The owner of a Redmond, WA tobacco shop was sentenced to less than three years in prison for skimming $300,000 off more than 300 credit cards. That's a little harsher than $200 bucks and get outta town" (see Saturday's post) but not as harsh of a sentence as the same crime will see in the future.
Here's the U.S. Attorney's Office news release:
HRANT "MIKE" ASLANYAN, 38, of Redmond, Washington, was sentenced today in U.S. District Court in Seattle to 33 months in prison, five years of supervised release and over $214,000 in restitution for Bank Fraud. ASLANYAN, the owner of a small tobacco and convenience store, pleaded guilty on June 13, 2008, admitting that he skimmed the debit and credit card numbers of more than 300 of his store customers. Those stolen numbers were used to steal money or incur credit from seventeen different banks. At sentencing U.S. District Judge Ricardo S. Martinez said, "This type of crime victimizes totally innocent people who are just going about their daily business." Judge Martinez ordered ASLANYAN taken into custody immediately to begin serving his sentence.
According to the Seattle Times Police Blotter: In late 2004 though early 2006, law enforcement investigated a rash of reports of compromised credit and debit cards. Dozens of people had their credit and debit cards used, without their permission, to withdraw money in the Las Vegas, Nevada and Los Angeles, California areas. Some seventeen financial institutions were hit for about $300,000. Some 300 Redmond area accounts were accessed. (Editor's Note: Just think how much more he could've made if Bill Gates was a smoker!) The place where each of the victims had used their credit or debit card, was "Smokers Choice" a small tobacco and convenience store in Redmond. Thirty-five of the victims specifically identified ASLANYAN as the person who had run their credit or debit card. The skimmer that records credit or debit card information was never recovered.
ASLANYAN has refused to assist law enforcement by identifying his co-conspirators who used the information to incur credit charges or raid victim bank accounts.
In asking for 33 months of imprisonment, Assistant United States Attorney Vince Lombardi argued that the victims go beyond the banks that lost money, to the people whose accounts were violated. "It is difficult to overstate the feeling of victimization felt by individuals who find their identity and account information stolen, merely because they chose to entrust Defendant with their debit or credit card when buying cigarettes or other items... Identity theft and related fraud crimes have been an epidemic in this judicial district ... this particular crime impacted hundreds of individuals," Mr. Lombardi wrote in his sentencing memo.
The case was investigated by the U.S. Secret Service, the Redmond Police Department, the Bellevue Police Department, and the Duvall Police Department.
Comment:
January 17, 2009 at 9:43 AM
$300,000 stolen, yet only $214,000 restitution ... how come not the whole $300,000 ?.. only 33 months in prison?? must have been some pretty heavy plea bargening going on here.. this sleeze should be made to pay back the WHOLE thing and do at least 10 years.. especially since he refused to co-operate with the investigators in naming his partners.. something here has gotta change in our "justice" system...
The Pulse Index is an annual tracking of online shopping activity during the holiday season. From November through January, Chase Paymentech monitors the daily activity of 25 of the largest 150 Internet retailers. The data includes the total number of payment transactions and total dollar value processed. The data is taken from transactions crossing Chase Paymentech's global processing platform. Final Results for Cyber Holiday Pulse Index
"The Pulse Index was remarkable this year," said Mia Shernoff, marketing executive for Chase Paymentech. "Because it tracks actual transactions on a daily basis for such a large number of major e-commerce merchants, the Index provided unique insight into the behavior of online shoppers and how the economic climate affected their buying patterns." Online Holiday Shopping 2008 - A Mixed Bag
For the 2008 holiday shopping season, the Pulse Index results represent online purchases beginning on November 1, running through December 31. While sales volume and transaction count both show an increase, the average ticket, or amount per sale, declined.
The statistics indicated:
Sales volume for the holiday season was up a modest 4.5 percent versus 2007.
Transaction count was up a significant 16.5 percent.
Average value per transaction was down an unanticipated 10.3 percent.
According to Forrester Research Principal Analyst Sucharita Mulpuru, the mixed e-commerce news highlights the environment faced by retailers this year. "This holiday season challenged all retailers," she said. "Web transaction volume was up significantly from last year, but the relatively lower revenue numbers point to aggressive discounting by retailers and eager deal-hunting by shoppers."
The tough shopping season, however, was an opportunity for some e-commerce merchants. Said Mulpuru, "A few branded retailers with very favorable pricing strategies were able to take advantage of the holiday season's circumstances and increase their market share. There should be a shakeout of Web retailers, but that will leave the remaining players more favorably positioned for growth into 2010 and beyond."
Additional highlights of the 2008 Pulse Index included:
The peak shopping season (the period between Thanksgiving and Christmas) sales were down 4.5 percent, but transaction volume was actually up 5.2 percent - this despite five fewer shopping days during this period versus 2007.
The largest day for transactions was Tuesday, December 16, with 3.96 million transactions. This was only slightly higher than Wednesday, Dec 17, which saw 3.95 million transactions.
The largest day for sales was Tuesday, December 2, with more than $218 million, topping Wednesday, December 17, which saw more than $217 million.
Said Aaron Press, director of market research for Chase Paymentech, "The practical lesson we took from this year's Pulse Index is that all of the hype surrounding Cyber Monday, is just that: hype. Merchants looking to capture additional sales or attract new customers should consider focusing their discounts and promotions on the middle of the week. Tuesday through Thursday is the peak shopping time for online consumers."
Mia Shernoff concluded, "There is a lot of value in being able to see the information and trends reflected in an index representing actual transactions among e-commerce merchants. It helps companies with everything from allocating resources to scheduling promotions during a crucial time."
Data and charts are updated daily, with weekly commentary to explain any trends, offer historical insight and provide context. Guest commentary will be provided by Sucharita Mulpuru from Forrrester and Aaron Press, Director of Market Analysis for Chase Paymentech. Visit the Pulse Index every business day at 2:00 P.M. EST to see the daily numbers, or subscribe to our weekly commentary via RSS. Media inquiries should be directed to James Wester, Director of Corporate Communications for Chase Paymentech at 877.843.5631 www.chasepaymentech.com
Back on November 11th, in a post I called "Short Circuit in Gift Cards?" I stated:
"If You've got a Circuit City Gift Card, Use it Now!
...Circuit City tried to reassure shoppers that it would be business as usual despite its Chapter 11 bankruptcy filing. I wouldn't be the least bit surprised, if and when the Circuit City gift cards do indeed short-circuit, to see the gift card landscape vastly affected forever. There needs to be either new regulation introduced or someone will have to come up with an improved program... otherwise consumers will shy away, from, especially the "closed loop" gift cards. So if you have a Circuit City gift card use it immediately..."
Hope you did, because yesterday Circuit City announced they are "shuttering" all 567 stores. If you haven't used them, there's no rush...you can shop at CircuitCity.com through tomorrow. (January 18th) Store liquidations begin as early as today and last until...?
According to the Chicago Tribune, "The sooner consumers use their gift cards, the better. Circuit City's group of liquidators have agreed to honor gift cards for at least the first few weeks. Deadlines for gift card use are expected to be posted in stores within the next couple of days."
"We are extremely disappointed by this outcome,” said James A. Marcum, acting president and chief executive of Circuit City Stores. He called the liquidation “the only possible path” for the 60-year-old company."
The NY Times writes: "The demise of Circuit City, while not surprising given its declining sales, is part of a radical shift (Editor's Note: call it "radical" but I say "paradigm") taking place in retailing. Weak chains — unable to weather the freeze-up in consumer spending and choked by tight credit markets — are closing.
Hmmm, I always thought that age-old line was "Don't do the crime if you can't do the time." Apparently that's not true in West Vancouver.
"Don't Refrain if You Can Gain" seems to be more applicable..
$200 bucks? Heck, go 72 mph in a 65 zone here and you'll be penalized more than that...
Here's a story from CTV British Columbia where they tell the tale of a PIN Pad thief who got fined $200 bucks and has to leave town by "high noon." Unbelievable. I've reproduced the comments from their site, and as you can read, people are getting fed up with these types of crimes. As I've posted in the past...why rob a bank? That's 20 years...this is $200 bucks. If he didn't get caught "red-handed" what would his take be? IMHO, the judge got this one "way wrong." At least the message he's sending is...
Here's the story: CTV British Columbia- PIN pad thief gets $200 fine and deportation order - CTV News, Shows and Sports -- Canadian Television
PIN pad thief gets $200 fine and deportation order Updated: Fri Jan. 16 2009 18:32:54 Darcy Wintonyk, ctvbc.ca
Police in West Vancouver have caught a PIN pad thief red-handed -- and kicked him out of the province. On Tuesday night, the owner of a Park Royal area juice bar called police after someone stole the PIN pad from the counter. He had just serving two customers and noticed that the device was missing.
Editor's Note: Notice the pic of the PIN Pad (below right) with a steel tether to prevent it from getting stolen...
Police apprehended the men shortly after near Marine Dr. and 14th St. after being alerted by a transit operator. After a brief investigation, police recovered the pad from a rental car parked nearby. On Thursday, 23-year-old Quebec native Jonathan Ramirez-Dionne pled guilty to theft under $5,000 in a North Vancouver courtroom.
"He was sentenced to one year probation and a $200 fine," says Const. Jeff Palmer.
But that's not all. The judge has also given the unusual order for him to leave the area. "An interesting aspect of his probationary requirement the judge has ordered him to leave British Columbia by four o'clock Friday afternoon and he's not to be found in British Columbia during the term of his probation."
The owner of the juice bar doesn't think the penalty is heavy enough. "It's funny because if I was caught speeding, it would be a bigger fine, and you know it's less of a heinous crime per say, and they get $200 which is a little bit bizarre," says Blake Goddard.
Police advise merchants to securely attach pin pads to counters at and to train staff to regularly check the devices. This isn't the first time Park Royal mall has been hit by debit thieves. Last March, police warned customers to change their PIN numbers after two La Senza's and an Aldo store had their PIN pads stolen. PIN pads don't normally record PIN numbers, but the devices can be modified to take in personal information. In August 2007, phony PIN pads turned up at four retail stores, including and thieves used the stolen information to withdraw money from hundreds of accounts.
Please Add Comments(7) Don I like that the judge told him to get out of BC. I think 200 dollars is pretty light as a fine for this type of crime though. Pat in the Valley What kind of justice is this - first he breaks the law, can steal potentially mega bucks and all he gets is the boot from the Province. When will the Justice System finally get it? and hand out appropriate sentencing and not just another "slap on the wrist". Christine That is ridiculous! $200 fine, what a joke! How will we know that the guy is actually leaving the Province and who is going to keep track of him? Ashley What a joke that is! Apparently in BC and in Canada it pays to lead a life of crime. Wasn't too impressed to be watching this story on the 6pm news on CTV and watched the report show the viewers exactally how to remove it. I know its not rocket science but come on.. C Umm... I agree with your statement "PIN pads don't normally record PIN numbers, but the devices can be modified to take in personal information." but your on-air story is misleading viewers that PIN pads ARE storing information when they DO NOT. Only counterfeit PIN pads store/steal information. Aden Thats awsome thats what you get when you steal from our province Au revouir frenchy Bangedup what a joke - time to change the laws
According to CardTrak.com credit card balance payments saw their largest drop ever, from October to November. (Guess December's data hasn't arrived yet...)
The amount that consumers pay on their monthly credit card balances dropped like a rock in November to a record low. Generally cardholders, including those who pay the minimum due and those who pay the full balance off each month, pay on average, about 18% to 20% of their monthly outstanding balances.
During October cardholders paid 18.42% of their balances which collapsed to 15.96% in November, Clearly, the credit squeeze that began in mid-Septembertrickled down much faster than expected. The impact of job losses cannot be understated. In December, the number of unemployed persons increasedby 632,000 to 11.1 million and the unemployment rate rose to 7.2%. Since the start of the recession in December 2007, the number of unemployedpersons has grown by 3.6 million, and the unemployment rate has risen by2.3 percentage points.
PAYMENTS June 08: 19.54% July 08: 19.54% August 08: 19.21% Sept. 08: 18.57% Oct 08 18.42% Nov 08: 15.96%
eMarketer reports that the recession may be contributing to increasing usage of the Internet among leisure time activities.
Of course, by the same token, one could argue that the recession, which has cause many job losses, could "reduce" the percentage of "leisure time" spent online, as people would be an additional 10 hours per day of leisure.
That would equivocate to needing to spend an additional 3 hours per working day (15 hours per week) online in order to retain the 30% level that US Internet users are now at. When looking at the chart on the right, I'd be interested in hearing theories behind the 72% spike in usage from 2006 to 2007. Internet Users Spending Even More Time on Web - eMarketer (click to read entire story)
"According to eMarketer, US adults are not world leaders in spending leisure time online. That distinction goes to Internet users in China, who spent 44% of their leisure time on the Internet in 2008, according to TNS Global. The company found that Americans ranked fifth worldwide, at 30% of leisure time spent online virtually tied with Italy (31%), Spain and Australia (29% each)." (Click Graph on Left, To Enlarge)
The study also found that many activities which we traditionally did in our spare time are now being done online. Three-quarters of Britons have used the internet for banking in the past month and two-thirds have also paid bills online. Seventy-five per cent of British respondents had read news online in the past month, while 62% had checked the weather. More Britons (55%) had watched a video clip on sites like YouTube than had listened to audio (44%) or participated in an online auction (39%). Social networking sites had been visited by 37% of people, while 32% had downloaded music.
Seven per cent of Britons called themselves bloggers, with 16% saying they had "viewed or contributed" to a blog, compared with 88% of Chinese respondents.
The poll of more than 27,500 people in 16 countries found that housewives in the UK spend 47% of their leisure time on the web, compared with 39% for students and 32% for the unemployed. Globally, the average across all occupations was 29%.
Of the 16 nationalities surveyed, Scandinavians seemed the least inclined to while away their free time in front of the computer - Danes spent an average of 15% of their non-work hours on the net, with Swedes at 18% and Norwegians at 22%.
Arno Hummerston, managing director of TNS Global Interactive, said: "If our leisure time is so precious, then why do we on average spend almost a third of it using the internet? We believe it is because we are making more efficient use of our valuable time, specifically by using the internet - thereby allowing us to fit more into our lives...
On Monday, in a post entitled "Gaza Strip(s) PC of Financial Data" I talked about a new(s) attack. "Using mainstream news headlines regarding recent events in Gaza, it lures people to a site that appears to be CNN. The bad news is, it isn't CNN...it's a clone, and there is nothing which clearly indicates that you've been duped." It then downloads a trojan which sweeps your hard drive looking for data relating to financial institutions.
In a post, earlier this month, (E-Commerce and Browsers Don't Mix) I talked about browser weaknesses. With the emergence of these two "new attacks" (the other one being "in-session phishing"...see "Phishing 2.0 - PAN Fried, not even 15 days into the New Year, it's becoming clearer that financial transactions need to be done outside the browser space.
Last night, I noticed that Gartner's Avivah Litan did an analysis on the Gaza Cease-Fire Trojan. Based on the title of her post, (and her bullet point, both of which I outlined in yellow) it's safe to assume that she feels along the same lines as we do, regarding the weaknesses inherent in web browsers.
Avivah Litan VP Distinguished Analyst Potomac, MD USA
Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, identity theft, fraud detection and prevention applications and other areas of information security and risk. She also covers payment systems and financial flows in the business-to-consumer and business-to-business markets.
A new trojan attack shows that seemingly "safe" Web sites can be used in financially targeted attacks. Enterprises need to take a layered approach to these attack vectors, which mostly lie outside their control.
Event
On 7 January 2009, the RSA FraudAction Research Lab discovered a trojan attack, identified as the Cease-Fire Trojan Attack, that used phishing e-mail supposedly offering Al Jazeera video on CNN of the war in Gaza to divert recipients to an imposter news Web site. Recipients who clicked on a "video" link were told they need to update their media players to run the video. When they tried to do so, a "Secure Sockets Layer (SSL) stealer" trojan was downloaded to their desktops.
"The trojan resides in the end user's Web browser, waking up when SSL encryption is invoked via the HTTPS protocol typically used for online financial transactions such as payments and banking. The trojan then tracks the user's keystrokes to steal transaction information."
RSA reports that it shut down the attack, which was staged at a registrar in China, and that it discovered and took down a second wave of attacks — staged on five other domains on 9 January — within four hours.
Analysis
Trojans delivered via phishing attacks are certainly not a new phenomenon, and security providers report that the frequency of these attacks is increasing rapidly. This particular attack is significant because it offers a clear demonstration of:
A comparatively new type of combined phishing/trojan attack that uses social engineering to prey on sympathies and interests (in this case, promising graphic images of war)
An attack using brands (for example, those of news organizations) that attackers rightly believe are less likely to be the targets of phishing attacks than financial service providers and therefore less likely to take proactive action against them
Criminals' ability to place programs inside browsers, making it possible to bypass the security protections offered by SSL encryption and by strong authentication techniques going through a user's browser
It is important to note that RSA shut down this attack as a public service, and that there is no guarantee that security providers will perform such services in the future. Enterprises must take action to protect themselves and their customers, clients, partners and other stakeholders against attacks of this type. Recommendations
Enterprises that store customer information, financial accounts, transaction information or other sensitive data:
Recognize that customer account credentials can be compromised and that many criminal attack vectors are outside your domain and your control.
Deploy a layered security strategy that includes fraud detection, stronger user authentication and out-of-band transaction verification for high-risk transactions.
Deploy browser-based "on demand" desktop security services to your customers, because these can, when used in conjunction with better local browser rules and recognition of high- assurance certificates, help to protect customers accessing your Web sites.
Internet infrastructure and security providers:
Consider pooling your resources and launching a joint phishing/malware detection and site-takedown service that can be offered on a pro bono or as-needed basis. This approach would make it possible to quickly block attacks against real or fictitious brands that are detected in the course of normal "cybersurveillance" services, even if no specific financial incentive to do so exists.
In an attempt to dispel myths regarding Interchange, MasterCard has put together a brochure (PDF) designed to show how priceless Interchange is.
They have also created several documents trying to "discount" charges that interchange is too high.
It all makes for some interesting reading. Below I have included links from their website, followed by their press release.
From MasterCard.com
Every business establishes a price for the goods and services it provides, and the electronic payments business is no exception. As one element of the cost of acceptance, interchange is a small fee in relation to the enormous value merchants receive for accepting MasterCard payment cards.
For almost 40 years, MasterCard has established default interchange fees that have proven to be the most efficient way to balance costs in the system and promote a strong, competitive payments industry that benefits cardholders, merchants and financial institutions. Today, some 25,000 financial institutions provide the cards and services that allow hundreds of millions of consumers and 25 million merchants around the world to benefit from the convenience and security of electronic payments.
Learn more about interchange from the information below:
MasterCard dispels myths, highlights benefits of payment networks
Purchase, N.Y., Jan 15, 2009 -- In light of the ongoing discussion and debate about the role of credit in today's economic environment, MasterCard Worldwide has issued a paper that dispels misperceptions (Editor's Note: shouldn't it be "misconceptions" or am I "misperceiving" this?) about payment systems and explains the tremendous economic value that electronic payments bring to the economy as a whole and their role in advancing commerce.
The paper, entitled "Benefits of Open Payment Systems and the Role of Interchange," underscores the enormous benefits delivered by electronic payments, which have become so ingrained in everyday life they are often taken for granted or misunderstood. Few people ever stop to consider the complex and sophisticated system that allows transactions to occur within seconds, almost anywhere in the world.
"Perhaps the easiest way to grasp the value of electronic payments is to envision a world without them. Clearly, if electronic payments came to a sudden halt, many facets of commerce - travel, trade and the Internet just to name a few - would face dire consequences," MasterCard President and CEO Robert W. Selander says in the introduction.
The paper also discusses the role of interchange - a relatively small fee paid for the benefits merchants get from card acceptance. Interchange is critical to ensuring the system provides maximum benefits to all participants, including consumers and merchants in a fiercely competitive marketplace.
MasterCard Worldwide advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes over 18 billion transactions each year, and provides industry-leading analysis and consulting services to financial institution customers and merchants. Through its family of brands, including MasterCard®, Maestro® and Cirrus®, MasterCard serves consumers and businesses in more than 210 countries and territories. For more information go to www.mastercard.com .
Google Checkout adoption is dropping. Maybe they ought to start "searching" for ways to increase market share. Maybe a globally patented PIN debit application from HomeATM would help...
The adoption of Google Checkout by online retailers is stalling, according to a study by interactive agency Rosetta.
The report states that 37% of 100 leading online retailers surveyed currently offer alternative payment methods, a 23% increase since November 2007.
Of those, Bill Me Later is most popular at 26%, with PayPal now nearly tied at 25%. Google Checkout showed a tiny increase from 10% in 2007 to 11%. Only 7% of the retailers examined offer all three methods.
“Even though it boasts high consumer confidence, Google Checkout is struggling in retailer adoption,” said Adam Cohen, a partner at Rosetta's consumer goods and retail practice, which conducted the study last month. “Adoption of the service started out very strong last year, but has stagnated in the last 12 months."
The discontinuation of incentives for retailers during the holiday season is likely to negatively impact Google Checkout adoption on an ongoing basis, he said.
CreditCards.com has provided an interactive guide to show how merchants and banks process cards purchases. For the interactive guide click here, (or the graphic on the left)
For a printable version, click the PDF link at the bottom of this post.
How credit card transactions work Interactive guide shows how merchants, banks process card purchases
By Tyler Metzger - CreditCards.com
More than 23 billion credit cards transactions were processed in the United States in 2007, and they are projected to grow by 26 percent over the next five years, according to the Nilson Report. But have you ever wondered what exactly happens after your card is swiped? Use this guide to to find out how your credit card transactions are processed. PDF
On November 24th, I posted about Symantec's release of a detailed report called the "Internet Security Threat Report." That report is now available to anyone who wishes to download the whitepaper.
This from their website. For your convenience, I have included links to more detailed information. Click any of the graphics to enlarge.
The Symantec Report on the Underground Economy examines activity on underground economy servers observed by Symantec between July 1st, 2007 and June 30th, 2008. It includes analysis and discussion of the goods and services advertised, advertisers participating in the economy, the servers and channels that host the trading, and a snapshot of piracy activity observed.
As I previously stated, this report, is now available to the general public for free download.
Symantec Weblog: Postings on the Underground Economy Learn more
Report Highlights
"The underground economy has matured into a global market with the same supply and demand pressures and responses of any other economy. There are a great many servers and channels available to advertisers to market their wares, which they do, and often. Most people associate identity theft with money because most reported cases involve criminals using the identity for activities such as obtaining credit cards, applying for loans, obtaining expensive medical or pharmaceutical treatments, or even stealing house titles. Symantec estimates the value of total advertised goods on underground economy servers was over $276 million between July 1, 2007 and June 30, 2008.
During the reporting period, Symantec monitored 44,752 unique samples of sensitive information publicly posted on underground economy servers, which accounted for 10 percent of the total distinct messages. Sellers often publicly post samples of their goods in the channels on underground economy servers. These samples serve several purposes: to prove that sellers actually have the goods in their possession; to show potential buyers the quality of goods they can expect; to enhance their credibility, and; to allow users to validate the information. The table (above left) identities the top samples of information posted:
Credit card information may rank high because there are many ways it can be obtained and used forfraud. This includes phishing schemes, monitoring merchant card authorizations, the use of magnetic stripe skimming devices, or breaking into databases and other data breaches that expose sensitive information.
Another explanation may simply be that there is a high frequency use of credit cards.
For example, the 22 billion credit card transactions in the United States in 2006 represent a growth of eight percent over the previous year. High frequency use and the range of available methods for capturing credit card data would generate more opportunities for theft and compromise and, thus, lead to an increased supply on underground economy servers.
Credit card information may be in such demand because using fraudulent credit card data for activities such as making online purchases is relatively easy. Online shopping can be easy and fast, and a final sale often requires just credit card information. Someone knowledgeable enough could potentially make many transactions with a stolen card before the suspicious activity is detected and the card is suspended.
The second most common category of goods and services advertised was financial accounts, with 20 percent of the total. This category includes bank account credentials, magnetic stripe skimming devices, online payment services, online currency accounts, and online stock trading accounts. This category ranked third for advertised requests, with 18 percent of the total. By far the major contributor to the popularity of the financial accounts category was bank account credentials, which accounted for 18 percent of all goods and services advertised for sale.
Financial accounts are attractive targets because of the opportunity to withdraw currency directly. Although this may involve more steps than using stolen credit card data to make online purchases, the process of cashing out financial accounts can be easier than retrieving cash from credit cards because criminals would require a PIN for the card. Also, most ATMs have security cameras, which may deter criminals from using this medium. In addition, withdrawing currency from a bank account has the advantage of a more immediate financial reward than with online purchases, which would need to be sold to realize a purely financial reward.
Credit card information includes credit card numbers, credit cards with CVV2, and credit card dumps; financial accounts includes bank account numbers, magnetic stripe skimming devices, online payment services, online currency accounts, and online stock accounts; spam and phishing information includes email addresses, email passwords, scams, and mailers; withdrawal services include cash outs and drops that are used to withdraw money and items from purchases; identity theft includes full identities and Social Security numbers; server accounts are for file transfers and virtual networks; compromised computers includes hacked computers, bot-infected computers, and shells; website accounts include online accounts for access to specific websites such as social networking sites; malicious tools includesWeb-based attack tools and malicious code; and retail accounts includes gift cards for online stores and online auction accounts.
Magnetic stripe skimming devices are small machines designed to scan and retain data contained in the magnetic stripes on credit and debit cards. To cash out bank accounts, individuals can either use a reliable cashier or can assume the identity of the bank account owner to withdraw funds. Since many bank accounts can only be cashed out from within the issuing country, criminals may prefer the use of cashiers that specialize in extracting currency from these accounts. Such cashiers use a variety of methods to convert the information into true currency, transferring money either through wire transfers or to online currency exchange accounts. They can also hire an intermediary to receive the transfer in person using a fake identity. Symantec observed requests on underground economy servers for cashiers in specific locations and of a particular gender (as matchingthe cashier’s gender to the identity of the bank account holder is essential to not raise suspicion when withdrawing funds).
US financial institutions were hit by 78 reported data breaches last year, a 47% increase and now own a 70% larger piece of the pie.
Reported data breaches in the US during 2008 were up 47% on the previous year, to 656, of which 78 affected financial institutions, according to a study from the Identity Theft Resource Center (ITRC).
Financial services accounted for 78 breaches, which is 11.9% of the total. Whereas last year, Financial services accounted for 7% of the total in 2007 it's 11.9% total this year represents a 70% bigger piece of the pie than they had last year. According to Finextra, ...
"The ITRC says at least 35.7 million records were potentially breached but the true figure is likely to be far higher because 41.9% of cases went unreported or undisclosed.
Financial services accounted for over 18.1 million compromised records, 52.5% of the total.
This is largely down to the biggest single breach last year, which saw BNY Mellon Shareowner Services losing around 12.5 million records - including social security numbers, names and addresses - when a box containing unencrypted customer data tapes went missing in transit in February.
In addition, RBS WorldPay was hit by a breach affecting 1.5 million records and Countrywide had two million compromised last year.
Most of the financial sector breaches were the result of hacking, followed by insider theft. Of all breaches across all sectors, 3.5% are attributable to hacking at financial firms, 2.4% to insider theft, 1.7% to data on the move, 0.8% to accidental exposure and 0.8% to subcontractors.
Electronic breaches account for 82.3% of the total, compared to 17.7% for paper. Despite this, just 2.4% of all breaches had encryption or other strong security methods in use and only 8.5% even had password protection." - Finextra
For those interested, I have included links to the following 2008 Year End Reports from the ITRC website:
BANGKOK: A Malaysian man wanted in the United States for credit card fraud amounting to US$150mil (RM540mil) was arrested by Thai authorities and US Secret Service agents in Nonthaburi on the outskirts of Bangkok on Tuesday. Local media reported that the 43-year-old man had a warrant of arrest issued for him by a US court for illegal possession of data access device, hacking into computers and stealing data.
Crime Suppression Division police chief Supisal Pakdinaruenar said the man was a prominent member of a credit card fraud gang operating in the United States for the past three years and was believed to have fled to Thailand to evade arrest. He was arrested in a house in the Pak Kret district where he was staying with his Thai wife.
The group is believed to be involved in stealing credit card transaction data from people patronizing major restaurants and retail outlets like TJX, WalMart and Office Depot, and selling the information to other groups making counterfeit cards.
According to Supisai, the man had denied all the charges and was currently facing extradition to the United States. - Bernama
Macy's Own Software Caused Its Holiday Debit Card Glitch
In a follow up story written by Fred Aun and Evan Schuman at StoreFrontBackTalk.com, they report that Macy's has determined an internal glitch caused some 8000 debit cards to be double and triple charged. He's an excerpt:
"After initially suspecting that one of its third-party payment card processors had caused a December 20 mess where some 8,000 Macy's customers had their debit cards charged as many as three times for one transaction, the chain's payment management has now concluded that the fault lied solely within their internal software.
"We were looking at the processor and the bank networks, trying to determine whether this was an issue with specific banks," Mike Gatio, president of Macy's credit and customer services division, said in a Wednesday (Jan. 14) interview. "We've now narrowed it down to our own gateway. We deal with a number of processors, but it's not their issue. It's ours."...
So, if you're like me, you're probably starting to get the "pheeling" that browsers are an extremely unreliable platform for ecommerce.
That said...let me put it another way.
I'm sure that you would agree that most of the time browser's are not even safe for browsing, let alone typing in our PAN or PIN's...
It seems like almost everyday, we read about how hackers are getting more sophisticated in the ways they try to obtain your personal information from financial sites:
Now, comes a story from Kelly J. Higgins published by Dark Reading which explains how the next generation of phishing attacks are so-phisticated that it targets users in real time . (they call it "In Session Phishing," because it targets online banking sessions with phony popups...but I'll call it PAN Fried - Phishing 2.0)
Here's a portion of the story from Dark Reading. Click the link below to read it in it's entirety...
'In-session phishing' the latest Web-based method for phishers to steal users' banking credentials
Researchers have discovered a sophisticated, new method of phishing that targets users while they are banking (thus making payments) online -- sending phony "pop-up "messages pretending to be from their banks/payment providers. (So I guess the only thing "that's safe"to say about pop-ups is that they're "not safe"...and I'll bet you're glad I didn't say there's something fishy about them...were you not?)
The so-called "in-session phishing" attack prompts the victim to retype his username and password for the banking site because the online banking session "has expired," for instance, via a pop-up that purports to be from the victim's bank site, according to researchers at Trusteer, which today published an advisory (PDF) on their findings about the potential for such a phishing attack.
From Trusteer's PDF:
"This is the next generation of sophisticated phishing attack," Klein says. "It combines an online vector -- the attacker waits for user to come to a genuine site that's hacked -- and browser shortcomings to detect which site the user is logged into in a different window or tab. This provides a very powerful avenue to conduct a sophisticated attack."
The popup message could take other forms according to the researchers (such as a Graphical User Interface I have to wonder out loud?) -- anything that could dupe the user into handing over credentials. In order for in-Session phishing attacks to succeed the following conditions are required:
1. A base website must be compromised from which the attack can be launched
2. The malware (injected on the compromised website) must be able to identify which website the victim user is currently logged on to.
The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. Each one of them can be used as a base for this attack.
Once the website is compromised, the attacker injects code into the website. This code does not change the appearance of the website and does not download malware to the user’s PC.
Therefore it is very hard to detect. This code is designed to search for online banking websites that visitors are currently logged onto, and present them with a pop-up that claims to be from the banking website they are logged on to. These pop ups ask for log-in and personal information.
Therefore once again, I state for the record: "NEVER type your PAN or your PIN into a web browser...
Skimmer Now Jail Bird ![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ttbZGG_QurbFTFmuNvN3unmXrJNIOWU7QkT_zvzowok9cU3O9U-OMEUZscXBRgy5Y2ikr2f9Pp-RP8jRy93HMINO__jA9GCiJysXhzxCi78TAiK4pL3yaYdX7jGdJYOAWf22hzMTYYcrVfMKZiru4=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_upeiJDKPO-1qCbADc-0BXURKum0aucm0ro5PxiOVzGrp2B6vH5CUcRBbDD3T9ltGcdMgBi3t_yfaFjES_Zbg5HtYLW-s7kXdwZHypQ84fpe8EE0d_XV-tE_dhgIBm8ejnDEJgqYmVFyca4mW02qe8=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uH571BhgMrUR5tqGzrL6S4XyDSTY2ninPNrcChasIiDtfID-6NrkuVQJ486GO5jGO9gb5j77VLl3mm60rxwweqdKDmyJnPBjAxvCQ3M-s-LDR3_SHfhVHE_JgNgmupwRbUHtfngIuRpoE7PKuNaLY=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_teazbdt7TP2h_tZOxm6ChqnIyRF185OAjxesu5ZmfUgsRH_6o8TLyH3Oc7XLgFldxq84MiMz0HrNyl-ERN7RVe-hA98CyNe2FNbY4AV1FVtjiJqjxJkOvsA5KmWl5F9SS3tQdeZw1OUnwzfGcOGRrf=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tnAmq1mEWTFDf2pYLfhrw2D4I_x6koHvnspKp8-Aapb2hIjURxio3wvl_Z8dpGSntaWiLfTSbtFbDiYaevHyoMCrzICq5uYCLEIl4EGeXlho3ziLCmysYaqlz4-CM4Yz0-liB3fvavyQhSmbLft7KU=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s-hiIvubmVP7F2s5n8qWWBGfmI7XijShsJO6LypSGq6SVkgVnTco07V3PWZcHf0I0bDhSWnaDB1yLB9p71Gxt6LXbIptDNo26Tp7fnYGcUUOVOKs-2PMMHR0j-fscD5YQQ4Io7t7KuMn0VEVVlzLk=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ttvcYBshWUD59ExH3f5beIt83JXe_6Pp79hv-KTy1DgnTWA3JUVTrdMVkGmJdzdeyYXUJKWo4DKRhEnYQoxBbmjHaUTX2PKeYH0IluPRxQ_KPPgNFHy6Btpf8eo__gAsPYzYDvuWPXhdFxUlEd98Zf=s0-d)
In an attempt to dispel myths regarding Interchange, MasterCard has put together 
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ti4x6a4S-futvqkYEu9FuH7kkwidDq87b1gsfaPx-cMl9cuvgZU-zOs0-akbi7ituwZ4CIapqxCbwSGklr7Au1ylqQgZOizj-gmOZwPrq_Ss52iddoWK8Ur2iFKTeZnq04DSza_dbyPdEI4QIqMlzI=s0-d)
Google Checkout adoption is dropping. Maybe they ought to start "searching" for ways to increase market share. Maybe a globally patented ![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ugUNeRIkcbQ88xjQHmDLxtPql3AOHU0BTGebt_v0WjU6P4JR9FBKtdWzSNpEoSVLx6QlyOeHLMuXuoBmPvLkyGxbAAWl2TxXHwqQHNBy5RJhSGgXXk9L0X5_C1gUvCg7cDp07EhKpv_QpK6_jmvhM=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_utWSOrRHRKSgvRaTSXc2CWDmk0iw7XRS-iq6AtHBRPIgs-x0DFiFHkDirMAZLc8E3JIRlfiAm5MyQfYf3g72UbPEHrjpb9HVC5i-d7MUlk2EAckYtXVoVG77JHJtgtipA2xRJDd5yqaz8dDJ3CCeA=s0-d)
Reported data breaches in the US during 2008 were up 47% on the previous year, to 656, of which 78 affected financial institutions, according to a study from the 
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_slDSd1ijyTbYnZj8TkcdR0oS9TB3IOoCuy4TissQPMQH-7QMPIFVcI4-4PSvRek1uEoyJm9-jsbZZxggVm_S6MtOciG7XRaGV0bJ6VCvu-3ukAupGY48vFxINrahkrtxLKRN1ZkP6QgEHsnN9tExG2=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vSltzMnLcyayU4VbJPz5gpLKEnSlvLpx9f6qlyM1SFJ9Zw9VWZnjtT7G8XzibKotwQslnTRA-xbsTBFTVcmdKdwMxDnKvZdTxQCBEfRzHYHfT47mnGqWY3SBl1ScULDc_OgvftLijPHOLk-b4rWUI=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tpXuFA4Yd-zSPg2nV91thSWT7t9iA61lyMuuu7UW3Steh3gWVGf8ksfNyBPJWqfwakvVpqJPIefO9VN3fm8GlWSEZshf29GT_xkQmSM9V2VqHWSXFemWLIw3kv0j3PNQeb_wMefPoPfkQTV8PjYP0=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uDa3gjaiPI4mGuwX9lbQ99o-mhCAkwM_kOMEdmp49-ynQzJY8JwNwVNt3K_2x1gBp5EzaLTUWwlIwcolcQNVcvVVGxU2K92vzH3IsfPK700Wt1NKJLS1K2MwkhiDXmW4vql7m31nmc6MpRCdoZQyPz=s0-d)
January 17, 2009 at 9:43 AM