Page last updated at 14:06 GMT, Thursday, 28 August 2008 15:06 UK

Hackers prepare supermarket sweep

Reformed hacker Jacques Erasmus of security firm Prevx explains the scam

Self-checkout systems in UK supermarkets are being targeted by hi-tech criminals with stolen credit card details.

A BBC investigation has unearthed a plan hatching online to loot US bank accounts via the checkout systems.

Fake credit cards loaded with details from the accounts will be used to get cash or buy high value goods.

The supermarkets targeted said there was little chance the fraudsters would make significant gains with their plan.

With the help of computer security experts the BBC found a discussion on a card fraud website in which hi-tech thieves debated the best way to strip money from the US accounts.

The thieves claim to have comprehensive details of US credit and debit cards passed to them from an American gang who tapped phone lines between cash machines and banks.

'Cashing out'

The funds being laundered have been pilfered from US bank accounts

The gang plans to copy card details onto the magnetic stripes of fake cards and then use them in UK stores. In the discussion on the card site those co-ordinating the fraud say they are seeking places to "cash out", meaning strip funds from the bank accounts using fake cards.

In the forum they are asking for information about Asda and Tesco stores in which it is possible to use self-service systems that mules could visit with the fake cards to get at the cash.

The fraudsters are looking for self-service systems to avoid contact with store staff who may spot the fake cards.

Over the period of a month from mid-August the ringleader claims he will have details from 2300 cards to handle.

In the forum he declares: "Its (sic) shopping spree guys help me out and I will take care of you."

The information found by the BBC has been passed to the Dedicated Cheque and Plastic Crime Unit so it can investigate the ongoing fraud.

Andrew Moloney, security evangelist at RSA, said the gang were involved in "classic" card fraud by cloning details on to magnetic stripes.

He said it was an example of a long observed trend in fraud.

"We've seen a shift from card-present fraud to card-not-present to fraud abroad," he said.

"The internet is the global marketplace," he said. "It's not difficult to take compromised cards from one country and exploit them in another. It's a simple and routine procedure for these guys these days."

The discussion on the crooks' forum is a bit of a wake-up call for all those who think that the introduction of chip-and-pin in the UK has wiped out card fraud
Rory Cellan-Jones
BBC technology correspondent

Jacques Erasmus, from security firm Prevx, agreed that cashing out abroad was a well established method. "They do not normally cash out in the same country," he said, "just because it makes the law enforcement job that much harder."

He said many criminal gangs even offer their fraudulent services via the web.

"They will do it for you in India and China," he said.

Sweeping up

Armed with fake cards and a list of shops and supermarkets that can be hit, the fraudsters could make 5-8000 per day, according to Mr Erasmus.

The funds would be split between the mules who actually carry out the transactions, those organising the mules and the hi-tech thieves who stole the original card numbers.

Representatives from both Tesco and Asda argue that payment systems automatically contact the banks when a card is swiped instead of using chip-and-pin. The banks must authorise the acceptance of a signature.

"If the card has not been reported as having been cloned, yes, it can go through," said a spokeswoman for Tesco. However, she pointed out that swipe and sign transactions represent a tiny fraction of the supermarket chain's trade.

"We would hope this will bring further pressure on the States to introduce chip-and-pin," said Jemma Smith of the UK payments organisation Apacs. "Until that happens we will still see fraud on US cards happening in our shops and our cash-machines and also fraud on our cards happening in the US."



