Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank—except, he wasn’t really calling his bank.
So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.
Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I’ll be that fixing the infrastructure will be expensive.
Posted on July 31, 2014 at 6:55 AM •
Well, new to us:
You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack. Just like most vulnerabilities we find these days some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.
Paper here. And news article.
Posted on September 11, 2012 at 12:38 PM •
This one is installed inside gas pumps. There’s nothing the customer can detect.
EDITED TO ADD (3/5): Pictures.
LVMPD found that one of these skimmers can be installed in eight minutes flat.
Posted on February 22, 2010 at 7:09 AM •
Ross Anderson reports:
Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.
In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?
Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.
Posted on February 1, 2010 at 6:26 AM •
This seems like a solution in search of a problem:
MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable.
Knowing that, MagTek pairs the card’s magnetic strip signature with the card user’s personal data to create a one-of-a-kind digital identifier. MagTek calls this technology MagnePrint.
Basically, each card gets a “fingerprint” of the magnetic strip printed on it. And the reader (merchant terminal, ATM, whatever) verifies not only the card information, but the fingerprint as well. So a thief can’t skim your card information and make another card.
I see a couple of issues here. One, any fraud solution that requires the credit card companies to issue new readers simply isn’t going to happen in the U.S. If it were, we’d have embedded chips in our credit cards already. Trying to convince the merchants to type additional data in by hand isn’t going to work, either. We finally got merchants to type in a 3–4 digit CVV code—that basically does the same thing as this idea (albeit with less security).
Two, physically cloning cards is much less of a threat than virtually cloning them: buying things over the phone and Internet, etc. Yes, there are losses here, but I’m sure they’re not great enough to justify all of this infrastructure change.
Still, a clever security idea. I expect there’s an application for this somewhere.
Posted on December 18, 2009 at 6:32 AM •
Interesting story of a 2006 Wal-Mart hack from, probably, Minsk.
Posted on October 27, 2009 at 7:42 AM •
“Optimised to Fail: Card Readers for Online Banking,” by Saar Drimer, Steven J. Murdoch, and Ross Anderson.
The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.
EDITED TO ADD (3/12): More info.
Posted on March 5, 2009 at 12:45 PM •
The readers were hacked when they were built, “either during the manufacturing process at a factory in China, or shortly after they came off the production line.” It’s being called a “supply chain hack.”
Sophisticated stuff, and yet another demonstration that these all-computer security systems are full of risks.
BTW, what’s it worth to rig an election?
Posted on October 14, 2008 at 1:44 PM •
This both is and isn’t news. In the security world, we knew that replacing credit card signatures with chip and PIN created new vulnerabilities. In this paper (see also the press release and FAQ), researchers demonstrated some pretty basic attacks against the system—one using a paper clip, a needle, and a small recording device. This BBC article is a good summary of the research.
And also, there’s also this leaked chip and PIN report from APACS, the UK trade association that has been pushing chip and PIN.
Posted on March 12, 2008 at 2:12 PM •
We discuss credit card data centers getting hacked; why banks getting hacked doesn’t make mainstream media; reissuing bank cards; how much he makes cashing out bank cards; how banks cover money stolen from credit cards; why companies are not cracking down on credit card crimes; how to prevent credit card theft; ATM scams; being “legit” in the criminal world; how he gets cash out gigs; getting PINs and encoding blank credit cards; how much money he can pull in a day; e-gold; his chances of getting caught; the best day to hit the ATMs; encrypting ICQ messages.
Posted on June 5, 2006 at 6:23 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.