Mexico Connect
Forums > Specific Focus > Technical Mexico
kirkswig
Sep 15, 2004, 2:34 PM
Post #1 of 8 (816 views)
More on the hazards of using computer cafes

My neighbors just saw their checking account wiped out. The perpetrator repeatedly withdrew funds until finally the account was overdrawn.

They were amazed that this could happen. The thief accessed the account through a VISA debit card that they hadn't used in months. At first they thought that it must've been somebody out there just cycling through all the possible VISA card numbers, but after we discussed it at length it became very clear what happened.

The only time the card was used for anything other than cash withdrawal was to place an order over the Internet using a publicly-accessible computer terminal and using the debit card to pay for it.

It's very likely the thief simply installed a key-logger on the computer and recorded every keystroke made since. Then the thief accesses the log of those keystrokes. Then the thief scans this log for numbers that appear to be credit card numbers. And then he uses them.

This order was placed almost a half-year ago, so I'm thinking it wasn't a local job, i.e., somebody accessing the terminal beforehand and installing the key logger manually. I'm thinking that it was a trojan horse of some kind that got installed on the machine under the guise of something as inane as an "Internet speed booster" or "Free spyware remover program" and that piggybacked on something like the Sasser worm to spread. The thief is no doubt in possession of thousands, if not millions of credit card numbers as a result of this exploit. The delayed time between acquiring my neighbors' card number and actually using it is probably because the thief has so many numbers to go through that my neighbors were literally put on a waiting list.

The bank won't re-open the affected accounts unless and until they present themselves in person at a branch NOB. Thankfully, they have enough cash on hand to manage the trip.

A lot of us are here based on the good graces of a single ATM card. It's a very slender thread. So don't play games with your card number. If you absolutely have to buy something online, do it using a phone call instead.

To boldly go where no wig has gone before.



raferguson
Sep 15, 2004, 4:19 PM
Post #2 of 8 (798 views)
Computer crime

It is also possible that this was an inside job. Anyone who works with data at any company that they have bought from in the past, whether by phone or by internet, potentially has access to whatever credit card number they used to buy goods. Buying by phone will not protect you if the source of the number is the company you bought from. Given the 6 month delay, rather than blame a cybercafe, I vote for an inside job.

I have been reading about employees stealing thousands of credit card numbers, and selling them. This is not theoretical, people are being prosecuted for it. This is a different kind of computer crime.

The key to me is that no one should travel on a single piece of plastic. We usually carry at least three different cards on a trip, some credit and some debit, and we do not keep them all in the same place. For instance, I might carry one debit and one credit card, and my spouse carries a different credit card. One of my credit cards has a PIN number, so I can get cash if I need it, even if I do pay fees and interest.

I am pretty sure that they will end up getting the money back, but the hassle factor could be large.

Richard


http://www.fergusonsculpture.com


kirkswig
Sep 19, 2004, 10:16 PM
Post #3 of 8 (744 views)
Re: [raferguson] Computer crime

Quote
Given the 6 month delay, rather than blame a cybercafe, I vote for an inside job.


Of course, you could be right, but I think the odds are against it. I've given my credit card number to so many people over the years -- and I must've purchased services/products over the web at least a hundred times by now -- and I've yet to be a victim of this.

My neighbors only had to use the card once to get bit.

The difference? They entered the number over a public terminal, something I have never done nor will ever do (unless it is a dire emergency.)

Google gives lots of hits on keylogger/trojan horse implementations, the best perhaps being this one from Symantec which talks about a specific keylogging Trojan horse that was released shortly before my neighbors' credit card number was compromised.

As for the six month delay, what's wrong with the explanation that the attacker is simply being overwhelmed with all these credit card numbers he's getting? That he can't process all of them at the same time, so he has to go through them one-by-one? Which takes time?

Moreover, there is at least something people can do to protect themselves from keyloggers. DON'T ENTER YOUR CREDIT CARD NUMBER INTO A PUBLIC TERMINAL! If instead you are right, the only solution is to not buy any service or product using a credit card, which can be pretty harsh. The suggestion that you have on hand several such cards isn't practical for many people. Not everybody can or wants to open a credit card account. Some people just want a card to get cash out of an ATM. Some banks won't issue duplicate cards, and getting multiple checking accounts may incur redundant monthly charges that somebody on a budget won't be interested in paying.

To boldly go where no wig has gone before.


sfmacaws
Sep 19, 2004, 11:55 PM
Post #4 of 8 (740 views)
Re: [kirkswig] Computer crime

I also doubt that it was stolen 6 months before it was used. That doesn't fit any of the computer id theft scenarios I've seen. The most likely culprit is the last transaction before the number was used fraudulently.

I did have a number stolen from an online purchase. Amex caught it and canceled the charges and I notified the only company I'd used it at in several months. They admitted to catching an employee stealing card numbers, rather remarkable actually that they admitted it. They sent me a letter from the president and a gift and, mainly because they admitted the problem, I will use them again. It can happen with any employee in any company and I think it is how they deal with it that sets them apart.

Key loggers require some kind of script to scan for likely sequences; it would be impossible to do by hand. It is an automated kind of theft and I find it hard to believe that having stolen something using such automation, you would then use it manually - and 6 months later. It just doesn't make sense.

I too vote for an inside job somewhere that they used the card. I think it is a lot more dangerous to sign a credit card receipt in a restaurant and leave them with all the info they need to charge your card than to order something on a secure site from an internet cafe. There are risks with both for sure, but it's much more common for the theft to be related to a legitimate purchase.


Jonna - Mérida, Yucatán




kirkswig
Sep 20, 2004, 2:16 AM
Post #5 of 8 (735 views)
Re: [sfmacaws] Computer crime

Quote
Key loggers require some kind of script to scan for likely sequences...


Agreed. Perl, or any language supporting the extraction of text based on regular-expressions would do.


Quote
...it would be impossible to do by hand.


No, you could do this by hand. It would be slow, that's all. I've seen computer professionals manually indent multi-page documents by clicking at the beginning of the line of text and then pressing the tab key, then clicking at the beginning of the next line of text and pressing the tab key again, and so on and so forth, until they reach the end of the document, when all they had to do was a "Select All" and then issue an indent command. There's no reason why the hacker responsible for the keylogger should be any more sophisticated. Remember, he's likely not the same person who created the trojan horse in the first place: he's probably just a script-kiddie who copied-and-pasted the source from some bulletin-board somewhere and changed the email/IP address so that the credit card numbers were directed to him instead of the original author.


Quote
It is an automated kind of theft and I find it hard to believe that having stolen something using such automation, you would then use it manually - and 6 months later.


Acquiring the credit card numbers is probably automated, but their use? How do you propose automating that?

If you are accepting the fact that the acquisition of these numbers is automated, then aren't you also accepting the fact that we're talking about a huge quantity of such numbers? This is a trojan horse that could conceivably be installed on millions of computers. How do you use so many numbers without calling attention to yourself?

Well, one way is by selling those numbers. It's less risk and you profit from the exploit almost immediately. What do the people who buy the numbers do? They likely sell them too!

The more hands the numbers pass through, the longer the delay between their originally being acquired and their finally being exploited.

There is also the question of how best to cover your tracks. In the case involving my neighbors, the detective work was easy... they had only used this credit card number ONCE. I think that's probably the exception rather than the rule, and I'd bet that the hackers/thieves think so too.

So if they're under the impression that the card is being frequently used, separating the occasion when the card number was first obtained from when it is finally used is a good thing. And six months sounds like a really good number to use here, given that the standard expiration date is two years from the date the card was originally issued.


Quote
It just doesn't make sense.


How exactly is that? We know for a fact that these trojan horse/keylogger combinations exist. We know for a fact that these things infest public terminals, often coexisting with one another, i.e., you will have multiple numbers of keyloggers running on the same machine. We know for a fact that these hackers have put these programs out there for the purpose of acquiring credit card numbers. We know for a fact that once acquired, these hackers will then sell these numbers to the highest bidder. And we know for a fact that the buyers will often turn around and sell these numbers to others.

We can assume that this process of buying and selling credit card numbers takes time, since the buying and selling of any service or merchandise takes time, and we can also assume that the buyers, sellers, or the hackers themselves, are willing to introduce delays in the processing of these numbers in an effort to cover their tracks, i.e., make it more difficult to know when and where the number was originally stolen.

I think I have a pretty good case here.

And I think I can describe why you and others feel the way you do...

A lot of you have been doing financial transactions using public terminals while SOB and have been doing so for some time. This is not my first post on this subject, and it is not the first time such a posting has been ill-received. A lot of you are still, to this very day, using public terminals to conduct your financial transactions, and you don't want to change the way you're doing business because to do so means that not only are you going to have to change your habits but that you're also going to have to spend money making these changes. There's probably also an element of feeling foolish about having exposed yourself to so much risk for so long when the hallmark of a serious trader/investor is understanding how to manage such risk.

It is a fact that using a public terminal to send *any* vital information is a risk. Indeed, unless you really know what you're doing, using *any* terminal, public or not, is a risk. The exploits involving workers who steal credit card numbers in the course of their employment are almost always solved, because the workers almost always are greedy, and law enforcement can easily identify the company, and then finally the workers responsible for the fraud.

And the banks are quick to credit your account for such losses.

But what we're seeing now with computer-based fraud, the banks are not being so quick, because it's becoming more and more difficult to determine who exactly is responsible for these exploits. In other words, the bank has no way of knowing whether it isn't you who is trying to exploit the bank.

And banks today are under all kinds of pressure. They can build a voice-mail system that gives you your account balance on demand, but dealing with fraud isn't something they can buy a machine for. It's very human-intensive.

Which means that it costs them money.

Which means that, of course, they're looking for ways to pass the cost on to you.

I've alluded to this on another forum, but since moving to Mexico, I've noticed what must be at least a 10,000% increase in efforts to break into my network. Mexico is literally crawling with virii and worms, and the reason why is because so many people here rely on public terminals to conduct their business. The administration of these public terminals -- in my experience -- ranges from poor to bad.

What's the problem with refraining from using public terminals as if your financial security depended on it? There are other ways of accessing your account info and/or purchasing services or merchandise from distant vendors. Why dispute the obvious risks here?

Why put yourself in harm's way?

To boldly go where no wig has gone before.
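The scan described in post #1 (sift a keystroke log for sequences that look like card numbers) and post #5 (any regex-capable language would do) is also the job an incident responder faces once a keylogger is found on a shared machine: work out which cards were exposed so the issuers can reissue them. Added example in Python, not code from this thread; the capture and card numbers are constructed test values, and the Luhn check is applied so that phone numbers, timestamps and order ids are not reported as cards.

```python
"""Triage a recovered keystroke log: which card numbers (PANs) were exposed?

Added example, not code from the forum thread. The capture below is
constructed. A bare "16 digits" pattern over-matches on keystroke logs
(timestamps, phone numbers, order ids), so every candidate is passed
through the Luhn check and reported masked, as an issuer notification
list would be.
"""
import re

# Constructed sample of what a keylogger on a shared terminal might record.
SAMPLE_CAPTURE = """\
[2004-03-14 10:02] www.example-shop.test
name: j. doe
card: 4111 1111 1111 1111  exp 12/06
phone: 555 0100 555 0100
[2004-03-14 10:05] 4111-1111-1111-1112
order 1234567890123456 tracking
card: 5555 5555 5555 4444
card: 4111 1111 1111 1111
"""

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first 6 and last 4 digits, the usual display masking."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_exposed_pans(text: str) -> list:
    """Return masked, Luhn-valid PANs found in a capture, in order, deduplicated."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            masked = mask(digits)
            if masked not in found:
                found.append(masked)
    return found


if __name__ == "__main__":
    for pan in find_exposed_pans(SAMPLE_CAPTURE):
        print("exposed:", pan)
```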


sfmacaws
Sep 20, 2004, 7:21 AM
Post #6 of 8 (721 views)
Re: [kirkswig] Computer crime

Kirk,

I'm not saying it couldn't or doesn't happen, I said that above. What I am still saying is that there are other ways it could have happened AND that there is more crime of this type resulting from those other ways than there is from the one and only way you want to look at.

I agree with you, transmitting key information from a public terminal is a risky thing. However, there are many other equally risky ways to send out your information and yet you are discounting those.

How did the thieves access the money of your friends? Did they buy things with the card? Or transfer money? These are the ways it can be tracked. Without the physical card they aren't just going to an ATM and withdrawing the cash and if they purchase something it has to be delivered somewhere. Were items purchased and delivered to Mexico?

All I'm saying is that you are taking a limited amount of knowledge and jumping to a conclusion that is not consistent with the stats for this type of crime. It's true that even if something is rare, it can happen to you. It isn't true that you can assume that a less common means was used without more proof.

As to some of us ignoring your valid advice about using public terminals. We all take risks of some sort, it largely depends on a personal evaluation of risk vs reward for our individual situations. Have you ever used a credit card at a restaurant in Mexico? Or in the US for that matter? Have you signed the slip and let the waiter walk away with the business copy? I have, and I know the risks. I try not to do it but when it is the only way I can pay for dinner, I do it and cross my mental fingers. Same thing with using a public terminal.

I don't think anyone here is defending the safety and security of internet cafes, they are rife with virii and other nasty and malicious beasts. Partly I think it is financial, site licenses for anti-virus software are expensive. Partly it is the backwater problem, much of the hue and cry about these things is written in English and publicized stronger in the US. What I DON'T believe is that there is a more common intent here in Mexico than in the US or any other country. There is just less awareness and less protection and many more public machines in Mexico.

As to the time factor, things operate at a much swifter pace on the internet than in real time. I have never met a crook who could effectively sit on a stolen product for any great length of time. I'm still dubious that all this buying and selling of numbers would take this amount of time or that anyone would refrain from using them for that long. YMMV


Jonna - Mérida, Yucatán




kirkswig
Sep 20, 2004, 3:32 PM
Post #7 of 8 (699 views)
Re: [sfmacaws] Computer crime

Quote
...there is more crime of this type resulting from those other ways than there is from the one and only way you want to look at.


I question whether this is so. I had believed that Internet-related fraud, incl. keyloggers, had outpaced other kinds of fraud, such as employee-theft, but I just spent five minutes on Google and I can't find anything definitive either way.

The thing with employee-theft is that they almost always find the perp, right? Greed causes the employee to steal yet another number, and eventually the pattern emerges which lets the authorities zero in on the culprit. So there's a pretty big deterrent here. It's not clear to me how this would work with keyloggers, or what the deterrent would be.


Quote
How did the thieves access the money of your friends? Did they buy things with the card? Or transfer money?


Both, kind of. There were charges placed on the card, but the charges went to an eBay account. Evidently, eBay makes it easy for people to send you money using their credit cards. It certainly wasn't an ATM withdrawal.


Quote
I'm still dubious that all this buying and selling of numbers would take this amount of time or that anyone would refrain from using them for that long.


If someone has thousands of credit card numbers, how quickly do you think they could harvest them all? This part of it doesn't seem to lend itself to automation, or, even if it did, I have to believe that some kind of alarm would sound when the same entity/terminal/IP address/whatever attempts to initiate thousands of transactions using thousands of different CCN's.

My neighbors are moving (this incident may have played a factor in that decision), however we will be keeping in touch via email. I am hoping that eventually they will discover exactly what happened, and then relate it to me.

And then I will relate it to the forum.

To boldly go where no wig has gone before.
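The "alarm" post #7 expects, a single terminal or IP address initiating transactions with many different card numbers in a short time, is what payment processors implement as a velocity rule. Added example in Python, not from this thread; the event stream, source addresses and thresholds are constructed, and cards appear as tokens rather than numbers.

```python
"""Velocity rule: alert when one source uses many distinct cards in a short window.

Added example, not code from the forum thread. The events are constructed and
card numbers appear as tokens, never as real PANs.
"""
from collections import defaultdict, deque


def flag_card_velocity(events, window_s=600, max_distinct=5):
    """Scan time-ordered (ts_seconds, source, card_token) events.

    Returns a list of (ts, source, distinct_cards) emitted the first time a
    source exceeds max_distinct distinct card tokens inside the trailing
    window_s seconds; the source can alert again once it has quieted down.
    """
    recent = defaultdict(deque)   # source -> deque of (ts, token) in window
    alerted = set()
    alerts = []
    for ts, src, tok in events:
        q = recent[src]
        q.append((ts, tok))
        while q and q[0][0] < ts - window_s:   # drop events outside window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > max_distinct:
            if src not in alerted:
                alerts.append((ts, src, distinct))
                alerted.add(src)
        else:
            alerted.discard(src)
    return alerts


# Constructed stream: one normal shopper and one source cycling through cards.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "tok_A"),
    (30, "10.0.0.5", "tok_A"),          # same card twice: not suspicious
    (100, "203.0.113.7", "tok_01"),
    (120, "203.0.113.7", "tok_02"),
    (140, "203.0.113.7", "tok_03"),
    (160, "203.0.113.7", "tok_04"),
    (180, "203.0.113.7", "tok_05"),
    (200, "203.0.113.7", "tok_06"),     # sixth distinct card in 100 s: alert
    (220, "203.0.113.7", "tok_07"),     # already alerted: no duplicate alert
    (5000, "10.0.0.5", "tok_B"),        # earlier events aged out of window
]


if __name__ == "__main__":
    for ts, src, n in flag_card_velocity(SAMPLE_EVENTS):
        print(f"t={ts}s source={src} distinct_cards={n}")
```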


sfmacaws
Sep 20, 2004, 8:41 PM
Post #8 of 8 (677 views)
Re: [kirkswig] Computer crime

The last thing I saw (and I don't have an online site to quote) was that 'social engineering' or conning people was still the largest form of fraud both internet and not. This includes the new Phish letters that claim to be from your bank or PayPal or eBay. It's still conning someone not cracking a computer or logging keys for that matter. Phish scams are known for clearing out the bank account in under 15 minutes from getting the login and password. They work very fast.

Most crooks of all kinds get caught at the payoff, i.e., when they try to collect or pawn or sell or pick up their loot. In the case that happened to me, they got caught because of people like me who called in and helped to establish a trail. The main evidence that could be used in court though was related to what they bought. In my case, they bought cards for a Cricket (pay-as-you-go) cell phone and they both called out and received calls. Stupid? Yes, but not uncommon. Don't overestimate the brain power of the criminal world, if they weren't so stupid we'd be in a world of hurt.

Although I am a retired cop, internet fraud was not the area I worked. I'm a geek though and so I read all the bulletins and the cases that came by. My info is not current, I retired 3 years ago, but I do still read occasional info on this issue through friends who are still working. It's interesting but one of the things that I found most interesting is that there is very little real difference between the guy who runs a shell game on a corner and the guy who sends out phish letters to con you out of your password. Different skills but the short-sighted greed is the same as is the tendency to disregard the consequences.


Quote
If someone has thousands of credit card numbers, how quickly do you think they could harvest them all?


If they have a way to send money from the stolen accounts to an eBay account, they could do it very fast and it could be scripted. If you assume that they would open and close accounts quickly as well, it sure wouldn't take 6 months. I'm also dubious that any of these scams wouldn't move on or fall apart within 6 months. I mean, the people first hit are going to complain right away and at that point the whole scam starts to get hot and it's doubtful that it could continue with that long string of victims stretching out behind it.

It will be interesting to find out what comes of this. I'm sorry for your neighbors, it's a shattering experience to be victimized like that. It shakes your belief in a lot of things. I hope that their money is returned to their account and that the whole event doesn't consume their lives for the next several years.


Jonna - Mérida, Yucatán