Forgot your password?
typodupeerror
Crime Security Your Rights Online

178 Arrested In US/EU Credit Card Cloning Ops 103

Posted by timothy
from the spreading-the-wealth dept.
eldavojohn writes with this report from Brian Krebs: "Authorities have moved in on 178 people accused of working in credit card cloning labs across the USA and Europe, but with the bulk of the work apparently operating out of Spain. The source states that 'Police in 14 countries participated in a two-year investigation, initiated in Spain, where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, and arrested 76 people and dismantled six cloning labs. The raids were made primarily in Romania, France, Italy, Germany, Ireland, and the United States, with arrests also made in Australia, Sweden, Greece, Finland, and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation, and money-laundering, the police said.' Krebs notes a new credit card debuting at Turkish banks that appears to have a built-in LCD that has a random six-digit number associated with each transaction much like RSA SecurID keys used for computer logins."
This discussion has been archived. No new comments can be posted.

178 Arrested In US/EU Credit Card Cloning Ops

Comments Filter:
  • by Anonymous Coward

    if you are going to steal from someone, don't steal from professional thieves.

  • by Rivalz (1431453) on Tuesday June 15, 2010 @04:32PM (#32583102)

    Close to 200 employees spanning multiple countries. And they take in only 25mil? Not just that but getting cash out of credit card companies I thought was a pain in the ass. Is it 25 mil per year or total? Because if it is total that seems like a shitty business investment. They should just stick to guns, drugs, and prostitution.

  • T'riffic. (Score:3, Interesting)

    by blair1q (305137) on Tuesday June 15, 2010 @04:33PM (#32583130) Journal

    Terrific. 6 more ways for a mouth-breathing cash-register operator to fuck up your transaction...

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Terrific. 6 more ways for a mouth-breathing cash-register operator to fuck up your transaction...

      You're perfectly welcome to do the job yourself and do it better than they do. Step right up.

      What's that? You're not willing to lower yourself to their level? That work's beneath you? You've got too much dignity? You're not willing to see what the little guy has to do to get by? You never had to work a day of retail in your pampered, high-class life? Well, by all means, you can STFU, ass.

    • i applaud and endorse them ripping you off, and spitting in your food

      be gracious to other human beings, no matter what their socioeconomic status, or suffer, and deserve, the same fate as marie antoinette, for the same reasons

      • by mlts (1038732) *

        This reminds me of when I was working at a Fortune 100 company. My boss and I were at a restaurant and were talking to a salesperson about some new gizmo which was very expensive, but we had multiple bids for.

        This salesperson was rude as hell to the maitre d' and waitstaff. He ordered one thing, said he ordered something else, yelled at her with choice epithets, demanded another alcoholic drink because the last one wasn't good, then finally stiffed her on the tip. It was so bad that my boss and I both we

      • heya,

        Err, I've worked some pretty "low-end" jobs. I've done various retail stints for a few years, and I actually still work at a local pool on the weekends now, teaching little kids how to swim. The pay there is terrible, but the work is actually pretty fun.

        However, I have to agree with the parent - people who are stuck in low-end retails jobs, year after year, are often there because they're got no other choice. (I'm not talking high-school or college kids getting extra allowance on the side here - I mean

  • SecurID is pretty much the exact opposite of a random number.

    • Re:Random? (Score:5, Informative)

      by Speare (84249) on Tuesday June 15, 2010 @04:43PM (#32583242) Homepage Journal

      SecurID is pretty much the exact opposite of a random number.

      Er, a reasonable working definition of "random" is "you can't predict it." The card changes its displayed number every N seconds. The card's pseudo-random number generator has an algorithm and a seed value which are generally unknown to the user, and unknown to the merchant. It was produced in sync with the server, and continues to compute the numbers in parallel with the server. Even if the thief knows the algorithm, they would require significant time (an understatement) to acquire enough samples to accurately predict the next number that the server is expecting. So, for all practical purposes, yes, it's random.

      • Re: (Score:3, Informative)

        Except that it's not a random number or a random number generator.

        It's a cipher generator, which is what Stradenko is getting at -- it's also what you're getting at, ironically. If the numbers were totally random, they would be useless. What it's doing is applying the downside of PRNGs - namely, their predictability - to create a sequence that is known to the computers in question, but appears random to the observer. If you seed multiple generators, all with the same algorithm, then you'll get the same s

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          There is no requirement that it use a PRNG. A simple LUT containing a list of predetermined values could be used instead. In this case, they would act as one-time pads and there would be no way to crack them.

          16MB gets you 1 256-bit key every minute for a year.

          • by Tim C (15259)

            16MB gets you 1 256-bit key every minute for a year.

            Given that you can get microSD cards in 32GB capacities now, at least from a size point of view that is definitely not a problem.

      • Re: (Score:3, Funny)

        by interval1066 (668936)

        "Even if the thief knows the algorithm, they would require significant time (an understatement) to acquire enough samples to accurately predict the next number that the server is expecting. So, for all practical purposes, yes, it's random."

        Yep, digital security, almost always infallible. When was the last time a digitally secure system was broken? About 15 minutes ago? Well, I'll be sleeping easier tonight, surely.

      • Re: (Score:3, Interesting)

        by spacerog (692065)

        "This short paper will examine several discovered statistical irregularities
        in functions used within the SecurID algorithm: the time
        computation and final conversion routines. Where and how these irregularities
        can be mitigated by usage and policy are explored."

        http://www.linuxsecurity.com/resource_files/cryptography/initial_securid_analysis.pdf [linuxsecurity.com]

        My point is just because it is encased in plastic does not mean that the number can not be determined.

        - SR

      • Great explanation. The way I like to think about it is that randomness is not a property of the number, but of the generator.

        > a random six-digit number associated with each transaction
        Validating transactions. It's about damn time.

      • Re:Random? (Score:4, Funny)

        by Hognoxious (631665) on Tuesday June 15, 2010 @06:55PM (#32584586) Homepage Journal

        a reasonable working definition of "random" is "you can't predict it."

        No, it's that nobody can predict it.

        You haven't got a hope in hell of predicting the next number I write down, but for me it's a certainty.

    • Re: (Score:2, Informative)

      by synackpshfin (1622285)
      Hi. SecurID tokencode is calculated from current time + seed fed to the (AES) crypto algorithm. I believe that without knowing the seed it is quite hard to predict next tokencode...
  • Here I thought that Spain was going broke only moments after Greece, and now I find out that insted they have innovated with entirely new forms of income.
    • Re:Spain, Really? (Score:5, Insightful)

      by blair1q (305137) on Tuesday June 15, 2010 @05:01PM (#32583438) Journal

      Actually, innovating with new forms of income is why nations are going broke these days.

      They're pretending that speculation is investment, borrowing is income, and money-multiplication through circular lending is economic growth.

      And hidden among these obvious insanities is a much more subtle one that will snap the rubber band: they track money borrowed to speculate as risk at the interest rate of the loan, not at the rate-of-ruin of the speculation.

      The United States was as usual the most innovative, and therefore led the world. To a precipice and beyond. As usual by setting a good example.

      • One of the best and simplest and clearest descriptions of this huge ripoff economy I have read, mucho props to you.

        The sad part is, millions of otherwise intelligent people are still defending those thieves, the thieve's political sockpuppets, and this conjob-based economic system in general.

    • Re: (Score:3, Interesting)

      by quenda (644621)

      TFA is to PC to say it outright, but putting Romania at the head or the list says it is a Gypsy operation.
      These are multi-generational career criminal families. And the Spanish police seem unable to do anything about it.
      There was a good documentary on the BBC:

      How Gypsy gangs use child thieves [bbc.co.uk]

      • by rozz (766975)

        TFA is to PC to say it outright, but putting Romania at the head or the list says it is a Gypsy operation. These are multi-generational career criminal families. And the Spanish police seem unable to do anything about it. There was a good documentary on the BBC:

        How Gypsy gangs use child thieves [bbc.co.uk]

        really? bet you never had contact with a gypsy your whole life.

        I am a big fan of BBC documentaries almost all are very well done. The problem with those is that not any dummy can understand. Sometimes I cannot believe what some ppl get from such documentaries. And although I have not seen this one, sounds like it was your case too.

        Gypsies are "low-tech" crime experts .. small time thieves, children/women exploitation, etc. The vast majority are illiterate and the bosses make no exception. And probab

  • False security (Score:3, Insightful)

    by girlintraining (1395911) on Tuesday June 15, 2010 @04:40PM (#32583206)

    178 people. Remember that number.

    Unless the card is radioactive it's not "random"... it's pseudorandom, and therefore based on an algorithm. Figure out the seed (initial vector) and other inputs, and you're right where you started, only your clients feel more secure and the criminals have to spend an extra few bucks. Given that there are multinational laboratories churning out thousands of dup cards, and assuming they have an active distribution network... it's safe to say these aren't the only guys or the first.

    • Mod up please, +1 Insightful. This is an important concept.

      And no excellent karma yet? I thought they handed out karma to everyone...
    • by swb (14022)

      Apparently it's more complicated than some hand waving at "other inputs" or nobody would use the RSA security cards that operate on the same principal.

      • Re: (Score:3, Informative)

        Apparently it's more complicated than some hand waving at "other inputs" or nobody would use the RSA security cards that operate on the same principal.

        No, it is not complicated: There's a number being displayed on the card every six seconds. For it to have any value in authentication, that number needs to be somewhere else every six seconds too. Which means it's not "random". It might pass every test for random, but it isn't. Which means there is an algorithm in place. That algorithm requires two things: First, that it stay syncronized (time), and second that there's a reference point shared between the circuitry on the card and the bank where that number

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          Those requirements all lead to one conclusion: PRNG. The seed is probably a key of some kind plus time. There are at least two places that key is kept: On the card, and at the bank

          Congratulations, you have just deduced the information available in a SecurID brochure. The "key of some kind" is a 128 bit key associated with the serial number of the device. It is stored on the device, and on the RSA authentication server. If you're talking about cracking open a stolen device and *voila* extracting the key, you may have a matter of hours to a long weekend to do so before it is reported stolen; thus negating any benefit of cloning it. If your goal is to steal it from the server, well,

        • by swb (14022)

          There's millions of RSA cards in use now that work basically like that, many are in the hands of business accounting folks who use them to manage cash accounts of $100,000 or more. Consumer credit cards are peanuts in comparison; why haven't the RSA cards been compromised if its so easy?

          • by Mattpw (1777544)
            RSA tokens and in fact all OTP token devices are regularly defeated by most of the new trojans who simple MITB Man-In-The-Browser their way past them. Lookup Zeus for further info. The solution is transaction authentication which OTP devices cannot do.
            • This only works if you (the MITB) want to authenticate before the number changes, because that's all it grabs. That situation doesn't work for a card cloner who needs to have a valid sequence at an arbitrary time of purchase.
              • by Mattpw (1777544)
                The OTP card shown in the article is purely used for online transactions. There is no hardware or method available for authenticating these OTP values in a personal way say at an ATM or a shop in these cases to prevent cloning they would opt to use the EMV secret key on the smartchip inside most cards, sadly there are ways around this too by tricking the devices that your card isnt running on the EMV standard so it goes into a non EMV mode. About the only solution which can fix the card cloning problem econ
                • And yet my family in colombia are having their accounts emptied by thieves who always find a way around anything magnetic based.

                  My card with it's number generator has been fine. It is so common down there that they actually have a number you call when you have used the card in what they consider a "shady" place.

                  I have seen the cards get skimmed first hand , they are not to good at it. And the cards are literally turned out in hours and being used to buy stuff.

                  • by Mattpw (1777544)
                    Yes I understand the Magtek solution was widely introduced in Chile and Argentina. I am not associated with the company and have no idea where its been implemented all I know is a bank manager there who implemented it said that cloning went to zero since they did, I like their cost effective solution to the problem which from the article above EMV which Europe has gone for is failing to solve. I dont disagree the OTP generators are not better than nothing and do add an extra step for the attacker but the
                • I think you've missed the point. That code cycles every 60 seconds. If you MITM me while I'm using it, you get my code, and can buy things for 60 seconds. You can't sell it to anyone who expects it to work after the 60 seconds is up.

                  You could, however, sell it as a service with an app that displayed all 'hot' card #s and validation codes as they got intercepted, allowing your clients access to a sort of aggregate-clone card. You could even track the compromised cards usage statistics to offer up cards
                  • In an age where stocks are traded in millisecond timescales, I expect that some MITM attack that has "only" 60 seconds to take advantage of a number will indeed find a way to do so. Particularly if the MITM takes place on the internet. The information is already in a computer. There's even traffic going out *almost* concurrently with the attack, to cover the tracks.

                    • by Mattpw (1777544)
                      There are plenty of phishing examples where they simply added a jabber instant messenger client to the phishing page to instantly transmit the OTP codes.
                • by plover (150551) *

                  Sorry, but the magtek "solution" is a band-aid at best, and far more likely to be snake oil. It's expensive to deploy the fancy proprietary hardware to every single merchant, and as soon as the cloners improve their technology the whole thing fails epically.

                  The entire "security" of the magtek system comes from a technical difficulty that nobody's had the economic incentive to try to break, not that it's technically unbreakable.

                  If adopted, I predict that magtek will make their money, then collapse under the

                  • by swb (14022)

                    Why would merchants need need new hardware? AFAIK the auth code from the card is checked on the back end; merchant systems may need new software to process the transactions so that they can include the auth code from the card.

                    Like any other security solution, it doesn't have to be perfect, it only has to make it complex and expensive enough that crooks move along to some other form of crime.

                    • by plover (150551) *

                      You missed that I was replying to the GP poster who said that the magtek solution (a discriminating read head is installed on the POS terminals) was a good one. It is not. The magtek solution is a terrible solution for all the reasons I mentioned.

                      This new card solution mentioned in the article has an actual basis in cryptography for being more secure than mag stripes. Yes, it can still be MITM and browser hijacked, and will still be susceptible to unauthorized stored reuse (keeping your card on file for aut

                  • by Mattpw (1777544)
                    I am not associated with Magtek but at least they are offering a solution, you cant call it snake oil as it has been widely deployed (in Chile) and has worked quite well by all reports. Their technology security argument seems as strong as anyone else's argument. The question to you is whats the alternative? Magtek requires new read heads to be installed, EMV requires entirely new hardware and the new smartcards to go along with them which cost $2 a pop which by the million is no small change. The bank mana
                    • by plover (150551) *

                      Once criminals get a hold of the new read heads, and learn how to measure the "fingerprints" they will be able to clone the mag stripes. If you can read it magnetically, you can copy it digitally, and you can create a clone that passes the digital tests perfectly. I am not saying I can personally clone the cards yet, but it is inevitable that if this new technology becomes the standard, it will be broken by criminals with the resources to do so. It has not been broken yet simply because it is not widely

                    • by Mattpw (1777544)
                      Please explain your smartcard web based system which will overcome online fraud? If you are thinking of the outrageously expensive EMV CAP readers there is a thread below about it being a monsterous fail in security, cost and usability.
                    • by Mattpw (1777544)
                      regarding Magtek, im not their salesman and I dont know how the costs break down but I know they dont have the cost of replacing all the cards.
                    • by plover (150551) *

                      TFA is discussing the Maestro card being tested by MasterCard in Turkey that has an on-card display of an authorization number. This is identical in practice to an RSA SecurID token. The number proves that the card is authentic and not a clone. Since this number can be keyed by the customer in place of the PIN, the mechanisms exist today for authenticating it. That's a weakness in usability, but a serious improvement in security. It also has the potential to cost the merchants nothing, as it can be use

        • Now here's the kicker: 100,000 credit cards linked to a random cross-section of the population is worth a fair amount of money. Probably more than the cost of cracking that protection. And that means it's still profitable and practical to crack it.

          No, it certainly does not. Assumptions about ROI do not prove a venture is profitable. Facts about the cost to obtain and crack one RSA token, and how much you could sell it for (which would be a fraction of it's value)*, might prove this venture feasible; but the current, dependable state of RSA-token-based security suggests that it is not.

          • Facts about the cost to obtain and crack one RSA token...

            Why do people on slashdot invariably assume that the most difficult to attack component is the measure of the security of the system? O_o

            • Because not every system is secured with a single chain. This system is a lock, and it has 3 keys. To obtain one viable account, you have compromise the ID(card number), PIN, and the token (or the 128bit key within) linked to the account. None of them works without the other two, thus the combined inaccessibility of each is a measure of this system's security. The PIN and ID each have exploitable information chains, but if you want to clone the card, you need that key, there is no shortcut around that f
              • Assuming there isn't a weakness in the key, or how it's stored on the chip. Perhaps simply having physical possession of the card for a minute is enough to 'scan' it and reveal the key.

                • by plover (150551) *

                  Modern cryptographic (RSA-based) smart cards have demonstrated a consistently high cost of attack, and attacks currently require the destructive opening of the chip and a high resolution microscope and probe, or that they be hooked up to a precision power supply and are subjected to thousands of attacks on the power and timing, not to mention requiring the presence of a PhD to interpret the results. There is some speculation of an RF based attack on the timing as well, but that hasn't been demonstrated yet

    • by Mattpw (1777544)
      No need to attack the algorithm, instead of running a keylogger just run a trojan which attacks the browser and MITB you way straight past this and other OTP devices. Zeus and most of the major trojans already do. While the device shows no information about WHAT they are authenticating its easy to get a user to authenticate whatever you like without spending any extra bucks.
  • ...if the bank card wasn't using some RSA-style system but instead just had an LCD display in the card that changed numbers and just made it LOOK like the numbers were used for some kind of high-strength cryptography?

    It might even be half-assed effective if it made it all the more complicated to manufacture/obtain card blanks. Bonus points for the numbers displayed on the LCD display meaning something halfway useful (some kind of hash representing the card number and the current date) but not really repres

  • T-Spam (Score:1, Interesting)

    by Anonymous Coward

    In a couple years, 90% of all financial transactions will be fraudulent, like spam e-mail.

  • Like all OTP devices including the RSA OTP tokens the modern trojans simply MITB Man-In-The-Browser their way past these devices including the electronic card pictured in the article. Most of the new trojans (Zeus etc) have this feature or module and they simply hijack the browser dll and then create a second connection in the background. Often the banks require a second OTP value to authenticate the outgoing transaction and so the trojans usually just bounce the user to a "session expired, please login aga
    • by jonwil (467024)

      I have followed PassWindow ever since it was seen on The New Inventors on Australian TV and I think its a GREAT idea. I for one would LOVE to see my bank offer this on my Visa Debit card.

      • by Mattpw (1777544)
        Ah cheers, thanks mate, its hard pushing an entirely new method in such a conservative industry but ive finally got some banks implementing it and some online service networks in Asia where security was important. (Not in Australia yet however) Actually since the show ive improved it enormously, the main discovery was that I can do transaction authentication which prevents any type of trojan attack at a fundamental level and give it a security edge over the electronic OTP devices many banks currently use. T
        • by pipedwho (1174327)

          There is a potential issue with your system in situations where the user makes multiple transactions over time.

          The following assumes that a passive trojan is acting as a MITB (man in the browser) and can access both the outbound images and inbound responses. That is obviously not trivial, but possible none-the-less.

          After a single transaction, it should still be theoretically impossible to deduce with 100% certainty the pattern on the user's card.

          However, as the user performs more and more transactions, the

          • by Mattpw (1777544)
            Regarding deductive trojan analysis of PassWindow, you are correct each time the token is used a tiny bit of probabilistic information is leaked in an ideal trojan attack. Since this is the only online attack the method faces everything fom the beginning is done to eliminate that specific threat. When we generate a new key and associated challenge data we assume a trojan is intercepting all the challenges and all the correct user responses. Since the combinatorics inference is entirely predictable we can de
            • by pipedwho (1174327)

              The concept is excellent. It's great to see that your cryptanalysis suggests that there is more than sufficient security margin in the animated challenge / static key generator algorithms that you've created.

              Although, they aren't immune from active attackers as you've described, the primary benefit of the OTP secure token is that passive evesdropping at any single point is insufficient to compromise the system.

              Whereas, while PassWindow is immune to trojan interception, it doesn't solve the problem of the pr

              • by Mattpw (1777544)
                Regarding the personal attacks, ie hidden cameras etc actually I came up with a really simple solution, you tint the transparent background to a 75% darkness which appears almost black in normal lighting but then when placed over a electronic screen the key segments are clearly visible, most people just dont realise how bright the average screen is. From playing with it I know I would have a much easier time surveiling my OTP token screen with a hidden camera than the tinted key pattern. The best thing is t
                • by pipedwho (1174327)

                  One great idea after the next!

                  Out of interest, how did you come up with your figure of 10000 interceptions?

                  After thinking about it for a bit, I get the impression that 10000 is quite high for this type of cipher.

                  The method boils down to a boolean 'OR' of two inputs to produce an output. Only one of the inputs and a section of the output pattern are known. The output pattern is known to exist, but at one of a few possible locations within the combined field. This implies that all other valid outputs do not e

                  • by Mattpw (1777544)
                    When I originally came up with the idea it seemed that 4 digits in 16 columns was going to be cracked in about 10 interceptions, with some careful management of the challenges we could get it up to around 50 but we still felt we might have to deploy a virtual keypad with it which didn’t sit right with everyone. Sadly it was at this point I first went on a TV in Australia and got a front page Slashdot story where the response from security people wasn’t great as nobody wants to hear 10 intercepti
                    • by pipedwho (1174327)

                      Sounds like some decent security analysis has been done. Very impressive that such simplicity can be so effective. I hope it takes off sooner than later.

panic: kernel trap (ignored)

Working...