Sophos warns of credit card skimming malware targeting ATMs:

…rumours about compromised cash machines in Russia infected with a Trojan that captures credit card details and distributes the captured details to attackers.

I decided to check in our malware database to see if there are any samples that reference Diebold, the manufacturer of ATMs allegedly targeted and found 3 recently acquired files.

Note that the subsequent analysis points to insider and/or physical access to the systems:

By uncovering code that appears to encrypt data and a possible alternative user interface it seems to me that the stolen data is encrypted, probably to allow the attackers to use “money mules” to retrieve the data in person.

This also indicates that attackers require physical access to cash machines to install the Trojan. Overall, the malware seems to be a work of a programmer with a good knowldege of the internals of Diebold ATMs.

While this blog says it looks to be isolated, Graham Cluley of Sohpos argues that this should be no surprise. He also quotes the Diebold response, which points a finger at their customers:

Diebold continually emphasizes the customers’ role in reducing the risk of attacks by following industry-standard security procedures related to managing physical access to ATMs, password management and software updates.

If Diebold’s customers actually are to blame for the compromise, rather than a design flaw that has been patched, then I think it fair to assume that the incident will not remain isolated.

Faced with less than 200 burglaries a year on average, law enforcement authorities in the small town of Tiburon, California have decided to propose a high-tech surveillance system. Geographically isolated by mountains and water in Marin County, there are only two roads in and out so cameras can be easily situated.

Tiburon Police Chief Michael Cronin, is pitching the idea of installing closed circuit TV (CCTV) security video cameras on Tiburon Boulevard and Paradise Drive. The idea is they’d be able to capture cars and licenses of individuals suspected of committing those crimes in a much more efficient manner.

Their response to privacy concerns seem to be twofold. First, procedure for reviewing the data would require a formal investigation to be started. Otherwise the data will rest unseen. Second, only the back of the vehicles will be recorded.

This reminds me of a car I saw once in Santa Cruz, California that had placed a sheet of notebook paper over the license plate. The driver and passenger were reclined so far in their seats you could not see them from behind. Obviously avoiding high-tech surveillance systems, let alone human ones, is both well known and also fairly low-tech.

I am not opposed to using detection technology, but I think the better solution given the low crime rate is to educate residents on prevention such as the need to lock doors and hide valuables. It seems the police have already explained this in the town newsletter:

Most of the crimes occurred between midnight and dawn,
and most were thefts from unlocked cars.

All of that being said, I have to wonder about the police statement that “most of those arrested in these incidents did not live on the peninsula”. Are we talking about a vast majority, or just a little over half? What is the rate of conviction for local versus outsider suspects?

The BBC NEWS has posted an investigation that explains credit card fraud in Indian call centers. They did a far better job than many companies I have worked with that have claimed to provide assurance and security assessment services in India:

A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man after receiving a tip off.

The reporters went undercover. They meet with a man in a cafe who sells them credit card records for $10/record in bulk.

In Delhi they say you can buy anything…about one in seven card numbers we bought were valid…

The reporters then contact the cardholders to alert them and they interview one man.

We saw a pattern. Two other customers had bought the same Norton program after dialing the same number. That suggested a breach of security at the call center handling sales of that Norton product.

Symantec of course called this an isolated incident and “one employee had been removed”. Very convincing security.

In India, in the last fourteen years, there has only been one successful prosecution for the misuse of details stolen from call centers and even that led to a non-custodial sentence.

The BBC then asks the man who sold them the credit card data to explain why he is doing it.

Sounds like it is about time for some India data protection regulation. Will the payment card brands crack down on the call center companies?