Huge Credit Fraud Ring Sends Europeans' Data To Pakistan

marshotel excerpts from a story at the Wall Street Journal: "European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case. Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd."

Wal-Mart UK?

[Anonymous Coward]

big retailers including a British unit of Wal-Mart Stores Inc.

Meaning Asda, I guess?

Re:

[Soruk]

Yes - TFA says as much.

Credit cards are evil.

[Anonymous Coward]

The ONLY reason you actually need one is to travel.

Re:

[Anonymous Coward]

But I like my cash rewards, nearly two percent of my total bill that I pay off in full every month, so I make a couple hundred bucks a year. I also enjoy the convenience of almost never having to deal with cash. (Mark of the beast, here I come!)

Re:

[Anonymous Coward]

So you're the asshat that's making everything I purchase cost two percent more. I'll get you! I'm going to make stupid and risky investments and make you bail me out! Hahahahahah!

Re:

[innocent_white_lamb]

I get 10% on my gasoline purchases from our friendly local Co-op.

Re:Credit cards are evil.

[VJ42]

Or (here in the UK) for purchasing anything over the value of £100, as if said purchase is in any way faulty the credit card company is just as liable as the retailer and\or manufacturer. Buy a broken computer\fridge\TV etc.? Sue the credit card company for your money back, and let them find out who was at fault for the broken goods, it's not your problem (Yay for British consumer protection laws).

Re:Credit cards are evil.

[Naughty Bob]

Over £100, but under £30,000.

And you don't have to 'Sue', so much as prove to the CC company that you are due the cash.

Agreed though, on the Yay for the consumer protection laws. It's not just good for the consumer either- I regularly use my credit card when I don't technically need to, specifically for this guarantee. I am not alone.

Consequently, the CC companies benefit hugely from this.

Re:

[negRo_slim]

And you don't have to 'Sue', so much as prove to the CC company that you are due the cash.

Isn't there a similar system in the US? To where you can dispute charges? I assumed this to work for any instance in which the seller was at fault. Although I am not well versed in US credit, I tend to buy locally, with cash, and get those preloaded MasterCard/Visa's for internet purchases.

Re:

[Achromatic1978]

Nothing to do with 'bogus transactions'. If the goods are not working as intended, and you're getting the slightest bit of grief, even down to unreasonable "6-8 weeks for replacement", you just cancel the transaction and buy it somewhere else.

Re:

[IdleTime]

Ahh no...
Here in the US, the consumer is at fault in those cases. No protection exists. Shit out of luck!

It's the wonders of unregulated consumption credit card run economy. Here the credit card companies actually bribed some states into lowering the requirements on the companies and gave them free hands to take whatever interest they want. Here in the US, the credit card companies makes the rules and the consumer is fucked.

It's also funny to hear all the idiots who think they get free money from the

Re:

[xaxa]

If you buy flights from a crappy airline on a credit card in the UK, and the airline then goes bankrupt, you can claim the money back from the credit card company -- it's then their problem to claim back from the bankrupt airline (good luck to them...).

(Just one example of the CC company being responsible for the goods/services.)

Re:Credit cards are evil.

[plover]

In America, the credit liability laws limit the consumer's exposure for fraudulent use of a card to $50. In practice, I've found most banks actually cover their customers 100%. You have to swear that it was theft, of course, and perhaps sign an affidavit, and if turns out that you were the "thief" you will be prosecuted for fraud.

Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods. For the rest of them, if you are unsatisfied with a credit transaction you can withhold payment from your credit company while you dispute the transaction, but there's paperwork involved. It's not particularly easy, and it's likely to go on your credit report.

Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.

Re:Credit cards are evil.

[zippthorne]

Notice that there are no liability limits on debit card fraud, however. If a thief steals your card and drains $10,000 from your account, you now have $10,000 less than you did before you were robbed. The bank does not have a statutory obligation to return your money. Debit cards are horribly risky devices.

Although they do not have a statutory obligation, many banks do offer a contractual obligation that appears at first glance to exceed the statutory one for CCs. It's been a few years and there haven't been any big exposees on debit card weaselly contracts, so I'd condsider switching from debt based plastic to debit.

Any lawyers who've examined some of the basic debit card agreements?

Re:

[TheLink]

Lots of smart people have recently proven to the world that it's best to risk OTHER people's money. And that is why credit cards are better than debit cards.

Seriously: With credit cards when stuff goes wrong, it's not YOUR money that's gone. It's other people's money. They may try to get it from you, but it's still YOUR money till they succeed.

With debit cards, when stuff goes wrong, it's YOUR money that's gone. You may try to get it from the bank, but meanwhile you do NOT have that money till they decide t

No questions asked, but you can go too far...

[AliasMarlowe]

Some cards here do offer no-questions-asked protection plans (I know American Express does) against defective goods.

A couple of decades ago, American Express pioneered the concept of "money back, no questions asked" if a product bought with AmEx became broken for any reason during the first 30 days after purchase. They had some dumb commercial on TV featuring a kid feeding porridge into a VCR, and a refund being given for the gummed-up VCR.

A colleague of mine perpetually travelled and regularly put more than $20k per month through his AmEx, so they automatically accepted almost any charge from him. Skipping a long and to

Re:

[X0563511]

... who pranged the airplane...

What does that mean?

Re:prang

[AliasMarlowe]

"prang" is a verb meaning crash. It originated in Britain in the early days of aviation to describe an airplane coming into contact with the ground (crashing or landing poorly) such that the airplane is damaged or destroyed. It's commonly used in aviation circles, but is also encountered in Britain in connection with crashing other types of vehicle.

Re:

[X0563511]

Thanks!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gilgongo]

The ONLY reason you actually need one is to travel.

Well, that and to make money, if used in the following way:

1. Open a card account that lets you get cash out into a bank account for free (there are a couple of those here in the UK)

2. Apply for a credit card with a 0% introductory "balance transfer" offer (there are many of these, some charging no fees for the transfer, others about 2-3%)

3. Pretend you have massive debt. Until recently most companies would lend you about £10K if you had a decent credit rating.

4. Get them to "pay off" the card y

Re:

[asc99c]

I'd have said credit cards are great but some people are idiots.

You can choose to set up a direct debit to pay off the full card balance every month. Then you get to keep 1 to 2 months interest on money you've already spent, get protection on the things you've bought, maybe get cashback or airmiles or other rewards, and don't have to pay a penny for the privilege.

I put my work expenses on a 0% credit card and when my company pays the expenses, I put the money in a savings account. The interest over the ye

Once a grocer

[G3ckoG33k]

"Once a grocer, always a grocer."

Said by Penelope Keith (as Audrey fforbes-Hamilton) in "To The Manor Born" (http://en.wikipedia.org/wiki/To_the_Manor_Born) to Marjory Frobisher (played by Angela Thorne) about Richard DeVere (played by Peter Bowles) a nouveau riche millionaire supermarket owner.

How that applies here too!

Re:

[hobbit]

How does it apply? Presumably this fraud is not perpetrated by Tesco or Wal-mart; they have simply employed people who have inserted rogue devices into credit card readers.

Re:Once a grocer

[plover]

The article doesn't say where the rogue devices were installed, although they insinuated they may have been placed there in a Chinese factory. The limited number of devices containing the bug and the spread across various retailers hints that they probably weren't placed there by employees of the retailers: they may have been installed during manufacturing, packaging, or possibly during maintenance.

These retailers are big enough that they all likely contract with a third party to perform their hardware repairs. It's possible that a corrupt repair person was responsible for installation of the bugs.

Awkward language

[Anonymous Coward]

"a British unit of Wal-Mart Stores Inc." means Asda to any Brits reading this.

Re:

[zippthorne]

I've never been good with British units. What's the SI unit for Wal-Mart Stores, Inc?

Re:

[mspohr]

Four Wal-Marts equal one Library of Congress.

Re:

[xaxa]

Libraries of Congress aren't SI, I think you meant BibliothÃque nationale de France.
1 Library of Congress ~= 0.1 BibliothÃque nationale de France.

Re:

[mspohr]

d'accord

I'm impressed.

[Anonymous Coward]

Milkpowder or card readers, the lesson stays the same: Don't trust the Chinese.

Re:

[Yvan256]

Cartman, is that you [wikipedia.org]?

Re:

[larry bagina]

don't forget about the dog food and toothpaste.

Re:

[grub]

WHY DO YOU HATE AMERICA?!

Because I'm Canadian?! :)

Anyhow, this was at a Toys-R-Us, not WalMart (they aren't the same company, are they?)

Re:

[Arthur B.]

(Wal-Mart are required by US law to maximise their shareholders' profits...)

Nope. The management has a contractual agreement with the shareholders.

Re:

[mr100percent]

It's not required by law, though the shareholders can replace the board if they do not maximize profit (look at what happened to Yahoo)

Bank insurance + separate account.

[Janek Kozicki]

Well, I'm just glad that my current bank provides free insurance up to 50k EUR (while maximum I had on my account is 10 times less than that ;). This insurance works in a very nice way - I can come at a maximum a week later and tell them that some transaction was bogus (means that I discovered that some money disappeared from my account without my authorization). And they will revert that transaction if it's below 50k EUR. I don't know how it works - never tried. Probably I will need to prove it somehow, ot

Y'know what...

[Colin Smith]

Cash is easier and anonymous too.

 

Re:

[FooAtWFU]

Cash is not necessarily easier. Large sums of money are not safe to carry around as cash, as they can be lost/stolen. You will have even less security from such theft/fraud than you would from a credit card (although potentially more-limited exposure). Monitoring how much cash you have on you becomes necessary. Retrieving cash from ATMs may be inconvenient (or, for certain more-convenient ATMs, involve a fee) while retrieving cash from a bank teller will probably be even less convenient (requiring you to vi

Re:

[cayenne8]

"Cash is not necessarily easier. Large sums of money are not safe to carry around as cash, as they can be lost/stolen..."

Well, you know....cash worked pretty darned well for a few thousand years before the advent of credit cards. We didn't have so many people living beyond their means back then as we do now.

And at the very least...I prefer to pay in cash as much as possible because it really sets in my head how much I am spending. A credit card, much like chips in a casino, abstracts from how much you ar

Re:

[Arthur B.]

Well, you know....cash worked pretty darned well for a few thousand years before the advent of credit cards. We didn't have so many people living beyond their means back then as we do now.

a) People didn't have internet access for thousand of years either... so ?

b) Grandparent makes no mention of credit. Electronic payment != credit. In most parts of the world the cards are debit cards.

The grandparent has a very good point about the trail, this is the #1 reason I almost never use cash. I want to know how muc

Re:Bank insurance + separate account.

[mattbee]

How kind of your bank to not debit your account for transactions you didn't authorise :) Seriously, you don't need insurance against *them* being defrauded. If someone asks your bank to give them money while pretending to be you, it is the *bank* who has been defrauded, not you. "Identify theft" is a cute term the banks invented to turn the poor security architecture in their payments network into their customers' problem

the problem is PROOF

[RMH101]

...the bank can turn around and say "you must have disclosed your PIN". Much as with keylogging trojans, they can pass the blame to you. (I'm not saying yours *would*, just that they *can*).
In the case of keylogging trojans, it's not strictly speaking the banks fault that your PIN was captured. Similarly, it's not necessarily their fault you used a hacked card reader, like the Ingenico 3300 ones widely used in the UK recently found to be fitted with internal cellular data devices for sniffing.

Sure, yo

Screw credit cards...

[Bombula]

To hell with credit cards and plastic. This kind of danger is why I only use cash and keep all my money in a Washington Mutual bank account, where it's safe...

Re:

[the_bard17]

Ppppphhhhhhttttt.

I've found it's simply safer to spend it just after it hits my bank account. Then I don't have to worry about having it stolen. ;oD

Re:Screw credit cards...

[ScrewMaster]

Ppppphhhhhhttttt.

I've found it's simply safer to spend it just after it hits my bank account.

Yeah, most Americans do that. It goes awful fast nowadays. Like the old Depression-era joke:

Two men are sitting next to a hot dog stand having lunch. One looks down at his meal and says, "You know, one end of this thing tastes like hot dog, and the other tastes like bread."

The other guy responds with "Yeah ... these days it's hard to make both ends meat."

Re:

[Cyberax]

Sir? I'm sorry sir, but there was a call. Your house has burned down.

Re:

[FooAtWFU]

Yes! And isn't it nice to know that your WaMu bank account* is safe? Unlike, say, your WaMu stock.

(*Now a JPMorgan Chase bank account. Safe up to $100,000 - er, I mean, $250,000.)

Re:

[Achromatic1978]

You realize that the FDIC currently has $52B deposited with it... enough to cover less than two per cent of the amount covered under FDIC insurance for all deposits. When IndyMac bank went bankrupt, they chewed through $9B of that alone.

In regards to the above issue, too, the FDIC does not insure against theft or fraud at the institutional level, nor securities and other things.

ohmygod!!

[thermian]

Well obviously every European is a terrorist. Excuse me, I have go go get myself a firing squad appointment.

Which probably explains....

[Angostura]

... why my local Tesco changed every one of its chip-and-PIN readers to a new make and model about 2 months ago. At this point you're probably wonding which make the old devices were, and I can't for the life of me remember. Sorry.

Re:

[Soruk]

Yes, I'd noticed that too, in both the store near where I live and the one where I work. I wondered what was happening.

And, likewise unfortunately I can't remember what the old ones were.

Any chance...

[jd]

...it was Diebold?

Re:

[X0563511]

Probably not. I don't think they make pinpads.

If it was a Verifone, it was probably an Everest [sbme.net] pinpad. They are simple dumb terminals, with nothing but an encryption key in them basically.

They should be going away soon, they are not PCI/DSS/PABP compliant. I think the recommended replacement is one of the MX800 series [verifone.com] pads, which believe it or not run Linux under the hood.

Good quick title edit..

[pcardno]

...shame my RSS feed still has it as "European's". I was wondering who this poor unlucky chap was, why defrauding him was so huge and quite how it managed to be a ring with only one person..

Re:

[Dirtside]

Well, if you're a small-time fraudster, it only takes a one-man ring to rule the mall.

Bah. Typically pointless article summary

[sudog]

Why bother summarising the article if you're not going to do an actual summary?

One-Time Passwords for Transactions

[Doc Ruby]

I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

Every login to my account from an insecure location (which might exclude my home and office PC, if they've got certificates installed) should consume a one-time password [wikipedia.org] that cannot be replayed for some later, unauthorized transaction. In fact each OTP should be attached to a specific dollar amount and recipient, with an expiration on the transaction after which even that transaction cannot claim money, or get any access at all.

Attempts to replay the transaction should automatically notify the FBI and the bank's security. I should get a notice of any risk warning above some level that I set, and a security statement listing the notices and their resolution with each monthly bill.

Eventually, people whose ID has been pirated will routinely get that security regime alternative after finding someone liable to pay for it. We should all move to that regime ASAP, rather than wait for the damage to force our hands.

Re:One-Time Passwords for Transactions

[ScrewMaster]

Well, ATM security is based around the idea of limiting or preventing losses due to external access, having no benefit whatsoever if the system itself is compromised. Also, given how easy it is for anyone (even an ex-con who was put away for wire fraud and helped with an MSNBC expose on the subject) to buy an ATM machine directly from the manufacturer and get it tied into the banking network ... well. There was a big theft ring with several hundred compromised ATMs that was busted up in New York a few years ago, millions of dollars in losses. I thought then that it was only the tip of the iceberg, and it appears I was right.

The things aren't exactly trustworthy to begin with, and given the security track record of companies like Diebold, I find ATMs a risky way to get money. I will sometimes use the one inside my bank, but it's not that hard to go the cashier or the drive-up and get cash. Forget about using the "Money Machine" at the local gas station.

Re:

[ScrewMaster]

My bank doesn't go as far as you're talking about, but at least they signature every machine allowed to connect to my account. I'm not sure what it is that they do, exactly. I know there's a bunch of cookies involved (I think. Just for grins, I tried copying them to my laptop to see if it would let me in but it wouldn't.

Yeah, there's any number of better approaches to financial security than are being used now, none of which are free, and none of which banks really see a reason to spend money on. It's pr

Re:

[Anonymous Coward]

I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

No need for that. What would be nice is a sma

Re:

[plover]

If an American bank were to issue Visa smart cards with a pocket-carried one-time-PIN generator [vasco.com], would you really switch to them? What if their interest rate or cash-back bonuses weren't quite as competitive as your current bank?

Re:

[icknay]

The point is ... the vendor that uses tech to eliminate fraud will have more money, so they can pay *better* interest or rewards or whatever.

Public key crypto is, what, 15 years old now? I a little baffled that credit cards and atm cards remain so primitive.

Re:

[X0563511]

http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction [wikipedia.org]

It's not as simple-minded as you expect.

Re:

[mpe]

If an American bank were to issue Visa smart cards with a pocket-carried one-time-PIN generator, would you really switch to them?

Arn't all US banks now effectivly owned by the US Government anyway...

Re:

[plover]

The OTP card would indeed work at any ATM or cash register that takes PIN-based debit cards. You put your card in the pocket generator and generate a PIN. You then put your card in the ATM or the register where it reads your mag stripe, and enter the PIN still displayed on the pocket generator.

The ATMs or the registers don't know the real PIN, and they don't have to read the smart card. They can just use the mag stripe, and you don't have to care.

The point is now even if the ATM is run by Tony Sopra

Re:

[mpe]

In fact, since these banks should be competing with each other, especially now that they've got so much less to offer (as they've burnt down their advantages into the current crisis), their lowered costs from better security should enable them to market themselves to me with a better net income to me.

It might help if national governments were a little more reluctant to bail them out though :)

Re:

[plover]

OK, so I'll re-ask the question. If a bank offered a card with an OTP generator and the exact same terms as your current bank, would you switch? (I'm assuming you'd switch for other reasons if the OTP bank offered you better terms.)

I'm really trying to gauge if people like you are serious about your own personal security, or if you'd rather not worry much about it and let the $50 limits on liability take care of you. I agree that it should be cheaper for you if the costs of theft are less expensive fo

OTP not the solution.

[SharpFang]

There are trojans in the wild, that hijack the HTML renderer component. The certificate matches, the secure connection matches, the OTP code matches, it's just the amount entered and the target account number that differs between what is displayed on the confirmation screen and what is being sent over the net. You think you're signing a $10 ebay transaction, while what you just signed is $10k for an account in Philippines.

In other words: computer display and keyboard are not trusted devices anymore. You typ

Re:

[mpe]

I've been saying for years, since I first saw one in the 1990s here in NYC, that giving my PIN to some random ATM in some random "convenience" store to get quick cash is an unacceptable security risk. Especially some random ATM that I use at 2AM after running out of cash drinking in a bar, lost among all the ATMs in the neighborhood in my hazy hangover recollection, to be searched for months or years later when they, or someone else along the line, replay my PIN.

The 3 digit cardholder verification number

Re:

[mpe]

you are NOT allowed in any case to store the cardholder verification number.

That's really going to stop someone (individual or corporation) from misusing credit card details if they can get their hands on them.

Re:

[hobbit]

This is the TLA police; we're doing the WWW rounds tonight and you're SOL.

Re:

[mpe]

nobody is able to clone your card and the PIN is useless without the card

Assuming the bank knows how to use cryptography correctly.

There's still issues like a bank employee attaching extra cards to your account. Which turned out to be behind so called "phantom withdrawls". Thus you need a mechanism to make this difficult easily detectable.

outwitted?

[El_Muerte_TDS]

Specialists say the theft technology is the most advanced they have seen

So, it's better that the technology they have in place?

Re:

[jd]

If the experts were from AT&T, a fully-pwned subsidiary of the NSA Corporation, worry.

fear not...

[owlnation]

In the UK. We're fine. Most of our data has already been stored in a government hard drive and left on a train seat somewhere, and it's not like we have any money in our bank accounts anyway.

Re:

[legirons]

In the UK. We're fine. Most of our data has already been stored in a government hard drive and left on a train seat somewhere, and it's not like we have any money in our bank accounts anyway.

You mean, you had 10000 in your bank account before the government decided to "insure" it at a cost to each tapayer of 10000?

well it should prove *very* easy for them to insure the remainder....

Re:

[jd]

I have to say I'm impressed. Ever since they started with Group 4 for prisoners and nuclear waste (at the same time and possibly in the same vehicle), they have managed to pick with 100% accuracy every incompetent on the planet. Name me one country in the world, just one, that can boast a track record as perfect as that.

The banks/we are funding the terrorists.

[sygin]

My credit card has been ripped in the past. I lost £50 and the rest was refunded. I get the distinct impression that the banks do not care to catch the perpetrators or in fact, stop fraud. It is more cost effective to do the minimum required and get us to fund the losses. Think about it, spend wads of cash on security or just increase bank charges etc to pay for loses. Banks are not interested in fraud. They have already run the numbers.

PCI Law

[Benjamin_Wright]

A quote in the WSJ article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is a national security issue. It requires wholesale rethinking of the credit card system. The Federal Trade Commission misunderstands the magnitude of the problem. The F

Re:

[bobbozzo]

Assuming Wal-Mart and Tesco are PCI-DSS compliant, this invalidates the recent claim by the PCI group that there have been no breaches of PCI compliant merchants.

How did they get in there? At the factory?

[AaronLawrence]

To be on such a large scale they must have been inserted by someone closely involved - perhaps a distributor but more likely the factory? They are supposed to be tamper resistant.
Of course this is one reason that chip-and-pin is coming, because smartcard data can't be intercepted so easily. OTOH, as they say: if you have physical access other security is irrelevant...

A more interesting thought

[kilodelta]

We had this happen here in RI about a year or so ago. Except in our case the ring was being run by Armenians.

In that case they had posed as repairmen and then rigged the card machines. It forced Stop & Shop to replace all their credit card readers. But then it brings up another point.

What if these rings manage to get to the card readers before they're delivered to the merchants. I bet that is what happened here.

Re:

[mpe]

What if these rings manage to get to the card readers before they're delivered to the merchants. I bet that is what happened here.

In which case you should have at least some of these emitting electromagnetic radiation they should not be. Including trying to make an RF connection when there is nothing they could connect to. (As well as potentially being in range of enterprise grade WIFI kit is capable of detecting and triangulating "rogue devices").
Effectivly these machines come with an inbuilt "neon sign"

Re:

[kilodelta]

Indeed. And it goes further, what if they manage to change the embedded code on a device. You'd never even know it was done. Look at the Diebold mess for a clear example.

Re:

[mpe]

And it goes further, what if they manage to change the embedded code on a device. You'd never even know it was done.

Until the first such device is found.

Look at the Diebold mess for a clear example.

The difference is that it is often fairly easy for people to take their custom to a different supermarket.

At what point...

[tkrotchko]

At what point will the card issuers finally go to 2-factor authentication? The fact that credit cards still "mean" something in 2008 is a joke. It could be fixed, it would be expensive, but it's going to be less expensive than these multi-billion dollar losses.

There's no excuse for this lack of sophitication today. We could do so much better.

One-factor security

[Jimmy_B]

Something you have, something you know, and something you are. Security means using at least two out of the three security factors. ATM cards are supposed to be "something you know" (a PIN number) and "something you have" (a card), but unfortunately, the card's only purpose is to hold another number, so it's really "two things you know, one of which must be written in invisible ink". Until we replace all bank and credit cards with electronics that can do public-key cryptography, fraud will continue to rise.

By the way, there's no evidence that anyone from Pakistan has anything to do with this. Most likely, the information is being sent to a compromised server, to conceal the real perpetrators, who could be anywhere.

Re:

[xelah]

but unfortunately, the card's only purpose is to hold another number,

Not a Chip and PIN card (not the kind of number you're thinking of, anyway). The chip does proper security, and has to sign a transaction certificate. That's why a lot of stolen UK credit card numbers are used abroad where there's no chip and PIN. This doesn't make the devices trustworthy, of course...but making a fake device that records numbers and also accepts the transaction being recorded is harder than it used to be (the devices need their own certificate to authenticate themselves as certified device

Everyone in the Credit Card Industry Incompetent?

[cc_pirate]

I can only assume so. This stuff keeps happening over and over again and they don't seem to be bothered enough to keep it from occurring.

There are plenty of ways to stop this sort of thing as other posters have mentioned... but no, the CC industry just can't be bothered.

Of course since most of the banks running them seem to be going out of business, maybe they have more important things on their minds nowadays.

Re:Everyone in the Credit Card Industry Incompeten

[RickRussellTX]

> they don't seem to be bothered enough
> to keep it from occurring

They will do something about it when customers start to walk away.

I originally got an AMEX Blue card because it had an embedded security chip in it, and AMEX claimed vendors would be required to add chip readers, then you could set your account to only allow transactions on presentation of the physical card. They also promised a USB reader dongle for home use that would verify your physical possession of the card when making online purc

Re:

[jonbryce]

Walk away to where exactly? They are all the same.

I don't believe it!

[EnglishTim]

But when the Chip & Pin system came into force Patrick Stewart himself was assuring us on TV ads that there was 'Safety in Numbers'!

He was Jean-Luc Picard in Star Trek and Gurney Halleck in Dune! HOW CAN HE BE WRONG?

Original article

[mpe]

Quite a few things don't make much sense.
Like needing sensitive scales to detect a "small bug" weighing 4oz (possibly they actually ment 4 grammes).
There's also the issue of the wireless communications. Are there really this many unsecured wireless access points near supermarkets?
As well as these communications can't exactly be described as "untraceable" when it's possible to track the destinations down to one city.
Two obvious law enforcement approaches spring to mind.
The first is to block (or at least moni

Re:

[imsabbel]

They use wireless, in the form of cell phone network.

They used scales not becaue of precission, but because weighting was the quickest way to check a large number of devices without disassembly.

Chip & PIN, eh? Well secure!

[gilgongo]

It seems like only last week when they forced us all to use chip & pin, telling us how it would be soooo much better than the old magnetic swipe system. I even heard some people saying it would *reduce* credit card fraud. In fact, I think the level of non-Internet fraud hasn't changed much - may have even gone up a bit since then.

Re:

[jonbryce]

If it is not a properly designed cellphone perhaps?

Re:

[mpe]

This is very interesting if you start thinking about how they have accomplished this. "Examining the store's credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was small card containing wireless communication technology. The bug would read an individual's card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions

Re:

[kdemetter]

:-)
( Wish i had mod points )

Re:

[toriver]

You sure live up to the "Coward" family name, there.

Maybe, just maybe, if the U.S. hadn't completely FUCKED UP them Middle East during its penis contest with the Russians - incuding supplying Islamists - we would not have this problem, or what? Maybe YOU could have taken in some of the refugees from the regional wars instead of just selling legal and illegal weapons to them, the balance would have been better? Fool.