funsec mailing list archives

Re: Hackers prepare (not-so-typical) supermarket sweep


From: Jim Murray <jim () digitaldaemons co uk>
Date: Tue, 02 Sep 2008 22:37:01 +0100

Juha-Matti Laurio wrote:
> "Self-checkout systems in UK supermarkets are being targeted by hi-tech criminals with stolen credit card details.
>
> A BBC investigation has unearthed a plan hatching online to loot US bank accounts via the checkout systems.

The scam works because US cards don't use 'chip and pin', they rely on
the magnetic stripe. The same dodge would work in reverse (i.e. a UK card
in a US store, as their equipment doesn't handle chip & pin transactions).

> Fake credit cards loaded with details from the accounts will be used to get cash or buy high value goods.
>
> The supermarkets targeted said there was little chance the fraudsters would make significant gains with their plan.

I'm inclined to agree with that. It'd be difficult to get away with any
significant value of goods - even your dumbest store security guard is
going to notice the same guy buying high value items repeatedly (they
tend to be bulky, security tagged and require staff assistance!).
Automatic checkouts in my experience do not generally offer cash.

> The thieves claim to have comprehensive details of US credit and debit cards passed to them from an American gang who tapped phone lines between cash machines and banks."

I do hope that is a case of inaccurate reporting. I was under the
impression that the links between banks and ATMs were encrypted so
'tapping the lines' really shouldn't get them anything. More likely is
'skimming' the card (copying the magstripe data) either manually by
swiping it through an extra reader when the cardholder isn't looking or
automatically by sticking a disguised reader on the front of an ATM. Of
course, you could always sit outside your local store with a wifi sniffer...

There have been reports in the UK of such skimmers being used in
conjunction with miniature wireless video cameras to steal card data &
PINs...

Jim.


-- 
      DigitalDaemons IT Services.
---------------------------------------
   E-Mail : jim () digitaldaemons co uk
       PGP Key ID : 0xB7066495
