More POS Hacks Grab CC Numbers

Everyone gets a kick out of TV shows and news reports that feature stupid criminals: people who get themselves locked inside the store they are trying to rob, or stuck in the air vent attempting to break in. For some reason you don’t hear about the smart criminals very often. Maybe they don’t get caught as much?
Recently there has been a new twist on the old credit card number scam. Criminals have found a way to modify the point-of-sale card readers everyone swipes their cards through so that the machines make copies of the card information. I’ve written about this before here and here. Previously it was Stop & Shop Supermarkets, which had its card readers physically altered inside the store to record card information (smart), and the second time it was researchers at the University of Cambridge [PDF] who found how easy it was to tamper with the tamper-resistant chip and PIN machines (wicked smart). Now it is Lunardi’s Supermarket in Los Gatos, California, which has found its card swipe machines altered to record the card number and PIN. At least a hundred people so far have reported fraud against their cards.
There isn’t a lot of room inside those little machines, so being able to take one apart, install a recording device, put it back together and install it inside the store without anyone noticing seems pretty damn smart to me.
So you want to be smarter? Don’t trust the machines. Don’t give out your PIN to every retailer you shop at. When the machine asks for a PIN, hit the cancel button and choose ‘credit’ instead of ‘debit’. If your debit card can’t double as a credit card, get to your bank today and demand one that can. Don’t give your PIN to the supermarket or Walmart, and at the corner mom & pop store use cash. Cash is king. Even at the ATM, protect your PIN: look for tampering at the machine, and cover your hand when entering the number. Be smarter than the criminals. Sure, you may feel like George Costanza in an episode of Seinfeld, but better to feel like a stocky bald man than to become the victim of fraud.
 



This entry was posted in Commentary, Current Events by Space Rogue.

About Space Rogue

Space Rogue is widely sought after by journalists and industry analysts for his unique views and perceptions of the information security industry. He has been called to testify before the Senate Committee on Governmental Affairs and has been quoted in numerous magazine and newspaper articles as well as appeared on such TV shows as News Hour with Jim Lehrer, CNN Nightly News, ABC News Online with Sam Donaldson, and others. A recognized name within the industry, Space Rogue has written articles that are often quoted or referred to by other major media outlets. He has spoken before numerous audiences including the Digital Messaging Association, Defcon, Pumpcon, HOPE, H2K, and others. As a former member of L0pht Heavy Industries, Space Rogue ran the widely popular Hacker News Network, which quickly became a major resource on the Internet for daily information security news. Before HNN he ran The Whacked Mac Archives, which at the time was the largest and most popular Macintosh security site on the net. Currently Space Rogue does consulting for various companies.

One thought on “More POS Hacks Grab CC Numbers”

  1. I’ve got to say, after installing and maintaining POS systems for a while, there is quite a bit that can be done, even without any hardware modification. The credit-card bridging software used by a number of POS software platforms can often be accessed to pull back full names and credit card numbers from each transaction. While not as powerful as having a PIN, if the clerk had to manually enter anything, or if it was a phone order, oftentimes the CVV number will be included in these records.

    Since many small businesses use their POS server as an office computer as well, it’s just a matter of nabbing the IP address and getting yourself a backdoor. While it isn’t something that can be done easily, I don’t think it would be more difficult than dismantling a pin-pad and including a capture device.
