Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn’t really calling his bank.
So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.
Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I’ll be that fixing the infrastructure will be expensive.
Posted on July 31, 2014 at 6:55 AM •
Long and interesting article about the Target credit card breach from last year. What’s especially interesting to me is that the attack had been preventable, but the problem was that Target messed up its incident response.
In testimony before Congress, Target has said that it was only after the U.S. Department of Justice notified the retailer about the breach in mid-December that company investigators went back to figure out what happened. What it hasn’t publicly revealed: Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network. Had the company’s security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all.
This is exactly the sort of thing that my new company, Co3 Systems, solves. All of those next-generation endpoint detection systems, threat intelligence feeds, and so on only matter if you do something in response to them. If Target had had incident response procedures in place, and a system in place to ensure they followed those procedures, it would have been much more likely to have responded to the alerts it received from FireEye.
This is why I believe that incident response is the most underserved area of IT security right now.
Posted on March 17, 2014 at 9:10 AM •
Interesting paper by Steven J. Murdoch and Ross Anderson in this year’s Financial Cryptography conference: “Security Protocols and Evidence: Where Many Payment Systems Fail.”
Abstract: As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol — the dominant card payment system worldwide — does not produce adequate evidence for resolving disputes. We propose five principles for designing systems to produce robust evidence. We apply these to other systems such as Bitcoin, electronic banking and phone payment apps. We finally propose specific modifications to EMV that could allow disputes to be resolved more efficiently and fairly.
Ross Anderson has a blog post on the paper.
Posted on February 6, 2014 at 6:05 AM •
This is a pretty impressive social engineering story: an attacker compromised someone’s GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It’s a complicated attack.
My claim was refused because I am not the “current registrant.” GoDaddy asked the attacker if it was ok to change account information, while they didn’t bother asking me if it was ok when the attacker did it.
It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.
The misuse of credit card numbers as authentication is also how Matt Honan got hacked.
Posted on January 31, 2014 at 6:16 AM •
This study concludes that there is a benefit to forcing companies to undergo privacy audits: “The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading.”
Posted on July 9, 2013 at 12:17 PM •
Well, new to us:
You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack. Just like most vulnerabilities we find these days some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.
Paper here. And news article.
Posted on September 11, 2012 at 12:38 PM •
When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it’s legit? In the past three months, Toronto and Peel police have discovered many that aren’t.
In what is the latest financial fraud, crooks are using distraction techniques to replace merchants’ machines with their own, police say. At the end of the day, they create another distraction to pull the switch again.
Using information inputted by customers, including PIN data, the criminals are reproducing credit cards at an alarming rate.
Presumably these hacked point-of-sale terminals look and function normally, and additionally save a copy of the credit card information.
Note that this attack works despite any customer-focused security, like chip-and-pin systems.
Posted on June 19, 2012 at 1:02 PM •
Two very interesting points in this essay on cybercrime. The first is that cybercrime isn’t as big a problem as conventional wisdom makes it out to be.
We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.
Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around.
The second is that exaggerating the effects of cybercrime is a direct result of how the estimates are generated.
For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors – or outright lies — cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.
Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.
A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
Posted on May 2, 2012 at 7:10 AM •
This is a first:
…the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.
It’s the first known case to challenge the heart of the self-regulated PCI security standards a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.
The PCI standards are probably the biggest non-government security standard. It’ll be interesting to see how this turns out.
Posted on January 16, 2012 at 9:58 AM •
The story of how Subway’s point-of-sale system was hacked for $3 million.
Posted on December 26, 2011 at 8:39 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.