Attack of the Clone

Sealtiel Chacon Zepeda stole gift cards not from a massive database, a newspaper report says, but one at a time, from store shelves — and then he put them back.

Before returning them, Zepeda copied the data in the cards' magnetic stripes, then stored that data on a computer, the report says. Since the cards do not carry a balance until they are purchased and activated, he used a computer program to check the cards' status online multiple times a day. Whenever a card was activated by another shopper, the story says, Zepeda wrote that card's stripe data to another card and drained the balance of the cloned card.

Zepeda pleaded guilty this month to five counts of computer crime for what Beaverton, Ore., Police Detective Michael Hanada called a "really unique" form of card fraud, The Oregonian reported Aug. 11.

Zepeda was caught after a Fred Meyer retail location he targeted investigated multiple complaints from customers who bought gift cards from the store but discovered later that the cards — which Zepeda had already stolen, copied and returned — had a zero balance, the paper said. Fred Meyer lets customers check gift card balances and activation status on a website, which was how Zepeda was able to automate his testing of which cards were active.

That website also played a major role in Zepeda's capture.

A typical gift card customer would check the card's balance online only once. The cards Zepeda stole "racked up hundreds of balance inquiries a day," the paper said. These inquiries all came from a computer with Zepeda's Internet Protocol address. This evidence, paired with video surveillance footage of Zepeda, helped lead to his arrest in February 2009.

Police said that they found roughly 1,000 stolen gift cards at Zepeda's home, and that he targeted a number of other retailers, though Fred Meyer, which is run by Kroger Co. of Cincinnati, was the only store that agreed to cooperate with police.


A woman suspected of using a cloned debit card at a retail store may have been just one player in a much larger fraud ring.

Lecresha S. Dudley was arrested Friday in Flowery Branch, Ga., after a 911 call was placed about someone trying to use a fake debit card at the retailer, The Times of Gainesville, Ga., reported Monday. Another unidentified person fled the scene before police arrived.

Police say Dudley, who was caught allegedly using the driver's license and payment cards of a California woman, may be involved in a fraud ring that has also scammed retailers in Texas, Louisiana and Florida. In all, the ring is believed to have made more than $100,000 in fraudulent charges, police said.

Dudley has been charged with one count of card fraud, one count of forgery of a transaction card, two counts of identity fraud, two counts of first-degree forgery and 13 counts of transaction card theft, the paper reported. She also had outstanding warrants in other counties on similar charges.

Breach Records

Breaches at the Department of Veterans Affairs no longer measure up to the infamous 2006 incident that affected more than 26 million people — but they still happen, and the agency is increasingly open about them.

The department has begun publishing monthly reports detailing any possible exposures of sensitive data, InformationWeek reported Aug. 13. A report that covers the time from July 5 to Aug. 1 details, among other incidents, six lost laptops, 13 lost smartphones and two lost personal computers. The laptops were all encrypted, the report noted.

The report also describes incidents such as when sensitive e-mails were sent to the wrong party.

The most recent data breach that InformationWeek described as "major" was in April, when two unencrypted laptops with the personal information of about 600 people were lost.

The article describes the department's openness today as a sharp contrast to its state in 2006. "The posting of the reports also shows how far the agency has come in terms of transparency and accountability for its IT operations, which historically have been criticized for serious inefficiency," the article said.

Arrest

An alleged card fraud veteran has been arrested in France and faces extradition to the U.S.

Vladislav Anatolievich Horohorin is believed to be one of the earliest members of one of the earliest online marketplaces for stolen card data, CarderPlanet. Horohorin was indicted in November 2009 on charges of access-device fraud and aggravated identity theft after an investigation by the U.S. Secret Service, Wired.com's "Threat Level" blog reported on Aug. 11.

Horohorin was arrested in Nice, France, as he boarded a flight to Russia, the story said. If convicted in the U.S., he could face up to 10 years in prison and a $250,000 fine for the access-device fraud charge. The identity theft charge could double the fine and add another two years in prison.

The indictment described how Horohorin allegedly defended his card-trading sites against hackers who tried to break in to steal the websites' supply of stolen card data. One site, dumps.name, had a notice offering to pay hackers who found scripting vulnerabilities if they reported the vulnerabilities without using them.

"Please think about one thing — how much time a lot of people spent here to get the [card data] to make this shop available for underground," the notice said.

Parking Violation

Hackers may have compromised up to 5 million websites in a scam that targeted "parked" domain names — those where someone has bought the domain but has yet to put up a permanent Web page, Computerworld reported Monday.

Parked domains typically display ads, generating revenue for the company that hosts the site until the domain name's owner uploads something else.

The security company Armorize Technologies Inc. of Santa Clara, Calif., discovered that a large number of domains parked with the hosting provider Network Solutions LLC had been compromised with a widget that could infect many of the computers that visit those sites.

Network Solutions confirmed to Computerworld that there was an incident, but it disputed Armorize's estimate for the number of compromised sites.

It said it has disabled the problematic widget.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.