Aldi Stores Credit Card Fraud

A recent article I came across in my Security Focus newsletter inspired my latest post, regarding the recent Aldi credit card fraud that occurred across 31 states. (See the entire article cited below.)

To quote the article’s author:

“It looks like this was the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices…rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location…tampering likely occurred over a period of several months…driving the trend is the easy and growing availability of sophisticated counterfeit payment terminal kits…rings of fraudsters, largely from Eastern Europe…same types of fraudsters are organized to attack multiple stores in multiple states simultaneously…”

These kinds of high-level crimes set a dangerous precedent if they increase in popularity. Our current civil authorities, simply put, do not have the level of sophistication required to stop these types of criminals.

A common police protocol in this type of situation might be to review the video tapes for individual stores for the last 6 months. However, most stores do not keep footage for this long, and unless the devices themselves can be traced back to their original manufacturer, not many leads could be extracted without the resources of federal investigative units.

This emphasizes how important it is for security corporations and organizations to help and assist these government agencies in any way possible. Federal units are currently highly diversified, and with the increased focus on countering violent terrorists, these other, non-violent acts may get overlooked.

Even with federal and state-wide corporate assistance, there may still be a need for political resources. Groups which organize crimes such as the Aldi Stores fraud may have established rings outside of the country, and may fly in trained professionals, either consultants or direct employees, most likely with fake identities, to commit the crimes and then fly back out.

Stopping this kind of international crime will require treaties and the help of many government and corporate agencies, as this clearly indicates the need for international policy to combat all forms of terrorism, even these non-violent actions.

The defense and security of individual nations can only be realized with international cooperation.

I’m sure these realizations and concerns are not mine alone, and I can only hope this same thought is shared among the right people to truly make a difference.

Jaikumar Vijayan. “Aldi data breach shows payment terminal holes”. Computerworld.

October Newsletter. SecurityFocus.


Facebook is down!

As of approx. October 6, 12:30 AM EST (GMT -5), Facebook HTTP services seem to have gone down.

Ping tests were successful during this time, however, attempts to load the website resulted in timeouts.

More updates tomorrow morning after some official announcements have been made. My initial speculation is botnet and/or DoS attack but this is very preliminary.

Update 12:49 AM EST (GMT -5)

Looks like is down as well…

Update 10:15 AM EST (GMT -5)

Some other sites also seem to have gone down: reddit, the Apple Store and digg, among others.

Javascript Security

A little code snippet a colleague of mine stumbled across.

Go to any site, then in the address bar of your browser for that site, replace the entire URL with the code below.

Watch as you can now edit any content on the page. This serves as an example of why server-side request validation and/or anti-XSS techniques and libraries are crucial in all coding practices.

As additional security measures, check HTTP headers and validate all POST and GET data as well to prevent this kind of attack.

javascript: document.body.contentEditable = 'true'; document.designMode = 'on'; void 0