Crooks plant fake payment card terminals at multiple stores

Crooks planted bogus payment card processing terminals at multiple locations operated by the Hancock Fabrics chain store that allowed for the theft of sensitive financial data from customers, the company warned. The personal identification number pads were stolen in August and September and "replaced with visually identical, …

COMMENTS

This topic is closed for new posts.
  1. Uk_Gadget
    Happy

    They got my details....

    ....But as they were spending less than my wife, I never reported it..

  2. joe 32

    42 years to 57 years!

    What! 42 years to 57 years for some fraud. Murderers, rapists and paedophiles don't even get that long!

    1. kain preacher

      @42 years to 57 years!

      People like you make me laugh. The reason for so much time is because of the amount of victims. I don't know where you live, but paedophiles here do get long sentences. Back to my original point. Show where someone has killed or raped more than 2 people who would be facing less time than life in prison without a plea deal. Now if he had just scammed one or two people I would say that 42 - 57 would be extreme, but he scammed more than just two people.

      1. Tom 35

        They ripped off the bank, and worse, made them look like fools

        If they had mugged the same number of people they would get 5-10

      2. Anonymous Coward
        WTF?

        @42 years to 57 years! (Kain)

        No, people like YOU make ME laugh. Is it more important that powerful financial organizations got defrauded - for which they have insurance - than someone got raped? REALLY?

        So, you're saying that you'd prefer your significant other/wife/daughter raped rather than their credit card get ripped off? If you say so.

        PS: can we get a moron symbol?

    2. Steve Roper

      Yes, 42 to 57 years

      Now THAT'S more like it. Bung these bastards in the hole and throw away the bloody key. They're of no use to society whatsoever.

      And murderers and paedophiles do get life sentences. As for rapists - well, that's an offence that's pretty hard to prove, isn't it? If it *is* proven, then in most cases the rapist will do a long stretch.

      1. Anonymous Coward
        Anonymous Coward

        "They're of no use to society whatsoever"

        Moron...

        Some of the finest security consultants in the world are ex-hackers and crackers. You are just a silly, bitter and angry little man....

    3. Anonymous Coward
      Anonymous Coward

      couple of points...

      Ah, and there is the inconvenient truth...

      Paedophiles and rapists and the like don't threaten the profit margins of large powerful corporations, so whilst it's important the state makes best endeavours to appear to care, it really isn't *that* concerned -where morality is concerned they leave it to us, the knuckle dragging masses. Where there's money involved, however...

      Anyway, "Paedophile" is a very vague term. Someone who likes/has a predilection for young people. Bearing in mind the legal age of consent is completely arbitrary and varies wildly from one country/culture to the next.... Are we talking about someone who looks at pictures of naked teens (say 14-17) posing on the internet (and does not pay for it) or someone who actually physically rapes babies and or young children (or even older children)? Or someone who has sex with a person of the opposite sex with their consent? Or does it make no difference to you?

      Black and white thinking...tsk tsk...

      1. swaygeo
        Coffee/keyboard

        RE: Couple of points...

        Now that's some powerful cynicism ;-)

        The revolution will not be televised - well at least not in HD...

  3. Anonymous Coward
    Alert

    If they know the pin it's your fault

    Presumably the banks are still chanting the "if they used the pin then it must have been the fault of the customer" mantra, with the regulator playing along?

  4. Disco-Legend-Zeke
    Pint

    This Is A Failing Of...

    ...the authentication system. Terminals should be polled, and all downtime logged/accounted for/investigated.

    You can do it while I swill my 211.

    Hmmm can swill be a verb?
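The polling idea in the comment above, worked into a small monitor as an added example (this is not code from the article, from The Register or from any commenter). It assumes a heartbeat log format of my own invention, one line per poll of "timestamp, terminal id, hardware serial", and an inventory of serials recorded at installation; the terminal ids, serials and log lines are constructed sample data. It flags heartbeat gaps over a threshold, a terminal that comes back reporting a different serial than the one installed, heartbeats from ids that are not in the inventory, and inventory terminals that are currently silent.

```python
# Added example (not from the article or any commenter): a simplified
# terminal-availability monitor in the spirit of "terminals should be polled,
# and all downtime logged/accounted for/investigated". The heartbeat log
# format, the terminal ids and the serial numbers are all constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Heartbeat:
    terminal_id: str
    serial: str
    ts: datetime


# Serials recorded when the units were installed (constructed inventory).
# POS-03 is in the inventory but never reports in the sample log.
EXPECTED_SERIAL: Dict[str, str] = {"POS-01": "SN-A1", "POS-02": "SN-B2", "POS-03": "SN-D4"}

# Constructed heartbeat log, one line per poll: "<ISO timestamp> <terminal id> <serial>".
# POS-02 goes silent for 20 minutes and returns reporting a different serial;
# POS-99 is not in the inventory at all.
SAMPLE_LOG = """\
2010-09-01T09:00:00 POS-01 SN-A1
2010-09-01T09:00:00 POS-02 SN-B2
2010-09-01T09:05:00 POS-01 SN-A1
2010-09-01T09:05:00 POS-02 SN-B2
2010-09-01T09:10:00 POS-01 SN-A1
2010-09-01T09:10:00 POS-99 SN-Z9
2010-09-01T09:15:00 POS-01 SN-A1
2010-09-01T09:20:00 POS-01 SN-A1
2010-09-01T09:25:00 POS-01 SN-A1
2010-09-01T09:25:00 POS-02 SN-C3
2010-09-01T09:30:00 POS-01 SN-A1
2010-09-01T09:30:00 POS-02 SN-C3
"""

Alert = Tuple[datetime, str, str]  # (when, terminal id, reason)


def parse_heartbeats(text: str) -> List[Heartbeat]:
    """Parse the space-separated heartbeat log format defined above."""
    beats = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal_id, serial = line.split()
        beats.append(Heartbeat(terminal_id, serial, datetime.fromisoformat(ts)))
    return beats


def analyze(beats: List[Heartbeat], expected: Dict[str, str],
            max_gap: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Walk the log in time order and raise an alert for each anomaly seen."""
    alerts: List[Alert] = []
    last_seen: Dict[str, datetime] = {}
    # sorted() is stable, so heartbeats with the same timestamp keep log order.
    for hb in sorted(beats, key=lambda h: h.ts):
        known = expected.get(hb.terminal_id)
        if known is None:
            alerts.append((hb.ts, hb.terminal_id, "unknown terminal id (not in inventory)"))
        elif hb.serial != known:
            # A unit answering with a different serial than the one installed
            # is the case a swapped pad would produce.
            alerts.append((hb.ts, hb.terminal_id,
                           f"serial mismatch: expected {known}, got {hb.serial}"))
        prev = last_seen.get(hb.terminal_id)
        if prev is not None and hb.ts - prev > max_gap:
            alerts.append((hb.ts, hb.terminal_id,
                           f"downtime of {hb.ts - prev} exceeds {max_gap}"))
        last_seen[hb.terminal_id] = hb.ts
    return alerts


def silent_terminals(beats: List[Heartbeat], expected: Dict[str, str],
                     now: Union[str, datetime],
                     max_gap: timedelta = timedelta(minutes=10)) -> List[str]:
    """Inventory terminals that have not reported within max_gap of `now`
    (a terminal that never reported at all counts as silent)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen: Dict[str, datetime] = {}
    for hb in beats:
        if hb.ts > last_seen.get(hb.terminal_id, datetime.min):
            last_seen[hb.terminal_id] = hb.ts
    return sorted(t for t in expected if now - last_seen.get(t, datetime.min) > max_gap)


if __name__ == "__main__":
    beats = parse_heartbeats(SAMPLE_LOG)
    for when, tid, reason in analyze(beats, EXPECTED_SERIAL):
        print(f"{when.isoformat()} {tid}: {reason}")
    print("currently silent:", silent_terminals(beats, EXPECTED_SERIAL, "2010-09-01T09:35:00"))
```

On the sample log this reports the unknown POS-99 at 09:10, a serial mismatch and a 20-minute downtime for POS-02 at 09:25, a second mismatch at 09:30, and POS-03 as silent. The serial check only helps if the heartbeat is authenticated; a unit that can be swapped can also be made to echo the old serial, so in practice the heartbeat would be signed by a key held inside the tamper-responsive module rather than a plain string as here.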

    1. Code Monkey

      Swill is a verb

      But what's a 211?

      1. Disco-Legend-Zeke
        Pint

        In The USA...

        ...211 is the brand mark for Steel Reserve, a very cheap high gravity (8.1% ABV) beer.

        It tastes really nasty.

        Another, please!

  5. Peter 39
    WTF?

    where were the skimmers?

    It would have been nice if Hancock said which stores were found to have skimmers.

    I would also like to know why we only hear about it now, if it happened last August/September. Did they only just find out, or did their lawyers take this long to tell management they had to disclose it? If they have known about it for some time and did not disclose it then there are some serious liability claims.

    1. Anonymous Coward
      Grenade

      where were the skimmers?

      Old news... It made the papers in the SF Bay Area back in September ... At least one of the compromised stores was the Hancock Fabric store in Napa, CA. I believe there were others in parts of the Bay Area, and some in, I believe, Wisconsin.

      Lock 'em up and throw away the key...

    2. Anonymous Coward
      Anonymous Coward

      The legal system?

      Most likely waiting for cases to be cleared through the snail's pace legal system.

  6. Anonymous Coward
    Anonymous Coward

    Now those are what I call .....

    deterrent sentences, lol, to the extreme. What they need to do is advertise this widely and also UK bring in these sentences over here;

    "...Last month, three Bulgarian men were charged with defrauding banks of more than $137,000 in a scheme that attached devices to numerous automatic teller machines in Massachusetts. If they are convicted, maximum prison sentences range from 42 years to 57 years...."

    2 less crims on streets, ever.

    1. Steve Renouf
      WTF?

      and cost the tax-payers a multitude more than they actually stole...

      ... in order to house, feed and clothe them for that period.

      I think we need to find a much more cost effective method of punishment. (pointed stick, anyone?)

      1. Anonymous Coward
        Joke

        We could...

        ...ship them off to some penal colony somewhere. But I think the Aussies would complain, they're not hot on immigration these days.

        Cf. http://bash.org/?262417

      2. Fatman
        Grenade

        Punishment

        You said: "I think we need to find a much more cost effective method of punishment. (pointed stick, anyone?)"

        Pointed stick????

        ^ Naaaah!

        |

        | IMHO, a .357 (through the brains) would do nicely!!!!

        |

        |------------------ Or perhaps, one of these!

  7. Steve Evans

    How can this be...

    After all we were all told the move to chip and pin would make things so much safer...

    </sarcasm>

    1. pctechxp

      @Steve Evans

      Chip and Pin isn't in operation in the States

  8. Wolf 1
    Stop

    PIN pads are something different

    A PIN pad is the keyboard unit found in an ATM, it's a self-contained computer with a huge number of safeguards that prevent exactly this sort of thing.

    What Hancock Fabric is talking about is just a credit card reader--a completely different thing. Calling these things terminals is really misleading. They have few if any safeguards and are absolutely NOT PIN pads.

    1. Boring Bob

      It is a PINpad

      A PINpad is any pad that you type a PIN into. The real ones are "highly" secure, the keyboard being itself part of a tamper-proof box that encrypts the PIN before it can leave the box (if this is needed). The problem is the security requirements for the fake PINpads are somewhat lower than those for the real ones.

  9. Anonymous Coward
    Thumb Up

    Solution.

    1. Walk into bank.

    2. fill in paper withdrawal form

    3. speak to clerk.

    4. walk out with real, hard, cash

    5. buy items.

    6. Be content that your purchase was guaranteed hacker free.

    Cash truly is the last anonymous transaction.

    1. Chris007
      Big Brother

      you said...

      "Cash truly is the last anonymous transaction."

      Hence govt from all over the world trying to get rid of it....

  10. sabba
    Paris Hilton

    Inside job...

    I am assuming that these devices were inside the stores. In which case does this mean that store employees were culpable?

    paris - cos' she'd "swipe your card" for you!!

  11. lukewarmdog
    Alert

    how

    Did they manage to remove and replace the number pad with nobody watching? Isn't there usually a CCTV camera pointing at ATMs?

    As for the cost of locking them up.. maybe the answer isn't longer sentences but different ones. I'd suggest neutering as a good deterrent. Followed by a lobotomy. Then maybe chopping both hands off. Then feeding to hungry pigs. This should be the standard penalty for most crimes that get media attention.

  12. Cameron Colley

    But Chip 'n' Pin are infallible!!

    The great crime-fighting duo were brought in by banks to wipe out credit card fraud completely! They cannot have failed!!

  13. Robert Carnegie Silver badge

    This is in the U.S.

    so presumably it is not the "Chip and PIN" used in the UK, but are we safer?

    Apparently UK or international bank rules and standards require that a chip card has a magnetic stripe on it as well, which is easier to steal data from, including from compromised reading devices, even chip devices. I don't know if you're "allowed" to remove the data on the magnetic strip yourself. A wire brush or metal wire scouring pad perhaps, but probably not putting it in the microwave.

    1. Richard Scratcher

      Magnetic Strip

      Chip and PIN is not yet available worldwide so the magnetic strip is still required. You could erase it with an AC electromagnet (such as the old tape recorder degaussers). The trouble is you probably wouldn't be able to use the cash machines in the US.

      The magnetic tape strip contains all the data the crook needs except for your PIN but there are several scams going on to read the strip and then watch you type in your PIN to a chip & PIN reader. I saw a TV programme where a waiter in the UK was wearing a matchbox-sized card reader on her belt. She pretended to clean the chip of a card but was swiping it through the reader. Then she watched the punter enter his PIN into the chip & PIN terminal. Now she had the necessary data to send abroad so that a card can be made and used in cash machines there.

      The other common scam is to attach a false panel containing a strip reader to the front of UK cash machines. Then by using a camera or just looking over your shoulder, the necessary data can be gathered.

      The strip doesn't contain the PIN, that's kept at the bank but I was surprised to find that the PIN is stored on the chip.

    2. Peter 39

      advantage of no CHIP+PIN

      CHIP+PIN means that the customer is liable in cases of fraud, unless he/she can prove otherwise (banks don't help a lot here).

      In the U.S. the customer is liable only for $50.

      Not a difficult decision, is it?

  14. Ginolard

    re: Solution

    Huh. In my experience it would be more like

    1. Walk into bank.

    2. Try and find a pen still attached to its chain

    3. Try and find a working pen still attached to its chain

    4. Fill in withdrawal form without the pen nib tearing the form in two

    5. Join interminably long queue

    6. Realise you are behind the man from the penny arcade who's cashing in his yearly takings

    7. Give up and risk being hacked. It's less hassle.

  15. Tim Jenkins

    Re: how

    Rent white van

    Walk into store holding clipboard

    Tell minimum wage counter clerk you are here to 'upgrade' the card readers

    When manager objects, tell them 'there was a memo about it months ago'

    Replace legitimate units with doctored ones

    Leave with more units to gimmick

    Repeat

    Simples

    (You could even post the things in and get them to do it to themselves. Darn fleshy bio-units; always the weakest link...)

  16. Anonymous Coward
    Thumb Up

    Too poor to lose money

    So I'm safe then!

  17. Anonymous Coward
    Coat

    Good

    So, Chip & PIN, functionally useless, as predicted. What a shock. Let's hope this kicks the banks in the direction of implementing proper security. Or better, our politicians/courts into forcing the assumption that it's the banks problem until they can _prove_ the customer was knowingly fraudulent.

    Mine's the one with a chequebook in the pocket (hack that with electronics, or replicate my spiders-crawl pawprint as easily as lifting a 4 digit number, and you'll win a big prize...)

  18. Robert Carnegie Silver badge

    THIS IS NOT CHIP & PIN.

    It's a lousy, leaky, legacy American system.

    Would a magnetic eraser to make the stripe unreadable affect the chip on your card as well?

    1. Anonymous Coward
      Thumb Down

      No, BUT

        ATMs read the mag card before the chip and if the mag card is empty, the machine won't accept the card!!

      1. Robert Carnegie Silver badge

        Are you sure?

        "ATMs read the mag card before the chip and if the mag card is empty, the machine won't accept the card!!"

        If correct, that's moronic. But given many chip card readers don't -touch- the magnetic strip, or most of it anyway, I'm sceptical. I think that goes for human bank teller equipment too.

        Furthermore, since major UK supermarkets now let you draw cash at the checkout, you could use a magnetically defaced card for cash that way.

        Both theories could be tested on a card that is about to expire and that you have a replacement for, so that you aren't wiped out - at least for your ATM: embarrassing in a shop. I suspect the microwave may fry the chip and leave the magnetic strip working, but physically destroying the strip (scrape it off and then draw one on with permanent-marker pen) seems less risky - although I am rather "good" at destroying electronic devices by casual handling.

  19. kain preacher

    over 1000 victims

    And you are surprised he got that much time. I never said that I prefer a loved one get raped and I never knew where you got that impression. My point was the sheer number of victims, and then you complain that he gets. Do you think Madoff should not have gotten the time he did.


Biting the hand that feeds IT © 1998–2022