BreachExchange mailing list archives

Low-Tech Scheme Targets Small Merchants


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Oct 2013 23:05:07 -0600

http://www.databreachtoday.com/low-tech-scheme-targets-small-merchants-a-6147

Many merchant network breaches involve fraudsters intercepting unencrypted
transactions as they're transmitted from the point of sale. But last month,
fraudsters targeted a handful of small retailers in Kansas City, Mo., with
a low-tech scheme designed to block transactions.

Local merchants notified authorities that the satellite dishes they use to
transmit payment card transactions, including authorizations, had been
covered with aluminum foil to block transmission of credit card transaction
data via satellite to card issuers, helping to pave the way for fraud.

Security experts say merchant acquirers should be warning their retailers
about this trend and taking steps to pick up on merchants whose transaction
traffic appears to have gone dark for extended periods of time.

The Kansas City Police Department explained in an alert how the scheme
worked. Retailers routinely use the satellite dishes to send transactions to
the card brands and payments processors, which is where the fraud checks on
each authorization take place. When the dishes were covered, transmissions
were blocked, allowing fraudsters to run countless transactions with credit
card numbers that were counterfeit or stolen.
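The acquirer-side check suggested above (spot a merchant whose real-time authorization traffic stops during trading hours, then see what store-and-forward sales were rung up while it was silent) can be expressed in a few dozen lines. The following is an added example written for this page, not code from the article, the police alert, or any acquirer's system. The merchant IDs, timestamps, amounts, the 3-hour silence threshold and the 08:00 to 22:00 trading hours are all constructed assumptions; a real deployment would derive the threshold from each merchant's own transaction cadence.

```python
"""Acquirer-side 'dark merchant' detector (added example, constructed data).

A terminal whose uplink is blocked falls back to stand-in (offline) approval and
queues the sales until the link returns.  From the acquirer's side that shows up
as a gap in *online* authorizations during trading hours followed by a batch of
*offline* records time-stamped inside the gap.  This script flags exactly that.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

OPEN_HOUR, CLOSE_HOUR = 8, 22   # assumed trading hours for every merchant in the sample


@dataclass(frozen=True)
class AuthRecord:
    merchant_id: str
    ts: datetime      # when the sale was rung up at the terminal
    amount: float
    mode: str         # "online": issuer saw it in real time; "offline": stand-in, forwarded later
    pan_last4: str


def when(day, hhmm):
    """Build a timestamp in October 2013 from a day number and 'HH:MM' (sample helper)."""
    return datetime(2013, 10, day, int(hhmm[:2]), int(hhmm[3:]))


def business_seconds(start, end):
    """Seconds of trading hours between start and end, so that an overnight
    silence (the shop is closed) is not mistaken for a blocked uplink."""
    total = 0.0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:
        opens, closes = day.replace(hour=OPEN_HOUR), day.replace(hour=CLOSE_HOUR)
        lo, hi = max(start, opens), min(end, closes)
        if hi > lo:
            total += (hi - lo).total_seconds()
        day += timedelta(days=1)
    return total


def online_gaps(records, merchant_id, max_gap):
    """(start, end) pairs between consecutive online auths of one merchant
    whose trading-hours length exceeds max_gap."""
    online = sorted(r.ts for r in records if r.merchant_id == merchant_id and r.mode == "online")
    return [(prev, nxt) for prev, nxt in zip(online, online[1:])
            if business_seconds(prev, nxt) > max_gap.total_seconds()]


def offline_during(records, merchant_id, start, end):
    """Stand-in sales the merchant rang up while its online traffic was silent."""
    return [r for r in records
            if r.merchant_id == merchant_id and r.mode == "offline" and start <= r.ts <= end]


def dark_merchant_alerts(records, max_gap=timedelta(hours=3)):
    """One alert per merchant per suspicious gap, with the queued offline exposure."""
    alerts = []
    for mid in sorted({r.merchant_id for r in records}):
        for start, end in online_gaps(records, mid, max_gap):
            queued = offline_during(records, mid, start, end)
            alerts.append({
                "merchant_id": mid,
                "dark_from": start,
                "dark_until": end,
                "offline_count": len(queued),
                "offline_amount": round(sum(r.amount for r in queued), 2),
            })
    return alerts


# Constructed sample feed (not real transactions).  M-200 trades normally from
# Friday evening into Saturday; M-100 goes silent at noon on Saturday and three
# large stand-in sales pile up before the link comes back at 21:30.
SAMPLE = [
    AuthRecord("M-200", when(4, "21:30"), 18.40, "online", "4421"),
    AuthRecord("M-200", when(5, "09:00"), 7.99, "online", "1187"),
    AuthRecord("M-200", when(5, "11:30"), 23.10, "online", "9020"),
    AuthRecord("M-200", when(5, "14:00"), 41.00, "online", "3356"),
    AuthRecord("M-100", when(5, "09:00"), 12.50, "online", "5502"),
    AuthRecord("M-100", when(5, "10:10"), 31.00, "online", "7713"),
    AuthRecord("M-100", when(5, "12:00"), 9.75, "online", "0841"),
    AuthRecord("M-100", when(5, "13:15"), 480.50, "offline", "6655"),
    AuthRecord("M-100", when(5, "14:40"), 612.25, "offline", "6656"),
    AuthRecord("M-100", when(5, "16:05"), 572.25, "offline", "6657"),
    AuthRecord("M-100", when(5, "21:30"), 4.00, "online", "2210"),
]

if __name__ == "__main__":
    for alert in dark_merchant_alerts(SAMPLE):
        print(alert)
```

Run as a script it prints a single alert for M-100 (silent from 12:00 to 21:30, three offline sales totalling 1665.00) and nothing for M-200, whose Friday-night to Saturday-morning silence counts as only 90 trading minutes. The point of measuring the gap in trading-hours seconds rather than wall-clock time is that the detector must tolerate normal closure while still catching a dish foiled in the middle of the day; the follow-up action, as the article suggests, is a phone call to the merchant rather than an automatic decline.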

Over the course of a weekend, about four small businesses were compromised.
In one case, fraudsters used the method to spend $1,665 on cigarettes with
a fraudulent card number, police say. Police have now warned neighboring
businesses to check their satellite dishes for tampering and to immediately
notify authorities if they notice anything suspicious.

Foiling the Scam

Although this type of scam is rare, retailers should take some
precautionary steps, Pascual says.

"Be wary of any customer using multiple cards to purchase large amounts of
items that are easily fenced, such as liquor or cigarettes," he says. "With
the merchant's terminal offline, a criminal can take advantage of any
unexpired credit or debit card without worrying as to whether or not it was
reported stolen or if it has an available balance. Small merchants should
be very aware of this type of crime, if they weren't already."

Pascual also points out that other systems, such as those used for lottery
sales, could go offline if they share the same satellite connection as
those used to transmit data to the card networks and issuers, or if the
criminals foil every satellite dish they find on the roof.

John Buzzard, who oversees FICO's Card Alert Service, says the risks posed
by satellite transmission tampering are substantial because the payments
presented to the merchant during the time of the attack cannot be properly
authorized in real time.

"The risk is at the merchant level," Buzzard says. "The foil takes the
payment authorization system offline and forces it into stand-in [without
online authorization] mode that holds the authorizations until the system
comes back online. You could literally take a closed payment card [such as
a credit or debit card] into the store at that point and purchase $1,000
worth of cigarettes and the authorization would most likely appear to the
merchant to go through."

Card issuing and acquiring banking institutions must be careful about the
kind of advice they offer to merchants about how to thwart this kind of
fraud, Pascual notes.

"It is certainly in the interest of merchant acquirers to educate their
[retail] clients about these types of crimes, along with the red flags that
they should be aware of," he says. "My concern there would be around
liability. As an acquirer, I would be cautious about recommending that
merchants regularly climb on roofs to check their satellite dishes."

But acquirers could be more proactive in identifying merchants that have
been targeted by a satellite-foiling attack, Pascual adds. "They could be
on the lookout for stores that went dark for an extended period of time,
and, subsequently, contact those stores to confirm that the lull in
activity is legitimate and not a product of a disabled satellite dish," he
says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
