Credit card (in)security issues

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The fraud begins with either the theft of the physical card or the compromise of data associated with the account (card account number and/or verification codes).

Skimming is the theft of credit card information used in an otherwise legitimate transaction. Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. Technology needed to read the contents of the magnetic strip is pretty simple. Usually a miniature camera or fake keypad over original is used to read the user’s PIN at the same time. Skimming is usually very difficult for the typical cardholder to detect. All About Skimmers article series is about ATM skimmers, gas pump skimmers and other related fraud devices.

Skimming has been on news in Finland lately. Police has revealed some details of the hard to detect skimming devices that have been found installed on tens of ATM devices around Finland. Articles Ovela huijaus Otto-automaateilla – huomaatko eron kuvissa?, Kummassa pankkiautomaatissa on huijauslaite? and Skimmaajat teettivät erikoislaitteita Suomen oloihin show you pictures of ATM with and without skimming device. These device custom made for Finnish ATMs are really hard to detect. According to articles thousands of ATM card have been compromised and used to steal several hundreds thousand euros. Look carefully next time you use ATM.

Muga_Golden_Credit_Card

Throughout Europe the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing. PINs were widely introduced at the same time as EMV chips on the cards. In Finland the PIN codes that comes with the card are predefined by card issuer. In some countries with some banks the customer can freely choose them. Security of Self-Selected PINs Is Lacking article tells that Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own keys. There is every incentive for the bad guys to try guessing PINs on every card that they steal. “A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234″. Their report traces an idiosyncratic history of the use of passwords by financial institutions. The researchers wrote that there were two lessons to be drawn from their study. First, customers should never use date of birth as a PIN or password. Second, banks should institute blacklists of common passwords, or prohibit user selection of passwords entirely.

Proximity payments are coming. Pay-by-wave: At least it’s better than being mugged article tell that the public thinks that paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments. Today’s proximity payment systems are based on the NFC standard, which uses a radio connection at 13.56MHz for short-range peer-to-peer communications. The same frequency is used by RFID tags, in a simplistic way, but NFC is a good deal more complicated, and expensive. Proximity payments are implemented in smartphones and contactless credit cards.

1325432106

Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets article tells that contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay.

Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets and Shmoocon Demo Shows Easy, Wireless Credit Card Fraud articles tell that some contacless cards have serious security holes. Paget, a well-known security researcher for the consultancy Recursion Ventures, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. Commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. She flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?”. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. Paget’s firm has been working on a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. So it sound like this hacking demonstration was just a marketing gimmick for their product.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. To fight against fraud contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once.

According to a smart card expert I know Square and card issuer bank is also to blame on that this worked (and would not work with European banks and other payment services). Also the sum was so low that the payment company might not do all the check it does for bigger sums of money. In card where things are built well, there is different card number for normal swipe card use and contactless operation. The contactless number would fail to work if you try to pay with their code on the terminal that swipes the card. So the security holes are not as big and bad as it seems based on those hacking news.

211 Comments

  1. Tomi Engdahl says:
    Stripe Lands Apple in Quest for $720 Billion in Payments
    http://www.bloomberg.com/news/2014-09-17/stripe-lands-apple-in-quest-for-720-billion-in-payments.html

    Apple Inc. (AAPL)’s list of partners for its new Apple Pay service reads like a Who’s Who of the payments world, including Visa Inc. and First Data Corp.

    Then there’s Stripe Inc.

    Getting included on Apple’s list was a coup for the five-year-old startup, which will enable mobile applications to work with Apple Pay. It’s the latest success for Stripe, which is also powering an e-commerce feature for Twitter Inc., working with Alibaba Group Holdings Ltd.’s Alipay, and helping thousands of other companies process online and mobile payments.

    The challenge for San Francisco-based Stripe is fending off EBay Inc.’s PayPal and traditional financial companies that are barreling into mobile payments. The burgeoning market — with global spending on commerce via handheld gadgets set to reach $720 billion in 2017, up from $300 billion this year, according to IDC — has brought on a crowded field of competitors.

    “We’re hugely excited about the Apple announcement, but this is just another step along the way,” said Patrick Collison, 26, who along with his brother, John, 24, founded Stripe in 2009.

    Reply
  2. Akilah says:
    This page truly has all the information and facts I
    wanted about this subject and didn’t know who
    to ask.
    Reply
  3. Danh bai says:
    Good day very cool website!! Man .. Beautiful .. Wonderful ..
    I’ll bookmark your web site and take the feeds also? I’m happy to find so
    many helpful info right here within the publish, we’d like work out extra techniques
    on this regard, thanks for sharing. . . . . .
    Reply
  4. Tomi Engdahl says:
    Payment security vastly improved when you DON’T ENTER your BANK DETAILS
    Entering randomly generated ‘tokens’ makes it safer – report
    http://www.theregister.co.uk/2014/09/30/payments_security_vastly_improved_by_tokenisation_according_to_report/

    Developments around “tokenisation” should help to “instil confidence in a payments environment challenged by more frequent data breaches” and fraud, according to a report released by the Federal Reserve Bank of Boston.

    The June 2014 report from the US Federal Reserve’s Mobile Payments Industry Workgroup (MPIW), which was released on 24 September (16-page/320KB PDF), defined tokenisation as the process of “randomly generating substitute value to replace sensitive information”.

    The report said: “When used for financial transactions, tokens replace payment credentials, such as bank account and credit/debit card numbers. The ability to remove actual payment credentials from the transaction flow can improve the security of the payment and is a key benefit of tokenisation.”

    However, the report said some “hurdles” remain before tokenisation receives broad adoption by industry, “particularly around standards and coordination of the different solutions”.

    According to the report, “the key goal of tokenisation” is to protect the 13 to 19-digit primary account number (PAN) embossed on a plastic bank or credit card and encoded on the card’s magnetic strip. “The PAN identifies the card issuer in the first six digits, known as the bank identification number (BIN), as well as the individual cardholder account (generally the final four digits), and includes a check digit for authentication.”

    Tokenisation “eliminates the need for merchants to store the full PAN on their network systems for exception processing or to resolve disputes”

    Reply
  5. Tomi Engdahl says:
    How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks
    http://www.wired.com/2014/09/ram-scrapers-how-they-work/

    Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson’s and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system.

    RAM scrapers—used recently in the Target and Home Depot breaches to net the hackers data on more than 100 million bank cards collectively—are not new. VISA issued a warning to retailers about their use in 2008. But they’ve become increasingly sophisticated and efficient at stealing massive caches of cards.

    They’ve also become more ubiquitous as developer kits for building them—from a starter stub that is easily customized from a menu of features—have pushed scrapers into the mainstream and made them accessible to a wider swath of hackers. Need something to exfiltrate data from your victim’s network to a server in Minsk? Check. Want a turnkey solution for managing your command-and-control server in Mumbai? The kits have got that covered, too.

    RAM scrapers can be installed remotely on a Big-Box retailer’s network and deployed widely to dozens of stores in a franchise.

    Reply
  6. Judson says:
    Hello very cool web site!! Man .. Excellent .. Superb ..
    I will bookmark your blog and take the feeds additionally?

    I’m satisfied to search out a lot of useful info here within the submit,
    we want develop extra techniques in this regard, thank you for
    sharing. . . . . .

    Reply
  7. Tomi Engdahl says:
    Kili Unveils 1-Stop Fix for Chip-Card Mandate
    POS terminals that read all forms of payment
    http://www.eetimes.com/document.asp?doc_id=1324404&

    While US retailers struggle to keep up with the transition of mobile payment systems partly prompted by new technologies like NFC-based contactless mobile payment solutions (i.e. ApplePay in iPhone 6), they face an even bigger challenge, as US card issuers drag them into the new world of EMV-compliant (Europay, MasterCard, and Visa) chip cards.

    Under a new mandate, Oct. 1, 2015 will mark a liability shift from banks to merchants. After that date, any fraudulent card transactions will be the responsibility of merchants who failed to hook up a new point-of-sales terminal that can read chip cards. But if a new terminal is in place, the merchant’s off the hook. Liability reverts back to the bank that failed to issue chip cards.

    In short, the switch to EMV is pressuring merchants and financial institutions to add new in-store technology and internal processing systems compliant with new liability rules. Taking advantage of these profound changes in mobile payment is Kili Technology of San Carlos, Calif., a developer of secure, low-cost payment processing solutions. Kili is a spin-off of SecureKey, a Canada-based identity and authentication provider, which developed its core technology over the last five years.

    While targeting the replacement market for legacy POS terminals, Kili is also eyeing the so-called “on-the-go” mobile payment solutions increasingly in demand among small retailers and individual business owners like plumbers. Mobile payment systems such as Square have been rapidly gaining popularity. However, they are currently capable of processing only magnetic stripe cards.

    Massabki sees most of the company’s chip competitors, such as NXP Semiconductors, STMicroelectroincs, or Freescale, offering discrete solutions in the form of a family of devices such as NFC, smartcards, and security chips. In contrast, Kili takes pride in offering highly integrated mobile POS solution-on-a-chips such as K409B. Incorporated in the dual CPU core-based K409B are an NFC transceiver, a controller, a secure capacitive touch controller, an on-chip capacity touch analog front-end, memories, and analog power management.

    Reply
  8. Tomi Engdahl says:
    Chip & PIN vs. Chip & Signature
    http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

    The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

    emvkeyChip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

    Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

    The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

    Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

    But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*