A hacked card reader – similar to the ones used in shops and restaurants – is on sale on Russian forums for $2,000, and can “text” details including PIN numbers to cybercriminals, who empty bank accounts in three hours using teams of money-launderers.
Most people are suspicious when a waiter takes a little too long to run a debit or credit card transaction – but a new pre-hacked card reader can steal details instantly, and “text” them to cybercriminals.
Gangs using the readers can empty bank accounts in three hours, according to Russian security experts – the $2,000 reader is offered as a “package” with a money laundering service built in.
Shown off in a video leaked to tech site The Register, the card reader – looking very similar to models used in restaurants worldwide – is shown to “read” numbers including the PIN, which are then displayed on a computer screen.
In the video, the information is transferred via cable – but if the terminal is fitted with a GSM SIM card, it can “text” the information direct from a shop or restaurant table to teams of criminals. The device is offered as a package – alongside a “service” where teams of criminals use cloned cards to buy fake goods, demand refunds, then take the cash. The video is used as a sales tool for the $2,000 device, which is sold on underground forums in Russia, according to The Register’s report.
Thieves can strip a customer’s bank account in under three hours, according to Russian security investigators Group-IB.
ESET Senior Research Fellow David Harley says, “The most worrying aspect of this story is the support services package. Unfortunately, developing such support networks is something for which Eastern European gangs have shown particular flair in recent years.”
“I suspect that we’ll see similar packages associated with banking Trojans that have the functionality to access information from smart card readers attached to Windows machines.”
“We have detected a new group that sells this modified model of POS terminals and provides services for illegal cash-outs of dumped PINs through their own ‘grey’ merchants: it seems they buy fake stuff, and then cash-out money,” said Andrey Komarov of Group-IB.
“It takes less than three hours. According to our information, this kind of service is really new, and it is also being used by different cybercriminals against the Russian bank Sberbank.”
Targeting point-of-sale terminals is not new, however – nor is it restricted to Russia. American bookstore Barnes & Noble admitted that data thieves had installed corrupted terminals in 63 stores in 2012, according to USA Today.
In September last year, an arrest of four men trading counterfeit debit cards led to a fifth suspect, who had a stash of counterfeit point-of-sale terminals, some partially disassembled, according to Toronto detective Ian Nichol, speaking to USA Today.
“Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic ‘bug’ that captures cardholder data and PINs during normal transaction processing,” Visa says in a guide for businesses on how to prevent such fraud.