Credit card (in)security issues

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The fraud begins with either the theft of the physical card or the compromise of data associated with the account (card account number and/or verification codes).

Skimming is the theft of credit card information used in an otherwise legitimate transaction. Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. The technology needed to read the contents of the magnetic strip is pretty simple. Usually a miniature camera or a fake keypad placed over the original one is used to read the user’s PIN at the same time. Skimming is usually very difficult for the typical cardholder to detect. The All About Skimmers article series covers ATM skimmers, gas pump skimmers and other related fraud devices.

Skimming has been in the news in Finland lately. Police have revealed some details of the hard-to-detect skimming devices that have been found installed on tens of ATMs around Finland. The articles Ovela huijaus Otto-automaateilla – huomaatko eron kuvissa?, Kummassa pankkiautomaatissa on huijauslaite? and Skimmaajat teettivät erikoislaitteita Suomen oloihin show pictures of an ATM with and without a skimming device. These devices, custom made for Finnish ATMs, are really hard to detect. According to the articles, thousands of ATM cards have been compromised and used to steal several hundred thousand euros. Look carefully next time you use an ATM.


Throughout Europe the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing. PINs were widely introduced at the same time as EMV chips on the cards. In Finland the PIN codes that come with the card are predefined by the card issuer. In some countries, with some banks, customers can freely choose them. The Security of Self-Selected PINs Is Lacking article tells that a Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own keys. There is every incentive for the bad guys to try guessing PINs on every card that they steal: “A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234”. Their report traces an idiosyncratic history of the use of passwords by financial institutions. The researchers wrote that there were two lessons to be drawn from their study. First, customers should never use their date of birth as a PIN or password. Second, banks should institute blacklists of common passwords, or prohibit user selection of passwords entirely.
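The two lessons above translate directly into an issuer-side policy check. The following is an added example, not code from the article or from the Cambridge paper it cites: it rejects a denylist of common PINs, trivial repeated or sequential digits, any PIN that reads as a date, and PINs derived from the customer's own date of birth. The denylist and the date heuristics are constructed assumptions for illustration; a real issuer would build the list from its own PIN frequency data.

```python
"""Added example (not from the article or the Cambridge study): an
issuer-side PIN policy check implementing "no date of birth" and
"blacklist common PINs" for 4-digit PINs."""
from datetime import date
from typing import Optional, Tuple

# Constructed denylist (assumption): the kind of choices the article calls
# "really dumb", such as 1111 and 1234, plus keypad-column patterns.
COMMON_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
    "2222", "6969", "9999", "3333", "5555", "6666", "1122", "1313",
    "8888", "4321", "2001", "1010", "2580", "0852",
}


def is_repeated(pin: str) -> bool:
    """All four digits identical, e.g. 1111."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """Ascending or descending run of consecutive digits, e.g. 0123 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def looks_like_date(pin: str, today: Optional[date] = None) -> bool:
    """True if the PIN reads as DDMM, MMDD or a year from 1900 up to today."""
    today = today or date.today()
    a, b = int(pin[:2]), int(pin[2:])
    ddmm = 1 <= a <= 31 and 1 <= b <= 12
    mmdd = 1 <= a <= 12 and 1 <= b <= 31
    year = 1900 <= int(pin) <= today.year
    return ddmm or mmdd or year


def derived_from_birthdate(pin: str, birthdate: date) -> bool:
    """PIN equals an obvious 4-digit rendering of the customer's birth date."""
    d, m, y = birthdate.day, birthdate.month, birthdate.year
    forms = {
        f"{d:02d}{m:02d}", f"{m:02d}{d:02d}", f"{y:04d}",
        f"{m:02d}{y % 100:02d}", f"{d:02d}{y % 100:02d}",
        f"{y % 100:02d}{m:02d}",
    }
    return pin in forms


def check_pin(pin: str, birthdate: Optional[date] = None,
              today: Optional[date] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks run from cheapest to most specific."""
    if len(pin) != 4 or not pin.isdigit():
        return False, "format"
    if pin in COMMON_PINS:
        return False, "common"
    if is_repeated(pin):
        return False, "repeated"
    if is_sequential(pin):
        return False, "sequential"
    if looks_like_date(pin, today):
        return False, "date"
    if birthdate is not None and derived_from_birthdate(pin, birthdate):
        return False, "birthdate"
    return True, "ok"


if __name__ == "__main__":
    # Constructed customer record: born 14 June 1982.
    for candidate in ("1234", "9876", "3107", "0682", "8392"):
        print(candidate, check_pin(candidate, birthdate=date(1982, 6, 14)))
```

The date heuristic is deliberately broad: it rejects roughly 7% of the 4-digit space, which costs the customer almost nothing but removes the guesses a thief would try first.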

Proximity payments are coming. The Pay-by-wave: At least it’s better than being mugged article tells that the public thinks paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments. Today’s proximity payment systems are based on the NFC standard, which uses a radio connection at 13.56 MHz for short-range peer-to-peer communications. The same frequency is used by RFID tags, in a simpler way, but NFC is a good deal more complicated, and expensive. Proximity payments are implemented in smartphones and contactless credit cards.


Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets article tells that contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay.

The Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets and Shmoocon Demo Shows Easy, Wireless Credit Card Fraud articles tell that some contactless cards have serious security holes. Paget, a well-known security researcher for the consultancy Recursion Ventures, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. A commercially available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. She flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?”. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. Paget’s firm has been working on a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. So it sounds like this hacking demonstration was just a marketing gimmick for their product.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. To fight fraud, contactless cards do offer one security feature traditional cards don’t: along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code, or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once.

According to a smart card expert I know, Square and the card issuer bank are also to blame for this working (it would not work with European banks and other payment services). Also, the sum was so low that the payment company might not do all the checks it does for bigger sums of money. In cards where things are built well, there is a different card number for normal swipe card use and for contactless operation. The contactless number would fail to work if you tried to pay with it on a terminal that swipes the card. So the security holes are not as big and bad as they seem based on those hacking news.
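The two issuer-side controls described in the last two paragraphs, one-time CVV codes that must arrive in order and a separate card number that only works on the contactless channel, can be modelled in a few dozen lines. The following is an added example, not code from the article, from Square or from any card network: a toy issuer that declines a contactless number presented on a swipe terminal, accepts a fresh dynamic CVV once, and disables the card on reuse or out-of-order use. The card record, the transaction counter sent with each request and the HMAC-based CVV derivation are constructed assumptions; real cards compute the dynamic code inside the chip.

```python
"""Added example (not from the article, Square or any card network):
issuer-side authorization with channel-bound card numbers and an
in-order, single-use dynamic CVV."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List


@dataclass
class CardRecord:
    pan_swipe: str          # number encoded on the magnetic stripe
    pan_contactless: str    # separate number used only for contactless taps
    static_cvv: str         # CVV for the stripe channel
    secret: bytes           # per-card key (constructed; held in the chip in reality)
    next_counter: int = 0   # lowest transaction counter still acceptable
    disabled: bool = False


def dynamic_cvv(secret: bytes, counter: int) -> str:
    """Constructed 3-digit one-time code keyed on the transaction counter."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Issuer:
    def __init__(self) -> None:
        self.routes = {}  # card number -> (record, the only channel it is valid on)

    def enroll(self, card: CardRecord) -> None:
        self.routes[card.pan_swipe] = (card, "swipe")
        self.routes[card.pan_contactless] = (card, "contactless")

    def authorize(self, pan: str, channel: str, cvv: str, counter: int = 0) -> str:
        entry = self.routes.get(pan)
        if entry is None:
            return "decline:unknown-card"
        card, expected_channel = entry
        if card.disabled:
            return "decline:card-disabled"
        # A contactless number on a swipe terminal (or vice versa) is declined
        # outright, so stripe data copied from a tap never works.
        if channel != expected_channel:
            return "decline:wrong-channel"
        if channel == "swipe":
            return "approve" if cvv == card.static_cvv else "decline:bad-cvv"
        # Contactless: a counter at or below one already consumed means the
        # code was reused or presented out of order; disable the card.
        if counter < card.next_counter:
            card.disabled = True
            return "decline:replay-card-disabled"
        if cvv != dynamic_cvv(card.secret, counter):
            return "decline:bad-cvv"
        # Gaps are tolerated (a tap may never reach the issuer), but nothing
        # at or below this counter will be accepted again.
        card.next_counter = counter + 1
        return "approve"


def demo() -> List[str]:
    """Run the onstage scenario against this issuer with constructed data."""
    issuer = Issuer()
    card = CardRecord("4000000000000002", "4000000000000010", "123", b"k-demo")
    issuer.enroll(card)
    code = dynamic_cvv(card.secret, 5)  # the one-time code a terminal sees at tap 5
    return [
        issuer.authorize(card.pan_contactless, "swipe", code, 5),        # copied to a stripe
        issuer.authorize(card.pan_contactless, "contactless", code, 5),  # first use
        issuer.authorize(card.pan_contactless, "contactless", code, 5),  # reuse
        issuer.authorize(card.pan_contactless, "contactless",
                         dynamic_cvv(card.secret, 6), 6),                # genuine card afterwards
    ]


if __name__ == "__main__":
    print(demo())
```

The last result in `demo()` is the cost the article hints at: once the issuer disables the card after a replay, the genuine cardholder is declined too, which is why the detection has to be paired with reissuing the card rather than being the only control.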


  1. Tomi Engdahl says:

    Crypto-Currency Market Capitalizations

    Total Market Cap: $ 8,647,665,810

  2. Tomi Engdahl says:

    Bloomberg anchor displays bitcoin on TV, immediately gets robbed by viewer

    Bloomberg TV provided viewers with an important lesson in digital currency when one of its anchors had a gift card stolen while showing it during a live broadcast.

    On Friday, December 20, Matt Miller surprised his two fellow anchors – Adam Johnson and Trish Regan – with bitcoin gift certificates during his “12 Days of Bitcoin” segment. Johnson then flashed his certificate on the screen for roughly 10 seconds – more than enough time for a Reddit user to scan the digital QR code with his phone and take the gift for himself.

    “The guy that is hosting the series gave bitcoin gift certificates to the other two hosts. One of them opens up the certificate to reveal QR code of the private key,” he wrote. “They then proceeded to show a closeup of the QR code in glorious HD for about 10 seconds. Hilarious.”

    “I took it, it was only $20 worth. It was exhilarating nevertheless”

    Although milywaymasta offered to return the cash, Miller followed up with the user on Reddit, stating that it would not be necessary.

    “So freaking classic but also a GREAT lesson in bitcoin security!” he wrote. “You can keep the $20 – well earned.”

  3. Tomi Engdahl says:

    Bitcoin Exchanges Shut Down in India After Government Warning

    Bitcoin is once again feeling the squeeze from government regulators. This time, the crunch comes in India, where multiple online exchanges have suspended operations following a warning against the digital currency from the country’s central bank and, according to a local report, authorities have raided the home of the man who oversaw the largest of these exchanges.

    Coming little more than a week after the Chinese government launched its own crackdown on Bitcoin exchanges, the news bathes the world’s most popular digital currency in an unflattering light, but these are the expected growing pains for a technology that is still less than five years old.

    “We are suspending buy and sell operations until we can outline a clearer framework with which to work,” reads a notice on the site. “This is being done to protect the interest of our customer.”

  4. Tomi Engdahl says:

    Exclusive: Target hackers stole encrypted bank PINs – source

    The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.

    One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.

    Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.

    Target has not said how its systems were compromised, though it described the operation as “sophisticated.”

    JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman was not available for comment on Tuesday.

    Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.

    “That’s a really extreme measure to take,” said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. “They definitely found something in the data that showed there was something happening with cash withdrawals.”

    While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.

    As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital “key” used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

    In other cases, hackers can get PINs by using a tool known as a “RAM scraper,” which captures the PINs while they are temporarily stored in memory, Clemens said.

  5. Tomi Engdahl says:

    Cash machines raided with infected USB sticks

    Researchers have revealed how cyber-thieves sliced into cash machines in order to infect them with malware earlier this year.

    The criminals cut the holes in order to plug in USB drives that installed their code onto the ATMs.

    Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.

    The crimes also appear to indicate the thieves mistrusted each other.

    The two researchers who detailed the attacks have asked for their names not to be published.

    After surveillance was increased, the bank discovered the criminals were vandalising the machines to use the infected USB sticks.

    Once the malware had been transferred they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.

  6. Tomi Engdahl says:

    Yes, There’s Kanye West-Themed Crypto-Currency

    In the future, every major celebrity will have a crypto-currency named after him or her.

    Bitcoin, the world’s most popular crypto-currency, is based on an open-source protocol; and because it’s peer-to-peer without a central server or bank, it’s theoretically possible for anyone with the right combination of tools and knowhow to use the underlying code as the foundation for their own crypto-currency. Which is exactly what a bunch of anonymous developers have done with the new “Coinye West,” an upcoming crypto-currency named after rapper Kanye “I Am a God” West.

    Coinye West isn’t an official production of Kanye West, and the developers are staying anonymous because they probably fear the inevitable copyright lawsuits.

    The recent spike in Bitcoin value has sparked a much broader discussion about the validity of crypto-currencies as a medium of exchange.

  7. Tomi Engdahl says:

    Kanye’s Lawyer Moves to Block Coinye

    Lawyers for Kanye West filed cease-and-desist papers against the seven anonymous coders behind Coinye West, a virtual currency that went from chatroom joke to Internet sensation last week.

    As virtual currencies like bitcoin and litecoin have taken off, copycats have emerged. Some offer slight tweaks to the bitcoin code to account for fraudsters or improve transactions. Others, such as BBQcoin and dogecoin, appear more as jokes than legitimate crypto-currencies.

  8. Tomi Engdahl says:

    Bitcoin me: How to make your own digital currency

    Move over Dogecoin: the Herncoin is here. But what can making your own currency teach you about the world of bitcoin?

  9. Yong Hands says:

    Sweet website , super style and design , really clean and use pleasant.

  10. Tomi Engdahl says:

    Bluetooth Hackers Allegedly Skimmed Millions Via Gas Stations

    Thirteen suspects have been indicted in New York on a gas station skimming scheme that netted them more than $2 million, according to court documents.

    The skimming devices, placed on card readers at gas station pumps throughout the southern U.S., recorded credit and debit card data, as well as PINs, which the thieves then used to withdraw more than $2 million from ATMs.

    Some of the skimming devices were placed on pumps at Raceway and Racetrac gas stations throughout Texas, Georgia, and South Carolina. The devices were Bluetooth enabled, so the thieves could simply download the stolen data from the skimming device without having to remove it.

  11. Tomi Engdahl says:

    US card scammers pull $2m petrol heist
    Skimming operation nets big bucks and serious charges for gang

    US attorneys have charged thirteen people in connection with a massive fraud operation which netted some $2m in stolen funds.

    The Manhattan District Attorney’s office says that four defendants masterminded a plot to install card skimming devices at gas pumps throughout the southern US and then use a network of money mules to withdraw and transfer funds from the stolen cards in a money laundering operation.

  12. Eleanore says:

    If you hit the ground at high speeds with these jackets you’ll be very well protected.

    Though most surgeons will not execute the hymenoplasty treatment for causes of birth, you can
    find some that will so it continues to be incorporated.
    The range of Bajaj Bikes in Chennai will suit to every market
    segment whether its youngsters, adult, old even ladies can safely ride this.

  13. sportscarphoto4.soup.Io says:

    Hello, just wanted to give you a quick heads up. The words in your post seem to be running off the screen in Firefox.
    I’m not sure if this is a format issue or something to do with internet browser compatibility but I thought I’d post to let you know.
    The layout looks great though! Hope you get the issue fixed soon.

  14. research in motion says:

    Unquestionably imagine that that you said. Your favourite reason appeared to be at the
    web the simplest factor to be mindful of. I say to you, I certainly get annoyed even as other people
    think about worries that they just do not realize about.

    You managed to hit the nail upon the top and defined out the whole thing without having side
    effect , people can take a signal. Will probably be back
    to get more. Thank you

  15. Tomi Engdahl says:

    October 2015: The End of the Swipe-and-Sign Credit Card

    Prepare to say farewell to the swipe-and-sign of a credit card transaction.

    Beginning later next year, you will stop signing those credit card receipts. Instead, you will insert your card into a slot and enter a PIN number, just like people do in much of the rest of the world. The U.S. is the last major market to still use the old-fashioned signature system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.

  16. Tomi Engdahl says:

    Credit card of PayPal PRESIDENT cloned by UK crooks
    Tripping the hack scam-plastic

    PayPal president’s credit card got hacked on a UK visit, the victim revealed on Twitter.

    David Marcus said that an unidentified criminal used a skimming device and his credit card was cloned before “tons” of fraudulent transactions were made.

    “My card (with EMV chip) got skimmed while in the UK.”

  17. Tomi Engdahl says:

    Swedish police would like every bank card user to perform a small trick so that the card is better protected from con artists: the CVV (Card Verification Value) code should be covered, if not scraped off completely. The card holder’s name, the number on the front and the CVV on the back are in fact the only information e-shopping usually requires. If the CVV code is displayed, it is easy for fraudsters to scan or photograph the card. Covering the three-digit number on the rear side is a simple way to prevent a crime.

    When the code is not visible, the card cannot be taken advantage of, for example, in on-line purchases. Some online shops only need the debit card number, expiration date and CVV code for shopping.

    OP Pohjola Finance Manager Kasimir Hirn and Swedish Bankers’ Association chief financial Leif Trogen are critical of the bank card protection trick proposed by the Swedish police.

    OP Pohjola Finance Manager Kasimir Hirn points out that the payment card holder does not have permission to access the payment card physically. For example, scratching can damage the card. A taped card can jam inside ATMs and payment terminals.

    - Retailers are not obliged to accept treated/modified cards

    - The CVV code has to be displayed, or the card is invalid.

    - The most important thing is to keep the card firmly in your possession and PIN in your mind.

    Bankers’ Association chief financial Leif Trogen believes that the banks’ security systems in Sweden are safe enough without any extra gimmicks. If someone obtains card information fraudulently and manages to take money from the victim’s account, the bank will reimburse the card holder.

    Sources: Iltalehti

  18. Tomi Engdahl says:

    360 million newly stolen credentials on black market: cybersecurity firm

    A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

  19. Tomi Engdahl says:

    Mastercard, Syniverse target holiday payment security with mobile verification system
    Not in Bora Bora? Crooks can’t use your credit card there

    It’s ironic that when people are abroad so many people switch off their mobile phones’ data and so many banks switch off customers’ credit cards.

    You’ll have heard of Mastercard but are less likely to know about Syniverse unless you work in the mobile industry. The firm is a kind of central broker for mobile phone networks that want to deal with lots of other networks without having to set up individual arrangements one at a time.

    When you move your mobile phone number from one network to another, the protocols to do this probably go through Syniverse.

    The new project allows the Mastercard network to tap into the data in mobile phone networks to establish that a credit card being used abroad is kosher.

    The tie-up between Mastercard and Syniverse allows customers to register their mobile phone number with their credit card company
    the system checks the Visitor Location Register to make sure the phone is where the card is.

    There are no mechanisms used to check the position of the phone and card more accurately such as Cell ID, triangulation or correlating phone and point-of-sale locations. Other checks will still be in place

  20. Tomi Engdahl says:

    Diebold Deploys First ATM Without Card Reader Or PIN Pad

    An automated teller machine (ATM) with no card reader. Pre-staged withdrawals on smartphones. Cardless transactions. And everything managed via the cloud. A new era of banking, inspired by the Millennial generation, is dawning at Diebold Federal Credit Union (DFCU), where an innovative ATM from Diebold, Incorporated (NYSE: DBD) and a mobile wallet solution are allowing members to complete self-service transactions and make retail purchases without using physical debit or credit cards.

    DFCU is piloting the world’s first ATM without a card reader or PIN pad that relies solely on mobile authentication. When a consumer scans a unique QR code at the ATM using a smartphone, the ATM authenticates the user via cloud-hosted services to enable secure, cardless transactions. With no card or PIN required, the solution eliminates the threats of card skimming and shoulder surfing at the ATM.

  21. online payment system says:

    Hey! I know this is somewhat off topic but I was wondering which blog platform are you using for this site?
    I’m getting fed up with WordPress because I’ve had problems with hackers and I’m looking at options for another
    platform. It would be awesome if you could point me in the direction of a
    good platform.

    • Tomi Engdahl says:

      I use the WordPress platform.
      It is a good platform when you configure it correctly, remember backups and remember to keep it up to date.
      Those same points apply to other major blogging platforms as well…
      You can get hacked with any major platform if you set it up incorrectly and forget to update it when needed (especially if some security issue comes up in the news).

  22. Tomi Engdahl says:

    Chip and SKIM: How dodgy crypto can leave shoppers open to fraud
    Cambridge uni gurus to present debit, credit PIN card findings today in San Jose

    UK academics today describe how criminals can forge chip-and-PIN card transactions and spend other people’s money for free.

    The team of University of Cambridge experts say their technique exploits a cryptographic weakness in some devices implementing the EMV (aka chip’n’PIN) standard. And they’re confident they’ve found a separate flaw in the EMV design, too.

    “Because the transactions look legitimate, banks may refuse to refund victims of fraud,” warned team member Steven J. Murdoch.

    As per the EMV standard, cash machines (ATMs) generate for each transaction a nonce – a supposedly unpredictable 32-bit number. This is supposed to add freshness to ensure transactions can’t be replayed by fraudsters.

    But it turns out some EMV terminals use counters, timestamps or crap homegrown algorithms to generate the nonces. These values are not particularly random, so this exposes victims to a “pre-play” attack that is indistinguishable in the bank’s records from using a perfect physical copy of the card.
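The weak generators named in the comment above, counters and timestamps, leave a signature in the transaction logs that an acquirer or auditor can look for without touching the terminal. The following is an added example, not code from the article or from the Cambridge team: a heuristic audit over the 32-bit unpredictable numbers a terminal has logged that flags fixed-stride counters, monotonically increasing timestamp-like values, repeated nonces, and samples in which most bits never change. The three sample sequences are constructed; a real audit would pull them from authorization records. This is a screening check, not a substitute for a proper randomness test suite.

```python
"""Added example (not from the article or the Cambridge work): screen a
terminal's logged 32-bit unpredictable numbers for counter, timestamp,
repeat and low-entropy patterns."""
import random
from typing import List

MASK32 = 0xFFFFFFFF


def varying_bits(uns: List[int]) -> int:
    """Count bit positions that take both values somewhere in the sample."""
    ored, anded = 0, MASK32
    for u in uns:
        ored |= u
        anded &= u
    # A bit varies iff it is 1 in at least one value and 0 in at least one.
    return bin(ored & ~anded & MASK32).count("1")


def audit_unpredictable_numbers(uns: List[int], min_varying_bits: int = 24) -> List[str]:
    """Return findings for a terminal's logged unpredictable numbers."""
    if len(uns) < 3:
        return ["too-few-samples"]
    findings = []
    deltas = [b - a for a, b in zip(uns, uns[1:])]
    if len(set(deltas)) == 1 and deltas[0] != 0:
        findings.append("counter")      # fixed stride, e.g. +1 per transaction
    elif all(d > 0 for d in deltas):
        findings.append("monotonic")    # timestamp-like: only ever increases
    if len(set(uns)) != len(uns):
        findings.append("repeat")       # a reused nonce gives no freshness at all
    if varying_bits(uns) < min_varying_bits:
        findings.append("low-entropy")  # most of the 32 bits are effectively fixed
    return findings


# Constructed samples (assumption): a counter-based terminal, a terminal
# that uses a Unix timestamp, and one drawing from a seeded PRNG here so the
# example is reproducible offline.
COUNTER_UNS = [0x00001234 + i for i in range(16)]
TIMESTAMP_UNS = [1388534400 + d for d in (0, 37, 95, 140, 212, 260, 333, 401)]
_rng = random.Random(7)
RANDOM_UNS = [_rng.getrandbits(32) for _ in range(16)]


if __name__ == "__main__":
    for name, sample in (("counter", COUNTER_UNS), ("timestamp", TIMESTAMP_UNS),
                         ("random", RANDOM_UNS)):
        print(f"{name:10s} {audit_unpredictable_numbers(sample)}")
```

Sixteen samples are enough to catch the gross defects described; with that many independent 32-bit values the chance of any one bit position being constant is about one in 30,000, so a `low-entropy` finding on a larger log is a strong signal rather than noise.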

  23. Alexandria says:

    In fact no matter if someone doesn’t understand afterward its up
    to other people that they will help, so here it happens.

  24. Art says:

    Hi there! I just wanted to ask if you ever have any
    issues with hackers? My last blog (wordpress) was hacked and I ended up losing several weeks of hard work due to no back up.

    Do you have any methods to stop hackers?

    • Tomi Engdahl says:

      You can get hacked with any major platform if you set it up incorrectly and forget to update it when needed (especially if some security issue comes up in the news).

      The methods to stop hackers are to keep the platform up-to-date and all the security related settings correct (meaning passwords set correctly, only secure services running etc.). And then make sure you have a regular back-up procedure (taking backups, knowing how to restore from them and making sure those steps work) that you run often enough that you don’t lose too much and can recover easily if hackers hit your blog.

      The proper way to run a web site or blog is to make reasonable efforts so that the site is not easy to hack into, and have a plan for how to easily recover when some day some hacker hits your system (make a plan so that recovering from it is not a disaster, just some reasonable amount of extra work for you or some admin you pay for the maintenance).

  25. Tomi Engdahl says:

    Safari in iOS 8 uses camera to scan and enter credit card info

    In iOS 8, Apple has a new feature in Safari that allows users to scan a credit card with the device’s camera rather than manually entering the number when making a purchase online.

    Website developers don’t have to do anything to enable the feature, as Safari appears to automatically detect when a credit card number is being requested and presents the option to scan above the keypad.

  26. Tomi Engdahl says:

    AT&T wants to improve payment card fraud prevention with phone geolocation
    The operator expects to make a new service available to enterprise customers later this year

    AT&T plans to test a service allowing payment card providers to access the location of a customer’s phone to improve the accuracy of fraud prevention systems for transactions made abroad.

    The service is part of AT&T’s Location Information Services portfolio, and allows businesses to access network data to locate a device to authenticate a user’s location, helping to protect against potential fraud. For the fraud protection to work, users will first have to opt in, AT&T said.

    A credit card company can use the service to confirm someone has traveled to a new country as soon as they land and turn on their phone. The goal is to help credit card companies make more informed decisions, such as whether to approve or decline purchases made abroad.

    Between 50 percent and 80 percent of declined transactions are actually legitimate, but they are turned down by financial institutions for security reasons, according to Mastercard.

    AT&T’s service is based on the operator’s Mobile Identity API Toolkit, which launched in December last year.

  27. Tomi Engdahl says:

    Banks: Credit Card Breach at P.F. Chang’s

    Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide.

    The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

    The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems.

  28. Tomi Engdahl says:

    EMV Chips in 70% of Credit Cards by 2015

    Increasing fraud rates will push issuers to migrate customers to EMV-enabled cards before the October 2015 liability shift on card-present transactions, Aite Group says.

    Credit card with EMV chip.

    Rising card fraud will drive issuers to migrate 70% of credit cards in the US to EMV (Europay, MasterCard, and Visa*) by October 2015, along with 41% of debit cards, a new report by Aite Group predicts. Credit card fraud rates have doubled since 2007, and debit card fraud is also rising sharply, according to the report.

    The beginning of October 2015 is when Visa will implement a liability shift on card-present transactions.

  29. Moses says:

    Fantastic post but I was wondering if you could write a little more on this subject?

    I’d be very grateful if you could elaborate a little bit more.

  30. Tomi Engdahl says:

    Square Bets Big on Next-Gen Credit Card Tech

    Square first came to fame with a credit card reader you could plug into your iPhone jack. But next year, the company’s signature device will be on its way to obsolescence as the U.S. transitions to a new kind of credit card that verifies purchases with an embedded computer chip.

    In anticipation of this sweeping change in the way Americans pay, Square designers and engineers have been working on new hardware

    The change happens in October 2015, when credit card companies will start cajoling merchants to accept cards that work via a more secure embedded chip rather than the classic—and classically easy to hack—stripe on the back of every card now. In what’s being called the great “liability shift,” the major card networks—Visa, Mastercard, American Express, Discover—say merchants who don’t offer a way to accept the new chip-based cards, also known as EMV cards, by the deadline will be responsible for any fraud they suffer as a result, not the card companies.

    The big challenge in making the shift is that every business that takes credit cards will need to buy new hardware capable of reading the new cards. Chip-card readers aren’t new—EMV has been in use for years in Europe, Canada, Asia, and Latin America

    It’s this heightened security that is motivating the credit card industry to push for the switch, and some big stores have already started.

    Goodbye to the Swipe

    One of the biggest pieces of internal gadgetry needed to accept chip-based cards is a battery. The cards themselves don’t carry a power source. They rely on readers to power the chips,

    So, the new Square reader comes equipped with a super-thin battery and a mini-USB port to charge it, a feature its stripe-only reader doesn’t require.

    The one major feature that will be missing from the new reader will be an additional layer of security from which the popular nickname for EMV comes: “chip and PIN.” The most secure chip-based card systems also require a PIN instead of an easily forged signature to verify the identity of the cardholder. Dorogusker says that, in the U.S., card issuers aren’t requiring PINs as part of the transition, so merchants who take Square will use a “chip and signature” system.

    To be sure, a keypad for entering PINs would make the reader too large for use with smartphones.

  31. Tomi Engdahl says:

    Square readies new Reader with chip-and-PIN card support ahead of EMV adoption in the US

  32. Tomi Engdahl says:

    Black Hat 2014: A New Smartcard Hack

    According to new research, chip-based “Smartcard” credit and debit cards—the next-generation replacement for magnetic stripe cards—are vulnerable to unanticipated hacks and financial fraud. Stricter security measures are needed, the researchers say, as well as increased awareness of changing terms-of-service that could make consumers bear more of the financial brunt for their hacked cards.

    The work is being presented at this week’s Black Hat 2014 digital security conference in Las Vegas. Ross Anderson, professor of security engineering at Cambridge University, and co-authors have been studying the so-called Europay-Mastercard-Visa (EMV) security protocols behind emerging Smartcard systems.

    “Any forged signature will likely be shown to be a forgery by later expert examination,” Anderson wrote in his ACM article. “In contrast, if the correct PIN was entered the fraud victim is left in the impossible position of having to prove that he did not negligently disclose it.”

    And PIN authentication schemes, Anderson says, have a number of already discovered vulnerabilities, a few of which can be scaled up by professional crooks into substantial digital heists.

  33. Tomi Engdahl says:

    Why Jack Dorsey Killed The Square Credit Card

    Square, the payments startup from Twitter cofounder Jack Dorsey, has prototyped a Square credit card. The plastic card is all black, and save for the card holder’s name emblazoned on the face, features no logos–not even Square’s. Over the past year, multiple sources indicate Square employees have been carrying the card–seen here below, partially blurred to protect the card holder’s identity–around in their wallet.

    However, despite buzz about the potential of a Square credit card, other company sources indicate the project was recently killed.

    The company eventually realized a digital-only solution might be too ahead of its time, so Square began considering whether it could bring innovation to plastic bank cards instead. The benefits were obvious: The company could bring its design savvy to the space, attracting new consumers to its platform to gain more payments data while up-selling them on rewards programs, which have long been a boon to the bottom lines of credit card companies (not to mention hotels, airlines, and other credit card partners).

    After the idea gained momentum with the leadership team, Square created its concept Square credit card: a non-branded, black plastic card.

    when employees got their hands on it, one insider says, they found it “extremely appealing,”

    How would Square differentiate from other credit cards in the market? Anyone who has used a Citibank or other credit card knows what a hassle it is not only to keep track of purchases, but to keep up with statements and rewards.

    Yet weeks later, the company, while declining to confirm that a Square credit card ever existed, confirmed to me that it is not launching a credit card, with no further explanation. Multiple sources indicate there are two reasons why that might be the case: a Square credit card would likely alienate Square’s financial partners, and it would also have myriad legal implications for how the company operated. “You can only fight so many battles at the same time,” one source told me.

  34. Tomi Engdahl says:

    Americans to be guinea pigs in vast chip-and-PIN security experiment
    PSA: If you really want to steal millions – embarrass the banks enough

    Black Hat 2014 Next year US banks will begin a wide-scale rollout of chip-and-PIN bank cards, just 11 years after the UK made it mandatory.

    In doing so, Americans will take part in a vast experiment to test chip-and-PIN against chip-and-sign when it comes to stamping out money thieves.

    Not every US bank is keen on the PIN system, so some customers will get chip-and-sign cards instead.

    The results of the split approach will be studied by security experts to determine the pros and cons of each system

    Singapore is another country that prefers chip-and-signature

    Chip-and-PIN systems aren’t perfect
    there was a recess that gave access to the motherboard.
    By drilling at a precise point, the team was able to install a wiretap that recorded all transaction data.

    It turns out that the recess was intended to hold extra cryptographic electronics, but the banks decided they didn’t need it. Prof Anderson alerted the banking industry to the problem, but was told it wasn’t a serious issue.

    The American experiment in chip-and-PIN and chip-and-signature will produce some very interesting data, but if the experience in the UK is anything to go by, it won’t kill card fraud by any means, Anderson said. While chip and PIN did cut some types of crime, crooks got smart – with some potentially fatal consequences for victims.

    For example, while point-of-sale fraud fell after the UK rollout of chip and PIN, online fraud rocketed. To combat this, banks gave customers a little gadget into which one can insert their card, type in a valid PIN, and generate a one-time access code for verifying an internet transaction
    These devices are pretty popular with criminals, too.

    He warned that banks were changing their terms and conditions to make consumers liable for fraudulent use of smart-cards and, unless regulators get involved

  35. Tomi Engdahl says:

    Amazon Just Launched A Square-Killer Credit-Card Reader

    SAN FRANCISCO (Reuters) – Inc unveiled a $10 credit-card reader and mobile app for brick-and-mortar businesses on Wednesday, marking the latest step by the U.S. online retailer to expand its presence in the physical world.

    The move pits Amazon against a slew of rivals, including startup Square, which popularized a payments dongle that allowed small- and mid-sized businesses like food trucks, coffee shops and personal trainers to quickly accept credit and debit cards.

    The new point-of-sale system, called Amazon Local Register, would give Amazon crucial data on how U.S. consumers shop offline. More than 90 percent of U.S. retail sales still take place in physical stores, according to U.S. government data.

  36. Tomi Engdahl says:

    Goodbye, “Everything Store.” Hello, “Everything City.”

    Amazon Local Register offers new card readers and a service that allows small businesses to accept credit card payments.

  37. Tomi Engdahl says:

    Amazon takes swipe at PayPal, Square with card reader for mobes
    Etailer plans to undercut rivals with low transaction fee offer

    Amazon has launched its own mobile payments device and app at a starting price that undercuts existing tech from Square and PayPal.

    Amazon’s “Local Register” popped up in a YouTube video and a dedicated site online before the mega etailer officially announced it.

    The initial launch covers the US, but it’s likely that Amazon will want to spread the service to all of its markets. Square currently operates in the US, Canada and Japan and PayPal Here is available in the US and the UK.

  38. Tomi Engdahl says:

    Coin delays product launch until spring 2015 as questions remain

    The startup behind a smart electronic device that stores credit and debit cards will offer a beta program for 10,000 customers.

    Coin, the makers of an electronic device that works like a credit and debit card by storing information on all of your cards, is taking a pause.

    On Friday, the startup said it’s delaying its full product release until spring of 2015 while it refines the device and works out kinks in manufacturing. Instead, the company says it will ship what it’s calling Coin beta, the latest iteration of the all-in-one card, to the first 10,000 pre-order customers who opt-in to the program.

    The pushed back shipping date is not Coin’s only cause for concern. Complicating the company’s roadmap is the absence of a specialized security microchip that is in the process of being adopted by the US credit card industry.

  39. Tomi Engdahl says:

    Disabling Tap To Pay Debit Cards

    Some people aren’t too crazy about the rush of RFID enabled credit & debit cards, and the problem is, you don’t really have a choice what card you get if the bank sends you a new one! Well if you really don’t like this on your card for whatever reason, it’s pretty easy to disable.

    Simply make a small notch in the edge of your card, or snip off one of the corners. This breaks the antenna and prevents power to the chip when held near a reader — though if you don’t have access to a CT scanner you might want to double-check next time you buy something!

  40. Tomi Engdahl says:

    Coin apologizes to customers, won’t charge beta users $30 to upgrade

    The connected credit card startup apologizes for fumbling the announcement of a delay. Its beta program will be expanded and participants will no longer be charged $30 for the finished product.

  41. Tomi Engdahl says:

    PCI Council wants YOU to give it things to DO
    How about enforcing PCI DSS?

    Crusaders at the Payment Card Industry Security Standards Council have called for submissions into projects for 2015.

    The council is responsible for PCI Data Security Standards (PCI DSS), a – to date – largely failed initiative to impose better credit card processing security by retailers.

    The group was developed by the payment card industry initiatives as a means to target security challenges within the payments sector.

    Proposed topics for examination next year include “daily log monitoring”, PCI DSS mainframe probes, network virtualisation, and certificate and crypto key guidelines.

    Automated teller machines also deserve a look into, according to the group – perhaps given the resurgence of security research in the field that has uncovered evidence of ATMs being loaded with malware and the discovery of smaller and smarter skimmers.

    ‘Pay at the Pump’ petrol swipe slots should also be examined along with contactless payment vending machines that have popped up in recent years.

  42. Tomi Engdahl says:

    How to Protect Yourself From Big Bank-Card Hacks

    With hackers stealing millions of credit and debit card numbers with seeming impunity from Target, Home Depot, and other retailers lately, it might seem as if there’s nothing the average consumer can do to protect themselves.

    But you don’t have to rely on the security of Big Box retailers to shield you. With a couple of precautions, you can dramatically reduce the hassle and expense of a bank card breach if you are hit. Though you can’t guard against every scenario, a little op sec goes a long way.

    Use Prepaid or Single-Use Cards for Ecommerce

    If you have automatic card payments set up for Netflix or your gym membership, you’ll have to cancel the card data for each account and update it when the bank issues you new digits.

    Single-use, or disposable, credit card numbers are tied to your real card number, but can prevent that number from being exposed if a site is hacked. Citibank, Bank of America and Discover all offer disposable card numbers.

    Never Use Debit Cards Except to Withdraw Funds at Bank ATM

    With a credit card, you can always dispute fraudulent charges before you pay them. That’s not the case with a debit card, which is tied directly to your bank account.
    You can still get reimbursement for fraud on a debit card, but it will probably be well after the fact: hackers can drain your funds before you know the card number has been stolen.
    So treat your debit card with extra security. Don’t use it at gas pumps or other spots prone to skimming.

  43. Tomi Engdahl says:

    Visa, MasterCard in Talks with Mobile Wallets for ‘Cardholder Present’ Rate

    With the arrival of Apple Pay yesterday, the mobile wallet industry has been reinvigorated.

    Now, it looks like Visa and MasterCard are looking to advance all mobile wallets by lowering their transaction fees.

    Payments through mobile wallets currently are charged at Visa and MasterCard’s “Card Not Present” rate — which is typically higher than purchases with a credit card in hand, since it adds risk to the transaction. However, the two major payments networks are adding a third category — “cardholder present” rate — for mobile wallet providers to cut their digital transactions costs. The lower price is contingent on the mobile wallet providers integrating their services with biometric sensors, most prominently Touch ID in Apple’s iPhone 5S, 6, and 6 Plus.

    The card-present rate is on average 1.5% of the purchase price. Card-not-present, meanwhile, costs 2.75%.

  44. Tomi Engdahl says:

    Clever trick will safeguard Apple Watch from thieves

    One of the big questions about the Apple Watch is how Apple will prevent thieves from ripping it off your wrist and using it to clear your bank account.

    Because the Apple Watch is connected to Apple Pay — making purchases as easy as a quick swipe — what’s to stop miscreants from abusing it?

    Thanks to sensors on the Apple Watch’s back, the device can tell when it’s being worn and when it has been taken off.

  45. Tomi Engdahl says:

    Apple Pay Details: Apple Gets 0.15% Cut of Purchases, Higher Rates for Bluetooth Payments

    Apple’s ambitious new mobile payment initiative, Apple Pay, was announced on Tuesday during the company’s iPhone event. Many questions still linger about the service, but information is beginning to trickle out from various sources as retailers, banks, and credit card companies prepare for the service’s October launch.

    According to a new report from The Financial Times, Apple stands to make quite a bit of money from its payments service. Banks and payment networks will be forking over 0.15 percent of each purchase to Apple, which equates to 15 cents out of a $100 purchase.

    According to bank executives, Apple was able to negotiate with so many partners and receive choice deals because the industry didn’t see anything threatening in Apple Pay.

    Along with the cryptogram generated between a standard debit or credit card and a point of sale terminal, Apple Pay takes advantage of a token system that encrypts every step of the payment process. Tokenization is already built into the standard NFC specification, so what Apple is really doing is utilizing existing technology and further securing it with its own Touch ID fingerprint authorization system.

    Every card added to Apple Pay (and located in Passbook) is assigned a token, which Apple calls a Dynamic Account Number. Each Dynamic Account Number is stored in the secure element of the iPhone and accompanied by a unique cryptogram for each transaction.

    The token system essentially provides an extra layer of security to payments made through NFC, which, as mentioned earlier, allows merchants to pay a lower “card present” rate for NFC purchases. Merchants still pay the higher “card-not-present” rate when payments are made over Bluetooth LE rather than NFC, however, or when a purchase is made in-app using Apple Pay.

  46. Tomi Engdahl says:

    PayPal takes a swipe at Apple Pay security over iCloud celebrity photo leaks

    PayPal appears to be calling out Apple and its newly announced mobile payment service Apple Pay with an ad appearing in The New York Times print edition (via Pando Daily) indirectly reminding people of last month’s disastrous iCloud photo leak when a list of celebrities found their personal photos an intimate situations published on the web. The ad reads “We the people want our money safer than our selfies,” but PayPal isn’t without its own security issue in the past.

    Apple already has over 500 million iTunes account with most having credit cards, the company says, and iCloud features like iCloud Keychain manage and utilize credit card data for auto-completing credit card information.

  47. Tomi Engdahl says:

    A look at Point of Sale RAM scraper malware and how it works

    A special kind of malware has been hitting the headlines recently – that which attacks the RAM of Point of Sale (PoS) systems.

    Although it’s been getting quite a bit of publicity recently, we actually first identified it as a threat back in December 2009 and wrote about it in an article on Naked Security entitled Will RAM scraping loosen the sky and make it fall?.

    Answering that question today, it just might!

  48. Tomi Engdahl says:

    Target Breach: 8 Facts On Memory-Scraping Malware
    Target confirmed that malware compromised its point-of-sale systems. How does such malware work, and how can businesses prevent infections?

    What is memory-scraping malware, and how can it be stopped?

    Malware that attacks the RAM inside point-of-sale (POS) devices — the fancy name for digital cash registers used by everyone from retailers and restaurants to hoteliers and hospitals — leapt into the spotlight this week after it was tied to the recent breach of Target, and by extension, breaches involving Neiman Marcus and other as-yet-unnamed retailers.

    In the wake of Target’s admission, here’s what businesses and their customers should know about RAM-scraping malware and how to stop it.

    1. Memory-scraping malware isn’t new. Memory-scraping attacks date from at least 2011,

    2. POS malware routes around encryption. Memory-scraping malware is typically designed to target Track 1 and Track 2 data — including a cardholder’s name, card number, expiration date, and the card’s three-digit security code (a.k.a. CVV or CVC) — at the place where it’s most vulnerable to being intercepted: in memory, where it’s in plaintext format.

    “There is that opportunity to steal the credit card information when it is in memory, perhaps even before your payment has even been authorized, and the data hasn’t even been written to the hard drive yet,” said Cluley. “In some ways, it’s understandable that the bad guys did this because the Payment Card Industry Data Security Standards — PCI DSS — tell retailers that if you write this [card] information to a hard disk or any other type of media it has to be strongly encrypted so nothing can grab it, and if you transmit it must be strongly encrypted, so nothing can intercept it in transit.”

    3. Security wrinkle: plaintext realities. Unfortunately, it’s not feasible to encrypt data in POS system memory. “No matter how strong your encryption is, if the system needs to process data or process the code, everything needs to be decrypted in memory,”

    4. US-CERT hint: Dexter, Stardust RAM malware. What particular type of malware was used to attack Target or Neiman Marcus?

    5. Likely attack vectors. How do attackers infect POS systems with malware? To answer that question, it helps to understand that POS devices are network-connected, and thus any system that touches that network might be an infiltration point. Likewise, unsecured wireless networks may also give attackers an entry point.

    That’s why POS devices are vulnerable to phishing attacks, as long as attackers can get their malware to jump from an infected PC to POS devices.

    6. POS malware is easy to hide. If attackers gain access to the production network to which POS devices are connected, detecting or intercepting related malware-dropping attacks aimed at those POS devices may be quite difficult.

    7. POS network must be secured. How can retailers block attacks that aim to sneak malware onto POS devices? The US-CERT warning recommends these six best-practices: use strong passwords to access POS devices, keep POS software up to date, use firewalls to isolate the POS production network from other networks or the Internet, employ antivirus tools, limit access to the Internet from the production network, and disable all remote access to POS systems.

    8. Can POS device security be verified?
    “It suggests that Target may have dropped the ball somewhat, not only in terms of verifying those devices but verifying that the image on those devices hasn’t changed,”

  49. Tomi Engdahl says:

    The chip alone does not protect against credit card hacks

    Paying by credit card in the United States is always a little nerve-racking: cyber criminals hijack card information straight from the merchants’ systems. Why has Finland not seen public cases of card data theft?

    “We have chip cards, in the States they don’t.” That is what people in Finland usually say when the news reports that criminals in the United States have again hijacked the information of millions of payment cards from merchants’ systems.

    The source is the United States: there, payment card information has reached criminals in large numbers. In the attacks, cyber criminals have smuggled malware into payment systems. Variants of the BlackPOS malware have been found in the systems of Target and Home Depot.

    Could something similar happen sometime in Finland?

    “In many cases the reaction in Finland is that it could not happen here, because we are used to chip cards. I think it is still possible that it will start happening at Finnish payment terminals as well,” Kimmo Vesajoki, who heads Finland and the Baltics for the security company Trend Micro, tells Tivi.

    “EMV chip cards or debit cards cannot prevent the so-called RAM-scraping attacks that occur at payment terminals,” Trend Micro’s report says.

    Payment systems in the United States and many other countries have a serious weakness: card data is processed in the RAM of the merchant’s computer or server.

    The moment the customer inserts a payment card into the store’s card reader, the data is transmitted to the merchant’s own cash register computer or to the merchant’s server. In main memory the card data sits for a vanishingly short moment in unencrypted form before it is encrypted. If there is malware on the terminal, it automatically detects card information in main memory and collects it in a flash.

    “The PCI DSS security standard for card payments requires that card data be encrypted if it is stored or transmitted over the network. That is why the data is collected from main memory before it is encrypted.”

    Trend Micro already said at the end of August, before the Home Depot news, that it had detected new versions of the BlackPOS malware. They masquerade as McAfee’s security agent program and go after main memory.

    Card readers in the United States are almost everywhere magnetic stripe readers. Would using chip cards and chip card readers prevent RAM attacks?

    “The chip card gives no additional security if the theft takes place in main memory. The chip card primarily prevents physical copying of the card, but not use of the card information in online stores,”

    “Chip card technology alone does not rule out main memory attacks, which the news of recent break-ins underlines. Other methods are needed for protection,” says Bob Russo, director of the card payment standards organisation PCI.

    A RAM attack succeeds despite the chip if the data is passed to the merchant’s computer in the same way as when reading a magnetic stripe.

    From the chip one can read the cardholder’s name, card number and expiry date. Just this data, even without the CVV2 code, is enough for some online shops, so it is valuable to criminals. The information is also being collected successfully. This is hinted at by the fact that the UK has moved to chip cards, yet according to Trend Micro card payment fraud that uses card data without the physical card, i.e. online, is becoming more common there.

    Pekka Vermasvuo, a risk management expert at the card payment company Nets, however, says that memory-reading malware in Finland does not get access to card information. The reason is that here the whole card payment transaction is processed securely inside the chip payment terminal, and card information is not transmitted unencrypted to the cash register workstation.

    “We estimate that all modern chip card terminal systems available in Finland operate according to this principle and are not susceptible to such attacks,”

    “In them, the card information never goes into the merchant’s own system, and all data travelling over the merchant’s network is encrypted. In the States the card reader transmits the information to a cash register running on a Windows XP or Linux workstation, while in Finland the data does not go to the workstation,”

    In the segregated system the card reader is not just a dumb terminal as in the United States. The chip payment terminal is a small computer that encrypts the card data right away inside its own shell. It talks directly to the card issuer’s systems. The cash register only needs to supply the total price to be paid.

    The encryption solution is referred to as end-to-end encryption, P2PE.

    The transaction recipient decrypts the data, verifies the card’s authenticity and validity and the correctness of the PIN code, and makes the charge reservation. The retail system gets no sensitive card data, only an acknowledgment of the payment and the same identifier that appears on the customer’s receipt.

    “The implementation is common practice in Finland and is used by, for example, the largest grocery chains. It can be estimated that almost all card payments in Finland are today transmitted encrypted from end to end,”

    “Even the merchant himself is unable to get at the card information or listen in on the traffic,”

    “In the States the payment process is part of the POS system, whereas here it is separated and only transmits an acknowledgment to the POS system. The risks are of course not zero, but they are clearly lower. In the United States they have woken up to payment security very late, but I know the situation is going to change quite a lot,”

    Finland still has weak systems at small businesses (cafes, restaurants and shops) that have not been updated for some years. In them card information may still be processed, and collected, locally. A particularly clear warning sign is a reader that has only a magnetic stripe slot.

    Nets, which represents the Visa and MasterCard payment card companies in Finland, tells Tivi that even small merchants need not worry. Chip card environments have broadly moved to the model where the card information goes only to the recipient of the card transaction.

    “In addition, the P2PE implementation is also widely used by small merchants. It accounts for a significant share of new installations at both large and small retailers,”

    In the Nordic countries end-to-end encryption and segregated systems are widely used. Niki Klaus does not know exactly what the situation is in other parts of the world, but in any case it is considerably more varied.

    Even the chip card gives no certainty. It only vouches for the paying party. Many of the chip card readers sold around the world do not support end-to-end encryption.

    If you travel, it is worth going through your credit card transactions carefully and regularly. Small purchases in particular should be checked, for this reason: with stolen credit card information, criminals initially make only small test purchases of less than $10 to check whether the data can be used. If the transaction succeeds, the card information moves to a higher price point on the black market…
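    As an added illustration (not code from the article, Trend Micro or Nets) of the point made in comments 48 and 49: a defender's sweep that looks for plaintext Track 1/Track 2 data in a memory snapshot, run against the two architectures described, a US-style flow where the POS workstation handles raw card data, and the segregated P2PE flow where only the amount and an acknowledgment ever reach the POS. The track data is constructed around the widely published Visa test number 4111 1111 1111 1111, and the HMAC-based stream cipher is a stand-in for a real terminal's P2PE scheme, assumed here for illustration only.

    ```python
    import hashlib
    import hmac
    import re

    # Magnetic-stripe track layouts as they sit in a reader's output buffer.
    # Track 2: ";PAN=YYMMSSS<discretionary>?"   Track 1: "%BPAN^SURNAME/FIRST^YYMMSSS...?"
    TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")
    TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})")

    # Constructed sample: 4111 1111 1111 1111 is a widely published Visa test number,
    # expiry 25/12, service code 101; the discretionary data is made up.
    TEST_TRACK2 = b";4111111111111111=2512101123400001?"


    def luhn_ok(pan: bytes) -> bool:
        """Luhn check, used to drop digit runs that merely look like a PAN."""
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = ch - 0x30
            if i % 2 == 1:
                d = d * 2 - 9 if d > 4 else d * 2
            total += d
        return total % 10 == 0


    def find_card_data(buf: bytes) -> list:
        """Scan a memory snapshot for plaintext track data (a defender's sweep for
        the same thing a RAM scraper hunts). PANs are reported masked."""
        hits = []
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(buf):
                pan = m.group("pan")
                if luhn_ok(pan):
                    hits.append({"kind": kind, "offset": m.start(),
                                 "pan_masked": "*" * (len(pan) - 4) + pan[-4:].decode(),
                                 "exp": m.group("exp").decode()})
        return hits


    def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
        """Stand-in for the terminal's real P2PE cipher (which would be DUKPT/3DES or
        AES under HSM-managed keys): an HMAC-SHA256 keystream in counter mode XORed
        over the data. Symmetric, so the same call decrypts. Illustration only."""
        out = bytearray()
        for off in range(0, len(data), 32):
            ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
            out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
        return bytes(out)


    def legacy_pos_flow(track2: bytes, amount_cents: int) -> bytes:
        """US-style flow from the article: a dumb reader hands raw track data to the
        POS workstation, which builds the authorisation request itself before the
        link to the acquirer is encrypted. Returns the workstation's working buffer,
        i.e. what memory-scraping malware on that host gets to see."""
        pos_memory = bytearray(b"AMOUNT=%d\n" % amount_cents)
        pos_memory += b"AUTHREQ:" + track2 + b"\n"   # plaintext, briefly, in POS RAM
        pos_memory += b"WIRE:" + toy_stream_cipher(b"acquirer-link", bytes(pos_memory)) + b"\n"
        return bytes(pos_memory)


    def p2pe_pos_flow(track2: bytes, amount_cents: int, terminal_key: bytes) -> tuple:
        """Segregated flow described for Finland: the POS passes only the amount to
        the chip terminal; the terminal encrypts the card data inside its own shell
        and talks to the acquirer, and the POS receives just an acknowledgment with
        a masked PAN. Returns (pos_memory, terminal_to_acquirer_message)."""
        # inside the terminal: the only place the track data exists in the clear
        wire = toy_stream_cipher(terminal_key, b"AMT=%d;" % amount_cents + track2)
        # acquirer side: decrypt, authorise, answer with a receipt-level identifier
        clear = toy_stream_cipher(terminal_key, wire)
        pan = TRACK2_RE.search(clear).group("pan")
        ack = b"APPROVED auth=123456 pan=****%s amount=%d" % (pan[-4:], amount_cents)
        pos_memory = b"AMOUNT=%d\nACK:%s\n" % (amount_cents, ack)
        return pos_memory, wire


    if __name__ == "__main__":
        print("legacy POS memory:", find_card_data(legacy_pos_flow(TEST_TRACK2, 1999)))
        pos_mem, wire = p2pe_pos_flow(TEST_TRACK2, 1999, b"terminal-key-demo")
        print("P2PE POS memory:", find_card_data(pos_mem))
        print("P2PE wire:", find_card_data(wire))
    ```

    The same `find_card_data` sweep is what an incident responder would run over a suspect POS process dump: a hit on a host that is supposed to be on the P2PE model is itself a finding.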


