Credit card fraudsters caught, 2500 victims cited
Technorati Tag: Security Breach
Date Reported:
1/11/09
Organization:
Family Funbox
Contractor/Consultant/Branch:
None
Location:
Cache County, Utah
Victims:
Customers
Number Affected:
"some 2,500"
Types of Data:
Credit card information
Breach Description:
Customers of Family Funbox, a local Cache County (UT) DVD rental business, have been victimized by widespread credit card fraud. Family Funbox is now out of business.
Reference URL:
KSL Television & Radio
The Herald Journal
Report Credit:
Matthew Jensen, The Herald Journal
Response:
From the online sources cited above:
Two men are in custody and under investigation by the FBI in an identity theft scheme that victimized 2,500 Cache County residents, Smithfield police officials said Wednesday.
In late 2008, San Francisco police served a search warrant on a Bay Area hotel room where detectives found multiple computers and a machine that manufactures magnetic strips used on the back of credit, debit and gift cards, Det. Travis Allen said.
[Evan] San Francisco is almost 800 miles away from Cache County; where the credit card numbers are alleged to have been stolen. Unless these two arrested men have/had local (Cache County) ties, it seems likely that these are not the same men who stole the information from Family Funbox. I'll elaborate later in this post.
In the computers’ hard drives were the credit card numbers of Cache County residents, many of whom had been notified by their banks of fraudulent charges on their accounts, Allen added.
Smithfield police say they received an unusual number of credit card fraud claims in the fall of 2007.
[Evan] So it seems as though the theft of credit card numbers could have happened anytime between the time the DVD rental boxes were installed until the source of the fraud was discovered.
“We finally found one common factor among everybody that was calling us: They had all used the Family Fun Box,” Allen said.
The DVD-dispensing machines were located in the Summit Creek Sinclair gas station and Lee’s Marketplace in Smithfield. A third operated in the Wellcome Mart in Wellsville.
[Evan] How easily could these machines be physically compromised in these locations? One of the easiest ways to compromise these machines would be to place a skimmer over the credit card slot. If the skimmer is fairly well disguised, it would probably meet with some success.
“We thought maybe somebody had a credit card reading device attached to the machine,” Allen said.
“We couldn’t find anything and thought, maybe it’s being internally hacked somehow.”
[Evan] Police didn't find anything when the looked, but the skimmer could have been uninstalled long beforehand. We aren't sure of the exact timeframe, but it seems like there was ample time to capture magnetic strip data of thousands of customer credit/debit cards before the investigation even began. Think about it for a second. Capture thousands of cards, remove the skimmer, THEN sell the data or commit fraud. The skimmer would have been long removed by the time police are ever aware of a problem
Smithfield police learned the machines store no account information but encrypt card numbers before sending them to a merchant processor in Dallas, Texas.
[Evan] This doesn't matter if a skimmer is placed over the card slot.
The company, Teleasy Corporation, told Smithfield police its servers had never been hacked and that it would know if they had, Dunn said.
Police reports show the unauthorized charges were taking place in Northern California, Illinois, even Spain.
[Evan] This substantiates the possibility that the users of the information are not the same people that stole the information. In my opinion (based on public articles), one or more people stole the credit card information and sold it on to street-level fraudsters.
“We did find some instances where someone had gone to a boat shop in Florida and spent several thousand dollars,” added Allen. “In Smithfield, I think we had about 55 victims and over $100,000 in losses.”
[Evan] Credit card fraud and identity theft can be very rewarding for the crooks. The problem will probably only get worse before people and organizations (financial institutions primarily) get serious.
Investigators extracted a hard drive from one of the DVD machines and sent it to a computer forensic lab in Salt Lake City where specialists told police there was no evidence of local tampering.
[Evan] Again, nothing would show up if a skimmer were used. The police deserve credit though for conducting a thorough investigation and eliminating the possibilities.
“They could show no compromise to the hard drive,” said Allen. “One thing we don’t know is how the suspects obtained the information.”
Allen presented his findings to the Utah Attorney General’s Office and later to the FBI’s Cyber Crimes Task Force.
Information was distributed to national law enforcement agencies and a tip came when police in California responded to a Longs Drug Store where an individual was allegedly trying to use a gift card that was traced back to a stolen credit card number, Allen said.
An investigation led to the search of a Bay Area hotel where two males were arrested and charged with various crimes, Allen said.
[Evan] Are these two individuals just street-level thugs caught using the information that they obtained elsewhere?
Smithfield police say the names of the individuals have not been released at the request of the U.S. Attorney General’s Office.
"we’ve identified 2,500 victims just within our area.” Smithfield Police Chief Johnny McCoy
Todd Durrant, owner of the three Family Fun Box machines, said Friday he’s stopped running his business.
“The machine at Lee’s was half my business,” he said. “And when that was gone I didn’t have the income and still had loans to pay on the machines.”
“I would love to see whoever does this kind of crime get what’s coming to them,” he said. “They don’t even see the faces of the people they hurt.”
[Evan] It's sad, but I don't think chances are good for people like Mr. Durrant.
Commentary:
The stolen information economy is really thriving. There are three of major roles. There are the stealers; these are the people who obtain the information. There are the dealers; these are the people who make a cut in buying/selling stolen information, and then there are the users; these people use the information to commit fraud. Sometimes the same person fulfills more than one role, and sometimes things are more complicated. In this case, you can make the call.
Stealers, dealers, and users. Users are usually the easiest to catch.
Past Breaches:
Unknown
Date Reported:1/11/09
Organization:
Family Funbox
Contractor/Consultant/Branch:
None
Location:
Cache County, Utah
Victims:
Customers
Number Affected:
"some 2,500"
Types of Data:
Credit card information
Breach Description:
Customers of Family Funbox, a local Cache County (UT) DVD rental business, have been victimized by widespread credit card fraud. Family Funbox is now out of business.
Reference URL:
KSL Television & Radio
The Herald Journal
Report Credit:
Matthew Jensen, The Herald Journal
Response:
From the online sources cited above:
Two men are in custody and under investigation by the FBI in an identity theft scheme that victimized 2,500 Cache County residents, Smithfield police officials said Wednesday.
In late 2008, San Francisco police served a search warrant on a Bay Area hotel room where detectives found multiple computers and a machine that manufactures magnetic strips used on the back of credit, debit and gift cards, Det. Travis Allen said.
[Evan] San Francisco is almost 800 miles away from Cache County; where the credit card numbers are alleged to have been stolen. Unless these two arrested men have/had local (Cache County) ties, it seems likely that these are not the same men who stole the information from Family Funbox. I'll elaborate later in this post.
In the computers’ hard drives were the credit card numbers of Cache County residents, many of whom had been notified by their banks of fraudulent charges on their accounts, Allen added.
Smithfield police say they received an unusual number of credit card fraud claims in the fall of 2007.
[Evan] So it seems as though the theft of credit card numbers could have happened anytime between the time the DVD rental boxes were installed until the source of the fraud was discovered.
“We finally found one common factor among everybody that was calling us: They had all used the Family Fun Box,” Allen said.
The DVD-dispensing machines were located in the Summit Creek Sinclair gas station and Lee’s Marketplace in Smithfield. A third operated in the Wellcome Mart in Wellsville.
[Evan] How easily could these machines be physically compromised in these locations? One of the easiest ways to compromise these machines would be to place a skimmer over the credit card slot. If the skimmer is fairly well disguised, it would probably meet with some success.
“We thought maybe somebody had a credit card reading device attached to the machine,” Allen said.
“We couldn’t find anything and thought, maybe it’s being internally hacked somehow.”
[Evan] Police didn't find anything when the looked, but the skimmer could have been uninstalled long beforehand. We aren't sure of the exact timeframe, but it seems like there was ample time to capture magnetic strip data of thousands of customer credit/debit cards before the investigation even began. Think about it for a second. Capture thousands of cards, remove the skimmer, THEN sell the data or commit fraud. The skimmer would have been long removed by the time police are ever aware of a problem
Smithfield police learned the machines store no account information but encrypt card numbers before sending them to a merchant processor in Dallas, Texas.
[Evan] This doesn't matter if a skimmer is placed over the card slot.
The company, Teleasy Corporation, told Smithfield police its servers had never been hacked and that it would know if they had, Dunn said.
Police reports show the unauthorized charges were taking place in Northern California, Illinois, even Spain.
[Evan] This substantiates the possibility that the users of the information are not the same people that stole the information. In my opinion (based on public articles), one or more people stole the credit card information and sold it on to street-level fraudsters.
“We did find some instances where someone had gone to a boat shop in Florida and spent several thousand dollars,” added Allen. “In Smithfield, I think we had about 55 victims and over $100,000 in losses.”
[Evan] Credit card fraud and identity theft can be very rewarding for the crooks. The problem will probably only get worse before people and organizations (financial institutions primarily) get serious.
Investigators extracted a hard drive from one of the DVD machines and sent it to a computer forensic lab in Salt Lake City where specialists told police there was no evidence of local tampering.
[Evan] Again, nothing would show up if a skimmer were used. The police deserve credit though for conducting a thorough investigation and eliminating the possibilities.
“They could show no compromise to the hard drive,” said Allen. “One thing we don’t know is how the suspects obtained the information.”
Allen presented his findings to the Utah Attorney General’s Office and later to the FBI’s Cyber Crimes Task Force.
Information was distributed to national law enforcement agencies and a tip came when police in California responded to a Longs Drug Store where an individual was allegedly trying to use a gift card that was traced back to a stolen credit card number, Allen said.
An investigation led to the search of a Bay Area hotel where two males were arrested and charged with various crimes, Allen said.
[Evan] Are these two individuals just street-level thugs caught using the information that they obtained elsewhere?
Smithfield police say the names of the individuals have not been released at the request of the U.S. Attorney General’s Office.
"we’ve identified 2,500 victims just within our area.” Smithfield Police Chief Johnny McCoy
Todd Durrant, owner of the three Family Fun Box machines, said Friday he’s stopped running his business.
“The machine at Lee’s was half my business,” he said. “And when that was gone I didn’t have the income and still had loans to pay on the machines.”
“I would love to see whoever does this kind of crime get what’s coming to them,” he said. “They don’t even see the faces of the people they hurt.”
[Evan] It's sad, but I don't think chances are good for people like Mr. Durrant.
Commentary:
The stolen information economy is really thriving. There are three of major roles. There are the stealers; these are the people who obtain the information. There are the dealers; these are the people who make a cut in buying/selling stolen information, and then there are the users; these people use the information to commit fraud. Sometimes the same person fulfills more than one role, and sometimes things are more complicated. In this case, you can make the call.
Stealers, dealers, and users. Users are usually the easiest to catch.
Past Breaches:
Unknown
Posts Atom 1.0
Comments