Hackers prepare supermarket sweep

NEXT TARGET : Hackers prepare supermarket sweep

Reformed hacker Jacques Erasmus of security firm Prevx explains the scam

2008/08/28

BBC NEWS

http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/7584258.stm

Self-checkout systems in UK supermarkets are being targeted by hi-tech criminals with stolen credit card details.

A BBC investigation has unearthed a plan hatching online to loot US bank accounts via the checkout systems.

Fake credit cards loaded with details from the accounts will be used to get cash or buy high value goods.

The supermarkets targeted said there was little chance the fraudsters would make significant gains with their plan.

With the help of computer security experts the BBC found a discussion on a card fraud website in which hi-tech thieves debated the best way to strip money from the US accounts.

The thieves claim to have comprehensive details of US credit and debit cards passed to them from an American gang who tapped phone lines between cash machines and banks.

'Cashing out'

The gang plans to copy card details onto the magnetic stripes of fake cards and then use them in UK stores. In the discussion on the card site those co-ordinating the fraud say they are seeking places to "cash out", meaning strip funds from the bank accounts using fake cards.

In the forum they are asking for information about Asda and Tesco stores in which it is possible to use self-service systems that mules could visit with the fake cards to get at the cash.

The fraudsters are looking for self-service systems to avoid contact with store staff who may spot the fake cards.

Over the period of a month from mid-August the ringleader claims he will have details from 2300 cards to handle.

In the forum he declares: "Its (sic) shopping spree guys help me out and I will take care of you."

The information found by the BBC has been passed to the Dedicated Cheque and Plastic Crime Unit so it can investigate the ongoing fraud.

Andrew Moloney, security evangelist at RSA, said the gang were involved in "classic" card fraud by cloning details on to magnetic stripes.

He said it was an example of a long observed trend in fraud.

"We've seen a shift from card-present fraud to card-not-present to fraud abroad," he said.

"The internet is the global marketplace," he said. "It's not difficult to take compromised cards from one country and exploit them in another. It's a simple and routine procedure for these guys these days."

Jacques Erasmus, from security firm Prevx, agreed that cashing out abroad was a well established method. "They do not normally cash out in the same country," he said, "just because it makes the law enforcement job that much harder."

He said many criminal gangs even offer their fraudulent services via the web.

"They will do it for you in India and China," he said.

Sweeping up

Armed with fake cards and a list of shops and supermarkets that can be hit the fraudsters could make £5-8000 per day, according to Mr Erasmus.

The funds would be split between the mules who actually carry out the transactions, those organising the mules and the hi-tech thieves who stole the original card numbers.

Representatives from both Tesco and Asda argue that payment systems automatically contact the banks when a card is swiped instead of using chip-and-pin. The banks must authorise the acceptance of a signature.

"If the card has not been reported as having been cloned, yes, it can go through," said a spokeswoman for Tesco. However, she pointed out that swipe and sign transactions represent a tiny fraction of the supermarket chain's trade.

"We would hope this will bring further pressure on the States to introduce chip-and-pin," said Jemma Smith of the UK payments organisation Apacs. "Until that happens we will still see fraud on US cards happening in our shops and our cash-machines and also fraud on our cards happening in the US."