Posts Tagged: Visa


30
Oct 14

Chip & PIN vs. Chip & Signature

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

emvkeyChip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature. Check out Flyertalk’s comprehensive Google Docs spreadsheet here for a member-contributed rundown of which banks support chip-and-PIN versus chip-and-signature.

I’ve been getting lots of questions from readers who are curious or upset at the prevalence of chip-and-signature over chip-and-PIN cards here in the United States, and I realized I didn’t know much about the reasons behind the disparity vis-a-vis other nations that have already made the switch to chip cards. So  I reached out to several experts to get their take on it.

Julie Conroy, a fraud analyst with The Aite Group, said that by and large Visa has been pushing chip-and-signature and that MasterCard has been promoting chip-and-PIN. Avivah Litan, an analyst at Gartner Inc., said MasterCard is neutral on the technology. For its part, Visa maintains that it is agnostic on the technology, saying in an emailed statement that the company believes “requiring stakeholders to use just one form of cardholder authentication may unnecessarily complicate the adoption of this important technology.”

BK: A lot of readers seem confused about why more banks wouldn’t adopt chip-and-PIN over chip-and-signature, given that the former protects against more forms of fraud.

Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where was before the migration. The criminals there have adjusted. and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

So, PIN at the end of the day is a static data element, and it only goes so far from a security perspective. And as you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost and stolen fraud, the business case for chip and signature is really a no-brainer.

Litan: Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada. Continue reading →


27
Oct 14

‘Replay’ Attacks Spoof Chip Card Charges

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

emvblueOver the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

CLONED CHIP CARDS, OR CLONED TRANSACTIONS?

The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.” Continue reading →


18
Sep 14

In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes

The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise.

A self-checkout lane at a Home Depot in N. Virginia.

A self-checkout lane at a Home Depot in N. Virginia.

Since news of the Home Depot breach first broke on Sept. 2, this publication has been in constant contact with multiple financial institutions that are closely monitoring daily alerts from Visa and MasterCard for reports about new batches of accounts that the card associations believe were compromised in the break-in. Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards.

But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.

Sources now tell KrebsOnSecurity that in a conference call with financial institutions today, officials at MasterCard shared several updates from the ongoing forensic investigation into the breach at the nationwide home improvement store chain. The card brand reportedly told banks that at this time it is believed that only self-checkout terminals were impacted in the breach, but stressed that the investigation is far from complete. Continue reading →


16
Sep 14

Breach at Goodwill Vendor Lasted 18 Months

C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations.

cksystemsOn July 21, 2014, this site broke the news that multiple banks were reporting indications that Goodwill Industries had suffered an apparent breach that led to the theft of customer credit and debit card data. Goodwill later confirmed that the breach impacted a portion of its stores, but blamed the incident on an unnamed “third-party vendor.”

Last week, KrebsOnSecurity obtained some internal talking points apparently sent by Goodwill to prepare its member organizations to respond to any calls from the news media about the incident. Those talking points identified the breached third-party vendor as C&K Systems, a retail point-of-sale operator based in Murrells Inlet, S.C.

In response to inquiries from this reporter, C&K released a statement acknowledging that it was informed on July 30 by “an independent security analyst” that its “hosted managed services environment may have experienced unauthorized access.” The company says it then hired an independent cyber investigative team and alerted law enforcement about the incident.

C&K says the investigation determined malicious hackers had access to its systems “intermittently” between Feb. 10, 2013 and Aug. 14, 2014, and that the intrusion led to the the installation of “highly specialized point of sale (POS) infostealer.rawpos malware variant that was undetectable by our security software systems until Sept. 5, 2014,” [link added].

Their statement continues:

“This unauthorized access currently is known to have affected only three (3) customers of C&K, including Goodwill Industries International. While many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25.”

C&K System’s full statement is posted here. Continue reading →


28
Feb 14

Breach Blind Spot Puts Retailers on Defensive

In response to rumors in the financial industry that Sears may be the latest retailer hit by hackers, the company said today it has no indications that it has been breached. Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weaknesses in banks’ anti-fraud systems that becomes apparent mainly in the wake of massive breaches like the one at Target late last year.

Earlier this week, rumors began flying that Sears was breached by the same sort of attack that hit Target. In December, Target disclosed that malware installed on its store cash registers compromised credit and debit card data on 40 some million transactions. This publication reached out on Wednesday to Sears to check the validity of those rumors, and earlier today Bloomberg moved a brief story saying that the U.S. Secret Service was said to be investigating a possible data breach at Sears.

But in a short statement issued today, Sears said the company has found no information indicating a breach at the company.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears said in a written statement. “We have found no information based on our review of our systems to date indicating a breach.”

The Secret Service declined to comment.

Media stories about undisclosed breaches in the retail sector have fueled rampant speculation about the identities of other victim companies. Earlier this week, The Wall Street Journal ran a piece quoting Verizon Enterprise Solutions’s Bryan Sartin saying that the company — which investigates data breaches — was responding to two different currently undisclosed breaches at major retailers.

Interestingly, Sartin gave an interview last week to this publication specifically to discuss a potential blind spot in the approach used by most banks to identify companies that may have had a payment card breach — a weakness that he said almost exclusively manifests itself directly after large breaches like the Target break-in.

Continue reading →


20
Dec 13

Cards Stolen in Target Breach Flood Underground Markets

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

targetgoboom

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the "base" name, this "Dumps" shop sells only cards stolen in the Target breach.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Continue reading →


25
Jul 13

Hacker Ring Stole 160 Million Credit Cards

U.S. federal authorities have indicted five men — four Russians and a Ukrainian – for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors.

The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved nearly a million accounts and cost the company almost $100 million.

Federal prosecutors in New Jersey today called the case the largest hacking scheme ever prosecuted in the U.S. Justice Department officials said the men were part of a gang run by Albert “Soupnazi” Gonzalez, a hacker arrested in 2008 who is currently serving a 20-year-prison sentence for his role in many of the breaches, including the theft of some 90 million credit cards from retailer TJX.

One of the accused, 27-year-0ld Dmitriy Smilianets, is in U.S. custody. Vladimir Drinkman, 32 of Syktyvkar, Russia, is awaiting extradition to the United States. Three others named in the indictments remain at large, including Aleksandr Kalinin, 26 of St. Petersburg; 32-year-old Roman Kotov from Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.

According to the government’s indictment, other high-profile heists tied to this gang include compromises at:

Hannaford Brothers Co: 2007, 4.2 million card numbers

Carrefour S.A.: 2007, 2 million card numbers

Commidea Ltd.: 2008, 30 million card numbers

Euronet: 2010, 2 million card numbers

Visa, Inc.: 2011, 800,000 card numbers

Discover Financial Services: 500,000 Diners card numbers

In addition, the group is being blamed for breaking into and planting malware on the networks of NASDAQ, 7-Eleven, JetBlue, JCPenny, Wet Seal, Dexia, Dow Jones, and Ingenicard.

The hackers broke into their targets using SQL injection attacks, which take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Once inside, the attackers can upload software and siphon data.

The government’s indictment alleges that the thieves were at times overwhelmed by the sheer amount of data yielded by their SQL attacks.  On Aug. 12, 2007, Kalinin allegedly sent Gonzalez  an instant message that he’d just gained access to 30 SQL servers on NASDAQ’s network, but hadn’t yet cracked the administrator passwords that secured the data inside. “These [databases] are hell big and I think most of info is trading histories.” On Jan. 9, 2008, after Gonzalez offered to help attack the trading floor’s computer systems, Kalinin allegedly messaged back, “NASDAQ is owned.”

Continue reading →


3
Jun 13

Cashout Service for Ransomware Scammers

There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware — malware that hijacks PCs until victims pay a ransom – levees a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes. Source: botnets.fr

Ransomware is most often distributed via hacked or malicious sites that exploit browser vulnerabilities.  Typically, these scams impersonate the Department of Homeland Security or the FBI (or the equivalent federal investigative authority in the victim’s country) and try to frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content.

Ransomware locks the victim’s PC until he either pays the ransom or finds a way to remove the malware. Victims are instructed to pay the ransom by purchasing a prepaid MoneyPak card, sold at everything from Walgreens to Wal-Mart (some scams tell victims to pay using a PaySafe or Ukash card). Victims are then told to send the attackers a 14-digit voucher code that allows the bad guys to redeem those MoneyPak vouchers for cash.

Trouble is, taking funds off of a MoneyPak requires either spending it at stores that accept it, or hooking it up to a U.S. bank account, to PayPal, or to a prepaid Visa or Mastercard. What’s more, most miscreants who are even halfway competent at spreading ransomware can expect to collect dozens of MoneyPak codes per day, so cashing out via the above-mentioned methods simply does not scale well for successful bad guys (particularly those who live outside of the United States).

Last week, I stumbled on a ransomware cashout service hosted in Minsk, Belarus that helps simplify the process. It checks the balances of MoneyPak codes by abusing a feature built into betamerica.com, a legitimate and legal site where gamblers can go to bet on dog and horse races in the United States.  Specifically, the ransomware cashout service queries a page at betamerica.com that lets customers fund their betting accounts using MoneyPak.

I reached out to Betamerica.com’s operations team and spoke with a woman who would only give her name as “Leslie.” Leslie said the company had already flagged the account that was being used to check the MoneyPak voucher codes.

“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” she said, explaining that this status prevents customer accounts from placing bets on races. Leslie said Betamerica scrutinizes the Moneypak activity because fraudsters have tried to use the codes to launder money.

“We are pretty diligent, because in the past we have had [individuals who] will try to do a Moneypak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”

When I first encountered this ransomware cashout service and discovered the connection to Betamerica, I was sure the miscreants were trying to launder money through the betting site. But after my conversation with Leslie, the true scope of this ransomware operation began to come into focus. It appears to involve the cooperation of several sets of actors:

MoneyPak cashout scheme.

Scheme to cash out $300 MoneyPak vouchers obtained from ransomware victims.

Continue reading →


6
Feb 13

Crooks Net Millions in Coordinated ATM Heists

Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year.

atmafterdarkAccording to sources in the financial industry and in law enforcement, the thieves first struck on Christmas Eve 2012. Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, scammers began pulling cash out of ATMs in at least a dozen countries. Within hours, the perpetrators had stolen approximately $9 million.

Then, just prior to New Year’s Eve, the fraudsters struck again, this time attacking a card network in India and making off with slightly less than $2 million, investigators say.

The accounts that the perpetrators used to withdraw money from ATMs were tied to re-loadable prepaid debit cards, which can be replenished with additional funds once depleted. Prepaid card networks generally enforce low-dollar limits that restrict the amounts customers can withdraw from associated accounts in a 24 hour period. But in both ATM heists, sources said, the crooks were able to increase or eliminate the withdrawal limits for the prepaid accounts they controlled.

Shortly after the second heist, Visa released a private alert to payment card issuers, warning them to be on the lookout for additional ATM mega-heists over the New Years holiday. Sources say Visa’s alert was indeed prompted by the multi-million dollar heists at the end of December.

The Visa alert (PDF), sent to card issuers at the beginning of January 2013, warns:

“Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe. In a recently reported  case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple  countries around the world in one weekend.”

“These attacks result from hackers gaining access to issuer authorization systems and card parameter information. Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards. In some instances over $500K USD has been withdrawn on a single card in less than 24 hours.”

Continue reading →