News from the Online Fraud Cyberwar

The same week that Pay By Touch settled outstanding government claims against CardSystems, news of a new computer breach that could be at least as damaging emerged from California, while keylogging made the front page of the New York Times.

CardSystems Settlement
At this point, the CardSystems matter should be mere gossip; it would be, that is, if the Federal Trade Commission’s (FTC) complaint didn’t make perfectly clear that CardSystems’ failures were more abysmal than commonly thought.

The complaint, which lists seven violations of Section 5(a) of the Federal Trade Commission Act (see http://www.ftc.gov/os/caselist/0523148/0523148complaint.pdf), says that CardSystems had what seems to have been only fairly rudimentary computer security. It didn’t test its own systems so it could understand its vulnerabilities and protect against them, for instance, and wasn’t using so-called “strong” passwords to protect against hackers.

As a result, an unknown hacker was able to launch an SQL (structured query language) injection attack last September that slipped a keylogger program into CardSystems’ network. SQL injection attacks are considered commonplace and easily deflected, and the tools the attacker used are easy to buy on the Internet at one of the many “Warez” sites.

That keylogger program, in turn, was collecting and transmitting magnetic stripe data to the hacker every four days—data that CardSystems had been storing for up to 30 days in violation of the card associations’ PCI (Payment Card Industry) security standards.

As a result, says the complaint, tens of millions of credit and debit cards were compromised—not the several hundred thousand reported to have been compromised at the time—and what the FTC called “several million dollars” in purchases were charged to them. To date, the hacker has not been caught.

Pay By Touch, which bought CardSystems last December, agreed with the FTC to create a comprehensive cyber security program—we can guess this already existed, since Pay By Touch is in the authentication business—and to be audited by a third-party security professional every other year for 20 years. Pay By Touch also agreed to adhere to what the FTC called “standard bookkeeping and record-keeping provisions.” Pay By Touch was represented by Constantine Cannon LLP, the well-known Washington, D.C., law firm. It bought CardSystems’ assets after CyberSource Corp. made an aborted offer in September.

Since details of the Pay By Touch acquisition are unavailable, exactly how great a deal Pay By Touch was able to cut is unknown, although common sense allows any observer to infer that acquiring CardSystems’ customer list—in 2005 the company processed 210 million payment-card transactions for 119,000 merchants, worth some $15 billion—was cheap, considering the sensation surrounding the hapless processor. And while the FTC may have thought it was being tough, it may not have considered the marketing benefits that attach to Pay By Touch’s being able to say its systems are certifiably secure. Looked at that way, a deal that left many payments pros scratching their heads last year is looking smarter every day. (Contact: Federal Trade Commission, 202-326-2181; Pay By Touch, 415-281-2253)

Latest Card Breach Getting Bigger and Better
Meanwhile, an FBI investigation of a West Coast security breach, reportedly affecting about 200,000 customers, is getting new legs because the bureau thinks the case may be linked to other debit card cases around the country.

The breach in question has affected consumers in the Western United States. Beginning in late December, customers of banks and credit unions, mostly based in California, began discovering funds being withdrawn from their accounts at foreign ATMs, following which the banks and credit unions affected issued the customers new debit cards.

At first the investigation was being conducted out of the FBI’s Sacramento office, but two weeks ago it was moved to Charlotte, N.C., when bureau officials there learned the case might be related to one of their investigations, according to CNET News.com, which first reported the story. Both Bank of America and Wachovia are headquartered in Charlotte.

The first breach affected two retailers, Wal-Mart Stores Inc. and, it’s rumored, OfficeMax Inc. Wal-Mart acknowledged that in December, some customers who had bought gasoline at the company’s Sam’s Club unit between Sept. 21, 2005, and Oct. 2, 2005, had had their card accounts compromised. According to the CNET story, investigators discovered that many of those consumers had also shopped at OfficeMax, leading to the widening investigation. OfficeMax said its systems have not been breached. (Contact: FBI, Charlotte, NC, office, 704-377-9200; Wal-Mart Stores Inc., 479-277-9362; OfficeMax Inc., 630-438-8584)

Also, One Big Conviction

In another indication that law enforcement is taking cybercrime seriously, federal authorities in Little Rock, Ark., say that Scott Levine, the 45-year-old former owner of Snipermail Inc., a defunct email advertising firm, got eight years in the federal slammer for stealing from Acxiom Corp. what the feds said was 8.2 gigabytes of data.

The data included one billion individual customer records, including names, physical and email addresses, and phone numbers. Levine was convicted last August of 120 counts of unauthorized access of a protected computer, two counts of access-device fraud, and obstruction of justice. He could have received a maximum of 640 years in prison and/or $30.75 million in fines.

According to the U.S. Attorney and the FBI, Levine, together with six employees, stole the Acxiom files between April 2002 and July 2003 by using decryption software to recover passwords and then gaining access to Acxiom databases. The six employees all turned state’s evidence.

Investigators from the sheriff’s office in Hamilton County, Ohio, stumbled across Levine in the course of an unrelated investigation into charges that another man had illegally accessed and downloaded data from Acxiom. That man, Daniel Baas, pled guilty to federal charges in Ohio on Dec. 2, 2003.

The feds made Levine sound like a super hacker, but according to reporting in the Arkansas Democrat-Gazette, Levine was nothing of the sort. According to the newspaper, Levine was simply selling email addresses to Acxiom, and in the course of sending the company files, discovered that Acxiom’s password for uploading files was the same as the one for downloading.

Levine’s mistake, of course, was using that password. Acxiom may have ignored the commonsense computer-security procedures whose absence allowed Levine to commit the crime, but that negligence itself wasn’t illegal.

On the other hand, Levine, while certainly found guilty of the crime, apparently had limited criminal intent. While some of the data was resold to a broker and used in an ad campaign, there’s no evidence that any of the stolen data was used in identity theft or credit card fraud schemes, from which we can infer that Levine, while stupid, wasn’t a career criminal.

Acxiom is a database management firm based in Little Rock that among other things stores personal, financial and company data for other companies as part of its IT outsourcing operations. It reported $347.4 million in revenues for its third quarter, ended January 25. (Contact: FBI, Little Rock office, 501-221-9100; U.S. Attorney, Eastern District of Arkansas, 502-340-2600)

New Threat Report
PandaLabs says there’s a new trojan/keylogger program for sale on the Internet, called Trj/Briz.A, that’s designed to steal personal data from Web forms accessed by infected computers. The truly dangerous part: This program can’t be detected by any antivirus protection, because the person who wrote it checks and updates it every day.

Crooks who buy the program get more than just a tool; they also get the ability to control the infection, allowing them to get a list with what PandaLabs says is “a large quantity of data about the infected computers,” including IP addresses, passwords, even the physical location of an infected computer.

The file that causes the Trj/Briz.A infection is called "iexplore.exe," and uses the name to pass as Internet Explorer. When run, it downloads different files, following which it stops and deactivates Windows Security Center services and Shared Internet Access. Then it collects information from email clients such as Outlook, Eudora, and The Bat, and sends it to the attacker. Just to make things as bad as possible, it also makes it impossible for the infected computer to access antivirus websites. (Contact: PandaLabs, 818-543-6909)
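Two of the behaviours just described (a binary posing as iexplore.exe from the wrong directory, and antivirus sites made unreachable, typically through hosts-file entries) can be spotted behaviourally even when signatures lag. The checks below are an added defender-side example, not code from the original article or from PandaLabs; the install directories, the vendor-domain watch list and all sample data are assumptions constructed for the example.

```python
"""Detection heuristics for two Trj/Briz.A behaviours: a process masquerading as
iexplore.exe outside the real IE directory, and hosts-file entries that black-hole
antivirus vendor domains. All sample data here is constructed, not real telemetry."""

# Where the genuine Internet Explorer binary lives on a Windows XP-era install (assumed).
LEGIT_IEXPLORE_DIRS = {
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
}
# Hypothetical watch list of security-vendor domains a defender expects to stay reachable.
AV_DOMAINS = ("pandasoftware.com", "symantec.com", "mcafee.com", "windowsupdate.com")
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}  # mapping an AV domain here silences it

SAMPLE_PROCESSES = [  # constructed sample, not real telemetry
    {"pid": 1204, "path": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 1388, "path": r"C:\WINDOWS\system32\iexplore.exe"},  # masquerading copy
    {"pid": 1412, "path": r"C:\WINDOWS\explorer.exe"},
]
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com   # AV update site redirected to loopback
0.0.0.0         liveupdate.symantec.com
192.168.1.20    fileserver
"""


def suspicious_processes(procs):
    """Return paths of processes named iexplore.exe that run from any directory
    other than the genuine Internet Explorer install directory."""
    hits = []
    for proc in procs:
        directory, _, name = proc["path"].lower().rpartition("\\")
        if name == "iexplore.exe" and directory not in LEGIT_IEXPLORE_DIRS:
            hits.append(proc["path"])
    return hits


def hijacked_av_domains(hosts_text):
    """Return watch-listed AV hostnames that a hosts file maps to a black-hole
    address, which is how an infected machine is cut off from signature updates."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) < 2 or fields[0] not in BLACKHOLE_ADDRS:
            continue
        for host in fields[1:]:
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in AV_DOMAINS):
                hits.append(host)
    return hits
```

On a live host the same functions would be fed the output of a process listing and the contents of %SystemRoot%\system32\drivers\etc\hosts instead of the constructed samples.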

Keylogging on Page One
And if all that news wasn’t bad enough for the credibility of online financial services, the keylogging threat made the front page of the New York Times today, becoming the second-most emailed article of the day. The fourth paragraph tells of a Brazilian scheme, broken up two weeks ago, that netted $4.7 million from 200 accounts at six banks. A separate keylogging incident in France is also said to have netted $1.1 million.