The Life of a Stolen Credit Card Name: Institution:                               Table of Contents Introduction. 3 Strategies for Credit Card Theft 3 Skimmers. 4 Point of Sales (PoS) Breaches. 7 RFID Breaches. 10 Large Data Breaches. 10 Carding Forums. 11 The Carding Ecosystem: Virtual Money Laundering. 14 Online Carding. 14 Offline Carding. 15 Specialized Services in the Carding Ecosystem.. 15 Vulnerabilities in the Credit Card Processing Infrastructure. 21 Magnetic Strip Protocol 21 EMV Protocol 21 Avoiding Credit Card Theft 22 Structural Solutions. 22 Individual Precautions. 22 Conclusion. 23 References. 24              

Introduction

Identity theft is mostly associated with credit card theft. The later occurs when cardholders’ financial information is obtained by unauthorized individuals and utilized with fraudulent intent. Due to the increasing sophistication of card theft and the streamlined processes of profiting from the crime, it is imperative that consumers and industry practitioners reflect on the life of a stolen credit card. To achieve this objective, this report details the strategies that “carders” use to obtain fraudulently card information and the ecosystem established to ensure that they profit from this information. The multi-page report closes with a set of recommendations and observations on how to increase card information security and reflects on unresolved and emergent vulnerabilities in the card-processing infrastructure.

Strategies for Credit Card Theft

The credit card ecosystem depends on the relationship between acquiring (i.e. accepting) and issuing banks and customers (Anderson, Manifavas & Sutherland, 1996). The issuing bank extends credit to the customer in the form of a credit card while the acquirer bank processes the credit card payment made by the consumer. The positions of these players in the payment chain represent opportunities for credit card theft and, broadly, identity theft (Anderson, Manifavas & Sutherland, 1996). For instance, vulnerabilities on the side of the issuing or acquiring bank such as insider threats or processor breaches jeopardize the security of personal information (Krebs, 2015a). Points of weaknesses in this processing infrastructure include point of sales terminals, automated teller machines (ATMs), customer databases such as those operated by electronic commerce sites, Internet banking, and insurance firms, and user or personnel files. These technologies are, in themselves, attack vectors and threats are delivered by means of insider or outsider threats and through third party vendor breaches. This section discusses the means or strategies by which financially motivated actors steal credit card data including through ATM skimmers, point of sale (PoS) attacks, and data breaches.

Skimmers

Automated teller machine (ATM) and gas pump skimmers are often tied to organized crime (Krebs, 2015a). The link between skimmers and organized is uniquely chronicled in extant resources (Martinez, 2014; Krebs, 2015b). Information obtained through this attack vector, while likely discoverable by card associations and banks, can last numerous months and are superlatively difficult to prosecute (Krebs, 2015a).   Figure 1 - An ATM PIN capture overlay device retracted to reveal the actual PIN entry pad (Adapted from (Krebs, 2010)) Skimmers have also been encountered in the wild in point of sale terminals such as for VeriFone terminals (Krebs, 2013c), in several Wal-Mart stores in Virginia and Kentucky (Krebs, 2016d) as well as Safeway credit and debit self-checkout terminals stores in Colorado (Krebs, 2016e).     Figure 2 - An overlay skimmer retrieved from a VeriFone self-checkout terminal in use at a Safeway store (Adapted from (Krebs, 2016e)) This overlay skimmer is composed of two components. The first is a PIN pad overlay necessary to capture a user’s PIN and the second records credit or debit card data stored in the magnetic strip. Notably, while only one store using this PoS system was compromised, numerous other retailers in the United States use VeriFone terminals (Krebs, 2016d).   Figure 3 - An overlay credit card skimmer retrieved from an Ingenico self-checkout PoS terminal at a Wal-Mart store with a device (bottom) for offloading stolen data (Adapted from (Krebs, 2016d)) As with the previous overlay skimmer, this particular device captures PIN and magnetic stripe information and is easy to attach to terminals (Krebs, 2016). Additionally, skimmers have been deployed in fuel stations most notably in Arizona (Krebs, 2016f). Almost all the mostly Bluetooth-based skimmers targeted Gilbarco on-pump card readers (Krebs, 2016f).   Figure 4 - An external fuel pump-skimming device (Right) (Adapted from (Krebs, 2015g))     Figure 5 - An unaltered fuel pump card slot (Left) and  a card slot with a Bluetooth-based skimming device attached (Right) (Adapted from (Krebs, 2013h)) While there have been innovations in the techniques and methods of designing and installing skimmers, it is noteworthy that a 3D-printed ATM skimmer has been retrieved from the wild (Krebs, 2011i). The ability to 3D print these devices implies that the costs will lower and accessibility to criminals will increase. This particular device comprised of a minituarized spy camera cannibalized from a smartphone to record PIN entries and data ports to allow manual offloading of stolen data (Krebs, 2011i).

Point of Sales (PoS) Breaches

Arguably, the most popular attack vector for point of sales terminals involves RAM scrapping. This technique is achieved through the delivery of PoS malware (Krebs, 2016j). Delivery mechanisms include the use of vulnerability exploits or zero-days, e-mail phishing, keylogging, brute force attacks, Bluetooth “war driving”, and by exploiting weak passwords. Once the malware has been delivered, it then scans the PoS RAM for unencrypted payment data. Scanning us achieved through pre-specified function calls or more commonly, through regular expressions that match with the card dumps. The figures below further illustrate this process.   Figure 6 - Example of PoS malware utilizing regular expressions to match unencrypted RAM data with card dumps (Adapted from (Singh, 2015))   Figure 7 - Diagrammatic depiction of a prototypical magnetic strip credit card showing where Track 1, 2, and 3 data is stored (Adapted from (Singh, 2016)) Magnetic strip cards store their information in specific formats as illustrated above. The logical and sequential placement of financial information is depicted in the tracks 1, 2, and 3. This placement facilitates the automated reading of data and, coincidentally, enables exploitation by malware. Point of sale malware steal these track data dumps and convert them into actionable credit card information for fraud purposes.   Figure 8 - Track 1 (Left) and Track 2 ( Right) data dumps showing how regular expressions match card data in PoS RAM (Adapted from (Singh, 2015))     Figure 9 - Example of Track 1 data dump containing enough information to be converted into Track 2 information (Adapted from (Singh, 2015)) The use of malicious software to “jack” public ATM machines is also another accelerating trend (Krebs, 2014k). In 2014, Kaspersky Lab documented the ATM-specific malware Backdoor.MSIL.Tyupkin that rapidly spread from Eastern European banking institutions to Asia and the continental Americas as depicted below. Several other researchers have also documented malware jackpotting of ATM machines (Borland, 2013).   Figure 10 - Malware submission of Backdoor.MSIL.Tyupkin in mid-2014 (Adapted from (GReAT, 2014)) Point of sale terminals are deployed in numerous commercial properties such as restaurants, convenience stores, supermarkets, and high street vendors among others. Restaurants and high street merchants represent the widest attack surface area and their point of sales terminals are the most common source of credit card fraud (Krebs, 2015a). Numerous PoS breaches at small vendors have been previously documented (Krebs, 2015l; Krebs, 2015m) Additionally, insider threats in the form of unscrupulous employees are another common form through which such PoS terminals are compromised (Krebs, 2015a). In both cases, consumer losses are high and chances of discovering the fraud are markedly low.

RFID Breaches

RFID-enabled credit cards are no longer a novelty and are targets, along with NFC-enabled payment solutions, of wireless identity theft. Already, 10% of card transactions in the United Kingdom were contactless by early 2016 (Webster, 2016). Although data on RFID-enabled cards in the United States is not updated with a dated report citing a circulation of 3.5% of all credit and debit cards (Consumer Reports Magazine, 2011), several significant studies and demonstrations have already detailed the inherent flaws in these wireless solutions (Newitz, 2006; Heydt-Benjamin et al., 2009; Zetter, 2009; Lee, 2012).

Large Data Breaches

Credit card fraud today is discussed largely within the context of large-scale data breaches. Financially motivated attackers use these breaches as a way to steal numerous records at a go as opposed to the relatively unscalable means of ATM skimming, malware jackpotting, and binary RFID data sniffing. Notable incidents include the 2014 Target hack, multiple Sony hacks, among others. In 2015, with the highest number of reported data breaches in history, 64.6% of reported incidents and 58% of exposed or stolen records were as result of hacking (Kouns, 2016). Privacy Rights Clearinghouse (2016) provides an exhaustive chronol...