Friday, March 29, 2013

Card skimming goes viral

It should come as no surprise that if most computer criminals are interested in money, they would go where the money is. As a report this morning indicates, often that means either banks or points of sale.

That in itself is nothing new. For years gas pumps and ATMs have been targeted, often by hiding tiny magnetic readers that read the data on your credit or debit card when you insert it into the machine.  As technology progresses, those once easily-recognized additions have gotten smaller and smaller, to the point that they may be very difficult to recognize, or even be inside the machine where you cannot see them.

Today's report highlights a different approach, one that is far more difficult to detect. Russian-based security company Group-IB recently discovered malware called “Dump Memory Grabber,” which it believes has already been used to steal debit and credit card information from customers using major US banks. Unlike most malware (commonly called computer viruses) you may be familiar with, this malware is actually installed on the ATM or the point of sale registers/kiosks. It harvests everything the device obtains from the user - including everything from the mag stripe as well as potentially the PIN.

Friday, March 22, 2013

Identity theft while at a hacker conference ... an ironic coincidence

It is disturbingly ironic to have had to deal with credit card fraud in the middle of a hacker conference. Thankfully this story has a happy ending. I have to give kudos to Walmart for their quick and professional handling of this incident.

This week I attended the BSides Austin event, a 2-day hacker "unconference" in Austin, Texas. BSides originated as an alternative to the major security conventions, which in many ways have become so massive and so commercial that it is hard to have real interaction with researchers. It is a play on old vinyl records, on which the "B Side" contained lesser-known and often complementary songs.

As I sat down to watch a presentation, I received an email alert confirming a order. I thought it odd because I had not made any such purchase. I thought it even more odd because it included an order for pre-paid cell phone minutes on a carrier I do not use, to be delivered via email.  Within 6 minutes I received 3 more order confirmations for similar purchases, followed by a confirmation that my account information (such as name, mailing address, and email) had been changed.  Uh oh.