Credit card (in)security issues

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The fraud begins with either the theft of the physical card or the compromise of data associated with the account (card account number and/or verification codes).

Skimming is the theft of credit card information used in an otherwise legitimate transaction. Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. The technology needed to read the contents of the magnetic strip is pretty simple. Usually a miniature camera or a fake keypad placed over the original one is used to capture the user’s PIN at the same time. Skimming is usually very difficult for the typical cardholder to detect. The All About Skimmers article series covers ATM skimmers, gas pump skimmers and other related fraud devices.

Skimming has been in the news in Finland lately. Police have revealed some details of the hard-to-detect skimming devices that have been found installed on tens of ATMs around Finland. The articles Ovela huijaus Otto-automaateilla – huomaatko eron kuvissa?, Kummassa pankkiautomaatissa on huijauslaite? and Skimmaajat teettivät erikoislaitteita Suomen oloihin show pictures of an ATM with and without a skimming device. These devices, custom made for Finnish ATMs, are really hard to detect. According to the articles, thousands of ATM cards have been compromised and used to steal several hundred thousand euros. Look carefully the next time you use an ATM.


Throughout Europe the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing. PINs were widely introduced at the same time as EMV chips on the cards. In Finland the PIN codes that come with the card are predefined by the card issuer. In some countries, with some banks, the customer can freely choose them. The Security of Self-Selected PINs Is Lacking article tells that a Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own keys. There is every incentive for the bad guys to try guessing PINs on every card that they steal. “A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234”. Their report traces an idiosyncratic history of the use of passwords by financial institutions. The researchers wrote that there were two lessons to be drawn from their study. First, customers should never use their date of birth as a PIN or password. Second, banks should institute blacklists of common passwords, or prohibit user selection of passwords entirely.

Proximity payments are coming. The Pay-by-wave: At least it’s better than being mugged article tells that the public thinks that paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments. Today’s proximity payment systems are based on the NFC standard, which uses a radio connection at 13.56MHz for short-range peer-to-peer communications. The same frequency is used by RFID tags, in a simplistic way, but NFC is a good deal more complicated, and expensive. Proximity payments are implemented in smartphones and contactless credit cards.


Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets article tells that contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay.

The Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets and Shmoocon Demo Shows Easy, Wireless Credit Card Fraud articles tell that some contactless cards have serious security holes. Paget, a well-known security researcher for the consultancy Recursion Ventures, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. A commercially available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. She flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?”. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. Paget’s firm has been working on a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. So it sounds like this hacking demonstration was just a marketing gimmick for their product.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. To fight against fraud, contactless cards do offer one security feature traditional cards don’t: along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code, or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once.
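The issuer-side check described above, as an added example that is not from the article or any card scheme: the card emits a fresh code per tap, and the issuer rejects a code that repeats or arrives out of order and disables the card. The HMAC-based code derivation, the transaction counter field names and the test PAN are assumptions of this simulation, not a real scheme.

```python
import hmac
import hashlib

# Constructed demo key; a real issuer derives a per-card key inside an HSM.
CARD_KEY = b"constructed-demo-key-not-a-real-issuer-key"

def dynamic_cvv(key: bytes, pan: str, atc: int) -> str:
    """Stand-in for the card's one-time CVV: a keyed MAC over the PAN and the
    application transaction counter, truncated to three digits (assumed scheme)."""
    digest = hmac.new(key, f"{pan}:{atc}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class ContactlessCard:
    """Simulated card: every tap bumps the counter and emits a fresh code."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0
    def tap(self) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "cvv": dynamic_cvv(self.key, self.pan, self.atc)}

class Issuer:
    """Issuer-side check: the code must verify and the counter must strictly
    increase; a repeated or out-of-order code disables the card."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc: dict[str, int] = {}   # pan -> highest counter accepted
        self.disabled: set[str] = set()
    def authorize(self, tx: dict) -> str:
        pan = tx["pan"]
        if pan in self.disabled:
            return "declined: card disabled"
        expected = dynamic_cvv(self.key, pan, tx["atc"])
        if not hmac.compare_digest(tx["cvv"], expected):
            return "declined: bad cvv"
        if tx["atc"] <= self.last_atc.get(pan, 0):
            self.disabled.add(pan)           # replay or wrong order: cloned data
            return "declined: replay, card disabled"
        self.last_atc[pan] = tx["atc"]
        return "approved"

def demo() -> list:
    """Genuine tap, then the same skimmed code replayed, then the real card."""
    card = ContactlessCard("4111111111111111", CARD_KEY)  # constructed test PAN
    issuer = Issuer(CARD_KEY)
    first = card.tap()
    return [issuer.authorize(first),        # "approved"
            issuer.authorize(dict(first)),  # "declined: replay, card disabled"
            issuer.authorize(card.tap())]   # "declined: card disabled"
```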

According to a smart card expert I know, Square and the card issuer bank are also to blame for this working (and it would not work with European banks and other payment services). Also, the sum was so low that the payment company might not do all the checks it does for bigger sums of money. In cards where things are built well, there is a different card number for normal swipe card use and for contactless operation. The contactless number would fail to work if you tried to pay with its code on a terminal that swipes the card. So the security holes are not as big and bad as they seem based on those hacking news stories.

209 Comments

  1. Tomi Engdahl says:
    Stripe Lands Apple in Quest for $720 Billion in Payments
    http://www.bloomberg.com/news/2014-09-17/stripe-lands-apple-in-quest-for-720-billion-in-payments.html

    Apple Inc. (AAPL)’s list of partners for its new Apple Pay service reads like a Who’s Who of the payments world, including Visa Inc. and First Data Corp.

    Then there’s Stripe Inc.

    Getting included on Apple’s list was a coup for the five-year-old startup, which will enable mobile applications to work with Apple Pay. It’s the latest success for Stripe, which is also powering an e-commerce feature for Twitter Inc., working with Alibaba Group Holdings Ltd.’s Alipay, and helping thousands of other companies process online and mobile payments.

    The challenge for San Francisco-based Stripe is fending off EBay Inc.’s PayPal and traditional financial companies that are barreling into mobile payments. The burgeoning market — with global spending on commerce via handheld gadgets set to reach $720 billion in 2017, up from $300 billion this year, according to IDC — has brought on a crowded field of competitors.

    “We’re hugely excited about the Apple announcement, but this is just another step along the way,” said Patrick Collison, 26, who along with his brother, John, 24, founded Stripe in 2009.

  2. Akilah says:
    This page truly has all the information and facts I
    wanted about this subject and didn’t know who
    to ask.
  3. Danh bai says:
    Good day very cool website!! Man .. Beautiful .. Wonderful ..
    I’ll bookmark your web site and take the feeds also? I’m happy to find so
    many helpful info right here within the publish, we’d like work out extra techniques
    on this regard, thanks for sharing. . . . . .
  4. Tomi Engdahl says:
    Payment security vastly improved when you DON’T ENTER your BANK DETAILS
    Entering randomly generated ‘tokens’ makes it safer – report
    http://www.theregister.co.uk/2014/09/30/payments_security_vastly_improved_by_tokenisation_according_to_report/

    Developments around “tokenisation” should help to “instil confidence in a payments environment challenged by more frequent data breaches” and fraud, according to a report released by the Federal Reserve Bank of Boston.

    The June 2014 report from the US Federal Reserve’s Mobile Payments Industry Workgroup (MPIW), which was released on 24 September (16-page/320KB PDF), defined tokenisation as the process of “randomly generating substitute value to replace sensitive information”.

    The report said: “When used for financial transactions, tokens replace payment credentials, such as bank account and credit/debit card numbers. The ability to remove actual payment credentials from the transaction flow can improve the security of the payment and is a key benefit of tokenisation.”

    However, the report said some “hurdles” remain before tokenisation receives broad adoption by industry, “particularly around standards and coordination of the different solutions”.

    According to the report, “the key goal of tokenisation” is to protect the 13 to 19-digit primary account number (PAN) embossed on a plastic bank or credit card and encoded on the card’s magnetic strip. “The PAN identifies the card issuer in the first six digits, known as the bank identification number (BIN), as well as the individual cardholder account (generally the final four digits), and includes a check digit for authentication.”

    Tokenisation “eliminates the need for merchants to store the full PAN on their network systems for exception processing or to resolve disputes”

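An added example (not from the article or the Federal Reserve report) of what the comment above describes: a merchant keeps only a random token, the BIN and the last four digits, while the full PAN lives in a vault; the PAN is validated (length and the Luhn check digit the report mentions) before it is ever stored. The in-memory vault and the hex token format are assumptions of this example.

```python
import re
import secrets

def luhn_valid(pan: str) -> bool:
    """Verify the PAN's trailing check digit with the Luhn mod-10 algorithm."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stand-in for a token service provider: the merchant stores the token,
    BIN and last four; only the vault can map a token back to the PAN."""
    def __init__(self):
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # same card -> same token

    def tokenize(self, pan: str) -> dict:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = self._token_by_pan.get(pan)
        if token is None:
            token = secrets.token_hex(8)   # random, not derived from the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return {"token": token, "bin": pan[:6], "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the vault (never the merchant) performs this lookup."""
        return self._pan_by_token[token]
```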
  5. Tomi Engdahl says:
    How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks
    http://www.wired.com/2014/09/ram-scrapers-how-they-work/

    Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson’s and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system.

    RAM scrapers—used recently in the Target and Home Depot breaches to net the hackers data on more than 100 million bank cards collectively—are not new. VISA issued a warning to retailers about their use in 2008. But they’ve become increasingly sophisticated and efficient at stealing massive caches of cards.

    They’ve also become more ubiquitous as developer kits for building them—from a starter stub that is easily customized from a menu of features—have pushed scrapers into the mainstream and made them accessible to a wider swath of hackers. Need something to exfiltrate data from your victim’s network to a server in Minsk? Check. Want a turnkey solution for managing your command-and-control server in Mumbai? The kits have got that covered, too.

    RAM scrapers can be installed remotely on a Big-Box retailer’s network and deployed widely to dozens of stores in a franchise.

  6. Judson says:
    Hello very cool web site!! Man .. Excellent .. Superb ..
    I will bookmark your blog and take the feeds additionally?

    I’m satisfied to search out a lot of useful info here within the submit,
    we want develop extra techniques in this regard, thank you for
    sharing. . . . . .
