Internet Security Systems - AlertCon(TM)

Hackers Prepare UK Supermarket Sweep

Posted by Gunter Ollmann on August 29, 2008 at 12:21 PM EDT.

The BBC has a story running concerning the targeting of self-checkout systems in UK supermarkets – Hackers Prepare Supermarket Sweep. It covers some investigative work in to the underground forums that discuss techniques in using stolen credit card details in the UK – in particular, the use of self-checkout systems so that the criminals can avoid contact with store staff that may spot the fake cards.

I’d recommend having a read of the story (and watch the news clip) if you get a chance, it’s a good primer on one popular aspect of this class of crime and helps answer one of those nagging questions as to who actually purchases/uses all those stolen identity and credit card details we hear about every day.

But, with that in mind, there are a few points that I think need some clarification.

While the story is concerned with the use of foreign (e.g. US) credit card details fraudulently being used in UK supermarkets, it’s important to understand that any stolen credit card details could be used. In this case non-UK (and I’d expect non-Europe) credit card details are preferred because of the widespread use of Chip & PIN technologies – which make it more difficult to defraud an account than just reprogramming (cloning) a cards magstripe.

The use of self-checkout systems is obviously a preferred vehicle for reducing the probability of detection by store personnel – especially if the criminal has simply reprogrammed the magstripe of one of their own cards (and the printed/embossed card details won’t match the magstripe data). But having said that, the process of simply printing and embossing your own counterfeit card is downright trivial and will only cost a criminal team a few hundred dollars to set up shop (see my previous blogs on how to create your own credit cards – including Chip & PIN cards). And, with a little charm and social engineering, a criminal armed with freshly minted counterfeit credit cards could make higher value purchases by going through the regular sales (person-to-person) channels.

I guess in this reported case, I’d be inclined to say that the investigation stumbled on some relatively inexperienced (dare I say “amateur”?) credit card criminals. Why? Well, firstly, they appear to be trying to figure out how to do this from scratch through Internet postings (dumb idea!). And secondly, they're preoccupied with routes that don’t require physical interaction with store staff. Sounds like a bunch of chavs trying to advance their criminal career.

The story itself terminates with a kind-of call-to-arms for the US to adopt Chip & PIN technologies. I’d love for that to happen, it’s a more efficient technology than magstripes and signatures – but let’s not get carried away in thinking that the technology is going to stop dead this class of fraud. As I’ve repeatedly pointed out in the past, Chip & PIN card technologies are already defeatable through various techniques (through both technology and social engineering). Chip and PIN helps raise the anti-fraud post a little higher, but is still well within the range of any marginally technical criminal.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.