Slicing into a Point-of-Sale Botnet (krebsonsecurity.com)
77 points by cpach on June 25, 2016 | hide | past | favorite | 14 comments


Couple of things. First, I suppose I should have assumed it, but I didn't know botnets had nice admin panels! :)

Secondly, this is at least part of what chip-and-pin was supposed to solve, and here in the US we ended up with chip and signature, which is almost as useless. (Not that it helps much with online transactions, although I'd be more scared of mail fraud charges than anything...)

I wonder if card companies ever go darknet and try to bot the bots, to proactively close and replace those compromised cards?


From what I understand, this is exactly what chip and signature solves and adding a PIN does little. The "credit card numbers" a chip produces are one time use, so skimming them is worthless. And if the POS system is really and truly owned, it still gets to see the PIN.

The only thing a PIN protects against is stolen cards. But it also creates the presumption that any stolen card that is used was the user's fault because she gave up the PIN. This is problematic especially if coupled with a liability shift. There is a long line of work by [0] about these problems in England.

[0] https://www.cl.cam.ac.uk/research/security/banking/nopin/oak...


The ideal thing would be having a PIN you enter into a little keyboard on the card itself, meaning physically stealing the card wouldn't be easy. Then have an interface that would let these cards be used over the net. Then stolen credentials would be hard to do.


Note that, if you could dust the card, and be highly likely to get the 4 numbers needed for a typical 4-digit PIN, with 3 guesses, you'd have a ~13% chance of guessing the PIN for a card ( 1/4! + 1/(4!-1) + 1/(4!-2) ). [ed: obviously there are (at most, for 4 different digits) 24 possible combinations, so you'd need 12 tries at 2 guesses/try to be certain you found the correct code].

This does assume you can figure out which digits are in use, but I'd be surprised if you couldn't...
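To put numbers on the comment above, here is a small added example (not part of the thread) that enumerates how many PINs remain consistent with a given set of worn or dusted keys and what a fixed number of tries buys an attacker. It generalizes beyond the four-distinct-digit case in the comment: a key that shows wear only tells an observer that it was pressed at least once, so PINs with repeated digits (three, two or one distinct keys) are counted as well. The digit sets and PIN length are constructed inputs; the "exact" figure it reports for four distinct keys and three tries is 3/24 = 12.5%, in line with the comment's rough 13%.

```python
from fractions import Fraction
from itertools import product
import math

PIN_LENGTH = 4  # assumed: a typical 4-digit PIN, as in the comment

def candidate_pins(observed_keys, pin_length=PIN_LENGTH):
    """Return every PIN of the given length that uses each observed key at
    least once and no other key. Wear on a key reveals only that it was
    pressed, not how many times or in what order, so repeated digits are
    allowed as long as every observed key appears."""
    keys = sorted(set(observed_keys))
    if not keys or len(keys) > pin_length:
        return []
    wanted = set(keys)
    return ["".join(p) for p in product(keys, repeat=pin_length)
            if set(p) == wanted]

def success_probability(observed_keys, guesses, pin_length=PIN_LENGTH):
    """Probability that `guesses` distinct tries, drawn without repetition from
    the candidate set, include the real PIN. Assumes every candidate is
    equally likely; an attacker who never repeats a guess succeeds with
    probability guesses / candidates (capped at 1)."""
    n = len(candidate_pins(observed_keys, pin_length))
    if n == 0:
        return Fraction(0)
    return Fraction(min(guesses, n), n)

def residual_entropy_bits(observed_keys, pin_length=PIN_LENGTH):
    """How many bits of uncertainty are left once the pressed keys are known,
    versus log2(10**pin_length) for an unobserved PIN."""
    n = len(candidate_pins(observed_keys, pin_length))
    return math.log2(n) if n else 0.0

def tries_to_exhaust(observed_keys, pin_length=PIN_LENGTH):
    """Number of guesses needed to be certain of hitting the PIN."""
    return len(candidate_pins(observed_keys, pin_length))

if __name__ == "__main__":
    full_space_bits = math.log2(10 ** PIN_LENGTH)
    # Constructed scenarios: how many distinct keys show wear.
    for keys in ("1234", "123", "12", "7"):
        n = tries_to_exhaust(keys)
        p3 = success_probability(keys, 3)
        print(f"{len(keys)} worn keys {keys!r}: {n:>3} candidates, "
              f"{residual_entropy_bits(keys):.2f} bits left of {full_space_bits:.2f}, "
              f"3 tries succeed with p = {float(p3):.3f}")
```

The four-distinct-keys row is the comment's scenario: 24 candidates, about 4.6 bits of the original 13.3, and 12 tries (at 2 guesses per try) to exhaust the space. The three-distinct-keys case is actually the worst for the attacker (36 candidates), because the repeated digit can sit in any position. This is the reason a scheme like the "enter a random code first" idea raised later in the thread helps: it keeps the wear pattern from leaking the digit set.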


Well, if the card could require you to enter first a random code and then your PIN, the keyboard might be kept such that each key was hit equally often.

I'm sure there are plenty more bugs to work out in such a system but if such things were reasonably widespread, it would make overall security much higher.


Does the US implementation of chip and PIN include a dynamic credit card number? The Canadian version does not.


> First, I suppose I should have assumed it, but I didn't know botnets had nice admin panels! :)

Since selling botnets and access to them has become a large business, they have to be user-friendly. And have features like license checks, reseller-accounts etc, like you'd expect from a proper SaaS package.


They are actually very well designed, especially those of higher end botnets.


Great article! I love these kinds of reports on the features and capabilities of the latest trojans.

I used to get my fix when I was active (as a customer) in the malware scene several years back, but now I can't follow these developments anymore. Don't worry: I didn't do much, and it's all behind me now.

Does anyone know of good blogs or websites that cover these kinds of things? I currently follow Krebs and a number of subreddits, yet I still feel there's more out there.


Which subreddits?

I might add the Malware Must Die blog: http://blog.malwaremustdie.org/

One of the few malware analysis blogs that doesn't have all-Windows, all-the-time blinders on.


Cool, bookmarked!

These are the ones I'm subscribed to. There is unfortunately some overlap in content, and some stuff is not related to malware, but they're pretty good when taken together.

https://reddit.com/r/ReverseEngineering/

https://reddit.com/r/netsec

https://reddit.com/r/malware


Any word on who is running this botnet? I'm guessing it is not a hacking ring inside the USA, and would guess China or Russia, but that is based on reputation, not any specific knowledge.


Admin panel is in English - does that give a clue maybe? Or is English used as the international language for distributed hacker teams, maybe?


Russian is typically their lingua franca.



