[Dave Birch] It’s amazing to me — no, not amazing, more kind of quaint, reassuring and comforting — that in this high-technology e-money world, there are crooks who still try to rob banks the old fashioned way. Not the modern way (by working for them as traders) but the old fashioned way. There are still people out there who rob banks with shotguns. And there are still people out there who make dodgy banknotes. An example being the gang of Chinese counterfeiters currently on trial in London for attempting to defraud the Bank of England of more than TWENTY EIGHT BILLION POUNDS. Yes, that’s right. They tried to cheat the Bank of England out of more than FIFTY BILLION DOLLARS by swapping 360 “special-issue” £500,000 notes and 28 million £1,000 notes for lower denominations. Unfortunately, there were two tiny flaws in their masterplan: the Bank of England has never issued a £500,000 note and £1,000 notes were taken out of circulation in 1943 (and there are only 63 of them not accounted for). The criminal geniuses tried to get the Bank of England to accept £1,000 notes with the signature of Jasper Holland, the chief cashier in 1963. Now, far be it from me to criticize — I know virtually nothing about counterfeiting — but c’mon guys. Didn’t anyone think that the Bank of England might double-check if someone turns up with twenty eight billion pounds in used notes? The only way to get away with this kind of thing is to skim off a small amount from each legitimate note in circulation (like the Chancellor of the Exchequer does).


E-crime must surely be less risky, which is why it continues to grow. Phishing is now commonplace and not a day goes by without more e-mail arriving from “Royal Bank of Scotland”, “Citibank” and “Merrill Lynch”. In the latter case, this convincing missive arrived while I was typing the beginning of the paragraph!

Merrill Lynch Enhanced Security Authentication: We have enhanced the Merrill Lynch Business Center security access to further safeguard access to your account information. Click on the hyperlink below and follow the prompts to answer and record answers to five personalized security questions. We may, in the future, ask you for answers to these questions when you log into the Business Center to ensure that only you are accessing your account information.
By clicking the link below and/or by using the Merrill Lynch Business Center website (“site”), you:
Login by clicking here: https://wcma.businesscenter.ml.com/ [deleted URL for security purposes: 8yvcv.com]
I. Represent and warrant that you are authorized to accept the Merrill Lynch Business Center Terms Conditions [deleted URL for security purposes: 8yvcv.com] and use the site on behalf of yourself and your employer and in doing so you are acting within the scope of your duties and
II. Accept the Merrill Lynch Business Center Terms Conditions [deleted URL for security purposes: 8yvcv.com] on behalf of yourself, agree to be bound by them.

Pretty convincing, I’m sure you’ll agree. I almost clicked on it myself, but didn’t because I don’t have a Merrill Lynch account. But some people do, and some of them will click on it. The phishers rely on familiarity to acquire sensitive information, such as usernames, passwords, and financial data, by masquerading as a familiar or nationally recognized bank, credit card company or even an online auction site. A McAfee Avert Labs report showed the number of phishing Web sites increased by 784 percent in the first half of 2007. Social network sites are also a new target for the fraudsters: in December of 2006, cyber criminals targeted MySpace and used a worm to convert legitimate links into ones that lured consumers to a phishing site designed specifically to obtain personal information. Until we begin to assemble a proper digital identity infrastructure, I can’t see much changing here to be honest.

So “real” world money isn’t safe and online money isn’t safe either. In fact, fraudsters happily straddle both worlds, compromising physical point-of-sale (POS) terminals to collect and store the data on cards and then whisk it around the world to manufacture bogus cards for use in POS and at ATMs or in card-not-present environments. Avivah Litan of Gartner says

It’s almost more dangerous to go to the gas station than it is online.

That’s if you can find a gas station that still takes cards, of course. She also said that of 160 data breaches investigated for one major credit card brand, 128 were card present (hence all the efforts to strengthen PCI-DSS). It doesn’t look as if there will be much improvement either: Gartner predicts that only a third of POS software will be PCI-DSS compliant by 2009. But even when the POS software is fully PCI-DSS compliant, the problem of criminals tampering with POS terminals will still grow. So long as people are being asked to put their PINs into a device they cannot trust, criminals will target that process as the weak link in the card security chain.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

1 comment

  1. Counterfeiters Foiled by their own Idiocy

    Forgive me this somewhat off-topic post, but it made me laugh out loud. Excerpted from Dave Birch at Digital Money Forum:[Dave Birch] It’s amazing to me — no, not amazing, more kind of quaint, reassuring and comforting — that in
