March 4, 2009
-
How's the CC Fraud Business Doing?, Pt.3
More tricks of the trade.

PIN Entry Device (PED) tampering: New PCI rules are coming out soon to address this problem, with stronger standards for the hardware components that handle card data. The existing requirements already cover 'attended' situations, where an attendant is present to oversee public access and activity; now they are being extended to unattended situations such as ATMs, pay-at-the-pump gas stations and other unattended card 'stations', in other words any place where the most sensitive card data, such as the PIN, is entered. The PCI Security Standards Council has already set up several accredited laboratories around the world. To qualify, vendors must submit their entry devices to one of these facilities, which performs an extensive evaluation and issues the appropriate debit and credit card security certification. The new standard is that "encryption must begin at entry and the data must not be accessible in unencrypted form from that point on." For more on these developments, please refer to my article series entitled "PCI Security Risks Reviewed".
Spear phishing: This is the high end of 'phishing', where a thief already has some of a victim's card data but can do 'much better' (or worse) with a little more. For example, a thief may already have someone's PAN (the card number) but would also like the PIN or the CVV2 (the 3-digit code printed on the back of the card, or the 4-digit code on the front of an American Express card, which lets a charge be placed without the card being physically present). The missing pieces are obtained either by scouting out other electronic sources (such as network servers) or by contacting the cardholder directly under a pretext. On average, 1,000 victims are solicited every month.
Counterfeiting: Nothing new about this trade, but since better traps evolve better rats, new innovations come out all the time. One of the latest involves encoding stolen card data onto the magnetic stripe of a network-branded gift card (Visa, for instance). These cards are cheap, easy to manage, require little identification to obtain and are almost never suspected, because the plastic itself is genuine and a re-encoded stripe is invisible to the clerk. This technique works well when coupled with 'skimming' (next topic).
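The gift-card counterfeit described above only works as long as nobody compares what is on the stripe with what is printed on the card. That is why many POS systems prompt the clerk for the last four digits of the printed card number, and why a chip-capable terminal must refuse a swipe of a card whose service code says it carries a chip. The following is an added example, not code from the original post, showing those checks over ISO/IEC 7813 Track 2 data. The track strings and card numbers in it are constructed test data, and the names `parse_track2`, `luhn_ok` and `check_swipe` are chosen here.

```python
"""Merchant-side checks on swiped Track 2 data that catch a re-encoded stripe.

Added example, not from the original post. Track 2 layout per ISO/IEC 7813:
  ;PAN=YYMMsss<discretionary>?   (sentinels ';' and '?' may be stripped by
the reader). All card numbers and track strings used here are constructed
test data, not real accounts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# PAN 12-19 digits, '=' separator, expiry YYMM, 3-digit service code, rest discretionary.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields; raise on malformed input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check digit test; random or badly re-encoded PANs fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_swipe(raw_track2: str, printed_last4: str,
                chip_capable_terminal: bool) -> list[str]:
    """Return reasons to refuse the swipe; an empty list means it passed.

    printed_last4 is what the clerk keys in from the face of the card. If the
    stripe carries someone else's stolen PAN, the last four digits will not
    match the number printed on the gift card.
    """
    try:
        t = parse_track2(raw_track2)
    except ValueError as e:
        return [str(e)]

    problems: list[str] = []
    if not luhn_ok(t.pan):
        problems.append("encoded PAN fails Luhn check")
    if t.pan[-4:] != printed_last4:
        problems.append(
            f"encoded PAN ends in {t.pan[-4:]} but card shows {printed_last4}: "
            "possible re-encoded stripe"
        )
    # Service code first digit 2 or 6 means the card has a chip. A chip-capable
    # terminal must then demand an insert (EMV fallback rules), because a
    # stripe-only copy of a chip card is a classic counterfeit.
    if chip_capable_terminal and t.service_code[0] in ("2", "6"):
        problems.append(
            f"service code {t.service_code} indicates a chip card; "
            "refuse swipe and require chip insert"
        )
    return problems


if __name__ == "__main__":
    # Constructed test track: the 4111... PAN is a well-known Luhn-valid test number.
    good = ";4111111111111111=25121011234567890?"
    print(check_swipe(good, "1111", chip_capable_terminal=False))   # passes
    print(check_swipe(good, "4321", chip_capable_terminal=False))   # last-4 mismatch
    chip = ";4111111111111111=25122011234567890?"                   # service code 201
    print(check_swipe(chip, "1111", chip_capable_terminal=True))    # must insert chip
```

The last-four prompt is cheap and catches exactly the gift-card trick, because the fraudster cannot change the number printed on the plastic to match every stolen track they encode. The service-code check closes the other common gap: a stripe copied from a chip card still carries the original service code, so a terminal that honours it forces the chip path the counterfeit cannot satisfy.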
