Credit Card Fraud


Affiliate marketing is a very popular way for people to make money from their websites. Most websites that charge membership fees have affiliate programs through which they pay others for driving traffic to their sites. Usually the affiliate receives a percentage of the money spent by each person who signs up for a service or buys a product after being referred from the affiliate's site. For example, Amazon runs a huge affiliate program in which it shares revenue with affiliates whose referrals result in a sale.

Affiliate marketing is very widespread in the online adult entertainment industry. Just about every adult website has an affiliate program, and it is not uncommon for scammers to look for ways to take advantage of these programs in an effort to make quick money, even if it means committing fraud to do it. I was recently informed by a large payment gateway operator of an affiliate scam that is currently in operation in the adult arena. Here is how it works:

First, the scammers establish affiliate relationships with legitimate websites that have generous affiliate payouts. Then the scammers create a website of their own with teaser content that is likely to generate interest. The site requires a fee of X dollars for full access, and in reality has little or no content. Of course viewers won't discover this until after they have signed up and handed the scammers their credit card details. The scammers then take those card details and use them to sign up, through their own affiliate links, with the partner websites, and collect the affiliate payout from each one. By the time the cardholder disputes the charge they never made, the partner site has already paid out; the merchant is left with the chargeback, and the scammer has the money.

Based on the information I have received, the elements listed below have been associated with this latest scam:

  • Billing Phone:
  • Billing Email: 
  • Email: 
  • Email: 
  • Email: 
  • Company Name: Anton Dzarty

Additionally, it seems that a payment gateway operating out of Germany is associated with this scam and is injecting the harvested card details directly into the payment pages of merchants. I would advise all merchants with affiliate programs to search their databases for any of the above information and to scrutinize traffic coming from that gateway. Currently this scam is focused on merchants in the adult space, but it is likely to spread to other markets with big affiliate programs as well.
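The two checks recommended above, matching stored signups against the shared indicators and scrutinising the traffic an affiliate sends, can be automated. The following is an added example and not code from the original post or from the gateway operator; the record layout, the placeholder e-mail, phone and gateway values (the post's own values are omitted here) and the thresholds are all assumptions, and the signup records are constructed. It goes one step beyond the indicator list: because stolen card details used through the scammer's own affiliate link end up as chargebacks against the merchant, it also flags any affiliate whose referrals are disputed far more often than normal.

```python
"""Screening affiliate-referred signups for the scam described above.

Added example, not code from the original post. The record layout, the
placeholder indicator values and the thresholds are all assumptions;
the signups below are constructed sample data.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Signup:
    signup_id: str
    affiliate_id: str     # affiliate whose link referred the signup
    email: str
    billing_email: str
    billing_phone: str
    company_name: str
    gateway: str          # payment gateway the card details arrived through
    charged_back: bool    # the cardholder later disputed the charge


# Indicators of the kind the gateway operator shared. Only the company
# name is taken from the post; the e-mail, phone and gateway values are
# placeholders standing in for the omitted ones.
INDICATORS = {
    "email": {"scammer-a@example.invalid", "scammer-b@example.invalid"},
    "billing_email": {"billing@example.invalid"},
    "billing_phone": {"15555550100"},            # digits only
    "company_name": {"anton dzarty"},
    "gateway": {"gateway-de.example.invalid"},
}


def _norm(value: str) -> str:
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(value.lower().split())


def _digits(value: str) -> str:
    """Keep only digits so '+1 (555) 555-0100' and '15555550100' compare equal."""
    return re.sub(r"\D", "", value)


def indicator_hits(s: Signup) -> list[str]:
    """Names of the indicator fields this signup matches (empty if clean)."""
    checks = [
        ("email", _norm(s.email), INDICATORS["email"]),
        ("billing_email", _norm(s.billing_email), INDICATORS["billing_email"]),
        ("billing_phone", _digits(s.billing_phone), INDICATORS["billing_phone"]),
        ("company_name", _norm(s.company_name), INDICATORS["company_name"]),
        ("gateway", _norm(s.gateway), INDICATORS["gateway"]),
    ]
    return [name for name, value, bad in checks if value and value in bad]


def screen(signups, min_referrals=5, max_chargeback_rate=0.25):
    """Flag signups that match an indicator, and affiliates whose referrals
    are disputed far more often than normal. Stolen card details used
    through the scammer's own link become chargebacks against the merchant
    after the payout has been made, so a high dispute rate per affiliate is
    the behavioural signal behind the indicator list."""
    flagged_signups = {}
    totals = defaultdict(lambda: [0, 0])  # affiliate -> [referrals, chargebacks]
    for s in signups:
        hits = indicator_hits(s)
        if hits:
            flagged_signups[s.signup_id] = hits
        totals[s.affiliate_id][0] += 1
        totals[s.affiliate_id][1] += int(s.charged_back)
    flagged_affiliates = {
        aff: cb / n
        for aff, (n, cb) in totals.items()
        if n >= min_referrals and cb / n > max_chargeback_rate
    }
    return {"signups": flagged_signups, "affiliates": flagged_affiliates}


def _mk(i, aff, charged_back, company="", gateway="gateway-us.example.invalid"):
    """Build one constructed sample record."""
    addr = f"user{i}@example.invalid"
    return Signup(f"s{i}", aff, addr, addr, "+1 555 555 0199", company, gateway, charged_back)


# Constructed sample: one clean referral from aff-001, and seven referrals
# from aff-777 that came through the suspicious gateway, five of them disputed.
SAMPLE_SIGNUPS = [
    _mk(1, "aff-001", False),
    _mk(2, "aff-777", True, company="Anton Dzarty", gateway="gateway-de.example.invalid"),
] + [_mk(i, "aff-777", i % 3 != 0, gateway="gateway-de.example.invalid") for i in range(3, 9)]


if __name__ == "__main__":
    result = screen(SAMPLE_SIGNUPS)
    for sid, hits in result["signups"].items():
        print(f"signup {sid}: matches {', '.join(hits)}")
    for aff, rate in result["affiliates"].items():
        print(f"affiliate {aff}: chargeback rate {rate:.0%}")
```

The minimum-referral floor matters: a single disputed signup from a new affiliate is noise, while five disputes out of seven referrals from one affiliate is the pattern the gateway operator described. Tune both thresholds against your own historical chargeback rate before holding payouts on the strength of the affiliate check.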

Heartland Payment Processor Breach

Another day, another major breach of credit card data. And this one is a doozy. The payment processor Heartland Payment Systems announced on January 20th that it had suffered a breach and that an unknown number of credit card accounts had been compromised. Heartland is the 5th largest payment processor in the world, with over 250,000 customers, and handles over 100 million transactions per month. It is likely this breach will result in the compromise of more accounts than the infamous TJX breach of 2006, in which approximately 95 million card accounts were exposed.

It appears this hack was the result of poor endpoint security and a lack of encryption of data in motion. I will start by stating that Heartland was in compliance with the PCI DSS and had been audited in April of 2008. That being said, PCI DSS compliance does not guarantee that data is secure. It is a good starting point, but more can and should be done to protect cardholder data.

Back to the Heartland hack; according to the information I have read so far, it appears that some number of systems in their cardholder data environment became infected with malware that sniffed credit card account information as it was transmitted over the network. If this is true, it validates my belief that endpoint security is often the weakest link in the enterprise security environment. I have no doubt that these systems had anti-virus software installed. However, anti-virus software is only as good as its signature database, and most products are woefully inadequate at detecting malware, especially custom malware written for a single target. In environments with high security concerns, it is appropriate to use application whitelisting utilities that allow only specifically defined applications to execute. These utilities don't rely on signatures and significantly reduce the threat of malware: a sniffer that has never been seen before still cannot run if it is not on the list.

The other problem in the Heartland environment was that credit card data was being transmitted between Heartland and the card brands in clear text. The reason this was not flagged as a violation of the PCI DSS is that many payment processors use dedicated leased lines to the payment brands, which is often accepted as a compensating control in place of encryption. Clearly this is a weak compensating control: a leased line keeps outsiders off the wire, but it gives anyone who compromises a workstation or server on either end unfettered access to everything that crosses the network. Best practice dictates that account numbers be encrypted over the network, which is easily achievable with a variety of methods (TLS, IPsec, or application-level encryption of the account number itself). Defense in depth is the lesson to be learned here.

Finally, it appears that Heartland did not have very strong logging and monitoring controls in place, as they did not detect the malware themselves. They were notified by Visa and MasterCard of suspicious activity traced back to their network. Once notified, Heartland took nearly two months to disclose the breach, and it appears their handling of the incident may be in violation of several state breach-notification laws. If the scope of the breach is as large as is being reported, Heartland may end up spending $100 million or more to deal with this incident, and they are already facing a lawsuit as a result. That is far more than it would have cost to secure their endpoints and encrypt data in motion. Look for the PCI DSS to be amended as a result of this incident to address these issues.
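The sniffer described in the preceding paragraphs needs very little sophistication once the traffic is in clear text, and the same logic turned around is the monitoring control that was missing. The following is an added example, not code from the post or from Heartland: a small harvester that pulls Luhn-valid card numbers out of transaction records, which is what the malware would have done on the leased line, and which a network monitor can run to alert when a PAN shows up on a link or in a log where it should not. The record format and the leading-digit heuristic are assumptions, and the lines are constructed using the published test card numbers. On a TLS-wrapped link the same code sees only ciphertext and finds nothing, which is the whole argument for encrypting data in motion.

```python
"""Harvesting card numbers from clear-text transaction records.

Added example, not code from the post or from Heartland. The log lines
are constructed; the field names and the leading-digit heuristic are
assumptions. The same logic that lets a sniffer harvest PANs from an
unencrypted link lets a network monitor alert when PANs appear where
they should not.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Luhn alone is not enough: one random digit string in ten passes it,
    and the timestamp 20090120143000 in the sample below happens to.
    Requiring a leading digit used by the major brands (3-6) removes most
    such hits."""
    return 13 <= len(digits) <= 19 and digits[0] in "3456" and luhn_ok(digits)


def mask(digits: str) -> str:
    """Keep only the first six and last four digits; never log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line number, masked PAN) for every PAN found in the records."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if looks_like_pan(digits):
                findings.append((lineno, mask(digits)))
    return findings


# Constructed records as they might cross an unencrypted leased line. The
# card numbers are the usual published test numbers; line 4 shows what a
# tokenised record looks like, and yields nothing.
SAMPLE_LINES = [
    "2009-01-20 14:30:00 AUTH pan=4111111111111111 exp=1210 amt=4999 merchant=00012345",
    "2009-01-20 14:30:01 AUTH track2=5500000000000004=12101011234567890 amt=2099",
    "2009-01-20 14:30:02 SETTLE batch=1234567890123456 count=2 ts=20090120143000",
    "2009-01-20 14:30:03 AUTH token=tok_8f3a1c pan=****0004 exp=1210 amt=1250",
]


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LINES):
        print(f"line {lineno}: PAN {masked}")
```

Two practitioner points are built in. First, the alert carries only a masked PAN, because a monitoring tool that writes full card numbers into its own log has just created a second copy of the data it was meant to protect. Second, the batch id and the timestamp on line 3 show why a Luhn check by itself produces false positives on settlement traffic; the leading-digit filter is a cheap way to keep the alert volume sane, at the cost of missing private-label ranges that start with other digits.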

My Latest Experience With Credit Card Fraud


Well, it has happened again.  One of my credit cards has been used to make unauthorized purchases.  I was contacted about a month ago by my issuing bank to inform me of suspicious purchases at a grocery store and restaurant in Arizona.  I presumed (incorrectly) that because I live in North Carolina and did not make any airline ticket purchases or show a pattern of purchases that would lead them to believe that I was in Arizona, the card issuing bank became suspicious and contacted me.  Once I informed them that I did not make the purchases and that the card was still in my possession, they immediately canceled the account and issued me a new card.  I was impressed with their monitoring system that was able to detect this fraud so quickly.  I discovered later that the bank was not as proactive as I had assumed.

This is not the first time this has happened to me.  A couple of years ago this same card was used to make fraudulent purchases on a web site.  In that case, I notified the bank of the fraudulent transaction after seeing it on my statement.  I never did figure out how my card information was obtained during that incident, but something interesting happened recently that I believe explains how the criminals got a hold of my card data this time.  It also explains how the bank noticed the unauthorized charges so quickly.

A few days ago I received a letter in the mail from a major hotel chain stating that they had suffered a breach and that my credit card information had been stolen. I only stayed at this particular hotel once, about two and a half years ago, and I used this credit card to pay for the room. According to the letter, a “sophisticated hacker” had gained access to the computer systems of one of their franchises and was able to access “customer transaction files at a number of other hotels” to obtain credit and debit card data. Aha. Given the timing of the incidents it seems probable that the fraudulent transactions were a result of this breach.

To the hotel’s credit, they did at least have some detective controls in place that discovered the breach and appropriately alerted both the payment card companies as well as affected customers.  This is how my issuing bank detected the fraudulent charges so quickly.  They had a heads up.  However, the hotel was clearly not in compliance with the PCI DSS.  Credit card data is supposed to be encrypted when stored, which would have prevented the hacker from being able to read this sensitive information.  And if it was encrypted, then they did not properly manage the encryption keys, which again, is a violation of the PCI DSS.

One of the most important things for any company that stores sensitive information, such as credit card data, is to implement controls that delete such data after a defined retention period. There is no reason to store credit card data for two and a half years, especially when there is no recurring transaction that needs it. By limiting the amount of sensitive data that is stored to the absolute minimum necessary for business purposes, a business reduces its risk and limits the damage in the event of a security breach: data that has been deleted cannot be stolen. No doubt this hotel chain is spending much more on cleaning up after this incident than it would have had it followed this advice.
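The retention control recommended above, as an added example that is not the hotel's or the post's own code. The record layout, the 90-day window and the fingerprint key are assumptions, and the records are constructed. Cards that back an active recurring charge are kept, since that is the one business reason the paragraph allows for; every other record past the window loses its full PAN and keeps only a masked form plus a keyed fingerprint, so that fraud analysis can still recognise two old records as the same card without the stored data being of any use to a thief.

```python
"""Retention purge for stored card data.

Added example, not the hotel's or the post's own code. The record
layout, the 90-day window and the HMAC key are assumptions; the records
are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# In production this key lives in an HSM or key manager, separate from the
# database; a fixed value is used here only so the example runs.
FINGERPRINT_KEY = b"demo-only-fingerprint-key"


@dataclass(frozen=True)
class StoredCard:
    record_id: str
    last_used: date
    recurring: bool              # card is on file for an active recurring charge
    pan: Optional[str]           # full PAN (encrypted at rest in a real store); None once purged
    masked: Optional[str] = None
    fingerprint: Optional[str] = None


def fingerprint(pan: str) -> str:
    """Keyed hash of the PAN. An unkeyed hash can be brute-forced over the
    small space of valid PANs, which is why the key matters."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask(pan: str) -> str:
    """First six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def apply_retention(records, today: date, retention_days: int = 90):
    """Return (records after the purge, ids of records whose PAN was removed).

    A record keeps its PAN only while it backs a recurring charge or is
    inside the retention window; otherwise the PAN is replaced by a masked
    form and a keyed fingerprint."""
    after, purged = [], []
    for r in records:
        if r.pan is None or r.recurring or (today - r.last_used).days <= retention_days:
            after.append(r)
            continue
        after.append(replace(r, pan=None, masked=mask(r.pan), fingerprint=fingerprint(r.pan)))
        purged.append(r.record_id)
    return after, purged


# Constructed sample records; the card numbers are published test numbers.
TODAY = date(2009, 1, 20)
SAMPLE_RECORDS = [
    StoredCard("r1", date(2006, 7, 15), False, "4111111111111111"),  # one stay, 2.5 years ago
    StoredCard("r2", date(2009, 1, 5), False, "5500000000000004"),   # recent stay, inside window
    StoredCard("r3", date(2007, 3, 1), True, "4111111111111111"),    # recurring charge, keep
    StoredCard("r4", date(2008, 9, 1), False, "371449635398431"),    # 141 days, outside window
]


if __name__ == "__main__":
    after, purged = apply_retention(SAMPLE_RECORDS, TODAY)
    print("purged:", purged)
    for r in after:
        print(r.record_id, r.pan or r.masked, (r.fingerprint or "")[:12])
```

Run this as a scheduled job against the card store, and treat the purge count as something to monitor: a run that suddenly purges nothing usually means the job is broken, not that every stored card is in use.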

Copyright © 2011 InfoSecStuff.com — All Rights Reserved