Hackers prep for credit card scam in UK supermarkets

Hackers have been preparing for a large scam using cloned US credit cards in British supermarkets.
  • Leo King (Computerworld UK)
  • 02 September, 2008 08:26

Cyber criminals have been planning to conduct a sophisticated scam that involves using cloned US credit cards to target self-checkouts in British supermarkets.

The criminals have been plotting to clone magnetic stripes to create cards, and then use these cloned cards to loot US bank accounts at British checkouts, BBC reports.

In online forums, the thieves discussed how to use self-service tills, in particular in Asda and Tesco, to conduct transactions without being watched by a cashier. But the supermarkets told the BBC that there was little chance the criminals would make significant gains.

Andrew Moloney, a security expert at software supplier RSA, said cloning the magnetic stripe on the card is "one of the simplest ways to commit fraud."

"There's no pin involved, it's not encrypted, and the hardware for doing it is readily and legally available. It's essentially the same hardware you'd use when making a membership card," he said.

Unlike the UK chip and pin system, US credit cards only require a signature for transactions. In the planned scam, the fraudster would create cloned cards, therefore could create any signature they wish.

But the criminals' plan may have been flawed because self service tills in many supermarkets will not accept transactions without a pin being entered, according to a Tesco spokesperson. Tesco also said a member of staff would have to approve a signature. Asda could not be reached for immediate comment on its authorization controls.

Even the pin identification system is not completely safe, according to Eric Domage, manager of western European security research at analyst house IDC. In one instance in Paris, he said, criminals were placing fake cash machines on the front of real machines, capturing the cards and pin numbers, and then taking the cards round the corner to spend thousands of euros.

But criminals using cloned cards are also taking a risk, Domage said. "People doing this will be caught easily on camera when they use the self service tills."

Also many cloned cards could lack proper bank imagery or logos, which presents a major problem for the fraudsters, Moloney at RSA explained. "The card has to look credible, and often cloned cards are blank. By checking, the supermarkets would reduce the chance of this type of fraud."

Page Break

The information discovered in the investigation has been handed to the banking industry-sponsored Dedicated Cheque and Plastic Crime Unit, which said it was examining the reports. But it would not confirm if an investigation will take place.

The DCPCU said the only way to effectively stop this type of crime was for the US to follow Europe in using the chip and pin system. "Ultimately, the buck stops with the US," a spokesperson said.

But the same problem also affects UK cards being used in the US, again with the magnetic stripe being cloned, the spokesperson explained. "As Europe rolls out chip and pin, it's pushed the fraud in the direction of the US. The US is now in pole position for UK cards being used fraudulently abroad."

Moloney said cardholder not present transactions were another popular choice for fraudsters looking to get cash from credit cards. These include the use of money transfer services, and criminals have also set up fake premium-rate telephone numbers, and fake stores, to take the cash.

Earlier this month, fraudsters in Ireland posing as authorized bank service personnel replaced credit card readers in retailers' stores with their own, capturing data that can be used to empty bank accounts and make purchases.

And the DCPCU raided a counterfeit card fraud factory in Birmingham, finding the equipment needed to steal card details and make counterfeit magnetic stripe cards "on a massive scale."