Avivah Litan

A member of the Gartner Blog Network

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio

Coverage Areas:

Lucky stores weren’t so lucky – Another Flash Attack?

by Avivah Litan  |  December 8, 2011  |  Comments Off

What really happened at Lucky and Savemart stores? See http://savemart.com/index.php?id=449 for their press release on this.

Something here doesn’t add up. The chain says employee and customer bank accounts were compromised but employees generally don’t swipe their cards at the POS systems. So I for one, would like to understand the connection to employee accounts. There must be more than just card reader tampering going on here.

But if you take the employee piece out of the picture (and I don’t say we should) then this looks like yet another sophisticated POS card reader fraud attack.

The bad guys are very organized. They have the ring leaders that target the POS systems used at the store chain. They must have known which type of POS equipment Savemart uses and designed an attack specifically against their systems.

The ring leader(s) hire ‘flackies’ to insert skimmers in the equipment or to replace the equipment Savemart has have installed altogether. (Most likely it’s the former option although the latter option is more common in South America). They then hire the counterfeit specialists that turn the stolen data into counterfeit cards (with PIN numbers, if they have them) taped on to the counterfeit cards. And finally they hire the ‘cash out’ flunkies to use the cards at ATM machines or other POS systems to turn the stolen cards into stolen cash or easily fence-able goods (like TVs, tablets or other electronic goods).

Then they hire people to collect the cash or to fence the goods before the cash is collected.

They generally use the cards VERY QUICKLY at ATM machines around the country and sometimes in other countries, simultaneously withdrawing small amounts at dozens of machines against dozens of accounts, typically within 10-30 minutes. Then they wait an hour and do it again. This way they can evade many of the fraud detection systems.

I blogged about this months ago – I call this the Flash Attacks. Of course Savemart is only reporting on their piece and the banks generally don’t disclose their side of things so we can’t be sure if Flash Attacks resulted from this hack.

Also the part disclosed on employee account takeover is still troublesome. I’d like to know more about that. As noted, employees typically don’t swipe their own cards at the cash registers.

Comments Off

Category: Uncategorized     Tags: