Cybercrooks can buy hacked POS device and money-laundering bundle for $2,000

Crooks can now purchase a low-cost, booby-trapped bank card reader bundled with a suite of money-stealing support services that make fraud crimes even easier.

The full package of goods and services now available on the digital underground includes:

  • Rigged card reader that can feed stolen account data to a laptop via serial cable or to a phone outfitted with a SIM card,
  • Participating "grey" merchants who provide illegal cash-outs of dumped PINs, and
  • Hire-purchase agreement that allows criminals to buy the package for $2,000, in exchange for sharing 20% of pilfered proceeds.

Then again, criminals who don't feel like sharing the profits can simply buy a working kit outright for $3,000.

The finding comes from cybersecurity consultants Group-IB, a company that's detected criminals who have started to sell modified Verifone VX670 POS Terminals (GSM) that intercept tracks 1 and 2 from the magnetic stripes on the back of swiped bank cards.

In other words, crooks are able to purchase rigged card readers with which they can swipe a card (can you imagine how often store clerks or wait staff do that every day?) and get your account number, your name and your PIN code.

Andrey Komarov, head of international projects at Group-IB, told The Register that the fraud takes less than 3 hours.

The new approach is being used by various cybercriminals against the Russian bank Sberbank, Komarov said.

In this video demonstration (courtesy of The Register's YouTube channel) that Group-IB apparently downloaded from an underground market, a card is swiped through a tampered point-of-sale (POS) device, and a PIN is entered - the same as would happen in a typical card transaction.

After a series of key-presses, the data is transferred to a laptop via serial cable, and the computer screen displays account numbers and other sensitive information. The data can also be texted to a mobile phone that's outfitted with a SIM card reader.

That evidence leads Group-IB to believe that the vendor of the fraud bundle is based in Russia, he said:

On the video demonstration, it is possible to detect the "Sberbank" credit card in the example (the national and leading Russian bank). The criminal extracts the intercepted information from the device by USB/COM port and demonstrates the intercepted data on the PC. For sure, the vendor of the service is with Russian-speaking roots, because of the previous fact with the "Sberbank" card.

Crooks have been hacking and selling tampered POS systems for some time.

Case in point: In March, a pair of former Subway franchisees from California were charged with cyberfraud after allegedly selling pre-compromised POS systems that allowed them to plunder gift card credits.

Fortunately for us good, law-abiding consumers, POS fraud is tough. ATM skimmers are "really hard to sell and to use," Komarov says, given how much attention banks have given the problem, with the result of improved physical security around the devices.

(In Australia, however, crooks have turned to 3D printers to help in the manufacturing arms race of ATM skimmers.)

POS malware is another new trend, but it's hard to find vulnerable card readers and merchants, not to mention the difficulties around installing the malware, which requires the use of insider help.

All that means the crooks are going to just eat this new bundle right up, Komarov said, given its low cost and ease of use:

It is easy to [figure] out that it is cheap, and such kind of service will have great popularity in the black market, [given that] tampered devices such as this... [are] very easy to use with the help of [insiders] in restaurants and [in the] retail sector.

It might sound quite appealing to the criminal set, but they should bear in mind that getting caught is no fun.

It might be tough to track down and prosecute cross-border criminals who steal bank-card data, but it most certainly isn't impossible.

That was evidenced by the case of a Romanian payment card crook, who was sentenced in January to 21 months jail time in the US for hacking POS systems at Subway and other businesses.

Prison time can be a pretty serious string attached to this good-sounding fraud deal.

Image of POS device courtesy of Shutterstock.

3 Responses to Cybercrooks can buy hacked POS device and money-laundering bundle for $2,000

  1. cash comeback

  2. Sean · 348 days ago

    "...criminals who don't feel like sharing the profits..."

    In my lexicon, money acquired through criminal activity is not profit. Profit is the gain that results from voluntary transactions, where those involved know what they're exchanging.

    You're talking about fraud here...outright theft. Loot, booty, takings, plunder, pillage, lucre, rapine...these are appropriate descriptors for ill-gotten gains. Not only are they more semantically precise, they're far more colorful. And they don't give the appearance of an anti-profit ideological agenda.

  3. poorguy · 348 days ago

    Seriously? $2000? ...Every electronics graduate can make it! I can make it, if I want it. But no, I'm not a cracker, and not a bad guy. $2000 for a SIM card reader / magnetic reader and some crypto codes? You can even ask some anonymous member to do some crypto things for free just using their own ego, ha ha ha.

    No need for 3D printing... just use some gypsum/fiber + used plastic bottle + Fortran code to frame the card house on the ATM machine. $2000? You can make it for $100-200.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.