Are hackers ahead of card security?
A cyber crime ring has set a new record for the number of credit cards it hacked and compromised -- 130 million. How does a fraud happen on such a massive scale? Host Tess Vigeland talks with credit-card security expert Ted Crooks.
A number on a credit card (iStockPhoto)
More on International, Crime - Law, Russia
Links
- No soup for you, credit card thief
Scott Jagow on the Scratch Pad blog.
TEXT OF INTERVIEW
Tess Vigeland: So how does a fraud happen on such a massive scale? Well, basically, the thieves figured out some security algorithm that was being used by a credit-card processing company. And they used that information to swipe numbers from five major retailers, including 7-Eleven. The fraud involves an American suspect based in Miami and Russian accomplices.
For a look at how and why these massive thefts continue despite the best efforts of law enforcement, we turn to Ted Crooks. He's vice president of Global Analytics and helps banks come up with solutions to credit fraud problems. Thanks for talking with us.
TED CROOKS: My pleasure.
VIGELAND: Where was the failure here? Consumers, retailers, banks, some sort of middle man?
CROOKS: It's a shared responsibility because the payment system is like a giant refinery, with tubes and pipes and valves everywhere. And you are going to get leaks occasionally, and the system has to be built so it can withstand some of those leaks. And this is one case where a leak got completely out of control.
VIGELAND: So who takes the hit here? Who loses their shirt? Consumers really aren't held responsible, right?
CROOKS: Generally not. Under rare conditions a financial institution might try to pin it on a consumer, especially on a debit card because they're not as protected as credit cards. But in general, 99.99 percent of the loss will go to credit-card issuing banks.
VIGELAND: Is it true that banks and these payment-gateway systems that we're hearing about, that they have access to technology that could prevent this but they don't always use it?
CROOKS: Well, that's a little self-serving for me to answer that because that's the kind of stuff that I build, and our company does. Yes, there is always more technology that could be supplied. And much of it, of course, I think would be very worthwhile. But banks have to judge is that extra bit of technology going to really save enough money to make it worthwhile. The fraudsters will no doubt adapt around it eventually. So this is a never-ending arms race. Also if one bank gets ahead of the next bank, well then that other bank will catch up as well, and they all end up at parity again. They're more concerned how they stand with competition than the absolute amount of fraud.
VIGELAND: I've read that European credit cards actually have more protections than those in the U.S. Why is that?
CROOKS: Yes, the cards are more secure, but it's caused a bigger fraud problem. The UK, for example, shifted over to a secure, chip-based card that has an integrated circuit in the card and requires a PIN number anytime you use it. The electronics is very secure. But actually fraud has gone up substantially as a consequence of implementing it. And the reason was even though the fraud is more difficult, it's now more valuable. Because the same PIN you use to buy gas at a gas station you use to get cash out of a ATM.
VIGELAND: You know, is this kind of thing simply a fact of life at this point? Are we going to look back in a few years and say 130 million credit cards, child's play?
CROOKS: Well, it's actually much less serious than it was sometime back. About 15 years ago, fraud was much worse than it is now. Better technology was brought to play and has reduced fraud, and now it's starting to creep back up. And these compromises are only one aspect of it. It's a serious problem for the industry and for economic policy makers, but it's not really a big threat for individual card holders.
VIGELAND: I guess even if consumers shouldn't be losing sleep at night, the advice remains check your credit reports as often as you can.
CROOKS: Well, the big thing is if you're really worried about it, use your credit card more often than your debit card. If you can keep your balance down and pay it off every month, a credit card is safer. And secondly, do keep track of your bills first. Look at those bills you get from the card company and make sure that there's nothing on there you don't recognize. And then check your credit report. And you can do that three times a year for free.
VIGELAND: All right, excellent advice. Ted Crooks is vice president of Global Analytics. Thanks so much for joining us.
CROOKS: My pleasure.
Comments
Comment | Refresh
08/19/2009
Like the above poster stated, there is no sophisticated algorithm or even.
These networks were infiltrated through the web via SQL injection. This means that with the attacks taking place on an open port(80), that no traffic would of been blocked. Therefore allowing the attacker to bypass firewalls, and than work to gain administrative privs to infiltrate the rest of the network.
Once the attacker has administrative access, they're probably going to start looking for the domain controller/'s. When you gain administrative access to the domain controller/'s, you control the entire network.
Once the hacker has control of the network, he can custom code programs to do anything he wants..
He can have it gather all debit and credit cards, including pin, and store them into a text file, db file, encrypted file, etc.
At this point is when the data was probably being saved into some type of database or file, and than sent to the servers in the two other Countries.
This crime is not that sophisticated, it just took a lot of planning and 'man power'.
From Rochester, NY, 08/18/2009
Mr. Siegler is correct. There was no "security algorithm" figured out. The attackers used a technique called SQL injection, which essentially adds malicious commands to input data. I've tried to explain roughly how it works here: http://people.rit.edu/pkf1214/writing/sql-injection/
08/18/2009
I believe the reason Crooks recommended credit over debit is that it's not tied to your bank account. By reviewing your bill, you can catch unauthorized charges on a card and credit card companies monitor unusual trends (I've gotten a call from them when using my card late at night to buy gas and then groceries). All this vs. finding out your bank account has been emptied. Also, I know someone who had a much harder time convincing her bank when her debit card was hacked - they did try to blame her. I've never heard about this happening from credit card fraud.
08/18/2009
Lots of errors. The bad guys did not "figure out some security algorithm" at the targeted processors and retailers. After months of study and effort, they built attack tools that exploited vulnerabilities in the victims' systems. They then installed sophisticated sniffers and Trojan horse programs that masked their activity.
Credit card transacts are not "more secure" than PIN debit. In fact, credit card transactions are far less secure because they do not use encrypted data. PINs are encrypted and verified. The issuing bank may handle fraud differently for credit VS debit. The consumer protection laws require different policies. But there is comparatively trivial amount of fraud committed with PIN debit compared to the massive losses for standard credit cards which can be used without verification.
Crook's comment "Because the same PIN you use to buy gas at a gas station you use to get cash out of a ATM" is rather strange. The same PIN has always been used at the ATM and for purchases. It is not the cause of fraud increases where chip and PIN has been deployed. Overall fraud is higher for other reasons. The fraud rates in the UK are not higher for chip and PIN. They are much lower than for magnetic stripe.
Mark E. is correct. Most of the losses are rolled back to the merchants who fund most of the system anyway through interchange and fees. And of course, since this is a profit-making system, the consumer is the final payer.
From Montpelier, VT, 08/18/2009
Most of Credit Card fraud losses are born by the merchants! Not the issuing bank. Please check your facts. (My first comment got cut off)
From Montpelier, VT, 08/18/2009
"CROOKS: ... But in general, 99.99 percent of the loss will go to credit-card issuing banks."
Post a Comment: Please be civil, brief and relevant.
Email addresses are never displayed, but they are required to confirm your comments. All comments are moderated. Marketplace reserves the right to edit any comments on this site and to read them on the air if they are extra-interesting. Please read the Comment Guidelines before posting.
You must be 13 or over to submit information to American Public Media. The information entered into this form will not be used to send unsolicited email and will not be sold to a third party. For more information see Terms and Conditions and Privacy Policy.