The UK Cards Association reports four criminals were sentenced for a total of 15 years at Southwark Crown Court for their involvement in a series of card frauds that took place in the south of England during 2009. Their scam involved tampering with chip and PIN devices in various petrol stations in order to copy the electronic data from customers’ credit and debit cards. The criminals then used this data to make fake magnetic stripe cards that could be used fraudulently overseas in countries yet to introduce chip and PIN.
Tom Espiner at ZDNet UK reports that researchers at Cambridge University have found a fundamental flaw in the EMV — Europay, MasterCard, Visa — protocol that underlies chip-and-PIN validation for debit and credit cards. As a consequence, a device can be built to intercept and modify the communication between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.
Bank Info Security reports that institutions and customers are paying for the lack of security on gas terminals. At a Shell station in Alachua, FL, last week, a service technician found a skimming device on a pay-at-the-pump terminal when he opened the machine for a routine maintenance check. This incident, the latest in a wave of such attacks, highlights two concerns: that skimming isn’t limited to ATMs, and that banking institutions and customers have yet another vulnerability to consider regarding payment card transactions.
The Bank Fraud Forum reports that new places and unfamiliar ATMs are fertile ground for skimming scams that cost consumers and the ATM industry about $1 billion in annual global losses. Skimming involves stealing the information from a card’s magnetic stripe or pilfering a consumer’s personal identification number, or PIN. It’s the most basic of ATM frauds. It can involve a peek over a shoulder, or crooks positioning small cameras or using telescopic devices to see the PIN. Skimming also happens with fake card readers and phony ATMs.
Craig Tieken at First Data presents perspectives on what data encryption and tokenization will mean for payments industry standards. He states that the data making up a token is random; the token can have the same 16-character format as a credit card number, which is powerful for merchants because it lets them use the token in back-end databases and business applications without modifying those systems. If the token cannot be mapped to the individual cardholder, merchants lose valuable information such as trends and customer buying behavior.
Robert McMillon at RSA’s Speaking of Security blogs that Visa has issued its initial guidance on tokenization best practices. He states, “Overall, I think Visa presented a good start for the industry. Several other bloggers seem to agree. However, I do have a bone or two to pick with what they propose. The biggest issue that I have is that they seem to be allowing encrypted values to be called tokens, the very thing I cautioned against a few weeks ago.”
Visa Inc. announced global industry best practices for tokenization to provide guidance to merchants, vendors, service providers and acquirers and promote safer merchant payment environments. Based on Visa’s experience working with the industry and also insights from data compromise investigations, the tokenization best practices are the latest in a series of guidance to help merchants reduce or eliminate sensitive card data from payment systems and simplify data security and compliance efforts.
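The three tokenization items above make the same points from different angles: a token is random rather than derived from the card number, it can keep the 16-digit shape so legacy merchant systems accept it, it has to map consistently to one cardholder so merchants keep their analytics, and an encrypted PAN is not a token because a key reverses it. The following vault is an added example written for this page; it is not code from First Data, RSA or Visa. The design choices it encodes (keeping the last four digits, forcing tokens to fail the Luhn check, restricting detokenization to a "payment-gateway" role, and the constructed test card numbers) are assumptions for illustration, not requirements from any of the cited guidance.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Random, format-preserving tokenization vault (constructed example).

    Assumed design choices, not taken from the article:
      * the token keeps the last four PAN digits so receipts still show them;
      * the other 12 digits come from a CSPRNG, so the token has no
        mathematical relation to the PAN (an encrypted PAN would);
      * tokens are built to fail the Luhn check so downstream code can
        never mistake one for a live card number;
      * one PAN always maps to one token, so per-customer trend analysis
        works on tokens alone.
    """

    def __init__(self):
        # In production both maps live in an access-controlled store with
        # PANs encrypted at rest; plain dicts keep the example self-contained.
        self._pan_to_token = {}
        self._token_to_pan = {}

    @staticmethod
    def _looks_like_pan(value: str) -> bool:
        return len(value) == 16 and value.isdigit()

    def tokenize(self, pan: str) -> str:
        """Return the stable token for a PAN, minting a fresh random one if needed."""
        if not self._looks_like_pan(pan) or not luhn_valid(pan):
            raise ValueError("input is not a 16-digit Luhn-valid PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing  # same cardholder, same token: analytics preserved
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = middle + pan[-4:]
            # Reject the roughly one in ten candidates that happen to be Luhn-valid,
            # and any collision with a token already issued.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment gateway may recover a PAN; merchant systems never can."""
        if caller_role != "payment-gateway":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def detokenize_allowed(vault: TokenVault, token: str, caller_role: str) -> bool:
    """Helper for checking the access rule without surfacing the PAN."""
    try:
        vault.detokenize(token, caller_role)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed: a well-known test card number
    token = vault.tokenize(pan)
    print("token:", token, "same-shape:", len(token) == 16, "luhn-valid:", luhn_valid(token))
    print("repeat lookup stable:", vault.tokenize(pan) == token)
    print("merchant may detokenize:", detokenize_allowed(vault, token, "merchant-analytics"))
```

The point McMillon raises falls out of the structure: there is no key anywhere in this class that turns a token back into a PAN, so compromising a merchant database full of tokens yields nothing without also compromising the vault, whereas a database of encrypted PANs is one stolen key away from clear card numbers.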
The Register reports Visa has withdrawn PCI certification from two older PIN entry devices from Ingenico following concern they are vulnerable to manipulation by cybercrooks. The development represents an apparent change of strategy from Visa, which has previously maintained that retailers who achieve and maintain PCI-compliance are protected against security breaches. The credit card giant has also been at pains to make sure that products that fail to reach PCI compliance do not make it into the public domain and are only circulated within the industry.
Dark Reading, a part of TechWeb, reports Trusteer and AVG have identified new botnets with different features, both built on Zeus technology. Zeus, a Trojan horse that spreads botnets quickly, can be adapted for multiple purposes. “The botnet appears to be controlling more than 100,000 infected computers, 98 percent of which are U.K. Internet users,” Trusteer says. “The criminals have been harvesting all manner of potentially lucrative and revenue-producing credentials, including online account IDs, plus login information to banks, credit and debit card numbers, account types plus balances, bank statements, browser cookies, client side certificates, login information for email accounts and social networks, and even FTP passwords.”
The Jackson Mississippi office of the FBI announced Patricia A. Wilson, 34, of Woodville, Mississippi, pleaded guilty today in federal court in Jackson, Mississippi, to conspiring with her cousin, a Natchez Police Department police officer, to commit identity theft, credit card fraud, and bank fraud. During her plea, Wilson acknowledged that on May 23, 2009, her cousin arranged a meeting and gave Wilson a credit card, which she believed he had stolen. The police officer, who appeared to be holding a second credit card in his hand, asked Wilson to buy beer for an upcoming party he was throwing.