This seems like a solution in search of a problem:
MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable.
Knowing that, MagTek pairs the card’s magnetic strip signature with the card user’s personal data to create a one-of-a-kind digital identifier. MagTek calls this technology MagnePrint.
Basically, each card gets a “fingerprint” of the magnetic strip printed on it. And the reader (merchant terminal, ATM, whatever) verifies not only the card information, but the fingerprint as well. So a thief can’t skim your card information and make another card.
I see a couple of issues here. One, any fraud solution that requires the credit card companies to issue new readers simply isn’t going to happen in the U.S. If it were, we’d have embedded chips in our credit cards already. Trying to convince the merchants to type additional data in by hand isn’t going to work, either. We finally got merchants to type in a 3–4 digit CVV code — that basically does the same thing as this idea (albeit with less security).
Two, physically cloning cards is much less of a threat than virtually cloning them: buying things over the phone and Internet, etc. Yes, there are losses here, but I’m sure they’re not great enough to justify all of this infrastructure change.
Still, a clever security idea. I expect there’s an application for this somewhere.
Posted on December 18, 2009 at 6:32 AM
Interesting story of a 2006 Wal-Mart hack from, probably, Minsk.
Posted on October 27, 2009 at 7:42 AM
It’s not just hackers who steal financial and medical information:
Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an “online community” for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.
To join the “My SHC Community,” users downloaded software that ended up grabbing some members’ prescription information, emails, bank account data and purchases on other sites.
Reminds me of the 2005 Sony rootkit, which — oddly enough — is in the news again too:
After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.
Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.
The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it.
The court ordered the retailer of the CD to pay damages of 1,200 euros.
Posted on September 24, 2009 at 6:37 AM
For all of you who want to scam your company’s expense reimbursement system.
I’ve heard of sites where you give them a range of dates and a city, and they give you a full set of receipts for a trip to that city: airfare, hotel, meals, everything — but I can’t find a website.
Posted on June 26, 2009 at 1:16 PM
It’s called “sweethearting”: when cashiers pass free merchandise to friends. And some stores are using security cameras to detect it:
Mathematical algorithms embedded in the stores’ new security system pick out sweethearting on their own. There’s no need for a security guard watching banks of video monitors or reviewing hours of grainy footage. When the system thinks it’s spotted evidence, it alerts management on a computer screen and offers up the footage.
Big Y’s security system comes from a Cambridge, Mass.-based company called StopLift Inc. The technology works by scouring video pixels for various gestures and deciding whether they add up to a normal transaction at the register or not.
How good is it? My guess is that it’s not very good, but this is an instance where that may be good enough. As long as there aren’t a lot of false positives — as long as a person can quickly review the suspect footage and dismiss it as a false positive — the cost savings might be worth the expense.
Posted on May 13, 2009 at 7:55 AM
“Optimised to Fail: Card Readers for Online Banking,” by Saar Drimer, Steven J. Murdoch, and Ross Anderson.
The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.
EDITED TO ADD (3/12): More info.
Posted on March 5, 2009 at 12:45 PM
Surely this isn’t new:
Suspects entered the business and selected merchandise worth almost $8,000. They handed a credit card with no financial backing to the clerk, which, when swiped, was rejected by the cash register’s computer. The suspects then informed the clerk that this rejection was expected and to contact the credit card company by phone to receive a payment approval confirmation code. The clerk was then given a number to call, which was answered by another person in the scam who approved the purchase and gave a bogus confirmation number. The suspects then left the store with the unpaid-for merchandise.
Anyone reading this blog would know enough not to call a number given to you by the potential purchaser, but presumably many store clerks don’t have good security sense.
Posted on January 19, 2009 at 1:23 PM
From the New York Times:
Police departments across the country say that shoplifting arrests are 10 percent to 20 percent higher this year than last. The problem is probably even greater than arrest records indicate since shoplifters are often banned from stores rather than arrested.
Much of the increase has come from first-time offenders like Mr. Johnson making rash decisions in a pinch, the authorities say. But the ease with which stolen goods can be sold on the Internet has meant a bigger role for organized crime rings, which also engage in receipt fraud, fake price tagging and gift card schemes, the police and security experts say.
Shoplifters also seem to be getting bolder, according to industry surveys.
Thieves often put stolen items in bags lined with aluminum foil to avoid detection by the storefront alarms. Others work in teams, with a decoy who tries to look suspicious to draw out undercover security agents and attract the attention of security cameras, the police said.
“We’re definitely seeing more sprinters,” said an undercover security guard at Macy’s near Oakland, Calif., referring to shoplifters who make a run for the door.
A previous post listed the most frequently shoplifted items: small, expensive things with a long shelf life.
EDITED TO ADD (1/13): Maybe shoplifting isn’t on the rise after all.
Posted on December 29, 2008 at 2:52 PM
It’s not a new scam to switch bar codes and buy merchandise for a lower value, but how do you get away with over $1M worth of merchandise with this scam?
In a statement of facts filed with Tidwell’s plea, he admitted that, during one year, he and others conspired to steal more than $1 million in merchandise from large retailers and sell the items through eBay. The targeted merchandise included high-end vacuum cleaners, electric welders, power winches, personal computers, and electric generators.
Tidwell created fraudulent UPC labels on his home personal computer. Conspirators entered various stores in Ohio, Illinois, Indiana, Pennsylvania and Texas and placed the fraudulent labels on merchandise they targeted, and then bought the items from the store. The fraudulent UPC labels attached to the merchandise would cause the item to be rung up for a price far below its actual retail value.
That requires a lot of really clueless checkout clerks.
EDITED TO ADD (11/7): Video of talk on barcode hacks.
Posted on October 31, 2008 at 6:43 AM
The readers were hacked when they were built, “either during the manufacturing process at a factory in China, or shortly after they came off the production line.” It’s being called a “supply chain hack.”
Sophisticated stuff, and yet another demonstration that these all-computer security systems are full of risks.
BTW, what’s it worth to rig an election?
Posted on October 14, 2008 at 1:44 PM