Good'n'bad in the credit card theft world
Jan. 29th, 2020 09:39 am
First, the bad: the Wawa theft lasted nine months and looks like it netted 30 million+ cards. I'm not sure why they say "nationwide" when I've been all over the country and never seen one, unless they operate under different names in different places, but apparently they operate in 40+ states. Anyway, this looks like a central hack: maybe they got into central IT and used remote access tools to push their software out to all terminals and gas pumps.
The net result is a lot of compromised cards. All of which are for sale on carder forums.
The big problem here is that the USA is the last of the G20 nations to really push to chip-based credit cards and to get rid of magnetic stripes. Chips make it hella tougher to steal card information, as they create end-to-end encryption. It's child's play to steal magnetic stripes; I complain every time I have to swipe my card at a merchant. On top of that, Visa is pushing back on chips, but there's a deadline of October of this year for gas station merchants to upgrade their pumps for chip readers. I think most of the pumps in my area have been upgraded to also have wireless contact for those credit cards that have it or for Google/Apple Pay devices.
Now here's an interesting and actually good bit of news: even if 30+ mil cards were stolen, previous evidence would suggest that the numbers used in fraud are pretty low. The monster Target breach in 2013? Over 40 million cards were stolen, but only 3 mil used in fraud.
https://krebsonsecurity.com/2020/01/wawa-breach-may-have-compromised-more-than-30-million-payment-cards/
The good news: a major Russian cybercrime boss made a classic mistake: DO NOT EFFING LEAVE RUSSIA! He went to Israel in 2015, Israel arrested him, and Israel handed him over to the United States.
This guy, Aleksei Burkov, ran a very exclusive crime forum. To join it, you had to be recommended by other members. Then you had to pay a fee to join. You had to be fluent in Russian. AND you had to have a security certificate installed on your computer before the web page would load! That's some pretty good operational security. He was described as an important asset to the Russian government.
But then he got stupid and traveled to a country not controlled by Russia, and he got nabbed. He pleaded guilty in a Virginia federal court to running a carder forum and selling more than 150,000 stolen credit cards; he has not yet been sentenced.
Russia retaliated: an Israeli woman traveling from India had a layover in Russia, and Russian authorities "discovered" 10 grams of marijuana in her luggage, which she had no access to during the layover, and arrested her. Naama Issachar had been attending a yoga course and had not sought to enter Russia; it's just how the plane was routed. No telling what her fate may be.
https://krebsonsecurity.com/2020/01/russian-cybercrime-boss-burkov-pleads-guilty/
no subject
Date: 2020-01-29 06:16 pm (UTC)
no subject
Date: 2020-01-29 07:02 pm (UTC)
It is tragic when innocent people get caught in geopolitical wrangling. It's one thing if Country X grabs Country A's spy when Country A arrests Country X's bigwig for something: the spy knows he might get caught and arrested, and spies and intelligence officers are trained to cope, but when they start arresting Tourist Bob off the street for trumped-up charges, that's just wrong.
no subject
Date: 2020-01-30 11:36 pm (UTC)
no subject
Date: 2020-01-30 11:39 pm (UTC)
no subject
Date: 2020-02-02 08:33 pm (UTC)
(resonantt, aka troy, aka garlic potatoes in french class guy)
no subject
Date: 2020-01-30 07:25 pm (UTC)
So I think it's less "don't you interfere with us" a la Canadians imprisoned by China in retaliation, and more that it's just plain easier to pull these off internationally from certain countries - Russia just happening to be one of them. The US gets whacked a lot because there's a lot of Americans and a lot of money to be had, and as thewayne said, the US financial sector lags behind a wee bit, techwise.
That said, some researchers at Cambridge demonstrated some PoC attacks on chip+PIN cards years ago, e.g. https://www.theregister.co.uk/2012/09/13/chip_and_pin_security_flaw_research/ .
And unfortunately, thewayne, it's not just the US. Canada went big into chip+PIN years ago, it's true, but all our cards still have magstripes and most readers can still read a swiped card - the caveat being the chip needs to have failed first. Still, when I was in St Louis in 2014 (? I think) a cab driver pulled out a freaking impression machine, and the one restaurant that took my chip wasn't set up for PINs, just chip+signature. There was certainly no "wave and pay" either, but those have only in the last 3-4 years become common in Canada.
no subject
Date: 2020-01-29 07:05 pm (UTC)