Google dismayed
Wishes they'd thought of this way of stealing people's info
Cybercrooks are selling malware through underground forums which they claim offers the ability to steal credit card information from hotel point of sale (POS) applications. The ruse, detected by transaction security firm Trusteer, shows how criminals are using malware on enterprise machines to collect financial information in …
Unfortunately there is this thing called innocent until proven guilty.
The banks can decide not to accept any more transactions for an account but they cannot arbitrarily decide that customer X is breaking the law therefore we will refund all transactions involving that account. I don't think they can even stop them from transferring the money elsewhere.
As for tracing the money, all you have to do is transfer it to another bank and the first bank no longer knows what has happened to the money.
It takes the involvement of law enforcement (and court orders) to enable funds to be tracked from one account/bank to another.
Then there's the matter of INTERNATIONAL accounts. All the crooks have to do is pass through at least one bank in a country with negative Western relations and you're sorted, since they'll have no interest in cooperating.
Then there are the money mules who remove the money from the banking system and then forward it on, creating a near-untraceable link in the chain. Sophisticated money launderers know all the tricks in the book.
not to mention bulletproof hosting...
Look it up. These are facilities with armed guards that host content primarily for criminal organizations. Failure to meet the SLA, results in termination if this for the data center owner/operator...this dramatically increases the motivation to defend by force. So you see, it is a little more complex than just shutting them down or tracking them. Law enforcement task forces could know exactly who the perp is and not be able to do anything about it.
...sellers even offer advice on how to use telephone social engineering techniques via VoIP software to trick front desk managers into installing the Trojan.
If your hotel allows its front desk staff to install software, get a hold of me for some badly needed consulting.
I realize hospitality vendors are lazy about automatic updates of their garbage software, but this is just insulting after twelve years of Windows 2000.
Last week my CC was used to buy a train ticket in London, even though I was in the US at the time. Previous week I had been staying at a smaller hotel in Paris. CC company caught the fraudulent use and cancelled the card. A couple of days later a hotel in Spain emails to tell me the same credit card, which I had used as a reservation guarantee, was no longer valid. They must be pulling the card every few weeks to check...
Yes, the smaller hotels are a major weakness in the CC system, I think...
Several years ago, I called up to make a reservation at a hotel.
Oh yes, we have your credit card on file.
Oh you DO?
WTF. I mean PCI DSS is for what? This person (an operator) can see my card number, name and details? They are using a system that is probably not physically secured at all. No vulnerability management, AV that might be out of date, running on XP and IE6. The staff uses this machine to surf the net during slow times. The network is not isolated. It really is a complete wonder the problem is not worse.
On the screen shot what you don't see is the OS, this is probably XP Pro as Opera often needs to run as an administrator on the machine, so often the user is also an admin user in order to print from Opera.
Glad I switched to W7 early last year, with no admin user rights for any of the day to day users and workstations screwed down enough to get a monthly whinge.
The people I work for do invest in the IT infrastructure, but many hotels I do go to see (on exchange visits) are still running W98, WNT etc... Then say "PCI compliance, what's that?"
You've got to hand it to the scammers, they found an industry where a lot of local businesses are present, they do most of their business through credit card transactions, and they spend very little on IT security, training or infrastructure.
Evil genius at work! :/
The benefits (convenience and speed) offered by putting everyone's data in one place is increasingly being offset by the costs (the target stands out like a sore thumb).
When are these idiots gonna realize that best practices demand a distributed storage model? Why turn your system into a high-value target and then advertise it? Hey, everyone! Look at me! I have millions of names, addresses, dates of birth, employment history, medical records, social insurance records, investment records, bank numbers, credit card info, other financial info, etc. etc.
Organized crime has teams of well-paid hackers searching for these high-value targets. Why make it so easy for them?
See:
http://polippix.org/docs/ElgaardPriseBook.html
"The threat to privacy is mainly caused by centralized gathering of increasingly detailed personal information... To allow citizens more privacy, we have to design systems that are decentralized and require less personal information."
And:
http://privacybydesign.ca/about/principles/