HP HSTNN-UB73 laptop battery www.dearbattery.co.uk
Posted: March 22, 2018
Unsubstantiated? Certainly. Speculative? Definitely. But hey, let's not let the Gallic rumor-mongers have all the fun.

Video A Russian-speaking man casually shows on camera how he can download a punter's bank-card details and PIN from a hacked card reader.

In a video demonstrating a tampered sales terminal, a card is swiped through the handheld device and a PIN entered - just as any customer would in a restaurant or shop. Later, after a series of key-presses, the data is transferred to a laptop via a serial cable.

Account numbers and other sensitive information appear on the computer screen, ready to be exploited. And the data can be texted to a phone, if a SIM card is fitted to the handheld.

We're told the footage, apparently shown on an underworld bazaar, is used to flog the compromised but otherwise working kit for $3,000 apiece - or a mere $2,000 if you're willing to share 20 per cent of the ill-gotten gains with the sellers under a form of hired-purchase agreement. Crucially, the gang selling this device offers a money-laundering service to drain victims' bank accounts for newbie fraudsters: a network of corrupt merchants are given the harvested card data and extract the money typically by buying fake goods and then cashing out refunds. The loot eventually works its way back to the owner of the hacked card reader.

A copy of the web video was passed to The Reg, and is embedded below. We have rotated part of the footage so it's easier to read the on-screen text.

Electronic security consultancy Group-IB said the modified Verifone VX670 point-of-sale terminal, shown above, retains in memory data hoovered from tracks 1 and 2 of the magnetic stripe on the back of swiped bank cards, as well as the PIN entered on the keypad - enough information for fraudsters to exploit.

The setup suggests the sellers are based in Russia.
In the video, a credit card from Sberbank, the country's largest bank and the third largest in Europe, is used to demonstrate the hacked terminal's capabilities. If a SIM card for a GSM mobile phone network is fitted to the doctored device, the information can be sent by SMS rather than transferred over a serial cable, explained Andrey Komarov, head of international projects at Group-IB.

He told us crooks tampering with point-of-sale (POS) terminals and selling them isn't new - but the bundling of money-stealing support services, allowing fraud to be carried out more easily, is a new development in the digital underground.

"We have detected a new group that sells this modified model of POS terminals and provides services for illegal cash-outs of dumped PINs through their own 'grey' merchants: it seems they buy fake stuff, and then cash-out money," Komarov said. "It takes less than three hours. According to our information, this kind of service is really new, and it is also being used by different cyber-criminals against the Russian bank Sberbank."

Komarov told El Reg that the emergence of hacked card readers is due to banks improving their security against criminals' card-skimming hardware hidden in cash machines and similar scams. Planting data-swiping malware in POS handhelds out in the field is possible, but it is fairly tricky to find vulnerable terminals and infiltrate them reliably without being caught. It's a touch easier to buy a tampered device and get it installed in a shop or restaurant with the help of staff or bosses on the take. This creates a huge potential market for fraudsters, according to Komarov.

Banking giant Visa has issued several alerts about this kind of fraud along with occasional warnings about device vulnerabilities - such as this warning from 2009 [PDF].
And social-engineering tricks [PDF] in which fraudsters pose as Visa employees carrying out adjustments to terminals - while actually compromising them - have been going on for years.

One alert [PDF] from Visa, dating from 2010, explains how thieves worked in the past and the steps merchants can take to defend against the fraud: anti-tampering advice from this year can be found here [PDF], an extract of which is below:

Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing. The impact of this type of crime can be significant to all key parties involved in card acceptance. An attack can not only undermine the integrity of the payment system, but diminish consumer trust in a merchant’s business. In response to this emerging threat, acquirers, merchants and their processors need to proactively secure their POS terminals and make them less vulnerable to tampering.

A more recent advisory on combating this type of fraud, issued earlier this year by Visa, can be found here [PDF].

Avivah Litan, a Gartner Research vice-president and an expert in banking security and related topics, said that tampering with card readers has been going on for years. She agreed with Group-IB's observation that since banks are investing more in securing cashpoints, penetrating point-of-sale terminals can be an easier way to make money for criminals. "The bad guys will go after anything they can, but it can be easier to find dishonest merchants to cooperate in running tampered terminals [to harvest bank details] than going after ATMs," Litan told El Reg, adding that this kind of fraud was rife in South America, particularly in countries such as Brazil.

But Group-IB's Komarov believes the Russian-speaking fraudsters behind the black-market sale of hacked sales terminals are targeting the international market as well as crims in the motherland. "The example they showed for Sberbank was just because they also use it against Russian-speaking countries, as they have Russian-speaking roots," he explained.

We passed on Group-IB's research to Verifone at the start of this month, along with a request for comment on what could be done to frustrate the trade of tampered card readers through underground markets and similar scams.
We have yet to hear back from the device manufacturer. We'll update this story if we hear more.

IDF13 The near-ubiquitous PCI Express interconnect – aka PCIe – is finding its way into mobile devices, working its way into cabling, and is on schedule to double its throughput in 2015 to a jaw-dropping 64 gigabytes per second in 16-lane configurations.

So said Ramin Neshati, the Marketing Workgroup Chair of the PCI-SIG, when The Reg sat down with him during this week's IDF13 in San Francisco.

This June, Neshati reminded us, the PCI-SIG announced the M-PCIe spec, which enables the PCIe architecture to operate over the high bandwidth, serial interface M-PHY physical layer technology of the MIPI (mobile industry processor interface) Alliance.

On the same day that the PCI-SIG closed the M-PCIe spec and announced it, two IP vendors – Synopsys and Cadence – announced that they had working IP based on the spec. "Which is," Neshati told us, "to my recollection the record. I haven't seen anybody on the same day the spec was closed announce that they had IP on it."

The M-PCIe spec supports three "Gears" – Gear 1 operates at 1.25 to 1.45 Gbps; Gear 2 is 2.5 to 2.9 Gbps; and Gear 3 is 5.0 to 5.8 Gbps, all tuned to work on the short-channel topologies that the M-PHY is designed to support.

"Basically, the scope of the M-PCIe spec is limited," Neshati said. "That's why it got released so quickly." This simplicity – and M-PCIe's ability to work across multiple usage scenarios in a single system without reconfiguration – helps developers of mobile hardware such as handsets or tablets to easily reap the benefits of PCIe in small form-factor devices. "You can 'do once, use many'," he told us, which shortens development cycles.

"In an environment where things turn quickly, like smartphones and tablets, this is ideal because it allows you to keep that cadence going," he said.

Although the MIPI Alliance suggests that M-PCIe can be used for chip-to-chip interconnects in a mobile system, and promotes the UFS (universal flash storage) interconnect for – you guessed it – storage, Neshati sees no reason M-PCIe can't be extended to storage, as well. "There's nothing precluding you from using it for storage," he said. Neshati was loath to disparage UFS, and noted that since the two share the same PHY their native bit rates are identical, but he did point out that PCIe does have an advantage over UFS in that the latter doesn't yet have a software ecosystem to support it. "There may yet be one," he said, "but it has to come about. There is an existing ecosystem around PCI Express, so from a software point of view it's already solved, it's already there." PCIe already has tools for measuring performance and compliance, he said, while UFS has yet to benefit from that sort of ecosystem.

The PCI-SIG is also working on a new spec that will extend PCIe via cabling, either inside a system to connected storage devices, or externally for any sort of PCIe-supported device, be it storage, an enclosure with PCIe slots, or some other implementation.
This spec, now under development, is called "OCuLink" – optical copper link.

"Usually PCI Express is a technology that's in the box," Neshati said, "connectivity that's chip-to-chip or on a board. OCuLink is the cable version of PCI Express."