Equipment seized from a 'cloning lab'. Photo courtesy Spanish Ministry of Interior.

Police have arrested 178 people in Europe and the United States suspected of cloning credit and debit cards in an international scam worth over 20 million euro ($24.52 million), according to a report from Reuters and authorities in Spain.

The stories so far are all light on details or whether this bust was connected to specific fraud forums that facilitate the trade in stolen credit card data, but the wire reports include the following information:

Police in fourteen countries participated a two-year investigation, initiated in Spain where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, arrested 76 people and dismantled six cloning labs.

The raids were made primarily in Romania, France, Italy, Germany, Ireland and the United States, with arrests also made in Australia, Sweden, Greece, Finland and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation and money-laundering, the police said.

Source here. There is also quite a bit more juicy information in the press release from Spanish Ministry of Interior, a Google translated version of which is available here. For all you Spanish speakers, the original version is here.

Criminals can clone debit cards if they have access to the cardholder’s PIN as well as the data stored on the magnetic strip on the back of these payment cards. In some cases, crooks obtain these “dumps” by stealing the data (either in person or via hacking) online or main street merchants.

Another popular method of obtaining dumps and PINs is through the use of ATM skimmers, which I have written about extensively. According to Spanish police, as part of the raids Germany has arrested 16 people involved in skimming bank cards (look for another KrebsOnSecurity post on ATM skimmers sometime in the next week or so).

In related news, MasterCard announced it is trialing a new debit card that includes not only a computer chip but also a tiny digital display that produces a one-time password for each online transaction. But don’t expect to see these replacing regular, low tech credit and debit cards here in the U.S., at least not for a while. Slashgear.com reports that the devices are being trialed with Turkish bank for now.

Read more about the specs of this device, at this data sheet (PDF)  from the manufacturer’s Web site.

Google has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were targeted attacks against its corporate infrastructure aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing source code from Google and at least 30 other Silicon Valley firms, banks and defense contractors.

Also, Google switches to “always on” encryption for all Gmail users. And some pundits see ulterior motives in Google’s Chinese hacking disclosure. More after the jump.

In a report released shortly after Google’s disclosure Tuesday evening, Sterling, Va. based iDefense cited two independent, anonymous sources in the defense contracting and intelligence consulting community as saying that Google traced the attack back to a “drop server” used as a repository for stolen files, where Google discovered its own data as well as proprietary data suggesting that at least 33 additional companies had been hit.

iDefense said the attack bears “significant resemblance” to a July 2009 attack in which assailants launched targeted e-mail campaigns against approximately 100 IT-focused companies. That attack employed a PDF file that exploited a then-undocumented vulnerability in Adobe Reader, and that a similar leveraging booby-trapped PDFs-as-attachments was used in the attack against Google, the report notes.

Kim Zetter at Wired.com’s Threat Level blog has a great deal more information in her thorough story on this.

Cynics see all kinds of ulterior motives in Google’s announcement that it got hacked and the subsequent arm-twisting with the Chinese government. Foreign Policy‘s Evgeny Morozov has penned a pair of incisive and trenchant opinion pieces speculating that Google’s move was little more than a calculated PR and business bid to gain market share vis-a-vis China’s dominant Baidu search engine. Krebsonsecurity.com reader and fellow security blogger Gunnar Peterson pointed my attention to a piece by Motley Fool‘s Tim Hanson that echoes those sentiments.

In apparently related news, Google has switched to “always on” encryption for all Gmail users, not just for those who have gone out of their way to select the “always use https://” option. By default, Google has always forced users to transmit their credentials over an encrypted (https://) connection when logging in, but after that Gmail users were popped back into an unencrypted connection unless they had changed the default option in the Gmail user settings to encrypt all Gmail communications.

The danger is that there are now free tools that help attackers steal the session cookie that most Webmail providers use to indicate users have already authenticated.  Armed with these tools, anyone recording the traffic on the local network would be able to access your Gmail inbox by simply loading that cookie on their machine. While these tools assume the attacker is on the same network as the target, most users do not sign out of Web mail services, and any session cookies that keep users logged in to their Webmail will most likely be transmitted periodically when roving users connect to a wireless network, for example.

Alas, Google has many properties that still do not enjoy this always-encrypted setting. In mid-2009, a Who’s Who of more than three dozen high-tech and security experts from industry and academia urged Google to encrypt all Google services by default, noting that tens of millions of consumers now rely on Google for a wide array of services that include sensitive data, such as Google Adsense, Adwords, Google Health. Still, this is a welcome step that hopefully will be emulated by the likes of Microsoft and Yahoo!, the other two major Webmail providers.

A periodic pointer to some of the more interesting and newsworthy security news stories. In no particular order:

Proof-of-concept for Mac OS X systems Released
Possible Malicious Apps for Google’s Android Phone
Online Gaming Exec. Sentenced to 33 Months
‘Massive Cybercrime Conspiracy’

Read after the jump for summaries and links to more information.

–Dan Goodin from The Register writes that researchers have disclosed a critical vulnerability in the latest version of Mac OS X that they claim Apple has sat on for almost seven months without fixing. The Reg says the flaw “could be exploited by attackers to remotely execute malicious code, and virtually all Apple devices – including Mac computers and servers, iPhones, and even Apple TV – are susceptible.” Once again, full disclosure in the face of apparent vendor lethargy.

I exchanged e-mails about this threat last night with Dino Dai Zovi, probably one of the foremost experts on Mac security. Dai Zovi said while the flaw may be exploitable through a number of third-party applications that run on top of Mac OS X (Firefox, for example), it isn’t likely we’ll see this bug being exploited in the wild. “This vulnerability is more complex than much simpler vulnerabilities in Mac OS X that did not result in widespread exploitation,” Dai Zovi wrote in an email to KoS. ” There have yet to be any reports of Mac-based malware exploiting a browser vulnerability in order to install itself in the wild.  For that reason, I wouldn’t suggest that Mac users need to take action to protect themselves against this issue at this time.”

MITRE’s writeup on this vulnerability has a nice list of applications that may be a potential way to exploit this flaw.

–The blogs are abuzz with word of fraudulent apps being posted to the Android Market. The apps, reportedly created by an anonymous developer named “09Droid”, appear to be an attempt to snag online banking credentials from Android users. The F-Secure blog has a bit more on the nasty apps.

–The chief executive of an overseas, online gambling operation was sentenced by a U.S. judge to 33 months in prison after pleading guilty to racketeering, writes Wired.com’s Threat Level. The sentence, against David Carruthers, 52, a former executive at BetonSports, comes as U.S. lawmakers consider allowing Internet gambling, even as federal regulators step up enforcement of existing anti-online gaming laws.

–In other cyber justice news, a federal grand jury in Dallas last Friday indicted 19 people in what the government is calling a “massive cybercrime conspiracy” – a Web hosting scam that defrauded both customers and contractors, according to Dark Reading’s Tim Wilson. The accused alleged created a mess of shell companies purporting to be legitimate Web hosting and services providers, and used said companies to collect customer fees, obtain loans, and purchase good services. “In the end, many of the customers were left without Web servers, the loans were not repaid, and many contractors — including collocation service providers such as AT&T and Verizon — were never paid, the indictment says.”