November 2009

Identity Fraud: Why the companies affected are just as criminal


Christmas is approaching fast, but the world's fraudsters don't seem to be in a festive spirit. The payment fraud juggernaut continued to build momentum with a flurry of incidents recorded across Europe and America. There's nothing new or extraordinary in the reported crimes either. Instead, a familiar pattern of ineptitude, carelessness and sheer stupidity on the part of the authorities and companies in question remains.

We'll start closest to home. The T-Mobile customer records scandal was well publicized in the UK media and drew criticism from the phone operator's customers. Allegedly, a former employee sold the personal details of thousands of customers, including information about when their contracts expired, to a number of 'brokers' who passed the data on to rival networks and other phone retailers.

The Information Commissioner's Office (ICO) announced it was actively investigating the case, which involved 'substantial amounts of money changing hands'.

T-Mobile claim they are free of any guilt, since they 'approached' the watchdog themselves. A cynic might suggest they were just pre-empting the inevitable onslaught of media criticism when the story emerged. So have T-Mobile issued a whole-hearted apology to their customers? Have they promised to assist fully with the investigation or compensate furious clients? Of course not. Instead, a company spokesman expressed 'surprise' that the ICO had gone public with the story. It seems they would rather have swept this unfortunate incident under the carpet and forgotten about it.

This isn't the first time a company's staff has sold sensitive data to others in the UK. Fear not though, the Police are investigating all cases. Whether they will solve the mystery in which an unnamed Scotland Yard employee illegally accessed personal details from the Police National Computer remains to be seen.

In the USA, they like to go the extra mile and give fraud criminals a helping hand. A Boston-based security consultant found he could purchase second-hand ATM machines containing sensitive transaction data on eBay and Craigslist. For less than $800 (479.003 GBP) Robert Siciliano bought an ATM and extracted a log of hundreds of credit and debit card numbers as well as account details. Siciliano was able to make the purchase anonymously online and even managed to barter down the asking price.

And just in case an inexperienced fraudster gets a little bit confused, there's a manual supplied alongside the machine giving clear instructions on how to access the sensitive data stored inside. Scary, isn't it?

In Spain, German authorities recalled more than 100,000 credit cards, the largest retraction in their history, amid fears that crooks had obtained sensitive data via an unnamed payment processing firm. Holidaymakers who used their Visa or Mastercard in Spain could be at risk of fraud following the security breach. Holders of cards issued by Barclays, DKB-Bank and Karstadt-Quelle were among those at risk.

The Volks and Raiffeisenbank banking group recalled as many as 60,000 potentially compromised credit cards as a precautionary measure. However, in typical fashion, Visa and Mastercard denied any mishaps on their part and pointed the blame elsewhere in the payment chain.

In a statement, the German Central Credit Card Commission (ZKA) reassured the public, saying that the affected cardholders would be notified by their banks and that any card fraud case would be properly addressed. Cardholders were advised to check their statements for suspicious transactions. The German banks and savings banks have already started exchanging potentially compromised cards free of charge.

But all hope is not lost. The eight members of an Eastern European crime ring have been charged for their part in the hacking of RBS WorldPay last year. After stealing more than $9m (5,388,786 GBP) in half a day, the men dispatched cashers in 280 cities worldwide to withdraw the money. The suspects were charged with computer fraud, identity theft, conspiracy and device fraud. They could face more than 50 years behind bars as well as being forced to pay back the stolen amount.

It seems that as fraudsters' methods become increasingly sophisticated, the defence systems in place to thwart them are getting more and more primitive. As long as nobody accepts responsibility, or agrees to do anything about this problem, the crisis will continue to grow. Expect similar reports next month. And even the month after that. Payment fraud is here to stay - we'd better get used to it.

Tom Tainton, Smartcard & Identity News

