Crooks can now purchase a low-cost, booby-trapped bank card reader bundled with a suite of money-stealing support services that make fraud crimes even easier.
The replete package of goods and services now available on the digital underground:
- Rigged card reader that can feed stolen account data to a laptop via serial cable or to a phone outfitted with a SIM card,
- Participating “grey” merchants who provide illegal cash-outs of dumped PINs, and
- Hire-purchase agreement that allows criminals to buy the package for $2,000, in exchange for sharing 20% of pilfered proceeds.
Then again, criminals who don’t feel like sharing the profits can simply buy a working kit outright for $3,000.
The finding comes from cybersecurity consultants Group-IB, a company that’s detected criminals who have started to sell modified Verifone VX670 POS Terminals (GSM) that intercept tracks 1 and 2 from the magnetic stripes on the back of swiped bank cards.
In other words, crooks are able to purchase rigged card readers with which they can swipe a card (can you imagine how often store clerks or wait staff do that every day?) and get your account number, your name and your PIN code.
Andrey Komarov, head of international projects at Group-IB, told The Register that the fraud takes less than 3 hours.
The new approach is being used by various cybercriminals against the Russian bank Sberbank, Komarov said.
In this video demonstration (courtesy of The Register’s YouTube channel) that Group-IB apparently downloaded from an underground market, a card is swiped through a tampered point-of-sale (POS) device, and a PIN is entered – the same as would happen in a typical card transaction.
After a series of key-presses, the data is transferred to a laptop via serial cable, and the computer screen displays account numbers and other sensitive information. The data can also be texted to a mobile phone that’s outfitted with a SIM card reader.
That evidence leads Group-IB to believe that the vendor of the fraud bundle is based in Russia, he said:
On the video demonstration, it is possible to detect the "Sberbank" credit card in the example (national and the leading Russian bank). The criminal extracts the intercepted information from the device by USB/COM port and demonstrates the intercepted data on the PC. For sure, the vendor of the service is with Russian-speaking roots, because of the previous fact with the "Sberbank" card.
Crooks have been hacking and selling tampered POS systems for some time.
Case in point: In March, a pair of former Subway franchisees from California were charged with cyberfraud after allegedly selling pre-compromised POS systems that allowed them to plunder gift card credits.
Fortunately for us good, law-abiding consumers, POS fraud is tough. ATM skimmers are “really hard to sell and to use,” Komarov says, given how much attention banks have given the problem, with the result of improved physical security around the devices.
(In Australia, however, crooks have turned to 3D printers to help in the manufacturing arms race of ATM skimmers.)
POS malware is another new trend, but it’s hard to find vulnerable card readers and merchants, not to mention the difficulties around installing the malware, which requires the use of insider help.
All that means the crooks are going to just eat this new bundle right up, Komarov said, given its low cost and ease of use:
It is easy to [figure] out that it is cheap, and such kind of service will have great popularity in the black market, [given that] tampered devices such as this... [are] very easy to use with the help of [insiders] in restaurants and [in the] retail sector.
It might sound quite appealing to the criminal set, but they should bear in mind that getting caught is no fun.
It might be tough to track down and prosecute cross-border criminals who steal bank-card data, but it most certainly isn’t impossible.
That was evidenced by the case of a Romanian payment card crook, who was sentenced in January to 21 months jail time in the US for hacking POS systems at Subway and other businesses.
Prison time can be a pretty serious string attached to this good-sounding fraud deal.