The Green Sheet Online Edition
August 27, 2012 • Issue 12:08:02
Micro attacks: Fraud of the future
We all remember the data breach at Michaels Stores Inc. in 2011. POS and PIN-entry devices were compromised at 84 locations in over 20 states. These devices were swapped out with corrupt devices that were manipulated to collect payment card numbers and PINs. More than 94,000 cards have been affected thus far.
In June 2012, a U.S. District Court judge in California sentenced the perpetrators of the Michaels breach to multiyear prison terms on charges of conspiracy, bank fraud and identity theft, and ordered them to pay restitution. The breach is one of the largest reported POS breaches. Michaels used the standard POS equipment that most large companies used at the time.
Small attacks looming large
A recent trend noted by Gartner Inc. Vice President and Distinguished Analyst Avivah Litan is the localized, smaller-scale breach. She wrote in a July 12, 2012, blog post that such breaches can stay "under the radar longer." She also coined the phrase "micro attack" to describe a breach at restaurant Puerta Grande in Winchester, Ky., in June.
Litan noted that fraudsters may have gained remote access to the restaurant's POS system, reportedly enabling them to steal mag stripe data and create counterfeit cards. Soon after, Winchester community banks saw an increase in card fraud. Authorities estimated that 100 accounts had been compromised, a serious hit for small-town banks.
Small businesses are more susceptible to micro attacks, depending on the POS device or system model. Merchants are making this easy for fraudsters by failing to change default passwords installed by manufacturers. These micro attacks may seem small, but their frequency is increasing. According to the U.S. Department of Justice, over $5.5 billion in credit card fraud has already occurred worldwide in 2012, and one in 10 Americans has fallen victim to card fraud.
Preference for fresh data
In another example of a micro attack, federal authorities arrested Los Angeles-based rapper Charles Tony Williamson, better known as Guerilla Black, in July for conspiring to buy credit card data from two hackers also under indictment. According to Williamson's indictment, he expressed an interest in buying card data that was freshly stolen from POS systems.
The hackers allegedly stole data for thousands of bankcards by targeting restaurant POS devices near Seattle. This group was charged with access device fraud, bank fraud and aggravated identity theft.
At the heart of the underground economy is the selling of stolen data. From bankcard numbers to account credentials, every piece of information has a price and is subject to the laws of supply and demand. The supply is growing with the increase in demand overseas for stolen data. For example, credit cards have a different price based on their countries of origin and card brand and type. Visa Inc.'s Visa Platinum cards go for more than Visa Classic cards. Often, card details are sold in batches containing multiple cards, all at relatively low prices.
Five-star card data
Similar to legitimate online retailers, sellers of black-market data frequently receive ratings on the quality of their data. Also, many perpetrators know each other's reputations and where to go for certain types of information. These transactions take place in online Internet Relay Chat rooms. Fraudsters have preferred servers for chatting and exchanging data. However, these busts by the FBI are proving to fraudsters they can no longer hide behind computers. They can still be found and prosecuted.
What merchants and ISOs need to do is obvious. It's time for us to educate ourselves on the various attacks that can happen to our merchants and their devices. If all ISOs explained to their merchants while signing them up that passwords need to be changed on devices and wireless Internet systems need to adhere to Wi-Fi Protected Access (WPA) or WPA2, we would drastically cut back on fraud, which becomes another barrier to entry.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.