Have you ever made a payment through a debit card or a credit card? Of course, you would have. That was a stupid question, scratch that. Let’s try a new question. Did you know your debit/credit card can be hacked, simply because you used it? Does that mean you shouldn’t pay through cards at all? No. But you do need to exercise caution about where you use them. Below I present a case of credit card fraud, based on an actual incident, that depicts how these frauds happen and what their implications could be.
A large pizza to go
Arnav, an investment banker, was returning to Mumbai after spending a hectic day in Pune meeting his clients. A glance at his wristwatch told him that he wouldn’t be able to make it home before dinner time, so he decided to pick up something on the way. He stopped at a pizza outlet and ordered a large pizza to go. When his order was ready, he paid with his credit card and left the outlet. Once he reached home, he went straight to bed and forgot all about that pizza outlet.
Four weeks later, he received a message on his phone saying that his credit card had been charged Rs. 19,599. He called his wife to check if she had made any purchase. She hadn’t. He called his bank to check its authenticity; they told him that the transaction was valid and his account had indeed been charged that amount. He panicked. Since he didn’t know what else to do, he went to the nearest police station and filed an FIR. This led to an intensive investigation, as numerous such cases had been reported at other police stations as well.
Will curiosity kill the cat?
2 months before...
It was late in the night. However, Nihal’s day had just started. He spent most of his nights in front of his computer, either coding or hacking. He was a Computer Science student with an immense thirst for knowledge. His curiosity eventually led him to the field of computer hacking. At first, it was a learning exercise, but soon he was able to break into other people’s computers. It gave him a rush he had never felt before. He got hooked on it and kept working to hone his skills. Within months he could break into networks and navigate through them like he owned them.
Two days earlier, he had penetrated the network of a big food processing company and had managed to extract the list of all IP addresses in its network. He fed the list into a tool that would automatically scan the IPs for open ports. Since a port scan produces a lot of noise that could be noticed in the daytime, he scheduled the tool to run at night. That night, the tool had finally coughed up the list of IPs which had open ports.
At random, he tried a few of them and came across an unpatched Microsoft Windows XP machine. He checked the Exploit Database for known vulnerabilities in that version of Windows XP and picked one. He ran the exploit and got administrator access to the machine. He scanned the machine for interesting data and came across a folder that contained several text files. It turned out that this machine belonged to one of the outlets of the food company. It had a Point of Sale (PoS) terminal attached to it. The PoS terminal created a text file to keep track of the transactions that happened each day. Ideally, a PoS terminal would upload this file to a central server and delete the local copy at the end of the day. Only this one didn’t. Therefore, the files Nihal had found contained credit card information, including the CVV number, of over 2000 cards. He had hit a jackpot, but he didn’t know what to do with them.
His hacking forays had led him to the dark side of the internet, the so-called ‘Online Underworld’. He knew that such information would be of great value there and he might even make a small fortune. He approached a few of his contacts. He didn’t know their real names. In the online underworld it’s taboo to use one’s real name. One of his contacts introduced him to a dealer who dealt in stolen credit card information. They struck a deal and Nihal supplied him with the credit card information in return for 2 bitcoins.
Nihal installed a backdoor in that machine and kept a watch on it for new information. To his amazement, a new text file with more credit card information was created each day. He became a regular supplier of stolen credit card information in return for bitcoins. He used bitcoin because it left no trace and ensured complete anonymity.
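The root cause in this part of the story is a PoS machine that kept full card numbers and CVVs in plain text files. The following is an added example, not code from the incident or from any PoS vendor: a check a defender could run over their own PoS logs to find Luhn-valid card numbers and likely stored CVVs. The log format, field names and sample lines are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally grouped with single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Heuristic: a 3-4 digit field right after the PAN, bare or labelled cvv/cvc/cid.
CVV_RE = re.compile(r"(?:\W{1,2}|\W*(?:cvv2?|cvc2?|cid)\W{0,2})\d{3,4}(?![\d.])", re.I)

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report is not itself card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_card_data(text):
    """Return (line number, masked PAN, cvv_suspected) for each Luhn-valid PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if luhn_ok(pan):
                cvv = CVV_RE.match(line, m.end()) is not None
                findings.append((lineno, mask(pan), cvv))
    return findings

# Constructed sample in a hypothetical PoS log format; the PANs are public test numbers.
SAMPLE_LOG = """\
txn=1001|card=4111111111111111|cvv=123|amt=450.00
txn=1002|card=4111-1111-1111-1112|cvv=999|amt=120.00
txn=1003|card=************1881|amt=89.50
txn=1004|card=5500 0000 0000 0004,321|amt=19599.00
txn=1005|card=4012888888881881|amt=60.00
"""

if __name__ == "__main__":
    for finding in find_card_data(SAMPLE_LOG):
        print(finding)
```

Any finding means card numbers are sitting on disk unprotected; a finding with the CVV flag set is the worse case, because PCI DSS does not allow the verification code to be stored after authorization.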
Recycling plastic information
The dealer, to whom Nihal had supplied the stolen credit card information, was an expert in cloning credit cards. He had an inventory of blank magnetic cards, a machine to print designs, another to write data on the magnetic strip and another to print the 3D seal. He could easily work out the company and the bank that issued the card from the first eight digits of the credit card number, and print the design and the 3D seal accordingly. Once a clone was ready, it was as good as the real card. However, the dealer could not use it to withdraw money, as doing so would leave a trail. Instead, he hired a few young girls to shop using these cards. He then sold these products, through an online marketplace website, at discounted rates.
Finding a needle in the haystack
The outlet from which Nihal had obtained those files was the same one where Arnav had stopped for his dinner. When he paid with his card, its information got stored in one of those files. When the dealer eventually cloned his card and used it for shopping, it triggered a message notifying Arnav of the purchase.
Unfortunately, the FIR didn’t result in anything substantial. The police suggested that he cancel his credit card and raise the issue with his bank. He filed an official complaint with the bank and, after a bit of a tussle, the amount was refunded to him. However, this led the bank to examine recent complaints, and a pattern started to emerge. With the help of the card issuing company, they were able to identify a correlation between the complaints and the pizza outlet. The bank then notified the food company of the incident. The food company conducted its own internal investigation and found that machines across all outlets were unpatched and vulnerable to similar attacks.
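The correlation the bank found between complaints and one outlet is what fraud teams call common point of purchase analysis. The following is an added example, not the bank's actual method: it generalizes the step to any set of merchants by ranking them on how over-represented complaint cards are among their customers. Card ids, merchant names and the `min_cards` threshold are constructed for illustration.

```python
from collections import defaultdict

def common_points_of_purchase(history, complained_cards, min_cards=2):
    """Rank merchants by how concentrated complaint cards are among their customers.

    history: iterable of (card_id, merchant) pairs from before the fraud.
    Returns (merchant, complaint cards seen, coverage, lift), highest lift first.
    """
    seen = defaultdict(set)                    # merchant -> cards that paid there
    for card, merchant in history:
        seen[merchant].add(card)
    all_cards = set().union(*seen.values())
    # Share of all cards that have a complaint: what a random merchant would show.
    base_rate = len(complained_cards & all_cards) / len(all_cards)
    ranked = []
    for merchant, cards in seen.items():
        hit = cards & complained_cards
        if len(hit) < min_cards:               # too few cards to mean anything
            continue
        coverage = len(hit) / len(complained_cards)   # share of complaints explained
        lift = (len(hit) / len(cards)) / base_rate    # over-representation vs. baseline
        ranked.append((merchant, len(hit), round(coverage, 2), round(lift, 2)))
    ranked.sort(key=lambda r: (r[3], r[2]), reverse=True)
    return ranked

# Constructed data: ten cards, four of which later reported fraud.
SAMPLE_HISTORY = (
    [(f"c{i}", "supermarket") for i in range(1, 11)]      # everyone shops here
    + [(f"c{i}", "pizza-outlet") for i in range(1, 6)]    # all four victims plus c5
    + [(c, "fuel-station") for c in ("c1", "c2", "c6", "c7", "c8", "c9")]
    + [("c1", "bookshop"), ("c6", "bookshop")]
)
SAMPLE_COMPLAINTS = {"c1", "c2", "c3", "c4"}

if __name__ == "__main__":
    for row in common_points_of_purchase(SAMPLE_HISTORY, SAMPLE_COMPLAINTS):
        print(row)
```

Coverage alone would rank the supermarket level with the pizza outlet, since every victim also shopped there; the lift column is what separates a merchant everyone uses from one where the complaint cards are concentrated.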
Uday Mittal (OSCP, Associate CISSP, DCPP) is the founder of Yaksas CSC. He has over 4 years of experience in dealing with various issues related to cyber security. He is actively working towards educating people on cyber security risks and steps to mitigate them. He’s also a member of (ISC)2, ISACA and DSCI.