New Fraud Spree Investigated

Retailers, Restaurants Struck by String of Crimes Targeting Cards
New Fraud Spree Investigated
The arrests of two men in Florida on multiple identity theft charges represent "just the tip of the iceberg" in payment card crimes against merchants and consumers across the U.S., according to law enforcement officials.

While these two suspects aren't believed to be the masterminds behind the string of fraud incidents that have hit retail chains such as Hancock Fabrics, the spike in the number of these crimes is undeniable, investigators and fraud analysts says.

A recent example: On June 3, Buffalo Wild Wings Restaurant near Oklahoma City was one of several regional restaurant chains to report being hit with credit and debit card fraud. Law enforcement has not yet said what the source of the credit card fraud was, but Elaine Dodd, head of the Oklahoma Bankers Association's fraud division, says it may have been a skimmer or point-of-sale compromise. "[Fraudsters] are using multiple routes to get card data because they know it can be done," Dodd says.

Dodd believes the Florida arrests, on the heels of fraud incidents reported throughout the U.S., show that multiple states are being struck concurrently by attacks that include skimming, point-of-sale swaps of terminals and possible hacking incidents of payment processing software. "We even got hit by another big vishing attack against consumers here in Oklahoma about a week ago," Dodd says. "The criminals are using every weapon in their arsenal to get card data."

Law enforcement officials - including the U.S. Secret Service - will not speak on the record about these cases, but confirm that they are conducting a multi-state, multi-country investigation into this string of crimes.

List of Recent Incidents

The increase in payment card fraud has spurred the Oklahoma Bankers Association to form a special group with law enforcement to focus on the trend.

"It is beyond apparent our bankers are taking great losses on these cards and we also need to explore creative ideas to mitigate these losses," the association says in its announcement of the group. "It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment."

Among recent incidents to have been reported in other states, according to the Identity Theft Resource Center:

  • Dairy Queen, Hanceville, Ala. had its Internet server hacked in early February, and thieves took debit card information. Thousands of dollars of debit card fraud has been reported in California and Georgia, say local law enforcement investigating the hack.
  • Mad Capper Bar and Restaurant, Stillwater, Minn. reports that at least 200 customers of the eatery had their credit cards stolen by unknown means in April. Thousands of dollars in fraudulent charges appeared on the customers credit cards shortly after the first reports came in. Investigators say the stolen cards have been used all over the country, from the east to west coast, and internationally, including several purchases made in Russia.
  • Mary's Pizza, Sonoma, Calif. -- an international computer hacker hit the 18-store chain in March and took an unknown number of credit cards from the computer system. The restaurant hired forensic firm Trustwave to determine the source of the hack, which turned out to be from Russia. The owner of the chain says other businesses in the Sonoma Valley were also hit with similar attacks.
  • Cedar Falls, Iowa businesses in April reported various incidents of credit card fraud. About 100 victims came forward saying fraudulent charges, ranging from less than $100 to more than $1,000, were happening in multiple states, including Arizona, California, Connecticut, Georgia, New York, Maryland, Michigan and Texas, as well as outside the country, in Canada and Serbia, says the police department. Cloned cards were reported to be used to make online purchases and selling the cloned cards for card present purchases. The police say they are looking into a possible card processing connection to the fraudulent charges.
  • Picante Restaurant, Berkley, Calif. was the target of an international fraud operation in early May, say Berkeley Police. The intrusion is being traced to Russia, where hackers penetrated the restaurant's card encryption system, stealing the card numbers of dozens of customers. Police say Picante is just one of a number of Berkeley and Bay Area businesses that have been hit with stolen card data capers. The Secret Service is also involved in the investigation.

'Criminals Are Migrating'

The multiple attacks against retailers are no coincidence, fraud experts say. "I'm sure that organized crime, both domestic and global, is heavily and increasingly involved in this type of activity," says Tom Wills, security, fraud and compliance senior analyst at Javelin Research, a security research firm based in Pleasanton, Calif. "It's impossible to say what the level of connection is between gangs, but it's likely to roll up to just a few players, just as the Heartland case did."

Gartner analyst Avivah Litan agrees with Wills, saying these events are indicative of organized criminal involvement in credit and debit card fraud. "There are lots of loosely coupled fraud rings that sell stolen card data, routines and schemes for stealing it, and services that help turn stolen cards into cash," she says. These criminal rings are very well organized, subcontract a lot of their work and bring together a services-based crime industry that enables the ring leaders to get a hefty cut of the resulting transactions, Litan adds.

Security and card fraud analyst Jasbir Anand of ACI Worldwide sees these cases as a disturbing trend. "Criminals are migrating from just stealing card data to focused theft of customer identity data," Anand says. "From the criminals' perspective, the extra legwork required to steal identity data once a card has been counterfeited significantly increases the amount of money that can be stolen."

Once identity data is compromised, fraud can be conducted at multiple institutions over a longer period of time. Anand says the impact on victims of identity fraud is much more significant than card fraud alone. "ID fraud can go unnoticed by victims for a long time," he says. "Often they find out when they apply for credit and get denied or receive collection notices."

Layered Security, Cooperation Needed

For financial institutions that want to help their retail customers stave off these attacks, the key is layered security, says Gartner's Litan. Among her tips:

  • Do not store any data -- or else tokenize the data using an outsourced service provider;
  • Encrypt data in transit;
  • Employ strong network segmentation;
  • Take a whitelist approach to data access control, data transfer routines and destinations.

Further, Litan says, these incidents underscore the strong need for international cooperation among financial institutions, law enforcement agencies and governments. "Cooperation is sometimes hard to get," she acknowledges. "But without it, the main fire can't be snuffed out."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.