Credit card (in)security issues

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The fraud begins with either the theft of the physical card or the compromise of data associated with the account (card account number and/or verification codes).

Skimming is the theft of credit card information used in an otherwise legitimate transaction. Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. Technology needed to read the contents of the magnetic strip is pretty simple. Usually a miniature camera or fake keypad over original is used to read the user’s PIN at the same time. Skimming is usually very difficult for the typical cardholder to detect. All About Skimmers article series is about ATM skimmers, gas pump skimmers and other related fraud devices.

Skimming has been on news in Finland lately. Police has revealed some details of the hard to detect skimming devices that have been found installed on tens of ATM devices around Finland. Articles Ovela huijaus Otto-automaateilla – huomaatko eron kuvissa?, Kummassa pankkiautomaatissa on huijauslaite? and Skimmaajat teettivät erikoislaitteita Suomen oloihin show you pictures of ATM with and without skimming device. These device custom made for Finnish ATMs are really hard to detect. According to articles thousands of ATM card have been compromised and used to steal several hundreds thousand euros. Look carefully next time you use ATM.

Muga_Golden_Credit_Card

Throughout Europe the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing. PINs were widely introduced at the same time as EMV chips on the cards. In Finland the PIN codes that comes with the card are predefined by card issuer. In some countries with some banks the customer can freely choose them. Security of Self-Selected PINs Is Lacking article tells that Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own keys. There is every incentive for the bad guys to try guessing PINs on every card that they steal. “A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234″. Their report traces an idiosyncratic history of the use of passwords by financial institutions. The researchers wrote that there were two lessons to be drawn from their study. First, customers should never use date of birth as a PIN or password. Second, banks should institute blacklists of common passwords, or prohibit user selection of passwords entirely.

Proximity payments are coming. Pay-by-wave: At least it’s better than being mugged article tell that the public thinks that paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments. Today’s proximity payment systems are based on the NFC standard, which uses a radio connection at 13.56MHz for short-range peer-to-peer communications. The same frequency is used by RFID tags, in a simplistic way, but NFC is a good deal more complicated, and expensive. Proximity payments are implemented in smartphones and contactless credit cards.

1325432106

Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets article tells that contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay.

Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets and Shmoocon Demo Shows Easy, Wireless Credit Card Fraud articles tell that some contacless cards have serious security holes. Paget, a well-known security researcher for the consultancy Recursion Ventures, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. Commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. She flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?”. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. Paget’s firm has been working on a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. So it sound like this hacking demonstration was just a marketing gimmick for their product.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. To fight against fraud contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once.

According to a smart card expert I know Square and card issuer bank is also to blame on that this worked (and would not work with European banks and other payment services). Also the sum was so low that the payment company might not do all the check it does for bigger sums of money. In card where things are built well, there is different card number for normal swipe card use and contactless operation. The contactless number would fail to work if you try to pay with their code on the terminal that swipes the card. So the security holes are not as big and bad as it seems based on those hacking news.

191 Comments

  1. Tomi Engdahl says:
    Crypto-Currency Market Capitalizations
    http://coinmarketcap.com/

    Total Market Cap: $ 8,647,665,810

    Reply
  2. Tomi Engdahl says:
    Bloomberg anchor displays bitcoin on TV, immediately gets robbed by viewer
    http://rt.com/usa/bloomberg-anchor-robbed-bitcoin-747/

    Bloomberg TV provided viewers with an important lesson in digital currency when one of its anchors had a gift card stolen while showing it during a live broadcast.

    On Friday, December 20, Matt Miller surprised his two fellow anchors – Adam Johnson and Trish Regan – with bitcoin gift certificates during his “12 Days of Bitcoin” segment. Johnson then flashed his certificate on the screen for roughly 10 seconds – more than enough time for a Reddit user to scan the digital QR code with his phone and take the gift for himself.

    “The guy that is hosting the series gave bitcoin gift certificates to the other two hosts. One of them opens up the certificate to reveal QR code of the private key,” he wrote. “They then proceeded to show a closeup of the QR code in glorious HD for about 10 seconds. Hilarious.”

    “I took it, it was only $20 worth. It was exhilarating nevertheless”

    Although milywaymasta offered to return the cash, Miller followed up with the user on Reddit, stating that it would not be necessary.

    “So freaking classic but also a GREAT lesson in bitcoin security!” he wrote. “You can keep the $20 – well earned.”

    Reply
  3. Tomi Engdahl says:
    Bitcoin Exchanges Shut Down in India After Government Warning
    http://www.wired.com/business/2013/12/bitcoin-india/

    Bitcoin is once again feeling the squeeze from government regulators. This time, the crunch comes in India, where multiple online exchanges have suspended operations following a warning against the digital currency from the country’s central bank and, according to a local report, authorities have raided the home of the man who oversaw the largest of these exchanges.

    Coming little more than a week after the Chinese government launched its own crackdown on Bitcoin exchanges, the news bathes the world’s most popular digital currency in an unflattering light, but these are the expected growing pains for a technology that is still less than five years old.

    “We are suspending buy and sell operations until we can outline a clearer framework with which to work,” reads a notice on the BuySellBitCo.in site. “This is being done to protect the interest of our customer.”

    Reply
  4. Tomi Engdahl says:
    Exclusive: Target hackers stole encrypted bank PINs – source
    http://www.reuters.com/article/2013/12/25/us-target-databreach-idUSBRE9BN0L220131225

    The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.

    One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.

    Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.

    Target has not said how its systems were compromised, though it described the operation as “sophisticated.”

    JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman was not available for comment on Tuesday.

    Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.

    “That’s a really extreme measure to take,” said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. “They definitely found something in the data that showed there was something happening with cash withdrawals.”

    While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.

    As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital “key” used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

    In other cases, hackers can get PINs by using a tool known as a “RAM scraper,” which captures the PINs while they are temporarily stored in memory, Clemens said.

    Reply
  5. Tomi Engdahl says:
    Cash machines raided with infected USB sticks
    http://www.bbc.co.uk/news/technology-25550512

    Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.

    The criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs.

    Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.

    The crimes also appear to indicate the thieves mistrusted each other.

    The two researchers who detailed the attacks have asked for their names not to be published

    After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.

    Once the malware had been transferred they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.

    Reply
  6. Tomi Engdahl says:
    Yes, There’s Kanye West-Themed Crypto-Currency
    http://slashdot.org/topic/bi/yes-theres-kanye-west-themed-crypto-currency/

    In the future, every major celebrity will have a crypto-currency named after him or her.

    Bitcoin, the world’s most popular crypto-currency, is based on an open-source protocol; and because it’s peer-to-peer without a central server or bank, it’s theoretically possible for anyone with the right combination of tools and knowhow to use the underlying code as the foundation for their own crypto-currency. Which is exactly what a bunch of anonymous developers have done with the new “Coinye West,” an upcoming crypto-currency named after rapper Kanye “I Am a God” West.

    Coinye West isn’t an official production of Kanye West, and the developers are staying anonymous because they probably fear the inevitable copyright lawsuits.

    The recent spike in Bitcoin value has sparked a much broader discussion about the validity of crypto-currencies as a medium of exchange.

    Reply
  7. Tomi Engdahl says:
    Kanye’s Lawyer Moves to Block Coinye
    http://blogs.wsj.com/digits/2014/01/07/kanyes-lawyer-moves-to-block-coinye/

    Lawyers for Kanye West filed cease-and-desist papers against the seven anonymous coders behind Coinye West, a virtual currency that went from chatroom joke to Internet sensation last week.

    As virtual currencies like bitcoin and litecoin have taken off, copycats have emerged. Some offer slight tweaks to the bitcoin code to account for fraudsters or improve transactions. Others, such as BBQcoin and dogecoin, appear more as jokes than legitimate crypto-currencies.

    Reply
  8. Tomi Engdahl says:
    Bitcoin me: How to make your own digital currency
    http://www.theguardian.com/technology/2014/jan/07/bitcoin-me-how-to-make-your-own-digital-currency

    Move over Dogecoin: the Herncoin is here. But what can making your own currency teach you about the world of bitcoin?

    Reply
  9. Yong Hands says:
    Sweet website , super style and design , really clean and use pleasant.
    Reply
  10. Tomi Engdahl says:
    Bluetooth Hackers Allegedly Skimmed Millions Via Gas Stations
    http://www.wired.com/threatlevel/2014/01/gas-station-skimming-scheme/

    Thirteen suspects have been indicted in New York on a gas station skimming scheme that netted them more than $2 million, according to court documents.

    The skimming devices, placed on card readers at gas station pumps throughout the southern U.S., recorded credit and debit card data, as well as PINs, which the thieves then used to withdraw more than $2 million from ATMs.

    Some of the skimming devices were placed on pumps at Raceway and Racetrac gas stations throughout Texas, Georgia, and South Carolina. The devices were Bluetooth enabled, so the thieves could simply download the stolen data from the skimming device without having to remove it.

    Reply
  11. Tomi Engdahl says:
    US card scammers pull $2m petrol heist
    Skimming operation nets big bucks and serious charges for gang
    http://www.theregister.co.uk/2014/01/23/us_card_scammers_pull_2m_petrol_heist/

    US attorneys have charged thirteen people in connection with a massive fraud operation which netted some $2m in stolen funds.

    The Manhattan District Attorney’s office says that four defendants masterminded a plot to install card skimming devices at gas pumps throughout the southern US and then use a network of money mules to withdraw and transfer funds from the stolen cards in a money laundering operation.

    Reply
  12. Eleanore says:
    If you hit the ground at high speeds with these jackets you’ll be very well protected.

    Though most surgeons will not execute the hymenoplasty treatment for causes of birth, you can
    find some that will so it continues to be incorporated.
    The range of Bajaj Bikes in Chennai will suit to every market
    segment whether its youngsters, adult, old even ladies can safely ride this.

    Reply
  13. sportscarphoto4.soup.Io says:
    Hello just wanted to give you a quick heads up. The ords in your post seem to be running off thee screen in Firefox.
    I’m noot sure if this iis a format issue or something to do with internet browser compatibiloity but I thought I’d post to let you know.
    The layout look great though! Hope you get the issue fixed soon.
    Kudos
    Reply
  14. research in motion says:
    Unquestionably imagine that that you said. Your favourite reason appeared to be at the
    web the simplest factor to be mindful of. I say to you, I certainly get annoyed even as other people
    think about worries that they just do not realize about.

    You managed to hit the nail upon the top and defined out the whole thing without having side
    effect , people can take a signal. Will probably be back
    to get more. Thank you

    Reply
  15. Tomi Engdahl says:
    October 2015: The End of the Swipe-and-Sign Credit Card
    http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/?KEYWORDS=chip+and+pin

    prepare to say farewell to the swipe-and-sign of a credit card transaction.

    Beginning later next year, you will stop signing those credit card receipts. Instead, you will insert your card into a slot and enter a PIN number, just like people do in much of the rest of the world. The U.S. is the last major market to still use the old-fashioned signature system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.

    Reply
  16. Tomi Engdahl says:
    Credit card of PayPal PRESIDENT cloned by UK crooks
    Tripping the hack scam-plastic
    http://www.theregister.co.uk/2014/02/12/paypal_pres_card_cloning_caper/

    PayPal president’s credit card got hacked on a UK visit, the victim revealed on Twitter.

    David Marcus said that an unidentified criminal used a skimming device and his credit card was cloned before “tons” of fraudulent transaction were made

    “My card (with EMV chip) got skimmed while in the UK.”

    Reply
  17. Tomi Engdahl says:
    Swedish police would like each user’s bank card to make a small trick that the card is better protected from con artists: CVV or Card Verification Value code should be covered – if not even scrape off completely. The card holder’s name, the front of the number, and the back of the CVV are in fact the only information the e-shopping usually requires. If the CVV code is displayed, the card is easy for fraudsters to scan or photograph the card. On the rear side of the three-digit number Cloaking is a simple way to prevent a crime.

    When the code is not visible, the card is not able to take advantage of, for example, on-line purchases. Some of the online shops for shopping only need a debit card number, expiration date and CVV code.

    OP Pohjola Finance Manager Kasimir Hirn and the Swedish Bankers’ Association chief financial Leif Trogen are critical of the Swedish police to submitted bank card protection trick.

    OP Pohjola Finance Manager Kasimir Hirn points out that the payment card holder does not have permission to access the payment card physically. For example scratching can can damage the card. Taped card can jam inside ATMs and payment terminals.

    - Retailers are not obliged to accept the treated/modifed cards

    - CVV code has to be displayed, or the card is invalid.

    - The most important thing is to keep the card firmly in your possession and PIN in your mind.

    Bankers’ Association chief financial Leif Trogen believes that the banks’ security systems in Sweden to be at least safe enough without any extra gimmicks. If someone is cheating card information for himself and manages to take the money from the victim’s account, the bank will replace it to the card holder.

    Sources: Iltalehti
    http://www.iltalehti.fi/uutiset/2014021118029393_uu.shtml
    http://www.iltalehti.fi/uutiset/2014021318037959_uu.shtml

    Reply
  18. Tomi Engdahl says:
    360 million newly stolen credentials on black market: cybersecurity firm
    http://www.reuters.com/article/2014/02/25/us-cybercrime-databreach-idUSBREA1O20S20140225

    A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

    Reply
  19. Tomi Engdahl says:
    Mastercard, Syniverse target holiday payment security with mobile verification system
    Not in Bora Bora? Crooks can’t use your credit card there
    http://www.theregister.co.uk/2014/03/12/mastercard_and_syniverse_in_roaming_pact/

    It’s ironic that when people are abroad so many people switch off their mobile phones’ data and so many banks switch off customers’ credit cards.

    You’ll have heard of Mastercard but are less likely to know about Syniverse unless you work in the mobile industry. The firm is a kind of central broker for mobile phone networks that want to deal with lots of other networks without having to set up individual arrangements one at a time.

    When you move your mobile phone number from one network to another, the protocols to do this probably go through Syniverse.

    The new project allows the Mastercard network to tap into the data in mobile phone networks to establish that a credit card being used abroad is kosher.

    The tie-up between Mastercard and Syniverse allows customers to register their mobile phone number with their credit card company
    the system checks the Visitor Location Register to make sure the phone is where the card is.

    There are no mechanisms used to check the position of the phone and card more accurately such as Cell ID, triangulation or correlating phone and point-of-sale locations. Other checks will still be in place

    Reply
  20. Tomi Engdahl says:
    Diebold Deploys First ATM Without Card Reader Or PIN Pad
    http://news.diebold.com/press-releases/diebold-deploys-first-atm-without-card-reader-or-pin-pad.htm

    An automated teller machine (ATM) with no card reader. Pre-staged withdrawals on smartphones. Cardless transactions. And everything managed via the cloud. A new era of banking, inspired by the Millennial generation, is dawning at Diebold Federal Credit Union (DFCU), where an innovative ATM from Diebold, Incorporated (NYSE: DBD) and a mobile wallet solution are allowing members to complete self-service transactions and make retail purchases without using physical debit or credit cards.

    DFCU is piloting the world’s first ATM without a card reader or PIN pad that relies solely on mobile authentication. When a consumer scans a unique QR code at the ATM using a smartphone, the ATM authenticates the user via cloud-hosted services to enable secure, cardless transactions. With no card or PIN required, the solution eliminates the threats of card skimming and shoulder surfing at the ATM.

    Reply
  21. online payment system says:
    Hey! I know this is somewhat off topic but I was wondering which blog platform are you using for this site?
    I’m getting fed up of WordPress because I’ve had problems with hackers and I’m looking at options for another
    platform. I would be awesome if you could point me in the direction of a
    good platform.
    Reply
    • Tomi Engdahl says:
      I use WordPress platform.
      It is a good platform when you configure it correctly, remember backup and remember to keep it up to date.
      Those same points apply to other major blogging platforms as well…
      You can get hacked with any major platform if you setup it incorrectly and forget to update it when needed (especially of some security issue comes up in the news).
      Reply
  22. Tomi Engdahl says:
    Chip and SKIM: How dodgy crypto can leave shoppers open to fraud
    Cambridge uni gurus to present debit, credit PIN card findings today in San Jose
    http://www.theregister.co.uk/2014/05/19/chip_and_skim/

    UK academics today describe how criminals can forge chip-and-PIN cards transactions and spend other people’s money for free.

    The team of University of Cambridge experts say their technique exploits a cryptographic weakness in some devices implementing the EMV (aka chip’n’PIN) standard. And they’re confident they’ve found a separate flaw in the EMV design, too.

    “Because the transactions look legitimate, banks may refuse to refund victims of fraud,” warned team member Steven J. Murdoch.

    As per the EMV standard, cash machines (ATMs) generate for each transaction a nonce – a supposedly unpredictable 32-bit number. This is supposed to add freshness to ensure transactions can’t be replayed by fraudsters.

    But it turns out some EMV terminals use counters, timestamps or crap homegrown algorithms to generate the nonces. These values are not particularly random, so this exposes victims’ to a “pre-play” attack that is indistinguishable in the bank’s records from using a perfect physical copy of the card.

    Reply
  23. Alexandria says:
    In fact no matter if someone doesn’t understand afterward its up
    to other people that they will help, so here it happens.
    Reply
  24. Art says:
    Hi there! I just wanted to ask if you ever have any
    issues with hackers? My last blog (wordpress) was hacked and I ended up losing several weeks of hard work due to no back up.

    Do you have any methods to stop hackers?

    Reply
    • Tomi Engdahl says:
      You can get hacked with any major platform if you setup it incorrectly and forget to update it when needed (especially of some security issue comes up in the news).

      The methods to stop hackers is to keep the platform up-to-date and all the security related settings correctly (means password set correctly, only secure services running etc..). And then make sure you have regular back-up procedure (taking backups and knowing how to restore from them and make sure those steps work) so that you can do often enough that you don’t loose too muck and can recover easily if hackers hit your blog.

      The proper way to running a web site or blog is to make reasonable efforts so that the site is not easy to hack into, and have a plan how to easily recover when some day some hacker hits your system (make a plan so that recovering from it it is not a disaster, just some reasonable amount extra work for you or some admin you pay for the maintenance).

      Reply
  25. Tomi Engdahl says:
    Safari in iOS 8 uses camera to scan and enter credit card info
    http://9to5mac.com/2014/06/05/safari-in-ios-8-uses-camera-to-scan-and-enter-credit-card-info/

    In iOS 8, Apple has a new feature in Safari that allows users to scan a credit card with the device’s camera rather than manually entering the number when making a purchase online.

    Website developers don’t have to do anything to enable the feature, as Safari appears to automatically detect when a credit card number is being requested and presents the option to scan above the keypad.

    Reply
  26. Tomi Engdahl says:
    AT&T wants to improve payment card fraud prevention with phone geolocation
    The operator expects to make a new service available to enterprise customers later this year
    http://www.itworld.com/security/421861/att-wants-improve-payment-card-fraud-prevention-phone-geolocation

    AT&T plans to test a service allowing payment card providers to access the location of a customer’s phone to improve the accuracy of fraud prevention systems for transactions made abroad.

    The service is part of AT&T’s Location Information Services portfolio, and allows businesses to access network data to locate a device to authenticate a user’s location, helping to protect against potential fraud. For the fraud protection to work, users will first have to opt in, AT&T said.

    A credit card company can use the service to confirm someone has traveled to a new country as soon as they land and turn on their phone. The goal is to help credit card companies make more informed decisions, such as whether to approve or decline purchases made abroad.

    Between 50 percent and 80 percent of declined transactions are actually legitimate, but they are turned down by financial institutions for security reasons, according to Mastercard.

    AT&T’s service is based on the operator’s Mobile Identity API Toolkit, which launched in December last year.

    Reply
  27. Tomi Engdahl says:
    Banks: Credit Card Breach at P.F. Chang’s
    https://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/

    Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.

    The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

    The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems.

    Reply
  28. Tomi Engdahl says:
    EMV Chips in 70% of Credit Cards by 2015
    http://www.eetimes.com/document.asp?doc_id=1322710&

    Increasing fraud rates will push issuers to migrate customers to EMV-enabled cards before the October 2015 liability shift on card-present transactions, Aite Group says.

    Credit card with EMV chip.
    Credit card with EMV chip.

    Rising card fraud will drive issuers to migrate 70% of credit cards in the US to EMV (Europay, MasterCard, and Visa*) by October 2015, along with 41% of debit cards, a new report by Aite Group predicts. Credit card fraud rates have doubled since 2007, an debit card fraud is also rising sharply, according to the report.

    The beginning of October 2015 is when Visa will implement a liability shift or card-present transactions.

    Reply
  29. Moses says:
    Fantastic post but I was wondering if you could write a litte more on this subject?

    I’d be very grateful if you could elaborate a little bit more.
    Thanks!

    Reply
  30. Tomi Engdahl says:
    Square Bets Big on Next-Gen Credit Card Tech
    http://www.wired.com/2014/07/exclusive-square-bets-big-on-next-gen-credit-card-tech/

    Square first came to fame with a credit card reader you could plug into your iPhone jack. But next year, the company’s signature device will be on its way to obsolescence as the U.S transitions to a new kind of credit card that verifies purchases with an embedded computer chip.

    In anticipation of this sweeping change in the way Americans pay, Square designers and engineers have been working on new hardware

    The change happens in October 2015, when credit card companies will start cajoling merchants to accept cards that work via a more secure embedded chip rather than the classic—and classically easy to hack—stripe on the back of every card now. In what’s being called the great “liability shift,” the major card networks—Visa, Mastercard, American Express, Discover—say merchants who don’t offer a way to accept the new chip-based cards, also known as EMV cards, by the deadline will be responsible for any fraud they suffer as a result, not the card companies.

    The big challenge in making the shift is that every business that takes credit cards will need to buy new hardware capable of reading the new cards. Chip-card readers aren’t new—EMV has been in use for years in Europe, Canada, Asia, and Latin America

    It’s this heightened security that is motivating the credit card industry to push for the switch, and some big stores have already started.

    Goodbye to the Swipe

    One of the biggest pieces of internal gadgetry needed to accept chip-based cards is a battery. The cards themselves don’t carry a power source. They rely on readers to power the chips,

    So, the new Square reader comes equipped with a super-thin battery and a mini-USB port to charge it, a feature its stripe-only reader doesn’t require.

    The one major feature that will be missing from the new reader will be an additional layer of security from which the popular nickname for EMV comes: “chip and PIN.” The most secure chip-based card systems also require a PIN instead of an easily forged signature to verify the identity of the cardholder. Dorogusker says that, in the U.S., card issuers aren’t requiring PINs as part of the transition, so merchants who take Square will use a “chip and signature” system.

    To be sure, a keypad for entering PINs would make the reader too large for use with smartphones.

    Reply
  31. Tomi Engdahl says:
    Square readies new Reader with chip-and-PIN card support ahead of EMV adoption in the US
    http://thenextweb.com/us/2014/07/30/square-readies-new-reader-chip-pin-card-support-us/
    Reply
  32. Tomi Engdahl says:
    Black Hat 2014: A New Smartcard Hack
    http://spectrum.ieee.org/riskfactor/telecom/security/black-hat-2014-how-to-hack-smartcards-and-termsofservice

    According to new research, chip-based “Smartcard” credit and debit cards—the next-generation replacement for magnetic stripe cards—are vulnerable to unanticipated hacks and financial fraud. Stricter security measures are needed, the researchers say, as well as increased awareness of changing terms-of-service that could make consumers bear more of the financial brunt for their hacked cards.

    The work is being presented at this week’s Black Hat 2014 digital security conference in Las Vegas. Ross Anderson, professor of security engineering at Cambridge University, and co-authors have been studying the so-called Europay-Mastercard-Visa (EMV) security protocols behind emerging Smartcard systems.

    “Any forged signature will likely be shown to be a forgery by later expert examination,” Anderson wrote in his ACM article. “In contrast, if the correct PIN was entered the fraud victim is left in the impossible position of having to prove that he did not negligently disclose it.”

    And PIN authentication schemes, Anderson says, have a number of already discovered vulnerabilities, a few of which can be scaled up by professional crooks into substantial digital heists.

    Reply
  33. Tomi Engdahl says:
    Why Jack Dorsey Killed The Square Credit Card
    http://www.fastcompany.com/3032811/most-innovative-companies/why-jack-dorsey-killed-the-square-credit-card

    Square, the payments startup from Twitter cofounder Jack Dorsey, has prototyped a Square credit card. The plastic card is all black, and save for the card holder’s name emblazoned on the face, features no logos–not even Square’s. Over the past year, multiple sources indicate Square employees have been carrying the card–seen here below, partially blurred to protect the card holder’s identity–around in their wallet.

    However, despite buzz about the potential of a Square credit card, other company sources indicate the project was recently killed.

    The company eventually realized a digital-only solution might be too ahead of its time, so Square began considering whether it could bring innovation to plastic bank cards instead. The benefits were obvious: The company could bring its design savvy to the space, attracting new consumers to its platform to gain more payments data while up-selling them on rewards programs, which have long been a boon to the bottom lines of credit card companies (not to mention hotels, airlines, and other credit card partners).

    After the idea gained momentum with the leadership team, Square created its concept Square credit card: a non-branded, black plastic card.

    when employees got their hands on it, one insider says, they found it “extremely appealing,”

    How would Square differentiate from other credit cards in the market? Anyone who has used a Citibank or other credit card knows what a hassle it is not only to keep track of purchases, but to keep up with statements and rewards.

    Yet weeks later, the company, while declining to confirm that a Square credit card ever existed, confirmed to me that it is not launching a credit card, with no further explanation. Multiple sources indicate there are two reasons why that might be the case: a Square credit card would likely alienate Square’s financial partners, and it would also have myriad legal implications for how the company operated. “You can only fight so many battles at the same time,” one source told me.

    Reply
  34. Tomi Engdahl says:
    Americans to be guinea pigs in vast chip-and-PIN security experiment
    PSA: If you really want to steal millions – embarrass the banks enough
    http://www.theregister.co.uk/2014/08/07/americans_about_to_become_guinea_pigs_in_chip_and_pin_experiment/

    Black Hat 2014 Next year US banks will begin a wide-scale rollout of chip-and-PIN bank cards, just 11 years after the UK made it mandatory.

    In doing so, Americans will take part in a vast experiment to test chip-and-PIN against chip-and-sign when it comes to stamping out money thieves.

    Not every US bank is keen on the PIN system, so some customers will get chip-and-sign cards instead.

    The results of the split approach will be studied by security experts to determine the pros and cons of each system

    Singapore is another country that prefers chip-and-signature

    Chip-and-PIN systems aren’t perfect
    there was an recess that gave access to the motherboard.
    By drilling at a precise point, the team was able to install a wiretap that recorded all transaction data.

    It turns out that the recess was intended to hold extra cryptographic electronics, but the banks decided they didn’t need it. Prof Anderson alerted the banking industry to the problem, but was told it wasn’t a serious issue.

    The American experiment in chip-and-PIN and chip-and-signature will produce some very interesting data, but if the experience in the UK is anything to go by, it won’t kill card fraud by any means, Anderson said. While chip and PIN did cut some types of crime, crooks got smart – with some potentially fatal consequences for victims.

    For example, while point-of-sale fraud fell after the UK rollout of chip and PIN, online fraud rocketed. To combat this, banks gave customers a little gadget into which one can insert their card, type in a valid PIN, and generate a one-time access code for verifying an internet transaction
    These devices are pretty popular with criminals, too.

    He warned that banks were changing their terms and conditions to make consumers liable for fraudulent use of smart-cards and, unless regulators get involved

    Reply
  35. Tomi Engdahl says:
    Amazon Just Launched A Square-Killer Credit-Card Reader
    http://www.businessinsider.com/r-amazoncom-builds-brick-and-mortar-presence-with-card-swiping-device-2014-13

    SAN FRANCISCO (Reuters) – Amazon.com Inc unveiled a $10 credit-card reader and mobile app for brick-and-mortar businesses on Wednesday, marking the latest step by the U.S. online retailer to expand its presence in the physical world.

    The move pits Amazon against a slew of rivals, including startup Square, which popularized a payments dongle that allowed small- and mid-sized businesses like food trucks, coffee shops and personal trainers to quickly accept credit and debit cards.

    The new point-of-sale system, called Amazon Local Register, would give Amazon crucial data on how U.S. consumers shop offline. More than 90 percent of U.S. retail sales still take place in physical stores, according to U.S. government data.

    Reply
  36. Tomi Engdahl says:
    Goodbye, “Everything Store.” Hello, “Everything City.”
    https://www.theinformation.com/Goodbye-Everything-Store-Hello-Everything-City

    Amazon Local Register offers new card readers and a service that allows small businesses to accept credit card payments.

    Reply
  37. Tomi Engdahl says:
    Amazon takes swipe at PayPal, Square with card reader for mobes
    Etailer plans to undercut rivals with low transaction fee offer
    http://www.theregister.co.uk/2014/08/13/amazon_launches_credit_card_reading_device/

    Amazon has launched its own mobile payments device and app at a starting price that undercuts existing tech from Square and PayPal.

    Amazon’s “Local Register” popped up in a YouTube video and a dedicated site online before the mega etailer officially announced it.

    The initial launch covers the US, but it’s likely that Amazon will want to spread the service to all of its markets. Square currently operates in the US, Canada and Japan and PayPal Here is available in the US and the UK.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*