
178 Arrested In US/EU Credit Card Cloning Ops

eldavojohn writes with this report from Brian Krebs: "Authorities have moved in on 178 people accused of working in credit card cloning labs across the USA and Europe, but with the bulk of the work apparently operating out of Spain. The source states that 'Police in 14 countries participated in a two-year investigation, initiated in Spain, where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, and arrested 76 people and dismantled six cloning labs. The raids were made primarily in Romania, France, Italy, Germany, Ireland, and the United States, with arrests also made in Australia, Sweden, Greece, Finland, and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation, and money-laundering, the police said.' Krebs notes a new credit card debuting at Turkish banks that appears to have a built-in LCD that has a random six-digit number associated with each transaction much like RSA SecurID keys used for computer logins."
  • by Anonymous Coward on Tuesday June 15, 2010 @04:36PM (#32583164)

    No wonder they lacked profitability.

    sexual exploitation

    First rule: Don't use your own product

  • Re:Random? (Score:5, Informative)

    by Speare ( 84249 ) on Tuesday June 15, 2010 @04:43PM (#32583242) Homepage Journal

    SecurID is pretty much the exact opposite of a random number.

    Er, a reasonable working definition of "random" is "you can't predict it." The card changes its displayed number every N seconds. The card's pseudo-random number generator has an algorithm and a seed value which are generally unknown to the user, and unknown to the merchant. It was produced in sync with the server, and continues to compute the numbers in parallel with the server. Even if the thief knows the algorithm, they would require significant time (an understatement) to acquire enough samples to accurately predict the next number that the server is expecting. So, for all practical purposes, yes, it's random.

  • Re:Random? (Score:3, Informative)

    by Beardo the Bearded ( 321478 ) on Tuesday June 15, 2010 @05:02PM (#32583450)

    Except that it's not a random number or a random number generator.

    It's a cipher generator, which is what Stradenko is getting at -- it's also what you're getting at, ironically. If the numbers were totally random, they would be useless. What it's doing is applying the downside of PRNGs - namely, their predictability - to create a sequence that is known to the computers in question, but appears random to the observer. If you seed multiple generators, all with the same algorithm, then you'll get the same sequence. That's terrible if you're running a lotto, but pretty good if you're trying to get two things to sync up.

    People have won millions by successfully outguessing PRNGs. I am not sure if this will add more security or if this is just security theater. Given the banking industry's track record, I'm going to go out on a limb and suggest that it's WIWTF security.

  • Re:False security (Score:3, Informative)

    by girlintraining ( 1395911 ) on Tuesday June 15, 2010 @05:03PM (#32583466)

    Apparently it's more complicated than some hand waving at "other inputs" or nobody would use the RSA security cards that operate on the same principle.

    No, it is not complicated: There's a number being displayed on the card every six seconds. For it to have any value in authentication, that number needs to be somewhere else every six seconds too. Which means it's not "random". It might pass every test for random, but it isn't. Which means there is an algorithm in place. That algorithm requires two things: First, that it stay synchronized (time), and second that there's a reference point shared between the circuitry on the card and the bank where that number is validated.

    Those requirements all lead to one conclusion: PRNG. The seed is probably a key of some kind plus time. There are at least two places that key is kept: On the card, and at the bank, and probably more places. Access any of them, and you recover the key. It's just a question of cost.

    Now here's the kicker: 100,000 credit cards linked to a random cross-section of the population is worth a fair amount of money. Probably more than the cost of cracking that protection. And that means it's still profitable and practical to crack it.

  • Re:Random? (Score:2, Informative)

    by synackpshfin ( 1622285 ) on Tuesday June 15, 2010 @05:38PM (#32583778)
    Hi. SecurID tokencode is calculated from current time + seed fed to the (AES) crypto algorithm. I believe that without knowing the seed it is quite hard to predict next tokencode...
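
An added example, not part of any comment in this thread and not RSA's or the card vendor's code: the point made above, that the card and the server hold the same seed and compute codes in parallel from the current time, shown with the open TOTP construction (RFC 6238, HMAC-SHA1) as a stand-in for SecurID's own algorithm. The 30-second step, the `Verifier` class and its drift window are assumptions of this example; the seed is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code window (RFC 6238 default, not the card's value)
DIGITS = 6     # six-digit code, as on the card described in the story


def code_at(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Derive the code for the time window containing unix_time (RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: holds the same seed and recomputes codes in parallel."""

    def __init__(self, seed: bytes, drift_windows: int = 1):
        self.seed = seed
        self.drift = drift_windows
        self.last_counter = -1    # highest window already accepted

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue          # window already used: reject replayed codes
            expected = code_at(self.seed, counter * STEP)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 6238 test seed, not a real card key
    t = 1111111109                        # constructed timestamp (RFC test vector)
    card_code = code_at(seed, t)          # what the card's display would show
    server = Verifier(seed)
    print(card_code, server.verify(card_code, t + 20))   # accepted despite clock skew
    print("replay accepted:", server.verify(card_code, t))
```

The code is only as unpredictable as the seed is secret: anyone holding the seed can run `code_at` for any future time, which is why the server-side seed store is the asset to protect.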
  • by Anonymous Coward on Tuesday June 15, 2010 @05:51PM (#32583916)

    You can win 10k a month easily if you do the business by yourself, I'm talking about stealing ccs using spam-scams, botnets etc. and selling some bds, hacked hosts and logins you won't use.
    Anyway, if you want to do that you have to discover some vulns to enter some servers and have some hacked hosts to do spam and have scams, the main server for the botnet and the bds to have emails and eventually some ccs.
    EgoPL
