Pakistani techies stealing European credit card data

European law-enforcement officials have uncovered a highly-sophisticated credit-card fraud that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, the Wall Street Journal reported quoting the US intelligence officials and other people familiar with the case.

Specialists say the theft technology is the most advanced they have seen, and a person close to the British law enforcement said it affected big retailers, including a British unit of Wal-Mart Stores Inc and Tesco Ltd.

The account data have been used to make repeated bank withdrawals and Internet purchases, such as airline tickets, in several countries, including the US. Investigators haven’t pinpointed the culprits. Early estimates of the losses range of $50 million to $100 million, but the figure could grow, said the person close to the British law enforcement.

The scheme uses untraceable devices inserted into credit-card readers that were made in China. The devices selectively send account data through a wireless connection to computer servers in Lahore and constantly change the pattern of theft, so it is hard to detect, officials say.

“Pretty small but intelligent criminal organisations are pulling off transnational, multi-continent heists that only a foreign intelligence service would have been able to do a few years ago,” said Joel F Brenner, the US government’s top counter-intelligence officer. The US intelligence officials, including senior National Security Agency officials, are monitoring the case in part because of ties with Pakistan. The scheme comes on the heels of the August indictment of a fraud ring that stole more than 40 million credit-card numbers from the US companies, including TJX Cos, the parent company of the TJ Maxx.

In March, the security officials at the MasterCard Inc saw a pattern of potential fraud in northern England. Meanwhile, a security guard at a UK grocery store noticed suspicious statistics on his cell phone and alerted authorities. The Scotland Yard learned of the report and eventually connected it with the warning from the MasterCard, according to the person close to the British law enforcement. Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug would read an individual’s card number and the corresponding personal identification number, then package and store the data. The device would call a number in Lahore once a day to upload the data to the servers there and obtain instructions on what to steal next.

A MasterCard spokesman declined to discuss details of the case but said safeguarding the financial information was a top priority for the company. There is no obvious visual indication that a machine has been altered, but those with the bugs weigh about four ounces more. For the past several months, teams of investigators have been weighing thousands of machines across Europe with a precision scale.

So far, investigators have found hundreds of machines in five countries: Britain, Ireland, Belgium, the Netherlands and Denmark. They have turned up at European grocery chains, including Asda, which is owned by Wal-Mart; Tesco; and J Sainsbury PLC, according to the person close to the British law enforcement.

A spokeswoman for Asda said: “It’s subject to a police investigation, so we can’t comment.” A spokeswoman for the Sainsbury denied its stores were hit by the scheme. A spokeswoman for the Tesco said: “We’re aware that this was an issue for retailers.” She said the Tesco tested its devices and was confident that they were secure now.

The device can be told to copy certain types of transactions — for example, five Visa platinum cards or every tenth transaction. It can also be instructed to go dormant to evade detection. On average, only five to 10 card numbers would be phoned in to Pakistan, the person close to the British law enforcement said.

Source : News