In late March, before Schnuck Markets Inc. knew the extent of a
breach that compromised as many as 2.4 million debit and credit cards, a
Wal-Mart employee in Plano, Texas, saw something strange.
The employee, a loss prevention officer, noticed a woman acting
oddly. She was trying to use several payment cards at the register, and
she was buying gift cards. Both of those things raised red flags, so the
officer took the woman aside.
Later that day, the woman was charged with credit card forgery. And
sometime that same day, law enforcement authorities made a link: The
44-year-old Fort Worth, Texas, woman was attempting to shop with
counterfeit cards containing data that had been stripped from a card
used at a Schnucks grocery store, hundreds of miles away and probably
months beforehand.
While thousands of fraudulent transactions linked to the breach were
conducted all over the country, the woman's arrest is one of only a
handful made so far, and it was something of a fluke.
The fact is, experts say, it's not likely that many people will be
called to account for their criminal connections to the breach.
The woman may have been what cyber-crime investigators consider a mule
or a runner: a person who takes fake cards encoded with stolen data and
attempts to see if the cards work, reporting success or failure to
higher-ups.
Or she may have bought the cards on the black market, hoping to get
away with fraudulently purchased loot, or in this case, gift cards.
In other words, she is small potatoes, not the person investigators
are after. The people investigators really want are likely thousands of
miles away, possibly in Eastern Europe, and they may never catch them.
Those thieves, experts say, have probably closed up shop and moved
on, vanishing without a trace, leaving people such as the woman charged
in Plano holding the proverbial bag.
Cyber-crime experts say that, given that information and given what
they know from cyber-sleuth circles, the data were lifted just after
cards were swiped at the point of sale. Several said the likely culprit
was a Romanian cyber gang.
“The Schnucks breach was the result of random access memory malware,”
explained Al Pascual, a senior analyst of security risk and fraud at
Javelin Strategy & Research, a California company that advises the
payment industry. “That means there's malicious software at the point of
sale.
After a card is swiped, the data goes into the register, then it goes
to random access memory on the computer itself, and this malware pulls
it right off the memory before it's transmitted somewhere else.”
Typically, after information is stolen, it gets sold in batches on
the Internet. The thieves send the data to an IP address (Internet
Protocol address) where other thieves can buy the information. This used
to happen on what's known as the “dark Web,” beyond the reach of online
search engines, but now, experts said, a buyer can find stolen data
fairly easily.
“It used to be you had to know where to go,” Pascual said. “But it's
made its way into the mainstream. Now you can actually Google the
information, and you'll find forums. There are even groups on Facebook.”
After buyers get their hands on the information, they often encode it
into cards, often blank cards known as “white plastics” in the industry,
or on gift cards that they recode with the stolen information. The data
can be used to buy merchandise online in “card not present”
transactions.
By the time these cards make their way down the food chain (from the
hackers, through the syndicates that sell the data, to the low-level
mule or buyer on the street), the IP address where the information was
sent has long gone dark, and the criminals have vanished.
“They bounce information from different IP addresses, and then they
burn them; they don't use them again,” explained Jim McKee of Red Sky
Alliance, a network of cyber-security experts based in St. Louis. “So
you have a dead end. The hackers sold all the credit card numbers,
they've made their money, and they've moved on.”