Thursday, October 13, 2011
"This is by far the largest – and certainly among the most sophisticated – identity theft/credit card fraud cases that law enforcement has come across," Brown said.
According to the indictment, the thieves acquired stolen credit card information in various ways – among them, direct theft from cards, insider theft of card information, and purchasing stolen card data from underground websites selling data breach information. The stolen information was transmitted to a factory where bogus cards were forged using the information. The newly minted fraudulent cards were then distributed to a network of gangs that would spread out to malls across the United States to buy high end electronics, clothing and other popular items with the phony cards. These items were then sold at discount to fencing operations that resold the goods to shady retailers.
Unfortunately, some industry experts believe the arrests will have little effect on global cyber crime because hundreds of similarly sophisticated cyber theft gangs are still operating undetected around the world.
In talking about the case, Randy Vanderhoof, Executive Director of the Smart Card Alliance, a nonprofit organization working for adoption of smart card technology, said, "It is extraordinary law enforcement officials were able to catch up to and arrest as many as they did. There are actually few cases that are successfully investigated and the criminals rounded up. This is one of hundreds of cases. Most cases either go undetected or, because there are limited resources, law enforcement lets the hard task of cyber security go by while they focus on bigger and easier targets."
Vanderhoof believes a large part of the problem lies with the magnetic stripe technology used on most credit cards in the United States. He noted that the European Payments Council is drafting recommendations for the elimination of magnetic stripe cards there because of security concerns. "Mag stripe is the easiest point of attack," he said. "It is a static form of card information holder and not protected in any way."
Vanderhoof said while the Payment Card Industry (PCI) Data Security Standard (DSS) hardens the payment network for mag stripe data, it is not 100 percent effective. "Investment in PCI has not stopped fraud entirely," he said. "All it has done is slow it down."
Mark Bower, Vice President at Voltage Security Inc. in Cupertino, Calif., said, "It's interesting to have a story like this surface because what it shows is, while law enforcement did a good job finding and arresting these people, [the criminals] still operated for 16 months converting stolen information into cash. It was also interesting to see there were apparently a number of criminal organizations coordinating to achieve this kind of heist of information not protected in the system's ecosystem. Clearly, the promise of $13 million can create a sophisticated network."
Bower believes end-to-end encryption, a solution his company sells, is at least part of the answer to building a healthy and secure payment network. "The vast majority of merchants shouldn't have to worry about security," he said. "They want transparency, security, and plug-in and play."
Bower anticipates cyber theft will continue at unprecedented rates. "You don't need to rob banks these days to get access to information and convert it to cash," he said. "The bottom line at the end of the day is if you are in a system that hasn't taken steps to protect the information it stores it's a matter of time, not a matter of if you are going to get hacked."
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.