
Credit Card Security

You may have heard about the massive credit card breaches at Target, Neiman-Marcus, Sally Beauty Supply, Splash & Key Road Car Washes, Roy’s Restaurants, MAPCO Express, Schnuck Markets, and others. Customers of those stores who used credit cards during certain periods in the past year have had their credit card information scooped up and sold on the black market for carders to buy and steal with. Thousands of cards are for sale in a carders’ forum called Rescator[dot]so and [dot]la (don’t visit it without shields up) at $10-$25 each, in tranches with names like “Ronald Reagan”. Rescator brought an innovation that hadn’t been seen before across dozens of similar crime shops in the underground: it indexes stolen cards primarily by the city, state and zip code of the stores from which each card was stolen, which means carders can conveniently shop in their own area and not trip alarms. Carders (usually street gang members) buy blocks of this card info (tens, hundreds, thousands of cards), write it to the magstripe of old gift cards, and use those to buy expensive items to re-sell, and more gift cards. (Incidentally, banks are also buying this card info to try and stem the tide… it’s cheaper than the thefts they have to cover.)

One detective said, “Honestly, the fact that we still have bank robberies is sort of perplexing. Rob a bank and you’re lucky if you get away with $600. But you can rob a credit card company and all the banks are afraid to have their name associated with a case like this, and they quickly reimburse the victims. And most of the retailers are so afraid of having their name in the press associated with credit card fraud and data breaches that it makes the job doubly hard for us.”

But does this matter to us? I think it matters because the credit card infrastructure is for the most part outdated (in some cases ancient), and if you happen to use a credit card at a store or restaurant which is compromised, you will easily become an identity theft victim, which, believe me, causes endless headaches.

And how is this card theft happening? Checkout stands are mostly computerized today, and if they’re not, there’s always a dial-up card reader so the business can run your credit/debit card. What happened in each of the above cases was that malware called BlackPOS was installed on the point-of-sale terminal. It looks for the area in the terminal’s memory where the credit card magstripe data sits while a transaction is being processed, and ‘scrapes’ that area whenever its contents change (a new card is run). The captured data is then forwarded to the malware’s command-and-control server.
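As an added defensive illustration (not code from this post or from any named product), here is the kind of check an auditor or DLP tool runs over a memory dump or disk image to confirm whether cleartext magstripe track data is present, i.e. whether a terminal is exposing exactly what a RAM scraper like the one described above harvests. The buffer is constructed, the PANs in it are the standard test numbers, the Track 1/Track 2 layouts follow the ISO/IEC 7813 field order, and findings are masked so the report itself does not leak card data. Function and constant names are my own.

```python
"""Check a memory or disk image for cleartext magstripe track data.

Added defensive example: the pattern a PCI scanner or DLP tool uses to
confirm that a terminal or dump exposes card data. The sample buffer is
constructed; the PANs in it are standard test numbers, not real cards.
"""
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data ?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[0-9]*\?")
# Track 1: %B PAN ^ NAME ^ YYMM + service code + discretionary data ?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})[0-9A-Z ]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test; filters out digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Return masked findings for every Luhn-valid track record in buf."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                             "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                             "name": m.group(2).decode().strip()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed buffer: one Track 2 record, one Track 1 record, and a decoy
# record whose PAN fails the Luhn check (4111111111111112) and must be ignored.
SAMPLE_IMAGE = (
    b"\x00\x00junk"
    b";4111111111111111=25121010000000000000?"
    b"\x00more"
    b"%B5555555555554444^DOE/JANE^2512101000000000?"
    b";4111111111111112=2512101?"
    b"\xff"
)


def scan_sample() -> list[dict]:
    """Run the scanner over the constructed image."""
    return find_track_data(SAMPLE_IMAGE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

On a real engagement the buffer would come from a process dump or a disk image; a positive result means the terminal handles track data in the clear at some point and is therefore exposed to memory scraping regardless of what encryption sits on the wire.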

IntelCrawler says there are about nine people who’ve bought BlackPOS ($2,000 each, from a *talented* Russian teenager, who should probably be executed now, before he gets better), and they are working to get it installed wherever they can.

Six more retailers’ PoS (point-of-sale) systems are now being shopped around the underground as being open and for sale. With the sellers in Eastern Europe, it’s almost impossible to get these guys arrested and extradited.

How is the malware installed? It’s evolving daily, hourly. In the above attacks there were various methods. With Target, an HVAC contractor was given access to Target’s internal systems, which inexplicably did not limit them to need-to-know, and that contractor was compromised. At Neiman’s a guy was running around to all the PoS terminals installing it from a USB stick. Somebody caught him in the act, lol. PF Chang’s is still investigating, but the others had an employee’s desktop computer compromised, and that machine had privileged access to the PoS terminals. The two main vectors for compromising a secured machine like this are ‘spear-phishing’, where the attacker sends an email to a targeted employee with some compelling or routine content and induces that person to open a hostile attachment; and ‘drive-by’, where the employee is sent a link to a dummy website, usually made up to look like something they need to look at (but with some subtle difference in the URL), and when the employee visits that site some vulnerability in their browser (Flash, iframes, JavaScript, etc.) is exploited and the malware installed. All the employee has to do is open the attachment or visit the website, and they’d never know they were hit.

Is this going to continue? How many merchants are using out-of-date equipment? Splash Car Wash, for example: all locations were using ancient card readers based on Micrologic hardware, running ancient pcAnywhere software in which none of the default passwords had been changed (!), on an old version of Windows XP. Think you’re safe at Home Depot or Safeway?

What does this mean? I, for one, am getting off credit cards, and *particularly* debit cards. You don’t get reimbursed with debit cards, nor with company bank accounts. I’m easing back to cash. Maybe people will not take this seriously, but that’s what I’m doing, as I know what can be done. I’ve spent the time to write this to let you know the facts so you can make an informed decision. Please at least stop using debit cards. At core the problem is that the US had inexplicably refused to adopt the international EMV standard until recently, in which a crypto-engine chip is embedded in the card. It would effectively eliminate this problem, but we’re a long way from implementation.
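To show why the chip changes the picture, here is an added example that is not from this post and not real EMV code: a simplified stand-in in which HMAC-SHA256 replaces the card’s 3DES/AES MAC, and the names ChipCard, Issuer, generate_cryptogram and the message layout are my assumptions. The chip holds a key the terminal never sees, authenticates each transaction together with a transaction counter and a terminal-supplied random number, and the issuer rejects anything replayed or forged. Magstripe data is static, so whatever a scraper captures can be written onto a gift card and played back; a scraped cryptogram cannot.

```python
"""Simplified illustration of why an EMV chip defeats magstripe-style replay.

Constructed example, not real EMV: a real card derives a session key from
the ATC and MACs the transaction data with 3DES/AES; here HMAC-SHA256 stands
in for the card's crypto engine.
"""
import hashlib
import hmac
import os


def _transaction_bytes(pan: str, atc: int, amount_cents: int, unpredictable_number: bytes) -> bytes:
    """Fixed-layout message: PAN | ATC | amount | terminal nonce (assumed layout)."""
    return b"|".join([pan.encode(), atc.to_bytes(2, "big"),
                      amount_cents.to_bytes(6, "big"), unpredictable_number])


class ChipCard:
    """The card's crypto engine: holds a secret key that never leaves the chip."""

    def __init__(self, pan: str, issuer_key: bytes):
        self.pan = pan           # static data, the same as on the magstripe
        self._key = issuer_key   # never exposed to the terminal
        self.atc = 0             # application transaction counter

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        """Return (ATC, cryptogram) for this transaction and bump the counter."""
        self.atc += 1
        msg = _transaction_bytes(self.pan, self.atc, amount_cents, unpredictable_number)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer host: knows each card's key and the highest ATC it has accepted."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def enroll(self, pan: str) -> bytes:
        key = os.urandom(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return key

    def authorize(self, pan: str, atc: int, amount_cents: int,
                  unpredictable_number: bytes, cryptogram: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        if atc <= self._last_atc[pan]:
            return False            # counter already used: a replay or stale record
        msg = _transaction_bytes(pan, atc, amount_cents, unpredictable_number)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False            # wrong key or altered transaction data
        self._last_atc[pan] = atc
        return True


def run_scenario() -> tuple[bool, bool, bool]:
    """Return (genuine_ok, replay_ok, clone_ok) for three purchases."""
    issuer = Issuer()
    pan = "4111111111111111"        # constructed test PAN
    card = ChipCard(pan, issuer.enroll(pan))

    # 1. Genuine purchase: the terminal supplies a fresh unpredictable number.
    un = os.urandom(4)
    atc, arqc = card.generate_cryptogram(1999, un)
    genuine_ok = issuer.authorize(pan, atc, 1999, un, arqc)

    # 2. A scraper captured (pan, atc, un, arqc) at the terminal and replays it.
    replay_ok = issuer.authorize(pan, atc, 1999, un, arqc)

    # 3. A clone with only the static data (PAN, expiry) guesses at a cryptogram.
    forged = hashlib.sha256(pan.encode()).digest()
    clone_ok = issuer.authorize(pan, atc + 1, 1999, os.urandom(4), forged)

    return genuine_ok, replay_ok, clone_ok


if __name__ == "__main__":
    print(run_scenario())   # expect (True, False, False)
```

The counter check and the per-transaction nonce are what make scraped data worthless: the thief never obtains the key, and the issuer will not accept the same counter value twice.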

BTW, an excellent article by security researcher Moxie Marlinspike: We Should All Have Something To Hide.
Please consider installing his two Android apps, RedPhone and TextSecure.

Also you might like to see my next entry, Credit Card Security – corollary.
