Equipment seized from a 'cloning lab'. Photo courtesy Spanish Ministry of Interior.
Police have arrested 178 people in Europe and the United States suspected of cloning credit and debit cards in an international scam worth over 20 million euro ($24.52 million), according to a report from Reuters and authorities in Spain.
The stories so far are all light on details or whether this bust was connected to specific fraud forums that facilitate the trade in stolen credit card data, but the wire reports include the following information:
Police in fourteen countries participated a two-year investigation, initiated in Spain where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, arrested 76 people and dismantled six cloning labs.
The raids were made primarily in Romania, France, Italy, Germany, Ireland and the United States, with arrests also made in Australia, Sweden, Greece, Finland and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation and money-laundering, the police said.
Source here. There is also quite a bit more juicy information in the press release from Spanish Ministry of Interior, a Google translated version of which is available here. For all you Spanish speakers, the original version is here.
Criminals can clone debit cards if they have access to the cardholder’s PIN as well as the data stored on the magnetic strip on the back of these payment cards. In some cases, crooks obtain these “dumps” by stealing the data (either in person or via hacking) online or main street merchants.
Another popular method of obtaining dumps and PINs is through the use of ATM skimmers, which I have written about extensively. According to Spanish police, as part of the raids Germany has arrested 16 people involved in skimming bank cards (look for another KrebsOnSecurity post on ATM skimmers sometime in the next week or so).
In related news, MasterCard announced it is trialing a new debit card that includes not only a computer chip but also a tiny digital display that produces a one-time password for each online transaction. But don’t expect to see these replacing regular, low tech credit and debit cards here in the U.S., at least not for a while. Slashgear.com reports that the devices are being trialed with Turkish bank for now.
Read more about the specs of this device, at this data sheet (PDF) from the manufacturer’s Web site.
Great story!! It’s essential to read the Spanish police report. The compartmentalization and job separation function indicate a VERY sophisticated organization and leadership. It will VERY interesting to see if this organization has any links Russian, Ukrainian, or Chinese criminal organizations which control malware writers.
Separate comment deliberate. Was the Google translation done with translation software, rather than by an actual, like, human translator? I hope so. The meaning of the ideas, sentence, paragraphs came through, but to describe the language as clumsy and inelegant is praise indeed!
Google translation is done with software. It is usually clumsy in any language.
@KFritz
Thank you for the additional info… indeed – very interesting.
OK, great news, but I can’t help feeling that it’s only the tip of the iceberg.
The fact that the investigation took TWO YEARS, while the network was allowed to operate so the police could gather evidence is very troubling. The current way that we do law enforcement is simply inadequate for this task. We need a way to take down these criminals much faster.
I guess the time element is a balance; act too quickly and you only ever catch the lowest people in the hierarchy; too long and you allow the group to gather money that can be used to protect itself with…
If they got the leaders (or close) then two years is OK; if not, it’s not.
Great article! As usual Brian! Just posting to track this discussion.
Interesting that with EMV smart chip widely deployed across Europe there are still enough fraud avenues available for magnetic stripe only cloning fraud (if that is all they were doing) which EMV was supposed to prevent.
Regarding the Mastercard electronic OTP card there are a number of factories producing these type of OTP cards for between $10-$15 each in the million order quantities. I have a few and to be honest the flexible screen technology isnt quite there yet. There are two methods they use for the display one is electro chromatic ink where the segment cells are liquid and a tiny electric charge darkens the electro chromic liquid to create the numbers. The second method is using e-ink where small dark particles are held in an opaque solution and then rise to the surface with a small charge. I am sure there will be lots of great applications for this technology but being embedded into payment cards is not one yet. While they have a usability security improvement over regular OTP tokens from point of view they wont be left unattended on office desks due to bulkiness the way normal tokens are the downside is that cards go into wallets which go into back pockets which get sat upon under all sorts of pressure and both screen technologies are sensitive to that sort of preassure. So while the photos look great and very hi-tech I have been able to permanently damage my sample cards relatively easily. I am sure with time the technology will harden but they have a strong issue remaining within ISO standards of .78mm thick so the cards will work in ATM machines etc and it is a difficult job from an electronic manufacturing point of view.
Of course this product doesnt prevent trojans like Zeus etc which MITB their way past OTP tokens so the online security benefits are relatively limited.
Another interesting version of these cards which has been around for awhile now is the Emue card technology (They were the first to develop this type of card token I believe and previously did trials with VISA in Europe) The Emue card has a full numeric keypad built into the card and does a type of challenge response OTP where the user enters a 6 digit code from the website into the card itself which generates a 6 digit response the user re-enters into their terminal. You can find their videos on YouTube.
Thanks for the link to the Spanish report.
Some of the pictures posted by the Spanish there look like molds for ATM skimmers. Anyone else notice that?
– SR
There needs to better security on credit cards these days…. 120,000 stolen credit card numbers?! That’s just ridiculous.
http://iindatabase.com free bank identification number (bin) database – Issuer Identification Number (IIN). Search for the Visa or MasterCard issuer.