credit card & gift card fraud (from today's comp.risks).

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Thu Jan 10 15:13:06 EST 2002


other postings and recent info from comp.risks:

http://www.garlic.com/~lynn/aadsm9.htm#carnivore3 Shades of FV's Nathaniel
Borenstein: Carnivore's "Magic Lantern"
http://www.garlic.com/~lynn/2002.html#19 Buffer overflow
http://www.garlic.com/~lynn/2002.html#20 Younger recruits versus
experienced veterans  ( was Re: The demise  of compa
http://www.garlic.com/~lynn/2002.html#35 Buffer overflow
http://www.garlic.com/~lynn/2002.html#37 Buffer overflow
http://www.garlic.com/~lynn/2002.html#39 Buffer overflow

========================================================


Date: Mon, 07 Jan 2002 20:07:25 -0500
From: David Farber <dave at farber.net>
Subject: Credit-card cloners' $1B scam

Homemade machines costing about $50 are being used to read credit-card
mag-stripes, without having to steal the cards.  The information is then
e-mailed abroad, where cloned cards are fabricated.  This has become a
billion-dollar-a-year enterprise.

[PGN-ed from Monty Solomon's e-mail to Dave's IP, subtitled Terrorists,
mobsters in on hacking racket, by William Sherman, *NY Daily News*
  http://www.nydailynews.com/today/News_and_Views/City_Beat/a-137421.asp]

  [The gadget was first demonstrated in maybe 1960s at Caltech as part of a
  demo on how poor the mag-striped credit cards were. In spite of that,
  they won.  Dave]

------------------------------

Date: Sat, 29 Dec 2001 09:59:00 -0600
From: Tim Christman <tjc at wavetech.net>
Subject: Mag-stripes on retail gift cards

Here's a link to an article on MSNBC that I found interesting --
  http://www.msnbc.com/news/598102.asp?0dm=C216T&cp1=1

Many retailers are replacing paper gift certificates with small plastic
cards containing magnetic stripes, similar to credit cards.  Ideally, the
purchase of a gift card would result in a database being updated to reflect
the balance associated with the card's unique account number.

Some retailers are using sequential account numbers and have no provisions
to protect against a thief using a mag-stripe reader/writer to re-program a
stolen card or small denomination card so that it matches the account
number of a larger valued card purchased by someone else.  Many retailers
even
provide a convenient 1-800 number so that the thief, knowing many valid
account numbers, can "shop" for a card of significantly greater value.

The RISK: A form of fraud, difficult to trace, involving a minimal
investment in equipment by the thief.  Also note that the thief only
requires the ability to query the back-end database (through the toll-free
number), not the ability to manipulate the records.  Perhaps more
ominously, the risk is angry family members who find a zero balance on
their gift cards!

Solutions: One retailer, mentioned in the article, uses optical bar-coding
which can't be re-encoded without defacing the card.  Another follows a
technique used by many credit card companies -- extra check digits are
included in the mag-stripe that are not visible on the face of the card.
It seems astounding that this isn't being done by all.

------------------------------
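
The hidden check-digit defence mentioned in the gift-card item above, as an added example that is not part of the original posts. The HMAC construction, the demo key, the `account=check` track layout and all function names are assumptions for illustration, not any retailer's or card scheme's actual method.

```python
import hashlib
import hmac

# Constructed demo key (assumption). An issuer would hold this in the back end
# only; it is never printed on the card or stored in the point-of-sale reader.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
CHECK_DIGITS = 4  # hidden digits written to the stripe, not shown on the card face


def stripe_check_value(account: str, key: bytes = ISSUER_KEY) -> str:
    """Derive the hidden check digits for an account number from a keyed MAC."""
    mac = hmac.new(key, account.encode("ascii"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** CHECK_DIGITS)
    return f"{value:0{CHECK_DIGITS}d}"


def encode_stripe(account: str) -> str:
    """Track data the issuer writes at activation: account plus hidden digits."""
    return f"{account}={stripe_check_value(account)}"


def verify_stripe(track: str) -> bool:
    """Back-end check run before any balance query or redemption."""
    account, sep, check = track.partition("=")
    if not sep or not (account.isascii() and account.isdigit()):
        return False
    if len(check) != CHECK_DIGITS or not (check.isascii() and check.isdigit()):
        return False
    return hmac.compare_digest(check, stripe_check_value(account))


def reencoded_acceptance(own_account: str, neighbours: int) -> int:
    """Count sequential neighbour accounts that would accept a stripe carrying
    the neighbour's number but the check digits copied from own_account."""
    own_check = stripe_check_value(own_account)
    base, width = int(own_account), len(own_account)
    return sum(
        verify_stripe(f"{base + i:0{width}d}={own_check}")
        for i in range(1, neighbours + 1)
    )


if __name__ == "__main__":
    card = "6000000000001234"  # constructed sample account number
    print("genuine stripe accepted:", verify_stripe(encode_stripe(card)))
    print("number-only stripe accepted:", verify_stripe(card))
    print("re-encoded neighbours accepted out of 2000:",
          reencoded_acceptance(card, 2000))
```

With four hidden digits a blind guess still succeeds about once in 10,000 tries, so the back end also has to limit failed attempts per account, including on the toll-free balance line.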



