Credit card (in)security issues

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The fraud begins with either the theft of the physical card or the compromise of data associated with the account (card account number and/or verification codes).

Skimming is the theft of credit card information used in an otherwise legitimate transaction. Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic stripe as the user unknowingly passes their card through it. The technology needed to read the contents of the magnetic stripe is pretty simple. Usually a miniature camera or a fake keypad placed over the original is used to capture the user’s PIN at the same time. Skimming is usually very difficult for the typical cardholder to detect. The All About Skimmers article series covers ATM skimmers, gas pump skimmers and other related fraud devices.

Skimming has been in the news in Finland lately. Police have revealed some details of the hard-to-detect skimming devices that have been found installed on tens of ATMs around Finland. The articles Ovela huijaus Otto-automaateilla – huomaatko eron kuvissa?, Kummassa pankkiautomaatissa on huijauslaite? and Skimmaajat teettivät erikoislaitteita Suomen oloihin show pictures of ATMs with and without a skimming device. These devices, custom made for Finnish ATMs, are really hard to detect. According to the articles, thousands of ATM cards have been compromised and used to steal several hundred thousand euros. Look carefully next time you use an ATM.


Throughout Europe the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing. PINs were widely introduced at the same time as EMV chips on the cards. In Finland the PIN codes that come with the card are predefined by the card issuer. In some countries, with some banks, the customer can freely choose them. The Security of Self-Selected PINs Is Lacking article tells that a Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own. There is every incentive for the bad guys to try guessing PINs on every card that they steal. “A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234”. The report traces an idiosyncratic history of the use of passwords by financial institutions. The researchers wrote that there were two lessons to be drawn from their study. First, customers should never use their date of birth as a PIN or password. Second, banks should institute blacklists of common passwords, or prohibit user selection of passwords entirely.
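The two lessons above map directly onto an issuer-side policy check that runs when a customer tries to select a PIN. The following Python is an added example, not code from the original post or from the Cambridge study: the blacklist entries, the date-of-birth patterns and the birth-year range are assumptions chosen for illustration rather than the study's published frequency data, and it goes slightly beyond the text by also rejecting repeated digits and straight keypad runs.

```python
"""Issuer-side policy check for customer-selected four-digit PINs.

Added example: rejects PINs on a common-PIN blacklist and PINs derived from
the cardholder's date of birth, plus repeated digits and straight keypad
runs. The blacklist entries, date patterns and birth-year range are
assumptions for illustration, not the Cambridge team's published data.
"""
from datetime import date
from typing import Optional, Set, Tuple

# Assumed blacklist: the values named in the article plus obvious keypad patterns.
COMMON_PINS = frozenset({
    "1111", "1234", "0000", "1212", "1122", "2580", "0852",
    "4321", "1010", "2000", "6969", "1004",
})


def is_trivial_pattern(pin: str) -> bool:
    """True for a single repeated digit or a run of consecutive digits
    in either direction, e.g. 7777, 3456, 9876."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def looks_like_birth_year(pin: str) -> bool:
    """Assumed range: even a thief who knows nothing about the victim can try
    the roughly 100 plausible birth years, so treat all of them as guessable."""
    return 1920 <= int(pin) <= date.today().year


def birthdate_pins(dob: date) -> Set[str]:
    """Every four-digit string a cardholder might plausibly form from their
    date of birth: DDMM, MMDD, YYYY, and day or month combined with YY."""
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, dd + yy, yy + dd, mm + yy, yy + mm}


def check_pin(pin: str, dob: Optional[date] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a PIN the customer wants to select.
    The DOB check only runs when the issuer knows the customer's date of birth."""
    if len(pin) != 4 or not pin.isdigit():
        return False, "PIN must be exactly four digits"
    if pin in COMMON_PINS:
        return False, "PIN is on the common-PIN blacklist"
    if is_trivial_pattern(pin):
        return False, "PIN is a repeated digit or a straight run"
    if looks_like_birth_year(pin):
        return False, "PIN looks like a birth year"
    if dob is not None and pin in birthdate_pins(dob):
        return False, "PIN is derived from the date of birth"
    return True, "ok"


if __name__ == "__main__":
    dob = date(1985, 3, 26)  # constructed cardholder
    for candidate in ("1234", "7777", "3456", "1985", "2603", "8526", "4917"):
        print(candidate, check_pin(candidate, dob))
```

The blacklist is deliberately a frozen set rather than a regular expression: an issuer can grow it from its own observed PIN frequencies without touching the matching logic, which is the operational form the article's second recommendation takes.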

Proximity payments are coming. The Pay-by-wave: At least it’s better than being mugged article tells that the public thinks paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments. Today’s proximity payment systems are based on the NFC standard, which uses a radio connection at 13.56 MHz for short-range peer-to-peer communications. The same frequency is used by RFID tags, in a simplistic way, but NFC is a good deal more complicated, and expensive. Proximity payments are implemented in smartphones and contactless credit cards.


Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets article tells that contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay.

The Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets and Shmoocon Demo Shows Easy, Wireless Credit Card Fraud articles tell that some contactless cards have serious security holes. Paget, a well-known security researcher for the consultancy Recursion Ventures, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. A commercially available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. She flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?”. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. Paget’s firm has been working on a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. So it sounds like this hacking demonstration was just a marketing gimmick for their product.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. To fight fraud, contactless cards do offer one security feature traditional cards don’t: along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code, or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once.

According to a smart card expert I know, Square and the card issuer bank are also to blame for this working (and it would not work with European banks and other payment services). Also, the sum was so low that the payment company might not do all the checks it does for bigger sums of money. In cards where things are built well, there is a different card number for normal swipe use and for contactless operation. The contactless number would fail to work if you tried to pay with it on a terminal that swipes the card. So the security holes are not as big and bad as they seem based on those hacking news stories.
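The two processor-side defences described in the last two paragraphs, the one-time CVV that must arrive fresh and in order, and a contactless card number that is distinct from the magnetic-stripe number, can be modelled end to end. The Python below is an added example, not code from the original post, from Visa or MasterCard, or from any real payment processor. The dynamic-CVV derivation (an HMAC over a per-card tap counter, truncated to three digits) and the idea that the terminal forwards the counter with the code are assumptions standing in for the card schemes' proprietary designs; the card numbers and key are constructed for the example. It replays the stage demo against these checks in both orders, thief first and cardholder first, which the text only describes.

```python
"""Processor-side checks for contactless payments (added example).

Models two rules from the text: a per-tap one-time CVV that is accepted only
if fresh and in counter order (otherwise the card is disabled), and a
contactless PAN that is distinct from the stripe PAN, so contactless data
cloned onto a magstripe blank is declined on the swipe channel.
The HMAC-based code derivation and the forwarded counter are assumptions;
PANs and the key are constructed values.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

CONTACTLESS, SWIPE = "contactless", "swipe"


def dynamic_cvv(card_key: bytes, counter: int) -> str:
    """Assumed scheme: HMAC-SHA256 over the tap counter, reduced to 3 digits."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


@dataclass
class CardRecord:
    """Issuer's view of one card: two PANs, the per-card key, the highest
    tap counter accepted so far, and whether fraud controls disabled it."""
    contactless_pan: str
    stripe_pan: str
    card_key: bytes
    last_counter: int = -1
    disabled: bool = False


@dataclass
class Tap:
    """What any reader, legitimate terminal or rogue, receives from the card."""
    pan: str
    counter: int
    cvv: str


class Card:
    """Card side: a fresh counter and code on every read, whoever asks."""
    def __init__(self, record: CardRecord):
        self.record, self.counter = record, 0

    def tap(self) -> Tap:
        self.counter += 1
        return Tap(self.record.contactless_pan, self.counter,
                   dynamic_cvv(self.record.card_key, self.counter))


class Processor:
    def __init__(self, cards: Iterable[CardRecord]):
        cards = list(cards)
        self.by_contactless: Dict[str, CardRecord] = {c.contactless_pan: c for c in cards}
        self.by_stripe: Dict[str, CardRecord] = {c.stripe_pan: c for c in cards}

    def authorize(self, channel: str, pan: str, counter: Optional[int] = None,
                  cvv: Optional[str] = None) -> str:
        if channel == SWIPE:
            if pan in self.by_contactless:
                return "DECLINE contactless PAN presented on swipe"  # channel binding
            card = self.by_stripe.get(pan)
            if card is None:
                return "DECLINE unknown PAN"
            return "DECLINE card disabled" if card.disabled else "APPROVE swipe"
        if channel == CONTACTLESS:
            card = self.by_contactless.get(pan)
            if card is None:
                return "DECLINE unknown PAN"
            if card.disabled:
                return "DECLINE card disabled"
            if counter is None or counter <= card.last_counter:
                card.disabled = True  # replay or out-of-order: kill the card
                return "DECLINE replayed or out-of-order code, card disabled"
            if cvv != dynamic_cvv(card.card_key, counter):
                return "DECLINE dynamic CVV mismatch"
            card.last_counter = counter
            return "APPROVE contactless"
        return "DECLINE unknown channel"


def _fresh_setup():
    record = CardRecord("4000000000000101", "4000000000000200", b"constructed-key")
    return Card(record), Processor([record])


def cardholder_pays_first() -> List[str]:
    """Rogue reader harvests one tap; the cardholder then pays at a shop."""
    card, proc = _fresh_setup()
    stolen, genuine = card.tap(), card.tap()
    results = [proc.authorize(CONTACTLESS, genuine.pan, genuine.counter, genuine.cvv)]
    results.append(proc.authorize(SWIPE, stolen.pan))  # cloned onto a magstripe blank
    results.append(proc.authorize(CONTACTLESS, stolen.pan, stolen.counter, stolen.cvv))
    later = card.tap()  # the genuine card is now locked out as well
    results.append(proc.authorize(CONTACTLESS, later.pan, later.counter, later.cvv))
    return results


def thief_moves_first() -> List[str]:
    """The harvested code is spent before the cardholder taps again: it works
    exactly once, and the second attempt disables the card."""
    card, proc = _fresh_setup()
    stolen = card.tap()
    results = [proc.authorize(CONTACTLESS, stolen.pan, stolen.counter, stolen.cvv)]
    results.append(proc.authorize(CONTACTLESS, stolen.pan, stolen.counter, stolen.cvv))
    genuine = card.tap()
    results.append(proc.authorize(CONTACTLESS, genuine.pan, genuine.counter, genuine.cvv))
    return results


if __name__ == "__main__":
    print(cardholder_pays_first())
    print(thief_moves_first())
```

The two scenarios show the trade-off the text alludes to: the ordering rule limits a stolen code to at most one use, but detection also locks the legitimate cardholder out until the issuer reissues the card, so the channel-binding rule (separate contactless and stripe numbers) is what actually stops the magstripe-clone path in the demo.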

172 Comments

  1. Tomi Engdahl says:
    Crypto-Currency Market Capitalizations
    http://coinmarketcap.com/

    Total Market Cap: $ 8,647,665,810

    Reply
  2. Tomi Engdahl says:
    Bloomberg anchor displays bitcoin on TV, immediately gets robbed by viewer
    http://rt.com/usa/bloomberg-anchor-robbed-bitcoin-747/

    Bloomberg TV provided viewers with an important lesson in digital currency when one of its anchors had a gift card stolen while showing it during a live broadcast.

    On Friday, December 20, Matt Miller surprised his two fellow anchors – Adam Johnson and Trish Regan – with bitcoin gift certificates during his “12 Days of Bitcoin” segment. Johnson then flashed his certificate on the screen for roughly 10 seconds – more than enough time for a Reddit user to scan the digital QR code with his phone and take the gift for himself.

    “The guy that is hosting the series gave bitcoin gift certificates to the other two hosts. One of them opens up the certificate to reveal QR code of the private key,” he wrote. “They then proceeded to show a closeup of the QR code in glorious HD for about 10 seconds. Hilarious.”

    “I took it, it was only $20 worth. It was exhilarating nevertheless”

    Although milywaymasta offered to return the cash, Miller followed up with the user on Reddit, stating that it would not be necessary.

    “So freaking classic but also a GREAT lesson in bitcoin security!” he wrote. “You can keep the $20 – well earned.”

    Reply
  3. Tomi Engdahl says:
    Bitcoin Exchanges Shut Down in India After Government Warning
    http://www.wired.com/business/2013/12/bitcoin-india/

    Bitcoin is once again feeling the squeeze from government regulators. This time, the crunch comes in India, where multiple online exchanges have suspended operations following a warning against the digital currency from the country’s central bank and, according to a local report, authorities have raided the home of the man who oversaw the largest of these exchanges.

    Coming little more than a week after the Chinese government launched its own crackdown on Bitcoin exchanges, the news bathes the world’s most popular digital currency in an unflattering light, but these are the expected growing pains for a technology that is still less than five years old.

    “We are suspending buy and sell operations until we can outline a clearer framework with which to work,” reads a notice on the BuySellBitCo.in site. “This is being done to protect the interest of our customer.”

    Reply
  4. Tomi Engdahl says:
    Exclusive: Target hackers stole encrypted bank PINs – source
    http://www.reuters.com/article/2013/12/25/us-target-databreach-idUSBRE9BN0L220131225

    The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.

    One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.

    Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.

    Target has not said how its systems were compromised, though it described the operation as “sophisticated.”

    JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman was not available for comment on Tuesday.

    Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.

    “That’s a really extreme measure to take,” said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. “They definitely found something in the data that showed there was something happening with cash withdrawals.”

    While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.

    As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital “key” used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

    In other cases, hackers can get PINs by using a tool known as a “RAM scraper,” which captures the PINs while they are temporarily stored in memory, Clemens said.

    Reply
  5. Tomi Engdahl says:
    Cash machines raided with infected USB sticks
    http://www.bbc.co.uk/news/technology-25550512

    Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.

    The criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs.

    Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.

    The crimes also appear to indicate the thieves mistrusted each other.

    The two researchers who detailed the attacks have asked for their names not to be published.

    After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.

    Once the malware had been transferred they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.

    Reply
  6. Tomi Engdahl says:
    Yes, There’s Kanye West-Themed Crypto-Currency
    http://slashdot.org/topic/bi/yes-theres-kanye-west-themed-crypto-currency/

    In the future, every major celebrity will have a crypto-currency named after him or her.

    Bitcoin, the world’s most popular crypto-currency, is based on an open-source protocol; and because it’s peer-to-peer without a central server or bank, it’s theoretically possible for anyone with the right combination of tools and knowhow to use the underlying code as the foundation for their own crypto-currency. Which is exactly what a bunch of anonymous developers have done with the new “Coinye West,” an upcoming crypto-currency named after rapper Kanye “I Am a God” West.

    Coinye West isn’t an official production of Kanye West, and the developers are staying anonymous because they probably fear the inevitable copyright lawsuits.

    The recent spike in Bitcoin value has sparked a much broader discussion about the validity of crypto-currencies as a medium of exchange.

    Reply
  7. Tomi Engdahl says:
    Kanye’s Lawyer Moves to Block Coinye
    http://blogs.wsj.com/digits/2014/01/07/kanyes-lawyer-moves-to-block-coinye/

    Lawyers for Kanye West filed cease-and-desist papers against the seven anonymous coders behind Coinye West, a virtual currency that went from chatroom joke to Internet sensation last week.

    As virtual currencies like bitcoin and litecoin have taken off, copycats have emerged. Some offer slight tweaks to the bitcoin code to account for fraudsters or improve transactions. Others, such as BBQcoin and dogecoin, appear more as jokes than legitimate crypto-currencies.

    Reply
  8. Tomi Engdahl says:
    Bitcoin me: How to make your own digital currency
    http://www.theguardian.com/technology/2014/jan/07/bitcoin-me-how-to-make-your-own-digital-currency

    Move over Dogecoin: the Herncoin is here. But what can making your own currency teach you about the world of bitcoin?

    Reply
  9. Yong Hands says:
    Sweet website, super style and design, really clean and pleasant to use.
    Reply
  10. Tomi Engdahl says:
    Bluetooth Hackers Allegedly Skimmed Millions Via Gas Stations
    http://www.wired.com/threatlevel/2014/01/gas-station-skimming-scheme/

    Thirteen suspects have been indicted in New York on a gas station skimming scheme that netted them more than $2 million, according to court documents.

    The skimming devices, placed on card readers at gas station pumps throughout the southern U.S., recorded credit and debit card data, as well as PINs, which the thieves then used to withdraw more than $2 million from ATMs.

    Some of the skimming devices were placed on pumps at Raceway and Racetrac gas stations throughout Texas, Georgia, and South Carolina. The devices were Bluetooth enabled, so the thieves could simply download the stolen data from the skimming device without having to remove it.

    Reply
  11. Tomi Engdahl says:
    US card scammers pull $2m petrol heist
    Skimming operation nets big bucks and serious charges for gang
    http://www.theregister.co.uk/2014/01/23/us_card_scammers_pull_2m_petrol_heist/

    US attorneys have charged thirteen people in connection with a massive fraud operation which netted some $2m in stolen funds.

    The Manhattan District Attorney’s office says that four defendants masterminded a plot to install card skimming devices at gas pumps throughout the southern US and then use a network of money mules to withdraw and transfer funds from the stolen cards in a money laundering operation.

    Reply
  12. Eleanore says:
    If you hit the ground at high speeds with these jackets you’ll be very well protected.

    Though most surgeons will not execute the hymenoplasty treatment for causes of birth, you can
    find some that will so it continues to be incorporated.
    The range of Bajaj Bikes in Chennai will suit to every market
    segment whether its youngsters, adult, old even ladies can safely ride this.

    Reply
  13. sportscarphoto4.soup.Io says:
    Hello, just wanted to give you a quick heads up. The words in your post seem to be running off the screen in Firefox.
    I’m not sure if this is a format issue or something to do with internet browser compatibility but I thought I’d post to let you know.
    The layout looks great though! Hope you get the issue fixed soon.
    Kudos
    Reply
  14. research in motion says:
    Unquestionably imagine that that you said. Your favourite reason appeared to be at the
    web the simplest factor to be mindful of. I say to you, I certainly get annoyed even as other people
    think about worries that they just do not realize about.

    You managed to hit the nail upon the top and defined out the whole thing without having side
    effect , people can take a signal. Will probably be back
    to get more. Thank you

    Reply
  15. Tomi Engdahl says:
    October 2015: The End of the Swipe-and-Sign Credit Card
    http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/?KEYWORDS=chip+and+pin

    Prepare to say farewell to the swipe-and-sign of a credit card transaction.

    Beginning later next year, you will stop signing those credit card receipts. Instead, you will insert your card into a slot and enter a PIN number, just like people do in much of the rest of the world. The U.S. is the last major market to still use the old-fashioned signature system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.

    Reply
  16. Tomi Engdahl says:
    Credit card of PayPal PRESIDENT cloned by UK crooks
    Tripping the hack scam-plastic
    http://www.theregister.co.uk/2014/02/12/paypal_pres_card_cloning_caper/

    PayPal president’s credit card got hacked on a UK visit, the victim revealed on Twitter.

    David Marcus said that an unidentified criminal used a skimming device and his credit card was cloned before “tons” of fraudulent transactions were made.

    “My card (with EMV chip) got skimmed while in the UK.”

    Reply
  17. Tomi Engdahl says:
    Swedish police would like every bank card user to do a small trick so that the card is better protected from con artists: the CVV or Card Verification Value code should be covered – if not even scraped off completely. The card holder’s name, the number on the front and the CVV on the back are in fact the only information e-shopping usually requires. If the CVV code is displayed, the card is easy for fraudsters to scan or photograph. Covering the three-digit number on the rear side is a simple way to prevent a crime.

    When the code is not visible, the card cannot be taken advantage of, for example, for on-line purchases. Some online shops need only a debit card number, expiration date and CVV code for shopping.

    OP Pohjola Finance Manager Kasimir Hirn and the Swedish Bankers’ Association chief financial Leif Trogen are critical of the bank card protection trick put forward by the Swedish police.

    OP Pohjola Finance Manager Kasimir Hirn points out that the payment card holder does not have permission to access the payment card physically. For example, scratching can damage the card. A taped card can jam inside ATMs and payment terminals.

    - Retailers are not obliged to accept treated/modified cards

    - The CVV code has to be displayed, or the card is invalid.

    - The most important thing is to keep the card firmly in your possession and the PIN in your mind.

    Bankers’ Association chief financial Leif Trogen believes the banks’ security systems in Sweden to be at least safe enough without any extra gimmicks. If someone steals card information and manages to take the money from the victim’s account, the bank will replace it to the card holder.

    Sources: Iltalehti
    http://www.iltalehti.fi/uutiset/2014021118029393_uu.shtml
    http://www.iltalehti.fi/uutiset/2014021318037959_uu.shtml

    Reply
  18. Tomi Engdahl says:
    360 million newly stolen credentials on black market: cybersecurity firm
    http://www.reuters.com/article/2014/02/25/us-cybercrime-databreach-idUSBREA1O20S20140225

    A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

    Reply
  19. Tomi Engdahl says:
    Mastercard, Syniverse target holiday payment security with mobile verification system
    Not in Bora Bora? Crooks can’t use your credit card there
    http://www.theregister.co.uk/2014/03/12/mastercard_and_syniverse_in_roaming_pact/

    It’s ironic that when people are abroad so many people switch off their mobile phones’ data and so many banks switch off customers’ credit cards.

    You’ll have heard of Mastercard but are less likely to know about Syniverse unless you work in the mobile industry. The firm is a kind of central broker for mobile phone networks that want to deal with lots of other networks without having to set up individual arrangements one at a time.

    When you move your mobile phone number from one network to another, the protocols to do this probably go through Syniverse.

    The new project allows the Mastercard network to tap into the data in mobile phone networks to establish that a credit card being used abroad is kosher.

    The tie-up between Mastercard and Syniverse allows customers to register their mobile phone number with their credit card company; the system checks the Visitor Location Register to make sure the phone is where the card is.

    There are no mechanisms used to check the position of the phone and card more accurately, such as Cell ID, triangulation or correlating phone and point-of-sale locations. Other checks will still be in place.

    Reply
  20. Tomi Engdahl says:
    Diebold Deploys First ATM Without Card Reader Or PIN Pad
    http://news.diebold.com/press-releases/diebold-deploys-first-atm-without-card-reader-or-pin-pad.htm

    An automated teller machine (ATM) with no card reader. Pre-staged withdrawals on smartphones. Cardless transactions. And everything managed via the cloud. A new era of banking, inspired by the Millennial generation, is dawning at Diebold Federal Credit Union (DFCU), where an innovative ATM from Diebold, Incorporated (NYSE: DBD) and a mobile wallet solution are allowing members to complete self-service transactions and make retail purchases without using physical debit or credit cards.

    DFCU is piloting the world’s first ATM without a card reader or PIN pad that relies solely on mobile authentication. When a consumer scans a unique QR code at the ATM using a smartphone, the ATM authenticates the user via cloud-hosted services to enable secure, cardless transactions. With no card or PIN required, the solution eliminates the threats of card skimming and shoulder surfing at the ATM.

    Reply
