The Federal Trade Commission said it is cracking down on a years-long scam involving perpetrators' bogus companies that were created to make fraudulent credit card charges.
The scam has been going on for about four years, according to an article Computerworld ran June 27. The scammers set up fake U.S. companies that exploited loopholes in the card-processing system to make a number of small fraudulent charges to stolen credit cards that went largely undetected and uncontested, the FTC said.
The charges, ranging from 25 cents to $9, were disputed by only 6% of victims, the article said.
Over four years, the scammers rang up $9.5 million, the FTC said. The bogus businesses went by names like Adele Services and Bartelca LLC; there were 100 made-up company names overall.
The FTC filed a civil suit against the scammers in March, which led to a freeze on its U.S. assets, the closing of its merchant accounts and a halt to the activities of 14 of the money mules. (U.S. residents who helped move the stolen funds out of the country.)
Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., said the scammers succeeded for so long because they stuck to low-value transactions.
"They know that most of the fraud-detection systems won't detect anything under $10, and they know that consumers won't complain about a 20-cent fee," she said in the article.
Steve Wernikoff, the FTC staff attorney prosecuting this case, called it "a very patient scam."
The scammers were able to trick card processors by creating fake companies with names and addresses similar to real ones, and then using the real companies' tax ID numbers.
For example, the bogus Adele Services was based on the real Adele Group, in New York. The scammers also used stolen identities to conjure up names of company executives.
And through a "virtual office" service operated by a company named Regus, the scammers were able to receive mail that was forwarded from the addresses they made up, the article said. The scammers had the mail sent to a company called Earth Class Mail, which scanned any correspondence and delivered it electronically.
If the scammers had to connect to processor websites, they made sure to use IP addresses based near their bogus physical addresses.
Security experts are realizing that the compromised data from this month's iPad data breach might be more useful than initially thought, The Wall Street Journal reported Monday.
AT&T Inc.'s website exposed e-mail addresses for users of the models of Apple Inc.'s iPad tablet that can connect to its wireless network.
The website did so when a person submitted a valid ICC-ID number, which identifies the mobile device's SIM card. Through brute-force guessing, a person could submit enough valid ICC-ID numbers to obtain a large list of e-mail addresses belonging to iPad users.
The initial response among security experts to this breach was: So what? At worst, the flaw appeared to be a way to get a list of e-mail addresses but it did not expose passwords or billing data. But "some security experts, however, say the ICC-ID number isn't as harmless as AT&T has implied," the Journal reported.
Most notably, a user's IMSI number, which is used to uniquely identify users for billing purposes, can sometimes be derived from the supposedly harmless ICC-ID number, a former cell phone forensics examiner, Lee Reiber, told the Journal. The IMSI number can also be used to track a mobile device user's approximate location or even listen in on a user's calls, Reiber said.
The Journal stressed that intercepting data transmissions is not simple even knowing a user's IMSI number. Doing so "is only possible with equipment that is expensive and typically limited to uses like law enforcement," the article said.
Don't trust an unaffiliated automated teller machine — it may be a scammer's decoy.
A dummy ATM was set up in Beijing to record the card details of any passerby who attempted to use it to withdraw cash, AFP reported June 23. The thieves who planted the ATM then used the stolen card info to create their own counterfeit cards.
One victim reported losing $735 to the scam.
Though not connected to any bank, the ATM otherwise appeared to be a legitimate machine that had fallen into the wrong hands.
The ATM advertised that it accepted many types of bank cards, but when victims attempted to use it, the machine would put up an error message and not dispense any cash, the article said.
Some ATMs could have design flaws that leave them vulnerable to hacking, a security researcher says.
Barnaby Jack, IOActive Labs' head of research, plans to disclose these vulnerabilities at the Black Hat security conference in Las Vegas next month, Reuters reported Friday.
One way ATMs can be left vulnerable to hacking is by leaving communication ports exposed, the story said.
Hardware security expert Joe Grand told Reuters that the research is unsurprising. "Parking meters, ATMs, everything that has electronics in it can be broken," Grand said.
National Australia Bank Group's Bank of New Zealand is rewriting the rule book on card fraud by rewriting some of the data on its cards.
Its "liquid encryption number" system allows it to write dynamic data to magnetic stripe cards, thus making counterfeit cards more easily detectable, The Sydney Morning Herald reported June 23. The dynamic value is changed each time the card is used at an ATM.
If the bank observes an outdated dynamic value, it would know not only that a card has been cloned but also be able to approximate when the data was stolen by determining when the dynamic value on the cloned card's stripe was in use with the legitimate card, the article said.
BNZ is pairing this technology with shields that can be attached to ATMs to make it more difficult for fraudsters to observe a user's PIN while it is typed, the article said.
Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.