Re: [Dataloss] Local credit card numbers stolen

[Arshad Noor <arshad.noor@strongauth.com>]

Quote:

 > “They could show no compromise to the hard drive,” said Allen. “One
 > thing we don’t know is how the suspects obtained the information.”

I sure hope that the authorities aren't giving up on understanding
how this attack was carried out.  If we accept that the card-reader
on the DVD machine was not hacked, the disk-drive was not hacked
and they were encrypting CCN before putting it on the wire, the
logical conclusion is one of the following:

1) Either their encryption key-management was weak/non-existent; or

2) One of the libraries/applications that had access to the plaintext
    CCN was compromised.

Both are sophisticated forms of attacks - unless the application and/or
implementation of the encryption/key-management was so bad that it did
not require any serious effort.  In any case, the authorities have a
duty to investigate, understand and disseminate the information to the
security community to avoid repeats of this attack.

Arshad Noor
StrongAuth, Inc.


Greg Kellogg wrote:
> http://cards-and-unsecured-business.blogspot.com/2009/01/local-credit-card-numbers-stolen.html
> 
> Two men are in custody and under investigation by the FBI in an  
> identity theft scheme that victimized 2,500 Cache County residents,  
> Smithfield police officials said Wednesday.
> 
> In late 2008, San Francisco police served a search warrant on a Bay  
> Area hotel room where detectives found multiple computers and a  
> machine that manufactures magnetic strips used on the back of credit,  
> debit and gift cards, Det. Travis Allen said.
> 
> In the computers’ hard drives were the credit card numbers of Cache  
> County residents, many of whom had been notified by their banks of  
> fraudulent charges on their accounts, Allen added.
> 
> Smithfield police say they received an unusual number of credit card  
> fraud claims in the fall of 2007.
> 
> “We finally found one common factor among everybody that was calling  
> us: They had all used the Family Fun Box,” Allen said.
> 
> The DVD-dispensing machines were located in the Summit Creek Sinclair  
> gas station and Lee’s Marketplace in Smithfield. A third operated in  
> the Wellcome Mart in Wellsville.
> 
> “We thought maybe somebody had a credit card reading device attached  
> to the machine,” Allen said. “We couldn’t find anything and thought,  
> maybe it’s being internally hacked somehow.”
> 
> Smithfield police learned the machines store no account information  
> but encrypt card numbers before sending them to a merchant processor  
> in Dallas, Texas.
> 
> The company, Teleasy Corporation, told Smithfield police its servers  
> had never been hacked and that it would know if they had, Dunn said.
> 
> Police reports show the unauthorized charges were taking place in  
> Northern California, Illinois, even Spain.
> 
> “We did find some instances where someone had gone to a boat shop in  
> Florida and spent several thousand dollars,” added Allen. “In  
> Smithfield, I think we had about 55 victims and over $100,000 in  
> losses.”
> 
> Investigators extracted a hard drive from one of the DVD machines and  
> sent it to a computer forensic lab in Salt Lake City where specialists  
> told police there was no evidence of local tampering.
> 
> “They could show no compromise to the hard drive,” said Allen. “One  
> thing we don’t know is how the suspects obtained the information.”
> 
> Allen presented his findings to the Utah Attorney General’s Office and  
> later to the FBI’s Cyber Crimes Task Force.
> 
> Information was distributed to national law enforcement agencies and a  
> tip came when police in California responded to a Longs Drug Store  
> where an individual was allegedly trying to use a gift card that was  
> traced back to a stolen credit card number, Allen said.
> 
> An investigation led to the search of a Bay Area hotel where two males  
> were arrested and charged with various crimes, Allen said.
> 
> Smithfield police say the names of the individuals have not been  
> released at the request of the U.S. Attorney General’s Office.
> 
> “Travis has done an exceptional job on this case” said Smithfield  
> Police Chief Johnny McCoy. “And through the course of that, we’ve  
> identified 2,500 victims just within our area.”
> 
> Todd Durrant, owner of the three Family Fun Box machines, said Friday  
> he’s stopped running his business.
> 
> “The machine at Lee’s was half my business,” he said. “And when that  
> was gone I didn’t have the income and still had loans to pay on the  
> machines.”
> 
> Durrant said he experimented with a cash-based membership card for  
> customers who still used the kiosks but business slowed.
> 
> “I would love to see whoever does this kind of crime get what’s coming  
> to them,” he said. “They don’t even see the faces of the people they  
> hurt.”
> _______________________________________________
> Dataloss Mailing List (dataloss@datalossdb.org)