178 Arrested In US/EU Credit Card Cloning Ops
eldavojohn writes with this report from Brian Krebs: "Authorities have moved in on 178 people accused of working in credit card cloning labs across the USA and Europe, but with the bulk of the work apparently operating out of Spain. The source states that 'Police in 14 countries participated in a two-year investigation, initiated in Spain, where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, and arrested 76 people and dismantled six cloning labs. The raids were made primarily in Romania, France, Italy, Germany, Ireland, and the United States, with arrests also made in Australia, Sweden, Greece, Finland, and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation, and money-laundering, the police said.' Krebs notes a new credit card debuting at Turkish banks that appears to have a built-in LCD that has a random six-digit number associated with each transaction much like RSA SecurID keys used for computer logins."
Doesn't sound very profitable. (Score:4, Insightful)
Close to 200 employees spanning multiple countries. And they take in only 25mil? Not just that but getting cash out of credit card companies I thought was a pain in the ass. Is it 25 mil per year or total? Because if it is total that seems like a shitty business investment. They should just stick to guns, drugs, and prostitution.
False security (Score:3, Insightful)
178 people. Remember that number.
Unless the card is radioactive it's not "random"... it's pseudorandom, and therefore based on an algorithm. Figure out the seed (initial vector) and other inputs, and you're right where you started, only your clients feel more secure and the criminals have to spend an extra few bucks. Given that there are multinational laboratories churning out thousands of dup cards, and assuming they have an active distribution network... it's safe to say these aren't the only guys or the first.
Re:Doesn't sound very profitable. (Score:5, Insightful)
Most of these people aren't doing it because it's lucrative. They do it because they have no legitimate options. The lowest rungs of any criminal enterprise get paid shit wages just like any business. 200 people at 20k a year is 4 million for payroll. That leaves over 20 million for the boss.
Re:Doesn't sound very profitable. (Score:1, Insightful)
Number one is: Don't underestimate the other guy's greed.
The latter lesson may also have played a role in them only netting 25M, though.
Re:Doesn't sound very profitable. (Score:5, Insightful)
For many people in those ops 20k a year might be actually a quite decent level of income; compared to, say, the average at the place they are or from which they are.
Re:Spain, Really? (Score:5, Insightful)
Actually, innovating with new forms of income is why nations are going broke these days.
They're pretending that speculation is investment, borrowing is income, and money-multiplication through circular lending is economic growth.
And hidden among these obvious insanities is a much more subtle one that will snap the rubber band: they track money borrowed to speculate as risk at the interest rate of the loan, not at the rate-of-ruin of the speculation.
The United States was as usual the most innovative, and therefore led the world. To a precipice and beyond. As usual by setting a good example.
Re:False security (Score:1, Insightful)
Those requirements all lead to one conclusion: PRNG. The seed is probably a key of some kind plus time. There are at least two places that key is kept: On the card, and at the bank.
Congratulations, you have just deduced the information available in a SecurID brochure. The "key of some kind" is a 128 bit key associated with the serial number of the device. It is stored on the device, and on the RSA authentication server. If you're talking about cracking open a stolen device and *voila* extracting the key, you may have a matter of hours to a long weekend to do so before it is reported stolen; thus negating any benefit of cloning it. If your goal is to steal it from the server, well, I can't speak to their internal security but I suspect you would not go unnoticed any longer than stealing the token; it would just cost the company more to replace everything.
The idea behind a cloned credit card is that no one knows it's been stolen until they see a bill. If you're forced to tip your hand before your client gets to use the cloned card, you might as well have stolen it outright.
Re:T'riffic. (Score:3, Insightful)
Terrific. 6 more ways for a mouth-breathing cash-register operator to fuck up your transaction...
You're perfectly welcome to do the job yourself and do it better than they do. Step right up.
What's that? You're not willing to lower yourself to their level? That work's beneath you? You've got too much dignity? You're not willing to see what the little guy has to do to get by? You never had to work a day of retail in your pampered, high-class life? Well, by all means, you can STFU, ass.
Re:Random? (Score:1, Insightful)
There is no requirement that it use a PRNG. A simple LUT containing a list of predetermined values could be used instead. In this case, they would act as one-time pads and there would be no way to crack them.
16MB gets you 1 256-bit key every minute for a year.
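Added example, not part of the thread and not any vendor's code: the "key plus time" scheme discussed in the comments above, with the bank holding the same per-card key, rejecting reused codes and dropping the key once a card is reported stolen, plus the storage arithmetic for the lookup-table alternative. RFC 6238 TOTP (HMAC-SHA1) is used here as a stand-in for the token's proprietary algorithm; the 60-second step, `DEMO_KEY`, `BankVerifier` and the serial names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code; assumed, matching "every minute" in the thread
DEMO_KEY = bytes(range(16))  # constructed 128-bit key, not a real token secret


def token_code(key: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): stand-in for the token's proprietary algorithm."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Server side: holds the same per-card key, tolerates clock drift, rejects reuse."""

    def __init__(self, keys_by_serial: dict, window: int = 1):
        self.keys = keys_by_serial
        self.window = window  # number of time steps of drift accepted either way
        self.last_step = {}  # serial -> highest time step already accepted

    def verify(self, serial: str, code: str, now: int) -> bool:
        key = self.keys.get(serial)
        if key is None:
            return False  # unknown or revoked card
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step.get(serial, -1):
                continue  # code for this step (or an older one) was already spent
            if hmac.compare_digest(token_code(key, step * STEP), code):
                self.last_step[serial] = step
                return True
        return False

    def revoke(self, serial: str) -> None:
        """Card reported stolen: drop the key so a cloned token stops working."""
        self.keys.pop(serial, None)


def lut_bytes(key_bits: int = 256, per_minutes: int = 1, days: int = 365) -> int:
    """Storage for the lookup-table alternative: one pre-generated value per interval."""
    return (key_bits // 8) * (days * 24 * 60 // per_minutes)
```
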