The Green Sheet Online Edition

August 27, 2012  •  Issue 12:08:02


Micro attacks: Fraud of the future

By Nicholas Cucci

We all remember the data breach at Michaels Stores Inc. in 2011. POS and PIN-entry devices were compromised at 84 locations in over 20 states. These devices were swapped out with corrupt devices that were manipulated to collect payment card numbers and PINs. More than 94,000 cards have been affected thus far.

In June 2012, a U.S. District Court judge in California sentenced the perpetrators of the Michaels breach to multiyear prison terms on charges of conspiracy, bank fraud and identity theft, and ordered them to pay restitution. The breach has been one of the largest-scale POS breaches reported. Michaels used the standard POS equipment that most large companies used at the time.

Small attacks looming large

A recent trend noted by Gartner Inc. Vice President and Distinguished Analyst Avivah Litan is the localized, smaller-scale breach. She wrote in a July 12, 2012, blog post that such breaches can stay "under the radar longer." She also coined the phrase "micro attack" to describe a breach at restaurant Puerta Grande in Winchester, Ky., in June.

Litan noted that fraudsters may have gained remote access to the restaurant's POS system, reportedly enabling them to steal mag stripe data and create counterfeit cards. Soon after, Winchester community banks saw an increase in card fraud. Authorities estimated that 100 accounts had been compromised, a serious hit for small-town banks.

Small businesses are more susceptible to micro attacks, depending on the POS device or system model. Merchants are making this easy for fraudsters by failing to change default passwords installed by manufacturers. These micro attacks may seem small, but the frequency is increasing. According to the U.S. Department of Justice, over $5.5 billion in credit card fraud has already occurred worldwide in 2012, and one in 10 Americans have fallen victim to card fraud.

Preference for fresh data

In another example of a micro attack, federal authorities arrested Los Angeles-based rapper Charles Tony Williamson, better known as Guerilla Black, in July for conspiring to buy credit card data from two hackers also under indictment. According to Williamson's indictment, he expressed an interest in buying card data that was freshly stolen from POS systems.

The hackers allegedly stole data for thousands of bankcards by targeting restaurant POS devices near Seattle. This group was charged with access device fraud, bank fraud and aggravated identity theft.

At the heart of the underground economy is the selling of stolen data. From bankcard numbers to account credentials, every piece of information has a price and is subject to the laws of supply and demand. The supply is growing with the increase in demand overseas for stolen data. For example, credit cards have a different price based on their countries of origin and card brand and type. Visa Inc.'s Visa Platinum cards go for more than Visa Classic cards. Often, card details are sold in batches containing multiple cards, all at relatively low prices.

Five-star card data

Similar to legitimate online retailers, sellers of black-market data frequently receive ratings on the quality of their data. Also, many perpetrators know each other's reputations and where to go for certain types of information. These transactions take place in online Internet Relay Chat rooms. Fraudsters have preferred servers for chatting and exchanging data. However, these busts by the FBI are proving to fraudsters they can no longer hide behind computers. They can still be found and prosecuted.

What merchants and ISOs need to do is obvious. It's time for us to educate ourselves on the various attacks that can happen to our merchants and their devices. If all ISOs explained to their merchants, while signing them up, that passwords need to be changed on devices and that wireless Internet systems need to adhere to Wi-Fi Protected Access (WPA) or WPA2, we would drastically cut back on fraud, which becomes another barrier to entry.

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at ncucci@nmi.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
