[su_dropcap style=”simple”]O[/su_dropcap]ur society is a lot more “cash-less” now than it has ever been, yet we’re getting robbed more often. When I was in college studying economics, one professor taught us “macroeconomics”. Macroeconomics is the study of the economy as a whole. For example the amount of actual currency out in the world would be one element. We learned that the introduction of the ATM dramatically increased the amount of currency in the economy because people didn’t have to go to banks to get cash anymore. They had access to it 24/7.
With the introduction of debit cards people don’t even bother going to the ATMs anymore, they just swipe their cards for purchases as small as $1.59. So, I guess those kids in college studying economics now are getting a different lesson.
I bother you with such drivel because our society has essentially gone cash-less. And since that has seemingly happened, we are, as a whole, getting robbed everyday. The interception (stealing) of credit and debit cards are a real cost to our economy. Imagine that 80,000 people who went to buy a submarine sandwich were robbed of their cash as they stood at the counter ordering. Crazy thought right? It just happened…electronically.
The United States Department of Justice recently announced the indictment (courtesy of Wired – pdf) of four Romanian Nationals. Three are in custody and one is on the lam. They are accused of operating a rather sophisticated credit card theft ring that was able to steal upwards of 80,000 card numbers resulting in millions of dollars in losses. Here’s how they did it:
According to the press release and numerous articles on the story (here, here, here), the Romanian hackers managed to infiltrate the credit card processing machines of approximately 150 Subway stores and “other” unnamed retail establishments. (Nice PR work by the “other” companies to keep their name out of it) These establishments use was are called POS or “point of sale” machines to capture your credit or debit card information. The machines are supposed to merely pass through the information to a card processor who in turn either approves the account for the transaction or denies it.
Somewhere along this communication line, the card data was being copied and then sent to the hackers. Once they had the data they either sold the information or used it to make other, fraudulent, credit cards and use them. Remember the last time you stopped at a store and used their oh so convenient card machine? If you used a debit card you put your PIN in, right? And if you used a credit card, you signed the machine with that “pen” that was attached to it, right?
The big question is how does a group of 20-somethings from far flung Romania do this? Well, they need a little help… the machines have to be somehow connected to the Internet and in this case there is some discussion that the owners or servicers of some POS machines may install certain helpful “remote access” software so that they could “service” or “repair” the machines without having to actually visit the machines.
What actually happened here has yet to be completely revealed. The Government is being rather silent on just how these industrious youths pulled it off. Probably because these POS machines are everywhere. There is a discussion about “infecting” the POS terminals to capture the data, and “scanning” the Internet to find vulnerable unnamed remote access systems. No real discussion about why such systems are vulnerable. I guess we’ll have to wait for the lawsuits to get that data. And as for which Subway stores were affected? According to the indictment, they included locations in New Hampshire, New York, Florida, California, so, just about everywhere. The case is being prosecuted out of the NH US Attorney’s Office and the Boston Office of the Secret Service is investigating – so it sounds close to home.
Did the people whose accounts were stolen get their money back? Probably, but the banks are still out the money, who then in turn find a way to offset their losses by, maybe, instituting a $5/month debit card fee perhaps? And that’s the real cost to the economy. Nothing is free, not even “zero liability” card protection from a certain, very large, bank.
[su_quote]Oh, and that guy who’s on the lam? He’s from Rimnicu Vilcea… “hackerville!” (Fabulous story about that place here)[/su_quote]
PS – I presume that once this criminal investigation is done, the “data breach notifications” begin? Good luck fellas… You’ll need more than Jared for this one.
[su_note]UPDATE: I no sooner logged off from writing this than I bumped into Paul Roberts’ story about yet ANOTHER credit card hack related to retail… this time it’s Restaurant Depot and they’re saying about 100,000 cards. Is there anywhere safe to use your card?[/su_note]