Over the past 5 years, a scam known as electronic funds transfers at the point of sale (EFTPOS) or skimming has been prevalent. Consumers commonly swipe both credit and debit cards through in-store machines to pay for goods and services, and hackers have been adept at coming up with ways to skim those customer cards.
In one such case, Romanian hackers were indicted on charges of remotely accessing hundreds of small businesses' POS systems and stealing enough credit card data to rack up fraudulent charges totaling over $3 million. The hackers' targets included more than 150 Subway restaurant franchises and at least 50 smaller retailers.
SCMagazine reports: "An Eastern European criminal syndicate has hacked into a small Australian business and stolen details of half a million credit cards from the company's network. In both cases, the syndicate captured credit card details using keyloggers installed within Point of Sale (POS) terminals and siphoned the data through an insecure, open Microsoft Remote Desktop Protocol (RDP) connection. The syndicate found its victims by scanning the internet for vulnerable POS terminals."
Card skimming is just one of many ways that cybercriminals obtain stolen identities. And what happens once they have this information? They begin hitting many of the major brand websites to purchase products that are commonly found in our homes and offices. How can retailers, ticketing companies, gaming sites and credit issuers protect their businesses and customers from fraudulent transactions?
Many start by identifying the device being used to access their website, through advanced device identification technology. Is it a computer, laptop, tablet, mobile phone or another Internet-enabled device? Is it a device that is already known to a collaborative cybercrime intelligence network? If so, has it been involved in fraudulent or abusive activities in the past? Oftentimes, known bad devices have a history of credit card fraud, identity theft, account takeover attempts and other abuses. If the device comes back clean, is it related to other known bad devices?
Security and flushing out the bad guys begins with understanding the web of associations between related devices, which helps businesses identify and shut down entire fraud rings. Lastly, online businesses run their highly customized business rules as the transaction or activity is attempted.
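The sequence of questions above (known device, past evidence, association with bad devices, then business rules) can be sketched as follows. This is an added illustration, not code from iovation or any vendor; the device IDs, account links, evidence records, the 500 threshold and the allow/review/deny outcomes are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: which accounts each device fingerprint has touched.
DEVICE_ACCOUNTS = {
    "dev-A": {"acct-1"},
    "dev-B": {"acct-1", "acct-2"},
    "dev-C": {"acct-2"},
    "dev-D": {"acct-9"},
}
# Constructed evidence history, as a shared intelligence network might record it.
EVIDENCE = {"dev-C": ["credit card fraud", "account takeover"]}


def related_devices(device, max_hops=2):
    """Breadth-first walk: devices linked to `device` through shared accounts.

    Returns {device_id: hop_count}; an unknown device has no relations.
    """
    seen, queue = {device: 0}, deque([device])
    while queue:
        cur = queue.popleft()
        if seen[cur] == max_hops:
            continue  # do not expand past the hop limit
        for other, accounts in DEVICE_ACCOUNTS.items():
            if other not in seen and accounts & DEVICE_ACCOUNTS.get(cur, set()):
                seen[other] = seen[cur] + 1
                queue.append(other)
    del seen[device]
    return seen


def check_transaction(device, amount, max_hops=2):
    """Ask the three questions in order and return (decision, reasons)."""
    if device in EVIDENCE:  # known bad device
        return "deny", EVIDENCE[device]
    reasons = [f"{hops} hop(s) from {d}: {', '.join(EVIDENCE[d])}"
               for d, hops in sorted(related_devices(device, max_hops).items())
               if d in EVIDENCE]
    if reasons:  # clean itself, but tied to known bad devices
        return "review", reasons
    # Hypothetical business rule: first-seen device placing a large order.
    if device not in DEVICE_ACCOUNTS and amount > 500:
        return "review", ["first-seen device on a high-value order"]
    return "allow", []
```

Here `dev-A` has no evidence of its own, yet it is flagged because it shares an account with `dev-B`, which in turn shares one with the known-bad `dev-C`; tightening `max_hops` to 1 lets it through.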
Recently, at the Merchant Risk Council Platinum Meeting in Seattle, iovation, the device reputation authority, demonstrated its ReputationManager 360 fraud prevention service and showed, in simple terms, what happens during a real-time device reputation check.