Credit card (in)security issues

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The fraud begins with either the theft of the physical card or the compromise of data associated with the account (card account number and/or verification codes).

Skimming is the theft of credit card information used in an otherwise legitimate transaction. Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. Technology needed to read the contents of the magnetic strip is pretty simple. Usually a miniature camera or fake keypad over original is used to read the user’s PIN at the same time. Skimming is usually very difficult for the typical cardholder to detect. All About Skimmers article series is about ATM skimmers, gas pump skimmers and other related fraud devices.

Skimming has been on news in Finland lately. Police has revealed some details of the hard to detect skimming devices that have been found installed on tens of ATM devices around Finland. Articles Ovela huijaus Otto-automaateilla – huomaatko eron kuvissa?, Kummassa pankkiautomaatissa on huijauslaite? and Skimmaajat teettivät erikoislaitteita Suomen oloihin show you pictures of ATM with and without skimming device. These device custom made for Finnish ATMs are really hard to detect. According to articles thousands of ATM card have been compromised and used to steal several hundreds thousand euros. Look carefully next time you use ATM.

Muga_Golden_Credit_Card

Throughout Europe the traditional in-store credit card signing process is increasingly being replaced with a system in which the customer is asked to enter their PIN instead of signing. PINs were widely introduced at the same time as EMV chips on the cards. In Finland the PIN codes that comes with the card are predefined by card issuer. In some countries with some banks the customer can freely choose them. Security of Self-Selected PINs Is Lacking article tells that Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own keys. There is every incentive for the bad guys to try guessing PINs on every card that they steal. “A thief can expect to get lucky every 18th wallet — except for those banks which negligently allow their customers to choose really dumb PINs like 1111 and 1234″. Their report traces an idiosyncratic history of the use of passwords by financial institutions. The researchers wrote that there were two lessons to be drawn from their study. First, customers should never use date of birth as a PIN or password. Second, banks should institute blacklists of common passwords, or prohibit user selection of passwords entirely.

Proximity payments are coming. Pay-by-wave: At least it’s better than being mugged article tell that the public thinks that paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments. Today’s proximity payment systems are based on the NFC standard, which uses a radio connection at 13.56MHz for short-range peer-to-peer communications. The same frequency is used by RFID tags, in a simplistic way, but NFC is a good deal more complicated, and expensive. Proximity payments are implemented in smartphones and contactless credit cards.

1325432106

Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets article tells that contactless cards are far more common than they might seem: According to the Smart Card Association, about 100 million of the RFID-enabled cards are in circulation. Visa calls its technology payWave, MasterCard dubs it PayPass, Discover brands it Zip, and American Express calls it ExpressPay.

Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets and Shmoocon Demo Shows Easy, Wireless Credit Card Fraud articles tell that some contacless cards have serious security holes. Paget, a well-known security researcher for the consultancy Recursion Ventures, used a simple method for her hack: impersonating a legitimate contactless point-of-sale terminal with her own RFID card reader. Commercially-available RFID reader can read the data from a contactless card as easily as a store’s point-of-sale device does. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer’s credit card onstage and obtained the card’s number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. She flashed the volunteer’s credit card number on a screen in front of an audience of hundreds of hackers and security researchers. “You were planning on cancelling that card, weren’t you?”. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer’s money with the counterfeit card she’d just created. Paget’s firm has been working on a credit-card-shaped protection device known as GuardBunny that sits in a wallet alongside payment cards and blocks any would-be RFID fraudster. So it sound like this hacking demonstration was just a marketing gimmick for their product.

Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. To fight against fraud contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once.

According to a smart card expert I know Square and card issuer bank is also to blame on that this worked (and would not work with European banks and other payment services). Also the sum was so low that the payment company might not do all the check it does for bigger sums of money. In card where things are built well, there is different card number for normal swipe card use and contactless operation. The contactless number would fail to work if you try to pay with their code on the terminal that swipes the card. So the security holes are not as big and bad as it seems based on those hacking news.

214 Comments

  1. Credit card (in)security issues | saynotoiphone says:

    [...] from: Credit card (in)security issues This entry was posted in Uncategorized and tagged card-accoun, card-fraud, compromise, [...]

    Reply
  2. Tomi Engdahl says:

    ALL Visa cards blab punters’ names – not just Barclaycards
    http://www.theregister.co.uk/2012/03/29/visa_cards/

    Channel 4 News has been bothering contact-less bank cards again, and managed to wirelessly extract the customer’s name from ANY Visa-branded card within a few centimetres.

    That’s important because without the name even Amazon won’t process payments. Retailers generally check the CVV code (the three-digit number on the back), which isn’t stored on the card chip so it can’t be lifted, and reputable shops should check the cardholder’s address too. However Amazon was caught skipping both those checks when the telly newshounds probed earlier this week.

    “If a retailer is processing payments without CVV codes, the name isn’t probably going to make a lot of difference,” the bank claimed.

    Reply
  3. Tomi Engdahl says:

    Cyber-crime a major adverse financial sector

    Cyber-crime is the field of accounting offenses, fraud, corruption and money laundering even bigger problem, and huge losses, the report states.

    PwC’s report shows that only 18 percent of companies in the financial sector is prepared to cyber threads sufficiently.

    Many companies, however, continue tohide cyber-attacks and concealing their financial losses caused by the fear that they would allow customers to understand that the company is some way behind technologically.

    Source:
    http://www.tietoviikko.fi/kaikki_uutiset/kyberrikollisuus+merkittava+haitta+finanssisektorille/a794781?s=r&wtm=tietoviikko/-30032012&

    Reply
  4. Tomi says:

    Visa and MasterCard warn of credit card data breach
    http://www.theregister.co.uk/2012/03/30/visa_mastercard_breach/

    Visa and MasterCard have been quietly informing banking partners that a third-party supplier has suffered a major breach of security that could let the attacker clone users’ cards.

    According to Krebs on Security, the credit card companies are warning that between January 21 and February 25, a successful attack appears to have occured and that Track one and Track two data could have been stolen. Those terms refer to the data stored on the magnetic stripes on the backs of cards, and indicate that the attacker could clone legitimate cards at will.

    Reply
  5. Tomi Engdahl says:

    Card Processor: Hackers Stole Account Numbers
    http://online.wsj.com/article_email/SB10001424052702304750404577318083097652936-lMyQjAxMTAyMDAwMTEwNDEyWj.html

    Global Payments Inc., the credit-card processor that reported a significant security breach Friday, said that hackers stole account numbers and other key information from up to 1.5 million accounts in North America.

    The news, released Sunday night in a statement, came after the company received a fresh blow over the weekend when Visa Inc. yanked its seal of approval from the company.

    It was the first time that Global Payments disclosed details of the breach. The company didn’t say how the intruders got access to the information.

    Visa confirmed that it removed the company from the list “based on Global Payments’ reported unauthorized access.”

    Reply
  6. Tomi Engdahl says:

    MasterCard, VISA Warn of Processor Breach
    http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

    VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

    “Global Payments Inc. (NYSE: GPN), a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system. In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter.

    “It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.

    Reply
  7. Tomi Engdahl says:

    Xbox 360 credit card slurp alert under fire
    Sniffing wiped privates not possible says Microsoft
    http://www.theregister.co.uk/2012/04/04/xbox_refurbed_console_security_risk/

    Doubts have arisen over claims that credit card numbers and other personal information can be easily recovered from used Xbox 360 consoles – even after users take the precaution of restoring their kit to its factory settings.

    Researchers at Drexel University in Philadelphia bought a refurbished Xbox 360 from a Microsoft-authorised reseller, and accessed files and folders on the box’s hard disk after using widely available “modding” software, which is normally used to run home-brew or pirated software on the consoles. The academics claimed they were subsequently able to extract a previous owner’s credit card details and other private information.

    However Microsoft and an independent security expert have said credit card details are not held locally on the console.

    Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data.

    “Credit card data isn’t stored locally on the console, and there are so many console hacking and modding forums around that if a method did exist to pull this information then I’d be surprised it isn’t already public knowledge.

    Reply
  8. Tomi Engdahl says:

    Heartland Security Breach Class Action: Victims $1925, Lawyers $600,000
    http://it.slashdot.org/story/12/04/10/009248/heartland-security-breach-class-action-victims-1925-lawyers-600000

    Back in 2007, Heartland had a security breach that resulted in a 130 million credit card details being lifted. A class action suit followed and many thought it would send a direct message to business to ensure proper security measures protecting their clients and customers.

    With the Heartland case now over and settlements paid out and divided up, the final breakdown is as follows: Class members: $1925 (11 cases out of 290 filed were ‘valid’). Lawyers for the plaintiff class action: $606,192. Non-Profits: around $1,000,000

    Heartland also paid its own lawyers around $2 million.

    Heartland spent $1.5M to advertise the settlement.

    It appears that the parties spent $160k per legitimate claimant.

    Reply
  9. Tomi Engdahl says:

    Japanese ATMs to use palm readers in place of cash cards
    A local Japanese bank says cardless ATMs are well-suited for natural disasters where customers lose their cards
    http://www.networkworld.com/news/2012/041112-japanese-atms-to-use-palm-258152.html

    Ogaki Kyoristu Bank said the new machines will allow customers to withdraw or deposit cash and check their balances by placing their hand on a scanner and entering their birthday plus a pin number. The ATMs will initially be installed at 10 banks, as well as a drive-through ATM and two mobile banks, from September.

    Ogaiki announced the new ATMs with the slogan “You are your cash card.”

    One reason the bank decided to use the new technology was the massive earthquake and tsunami that ravaged the country’s northeast coast last year, it said. Many who escaped the tsunami lost their homes, personal possessions and all forms of identification, and so were unable to access their bank accounts until weeks or months later.

    Finger and palm scanners are currently used by many large Japanese banks along with cash cards as an additional safety feature, but Ogaki said it will be the first bank in the country to do away with cards all together.

    Reply
  10. Humberto Nuckols says:

    Thanks for your marvelous posting! I quite enjoyed reading it, you’re a great author.I will make certain to bookmark your blog and will eventually come back someday. I want to encourage you continue your great work, have a nice weekend!

    Reply
  11. Tomi Engdahl says:

    3 million bank accounts hacked in Iran
    http://www.zdnet.com/blog/security/3-million-bank-accounts-hacked-in-iran/11577

    Summary: First, he warned of the security flaw in Iran’s banking system. Then he provided them with 1,000 bank account details. When they didn’t listen, he hacked 3 million accounts across at least 22 banks.

    After finding a security vulnerability in Iran’s banking system, Khosrow Zarefarid wrote a formal report and sent it to the CEOs of all the affected banks across the country. When the banks ignored his findings, he hacked 3 million bank accounts, belonging to at least 22 different banks, to prove his point.

    It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question “Is your bank card between thease 3000000 cards?”

    At least three Iranian banks (Saderat, Eghtesad Novin, and Saman) have already sent text messages to their clients, warning them to change their debit card PINs. Furthermore, the Central Bank of Iran (CBI) issued a statement announcing that millions of ATM cards have been hacked and urged all card holders to change their PINs, especially if they haven’t done so in the last few months. The warning was repeated on state TV channels.

    Reply
  12. Tomi Engdahl says:

    Trojan sneaks into hotel, slurps guests’ credit card data
    http://www.theregister.co.uk/2012/04/19/hotel_trojan_scam/

    Cyberooks are selling malware through underground forums which they claim offers the ability to steal credit card information from a hotel point of sale (POS) applications.

    The ruse, detected by transaction security firm Trusteer, shows how criminals are using malware on enterprise machines to collect financial information in addition to targeting consumer PCs with banking Trojans and other nasties.

    The hospitality industry attack involves using a remote access Trojan program to infect hotel front desk computers. The malware includes spyware components that steal credit card and other customer information by capturing screenshots from the PoS application.

    The attack code is being offered for $280 in Visa underground forums. The purchase price includes instructions on how to set up the Trojan.

    Last week Trusteer warned about a ZeuS-based Trojan that targeted cloud-based payroll service providers. The transactions security firm reckon the hospitality industry malware it found on an underground forum is part of the same trend, involving the diversification of Trojan-based attacks away from traditional targets such as consumers and small business bank customers.

    “Criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises,”

    Reply
  13. Tomi Engdahl says:

    “Chrome is the best security for all browsers, but the protection of privacy is not so good,” said the security company F-Secure ‘s Chief Research Officer Mikko Hypponen, the ICT Expo 2012 trade fair in Helsinki on Thursday.

    Research Director advises users to avoid the use of Java. If the Java have to be used, such as Sampo bank web site, then it should be used in different than a normal web browser used for web browsing.

    “Please visit our web site such as Firefox and Chrome use the other navigation,” Hypponen said.

    “Google and Facebook work in network as so-called Big Brother, that is, will know all the movements and actions of users, “Hypponen said.

    Research Director notes that the use of Chrome you give yourself your data to Google. Chrome’s popularity has grown rapidly in recent times and has passed the Firefox browser, moving as soon as the second most popular browser.

    Users will be aware that Google becomes aware of everything that visitors are searching for search engines.

    “The problem is that Google sees everything we do in Google Adverts, Ads and Analytics, which can be found nowadays almost every web page,” Hypponen explained.

    “Facebook users to know the same steps outside the site. It takes advantage of Facebook to the sides of the buttons, “Hypponen said.

    Hypponen said the threats to your computer and mobile threats are different. “The mobile is a different attack tactics”

    “The mobile malware has been allocated to complete than the other way around computers. Linux is in fact the most popular destination, while on Windows and Apple has not been observed in the mobile malware at all, “Hypponen said.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/fsecuren+hypponen+kayta+verkkopankissa+toista+selainta/a801359?s=r&wtm=tietoviikko/-19042012&

    Reply
  14. Tomi Engdahl says:

    Japanese ATMs to use palm readers in place of cash cards
    http://www.networkworld.com/news/2012/041112-japanese-atms-to-use-palm-258152.html

    A Japanese bank will introduce ATMs that use palm scanners in place of cash cards, it said Wednesday.

    Ogaki Kyoristu Bank said the new machines will allow customers to withdraw or deposit cash and check their balances by placing their hand on a scanner and entering their birthday plus a pin number. The ATMs will initially be installed at 10 banks, as well as a drive-through ATM and two mobile banks, from September.

    Ogaiki announced the new ATMs with the slogan “You are your cash card.”

    A local Japanese bank says cardless ATMs are well-suited for natural disasters where customers lose their cards

    Finger and palm scanners are currently used by many large Japanese banks along with cash cards as an additional safety feature, but Ogaki said it will be the first bank in the country to do away with cards all together.

    The palm-scanning technology in the ATMs was developed by Fujitsu, which uses the vein patterns in a person’s hand to check their identity.

    Reply
  15. Tomi Engdahl says:

    Why embossed credit cards are here to stay
    Mobile blackspots, global compatibility, keep bumpy numbers alive
    http://www.theregister.co.uk/2012/05/03/embossed_credit_cards_are_here_to_stay/

    Embossed numbers on credit cards are here to stay, and probably for a very long time, say the big three credit card issuers.

    The raised numbering on credit cards may seem anachronistic given that EMV chips are increasingly being adopted around the world, while magnetic strip cards have been with us for decades.

    The long likely lifespan for raised numbers can also look odd given that pre-paid credit cards have already ditched embossed numbering.
    Forcing you to electronically authorise every transaction with a pre-paid card means you’ll never be able to overdraw such cards.

    But credit card companies want to hang on to the old bumpy numbering for conventional cards, for several reasons.

    The first is that not every merchant which accepts credit cards has access to online transaction processing facilities. “The genius of our system is global interoperability,”
    Keeping raised numbers therefore means that wherever you take your card, merchants will be able to accept it.

    Old-fashioned “click clack” card readers, which take an imprint of the raised numbers on a special form, are also an important backup for merchants.

    “Card numbers are raised so merchants can take an imprint of the card to complete a sale,” explains Andrew Craig, of Visa Australia and New Zealand’s Corporate Affairs team. “They’re used as a back up in cases where a merchant’s terminal is not working.”

    That’s a problem that can even strike in developed nations, as mobile merchants like taxis can often enter mobile coverage black spots. When that happens, reverting to click clack readers is convenient for merchant and customer alike.

    Another reason embossed numbers are still with us may be that a click-clack machine is considered more secure than writing down credit card numbers. Credit card companies aren’t super-keen on “card not present” transactions that involve card numbers being written down: merchants who unwittingly use invalid card numbers are liable for fraudulent purchases.

    Reply
  16. Tomi Engdahl says:

    Hackers Blackmail Belgian Bank With Threats to Publish Customer Data
    http://www.pcworld.com/businesscenter/article/254908/hackers_blackmail_belgian_bank_with_threats_to_publish_customer_data.html

    Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank does not pay €150,000 (US$197,000) before Friday, May 4, they said in a statement posted to Pastebin. Elantis confirmed the data breach on Thursday, but the bank said it will not give in to extortion threats.

    The hackers claim to have captured login credentials and tables with online loan applications which hold data such as full names, job descriptions, contact information, ID card numbers and income figures.

    “While this could be called ‘blackmail,’ we prefer to think of it as an ‘idiot tax’ for leaving confidential data unprotected on a Web server,” they said.

    The hackers contacted the bank via email last Friday, said Moniek Delvou, spokeswoman for Belfius Bank (formerly known as Dexia), Elantis’ parent company. “We assume they possibly captured the data of 3,700 customers,” Delvou said, adding that the compromised data could belong to existing and potential customers.

    Reply
  17. Tomi Engdahl says:

    Global Payments Breach Fueled Prepaid Card Fraud
    http://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fraud/

    Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.

    According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

    Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN.

    Visa and MasterCard each have revoked their certification of Global Payments as a compliant card processor. Global Payments said it is still investigating the cause and extent of the incident. The company maintains that fewer than 1.5 million card accounts were stolen, but some in the industry now believe more than 7 million card accounts may have been compromised. Meanwhile, the card associations keep broadening the window of time in which hackers likely had access to the processor’s network.

    Initially, Visa and MasterCard said the breach window at Global Payments was between January and February 2012, but in the latest round of alerts sent to banks affected by the breach, the card brands warned that the breach dates back to at least early June 2011.

    Reply
  18. BreapirrizRat says:

    Was looking for this on the web and found on your site, thanks. Prepaid Debit Cards

    Reply
  19. Tomi Engdahl says:

    RBS IT cockup: This sort of thing can destroy a bank, normally
    But in this case the taxpayers just get hit again
    http://www.theregister.co.uk/2012/06/25/banking_fail_rbs_natwest/

    The thing you have to remember about banking is that it’s a confidence trick. As with all such things, once the confidence is gone the trick no longer works. That’s what should be worrying the executives at NatWest and RBS over the shambles in their computer systems this week.

    My bit is to try and divine what this means for the future of the bank itself. And that’s where the confidence trick comes in. The basic thing about banking is that if you borrow short and lend long you’re a bank – if you don’t, you’re not.

    To a bank, our deposits in the bank itself (the balance of our current accounts) are loans to the bank. These are the bank’s liabilities (some of them at least), while its actual assets are the loans the bank has made out to other people.

    The actual job we want banks to do is this maturity transformation: we want them to take that short-term money that is lying around the economy and turn it into the sort of long-term loans out of which an ever more glorious civilisation can be built. This is, over and above their provision of a basic payments system, the economic purpose of having banks at all.

    But it is precisely this maturity transformation that makes banks fragile, at risk of a loss of confidence. Because the money has been put out there in three-year loans while our deposits are recallable anytime we want our dosh. So if everyone turns up at the same time to demand their cash, then the bank goes bust; not because it is insolvent, but because it is illiquid. It is worth the money that it owes, it just cannot lay hands on it right now.

    There is always thus the risk of a bank being illiquid. And all that stops it being so is the confidence that it won’t be so. Lose that confidence and you get a bank run.

    This is in fact what happened to Northern Rock.

    This can happen to absolutely any bank, anywhere, at any time: once confidence goes, so does the bank. And that is what should be getting the NatWest peeps worried. Not that they’ve had a computer blowup but that they’ve right royally pissed off their customers and some fraction of them, as soon as it is actually possible to remove money from the bank, are going to remove all of their money from the bank. A bank run of some size in short.

    No, this isn’t going to lead to the bankruptcy of RBS (again). The first reason being that it’s already pretty much government-owned and the solution to a bank run is government ownership to restore confidence. The second is that it’s the wholesale markets which are the real worry.

    While RBS can and will survive any set of withdrawals it’s pretty obvious that it will do so as a much smaller bank (or series of banks if you prefer).

    It’s a strange but true fact that while moving an account is quite easy (it’s easier than moving house – yet people move house more often than banks), very few people actually do. The stickiness of personal banking is observable but not really explainable by standard economic theory. It just is: and that is what makes it all very profitable for the UK banks. They get that float in our current accounts for no interest and then lend it out at interest.

    Well, there is one evil thing that could be done: engineer a similar crisis at another bank this week. Then consumers will conclude that all are as bad as each other and thus won’t move their accounts. But I have a feeling that managing such a feat deliberately would be rather difficult: as opposed to the ease with which incompetence seems to have achieved it.

    Reply
  20. Tomi Engdahl says:

    ‘Inexperienced’ RBS tech operative’s blunder led to banking meltdown
    http://www.theregister.co.uk/2012/06/26/rbs_natwest_ca_technologies_outsourcing/

    A serious error committed by an “inexperienced operative” caused the IT meltdown which crippled the RBS banks last week, a source familiar with the matter has told The Register. Job adverts show that at least some of the team responsible for the blunder were recruited earlier this year in India following IT job cuts at RBS in the UK.

    Following our revelation yesterday that a bungled update to CA-7 batch processing software used by RBS lay behind the collapse, further details have emerged.

    CA Technologies – the makers of the CA-7 software at the heart of the snarl-up – are helping RBS to fix the disaster that has affected 16.9 million UK bank accounts.

    The batch scheduling tool CA-7 is widely used and generally considered to be very reliable, so it appears that the error – that meant millions of accounts have registered incorrect balances for many days – sprang from the oversight of the technology at RBS.

    RBS: “No evidence” this is connected to outsourcing

    Reply
  21. Tomi Engdahl says:

    McAfee discovers $78 million worth of sophisticated cyber attacks against banking systems
    http://www.theverge.com/2012/6/26/3118002/mcafee-guardian-analytics-cyber-attacks-banking-systems-europe

    Security firms McAfee and Guardian Analytics have published a joint fraud report, dubbed Operation High Roller, on new methods of siphoning money from banking systems. Using a series of highly sophisticated cyber attacks to target high balance accounts, criminals have been able to successfully bypass physical “chip and pin” authentication and use server-based fraudulent transactions to steal money from a number of accounts in Europe.

    The attacks originated in Italy, using SpyEye and Zeus malware to transfer funds into fraudulent accounts.
    McAfee discovered 426 unknown variants of the typical Zeus or SpyEye malware that were difficult to detect

    The company is warning that 60 servers have been processing thousands of attempted thefts from high-value accounts over a period of months, resulting in attempts to steal at least €60 million (US$78 million).

    McAfee says that if all the attempted fraud attacks were successful then the total attempted fraud could be as high as €2 billion ($2.49 billion).

    Reply
  22. Tomi Engdahl says:

    Crypto boffins: RSA tokens can be cracked in 13 MINUTES
    No practical risk to SecurID 800 users – RSA
    http://www.theregister.co.uk/2012/06/27/smartcard_crypto_attack/

    Crypto boffins have developed an attack that’s capable of extracting the protected information from hardened security devices such as RSA’s SecurID 800.

    The research (PDF), developed by a group of computer scientists who call themselves Team Prosecco – due to be presented at the CRYPTO 2012 conference in August – is a refinement of existing techniques. But the big news is that this attack is capable of extracting information in just 13 minutes, instead of hours.

    the attack works against a variety of devices that protect access to computer networks or digitally sign e-mails. The side-channel attack also works against RSA’s SecurID 800 and many other devices that use PKCS #1 v1.5 padding mechanism, including electronic ID cards such as those issued by the government of Estonia as well as smartcards and USB tokens, the reserachers claim.

    Aladdin’s eTokenPro, SafeNet’s iKey 2032, Gemalto’s CyberFlex, and Siemens’ CardOS are among the technologies vulnerable to the attack, they write.

    RSA downplayed the practical significance of the attack. “While the research is scientifically interesting, it does not demonstrate a new or useful attack against RSA SecurID 800,” a spokesman told El Reg.

    Reply
  23. Tomi Engdahl says:

    RBS considers suing software supplier over IT glitch
    Passing the buck for banking system outage
    http://www.theinquirer.net/inquirer/news/2187444/rbs-considers-suing-software-supplier-glitch

    UK BANK RBS is considering suing software supplier CA Technologies over its ongoing IT problems, which have seen thousands of customers go without access to their money.

    According to a report at the Financial Times that cites “two people familiar with the situation”, managers at RBS are blaming a CA Technologies software system called CA-7 for its on-going glitch, after it failed to upgrade overnight.

    CA-7 is a large job scheduling subsystem that’s used primarily to sequence and dispatch batch processing jobs in IBM mainframe computer datacentres. It’s about 40 years old by now.

    One of the report’s internal sources said, “It was certainly an issue with this software. We will still have to establish if this was their fault or if it was our handling of the software.”

    “The problem could have been caused by the software, or by the specifics of the upgrade work and how it was executed. Untying that knot will not be easy.”

    RBS has said that the problem has now been resolved, but added that it could take a few weeks for everything to get back to normal.

    Reply
  24. Tomi Engdahl says:

    So far, debit card PIN can be chooses on a limited number of cards.

    Luottokunta is already offering this year to their customers a choice of payment card PIN code. The first new service will be Nordea’s Finnish and Swedish customers. The service is suitable for all payment cards.

    Luottokunta sheet sets, that the new PIN code service number does not need to change the turn of the card.

    The code can be sent via SMS to the cardholder

    Source: http://www.digitoday.fi/tietoturva/2012/06/28/maksukortin-pin-koodin-voi-pian-valita-itse/201232421/66?rss=6

    So in the future 50% of the credit cards, PIN code is “1234″.

    A good idea in itself, but it should definitely put something in, then restrictions on the type of number combinations are allowed to take.
    The most common 1234, 9876, 2580, 1122, etc, of course, the list of banned…

    Reply
  25. Tomi Engdahl says:

    ‘Backing out of a failed update really ought to be a trivial matter…’
    http://www.theregister.co.uk/2012/06/29/quotw_ending_june_29/

    This was the week when there was an almighty tech disaster at RBS and Natwest that froze millions out of their bank accounts. Stories abounded of houses lost because sales hadn’t gone through, people stuck in prison because their bail hadn’t been paid and legions of folks just plain old p***ed off because they couldn’t put their hands on their own money.

    Sources told The Register that the error was in a piece of batch scheduling software called CA-7, at least partially run out of India.

    A former employee said:

    Backing out of a failed update to CA-7 really ought to have been a trivial matter for experienced operations and systems programming staff, especially if they knew that an update had been made. That this was not the case tends to imply that the criticisms of the policy to “off-shore” also hold some water.

    Another former employee said:

    When they did the back-out, a major error was made. An inexperienced person cleared the whole queue… they erased all the scheduling.

    Meanwhile, RBS denied that what was quickly becoming an apocalyptic disaster had anything to do with outsourcing.

    Reply
  26. Business Credit says:

    I’m glad that there are foes like you to write such articles Free Classifieds http://www.nmwt.net

    Reply
  27. Gregory Greisiger says:

    Wonderful work! This is the type of info that should be shared around the internet. Shame on Google for not positioning this post higher! Come on over and visit my website . Thanks =).

    Reply
  28. Tomi says:

    Finanssialan it-järjestelmät ovat retuperällä
    http://www.tietoviikko.fi/kaikki_uutiset/finanssialan+itjarjestelmat+ovat+retuperalla/a827009?s=r&wtm=tietoviikko/-07082012&

    Reply
  29. Tomi says:

    Financial Sector IT systems are completely neglected

    The financial sector, the IT systems will no longer serve its purpose, to report the IT industry association Intellect .

    A good example of it’s status is the recent Royal Bank of Scotland , the bank’s problem, which jammed the banking system. CA-7-banking software update was the bank accounts of some customers hang up to a month. It caused a problem in the bank, at least 125 million pounds (157 million) in damages.

    Intellect of the financial sector infrastructure is so fragmented that it prevents banks from providing accurate information about its activities. This in turn prevents lawmakers from getting proper information from banks and the entire financial system.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/finanssialan+itjarjestelmat+ovat+retuperalla/a827009?s=r&wtm=tietoviikko/-07082012&

    Reply
  30. Tomi says:

    Why customers may want to think different about the consumer-tech giant.
    http://motherboard.vice.com/2012/8/7/this-is-what-wall-street-s-terrifying-robot-invasion-looks-like

    The majority of all trades made everyday are now executed by robots looking to exploit micro-movements in stock price in a perpetual game of musical chairs. The finance industry insists that this is a net-positive operation. The established argument is that, by increasing liquidity and reducing price spreads, everyone benefits from price stability and lower transaction costs.

    This may be true, but there are side effects, as one HFT insider explained to Zero Hedge:

    HFT affects all investors to an extent, because stocks are now priced differently than in the past. The market used to consist mostly of investors analyzing cash flows and balance sheets, trying to calculate a company’s fair value. HFTs, on the other hand, react to movements in stock prices alone. That is not necessarily a bad thing, but since HFTs are responsible for two-thirds of the trading volume, we have the strange situation where they can set the price based on what they perceive others’ perceptions to be.

    Reply
  31. Tomi says:

    Wall Street and the Mismanagement of Software
    http://developers.slashdot.org/story/12/08/10/1247217/wall-street-and-the-mismanagement-of-software

    “Last week, a bug in high-frequency trading software from Knight Capital Group resulted in erroneous trades costing almost a half-billion dollars. So, what went wrong and how can they, or any other software developer, prevent something similar from happening again?”

    “Robert Dewar at Dr. Dobb’s suggests the financial industry needs to take a page from the avionics rulebook, which has very strict guidelines about what code can be implemented due to the high cost of failure in that field.”

    Wall Street and the Mismanagement of Software
    http://www.drdobbs.com/architecture-and-design/wall-street-and-the-mismanagement-of-sof/240005196

    High-frequency automated trading is not avionics flight control, but the aviation industry has demonstrated that safe, reliable real-time software is possible, practical, and necessary. It requires appropriate development technology and processes as well as a culture that thinks in terms of safety (or reliability) first. That is the real lesson to be learned from last week’s incident. It doesn’t come for free, but it certainly costs less than $440M.

    Reply
  32. Tomi says:

    Alliance Wants to Make Mobile Payments the New Norm, But Where is Square?
    http://www.wired.com/business/2012/08/phone-credit-card-tech-companies-join-to-make-mobile-payments-the-new-norm/

    AT&T, Sprint, T-Mobile, and Verizon have joined with the major credit card companies, Google, PayPal, Intuit and others to form the Electronic Transactions Association’s Mobile Payments Committee.
    (to make your smartphone a standard checkout option)

    “is designed to ensure that the early stages of mobile payments are handled in the best possible way: With insight and ingenuity from all the players—private as well as public sector.”

    Reply
  33. Tomi Engdahl says:

    Identity fraud: Retailer incompetence is at the core of a system that’s deeply flawed
    http://www.edn.com/electronics-blogs/other/4394133/Identity-fraud–Retailer-incompetence-is-at-the-core-of-a-system-that-s-deeply-flawed-?cid=EDNToday

    The criminal(s) maxed out each card’s temporary credit limit, with shopping activity spread across several states within a single day, and then promptly disappeared. Since I was able to prove I was in CA at the time, the charges were promptly waived and no permanent damage to my credit rating occurred. Yet wading through the mess (including filing a formal police report) was a huge hassle, and it left me feeling quite vulnerable. And it all occurred because the stores granted, as a “convenience’, automatic multi-hundred-dollar per-card credit approval in advance of credential verification.

    But as it turns out, “as a convenience for our customers,” Walmart doesn’t currently require security code re-entry for an order placed within an unspecified timeframe after the prior one (a company representative told me that this “feature” is in the process of being “removed”).

    Reply
  34. Tomi Engdahl says:

    Square Debuts Monthly Pricing Option For Small Businesses With Zero Swiping Fees
    http://techcrunch.com/2012/08/16/square-debuts-monthly-pricing-option-for-small-businesses-drops-swiping-fees/

    On the heels of announcing a mega-deal with Starbucks, mobile payments processing company Square is announcing another piece of key news—specialized, lower pricing per swipe for small businesses

    Square CEO and co-founder Jack Dorsey has been addressing the issue that many businesses have no idea how much they are spending in credit card fees. In a release, he said “For 62 years, merchants have suffered complicated, expensive processing fees. Square is the first company to rethink electronic payment pricing with the merchant in mind. We are giving merchants affordable, predictable pricing…With one monthly price, merchants know that the sales they’ve processed in a day is the same amount deposited in the bank.”

    Square says that this is the first time ever that small business has has an advantage over big business with respect to credit card fees pricing.

    Square has been steadily expanding its payments network and reach over the past year. The company now has 2 million people and businesses accepting credit cards with the service (up from 1 million last year), and is processing $6 billion in payments volume per year.

    Reply
  35. Tomi Engdahl says:

    Payment Data Is More Valuable Than Payment Fees
    http://techcrunch.com/2012/08/18/payment-data-is-more-valuable-than-payment-fees/

    We are in the midst of a great revolution in the payments space: anyone with a phone can now accept credit cards; online-to-offline commerce is allowing online payment for offline purchase and significant friction is being removed from the consumer purchase experience thanks to mobile. All of this innovation (read: competition), combined with government intervention, means that payment fees are falling, threatening revenue streams for incumbents and startups alike in the payments space. But a broader opportunity exists: using the data of payments to build a more valuable, more defensible business model, one not dependent on fees. The result will revolutionize offline commerce and online advertising.

    Reply
  36. Tomi Engdahl says:

    Secret E-Scores Chart Consumers’ Buying Power
    http://www.nytimes.com/2012/08/19/business/electronic-scores-rank-consumers-by-potential-value.html?pagewanted=all

    AMERICANS are obsessed with their scores. Credit scores, G.P.A.’s, SAT’s, blood pressure and cholesterol levels — you name it.

    So here’s a new score to obsess about: the e-score, an online calculation that is assuming an increasingly important, and controversial, role in e-commerce.

    These digital scores, known broadly as consumer valuation or buying-power scores, measure our potential value as customers. What’s your e-score? You’ll probably never know. That’s because they are largely invisible to the public. But they are highly valuable to companies that want — or in some cases, don’t want — to have you as their customer.

    Online consumer scores are calculated by a handful of start-ups, as well as a few financial services stalwarts, that specialize in the flourishing field of predictive consumer analytics.

    It’s true that credit scores, based on personal credit reports, have been around for decades. And direct marketing companies have long ranked consumers by their socioeconomic status. But e-scores go further. They can take into account facts like occupation, salary and home value to spending on luxury goods or pet food, and do it all with algorithms that their creators say accurately predict spending.

    And now e-scores rank our potential value to companies.

    But the spread of consumer rankings raises deep questions of fairness, says Frank Pasquale, a professor at Seton Hall University School of Law, who is writing a book about scoring technologies. The scores may help companies, he says. But over time, they may send some consumers into a downward spiral, locking them into a world of digital disadvantage.

    “I’m troubled by the idea that some people will essentially be seeing ads for subprime loans, vocational schools and payday loans,” Professor Pasquale says, “while others might be seeing ads for regular banks and colleges, and not know why.”

    Reply
  37. Tomi Engdahl says:

    Bitcoin-based credit card reportedly due in two months
    http://news.cnet.com/8301-1023_3-57497014-93/bitcoin-based-credit-card-reportedly-due-in-two-months/?part=rss&subj=news&tag=title

    BitInstant is close to introducing an international credit/debit card based on the peer-to-peer currency, according to an alleged interview with the exchange service’s co-founder.

    Bitcoin, the peer-to-peer currency that’s been gaining in popularity, appears to be getting ready to take the leap from the digital world to the real world.

    Exchange service BitInstant is creating a Bitcoin-funded card that would function as a standard debit/credit card and would be honored where ever MasterCard is accepted, according to the transcript of an interview allegedly conducted wth BitInstant co-founder Charlie Shrem.

    The cards would be issued by a “major international bank” with which BitInstant has partnered and funded at a rate of 1 percent, Shrem said.

    will feature a QR code on the front and a printed Bitcoin address on the back for funding

    Bitcoin sprang up in 2009 as a peer-to-peer currency that intentionally avoided the prying eyes of law enforcement officials.

    Reply
  38. Tomi Engdahl says:

    High frequency trading: Sinatra sings and stochastic processes swing
    http://www.edn.com/electronics-blogs/looking—electronics/4394234/High-Frequency-Trading–Sinatra-Sings-and-Stochastic-Processes-Swing?cid=EDNToday

    “The frequency of the submission of orders has increased and the time to execute market orders on these electronic markets has dropped from more than 25 ms in 2000 to less than 1 ms in 2010.”

    “These programs are designed to trade enormous volumes of stocks, bonds and other financial instruments at superfast speeds, taking advantage of second-to-second fractional price shifts and market trends.”

    For HFT hardware, computer processors are tailored for these algorithms. “GPU computing has become very popular in quantitative finance and many financial institutions are moving their CPU based applications to the GPU platform”

    With money as no object, one new computer chip, named iX-eCute (see Figure 5), was designed specifically for high-frequency trading and can prepare trades in 740 nanoseconds; a proposed $300 million transatlantic cable is being built just to shave 6 milli-seconds off the current 65milli-second transaction times between New York City and London.)”

    Is High Frequency Trading Wall Street’s Doomsday Machine?

    “High frequency (HF) trading firms represent approximately 2% of the nearly 20,000 trading firms operating in the U.S. markets, but since 2009 they have accounted for over 70% of the volume in U.S. equity markets and are fast approaching 50% of the volume in futures markets”.

    Reply
  39. Tomi Engdahl says:

    Ecryption used RFID cards is considered to be safe, but last spring, two American scientists from the University of Texas Instruments were able to break the encryption provided by chips.

    They researched remotely TI’s DST tags used in automotive security keys and Exxon Speed ​​Pass payment card. Researchers used device that can be bought from Interner for $200. They were able to simulate the DST tags and cheat a car security systems and gasoline to refuel many times for free on the same day.

    Most probably the issue is fixes on MasterCard PayPass cards.

    Source: http://www.itviikko.fi/muu/2005/08/22/vilautuskortista-loytyi-internet-aukko/20054172/7

    Reply
  40. Tomi Engdahl says:

    PayPal Trumps Square’s Deal With Starbucks by Partnering With Discover
    http://allthingsd.com/20120822/paypal-trumps-squares-deal-with-starbucks-by-partnering-with-discover/

    Under a new partnership being announced with Discover, PayPal is super-sizing the number of U.S. merchant locations at which it will be accepted — more than seven million.

    “The whole industry has been looking for a landmark that says that all of this is really happening,” said Don Kingsborough, PayPal’s VP of Retail Services. “This is an important deal for us, because it gets us to over seven million locations pretty seamlessly.”

    Just two weeks ago, Square made a huge splash after announcing that Starbucks would use the start-up to process all of its credit and debit transactions.

    Now, one of Square’s biggest rivals is making it clear that it is still in the game.

    In ranking the two deals, Ken Paterson, VP of Research at Mercator Advisory Group, says he would guess that PayPal’s deal is potentially larger. ”It could bring PayPal to the majority of card-accepting merchants across the country,” he said. “The potential scale involved here is very significant.”

    Reply
  41. Tomi Engdahl says:

    Identity fraud: Retailer incompetence is at the core of a system that’s deeply flawed
    http://www.edn.com/electronics-blogs/brians-brain/4394133/Identity-fraud–Retailer-incompetence-is-at-the-core-of-a-system-that-s-deeply-flawed-?cid=Newsletter+-+EDN+on+Consumer+Electronics

    The criminal(s) maxed out each card’s temporary credit limit, with shopping activity spread across several states within a single day, and then promptly disappeared. Since I was able to prove I was in CA at the time, the charges were promptly waived and no permanent damage to my credit rating occurred. Yet wading through the mess (including filing a formal police report) was a huge hassle, and it left me feeling quite vulnerable. And it all occurred because the stores granted, as a “convenience’, automatic multi-hundred-dollar per-card credit approval in advance of credential verification.

    But as it turns out, “as a convenience for our customers,” Walmart doesn’t currently require security code re-entry for an order placed within an unspecified timeframe after the prior one (a company representative told me that this “feature” is in the process of being “removed”).

    Reply
  42. Tomi Engdahl says:

    British retailers are losing millions to cyber criminals
    £205.4m a year is not falling down the back of the sofa
    http://www.theinquirer.net/inquirer/news/2200801/british-retailers-are-losing-millions-to-cyber-criminals

    UK RETAILERS are losing hundreds of millions to cyber criminals every year, warns the British Retail Consortium (BRC).

    The BRC reckons that such crime is the biggest threat facing the retail sector, so is even worse than bored shop assistants, and is an evolving market that sees criminals adopting new methods all the time.

    These new methods have cost retailers £205.4m it reckons, a figure that is made up of £77.3m in losses from fraud and a mix of prevention investment and other business costs.

    The biggest cost to retailers comes from ID theft related fraud, and the BRC tots this up to £20m a year. Card fraud is second and caused £15m in losses between 2011 and 2012, and refund fraud is third, costing £1.2m in losses.

    “Online retailing has the potential for huge future commercial expansion but Government and police need to take e-crime more seriously”

    Reply
  43. Tomi Engdahl says:

    When using Apple Store’s EasyPay isn’t so easy
    Student blames arrest on EasyPay mistake—how safe is Apple’s checkout system?
    http://www.macworld.com/article/1168261/when_using_apple_stores_easypay_isnt_so_easy.html

    Apple’s EasyPay service promises Apple Store shoppers a fast way to conduct business at the company’s retail outlets, letting them buy items without even talking to a store employee. It’s fast and convenient—but one New Jersey teenager claims he got more than he bargained for, after he was accused of trying to walk out of the Apple Store on New York’s Fifth Avenue without paying for a pair of headphones.

    With great convenience comes great responsibility for making sure that you’ve followed every step in the process—right down to confirming that your purchase has gone through.

    Apple introduced EasyPay last November as a way of simplifying its retail experience. The service is tied into the Apple Store mobile app for iOS devices. Using that app and your device’s built-in camera, you can scan in products and pay for them with the credit card linked to your Apple ID account.

    When you’re in an Apple Store and using the Apple Store app, you’ll see the EasyPay option. You scan the barcode of the item you’d like to purchase with your iPhone’s camera—that will bring up various details about the product, including its price. Tap the green button with the price to pay. The app will prompt you to provide your Apple ID password. At the end of the process, you’ll see a screen like the one to the right, which includes a link to view your receipt.

    Either option—checking for confirmation screen or getting help from an Apple Store employee might have saved Shine a lot of trouble when he walked into the Fifth Avenue Apple Store earlier this month.

    To be fair, customers who’ve used the service seem to be delighted with EasyPay—at least if our Twitter feed is any indication.

    Some retail experts doubt that Shine’s experience with EasyPay would be a common one. “I don’t believe that story for a second,”

    “If you look at the cost analysis, they’re gambling that the amount of money leaving the store, versus the amount of money they’re saving on needing people in the store checking customers out, works in their favor,” Ciabarra said. “Less people means less salaries you have to pay,” which saves Apple plenty of money, he said.

    Stores with self-checkout options can leverage impressive technology to prevent theft—intentional or otherwise.

    Reply
  44. theatre blogs says:

    I have fun with, result in I discovered exactly what I was looking for. You’ve ended my 4 day lengthy hunt! God Bless you man. Have a nice day. Bye

    Reply
  45. Tomi Engdahl says:

    Chip and pin ‘weakness’ exposed by Cambridge researchers
    http://www.bbc.com/news/technology-19559124

    A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers.

    Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised.

    Poor implementation of cryptography methods were behind the flaw, researchers said.

    They accused some banks of “systematically” suppressing information about the vulnerabilities.

    Chip and pin is the leading processing and authentication method for credit and debit card payments, with many more than a billion cards in use worldwide.

    Believed to be far more secure than previous technology, such as a magnetic strip, adoption of chip and pin had led to banks becoming more aggressive when dealing with compensation claims, the researchers said

    The team’s research was presented at a cryptography conference in Leuven, Belgium, on Tuesday.

    The paper said despite chip and pin being in use for over a decade, it was only recently “starting to come under proper scrutiny from academics, media and industry alike”.

    “If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” said researcher Mike Bond in a blog post.

    “The sort of frauds we’re seeing are easily explained by this, and by no other modus operandi we can think of,” researcher Prof Ross Anderson told the BBC.

    “For example, a physics professor from Stockholm last Christmas bought a meal for some people for 255 euros ($326, £200), and just an hour and a half later, there were two withdrawals of 750 euros made from a nearby cash machine used by what appears to have been a clone of his card.”

    Chip and Skim: cloning EMV cards with the pre-play attack
    http://www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/

    the EMV Unpredictable Number field – a 32 bit field that’s supposed to be unique to each transaction. I soon got muddled up… it turned out that the unpredictable numbers… well… weren’t. Each shared 17 bits in common and the remaining 15 looked at first glance like a counter.

    You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack.

    Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, and Ross Anderson wrote a paper on the research, and Steven is presenting our work as keynote speaker at Cryptographic Hardware and Embedded System (CHES) 2012, in Leuven, Belgium. We discovered that the significance of these numbers went far beyond this one case.

    Expecting some sort of foul play we examined Alex’s log data in detail and found the vulnerabilities in the ATM. Either there is a causal linkage between Alex’s fraud and the deficiencies in the ATM, or these deficiencies are extremely widespread.

    First, there is an easier attack than predicting the RNG.
    Since the unpredictable number is generated by the terminal but the relying party is the issuing bank, any intermediate party – from POS terminal software, to payment switches, or a middleman on the phone line – can intercept and superimpose their own choice of UN. Attacks such as those of Nohl and Roth, and MWR Labs show that POS terminals can be remotely hacked simply by inserting a sabotaged smartcard into the terminal.

    Second, there are legal ramifications: It can no longer be taken for granted that data in a transaction log was harvested at the time and place claimed, which undermines the reliability of evidence in both civil and criminal cases.

    Third, there are public policy issues.
    We have described some of the complaints we receive regularly from bank customers that stolen cards have been used in circumstances where the PIN could not have been compromised, and yet whose bank refuses a refund claiming its records show the PIN was used. Many of these customers are credible witnesses and it is not believable that they are all mistaken or lying.

    Chip and Skim: cloning EMV cards with the pre-play attack
    http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

    EMV, also known as “Chip and PIN”, is the leading system for card payments world-wide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too.

    EMV is now the leading scheme worldwide for debit and credit card payments, as well as for cash withdrawals at ATMs, with more than 1.34 billion cards in use worldwide. US banks were late adopters, but are now in starting to issue EMV cards to their customers. EMV cards contain a smart card chip, and are more dicult to clone than the magnetic-strip cards that preceded them.
    EMV was rolled out in Europe over the last ten years,

    we advise the fraud victim to demand the transaction logs from the bank. In many cases the banks refuse, or even delete logs during the dispute process, leaving customers to argue about generalities. Some courts have recently criticised banks for this and in the Gambin case the bank produced detailed log data. We
    observed that one of the elds on the log le, the unpredictable number” or UN, appeared to be increasing steadily

    The UN appears to consist of a 17 bit xed value and the low 15 bits are simply a counter that is incremented every few milliseconds, cycling every three minutes. We wondered whether, if the unpredictable number” generated by an ATM is in fact
    predictable, this might create the opportunity for an attack in which a criminal with temporary access to a card

    Many countries, including the UK, moved to authenticating cardholders with a PIN rather than a signature at both POS and ATM, where previously PINs had only been used at ATMs. The goal was to make it harder to use a stolen card.

    EMV did not cut fraud as its proponents predicted. While using counterfeit and stolen cards did become more dicult, criminals adapted in two way

    First, they moved to “card-not-present” transactions { Internet, mail-order, and phone-based payments { which remained beyond the scope of EMV.

    Second, they started making magnetic-strip clones of EMV cards.

    Total fraud levels were brought down following 2008 through improvements to back-end fraud detection mechanisms which reject suspicious transactions; by more aggressive tactics towards customers who dispute transactions; and by reducing the number of UK ATMs that accept fallback” magnetic-strip transactions on EMV-issued cards. Fallback fraud is now hard enough to push the criminal community to more sophisticated smart-card-based attacks.

    Pre-play attacks against EMV have been discussed theoretically before, but for a real-world attack to work, there are many practical challenges. In this section we describe our own approach to them: surveying for an exploitable vulnerability, skimming data, and deploying the attack. Each stage of the process must be completed by criminals with reasonable yield and an acceptably low cost (including probability of being caught).

    Reply
  46. Tomi Engdahl says:

    Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets
    http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

    Reply
  47. Tomi Engdahl says:

    Cambridge boffins: Chip-and-PIN cards CAN be cloned – here’s how
    http://www.theregister.co.uk/2012/09/13/chip_and_pin_security_flaw_research/

    Boffins at Cambridge University have uncovered shortcomings in ATM security that might be abused to create a mechanism to clone chip-and-PIN cards.

    The security shortcoming might already be known to criminals and creates an explanation for what might have happened in some, otherwise baffling, “phantom” withdrawal cases.

    The cryptographic flaw – the result of mistakes by both banks and card manufacturers in implementing the EMV* protocol – creates a means to predict that authentication code (the “unpredictable” number).

    ‘We’ve never claimed chip-and-PIN is 100 per cent secure’

    The idea that debit and credit cards fitted with supposedly tamper-proof chips might be vulnerable to a form of cloning sits awkwardly with assurances from the banking sector that the technology is highly reliable, if not foolproof.

    In a statement, the UK’s Financial Fraud Action told El Reg:

    We’ve never claimed that chip and PIN is 100 per cent secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.

    Reply
  48. Tomi Engdahl says:

    World Operates “On an Inferior Monetary System” Says BitInstant
    http://paritynews.com/web-news/item/322-world-operates-on-an-inferior-monetary-system-says-bitinstant

    Speaking about Bitcoin the duo explained to NACHA attendees of the power of virtual currency and its inevitability in the long run and how it is not disruptive in its literal meaning.

    In their presentation [PPT] “Money without Borders” Shrem and Voorhees explained the basics of Bitcoin, features of the currency, the network behind the currency and gave out some statistics about BTC. According to the presentation, there are a total of 9,911,550 BTC with a market cap of 110,414,469 USD.

    The interesting part of the whole forum was how Bitcoin as a currency and transaction system as of whole “eviscerates entire statutes of law.”

    Bitcoin is not a centralized system but is a decentralized computer network yet a RPC nonetheless as transactions are being carried out. Thus Bitcoin violates the law when it comes to disclosure of information.

    The presenter said, “well, if the regulators don’t like what Bitcoin is doing, it’s very possible they could come after you.”

    Reply
  49. Tomi Engdahl says:

    PIN analysis
    “All credit card PIN numbers in the World leaked”
    http://www.datagenetics.com/blog/september32012/index.html

    There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code. Out of these ten thousand codes, which is the least commonly used?

    The most popular password is 1234 …
    … nearly 11% of the 3.4 million passwords are 1234 !!!

    he next most popular 4-digit PIN in use is 1111 with over 6% of passwords being this.

    In third place is 0000 with almost 2%.

    OK, we’ve investigated most frequently used PINS and found they tend to be predictable and easy to remember

    Reply
  50. Tomi Engdahl says:

    Forget the stress tests: Europe’s banks are a worrisome mystery
    http://qz.com/10310/forget-the-stress-tests-europes-banks-are-a-worrisome-mystery/

    Revelations on Sept. 28 that Spanish banks need almost €60 billion ($77 billion) to avoid going bust in the event of a severe Spanish recession seemed, at first, like relatively good news: It was slightly less than previously thought. But investors are worried that the “stress tests” that produced this figure, like many others performed on European banks in the last two years, may actually be close to worthless.

    The stress tests (pdf) essentially look at the share of a bank’s loans that would go bad in the event of recessions of varying severity, and calculate what that would cost the banks.

    And the shortcomings of these Spanish bank stress tests are merely emblematic of a larger European problem. Banks have been pushed to increase the quantities of “core”—or highest-ranked—capital they hold in order to perform better on stress tests. Supposedly, this capital is risk-free, or “zero-risk-weighted” in the lingo. However, such holdings—particularly of government bonds—do have some inherent risks

    “Leveraging Basel zero risk weightings on Eurozone sovereign bonds to absurdly high levels caused the current Europe financial mess. European problems make it obvious the €1.86 trillion of zero risk weighted assets contain some hidden sovereign risk, counterparty risk, market risk or liquidity risk.”

    In other words, European stress testing and calls to raise capital have convinced no one that European banks are truly stable, because they make troubling assumptions about the safety of that capital. What regulators get, then, are numbers they want to see rather than the numbers that really exist—and that’s frightening to investors.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*