Romanian scam forced thousands to fix systems

David Walker
The alleged A$30 million Romanian credit card scam triggered what may be the largest remediation effort ever undertaken in the Australian consumer payments system, carried out over the 18 months before last week's arrest of the alleged scammers.

Only 46 stores were confirmed last week to have been hacked in the scam, at an estimated cost of $30 million.

But industry sources have told Banking Day that thousands of merchants were required to have their systems "remediated" in the months after the scam came to light in June 2011, to close the same vulnerability. The remediation involved changes to software, hardware and network configuration to block outside access to customer card data.

Many of the stores affected were franchisees of Metcash's IGA grocery chain, sources confirmed. A spate of mid-2011 media reports described unsolved fraud outbreaks centred on IGA stores from as far afield as the Melbourne suburb of Warrandyte to regional Victorian towns like Horsham and Castlemaine and NSW regional towns such as Orange and Junee.

The victims of the Warrandyte fraud wave, which was centred on the Warrandyte SUPA IGA store, reportedly included two police officers.

At publication time, it remains unclear whether sanctions will be applied to anyone in the chain of parties that allowed the system vulnerabilities to be created and to continue for several years.

The scam was enabled by poor store decisions about hardware, software and IT service providers, decisions that may have been influenced both by franchisors such as IGA and by the acquiring banks. A Mastercard spokesperson told Banking Day that the acquiring banks were responsible for ensuring that their merchants complied with the industry data security standard, the Payment Card Industry Data Security Standard (PCI DSS).

The affected stores all used integrated point-of-sale systems, essentially card readers attached to ordinary PCs running point-of-sale software. Poorly qualified IT service providers configured the point-of-sale software and/or the store networks insecurely, frequently so that they could reach the systems remotely themselves to work on them. In at least one case, a large number of a store's systems were protected by a single shared password, so one correct guess opened all of them.

A number of the terminals also ran software that did not comply with PCI DSS and left card data, including magnetic-stripe data, stored on the store system after the transaction had been authorised. PCI DSS (requirement 3.2) forbids keeping such data after authorisation, precisely because a stored stripe is all a counterfeiter needs.
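The remediation described above begins with finding where a point-of-sale system has left stripe data behind. The following scanner is an added example written for this article, not code from the original report, from any vendor or from the investigation; the log layout in SAMPLE is constructed, and the PANs in it are the public Visa and Mastercard test numbers. It looks for the Track 1 and Track 2 layouts defined in ISO/IEC 7813 and uses the Luhn check to discard digit runs that merely look like card numbers.

```python
import re
import sys
from pathlib import Path

# Magnetic-stripe track layouts (ISO/IEC 7813). Track 1 starts with the
# sentinel '%', format code 'B', the PAN, '^', the cardholder name, '^' and
# a YYMM expiry; Track 2 starts with ';', the PAN, '=' and a YYMM expiry.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^%?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check every card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Return each Luhn-valid Track 1/2 record in blob, with the PAN masked."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            if not luhn_valid(pan):
                continue  # a random digit run rarely passes Luhn; treat it as noise
            yymm = m.group(3 if track == 1 else 2).decode()
            hits.append({"offset": m.start(), "track": track,
                         "pan_masked": mask_pan(pan),
                         "expiry": "20" + yymm[:2] + "-" + yymm[2:]})
    return sorted(hits, key=lambda h: h["offset"])


def scan_tree(root: str) -> list:
    """Scan every file under root (e.g. a POS application folder) for track data."""
    results = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            data = p.read_bytes()
        except OSError:
            continue
        results.extend({"file": str(p), **h} for h in find_track_data(data))
    return results


# Constructed sample of what a non-compliant POS log might leave on disk.
# The PANs are the public Visa/Mastercard test numbers, not real cards.
SAMPLE = (
    b"2011-05-14 09:12:03 SALE 42.50 "
    b"%B5555555555554444^DOE/JANE^2512101100000000000000?\n"
    b"2011-05-14 09:13:44 SALE 18.00 "
    b";4111111111111111=25121010000000000000?\n"
    b"2011-05-14 09:14:02 REFUND 12.00 ;4111111111111112=2512101?\n"  # fails Luhn
)

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_track_data(SAMPLE)
    for h in found:
        print(h)
```

Run with a directory argument to sweep a real system; without one it scans the constructed sample and reports the two genuine records while ignoring the third, whose PAN fails the Luhn check. Finding any hit is a PCI DSS failure in itself, regardless of whether the file was ever reached from outside.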

The Australian Federal Police's detective superintendent Brad Marden was referring to this problem when he reportedly said in an interview in August that "the network was set up by some local suppliers who didn't understand IT security" and was "a disaster waiting to happen."

The Romanian group allegedly responsible for the scam is said by police to have found the systems by scanning the internet for point-of-sale systems whose remote-access services were reachable. Once connected, the scammers ran "brute-force" attacks: their own computers kept guessing passwords against the Australian stores' systems until one worked.
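A guessing campaign of that kind is noisy in the remote-access service's own log, and the failure-then-success pattern is what a monitoring team would alert on. The detector below is an added example written for this article, not code from the original report or from any product used by the stores; the log line format, the hosts and the addresses in build_sample() are constructed. It keeps a sliding window of failed logins per source address, raises an alert when a source exceeds a threshold inside the window, and raises a second alert when a source that was guessing finally logs in, the moment a shared or weak password has been found.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not any vendor's):
#   2011-05-14T02:00:00 pos-07 remote-access: FAILED login user=admin from=198.51.100.23
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) remote-access: "
    r"(?P<result>FAILED|ACCEPTED) login user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, window=timedelta(minutes=10), threshold=20, success_after=5):
    """Sliding-window brute-force detector keyed on source address.

    Raises a 'brute-force' alert when one source accumulates `threshold`
    failures inside `window`, and a 'success-after-failures' alert when a
    source logs in after being flagged or after `success_after` recent
    failures, which is the moment a guessed password actually worked.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside window
    hosts_hit = defaultdict(set)  # src -> distinct hosts it has failed against
    flagged = set()
    alerts = []
    for ev in filter(None, map(parse, lines)):
        src, q = ev["src"], recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            hosts_hit[src].add(ev["host"])
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "brute-force", "ts": ev["ts"], "src": src,
                               "failures": len(q), "hosts": len(hosts_hit[src])})
        elif src in flagged or len(q) >= success_after:
            alerts.append({"kind": "success-after-failures", "ts": ev["ts"],
                           "src": src, "host": ev["host"], "user": ev["user"]})
    return alerts


def build_sample():
    """Constructed log: one scanner guessing across three stores, one legitimate
    owner mistyping twice, and one slow guesser that never fills the window."""
    t0 = datetime(2011, 5, 14, 2, 0, 0)
    lines = []
    for i in range(30):  # 30 guesses in five minutes, rotating across three hosts
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} pos-{i % 3:02d} remote-access: "
                     f"FAILED login user=admin from=198.51.100.23")
    ts = t0 + timedelta(seconds=300)
    lines.append(f"{ts.isoformat()} pos-00 remote-access: "
                 f"ACCEPTED login user=admin from=198.51.100.23")
    for i, result in enumerate(["FAILED", "FAILED", "ACCEPTED"]):
        ts = t0 + timedelta(minutes=30, seconds=20 * i)
        lines.append(f"{ts.isoformat()} pos-01 remote-access: "
                     f"{result} login user=owner from=203.0.113.5")
    for i in range(25):  # one failure every 15 minutes never reaches 20 per 10 min
        ts = t0 + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} pos-02 remote-access: "
                     f"FAILED login user=manager from=192.0.2.77")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

On the constructed sample the detector raises exactly two alerts, both for the scanning address: the brute-force alert on its 20th failure, which by then has touched all three hosts, and the success alert when its guess is accepted. The owner's two typos stay below the success threshold and the slow guesser never accumulates enough failures inside a ten-minute window; a real deployment would lower the window or add a per-day count to catch that case, and would key a second counter on the username to catch the same password being tried against many stores at once.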

Once inside, the alleged scammers downloaded the stored magnetic-stripe data, encoded it onto blank cards and sold the clones, often to crime syndicates. Chip cards, whose chip generates a fresh cryptogram for each transaction that cannot be reproduced from a stored stripe, were not affected.

The cards were most attractive to criminals in the same areas from which the data was taken, because transactions in these areas were less likely to trigger banks' anti-fraud processes.

Neither the card schemes nor Australian banks appear to have taken steps to enforce PCI DSS compliance among small retailers beyond requiring remediation of the affected systems and carrying out an education campaign.

It is not clear how many customers have been informed about the breach of security of their cards, but on current reports it is likely to be a small proportion of those whose card information leaked out.

The AFP said last week that the scammers had access to about 500,000 Australian credit cards, with information from 68,000 sold, and information from 30,000 of these actually used in fraudulent activities.