Friday, October 3, 2014

Massive data breaches: Where they lead is surprising

SAN FRANCISCO — The end of the road for the 56 million credit card numbers stolen a month ago from Home Depot turns out, often as not, to be a cheap meal at McDonald's or a gallon of milk at Walmart.
"We're generally not seeing $1,000 transactions where they're buying wide-screen TVs," said Rob Miller, chief operations officer with San Diego-based Mission Federal Credit Union.
The story of how a massive international data breach ended up at a fast food store in California's Central Valley began last April.
That was when someone inserted malicious software — malware — into point-of-sale machines at Home Depot stores in the USA and Canada.
Many in the security community suspect the attackers were in Russia or Eastern Europe, but there's no way to know for sure. What is known is that malware skimmed off credit and debit card information, undetected, for six months.
As many as 56 million cards were compromised, according to Home Depot.
The news broke in September, when someone put a batch of cards for sale on a criminal Internet site that trafficked in stolen financial information.
Banks and credit unions began to see bogus charges appear almost immediately. Despite the far-reaching criminal networks that create these massive computer security breaches, the people who end up buying things with the stolen cards appear to be "just using them for day-to-day living," Miller said.
For Air Academy Federal Credit Union in Colorado Springs, the first indication something was wrong was when members started seeing charges on their cards from Indonesia.
"Our people travel, many of them are Air Force, but we don't have a whole lot of customers who go to Indonesia," said Brad Barnes, chief financial officer for the non-profit organization.
It was easy to cut off cards whose owners were buying gas in Colorado Springs the same day a charge suddenly popped up in Jakarta. It got a whole lot harder when the charges began appearing in Denver, an hour to the north, Barnes said.
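
The same-day check described above can be sketched as a geo-velocity rule. This Python example is added here and is not from the article or either credit union; the speed threshold, card labels, timestamps and coordinates are assumptions. It flags the Colorado Springs to Jakarta pair and stays silent on a same-day Denver charge.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass
class Txn:
    card: str
    when: datetime
    place: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def implausible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, required_kmh) for consecutive card-present
    charges on the same card that would need travel faster than max_kmh."""
    alerts = []
    last_seen = {}
    for t in sorted(txns, key=lambda t: t.when):
        prev = last_seen.get(t.card)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
            # Floor the gap at one minute so simultaneous charges do not divide by zero.
            hours = max((t.when - prev.when).total_seconds() / 3600, 1 / 60)
            if km / hours > max_kmh:
                alerts.append((prev, t, km / hours))
        last_seen[t.card] = t
    return alerts

# Constructed sample data: card labels, timestamps and coordinates are illustrative.
SAMPLE = [
    Txn("card-A", datetime(2014, 9, 10, 8, 0), "Colorado Springs", 38.83, -104.82),
    Txn("card-A", datetime(2014, 9, 10, 14, 0), "Jakarta", -6.21, 106.85),
    Txn("card-B", datetime(2014, 9, 10, 8, 0), "Colorado Springs", 38.83, -104.82),
    Txn("card-B", datetime(2014, 9, 10, 14, 0), "Denver", 39.74, -104.99),
]

if __name__ == "__main__":
    for prev, cur, kmh in implausible_travel(SAMPLE):
        print(f"{cur.card}: {prev.place} -> {cur.place} needs {kmh:.0f} km/h")
```
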
"The financial institution is going to reimburse the customer for any fraudulent transaction on the account," said Doug Johnson, vice president for risk management policy with the American Bankers Association.
Computer security writer Brian Krebs reported that banks have taken big losses from cards compromised in the breach.
Mission Federal has dealt with more than $100,000 in fraud claims that might be linked to cards compromised in the Home Depot breach in the past month, Miller said.
Credit unions are not-for-profit, he said, so "when we take $100,000 in credit card losses, that's $100,000 that we could have used to give our customers higher interest rates or lower loan rates."
Another cost financial institutions face is replacing compromised cards. Mission Federal Credit has gotten about 10 lists of compromised cards from MasterCard in the past two weeks. They total 28,000 cards.
"That's about 15% of the credit cards we issue," Miller said. It costs the credit union about $2.60 to replace each card, so "that's $72,800 so far. It's another hit."
The trajectory, from a continent away to a few ZIP codes away, isn't any surprise to security experts.
"The thing to remember about this whole process is that it's an industry," said Geoff Webb, director of strategy for NetIQ, a Houston-based computer security company.
ILLEGAL DIGITAL SUPPLY CHAIN
Data theft is like any supply chain. First come the manufacturers, then the wholesalers, the middlemen, the retailers and, finally, consumers.
The manufacturers are the organized professionals who plant the malicious software that steals the card information. "They've had a lot of training; they steal huge numbers of credit cards," Webb said. "That's the raw material."
Once these might have been used to buy expensive merchandise online, but credit card companies created sophisticated anti-fraud algorithms that quickly detected anomalous charges on compromised accounts.
The thieves reconfigured.
Now these numbers go to wholesalers, usually still overseas, who break them down in manageable groups of cards, sorting them by area and ZIP code.
These bundles are offered up for sale in bulk on underground websites.
"They'll even send you samples, so you can test the quality. If it's good, you come back and buy more. Some of these guys are so confident that they have money-back guarantees," Webb said.
The middlemen buy up a list of numbers and use them to make cloned credit cards. Machines and blank cards are readily available online.
"It's going to cost you about $500 online to set up a nice carding operation," said John Sileo, a data security expert with the Sileo Group in Denver.
The FBI broke up one such group in January, arresting three men behind the site Fakeplastic.net.
CLONE CARDS
The newly cloned cards are sold to low-level gangs or criminals.
One tactic is to use the cloned cards to buy gift cards. Target is a popular choice because "there they can buy 50 different kinds of gift cards in one place. They're laundering the money because it's very hard to trace those cards," Sileo said.
Cards are sometimes sold on street corners. Sileo's talked to people who were approached in New York City by someone saying, "I've got this $50 gift card that I can't use, I'll give it to you for $10."
The dealers are "incredibly entrepreneurial. They're working it out for their little corner of the world, in their ZIP code," he said.
The amounts the final users end up charging are tiny. The average fraud on the fake cards Mission Federal Credit Union saw in July was $201, Miller said.
"We see a lot of McDonald's meals, Jack in the Box, visits to Target and Walmart, maybe to get a fan or a heater," he said.
The role of the people committing the original crime — stealing the data — is limited, said Dan Kaminsky, chief scientist at White Ops, an anti-fraud company.
The final users are often poor people trying to get by, charging small amounts on cards that last for a week or so until the credit card company cancels them.
The computer criminals half a world away "have taken the risk out of it" for themselves, Kaminsky said. This leaves law enforcement with no one to target.
"What are they going to do," he said, "go bust some guy in Modesto who's just trying to feed his family?"
