Subject: Re: [Dataloss] Local credit card numbers stolen
> “They could show no compromise to the hard drive,” said Allen. “One
> thing we don’t know is how the suspects obtained the information.”

I sure hope that the authorities aren't giving up on understanding
how this attack was carried out.

If we accept that the card-reader on the DVD machine was not hacked,
the disk-drive was not hacked and they were encrypting CCN before
putting it on the wire, the logical conclusion is one of the following:

1) Either their encryption key-management was weak/non-existent; or
2) One of the libraries/applications that had access to the plaintext
   CCN was compromised.

Both are sophisticated forms of attacks - unless the application and/or
implementation of the encryption/key-management was so bad that it did
not require any serious effort.

In any case, the authorities have a duty to investigate, understand and
disseminate the information to the security community to avoid repeats
of this attack.

Arshad Noor
StrongAuth, Inc.

Greg Kellogg wrote:
> http://cards-and-unsecured-business.blogspot.com/2009/01/local-credit-card-numbers-stolen.html
>
> Two men are in custody and under investigation by the FBI in an
> identity theft scheme that victimized 2,500 Cache County residents,
> Smithfield police officials said Wednesday.
>
> In late 2008, San Francisco police served a search warrant on a Bay
> Area hotel room where detectives found multiple computers and a
> machine that manufactures magnetic strips used on the back of credit,
> debit and gift cards, Det. Travis Allen said.
>
> In the computers’ hard drives were the credit card numbers of Cache
> County residents, many of whom had been notified by their banks of
> fraudulent charges on their accounts, Allen added.
>
> Smithfield police say they received an unusual number of credit card
> fraud claims in the fall of 2007.
>
> “We finally found one common factor among everybody that was calling
> us: They had all used the Family Fun Box,” Allen said.
>
> The DVD-dispensing machines were located in the Summit Creek Sinclair
> gas station and Lee’s Marketplace in Smithfield. A third operated in
> the Wellcome Mart in Wellsville.
>
> “We thought maybe somebody had a credit card reading device attached
> to the machine,” Allen said. “We couldn’t find anything and thought,
> maybe it’s being internally hacked somehow.”
>
> Smithfield police learned the machines store no account information
> but encrypt card numbers before sending them to a merchant processor
> in Dallas, Texas.
>
> The company, Teleasy Corporation, told Smithfield police its servers
> had never been hacked and that it would know if they had, Dunn said.
>
> Police reports show the unauthorized charges were taking place in
> Northern California, Illinois, even Spain.
>
> “We did find some instances where someone had gone to a boat shop in
> Florida and spent several thousand dollars,” added Allen. “In
> Smithfield, I think we had about 55 victims and over $100,000 in
> losses.”
>
> Investigators extracted a hard drive from one of the DVD machines and
> sent it to a computer forensic lab in Salt Lake City where specialists
> told police there was no evidence of local tampering.
>
> “They could show no compromise to the hard drive,” said Allen. “One
> thing we don’t know is how the suspects obtained the information.”
>
> Allen presented his findings to the Utah Attorney General’s Office and
> later to the FBI’s Cyber Crimes Task Force.
>
> Information was distributed to national law enforcement agencies and a
> tip came when police in California responded to a Longs Drug Store
> where an individual was allegedly trying to use a gift card that was
> traced back to a stolen credit card number, Allen said.
>
> An investigation led to the search of a Bay Area hotel where two males
> were arrested and charged with various crimes, Allen said.
>
> Smithfield police say the names of the individuals have not been
> released at the request of the U.S. Attorney General’s Office.
>
> “Travis has done an exceptional job on this case” said Smithfield
> Police Chief Johnny McCoy. “And through the course of that, we’ve
> identified 2,500 victims just within our area.”
>
> Todd Durrant, owner of the three Family Fun Box machines, said Friday
> he’s stopped running his business.
>
> “The machine at Lee’s was half my business,” he said. “And when that
> was gone I didn’t have the income and still had loans to pay on the
> machines.”
>
> Durrant said he experimented with a cash-based membership card for
> customers who still used the kiosks but business slowed.
>
> “I would love to see whoever does this kind of crime get what’s coming
> to them,” he said. “They don’t even see the faces of the people they
> hurt.”
> _______________________________________________
> Dataloss Mailing List (dataloss@datalossdb.org)