Authentication Attack Against Credit Card Verification

Here's a physical attack against a credit card verification system. Basically, the attack disrupts the communications between the retail terminal and the system that identifies revoked credit cards. Since retailers generally default to accepting cards when the system doesn't work, the attack is generally successful.

Posted on October 27, 2014 at 10:56 AM • 14 Comments

Comments

guest • October 27, 2014 2:50 PM

Twitter redirection? On my laptop juliansanchez retweeted as Julian Scarynamechez - and there have been others. On smartphone, twitter page shows up transitorily, then is replaced by a "sorry, that page doesn't exist" error message.


AnuraOctober 27, 2014 3:11 PM

Unfortunately, this is one of those hard to fix cases. Given that the vast majority of credit card transactions are successful, it probably costs more money to stop processing than to let the cards go through. The main thing you can do is use redundant systems to keep everything online in the event there is a single system with a problem. Hopefully your payment processor has redundant systems as well.

Bruce Schneier • October 27, 2014 3:19 PM

"Unfortunately, this is one of those hard to fix cases."

More importantly, it is probably cheaper to allow the occasional fraud than to lose all of the legitimate transactions when there's an actual service outage.

Douglas Knight • October 27, 2014 3:32 PM

When the system is down, it isn't a choice between being vulnerable or turning away business. There are middle grounds: eg, ask for ID.

Of course, you also have to take into account the cost of designing such a measure and promulgating the policy. Until this active attack makes the conditions of fraud and a down system correlate, it wasn't worth doing anything.

guest • October 27, 2014 3:37 PM

When my web and IRL feeds seem to be distorted from the real world, who, online or off, can I go to, who will be honest and will be motivated and competent to verify whether there is indeed a problem? (If anyone is responding here, I am not seeing it. Yes, I realize this is not the optimal place to be asking. No, I do not know where a better place would be.)

Homer Simpson • October 27, 2014 7:58 PM

D'oh!

This expression is solely the author's and does not represent the views of my employer.

bob • October 28, 2014 6:18 AM

@Douglas Knight

That might work in the land of the free, but ID's not carried by default in civilised countries.

Clive Robinson • October 28, 2014 6:48 AM

@ Bob,

I cannot think of any country, civilized or not, where not carrying ID does not have negative consequences.

Take the UK for instance: there is a whole gamut of things the police can legitimately stop you for and ask you questions about, including your name etc. If you cannot provide that to their satisfaction then they can detain you until they are satisfied. Thus having official photo ID on you negates that possibility and you are allowed to continue on your way. It also has a side effect that, having identified yourself, you can verify or vouch for others to the same effect.

The only place I had problems was in a well known European holiday destination, where they had at the time the quaint policy of you having to leave your passport at the hotel reception until the local government agent had come around and looked at it "for the records". Since I could not sleep due to jet lag, I decided to go for a walk before breakfast, and I was stopped by a bored police officer who asked me why I was out and about at such a time. The upshot was he walked me back to the hotel where the receptionist got my passport, during which time the police officer was given a cup of coffee by the hotel staff in such a practiced manner I could see that the coffee was of more interest to the officer than me...

paul • October 28, 2014 9:07 AM

Typically when communication is lost, the default isn't "approve everything", it's "approve everything below a fairly reasonable limit". (I'm actually a little surprised at the size of the thefts here, but what with the need to allow fillups of trucks and purchase of random overpriced food items...)

So as a scam this is effective but also limited in interesting ways. To make money from it, you need physical credit cards, (at least) two perpetrators, at least one prior visit to scope out the antenna location, and a fence for the goods you end up with. Makes much more sense for an organized gang (with semi-disposable people doing the visible crime) than for an individual entrepreneur.
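As an added illustration (not code from the post or any commenter) of the trade-off paul describes, the toy model below compares a plain fail-open terminal with one that applies a floor limit while offline, plus an assumed per-card offline cap, and with a fail-closed terminal. It measures how much a revoked card can be approved for while the verification host is unreachable; all limits, names and the card identifier are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class StandInPolicy:
    """Toy stand-in rules for a terminal whose verification host is unreachable.
    The limits are constructed assumptions, not any real processor's values."""
    fail_open: bool = True               # accept anything at all while offline?
    floor_limit: float = 50.0            # largest single offline approval
    offline_cap_per_card: float = 100.0  # cumulative offline approvals per card
    offline_spent: dict = field(default_factory=dict)

    def authorize(self, card: str, amount: float, host_reachable: bool,
                  revoked: set) -> tuple:
        """Return (decision, reason). `revoked` stands in for the host's hot
        list, which the terminal can only consult while the link is up."""
        if host_reachable:
            if card in revoked:
                return ("DECLINE", "card revoked")
            return ("APPROVE", "online")
        # Link is down: an outage, or the jamming attack from the post.
        if not self.fail_open:
            return ("DECLINE", "host unreachable, fail-closed")
        if amount > self.floor_limit:
            return ("DECLINE", "above floor limit while offline")
        spent = self.offline_spent.get(card, 0.0)
        if spent + amount > self.offline_cap_per_card:
            return ("DECLINE", "per-card offline cap reached")
        self.offline_spent[card] = spent + amount
        return ("APPROVE", "stand-in")


def exposure_during_outage(policy: StandInPolicy, card: str,
                           amounts: list) -> float:
    """Total value a revoked card gets approved while the host is down."""
    total = 0.0
    for amount in amounts:
        decision, _ = policy.authorize(card, amount, False, {card})
        if decision == "APPROVE":
            total += amount
    return total


if __name__ == "__main__":
    attempts = [40.0, 40.0, 40.0, 60.0]  # constructed sequence of fill-ups
    card = "4111-revoked"                # constructed placeholder card id
    inf = float("inf")
    print("no limits  :", exposure_during_outage(
        StandInPolicy(floor_limit=inf, offline_cap_per_card=inf), card, attempts))
    print("floor + cap:", exposure_during_outage(StandInPolicy(), card, attempts))
    print("fail-closed:", exposure_during_outage(StandInPolicy(fail_open=False),
                                                   card, attempts))
```

The numbers make the point of the thread concrete: the same outage yields 180, 80 or 0 in approved spend for a revoked card depending only on the stand-in policy, which is the lever the retailer actually controls.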

Les • October 28, 2014 10:15 AM

You also need an area that doesn't have good cell or wired coverage. Satellite backup for credit card transactions isn't all that common.

Sancho_P • October 28, 2014 12:11 PM

@ Clive Robinson: Got ya, you’ve been in Spain!

Where I live you can’t use a credit card without showing a picture ID.
We have too many crooks - sorry, tourists here ;-)
When using my wife’s card I often have some problems doing so, especially at the gas station, and while talking to me in a friendly way, they will hold the credit card and ID close to their desk - and there is an automated camera to take a picture of both; you wouldn’t notice that, but as I frequently try …

They also have a camera and license plate reader integrated into their system, the car’s registration number is being displayed at their computer monitor next to the pump details.
Of course they will delete / anonymize all private data when you leave the station …

Thanks @ bob for the civilized country, though!

vas pup • October 28, 2014 2:10 PM

@Bruce Schneier • October 27, 2014 3:19 PM:
"...it is probably cheaper to allow the occasional fraud than to lose all of the legitimate transactions when there's an actual service outage".
As long as it is cheaper for the business, and the responsibility/burden for fraud is not transferred to the pool of honest customers, I agree. Otherwise - dissent. My impression is that such losses are usually covered by transferring and spreading them onto honest customers. It reminds me of when, in the recent past, a private hospital provided medical service to a person with no insurance coverage and no assets. In that case the money spent is distributed to others who have coverage or assets by charging them more.

Daniel Olive • December 24, 2014 9:52 AM

@Clive Robinson

People, even those who normally carry ID, might quite reasonably fill up and not have ID. For example, the last time I bought petrol, I didn't have my photocard licence on me. I'd lost it. I wouldn't have known they would want to see ID when I filled up. Their choice then would be to be paid, or not.
