
The New Face of Card Fraud

BSides DC · 2015 · 59:13 · 326 views · Published 2015-11
Speaker: G. Mark Hardy
Tags: Style: Keynote
About this talk
Did you notice your new credit card looks different? Starting October 1, most large merchants require you to do a chip-based transaction rather than swiping a mag stripe. But is this really going to fix things? Have you ever gotten a call from your bank saying your credit card was stolen, but it was still in your wallet? What's going on here? Card fraud costs $16 billion annually, and it's not getting better. Target, PF Changs, Michaels, Home Depot, who's next? Find out how these big card heists are pulled off, why chip-and-PIN won't solve the fraud problem, and how crooks compromised Apple Pay. See if your bank even bothers to use the security protections it could; we'll have a mag stripe card reader so you can really see what's in your wallet.

G. Mark Hardy is founder and President of National Security Corporation and has provided cyber security expertise to government, military, and commercial clients for over 30 years. Also founder of CardKill Inc., he is a retired U.S. Navy Captain and an internationally recognized expert who has presented at over 250 events worldwide. He serves on the Advisory Board of the National CyberWATCH Center. A graduate of Northwestern University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration, a Masters in Strategic Studies, and holds CISSP, CISM, GSLC, and CISA certifications.
Transcript (en)

Alright, good morning everybody. We're gonna do a quick welcome. Yeah, is everybody awake? Mostly. Did anybody go to the Endgame party last night? Anyone? There's a few people. Those people are struggling now after Endgame, had way too much fun last night. All right, welcome to the third annual BSides DC. We are the Hacktoberfest BSides, what we bill ourselves as. A quick show of hands, who's been here before? Wow, tons of people. Any returning black badges in the house? Anyone? Anyone? I'll turn off that radio before I deafen everybody. And who's new to BSides, is this like your first BSides? Wow, wow, about half. Cool, well, welcome. So just some quick housekeeping items before we

start. Please silence all the things that make noise. I know you have a really cool ringtone, but everybody else doesn't need to hear it. Respect speakers, organizers, volunteers and everybody else. Adhere to our principles; if you want to see those, they're in the program. Mainly, don't be a jerk is the main rule. And the main thing is participate. There's tons of things to do today: there's Lockpick Village, there's Internet of Things Village, there's plenty of great talks lined up. I mentioned lockpick, wireless, wireless CTF, everything else, so definitely take a chance to take a look around, especially if you're new. Try checking out a bunch of different things. All right, who's who: orange badges are organizers,

that's myself, Bob Weiss, my other co-director, any of our other people, Duran, our finance director. Volunteers, yellow badges: these are people who are volunteering to help us put this together, direct you where you need to go and do everything like that. Speakers... yeah, volunteers will be wearing the rust-colored shirts. Speakers, they're wearing the white badges. Check them out, feel free to ask them questions in the hallway, I'm sure they'd love to talk to you. Green is our sponsors. We cannot put this event on and have such a great event without our sponsors, so check them out, go to their tables, say hi to them. Security, they're wearing the red shirts, obey them. Blue, attendees, that's you guys.

Thank you very much for coming out. OK, this is our third year. In 2012 Mark Bolts and Bill Sure emailed Jack Daniel and said, hey, why isn't there a BSides in DC? And he's like, congratulations, you guys are putting it on. So three years later here we are. This is the first year with a Crypt Kids con, that's upstairs; you'll see them walking around with their super awesome flashing badges that I'm jealous of. We sold more tickets in about the same time as last year. This is the second largest BSides globally, only second to Las Vegas. The schedule is available on Confu, I'll put that link up in a little bit. So a quick tour of it: Internet of Things Village,

that's in London 1, that's basically straight this way over by the elevators. They ran it at DEF CON, they called us and said, hey, we'd like to bring it to BSides DC, so check it out. It's Internet of Things devices and probably something so hopelessly broken, router hacking as well. Lock Sport Village, they're in London 2, that's down the hallway past the elevators. They'll be there all day today and all day tomorrow, let you play with tools, crack locks, open things up. Please do not take the locks; they have some for sale. Ask questions. Please also don't practice on any of the locks in the hotel. The wire, Kahuna? Don't listen to that guy. Wireless

CTF, that's upstairs on the second floor in the Junior Ballroom. That is open to conference attendees, so go check that out. There will be a CTF there and you can also learn from those guys. Crypt Kids, that starts at ten, ten a.m. 10:30 is the Crypt Kids keynote, that will be in this room after we reset the rooms for the two tracks, so any attendees are welcome to check that out as well. The Crypt Kids keynote is Alicia Kazakh wits; it's going to be very interesting from the sound of it, something outside of what we usually do in the computer security field, but I think it's going to be very interesting. The Crypt Kids con,

I do definitely want to give a shout out to Jenny, Megan and David, they did a ton of work on this and really, I think, knocked it out of the park, so it's going to be super cool. Alright, schedule, just really quick. Schedule is on Confu. Big thanks to Darnell for setting that up for us. So it's confu.com, there's a link for BSides DC that's optimized for your phone, so you can look at it by time, by speaker, by track, everything like that. And it has all the descriptions of the talks and the bios of the speakers in there, so you can look it up, carry it with you, super handy. It also has the most

up-to-date list. We had three talk changes that are listed in there, they're all on Sunday, so the program will be a little bit behind Confu. At registration they also have the list of the talks that have changed. So, just that: Confu is really great not only for our con but for others, if you do others. Can you... oh, good, I'll get closer to the mic. So Confu is really good not only for our con but for other cons; they handle DEF CON and some of the BSides and a lot of the other events. So it's a graphical, mobile-friendly website, you can look at the schedule and it's very easy to

put on your phone, so I recommend that you hit that, it's very useful. Is Dave in the audience? Thank you, Dave. Dave is the Confu guy.

Alright, so on the subject of thanks, we have to go through our sponsors again. These are all people who are helping put this con on. So in our Engage the Audience sponsors: Veris Group Adaptive Threat Division, SANS and NetWars. Did anyone do NetWars last night? I think I see a couple of NetWars t-shirts. So you guys had fun at NetWars last night? I think that turned out really great, so it sounds like that might be something we're going to do in future years, so keep an eye out for that next year. All right, Above and Beyond sponsors: HP, this is their third year with us. Cobalt Strike, this is our

third year, and they're our lanyard sponsor this year, so thanks to them. Aruba is back again. CSC / Tenacity is back again, this is our third straight year. And our new sponsors, Valiant Solutions and Endgame, thank you. Altis Consulting, they're also sponsoring the party tonight, so big thanks to them. FireEye returning this year, Palo Alto Networks returning this year, Fidelis returning this year as well, and Booz Allen Hamilton. More Above and Beyond sponsors: Milton Security, GDIT, Antietam, Tenable, MITRE. Core Supporter sponsors: Hacker Warehouse, go to Garrett's table out there, he has cool stuff; System 1, ClearedJobs.Net, ThreatConnect, Evident.io, GuidePoint Security. Other thanks, these are other

companies that are supporting us in other ways: Critical Stack, Sophos for the networking gear. Speaking of the network, there is a wireless network; the SSID says the password is in it. That's the conference network for you guys, please don't hack the conference network. iFixit, they donated tools for the Crypt Kids village upstairs. TOOOL, obviously, TOOOL DC, putting on the Lockpick Village for us every year, they're doing a great job, we really appreciate them coming back. The Iron Horse pub for hosting us tonight, the Marriott for giving us the space to have the con in, No Starch Press and Independent Security Evaluators were the organizations... Yes, so I want you guys to know, you all haven't paid a

lot of money for your tickets, right? And the reason we're able, BSides organizations nationally, internationally and us, right, are able to keep that ticket price down is because of these sponsors, right? Without the sponsors this event does not happen. Most of the money for putting this event on comes from the sponsorship. So please take some time: if you see anyone with a green badge or you stop by the booths, thank them, listen to them, stop by the booths, understand what they're pitching or what they're trying to promote. And again, they are what is putting on this conference, so again, recognize that. Thank you guys. Alright, so our worthy

organizations. We do some fundraising here through sales of things in the swag shop, which will be open later today, and we do try to donate every year to both EFF and Hackers for Charity. So we want to give back to the community, to support things that are important to us. OK, the important part: the party tonight, the Hacktoberfest. It's at the Iron Horse taproom, begins 7:30. Again, Altis Consulting Corporation, thank you, Jacob Porter and Altis Consulting Corporation, for sponsoring the party for this year. There will be drink tickets and we're featuring a list of local beers, so Virginia, Maryland, DC, Delaware. And finally, the team. This is

all the people who have been working for the last year to put all this together, spending nights, weekends, everything else. So big thanks to everybody here on this list. If you see them, if you see a volunteer, if you see an organizer, definitely thank them for their efforts. It's not a trivial thing to put this on. And obviously big thanks to Jack Daniel for kicking us in the butt and making us do it. Alex, you didn't put yourself on that list. I know, I didn't put myself on that, right. Big thanks, Alex Norman, also. All right, so with that I will let Bob introduce our keynote, Mr. G. Mark Hardy.

Thanks a lot. So I've known G. Mark for, I don't know, at least eight or nine years. He is the founder and president of National Security Corp. He is an internationally recognized speaker, and I don't know, what, two years ago G. Mark and I did a talk and he literally ran in from, what was the name of the... the Army Ten-Miler, in the middle of the talk. He was like, okay, I'm here. So thanks to the Army Ten-Miler for moving their event, so they had it last week so he could be here today. So, G. Mark Hardy, thanks.

And we'll get to see how much hacking they did on my laptop while I was away. Survey says: didn't at all. Okay, welcome. Hello, why she didn't do see nothin, you need more Starbucks, something like that. Anyway, SQ park rd, pleasure to be here. I'm gonna make it really tough for the camera guys, I walk all over the place; if that's a problem let me know and we'll go full the pony boy go straighten presider. I want to talk about credit card fraud. Who here has got credit cards? Yeah, we got debit cards, got them, okay. Who here never raises their hand when you're asked to raise your hand? That would be that, Lisa, okay. There you

check out the financial system. I want to talk about the direction we're going; if you notice, credit cards are different this year. When we... good things, thank you, there we go. And here I am, I'm so used to working without a microphone. I kind of got too many of these things at home, they make great collector's items. So we'll have to back up for the recording? Yes? No? Listen, you've lost nothing, we could start over. Anyway, think about it, what's been going on with all these credit card breaches. We look at things like Target and Sally's, Home Depot, and of course there's more coming. But what have they all got in

common? Yeah, Dave. Well, they all got whacked, they got whacked in a pretty big way. And what they're going after, what we're finding is criminals are going after credit card and debit card information. It's really kind of a little bit back to, go back to Willie Sutton, remember the bank robber? When they asked him, why do you rob banks, his answer was, because that's where the money is. Well, this is where the money is now. This is last year's Verizon Data Breach Report, but you know, you could still squeak a little bit out of it. They said, hey, you know, it's the year of the retailer breach. Now of course any year could probably be the year of the retailer breach.

It's just the nature of things, because with so much information available for compromise it's really kind of hard to say no if you're an attacker, particularly if you don't even have to gain physical access to a system to get all the goodies that come out of it. And so what we want to think about is, what's going on here? Card fraud, it's a huge industry: 11 billion dollars in 2013, went up to about 12 and change in 2014, and we're still trying to get some final number; sixteen billion dollars when you throw in the cost of all the credit card remediation. You're gonna watch your credit history for, like, seriously? Remember that OPM hack? Whether they can

where they came out after the OPM... anybody here? Yeah, you're probably part of that if you've ever had a clearance. And they say, we'll give you free credit monitoring for a year. Like, seriously, you think the Chinese did all that to steal your credit cards? Dudes, hello. Anyway, credit cards, oh yes, they do want your money: about sixteen billion dollars total. Well, the problem is it's expensive. Banks generally eat about sixty-three percent of that loss, almost two-thirds of it. The rest goes to the merchant, saying okay, if a merchant didn't actually get that three-digit CVV on the back, or they didn't swipe the card because, oh, I left

my card at home but I remember my number, or card-not-present, think online, all those folks tend to pay for it. Well, the thing is, what's missing from that equation? You. How much do you get ripped off? I don't know, because you might not know either, unless you're kind of meticulous about checking your statements. I even got popped about ten years ago and I missed it, 'cause I was on the road like I always am, and it's like a ten-dollar charge. I read a couple years later these guys stole two million cards, they made one $10 charge on each of the two million cards and that's it, they threw the numbers away. Well, that was actually

a pretty smart business model, because they got away with it, because ten dollars, it's not worth getting on the phone and arguing with your bank for 45 minutes, so you'll let it go, and it scales up pretty well. Well, the US has got a huge disproportionate amount of volume on this, mostly because, well, we don't really have those chip-and-PIN cards at all that Europeans use, 'cause, well, we're Americans, we're better, or smarter, maybe. Well, so what's happened is banks have sort of these neural-network-type things, the systems that are basically mainframe applications that run just like a giant firewall: if-then-else, if-then-else, if-then-else. And you can screw with those rule sets if you want, and you

can do it legally. So for example, if you want to see if your bank is using a certain type of fraud prevention and you're getting ready to go buy something at Best Buy because it's coming up on shopping season, here's what you do: take your credit card, go to the gas station, authorize your gas but then cancel it, then drive down to Best Buy and buy your stuff and see what happens. Alright, that one-two punch ought to kick in those firewall rules, and your card ought to either be, hey, there was a problem with it, or declined, or whatever. Now you haven't committed fraud, it's your own card, but what you're doing is, like you're doing a good hacker,

you're probing, like, a black box's rule sets. And that's exactly what criminals have done over the last few years: they probed out that entire rule set and they've kind of figured it out. And so this chip-and-PIN, or chip-and-signature we're doing in the U.S., is not going to solve this problem, it just changes the nature of the fraud, because if you think about it, we're going to find out that it really doesn't do a whole lot for things like online or card-not-present. So card fraud, it's complex. It's not a bunch of computers dueling it out, it's not like some Star Trek thing where, okay, you have to report to the disintegration chamber because your sector was bombed.

No, these are set up as static defenses. Attackers attack; next week or next month, whenever you push the updates, we push the updates, and it's a constantly losing battle. By the way, anybody sign up for Apple Pay? How's that working for you? You're, like, smiling. Was it easy? Seriously, was it easy or hard to set up Apple Pay for your bank? Relatively. Anybody have, like, a super easy way, just provision your card and go? Anybody had to go, like, show up at a bank or actually do a phone call or do some other authentication? Yeah, because when Apple Pay started out, what happened is Apple, they're brilliant, they did the crypto well, they did the

near field communications well, they did the interface with all the switches. They didn't think very carefully about how do we provision the card, and people figured it out pretty quickly: with a stolen credit card number, just create an iTunes account, you can now provision your iPhone 6 with a stolen card, and now you've got Apple Pay. But Apple Pay is card-present, so very low fraud concern, charges always go through. But where's the card? It's either in your sock drawer or somebody else's drawer, or it's stolen. So some of the banks that started doing Apple Pay early on to do the easy provisioning: six thousand percent increase in fraud, massive spike in fraud, because what you

do, you go ahead, you steal one of these things, then you come back and you go to the Apple Store, you say, hey, you know, I got one of these iPhones yesterday, I like them so much I want to buy them for everybody in my company, and I'm going to pay for it with Apple Pay. And the clerk's going, wow, this is wonderful, Apple's changing the world. But of course it's all stolen. So Apple is really one of the biggest victims of that, and they don't want to admit that. I've gotten emails from Apple saying, hey, I'm sorry, you're saying things about us. They say... well, you guys have more lawyers than I do, so no, I'm not

going to talk to you. You know what you did, go fix it. And like anything else, we're starting to see improvements, but usually early adopters catch the first arrows. So typical fraud prevention: we're looking for this anomalous user behavior. What I mean, think about in the beginning, for those of us, hey, Kahuna, with the gray hair, we remember back in the 70s, or no hair in your case. But in any case, yeah, we have to edit all this stuff out. That's something I like about B-Sides, you don't have to be politically correct, even in Washington DC. So what happened was this: if you remember the old days, you got your first credit card, you went

down to the merchant, you buy something, they had a little onion-skin booklet, like little eight-point font, so you had to be younger than we are now to read it, and they listed literally every single stolen credit card that week. And then the next week they'd issue a new book. It's like a very, very small certificate revocation list. But the problem was, it didn't scale too well when things got a little bit bigger. Okay, so now, it happened, I remember there was a clerk, it's like, I can't find your number in the book. It's a good thing, lady, you know? And that's probably why she was there making minimum wage. Well, the

problem was that as more people started using cards, that hotlist got bigger and bigger and bigger, like a hosts file, which you couldn't go ahead and scale to the size of the Internet. You had to have something a little bit bigger and better. So what do we do? We went from these knuckle busters, run your card through, to these online validations using this, ooh, a modem, 1200 baud, 2400 and things like that. But here's a crazy thing: do you know what percentage of the merchants still use an unauthenticated, unencrypted dial-up modem to run your credit card? About ninety percent. Because if you want to do it across the Internet you have to pay extra to the merchant

bank. So why would you do that if you're a dry cleaner? You don't want to spend extra money on it, so you put up with it. So the cool thing is, you can check for authorization in real time, because before you had a little bit of latency with that little book, right? You could steal a card on Monday but nobody would know about it until the next week. But now you can go ahead and do a real-time check online, that's pretty cool. And so now we can tell not only if your card is stolen or not, we can tell there's a balance on it and whether or not the merchant should take it. Merchants like this because it

helped protect them then from people going ahead having cards that were out of money. And if you didn't know that when you did the knuckle-buster thing, and then you'd submitted it to your bank and three days later you found out there's no money there, you got ripped off. Now we don't have to worry about it anymore. Well, the problem is today, for those Monty Python fans, how do you know she's a witch? Of course, what's the answer? Yeah, she floats. All right, you must be made of wood. So we look at all these solutions that come out of these mainframe-type things, these big copper, and these are hundred-million-dollar companies, and oh,

by the way, you know, working with MACH37, Dan Woolley's out there, and yeah, I got their little card in here, but talk to these folks. By the way, that's really cool, they're a cybersecurity accelerator and they helped fund this little guy here, which is why I did all this research for you guys. So what you do then is we learn a behavior of a user and look for anomalous stuff. Now, do any of us ever do anomalous things in our life? Oh, it sort of defines us, right? And so it works really well: my grandma, who's in Ohio, who doesn't drive more than 20 miles from her house and never charges more than forty dollars on a credit card,

so her card shows up in East Los Angeles on a Friday night for 800 bucks at the Best Buy, probably not grandma. That's easy to spot. But the thing is, you get a lot of false positives that way, and even in spite of that, 12 billion dollars gets past it. And this is like an intrusion detection, intrusion prevention, but this is more of an IPS system; if it's blocking transactions, people aren't happy when your card doesn't work. So things are changing. On the first of October, just a couple weeks ago, what's happened, they've just realigned the liability rules. By the way, you've got till 2017 if you're a gas pump. And the idea is this: if you're a bank and you

issue cards, you don't have that little chip on there, then you're paying for the fraud. If you're a merchant and you don't take the little chip, you're paying for the fraud. By lana the carrot, doesn't matter, you're paying for it. What if you both are guilty? Well, then you have an arm wrestling or something, they all work out the rules. But this is not the federal government, this is not the banks that are saying this, this is the switches: Visa, MasterCard and Discover and American Express, at least 20 of them out there in the United States alone. Here's a... take a look at the fraud equation. How much fraud losses does Visa have every

year? Zero. And MasterCard? Zero. Why? Because it's in their contract: we don't pay for fraud. In fact it's even better than that: a fraudulent transaction comes through their system, they get a little percentage of that too. They're actually making money on fraud. Dude, that is one racket industry. Now you know why their stock has been doing so well, except there's some other issues coming up, so before you go out and buy their stock I'll give you some pointers on that. So how are we doing so far? So as of this past month, eighteen percent, up from about three percent, of the credit cards now have a chip. Who here's got at least one card with a chip on it? Look around,

yeah, that's about seventy percent. Who here still has the old legacy ones in your wallet? Oh, from some of the old stuff, yeah. So we're in that transition phase even though the rules have kicked in. By the way, the estimate is it's going to cost about 8 billion dollars for all these donut shops and the Chinese restaurants and the dry cleaners and everybody else to upgrade all their hardware. Well, gee whiz, for that kind of money, and there are estimates as high as 35, you could buy a bunch of aircraft carriers and go rule part of the world, or you could take chip cards. I don't know about you, but ruling part of

the world sounds more cool than taking a different form of payment. Heck, we'll use Bitcoin and rule the world. Anyway, not too many merchant locations; a lot of these locations are maybe your big organizations like Target, who spent 100 million dollars fixing their systems, but now they finally rolled them out. Walmart was pretty much the first major retailer, so August. And now you're going to see the customer experience a lot of frustration come Black Friday and all these shopping days, when people, instead of swiping their card for half a second, gotta stick it in there and leave it in there for six seconds, seems like forever when there's 10 people in line behind you. I think we're gonna see the first

fights coming out pretty soon. It's probably going to be on Cops, and I'm sure it's gonna be down in Pinellas Park, Florida, because that's where everybody is, and the guy's going to have no shirt on, because that's always, you have to be, if you want to be on Cops. And it's going to be a fight about people getting stuck in line for these things. So why are we doing this? Because we got this chip-and-PIN thing. It's not really PIN, it's not... well, the chip. We call it, formerly, Europay, MasterCard and Visa, EMV. Europay got the first billing, and it's not alphabetical, no, it's because it's driven by Europe. It's been the standard there for several

years, up in Canada now for about seven years, actually I guess eight and a half with the exchange rate. But in any case we're finding that 92, the 20 countries use chip-and-PIN, except for the US, where we're special, we're different. We're going to go to chip-and-PIN when we go to the metric system, 'cause we're America, yeah, we know better, right? So I asked the Europeans, I was over there a couple times in the last two months, oh, why do you Americans, you love criminals? What do you mean? You make movies about them, you elect them to public office. I mean, it's an American thing. Okay, what else? Oh, we got much worse

fraud? No, we already saw the statistics, it's much worse than us. They're more security conscious than Americans? I don't know, you guys had more wars in the last century than we have, although we're trying to do our best to catch up. Europeans are smarter than Americans? I'll let you decide that for yourself. But let's look at the real reason why this thing took off. Back in the United States, when you wanted to get a new phone line 25 years ago, what'd you do? You called up one of the Baby Bells, or even before the Bell System got broken up by Judge Greene, call up AT&T, hey, it's Tuesday, you got a new phone line by Friday. So you

can take these new online credit card checking things. Over in Europe, though, they're running through PTT, Postal, Telephone and Telegraph. PTT is one of those ossified government organizations, it takes forever to get something done. And so you talk to somebody who grew up over in France or Germany or Italy or something like that back in the 70s, it would take you six to eight months, seriously, no kidding, to get a new phone line in. Well, you can't do that. You can't scale these little onion-skin revocation lists because you'd be sending out phone books every week. And so they had to come up with something else. So the idea was, we're going to bite the bullet, we're

going to pay about ten times as much for the card, and we're going to put into the hands of the merchants a way that they can validate that the cardholder and the card itself have a shared common secret. And that's really all we're talking about. By the way, the software is written in Java, for those of us who think that's a really fun idea. Here's an interesting project for next year: anybody wants to work with me on a research project looking at the code and trying to see, because how are you going to patch a credit card? I mean, we talk about the Internet of Things, we're already into it here, but a lot of our money's tied up in this stuff

here. When you insert it into a reader, the device interrogates it and then asks for the user's PIN. So if you go to Europe it's kind of nice, because your card never goes in the back room; we don't see some shifty-looking person go back there skimming it a bunch of times. They bring a little machine out there, you put in your PIN, and now you're in, cool. Well, why can't we do that in America? Well, because we're Americans. Besides, what does it not do? It doesn't prove that there's any balance on the card; for example, if it was a debit card you don't know if there's money. It doesn't prove necessarily if the card's even

valid, if maybe it's been revoked. It doesn't prove that it's been part of a large-time fraud. And it doesn't really check for anything if your card's not present, because we didn't have e-commerce back in nineteen ninety; all we had was, what, 1-800-Flowers, and like, you're really gonna send flowers to your grandma with a stolen credit card? That's going to work, like, really? Welcome, time for reading the will. So it doesn't do any of these things, but what it did do is it solved a different problem back then: it allowed them to go ahead and do computer-sort-of verification that the cardholder and the card itself shared a common secret, the PIN. That's it.

Which is good when somebody stole one card, but what happens if they steal 20 million cards? See, it doesn't scale very well. Or when you think about why would you even do that today? Well, if you're in the payment card industry, and if you're Visa or MasterCard, you're making these ridiculous profits. Good idea, though, we've got a monopoly. And now you've got things like alternative forms of payment: Bitcoin currency, Apple Pay, Samsung Pay, I think JP Morgan Chase just announced theirs this past week, a new form of electronic payment. We're going to see a whole sea of payment forms that are going to potentially rock this industry to the core, because remember who's driving this: it's Visa and MasterCard

who are driving the shift. They want to show something, anything, out to the user, the consumer, to show that, hey, somebody's doing something. But the reality is that although there's a lot of fraud being lost, Visa and MasterCard technically make money on fraud, and to a certain odd extent banks, because they get such a big percentage. If you have a merchant bank where you pay in three to five percent to process anything from a Visa or MasterCard up to an Amex, but we don't have three to five percent fraud. Fraud really is around 10, 9 to 10 basis points, point zero zero nine, or say point zero nine percent. So how do you justify

three percent? You make money on the fraud, because you can convince the regulators not to regulate us. It's a whole interesting system, that if we drove the fraud out, or very low, you couldn't support those rates anymore and you'd have to lower your rates, which would lower the cost to merchants, which would lower your prices. Now as we get to this October first deadline, and we're past that, we found out that it was a big thing, it was like Y2K, it's like, okay, what happened? Not a whole lot. But we find out that a lot of efforts were made to try to go ahead and steal stuff. So let's take a quick look at a couple

Take Target: 40 million cards stolen. So the guy stole the cards; what's he going to do? Is he going to cash them out himself? Seriously, no way. What do you do? You take all these cards and you're going to sell them off to some criminal gang. So we get someone like Al here, he's going to stand in there for a criminal gang leader, and Al is going to buy a whole bunch of cards, and in fact lots of gangs are going to buy lots of cards, and then all these cards work their way into circulation. See, what you're starting to see here now for the first time is there is an ecosystem, there is an entire underground economy that starts not even with this

but the person who wrote the malware, who first did the memory scraping, selling it to a person who implemented it, who then sells the cards, often in batches, to a major website like Rescator. And yet, before I remind myself, I've got, I should have some websites here. Yeah, if you go to their underground site here, anybody recognize this fine gentleman here? Brian Krebs, yeah, runs a great security blog. I'd like to meet the guy; lives right here in Northern Virginia. Although it's interesting, because in his exposé about, yo, I'm in the underground hacking your stuff and learning your wares, he's publishing all this, and he's actually pointing out to the criminals some of their operational security errors and failures.

So what are the crooks doing? They're fixing it. So although they don't seem to like him, to a certain extent he's kind of a Hero of the Soviet Union, because he is enabling the criminals to get free consulting to fix their errors, and now the banks are paying millions more trying to fix the stuff. You go to their website: refund and replace policy. They move around a little bit because, yeah, they're technically extralegal, but if you pay your host country the right amount of money you get to stick around for a while. And you can go look for cards; it's hard to see in the back of the room, that'll teach you, to pretend you're encouraged, you should

have sat up front. But you can find here cards: $10, 17 bucks, six dollars. Why? Because that Chase card was getting ready to expire at the end of the month. But what they have is they give you the individual dumps, the batches that they came out of, and they give you a percentage, because when the Target stuff first came out they're rated at one hundred percent. Why? Because none of the banks, none of the merchants, none of the cardholders knew their card was compromised; you had a hundred percent chance of that card being good if you bought it early on. They're still for sale; they're down around thirty percent or so, because what's happened after a year

and a half, a lot of these cards age, because typically they're three years old, so statistically fifty percent are dead. Bigger banks just bit the bullet, reissued it, but smaller banks, credit unions, and things like that, a little bit concerned about the fixed cost of reissuing cards: depending upon how big you are it could be anywhere from three to twelve dollars to reissue the card, send it out in the mail. So they're just saying, you know, we're going to suck it up and take our chances, and for some banks it has turned out to be a multi-million dollar decision error. But you can actually get here zip code, city, state, the last four digits. I was searching for a

specific last four digits to match one of my cards; the first six digits are what's called the BIN, the bank identification number. So one of the things that Brian was pointing out, he said, hey, with the first six digits, the BIN, knowing the bank, knowing the last four digits, knowing the city and the state and the zip code, do you think you could triangulate on your customers and figure out which ones are for sale and then preemptively kill them? Right. Why would you point this out to the criminals? Okay, this is an operational security error that they've been making that has allowed clever banks to spot stuff like that. Now you don't want to

kill them all, or somebody will reverse-engineer what you're doing. So again, this is a little game that you're playing, where you're trying to go ahead and you're trying to pop them a little bit at a time, do it in a strategy so that they're not going to figure out exactly how you know what you know. You go back and you look at World War II and the Enigma, and the challenge that came up for Britain when they learned that the Germans were going to bomb Coventry, firebomb, killing hundreds, maybe thousands, of their citizens. What do you do? Do you evacuate the city and let the Nazis know that you can crack their code, at which point you

never read another message, or do you take the hit? And these are, that's why you get paid the big bucks, right? But those are tough problems; that's life and death. But you've got to start thinking the same way in this type of thing, because this is economic warfare, this is huge. So criminals get around with these low-value tests; as I said, you had years to go ahead and poke around at these things and figure out what will work. So here's this ecosystem I was talking about. What happens is that you buy the cards, you steal them, you sell to the next guy, sell to the next guy, sell to the next guy. Why

are you ever going to buy a stack of stolen credit cards? They could be revoked at any time by the bank. What do you want to make sure of? That they're still going to work, right? So how do you know they're still going to work? You run this little micro test. Because I understand if I get a call from my bank, you know, we just cancelled your card 'cause someone's trying to spend eight hundred and fifty-seven dollars over in London; okay, got it. But if they said, you know, we cancelled your card 'cause somebody spent a dollar thirty-seven at a Starbucks, seriously, you bank guys are nuts. But so what do you do? You run a

little test, like in Starbucks, and you run it through hotel tests. We've literally cataloged a couple thousand of these tests, which allow you then to go ahead and run under the radar, because you do a little test early on, and then what do you do? You void it out, you cancel the transaction. So what happens? The bank pays nothing, because the merchant doesn't get money; the merchant might have had their credentials stolen, they don't know what's going on; the cardholder sees nothing on your statement. Nothing happened, except for what? So this guy selling you the stack of cards, you take this hundred cards, you run a little test, run a little test, run a little test; of the hundred

cards, a hundred work, or 98, or 50. It's like, I guess in the movies you see them doing the heroin packets, they're always like tasting it; I don't know what heroin's supposed to taste like, I mean maybe they're just making sure it's not powdered sugar or something, or powdered milk, I don't know, but it's sort of like tasting the credit card numbers. So anyway, what they'll do is, now the bank doesn't see this, the bank doesn't see that; they get no visibility to this until boom, this cash out at the end. Here's a crazy thing: people seem to think that a card gets stolen and gets used a few minutes later. It could be weeks and sometimes months. We've seen

cards in the underground for over a year work their way through the system. It's old stock, it still sells, but hey, if the validity rate on this batch is down to twenty percent, you may only be paying a few pennies per card instead of a couple bucks; it's worth it to give it a try, particularly if you're doing it online, because what's your risk? No one's going to arrest you, especially if you're coming through Tor. So what happens to do is, the big challenge is trying to figure out: can we spot these tests and kill the cards before the cash out? That way we can figure that stuff out. That's kind of the problem I've been focusing on

here. This is not a sales pitch, because I'm outside now of my computer security world, working on bank stuff, but it's a really fun problem to take the way that we think about problems and apply it to different areas of industry. So the current problem is that we try to profile users. Hey, users are difficult to profile. Why? Because they do anomalous things; they're humans. So do you ever get a call from your bank, or your card actually didn't work? Yeah, that's a false positive. Okay, what's the problem with a false positive? Well, they're annoying and they're embarrassing. Hey, I've been doing a start-up, which means I'm eating at things like Subway all day long. Now I'm

finally getting an important meeting with some bank and take them out to like a fancy French restaurant, trying to wine and dine this client, and then the waiter comes back and says the credit card has been declined, yeah, as only a French waiter could say; pardon my French accent there. But what comes out of that is, you're horribly embarrassed, and what we find out is a big percentage of customers just take that card and either never use it again or stick it in the back of the wallet. What card vendors want is to have them in the front of the wallet; they want their card to be first there. So what's in your wallet? By the

way, I did bring a card reader so we could do some scanning; remind me to do this, I'll show you some cool stuff and some frightening stuff as well. But imagine your kid comes home with a box of crickets or cockroaches, and you've got 500 of them. Do you want to find out two hours later and then chase them all around the house, or do you want to get the kid on the front doorstep: no, young man, you turn around, get rid of that thing. And so that's the whole idea, is trying to change this entire fraud paradigm around. Now when we look at this false positive: huge amount of lost sales. By the way, 13

times the cost of false negatives. If we lose 12 billion to card fraud, we give up a hundred and eighteen billion in false positive fraud, because it's not really fraud, it's just denied transactions; these are deals that just don't go through. That's a huge impact, and so, as they say, people stop trying. And so here's a challenge: where's the fraud in there? There are two fraudulent transactions on that screen. It's a big data dump; yes, I'm stopping so you can take a picture, good luck with the resolution, and yes, I did change the card numbers to protect the innocent. But this stuff comes pouring in; if you're a major bank you might be getting literally

millions of transactions every 24 hours. We hate to be cliché and throw out "big data", but in a way it's that sort of a problem: you're trying to look at this big huge stream of information, and typically what financial companies do is you look at it at the instant it comes in, because you've got a small amount of time to make a decision. Now in this case, what we've done is we're taking a little different look. We said, hey, wait a minute, instead of just looking at a transaction, good or bad, is this grandma, is she in Ohio, is it a small transaction, that's a fast set of rules; now we say, who else are you shopping with? Because if you're doing

card fraud, it doesn't scale very well if you're only doing one card at a time. By that I mean that if I've got to go online, steal one card, get in the car, drive down to Walmart, go buy a gift card, then run back, go ahead, buy another one; no, you take 50 at a time, or if you're on the wholesaling side you're going to do it literally a thousand or up to a million at a time. Huge blocks of the stuff move around. And now what we find out is this particular card we were tracking went shopping in six different places. That was very suspicious. Why? Because the card had already been killed; it was a dead card. This is a

zombie. The cardholder had already had their card reissued; they cut up the old card, threw it away, and yet the card is still out shopping. How could that be? Because not all crooks are very careful, and sometimes people kind of really never know: that card that didn't work last week, maybe the cardholder put money onto it. So what we did then is we said, hey, let's take a look at it, kind of a guilt by association, and we found out that the same card was used here with 50 other cards, all in a very short period of time, all for the identical transaction. And what does that tell you? Those other 50 cards are all

stolen. We didn't know about any of them. It turns out there's a Coke machine in one particular part of California, it's on a loading dock, and about once a week, I think it's Friday nights around 10pm, there must be a bus: 50 people from around America line up in front of that Coke machine and they all buy exactly one Coke at about 20-second intervals. What's going on here? Right, somebody's got a new stack of cards. And by the way, remember that food chain that we saw? That's not somebody up here, because they were going to reverse it; you can't reverse the purchase of a Coke. So this is somebody who's getting ready to drive down to the

store and cash out. And when you cash out, what are you gonna buy? Best thing you buy is a gift card. Why? Because then you can fence the gift card and you've broken, you've laundered the money. Yeah, you can buy merchandise, but then you've got to return the merchandise: I lost my receipt, then we'll have to give you a gift card; okay, that's a good thing. Here is what most people don't understand. What's happening in there is that when I go to a merchant, I go shopping, there's an order system, or it could just be a point of sale; that information then gets sent to their merchant bank, they have an acquiring bank, that may then go through a payment

processor, sort of aggregates all that, which then gets into your switch: Visa, MasterCard, Discover, American Express, etc. That switch then sends over to the issuing bank, which will authorize it, send it back up here, account check, it's validated, come back; that's about a 3-to-4-second round trip. So when you swipe your card, or now dip your card, is the correct term, is the verb, that's what's happening. But what it means, what banks have always been, when they've been waiting from this 3, 6, 10, 12 month cycle of things getting stolen to the last three seconds to take a look; seriously, it's like, why do you want to wait till the bullet's already in the air before

you decide there's a sniper out there? Maybe you should do a little bit of preemptive stuff as well. So if you understand this ecosystem, you can also see where you can go do stuff, and now if you understand how people work, we find that all these different tests that are out there, as I said, we found a couple thousand of them, have different visibilities. So I mentioned hotels: hotel tests are great, because hotels, when you check in, even if your room is prepaid, what do they want? A card for incidentals. Do they charge your card? No, they do what they call a pre-authorization. What a pre-auth does is it says, hey, I'm going to pre-authorize

two hundred dollars, so if you walk out of here and we find out you emptied the minibar because you had the munchies or something like that, because it's in Oregon or Washington or Denver, they might sell a lot in the minibar these days; I still love that Girl Scout that made a fortune selling cookies outside of a marijuana shop, and they kind of called, following, says come on in. In any case, they get their money. If you check in, get your pre-auth done on Monday, and then on Tuesday you cancel your card saying it was stolen, the hotel still gets their money, because they have locked out that money. Which is why you don't want to use a debit card to rent a

car, because they're gonna block out like fifty thousand dollars or something like that; you get it back two weeks later. Fake merchants, of course; you won't see that. Card verify, brute force; I'm not gonna go into the details in the chart. The whole idea is there's a lot of different ways you can look at this stuff, and remember, if you're a crook and you've been doing this for a couple years, you share it, you put it out there on YouTube videos, you put it on an onion site; there's all kinds of places you can go ahead and get resources to learn how to do card fraud and get good at it. And what we're doing is we are saying, hey, wait a minute, this is a link

analysis problem, isn't it? Instead of looking at it one-dimensionally: here's your card, and every time your card is presented for a new transaction we make a one-time decision, does this look like you? So 50 people go into that Coke machine; you have 50 people that are all being asked, do you look like you? Well, buying a Coke is not that unusual, so they all go through, never triggers an alarm. Nobody's saying 50 people from around the country going to the same Coke machine should trigger an alarm. And oh, by the way, let's pull back on that, and now because of PCI DSS, the data security standards, banks can't share certain data; you're not allowed to.

Crooks can share it; kind of a weird world. So all these things linked together. Here's a real example, again changed a little bit of the data to make sure that it was anonymized, but think about that ecosystem: legitimate cardholder in June goes to Amazon, gets a one-dollar authorization that is reversed, and seven minutes later there's an $11 charge. Real or fraud? That's real, because that's what Amazon does: you enter a card, they're going to say, does this thing work, and if it does work they let you go to checkout; if it doesn't work they don't let you go to checkout. Number two, now four days later, Apple online, two-dollar charge. Good? Sure, why not. Now a month later they

see Cabela's, what's that, sporting goods store, yeah: $12.66 authorization that is reversed. Hmm, no harm, no foul so far. But then the following month we see a Holiday Inn seven dollar eighty-two cent pre-authorization, also reversed, and then two weeks later a Gymboree for seven dollars, it's approved, and then a few minutes later Euro Car Parts 448 bucks, works; Eurostar 110 bucks, works; Punkyfish 695 bucks, bam bam bam bam. But they have to have her on that debit card; within a matter of seconds they've emptied out almost twelve hundred dollars out of their card, maxed it out. Now let's do a little bit of analysis here. What we think we know about what's

going on: is it the same crook doing all this stuff? No, because they got a different MO. Because we found another card that just had two charges on it, the same date at Cabela's, almost the same time, for the same amount, twelve dollars and sixty-six cents. What does that tell you? That that crook is the same person, because they do the same merchant for the same amount. Now, 28 August at 8:51 compared to 28 August at 8:51, so it's probably an automated script. Euro Car Parts 448, Euro Car Parts 442: different crook doing what? Modifying their numbers a little bit. So you can start to look at the data and figure out who's where in the food

chain. Oh, by the way, they got NSF. Why? Because the card only had three hundred eighty bucks; they tried to hit it for 440. If they'd tried it for 370 you'd win, but most of the time you want to get in, get the money and go, and as soon as you get the merchandise, you get it shipped some place, or you get a gift card, you're home free, and the idea being is that now the bank's stuck to deal with the loss. And there's all kinds of things: we can find these clones, as we call them; they're copies of a legitimate card, the track two, which is what's on the mag stripe on the back of the card. So you look at

any card, whether it's a hotel card or a credit card, you've got a mag stripe, and it's got up to three tracks of data. Here, full mag stripe copy: that's useful. Why? Because you can clone the card. CVV, the three-digit code printed on the back of your card, or four digits on the front of the Amex, is not encoded in the mag stripe, better not be, unless you've got a really dumb bank. Which tells you then that if a card is a card-present compromise, which means they got the mag stripe data, it doesn't become a card-not-present compromise, where somebody has to enter in the three-digit CVV. So there's a pretty good firewall in between these

two types of fraud, unless somebody gets what we call the fullz. If they got everything, you've got it. So if I'm running a skimmer, if I'm at a restaurant or something and I skim your card, I write down the three digits as well, I got it. Or if you look at Target, where they lost 40 million cards but 70 million customer records with addresses and things like that: now if I'm trying to hack grandma in Ohio, I don't go ahead and buy her card if I'm out in East Los Angeles; I buy it if I'm in Ohio. And then what happens is the credit card fraud algorithm's gone: eight hundred dollar purchase, I guess grandma is upgrading her television set

because she hasn't made a big purchase in three years, must be legit, boom, it goes through, because the more you know about your target the better you can do. I'll show you some jumpers and things like that, and trainwreck cards, and I already showed you a zombie: it's already been killed, it's out shopping. So what we find then is that criminals and their behavior are such that there are certain things you gotta do to make this crime scale. You can't do one card at a time; usually you do 20, 30, 50, 100, there's big batches, because it's batch processing. When you can see enough of the batch, you can start to infer patterns. A lot of times they buy exactly the same

items from the same merchant. Some crooks are smarter, they'll mix up the dollar amounts a little. Oftentimes they may only appear once before cash out; now, as we're getting more sophisticated, two or three times as they move from the wholesaler to the retailer, if you will, to the gang member, and, by the way, at the very end you get a mule. A typical card gets popped for about 250 bucks, plus or minus. So here's the deal: hey, you want to make some money? Here's 50 cards, you go back and you bring me back ten thousand dollars worth of stuff, gift cards; anything more you keep, anything less I break your legs. Well, that might not seem

like a bad deal. And so what you can do is, if you start to get inside this decision cycle, you can start to mess with these ecosystems: somebody goes out there and they start panicking when all the cards that they knew were good half an hour ago, half of them don't work anymore. And so what you can do is you're going to show a little bit of heat and get some contention in there. And now we find out that even the chip cards can get cloned as well; we've seen some great talks, Kristin Paget did a couple things a couple years ago, she talked about near field communications cards, and Major Malfunction talked about cloning the chip cards. So there's the

technologies out there; it just raises the cost of doing it at wholesale. Instead of costing you twenty to thirty cents a card, you might be spending three dollars a card, and that's a fixed cost if you're a criminal trying to do all that stuff. But there's easier ways to do it, so, like we've seen in every other country that's gone over to the chips, what do we do? We go to online fraud. Even better, why? Because you don't have to present yourself in front of the merchant, in front of cameras, where there might be a possibility the local sheriff could pick you up. So what we're doing is we just whack-a-mole, push the fraud down here and it pops up right

over there. And so here's a card; this is a train wreck. We see the 001, the legit card; this is a real customer up here, hmm, there's a Marriott, Pulsar, global e-commerce, boom, all of a sudden on the twenty-second we started seeing $67, $591, $50, $51, bam ba-bam, until finally the card ran out of money, 059, but it's still going, bam bam bam bam bam bam bam bam bam, because it's an automated script; it's not smart enough to stop, because, well, maybe the card's temporary, it might work again. But what does this tell you if you're on the defense? Now I know a list of the merchant IDs that they're trying to use to run it against you. See,

you leak a little bit of information every time, and you can learn more and more about your opponents. A jumper: we found this card moving around, card present, real cardholder, California, card not present, and now we find within four minutes the card goes from Illinois to Alaska in a card-present transaction. Not going to happen. And so again, crooks make mistakes, little mistakes that don't seem significant, because a lot of the people at the end of this whole pipeline are going ahead and they're trying to cash out; they're not the sophisticated crooks upstream who are making sure that they don't take any part of this end game. By the way, when Target was hacked, one of the first
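The two link-analysis checks the talk sketches, guilt by association (a known-dead zombie card transacting alongside a batch of other cards at one merchant, the Coke-machine case) and the jumper (card-present use in two places too far apart for one physical card), written out as an added example that is not code from the talk or the speaker's company. The transaction feed, merchant ids, coordinates, card tokens, the 30-minute window, the minimum cluster size and the 900 km/h speed threshold are all constructed assumptions.

```python
"""Issuer-side link analysis over a constructed transaction feed.
Added example; nothing here is the speaker's or any bank's real data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    card: str            # tokenized card reference, not a PAN (constructed)
    merchant: str        # merchant id (constructed)
    amount: float
    ts: datetime
    card_present: bool
    lat: float           # merchant location; only used by the jumper check
    lon: float


def guilt_by_association(txns, dead_cards, window=timedelta(minutes=30),
                         min_cards=10):
    """Cards that hit the same merchant for the same amount within `window`
    of a card the issuer already killed. Returns the cards not yet known bad."""
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant].append(t)
    suspects = set()
    for group in by_merchant.values():
        for anchor in group:
            if anchor.card not in dead_cards:
                continue
            cluster = {t.card for t in group
                       if t.amount == anchor.amount
                       and abs(t.ts - anchor.ts) <= window}
            if len(cluster) >= min_cards:      # one zombie alone proves nothing
                suspects |= cluster - dead_cards
    return suspects


def _haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def find_jumpers(txns, max_speed_kmh=900.0):
    """Cards whose consecutive card-present transactions imply travel faster
    than an airliner. Card-not-present use is skipped: it carries no location."""
    by_card = defaultdict(list)
    for t in txns:
        if t.card_present:
            by_card[t.card].append(t)
    jumpers = {}
    for card, seq in by_card.items():
        seq.sort(key=lambda t: t.ts)
        for prev, cur in zip(seq, seq[1:]):
            km = _haversine_km((prev.lat, prev.lon), (cur.lat, cur.lon))
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                jumpers[card] = (prev.merchant, cur.merchant, round(km))
    return jumpers


def sample_transactions():
    """Constructed feed: fifty cards each buying one $1.50 drink at 20-second
    intervals from one vending machine, ordinary traffic, and one jumper."""
    start = datetime(2015, 10, 2, 22, 0)          # a Friday night, as in the talk
    vend = [Txn(f"card{i:04d}", "VEND-LOADING-DOCK-CA", 1.50,
                start + timedelta(seconds=20 * i), True, 34.05, -118.25)
            for i in range(50)]
    grocery = [Txn("legit-1", "GROCERY-OH", 42.17, datetime(2015, 10, 2, 9, 0),
                   True, 39.96, -82.99),
               Txn("legit-1", "GROCERY-OH", 18.40, datetime(2015, 10, 2, 11, 0),
                   True, 39.96, -82.99),
               Txn("legit-2", "AMAZON", 1.00, datetime(2015, 10, 2, 12, 0),
                   False, 0.0, 0.0)]
    # Illinois at 12:00, Alaska at 12:04, both card present: the jumper.
    jumper = [Txn("cardJ", "GAS-IL", 35.00, datetime(2015, 10, 2, 12, 0),
                  True, 41.88, -87.63),
              Txn("cardJ", "GAS-AK", 61.00, datetime(2015, 10, 2, 12, 4),
                  True, 61.22, -149.90)]
    return vend + grocery + jumper


# card0007 was reissued last week: the holder cut it up, yet it still shops.
DEAD_CARDS = {"card0007"}

if __name__ == "__main__":
    feed = sample_transactions()
    print("kill candidates:", sorted(guilt_by_association(feed, DEAD_CARDS)))
    print("jumpers:", find_jumpers(feed))
```

The vending cluster yields 49 kill candidates (the fifty cards minus the one already dead), and only the Illinois-to-Alaska card is reported as a jumper; the two grocery visits and the card-not-present Amazon check pass quietly.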

questions, I got a call from one of the banks: hey, G. Mark, you think they got the PINs? Because if they had the PINs to all the debit cards, wow, that's like game over. And so I did a little bit of quick research; you find out the company that manufactures the PIN pads uses a special key cryptography protocol that was developed by the ANSI banking committee X9. Here's the crazy thing: I helped write this standard, 1992, it's still around. What it was: there's one major, major key for the merchant, another one for the device, and every single transaction had its own separate key, so every PIN came out with a separate key. And so when

they found out that they were using the stuff that I helped write 25 years ago, like, cool, you're good. So within half an hour I could tell the bank, don't worry about it, and it turned out it was the right call. So what happens then? You get social engineering and brute force. By the way, there's no three-tries-and-you're-out on a credit card in this hacking, so we see things coming in: 000, 001, 002, 003; on average 500 to get a CVV, 5,000 tries to go ahead and hack a PIN. They don't time out. Or we go ahead and social engineer: hello, Mr. Wellsam? Hi, this is your bank calling. Hi, this is Peggy, and we

understand you were shopping at Target. Well, we want to protect you; we're going to issue a new card, because we don't want you to be liable for any of the fraud that might have been done. Oh wow, what a great bank. Of course you're already covered by Reg E anyway, but most people don't know that. So what we'd like to do is to just verify your current information; I'm going to send you over to our automated system and ask you to validate your PIN. Now, you don't tell it to me; no bank employee is ever going to ask you for a PIN, so don't ever give that up, but it's okay to tell it to the computer. So

wait a minute, please enter your PIN, beep boop. Thank you very much, your card will be on its way in seven to 10 days, thank you for being a customer of Big Bank. Of course your card gets emptied out within the next few minutes. And we see a lot of this social engineering, so look at the social engineering training for your family, your friends, your companies, and things like that. This zombie, I showed you this thing; we had a little zombie thing who goes out there, it crawls around, it clones itself, we saw the big spread, it goes everywhere. Zipping through some of these things here, but we find out that when clones are born, what they do is

that they have different characteristics, so I can tell the type of fraud, which traces back to the type of compromise. And so online, as I said, online I can go to YouTube, I can get a whole bunch of videos, I can learn how to do this, and for the most part once you're online, if you get away with something you got away with it. If it involves shipping merchandise, yeah, well, it's got to actually leave the loading dock, and it usually goes to an abandoned house or some other drop place, and merchants typically just share that list of bad addresses. But if I'm buying now one of these gift cards, it is just electronic information, it's not physical; once I've got it, I've got it, because I can

shift it over to a gift card exchange company and have that thing sold within five minutes; I can launder my laundered money. All kinds of tests that are out there; again, go online if you want to look at it some more. Kind of zipping through here, mostly because this is just an encyclopedic list of things to think about, not so much cheating you out of information, but basically telling you that if you see these things, there's a lot of stuff going on. So if you look at how we are going to protect this ecosystem in the future, we've got to be worried about all these cash-outs: merchandise, it gets brought back the next day, hey, I can't use it, it's the

wrong size, I don't like it, I bought extra; that's okay, here's your gift card. Exactly what the crook wants. And be careful when you buy used gift cards on the underground market, because, like, I'm saving money; I did that for my brother a few years ago, before I started getting into card fraud prevention, because he was working on his house: a bunch of Home Depot gift cards. But what I did, I got a discount on them because I bought them some place; turned out, the lady said, yeah, these are stolen, people steal stuff off of a job site, they bring it back for merchandise credit. We don't want to be part of that fraud

ecosystem, but it's just sort of the cost of doing business, unfortunately. You can block certain transactions, and now we find out that there's certain dollar values: hey, a fifty-dollar gift card that has a transaction fee, that could be an exit, because it's 4.95, so 54.95 is a blacklisted number. So you buy a candy bar at the same time you buy your gift card, and now you throw off the algorithms again. It's trivial to defeat these existing fixed algorithms, 'cause they're just like a bunch of rule sets. So I look for bad merchants, I look for weak merchants, anything of value I can send to mail drops; all these are ways that I

cash out and I'm able to go ahead and get stuff out of there. So banks are spending a fortune on the cards; as they say, they go from thirty cents to three dollars a card, and all these little chips are expensive, by the way; it'd be interesting to take a look more at them. Merchants are spending a fortune on this technology: it's anywhere from eight to thirty billion dollars when all is said and done with all these new readers. And of course criminals are trying to cash these out, yo, and now Al there, these folks are trying to make a ton of money off of this stuff, and it's working pretty well. So that's a little

quick insight. By the way, I've got a mag stripe reader, I'll show you a couple things, but that's the formal presentation on this. But let me shift over real quick, I've got a couple questions. Now that the smart chip has been available, the cost of the fraud is pushed to the merchant if the merchant does not invest in a chip card reader, or the bank; how is it going to play out? It'll be interesting to see how it plays out, because they can't be cloned; well, it has been done, it's been demonstrated at DEF CON a couple times and other hacker conferences. It's more expensive to do it, but it can be done, especially if you can find a phone that does Java. So what's going

to happen: there's going to be a lot of blame game, no, yes, no, yes, arguing about it; it's all going to get fought out. And the problem is ultimately you, the user: if you're a victim of somebody cloning your chipped card, in the early days you just couldn't get your money back, because they would argue it's mathematically impossible. Well, we've since proven it is possible, it's just difficult. When somebody gets to a breakthrough on that, though, it's going to be a whole game changer. So again, recognize that credit cards and plastic go back to the 1950s, and are we getting to a different thing, where for the most part our new means of doing commerce is not going to be

plastic, but it's going to be electronic, silicon. And I think this is what's happening with all these card companies, they're going, hey, you know what, we've got an entrenched marketplace. But look at Kodak: they missed the turn, you can't buy Kodachrome anymore; you know, companies that miss the turn because they were so entrenched and so in love with their own technology. And so recognize that I think going forward we're going to see some real risks out there. Other thoughts or questions? Yes, sir.

Right, I mentioned that, we just, like, not relinquishing your cards in restaurants. Well, if all they have is a reader in the back, because some of these things are fixed, they're actually attached to the cart, they're not going to drag that entire cash register out to you; you are not at risk for more than fifty dollars, based upon regulation, the regulation signed back in the Carter administration. But I'd avoid dodgy restaurants, I'd avoid people that look weird; if you're really, really, really worried about it, pay cash, or use a gift card that has a limit, and then once it goes to zero it goes to zero. But that's a little bit more expensive for you, the customer. But we're

starting to see competing technologies with the near field communications, like Apple Pay, going to CurrentC, which is going to do QR codes, a lot of different things. But yeah, you're right, that's always unnerved European folks, and they think of the US as a high-risk area when they come here for credit card fraud. And the problem is, I go over there with my chip and it's not chip-and-PIN. I called up Amex; I pay a lot of money for that fancy American Express card: oh, we don't issue PINs unless you're not in the US. But everybody uses them; I go to buy groceries there, you've gotta wait in line 45 minutes for someone going to get you

to sign a little piece of paper when you're at the grocery. It's like, seriously, everybody else, bing, boom, bing, boom, and out. It's inconvenient, but they figure all Americans aren't smart enough to learn how to use PINs. I think the reality check is that if we got everything that way we might see fraud go down; you couldn't support those charges the banks are able to levy onto the merchants, and that would change the ecosystem, really cut profits. The Durbin amendment did a lot to cut profits by forcing certain merchants, certain banks, they have to use multiple paths to process their stuff. How are we doing on time? Good, wrap it up? All right, it's what I do, wrap up on

time. Okay, so we're really good. By the way, if you want to see what's in your wallet, I've got a little card reader here; no, this is not a skimmer, this doesn't fit in your hand, but this is a track two reader, and it's interesting because you find out that in the back of the card you've got your credit card number, an 11-digit security code; by the way, the 11-digit security code I was going to show you for my US bank card is 11 zeros. Seriously, guys. Okay, anyway, thank you very much, hope you enjoyed a little insight on card fraud, and welcome to BSides.