Another big heist in the US netting a whole lot of juicy information on credit and debit cards, with over half a million USD lost in this case alone. There’s a whole lot of fraud going on.
Not bad for fiddling with the cash register system of a restaurant chain. It just shows that anyone dealing with financial information really should make sure they are secure.
These guys are clever and they know how to make the most out of whatever they get.
Three men have been indicted for hacking into a number of cash registers at Dave & Buster’s restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week.
The government’s 27-count indictment unsealed this week names Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine, and Aleksandr “JonnyHell,” Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.
That’s a whole long list of indictments! It seems these guys are in pretty serious trouble for what they’ve done. They managed to get hold of the “Track 2” data encoded in the cards, which is quite enough info to reprint new cards with a matching ID and use them in stores.
It’s not really useful for online transactions as they don’t actually know the customer’s name or postal address.
The stolen card data, known as “Track 2” data, is stored in the magnetic stripe on the back of each credit and debit card. It’s stored unencrypted and in plain text. Consequently, it can be read and re-encoded onto a counterfeit card that can then be used to make purchases at main street stores. It includes the customer’s account number and expiration date, but not the cardholder’s name or other personally identifiable information.
As a result, Dave & Buster’s had no way to notify the individual affected customers. Rather, in Sept. 2007, the company alerted its payment processor, Santa Monica, Calif., based Chase Paymentech Solutions, LLC, which in turn notified the credit card companies.
I wonder whether the company will get sued for incompetence or for allowing such a breach of data. Saying that, though, no ‘confidential’ or ‘personal’ information was lost, so the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.
Source: Washington Post
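The Track 2 data described in the article follows the ISO/IEC 7813 layout: start sentinel, account number, separator, expiry, service code, discretionary data, end sentinel. The following is an added example, not part of the original post: a scanner a defender could run over logs or exports to find and mask plaintext Track 2. The function names and the sample log lines (built around a well-known test card number) are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM + 3-digit service code + discretionary data?
# Note there is no cardholder-name field, as the article points out.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Luhn checksum; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def _valid(m):
    return 1 <= int(m.group(3)) <= 12 and luhn_ok(m.group(1))

def find_track2(text):
    """Return masked findings for every plausible Track 2 string in text."""
    return [{"offset": m.start(),
             "pan_masked": mask_pan(m.group(1)),
             "expiry": f"{m.group(3)}/{m.group(2)}",   # MM/YY
             "service_code": m.group(4)}
            for m in TRACK2_RE.finditer(text) if _valid(m)]

def redact(text):
    """Replace each plausible Track 2 string with a masked placeholder."""
    def repl(m):
        return f";{mask_pan(m.group(1))}=[REDACTED]?" if _valid(m) else m.group(0)
    return TRACK2_RE.sub(repl, text)

# Constructed sample log: line 1 holds a Luhn-valid test PAN, line 2 fails Luhn.
SAMPLE_LOG = (
    "12:00:01 pos-07 swipe raw=;4111111111111111=30121010000000000000?\n"
    "12:00:09 pos-07 ticket=;4111111111111112=30121010000000000000?\n"
    "12:00:15 pos-07 total=42.50 approved\n"
)

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```
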
zupakomputer says
Credit cards have been hackable all along. It was even possible to use hotel door key scanners to read the magnetic strips, and make dupes.
At the end of the day, there’s some things that don’t benefit from becoming automated. At least when it was old ring-up tills, you couldn’t mess things up with the wrong scan-in, one person on the till at a time, sorry can’t give you change of whatever cause it’s all automated – you just punched in the prices, and added them up, and printed a receipt.
It’s an awful thing when technology replaces what works fine without it (or in this case, without it updating past mechanical or stand-alone electrical).
Guy Sohmbadi says
Hey – just a quick note: You say “the only real loser here are the banks and credit card companies who will have to refund all the money fraudulently used.”
This is incorrect. Visa/MC/AMEX are set up so that in the event of a fraudulent transaction, the MERCHANT loses, not the bank or credit card company. In fact, they even get to keep the transaction fees for the fraudulent transaction…
Let me repeat that. The ONLY person that loses in a fraudulent CC purchase is the MERCHANT. They are out the goods, and the CC company takes back the money, to give it back to the real card holder.
linuxamp says
Guy, you say that the merchant is hurt. Don’t the CC companies have security policies that, if followed, remove such liability? What about auditors? You’d think the merchants could have CC audits also to shift liability.
Jinesh Doshi says
Thankfully our country is not that advanced or I would have lost $5k-$10k already :)
Lawrence Pingree says
Actually, the loser here is the retailer; the retailer is held responsible for fraudulent transactions since the retailer is the one who was not protecting the data appropriately. The credit card companies and banks are almost never held responsible; it sucks, but it’s the way their contracts are written. I have proposed several times to the House Subcommittee on Finance and Consumer credit to change the laws regarding validation of PII during credit issuance to include validation of the credit to check a valid Bank Checking account information against the credit card before permitting the credit issuance. I know it does not apply here, but most fraud is performed without AVS (Address Verification Service), which is one huge issue with processing cards. I feel the PII should be encrypted in the card with the user’s PIN just like debit cards; this way the card cannot be used unless you have the PIN, duh. Credit card companies have this ability on their terminals but refuse to utilize it because then they would be held more responsible instead of the retailer. My 2 cents.