Tag Archives: Credit card fraud

FBI 2020 Elder Fraud Report: 1 Billion loss

In 2020, IC3 received a total of 791,790 complaints with reported losses exceeding $4.1 billion. Based on the information provided in the complaints, approximately 28% of the total fraud losses were sustained by victims over the age of 60, resulting in approximately $1 billion in losses to seniors. This represents an increase of approximately $300 million in losses reported in 2020 versus what was reported by victims over 60 in 2019.

The initial contact in a lottery/sweepstakes scam is often a call, an email, a social media notification, or a piece of mail offering congratulations for winning a big contest, lottery, or sweepstakes the victim did not enter. To claim their prize, the victim is required to pay upfront fees and taxes. Subjects often request the payments be made via wire transfers or prepaid cards. Often, the scammers will ask for a victim’s banking information to transfer their winnings.

Read more in

CyberSecurity: Hackers can steal your card info at a gas station using card skimmers

What is a card skimmer?

Credit card skimming is a type of credit card theft where crooks use a small device to steal credit card information in an otherwise legitimate credit or debit card transaction. When a credit or debit card is swiped through a skimmer, the device captures and stores all the details stored in the card’s magnetic stripe.

You might wonder how each and every thing can be weaponized to steal your hard-earned money.

Gas station pumps are a different story, however. Most can easily be opened using a universal key which isn’t hard to acquire, allowing the skimming hardware to be installed inside so it’s completely invisible to unsuspecting users.

To retrieve the data that’s collected throughout a day, like card numbers and PINs, criminals just need to pull up nearby and download it all over a wireless Bluetooth connection. 

How does a hacker use a card skimmer?

Read more in https://www.thebalance.com/how-credit-card-skimming-works-960773

Is there any solution to this problem?

The team from the University of California San Diego, who worked with other computer scientists from the University of Illinois, developed an app called Bluetana which not only scans and detects Bluetooth signals, but can actually differentiate those coming from legitimate devices—like sensors, smartphones, or vehicle tracking hardware—from card skimmers that are using the wireless protocol as a way to harvest stolen data. 

So far, the Bluetana app has successfully identified 42 gas stations in the United States. As of now, details of the smartphone app have not been made public because hackers would find a way to bypass the app's algorithm.

CyberSecurity: EMV-enabled credit cards do not stop fraud!

State Bank of India asked its customers to get rid of conventional swipe cards and replace them with EMV-enabled chip cards. EMV chips are considered to be safer and to prevent credit/debit card fraud.

FYI: EMV stands for ‘Europay MasterCard Visa’ while PIN is an acronym for personal identification number.

Purpose of EMV

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant’s point-of-sale terminal. EMV is meant to replace conventional swipe transactions that rely on magnetic stripes, which contain data that is relatively easy for criminals to intercept and then copy on to a new card.

Reality of EMV

A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology.

This represents a major setback for the technology, known as the EMV standard, which is named after the companies (Europay, Mastercard and Visa) that created it.

“45.8 million…records [were] likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled,” states the report.

How is fraud still possible?

While the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems. The problem is that banks and merchants do not configure their systems properly, which leaves those systems vulnerable.

What is the use of stolen data?

There are multiple ways cybercriminals use stolen data. The first and easiest way is to sell the credit card numbers on the dark web, a market full of criminals that is not part of the public web or apps. The second method is to create replicas of the cards and use them to withdraw money.

Reference:

http://fortune.com/2018/11/05/credit-card-chips-fail-to-halt-fraud-survey-says/

Cyber Security: Lesson to be learned

Below is a reference to a paper that is one of the finest I have read in recent times. Here is a glimpse of the paper and the reference.

https://www.thirdway.org/report/to-catch-a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-and-punish-malicious-cyber-actors

In this paper, the author argues that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers.

  1. There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America. There are approximately 300,000 reported malicious cyber incidents per year, including up to 194,000 that could credibly be called individual or system-wide breaches or attempted breaches. This is likely a vast undercount since many victims don’t report break-ins to begin with. Attacks cost the US economy anywhere from $57 billion to $109 billion annually and these costs are increasing.
  2. There is a stunning cyber enforcement gap: Our analysis of publicly available data shows that cybercriminals can operate with near impunity compared to their real-world counterparts. We estimate that cyber enforcement efforts are so scattered that less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.
  3. There is no comprehensive US cyber enforcement strategy aimed at the human attacker: Despite the recent release of a National Cyber Strategy, the United States still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyberattackers and the organizations and countries often behind them.

My takeaway & View:

Despite so many levels of effort by security experts and organizations, and millions of dollars spent on security, it is a pretty scary situation. The big question that comes to my mind is: what about countries like India, Sri Lanka, Bangladesh and many other developing countries? These countries have not realized the threats yet and do not have the infrastructure to deal with such a horrible situation. However, the cyber threat is real.

China bulldozes all its neighbours, and in the cyber world China is much more advanced than anyone else. They are capable of listening to Mr Trump’s phone calls as well. If the phone of the President of the United States isn’t considered safe, then what can we expect from the technology that many countries are trying to adopt? What if China starts targeting its rivals? Does India have the power to hold its own against such attacks?

Given the situation in the cyber world and the pace of technological advancement, a lesson can be learned from all of the above. I won’t say it is too late for countries like India to learn and adopt technology that is safer to use, or to force organizations to keep their services secure. Everything must now be viewed from the security perspective. Every digitalization effort must have security as its first priority.

The Indian government has been very proactive in digitalizing its services; however, many services and portals are vulnerable. A lesson must be learned, otherwise it would be very damaging, and developing countries can’t afford it. Good measures have been identified, however, but only on paper so far. For instance, GDPR.

I don’t want to sound like an expert here, but truth be told, Indian IT service companies must learn and realize the threat. Make our services more secure and deliver what makes your clients safer. Have security in mind when designing an application. Invest in training, and skill newcomers to develop more secure applications. In reality, the issue is more one of mindset than a skill gap. People never understand what information should be exposed or hidden. As long as the application works, it is great. Here are a few instances:

  1. A simple example is allowing users to change their password without checking the current password.
  2. Supporting changes to password, email or profile info using the GET method in a web service.
  3. If you check an application, the application shows more insights. I don’t want to review any application, but that is how software is developed.
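
The first two items above, shown as a small framework-free handler that refuses non-POST requests and credentials in the URL, and verifies the current password before changing anything. This is an added example, not code from the original post; the function names, the `users` store, the PBKDF2 work factor and the 12-character minimum are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # illustrative PBKDF2 work factor (assumption)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str) -> dict:
    """Build a constructed user record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def change_password(method, query, form, session_user, users):
    """Hypothetical handler: returns (HTTP status, message)."""
    # Item 2: GET must never change state. URLs end up in browser history,
    # proxy and server logs, and a GET can be triggered by a plain link.
    if method != "POST":
        return 405, "state changes must use POST"
    if "current_password" in query or "new_password" in query:
        return 400, "credentials must not be sent in the URL"
    user = users.get(session_user)
    if user is None:
        return 401, "not logged in"
    # Item 1: a valid session alone is not enough; re-verify the current password.
    current = form.get("current_password", "")
    new = form.get("new_password", "")
    supplied = hash_password(current, user["salt"])
    if not hmac.compare_digest(supplied, user["hash"]):
        return 403, "current password is wrong"
    if len(new) < 12 or new == current:
        return 400, "new password rejected"
    user.update(make_user(new))  # new salt and hash replace the old ones
    return 200, "password changed"

if __name__ == "__main__":
    users = {"alice": make_user("old-password-123")}  # constructed sample data
    ok_form = {"current_password": "old-password-123",
               "new_password": "brand-new-pass-1"}
    print(change_password("GET", {"new_password": "x" * 12}, {}, "alice", users))
    print(change_password("POST", {}, {"new_password": "x" * 12}, "alice", users))
    print(change_password("POST", {}, ok_form, "alice", users))
```
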

Final words: Keep yourself aware of things which could impact you directly or indirectly.