How Cyber Criminals Are Exploiting Our Swipe-n-Go Society

Chris Dougherty
VirtualThreat Contributing Writer

Curtis Abernathy, a small business owner in Arizona, never expected to be caught up as the victim of an international ring of cyber criminals stealing identities online.  But that’s exactly what happened last week when he received a call from Bank of America’s security office.

The bank’s security team took notice after Abernathy used his debit/credit card at a local convenience store in Arizona, then an hour or so later there were two charges on the same card at retail stores in California.  According to the bank staff, the thieves walked in to Nordstrom Fashion Island (Store #333) at 901 Newport Center Drive in Newport Beach, California and used a physical credit card bearing the same name and account number as Abernathy’s. The Nordstrom store is located right across the street from the Newport Country Club, it appears our thieves have expensive taste.

The cyber criminals had stolen Abernathy’s identity, printed credit cards bearing his name and account number, and then went on to purchase medium value items so as not to raise the suspicion of store clerks. It was as easy as walking up to the cashier, swiping the credit/debit card pad, signing and walking away. The items they purchased with the stolen credit card will most likely end up on sites like Craig’s List or Ebay where the thieves can wash the money and cash out.

In total the thieves took Abernathy for $360.00 before the bank noticed. He was one of the lucky ones, chances are hundreds or even thousands of people have been victims of similar fraud campaigns.  As is the case with most banks these days, Bank of America has a zero-liability policy with regard to fraudulent credit card charges, so Abernathy will immediately get the money deposited back into his account. For him this was both a learning experience and a major inconvenience.

Unfortunately, all of the players are somewhat complacent in this type of crime. The attackers are aware of this vulnerability and and they will exploit it to its fullest potential in order to plunder our bank accounts.

We as customers love all that is quick and convenient. We use online and mobile banking apps even though the media tells us about stolen accounts all the time, we download screen savers and cool games that might be infected with malware, and we open links and attachments in emails that appear to come from our friends, family and coworkers.

The majority of stores these days have installed customer-facing debit and credit card PIN pads so that we can swipe our cards and go along our merry way as quickly as possible.  Everyone hates a long line, from the clerks to the pissed off customer at the end of the line.  Some stores have self-service checkout lanes to hurry the process along even more.

The problem with all of this is, while it may be quicker and more convenient, there are many serious flaws in the process.

Think about how often you get asked for an ID when making a purchase using your credit or debit card through a customer-facing PIN pad these days.  I’d bet it’s not nearly as often as you think. Beyond the obvious, what if an attacker has found a way to rig the point-of-sale (POS) system itself, or maybe they’ve hacked your ATM? How many of us feel safer because our virus protection software tells us that our computer is clean? What about the malware that they haven’t discovered yet or what if they infect your smart phone instead?

In December, VirtualThreat.com ran a story about Facebook assisting the U.S. Federal authorities in order to arrest hackers responsible for stealing over $850 Million over a period of two years.  There have also been recent reports of hackers in Iran and Russia attacking U.S. bank accounts through advanced botnets.

The thing is, these aren’t street fraudsters that are perpetrating these crimes.  The majority of the heists can be traced to large organized criminal networks, terrorists and sometimes even governments. And all the while the banks are under reporting cyber crimes in order to protect their reputations.

Cyber criminals typically have 3 primary techniques that they use in order to steal your credit card information or identity.

1. Phishing
   Wikipedia – “Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware.

   Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.”

2. Malware
   Wikipedia – “Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, spyware, adware and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.”
3. Credit Card Skimmers
   Wikipedia – “Skimming is the theft of credit card information used in an otherwise legitimate transaction. The thief can procure a victim’s credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card out of their immediate view. The thief may also use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security Code which is not present on the magnetic strip. Call centers are another area where skimming can easily occur. Skimming can also occur at merchants such as gas stations when a third-party card-reading device is installed either out­side or inside a fuel dispenser or other card-swiping terminal. This device allows a thief to capture a customer’s cred­it and debit card information, including their PIN, with each card swipe.

   Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user’s PIN at the same time. This method is being used very frequently in many parts of the world, including South America, Argentina, and Europe. Another technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them when operated, but records or transmits the keylog of the PIN entered by wireless. The device or group of devices illicitly installed on an ATM are also colloquially known as a “skimmer”. Recently-made ATMs now often run a picture of what the slot and keypad are supposed to look like as a background, so that consumers can identify foreign devices attached.”

I hope that you don’t become the next victim of credit card fraud or identity theft. However, the odds are that you, or someone that you know, will unwittingly become a target at some point in the future. Hackers are generally indiscriminate about their targets and hit huge groups of accounts in a single campaign, often netting the criminals 10′s of millions of dollars. With the increasingly rapid growth ow technology, we as consumers need to stay informed about the threats that await us.

If you have been the victim of cyber crime please contact the FBI through their Cyber Crimes website right away.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.