Card cloning syndicate bust

[Mila]

http://www.news24.com/SouthAfrica/News/Card-cloning-syndicate-bust-20100621

Nelspruit - An Mpumalanga police constable and five other suspects appeared in the Nelspruit Magistrate's Court on Monday on charges of fraud, corruption and possession of a stolen firearm.

Constable Zakhele Mkhatshwa, 27, a member of the detective branch in White River, was arrested with his co-accused after a complaint from a member of the public about unauthorised transactions processed on her account after she had used it at a music store in Nelspruit.

Mkhatshwa, who got a lawyer immediately after his arrest on Saturday, was released on R5 000 bail by magistrate Amos Khumalo during a hearing before 08:00 on Monday.

The other five suspects, Mpendulo Shiba, 25, Thabo Tsela, 22, Bongani Nyerenda, 23, Dennis De Beer, 30 and Dumisani Mkhatshwa, 33, were denied bail by Magistrate Eddie Hall despite an argument by their defence lawyer, Eddie Mabaso, to be given the same treatment.

He postponed their bail application until Friday.

According to provincial police spokesperson Captain Leonard Hlathi, the constable was found to be living in a house worth more than R1m in Nelsville and had a staggering R600 000 in his bank account at the time of his arrest.

Accomplices

"During the search at his house, the police recovered a laptop, one card skimming encoder, one card skimming device and several cloned cards," added Hlathi.

He said the provincial commercial crime unit’s investigation led them to a cashier at the music store where the complainant had shopped.

"The suspect was found in possession of a card skimming device and he then led the police to two other suspects, who actually came to the shop to collect the device.

"After searching their vehicle, the police recovered two more devices. They then arrested two more suspects in KaNyamazane, where they confiscated a 9mm pistol, two laptops, one card reprinter, several cloned cards from South Africa and other countries, and one FIFA cash access card with a fake ID photo.

"The five suspects led police to the constable's house, where he was arrested."

Nelspruit State prosecutor Tobie Steyn said some of the cards that the police had found in Mkhatshwa's possession had been stolen from foreign visitors who had come to watch the FIFA World Cup.

"A transaction worth R53 000 had been done on one of them. The police are still trying to establish the other amounts," he said.

Hlathi said the arrest of the five men had busted a sophisticated card-cloning syndicate.

Hope this leads to more arrests.

 

[davemc]

Automated lifestyle audits.

 

[Senshi]

The Syndicate isn't just in Nelspruit.

R3000 was withdrawn from my GF's account on Sunday evening. She has taken the matter up with the bank and the police.

The scary part is, the last time she used her card was at an actual Standard Bank ATM, and before that she hadn't used it for nearly 3 weeks.

 

[Rouxenator]

I have no money (< R500 ) on my two cards - pitty the sucka fool that skims them

 

[koffiejunkie]

Why on earth has S.A. banks not rolled out chip&pin and completely discontinued mag-stripe cards? All the pay points I've used on visits to S.A. over the last three years recognised and used my chip&pin, so clearly the infrastructure is there.

 

[Romito]

at the moment only std bank is issuing all chip and pin credit cards since 2008. other banks might be doin it too.

 

[koffiejunkie]

at the moment only std bank is issuing all chip and pin credit cards since 2008. other banks might be doin it too.

Good to hear.

 

[Mars]

Why on earth has S.A. banks not rolled out chip&pin and completely discontinued mag-stripe cards? All the pay points I've used on visits to S.A. over the last three years recognised and used my chip&pin, so clearly the infrastructure is there.

Chip and pin means nothing. On my credit card machine its possible to bypass the chip and pin tech.
The only difference is who loses in the case of card fraud.
If the pin is entered the card owner pays.
If no pin is entered the vendor pays.

 

[koffiejunkie]

Chip and pin means nothing. On my credit card machine its possible to bypass the chip and pin tech.

Because you have mag-stripe on the same card. That's why I said "and completely discontinued mag-stripe"

 

[Mars]

Because you have mag-stripe on the same card. That's why I said "and completely discontinued mag-stripe"

Even then it is possible to bypass the pin. And since the pin is stored on the actual card, it would be possible just to clone the card and insert your own pin.
This has all been covered in another thread arround here.

 

[koffiejunkie]

linky?

 

[Mars]

linky?

I knew you where gonna ask me that lemme look.

 

[koffiejunkie]

Thanks If I knew which forum it was in and what the subject was I would have bothered doing it myself

 

[Mars]

Thanks If I knew which forum it was in and what the subject was I would have bothered doing it myself

Found it!
http://mybroadband.co.za/vb/showthr...Pin-smartcards-(debit-and-credit)-compromised

 

[ToAsTeD]

Good news!

 

[analogsa]

And since the pin is stored on the actual card, it would be possible just to clone the card and insert your own pin.

Breaking the encryption of the chip? Not too likely. Neither is it likely that the pin is stored as plain text.

 

[koffiejunkie]

Found it!
http://mybroadband.co.za/vb/showthr...Pin-smartcards-(debit-and-credit)-compromised

Well, this is a different exploit to the one I was thinking of. Nevertheless, while it's doable, it depends on you having your laptop with python script handy, and the merchant allowing you to plug it in. Or have the wires down your sleeve and the merchant not noticing.

Just about any sort of communication protocol is vulnerable to man in the middle if someone on either side isn't paying attention.

 

[PeterCH]

Well, this is a different exploit to the one I was thinking of. Nevertheless, while it's doable, it depends on you having your laptop with python script handy, and the merchant allowing you to plug it in. Or have the wires down your sleeve and the merchant not noticing.

Just about any sort of communication protocol is vulnerable to man in the middle if someone on either side isn't paying attention.

They may be able to get away with it in the future by miniaturizing the Python component to the card. Do note however that as mentioned already, the magnetic stripe is still used.

Sadly the move to PIN and MC 3D Secure/Verified by Visa is bad news for the consumer (card holder). The vendors are now no longer liable and it is easy to phish the Verified by Visa/3D secure code as the credit card companies themselves recommend the use of IFRAMES to drop this junk on the web customer and chip and pin is forced on everyone.

Some banks (RBS/ABN AMRO) don't force the pin though. The liability still lies with the vendor to check the signature/ID.

 

[koffiejunkie]

Do note however that as mentioned already, the magnetic stripe is still used.

The magnetic stripe is required for a chip & pin transaction? I wasn't aware of that?

Sadly the move to PIN and MC 3D Secure/Verified by Visa is bad news for the consumer (card holder). The vendors are now no longer liable and it is easy to phish the Verified by Visa/3D secure code as the credit card companies themselves recommend the use of IFRAMES to drop this junk on the web customer and chip and pin is forced on everyone.

Agreed.

 

[PeterCH]

The magnetic stripe is required for a chip & pin transaction? I wasn't aware of that?

The transaction can be done using the mag stripe instead of the Chip. In case of technical problems the machine falls back to the Magnetic stripe and/or older models work that way too.