCard regarding the confirmed compromise of a U.S.-based acquirer processor. Please note that the compromised card alerts for this event are not related to the Heartland Data Systems’ breach. Given that confirmation of the Heartland breach and this new compromise occurred in such close proximity, it’s possible that the same card numbers could appear on compromised card lists associated for both events. You may wish to take this into consideration as you execute your organization’s monitoring and/or reissue plans for recently compromised cards."

February 12th, 2009: The Community Bankers Association of Illinois posts a notice that included the following:

"Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation..."

Between 2-11 and 2-13: The Tuscaloosa Federal Credit Union releases a notice regarding the incident that reads:

"On the heels of the Heartland Payment Systems breach, another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach."

February 13th, 2009: The Independent Community Bankers of America releases this on their website:

"ICBA learned of another security breach involving a merchant processor. The breach appears to be large, but not as large or severe as the recent breach at Heartland Payment Systems. The name of the breached processor is unknown at this time, but ICBA knows that: All accounts and all brands were equally exposed; however, only card numbers and expiration dates were captured. No track data was captured. Because there is no evidence of skimming counterfeit and all known fraudulent transactions have been key entered, Visa's ADCR program will not cover losses. However, compliance and “card not present” (depending on status of VbyV/SecureCode) chargeback rights should apply. MC issuers must file via compliance as they always do. Alerts for this new incident are being reported under Visa series US-2009-088 and MasterCard series MCA0150-US-09."

February 13th, 2009: The Pennsylvania Credit Union Association released this statement which we've retrieved from google cache, as the content of the old notice is now displaying a new notice about something else. The old notice read:

"Earlier this week, Visa and MasterCard began issuing accounts involved in a merchant processor breach. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor's settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach. While it has been confirmed that malicious software was placed on the processor's platform, there is no forensic evidence that accounts were viewed or taken by the hackers. Since the final forensic report has not been provided there is no estimate available at this time of the number of accounts involved in this event. Law enforcement is actively engaged in an investigation into this situation. Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US-2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09. They have not provided any information as to when they expect to have all their accounts released. The current window of exposure provided by both card associations is from February 2008 through January 2009. The only data elements at risk are account number and expiration date. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. As in all events, it is the issuer's decision whether or not a block and/or reissue decision is warranted. However, we would like to emphasize that this event carries a lower level of risk than the Heartland compromise."

February 13th, 2009: We posted a blog entry regarding what we've been hearing from tipsters, who are usually dead on about these things, but we did so only after corroborating that the tips we'd heard were also being heard by others.

February 17th, 2009: The Alabama Credit Union posts a notice on their website that reads:

"Alabama Credit Union has been notified by VISA that some members' VISA credit card information may have been discovered during a breach at a card processor's site. VISA has not named the card processor."

February 17th, 2009: The Bankers' Bank of Kansas posts a notification which reads:

"Two large data compromises affecting credit and debit cards were announced the weeks of 1/21/09 and 2/09/09. BBOK BankCard actively monitors all alerts from Visa®, MasterCard®, and our processor for compromised card data...."

February 19th, 2009: The Alabama Credit Union follows up on their initial reporting with an update indicating how fraud is being committed as a result of this new breach, and it contains the following:

We have been notified by VISA that a lengthy list of VISA ATM/Debit Card numbers was included as part of a data breach at an unknown vendor's location. VISA has declined to name the vendor or processor. The fraudulent transactions are primarily characterized as purchases of prepaid phone cards, prepaid gift cards, and money orders from Wal-Mart, and usually occur in $100 increments.

February 22nd, 2009: We posted a follow-up to our original story, with new information (some of the above timeline items) gathered from

February 24th, 2009: News reports are released about St. Mary's Credit Union receiving notification regarding this breach. The article writes:

"A breach of a credit card processing system at St. Mary's Credit Union yesterday affected up to 4,300 customers and likely cost the business more than $20,000....The credit union does not know the name of the processing system, but Battista said the breach likely affected people across the country..."

End of Timeline

This is what we know. Of course, there is a lot of speculation as to who the unnamed is. Our mailboxes here are on fire with speculation, and you can read the comments on some of our previous posts on the topic to see examples of it. We have no solid information regarding who the affected organization is. We do know that we've had two other major breaches recently involving this type of data, namely: RBS Worldpay and Heartland Payment Systems. We also know that in a statement to the consumerist, Visa and Heartland is adamant that this new breach was not them.

Ultimately, I think the banks will demand to know, considering the costs are mostly their burden to bear. But in the meantime, we wait.


500,000 Websites Hit by SQL Injection in '08

darkReading says that SQL Injection hit 500,000 Websites last year:

Report: More Than 500,000 Websites Hit By New Form Of SQL Injection In '08
New Web breach incident report finds the bad guys deploying more automated attacks, targeting customers rather than data on sites

Feb 25, 2009 | 02:52 PM
By Kelly Jackson Higgins

A new flavor of an old-school Web attack was responsible for compromising more than 500,000 Websites last year.

An automated form of SQL injection using botnets emerged as the popular method of hacking Websites, according to a newly released report from the Web Hacking Incidents Database (WHID), an annual report by Breach Security and overseen by the Web Application Security Consortium (WASC). The report also found that attackers increasingly are targeting a Website's customers rather than the sensitive information in the site's database.

"It used to be that mostly e-commerce sites were targeted, but now it's potentially any site, especially those with a large customer base," says Ryan Barnett, director of application security research for Breach Security. "The attackers say, 'You're going to become a malware-launching point for us.'"

The so-called Mass SQL Injection Bot attacks basically automate the infection process; the Nihaorr1 and Asprox botnets both deployed this method last year, according to the report. "In the past, they had to do some manual reconnaissance with SQL injection to send the initial queries," Barnett says. The automated approach sent one request with a script that automated all of those recon steps -- using bots to perform the attacks.

"While the initial attack vector was SQL Injection, the overall attack more closely resembles a Cross-Site Scripting methodology as the end goal of the attack was to have malicious JavaScript execute within victims' browsers," the WHID report says. "The JavaScript calls up remote malicious code that attempts to exploit various known browser flaws to install Trojans and Keyloggers in order to steal login credentials to other web applications."

Continue "darkReading"


Heartland Being Thoroughly Investigated

The SEC had launched an informal inquiry into the company and there is also a related investigation by the Department of Justice. The U.S. Department of the Treasury's Office of the Comptroller of the Currency (OCC), which regulates national banks and their service providers, has launched an inquiry, as has the FTC.

Editor's Note:  Investigations by the FTC and DOJ are not uncommon. The SEC investigation has nothing to do with the breach, but with starting to sell 80,000 shares per month and it coinciding with the timeframe of the breach. 

What's rare is the OCC investigation.  Gartner Distinguished Analyst, Avivah Litan, has a take on why they are involved.

The Treasury's OCC may be taking an interest in the breach because it could be part of a larger problem for the banking industry, said Avivah Litan, an analyst with Gartner Research. "I think that the criminal gang that targeted Heartland is targeting multiple payment processors and it's a serious threat to the integrity of the payment systems," she said.

Yes, there is a serious threat to the integrity of the payment systems. It all has to do with information security/data encryption. Data traveling over the network should be securely encrypted from the point of data entry (the POS) to the point where the data is processed (V/MC). Beginning-to-End Encryption (B2EE) will be costly and time consuming to implement, but look at the alternative. (And yes... there is a HomeATM pun "encrypted" with 3DES/DUKPT in there.)

In recent months at least three credit-card processing companies, including Heartland, have been the victims of sophisticated criminal attacks resulting in millions of compromised payment cards. One of the other card processors, RBS WorldPay, lost data on 1.5 million customers. A third hack, at an unnamed payment processor, was disclosed last week.

In related news, Heartland announced yesterday that the President and Chief Financial Officer Robert Baldwin will be participating at the Goldman Sachs Technology and Internet Conference, February 26, 2009, at 6:20 PM at the San Francisco Marriott in San Francisco, California.

After the live presentation the web cast will be archived on the Company’s website. Those who are interested can listen to a live web cast of the presentation on the Investor Relations section of Heartland’s website at:
