
New Security Threat ... Little Piece of Plastic, Usually Purple


Monroe


How about this ... it was so nice when I got my first computer in 1998 ... it was before all of the spying, stealing personal and financial information and all the other "negatives" that have developed. Maybe we could still trust Google, Yahoo and other sites back then ... there was no Facebook and the other stuff that was soon to come along ... it was kind of a nice time for me ... learning about my "new" computer and enjoying the internet with all the information and conveniences it had to offer. The "digital world" was truly great and it was a great experience for me.

So now we have to check the back of a cash register for a little piece of purple plastic which of course most of us won't be able to do ... what's the next surprise ???

New security threat: Cash register skimmers

16 Oct 2013

http://www.cnbc.com/id/101115205

Crooks who steal credit and debit card numbers have found a devious new way to snag this information. They're using a small, relatively cheap piece of off-the-shelf technology to compromise computerized store cash registers.

We know about this because a band of brazen thieves was caught on security cameras installing these high-tech skimmers on cash registers at the Nordstrom store in Aventura, Fla., two weeks ago.

The skimmers are built into standard Ps2 cable connectors that plug into the back of a computer where customers can't see them. They're only about an inch long—and look so innocuous that even if employees saw them they might not suspect anything.

"It's a little piece of plastic, usually purple, that fits into the port where your keyboard connects to your computer," said security analyst Brian Krebs, who first reported this story on his KrebsOnSecurity blog. "It intercepts any data that is sent on that communication channel, whether it's keystrokes or somebody swiping a card through a terminal."

Ps2 keystroke loggers have been available for years. They sell for as little as $40 and are marketed as "professional surveillance products." Krebs said this is the first time he's ever heard of them being used to skim card information from a retailer.

Nordstrom confirmed that it had found and removed "unauthorized devices on a small number of cash registers" at its Aventura store.

... More info at the link.

Edited by duffy98


So you are saying that a person who steals/makes/sets up these devices could in fact collect people's information thru a keyboard i/o??? They walk right into the store, make a distraction, and plug the device in. To a non computer savvy person, it looks normal. So then a store security officer sees a person not in store uniform installing a device.

These devices are sometimes hidden in consumer products as well? My Keyboard device, might be storing data on me right now, as I type this? In a short note, the law is interpreted in words and words alone.

Let me say something. That purple thing they're talking about is a standard color for the official Keyboard i/o devices. Most if not all keyboards after the Serial days were taken over by these. Most likely the mouse and keyboard ports are limited??? compared to the serial.

The disturbing part about this is not security threats to your Debit/credit card, since it is very easy to get your cash refunded. Just by filing a report to your bank. Where they will destroy your card, and send you a new one. Some people are just too dumb to take immediate action when they see the charges in their account history. Even when they have "direct/electronic access" to their history. The disturbing part is if any vendors like OCP or Shinra Electrical is using this against us.

Not too long ago, when I should have quit college in my intro to computer class, the professor was telling me about how you could program the keyboard for many things. In fact many older and bolder computers from the 1980's could make sound effects come out of the keyboards, lights play in sequential order (like on a toy), and even store tons of data. More recently a new keyboard has visual displays, so you can have keys with little screens that display any image you want on them.

Edited by ROTS

No surprise to me.

Look up ATM scamming. Clever thieves build false attachments to accept your card and record your PIN. The machine doesn't work so you just move to another one and think nothing of it. Later the thief collects the attachment and no-one realizes it was ever there. Then they have a collection of PINs and card stripe information to use at their leisure.

That is quite a bit of expert and elaborate handiwork done elsewhere without an ATM to practice on. So with everyday computers it is far easier for them to trial and error on actual computers they have.

EDIT: typo

Edited by CharlotteTheHarlot

  • 1 month later...

It seems this little piece of plastic was "possibly" at work at Target on Black Friday and beyond ... look at the magnitude of the operation ... all over the country, how could that many people be involved without being seen or noticed? ... getting near cash registers for the time required to install or hook something up.

"The theft was national in scope and happened in stores, not online, and may have involved tampering with the machines customers use to swipe their cards when making purchases, people familiar with the matter said."

Target Hit by Credit-Card Breach

Updated Dec. 19, 2013

http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538

Target Corp. was hit by an extensive theft of its customers' credit-card and debit-card data over the busy Black Friday weekend, a brazen breach of the major retailer's information security.

The company early Thursday confirmed a data breach may have affected about 40 million credit- and debit-card accounts between Nov. 27 and Dec. 15. Target said it alerted authorities and financial institutions immediately after it found out about the unauthorized access. It added that it is partnering with a forensics firm to conduct an investigation into the incident.

--------------------------------------------

Target: 40M card accounts may be breached

http://wtop.com/628/3527975/Target-40M-accounts-may-be-involved-in-breach

Edited by duffy98

There's a problem with this story. It specifically points out that the attack was done in a store and not online, however it doesn't match up with the data stolen.

"The theft was national in scope and happened in stores, not online, and may have involved tampering with the machines customers use to swipe their cards when making purchases, people familiar with the matter said."

"The data affected in the breach included customer names, credit or debit card numbers, expiration dates and CVV security codes, according to a notice posted for customers on the Target website."

CVV codes are only printed on the card and not part of magnetic strip data. So in order for CVV codes to be part of the data, it would have come from instances where they were manually entered during a purchase. A standard purchase at Target does not use this code. To my knowledge, the only time you'd need it is if you were returning an item for credit and money was added back to your card through a request to the card company. The other place this code could be used is online. It is possible that this database had a field for CVV codes but it was not present for a lot of customers.

Unfortunately, Target has itself a larger problem. It is illegal for a merchant to store CVV codes in a database for any reason.

http://blog.elementps.com/element_payment_solutions/2011/03/staying-within-pci-dss-requirements-when-storing-cvccvv2-information.html

https://www.braintreepayments.com/blog/merchants-are-prohibited-from-storing-cvv2-csc-per-pci-standards

Information regarding the code and the magnetic strip:

https://secure.bmtmicro.com/resources/info/CVV.html


"It is illegal for a merchant to store CVV codes in a database for any reason."

Well, actually it is not respecting the PCI standards, being "illegal" is different.

These clowns here:

https://www.pcisecuritystandards.org/

https://www.pcisecuritystandards.org/security_standards/role_of_pci_council.php

just as any self-appointed, self-generated assembly of clowns calling themselves an "industry standard" remain mainly worth-nothing/do-nothing people that pontificate about theories, are of not any practical use if not to provide a valid justification for the big Credit/Debit Card circuits (Visa, Mastercard, American Express, etc.) continuing to do whatever they see fit and keep their dominance on market and market shares.

Whether a country or state Law - separately and independently from the above - does coincidentally prohibit that storing, it is another thing.

jaclaz


Ok, breach of contract is illegal, correct? Take Visa for example, merchants are not allowed to store CVV codes. If any Visa cards are within this database and CVV values are stored, they would be in breach of the Visa Merchant Agreement for accepting Visa card payments.

http://usa.visa.com/download/merchants/card-acceptance-guidelines-for-visa-merchants.pdf


Breaking the Law is illegal.

Breaching a contract may be illegal ONCE (and IF) a Court has ruled that the contract breach happened AND it was illegal (i.e. it is breaking the Law) and that the contract is legal.

It is NOT the same thing.

jaclaz


More alarming news about the Target mess and encrypted personal identification numbers (PINs).

"The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.

One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation."

Exclusive: Target hackers stole encrypted bank PINs

Dec 24, 2013

http://uk.reuters.com/article/2013/12/24/uk-target-databreach-exclusive-idUKBRE9BN0L420131224

... more at the link, I just pulled out a few things from the story.

Target has not said how its systems were compromised, though it described the operation as "sophisticated." The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.

The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.

While bank customers are typically not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase & Co and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.

Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.

"That's a really extreme measure to take," said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. "They definitely found something in the data that showed there was something happening with cash withdrawals."

BREAKING THE CODE

While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.

Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed.

As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.

The attack on Target began on November 27, the day before the Thanksgiving holiday and continued until December 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.

On December 21, JPMorgan, the largest U.S. bank, alerted 2 million of its debit cardholders that it was lowering the daily limits on ATM withdrawals to $100 and capping store purchases with their cards at $500.

On Monday, the bank partly eased the limits it had imposed on Saturday, setting them at $250 a day for ATM withdrawals and $1,000 a day for purchases. (The usual debit card daily limits are $200 to $500 for cash withdrawals and $500 for purchases, a bank spokeswoman said last week.)

On Monday, Santander - a unit of Spain's Banco Santander - followed suit, lowering the daily limits on cash withdrawals and purchases on Santander and Sovereign branded debit and credit cards of customers who used them at Target when the breach occurred. Santander did not disclose the new limits, but said it was monitoring the accounts and issuing new cards to customers who were affected.

The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos Inc, led to the theft of data from more than 90 million credit cards over about 18 months.

...
