Credit Card Skimming in WA

[NaFenn]

http://www.abc.net.au/news/stories/2...11/2710723.htm

Banks caught up in the McDonald's skimming scam say they have been forced to take quick action and block customers' cards to prevent further fraud.

Hundreds of thousands of dollars have been stolen from the accounts of thousands of West Australians caught up in the scam.

Police say the accounts are being accessed from A-T-Ms in Malaysia and Canada.

Several thousand bank customers in Perth have been sent a text message by their bank, informing them that their cards have been stopped.

A Westpac spokeswoman says the bank has blocked all of the cards which went through the compromised McDonald's machines, even if the accounts had not been tampered with.

Jane Counsel says those customers were considered to be at high risk of fraud.

The bank has apologised for the inconvenience, but says the people affected can still access their accounts online or walk go to a branch for a new card.

Unfortunatley, one of my cards has been cancelled... as it was used in one of the affected areas.... now me and someone else dont have access to the account

[Braxton]

I am not too sure how things work in your country with regards to credit/debit card transmissions from the business to the bank, but I know a major weakness we have in the United States is many businesses do not have a strongly encrpyted connection when they transmit their information to the bank for payment. As a result, all someone needs is a good laptop and a wireless connection card to hack into the stores' transmissions to get a hold of hundreds of account numbers. I know that some major chains were involved in this problem, and it is truly scary how the burden of security falls upon the customer and how retailers are not being more proactive about securing their networks as McDonald's clearly has failed to do based on the story above.

[NaFenn]

here its been done more sneakilly

the cops arent giving out how its being done (for obvious reasons), but there were devices put in ATMs a while ago, that trap the card in the machine

[pulses]

Yeah, happened to my uncle just after the show. Crazy it's on such a large scale huh.

[FlyingKiwi]

It's been happening on this side of the Tasman as well, although fortunately I haven't been caught up in any scams. (yet)

[NaFenn]

I am not too sure how things work in your country with regards to credit/debit card transmissions from the business to the bank, but I know a major weakness we have in the United States is many businesses do not have a strongly encrpyted connection when they transmit their information to the bank for payment. As a result, all someone needs is a good laptop and a wireless connection card to hack into the stores' transmissions to get a hold of hundreds of account numbers. I know that some major chains were involved in this problem, and it is truly scary how the burden of security falls upon the customer and how retailers are not being more proactive about securing their networks as McDonald's clearly has failed to do based on the story above.

In Australia, EFTPOS terminals (stands for Electronic Funds Transfer at Point Of Sale) either work via an encrypted tunnel over an Internet link, similar to virtual private networks, or a dedicated phone line. According to a page that a friend found on my behalf, the information is encrypted with the DES algorithm - see http://school.maths.uwa.edu.au/~praeger/teaching/3CC/WWW/chapter5.html#tth_sEc5.5

Thankfully, banking law in Australia makes the bank liable for fraudulent transactions, not the customer. In this case, the banks are wearing the costs of these skimming activities, customers are having the money refunded into their accounts.

The card that I had cancelled is used to access both an everyday transaction account (what you guys in the US call a 'checking' account) and a Visa credit card. The bank wanted to cancel the card and re-issue to protect not only my money that's in the transaction account but also the line of credit in the Visa account, as someone with access to the card details could use it to take money from either account. We should all have our replacement cards in a week or so with luck.

The unofficial word is that people have engaged in some clever "social engineering" to get these cards skimmed. It seems that people have turned up at stores and claimed to be there to perform essential upgrades to the EFTPOS network. They've then somehow programmed the terminals to store card information and forward it to some other location - that's how they're getting hold of people's card details apparently.

[Braxton]

here its been done more sneakilly

the cops arent giving out how its being done (for obvious reasons), but there were devices put in ATMs a while ago, that trap the card in the machine

We have had a problem like that here in the United States with cyber criminals putting an external device in front of the card hole of Cash Station/ATM machines which would scan the card and steal its information. Well, it sure seems that things are pretty similar between our respective countries with regards to electronic crimes unfortunately.

In Australia, EFTPOS terminals (stands for Electronic Funds Transfer at Point Of Sale) either work via an encrypted tunnel over an Internet link, similar to virtual private networks, or a dedicated phone line. According to a page that a friend found on my behalf, the information is encrypted with the DES algorithm - see http://school.maths.uwa.edu.au/~praeger/teaching/3CC/WWW/chapter5.html#tth_sEc5.5

Thankfully, banking law in Australia makes the bank liable for fraudulent transactions, not the customer. In this case, the banks are wearing the costs of these skimming activities, customers are having the money refunded into their accounts.

The card that I had cancelled is used to access both an everyday transaction account (what you guys in the US call a 'checking' account) and a Visa credit card. The bank wanted to cancel the card and re-issue to protect not only my money that's in the transaction account but also the line of credit in the Visa account, as someone with access to the card details could use it to take money from either account. We should all have our replacement cards in a week or so with luck.

The unofficial word is that people have engaged in some clever "social engineering" to get these cards skimmed. It seems that people have turned up at stores and claimed to be there to perform essential upgrades to the EFTPOS network. They've then somehow programmed the terminals to store card information and forward it to some other location - that's how they're getting hold of people's card details apparently.

The Australian system of encrypting store data is a really good idea, and I think a major weakness we have in US stores, from what I understand, is that they do not use a system as strong as your country's. My guess is that unless Government agencies force stores over here to be proactive with security measures they will try to cut as many corners as possible, especially in this economy, to save costs even if that means that consumers are put at risk.

Your country's banking laws are quite progressive, and I think the onus is on the American consumer to notice errors. It really seems like your country's banks are very proactive about problems, and there is no question that American banks have a lot to learn from you all.

As for how this problem occurred in the first place, there is no question that the criminals involved with this scam are very intelligent people who not only could create a device to steal so much information but also talk their ways into stores and possibly having credentials from the companies in concern to be able to do what they have done.