[Dataloss] Canadian Thieves Swapping out keypad terminals

Al Mac macwheel99 at sigecom.net
Tue Jul 11 13:39:25 EDT 2006


There have been intermittent incidents like this in the USA, and I can dig 
up urls of stories if you desire.  I feel that phishing via e-mail, and 
various attacks on poorly secured financial web sites can net crooks a lot 
more loot, be more likely to be untraceable, be able to escape then open up 
shop some place else.  The hardware attacks seem to be from people of more 
traditional historical criminal minds, who may not yet be web-savvy.


Let's suppose a standard keypad has certain security features.
An electronics technician can probably disable those security features, 
given enough time working on it covertly.


You walk into a shopping mall, and you see an ATM machine.
You assume that it is really from the bank whose name is on the box.
99% of the time you right
but there are some fraudulent machines out there.
They take your card, tell you sorry they out of money, you need to find 
another ATM, but they not tell you this until you have entered your PIN # 
etc.  so the fraudulent machine has your plastic info, the magnetic strip 
info, your PIN #, and some place someone turns out a duplicate, then drains 
your account.
This is why I only use ATM machines that are right at the actual bank.


There was one shopping mall, where it was found that someone had installed 
a camera with telephoto lens in ceiling over an ATM to record what people 
keyed in as the PIN#.  I not remember from that story how they got the card 
data for duplicating the magnetic stripe.  It may be that there is enough 
info on the face of the card to make a duplicate.


Gasoline prices have been rising in the USA
We usually stick credit card into the pump, push buttons on a keypad to 
select services.  That keypad is also used by the retail outfit to adjust 
the gasoline prices as needed.  Some naughty consumers have figured out how 
to use the keypad to drop the pricing to free or almost free, then after 
doing a fill up, leave the pricing that way for other consumers to use.s
There have been many arrests around the USA in regards to this, but the 
practice is spreading.


My PC is now connected to Internet via Cable Modem.  When I was on dial up, 
it was same line as my portable phone.  I could hear over the same line, a 
local taxi service dispatch, and I assume they could hear my computer 
signal traffic.  Wireless can be a pain to secure.  Companies with computer 
professionals on staff, or computer tech support, often get this taken care 
of, but your average restaurant, convenience store etc. just gets the 
special phone line for the credit approval, then becomes vulnerable to 
telecommunications marketers trying to sell them a cheaper phone line that 
they neglect to say may be much less secure than what they now using.


Security Risks and Security Protection are like Weapons and Defenses in the 
Military.  The enemy is constantly striving to come up with better weapons 
to penetrate your armor, and also come up with better armor to defend 
against your weapons.  It is a race.  If you are operating on technology 
that was invented years ago, you are probably not secure.  Many companies 
are operating on technology that was invented decades ago.


If you go into a bank, you will not find any deposit slips on the counter 
for your convenience like we had years ago.  You have to get them with your 
checks.  The reason for this is that there was a scam where people opened 
some bank account, printed their own deposit slips that looked blank to 
human eye, but had the magnetic ink deal that banks use to sort 
checks.  People would go into bank, fill out deposit slip in human readable 
ink, the banks computers would read the magnetic ink and deposit into the 
crooks account.  Since everyone knew when the bank sent out the bank 
statements, the crooks would clean out their account and skip town right 
before customers piling up at bank to complain about deposits not making it 
into their accounts.


Many systems have design flaws that crooks will figure out how to 
exploit.  It is a never ending war, until such time that systems are 
deployed that have been thoroughly tested for flaws before deployment.  But 
testing is time consuming, needs special software to do it properly.  The 
winner in the marketplace is the outfit that is first to come out with some 
new feature more inexpensively than the competition.  Security is usually 
in last place in terms of importance.




>Has anyone heard any additional detail on this?  Tampering with the
>keypad is *SUPPOSED* to wipe the authentication key from memory.
>
>
>
>
>DEBIT CARD FRAUD PLAGUES CANADIAN RETAILERS
>
>NEW YORK - A recent surge in debit card fraud is plaguing Canadian
>retailers, reports BankNet 360.
>
>The news source writes that debit card thieves are stealing card
>terminals from gas stations, convenience stores and fast food
>restaurants so they can rig the devices and swipe embedded data stored
>on card magnetic strips. Thieves then switch the rigged terminals with
>genuine machines, which gives them the ability to collect personal
>account information from swiped debit cards, such as personal
>identification numbers (PIN).
>
>"In Ottawa and Montreal, PIN pad fraud has resulted in approximately
>$6.7 million in losses during the past few months," notes the news
>source.
>
>Additionally, more than 40 retailers in Montreal have reported that
>wireless Internet connections were used to remotely retrieve PINs and
>card numbers from rigged card terminals. Thieves used that data to clear
>out the bank accounts of approximately 18,000 debit card holders.
>
>The news source notes that Canadians use debit cards "more than any
>other country, averaging 82 million debit transactions a year."
>
>Copyright 2006 NACS
>
>________________________________________________________________________
>_
>NACS Daily
>Subscribe:    http://www.nacsonline.com/NACS/NACSDaily/Subscribe.htm
>Today's News: http://www.nacsonline.com/NACS/News/
>News Archive: http://www.nacsonline.com/NACS/News/Daily_News_Archives/
>
>
>This message and any files transmitted with it is intended solely for the 
>designated recipient and may contain privileged, proprietary or otherwise 
>private information. Unauthorized use, copying or distribution of this 
>e-mail, in whole or in part, is strictly prohibited. If you have received 
>it in error, please notify the sender immediately and delete the original 
>and any attachments.
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/errata/dataloss/




More information about the Dataloss mailing list