Terminal Velocity
Many terminal makers include features to show evidence of device-tampering, and fraudsters, in turn, play up their abilities to
Brian Krebs showed some of these pitches in a post to his website, Krebs on Security, on May 18.
Scammers advertise "Pre-compromised [point of sale] terminals that can be installed at the cash register; fake POS devices that do not process transactions but are designed to record data from swiped cards and PIN entries; or do-it-yourself kits that include all parts, wiring and instructions needed to modify an existing POS terminal."
Krebs interviewed an entrepreneurial fraudster who sells devices made to order. This thief specializes in targeting VeriFone Systems Inc. terminals.
"His skimmer kit includes a PIN pad skimmer and two small circuit boards," Krebs wrote. "One is a programmable board with specialized software designed to interact with the real card reader and to store purloined data; the other is a Bluetooth-enabled board that allows the thief to wirelessly download the stolen card data from the hacked device using a laptop or smartphone."
Kits from this particular dealer cost roughly $3,000.
Customers who purchase 10 or more kits get a discount and can buy them for about $2,000 apiece.
Sony Stung Again
After a data breach led to a nearly monthlong outage of Sony Corp.'s PlayStation Network online gaming service and digital media store, the company finds that another of its units
The Sony BMG website in Greece was "hacked and information dumped," according to a May 22 post on NakedSecurity, the blog of the security firm Sophos Ltd.
A database containing usernames, real names and email addresses of users registered on SonyMusic.gr was posted to the Internet document repository pastebin.com.
This latest attack, on top of the company's PSN breach, could prompt Sony to beef up its website security, Sophos said. Both incidents have exposed critical flaws in the company's Internet services.
"The lesson I take away from this is similar to other stories we have published on data breaches," wrote author Chester Wisniewski, senior security advisor at Sophos Canada. "It would cost far less to perform thorough penetration tests than to suffer the loss of trust, fines, disclosure costs and loss of reputation these incidents have resulted in."
Sony recently restored some functions of the PSN after a 26-day outage, in which the personal data of millions of subscribers was exposed.
During the outage, Sony also discovered that the card data of customers of its online PC games had been exposed.
Under the Hood
When asked to remove his hood, the robber complied — and robbed the bank anyway, The Columbus Dispatch reported May 19.
No suspect had been identified by the time the article ran.
Federal Bureau of Investigation Special Agent Harry W. Trombitas said he suspected that the robber removed his hood to avoid drawing more attention to himself, and in doing so allowed the bank's cameras to get a clear look at his face.
When he got to the front of the teller line, the culprit handed the teller a holdup note, threatening to shoot her if she did not hand over any money.
The suspect is a white male in his mid-20s, 5 feet 5 inches tall, clean-shaven with short brown hair.
A Bad Bet
Two people
The newspaper cited a Pechanga Resort and Casino investigation statement that said "the men used more than two dozen fraudulently obtained Chase Bank Visa debit card numbers to purchase around $25,000 in gift cards at the casino."
The men allegedly bought the cards in late February, placing their real names on the cards. The casino estimated that it lost $50,000.
Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.