Category Archives: Security

Secret Service Nabs Hacker Poo

The US Department of Justice made an announcement on November 18th that gives only a shadow of the story of Lin Mun Poo. It says he is a Malaysian citizen who made a stop in New York on his way home from Europe. He was detained by the Secret Service not long after arrival.

A more complete version of events and allegations is found in his detention letter.

…the defendant appears to have traveled to the United States for the sole purpose of engaging in criminal activity; within hours of his arrival at JFK on October 21, 2010, United States Secret Service agents observed the defendant selling stolen credit card numbers for $1,000 at a diner in Brooklyn and arrested him shortly thereafter. In his post-arrest statement, the defendant admitted that the primary purpose of his journey to the United States was to meet with an individual who the defendant believed was capable of regularly providing the defendant with a large volume of stolen card numbers and personal identification numbers, which the defendant said he planned to use to withdraw cash from automated teller machines.

I see a problem in this story: Poo is made out in most reports to be a “career” criminal hacker. He is alleged to be very proficient at stealing card numbers and identification from financial institutions. Why was he in a New York diner trying to find someone to give him stolen card numbers if he already had a way to get them remotely?

It seems foolishly risky for him to fly into the US. It would make some sense, in terms of risk, if he had to meet a buyer. That is how the allegation starts out — he has 400,000 card numbers and someone (the Secret Service must have set him up in a sting operation) offered him $1,000 for some amount of them.

Why would someone like Poo fail to use a mule for this operation on American soil? It is obviously high-risk — career-ending for a criminal. Why would he also fail to use a mule to make ATM withdrawals?

Maybe he could not figure out a mule system? That seems unlikely, given that he was said to have hacked into a bank anonymously. Even if I assume he could not figure out mule systems to sell his bounty of stolen card numbers, I have no good explanation for why he would need to arrive in the US to acquire more stolen card numbers.

The full story thus sounds like one of three things: a mule was arrested and has been made out to be a mastermind to block his escape, this criminal mastermind is actually not much brighter than a mule, or the Secret Service has been doing some top-notch social engineering to get a criminal mastermind to walk straight into their arms.

PCI Deadline Extended for PABP v.1.4

The PCI Security Standards Council gave notice today of a 90-day extension for the PABP (Payment Application Best Practices) expiration date.

After discussion with Payment Application vendors, the PA-QSA community and other stakeholders, the Council is extending this deadline by 90 days to March 2nd 2011. Accordingly, after March 2nd 2011, PCI SSC listed PABP v1.4 applications may only be used in pre-existing deployments.

This updated deadline recognizes the challenges many merchants and Payment Application end users have in implementing system changes over the busy holiday period, and allows the Payment Application vendor community to consider submitting new versions of their products for assessment against the new PA-DSS 2.0 standard that was discussed at our recent Community Meetings.

Neither the PA-DSS 2.0 standard nor the holiday period is any kind of surprise, so the Council may have had other reasons at this late date for extending the deadline.

Anti-theft Bicycle Pole Elevator

Looking for ways to make your bicycle safe and at the same time conspicuous? A site in Germany claims to have developed “the most secure bike lock in the world”.

It is based upon a wireless remote (Conrad 433 MHz transmitter SHT-7) and receiver module (Conrad 433 MHz SHR-7).

Some obvious security issues are the security of the radio signal, resistance to a long hook that could simply drag the lock down or lift the bike off the elevator, another device sent up to prevent the lock coming down…

The Lies in George W. Bush’s Memoir

Dan Froomkin at the Huffington Post has put together an excellent report called “The Two Most Essential, Abhorrent, Intolerable Lies Of George W. Bush’s Memoir”.

In the period during which Bush claims he was wringing his hands about whether or not to attack, he and his aides were instead intensely focused on building the public case for what was, in their minds, an inevitability.

Although they call out two lies “among the many”, it seems to me they may be two parts of the same lie. There is a hint in the above quote. Here are the two:

History is likely to judge Bush most harshly for two things in particular: Launching a war against a country that had not attacked us, and approving the use of cruel and inhumane interrogation techniques.

I call it one lie because it seems to be two phases of the same general issue. Approving war crimes is a second phase, directly related to the Iraq invasion. In other words, the cruel and inhumane interrogation of prisoners in the US was intended to prove, through confession, that Iraq had in fact attacked the US.

In “Decision Points,” Bush describes the invasion of Iraq as something he came to support only reluctantly and after a long period of reflection. This is a flat-out lie. Anyone who paid any attention to the news at the time knew Bush was dead-set on war long before he sent in the troops in March 2003. And there is now an abundant amount of documentation, in the form of leaks, unclassified memos, witness interviews and other people’s memoirs to prove it.

While the US President pulled “questionable intelligence” and forgeries from others to justify the initial invasion, in the first phase, he later followed up by generating questionable intelligence through his illegal interrogation methods to complete the lie.

Whether you call it all the same lie or two “most essential, abhorrent, intolerable lies”, the memoir is a study in how this President seriously and carelessly damaged National Security.

Cheney’s life since leaving office has given additional clues. It has been pointed out to me that his presence is always known because the civilian airports in some areas are shut down and a giant SAM (surface-to-air missile) unit is stationed at the runway from touchdown until he flies out again.

Similarly, you can tell when Cheney goes fishing because two black military helicopters buzz an otherwise quiet countryside. I assume one helicopter is to deliver him to the exact spot in the river he prefers and the other is to stock the river upstream with fish that he likes to catch.

These men continue to exhibit a habit of removing themselves so far from reality — creating a coddled life with heavily-subsidized (by taxpayer) security blankets and cherry-picked yes men — that they probably will never understand or appreciate the damage that their lies do to their country.