Bill_MI (MVM, join:2001-01-03, Royal Oak, MI) to state:
Re: CC companies threaten Discovery over Mythbusters Show

I always liked this article: »boingboing.net/2008/03/1 ··· -an.html

Though they did a little stretching, the vulnerability is very real. It shows how solid security takes a back seat to marketing by these 3rd party payment system scums.

Mango (Premium Member, join:2008-12-25, www.toao.net):
"A secure system would have had the decryption happen way back in a banking institution."

Just what I said!

Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Mango:
Sounds like you have a chip and pin debit card, right?

I hate debit cards.

I hate chip and pin cards be they debit or credit.

You should have CREDIT CARDS only. NO Pin needed. Your RFID CREDIT card should have dynamic CVV. Dynamic CVV became available last year, and the card I was sent when mine was up for renewal is one of the first cards in the USA to have dynamic CVV. With this card, you do not use a pin at the terminal. You pass/wave the card very close to the terminal and that is it. It never leaves your hand, and for purchases under $50 there is no signing and no receipt, and Dynamic CVV is in play. The place where you have to be careful is online purchases at websites too lazy to check CVV, but then the onus is on them if there is a problem.

»Re: RFID chip in credit cards -anything changed?

You should never use a CREDIT card in your bank's ATM terminal. Have the bank issue a SEPARATE ATM card that has a Pin and use that in the bank's terminals. Use your credit card for credit purchases only. Decline the "do you want cash back?" crap, which generally has three times the interest rate for credit purchases on the card.

Pay your credit card in full every month if you want to avoid interest. This is MUCH safer, in the USA, than using a debit card because you don't want interest on your credit card.

The thread I linked to above has some posts in claiming the USA is moving very fast to Chip and Pin credit cards. That's hooey. I just got two more newly issued credit cards from large banks (mine were expiring soon) and BOTH of them are ordinary, old-fashioned magnetic stripe cards which are not as safe as Chase's new RFID with dynamic CVV card. Of course, no card is totally safe and there is always the possibility of one losing it/having it stolen. Because these cards are not totally safe, it is best to never use debit cards as they do NOT have the protections that credit cards have (now someone will post and say they do...but they do NOT).

My "I See People" is configured to NOT show the location of the poster. I just now (after writing the above) went to your member page and I see now that much of what I said above does not apply to you because you are in the UK. You have those awful pin and chip cards that the USA will never have, at least, nothing like UK's. (It's all discussed in the thread I linked above).

Mango (Premium Member):
I'm Canadian - I have a chip and pin credit card. Going to read the thread you linked right now.

Mister_E (Member, join:2004-04-02, Etobicoke, ON) to Mango:
said by Mango:

When I use an RFID chip card, I enter my PIN, and the terminal instantly says whether or not I've entered it correctly. Only then does the POS phone home to the payment processor and verify there are funds available.

Incorrect. Current VISA standards require that the PIN entered on the keypad (or pinpad) be encrypted AT the keypad. The encrypted PIN is then transmitted to the card processor, where it's decrypted and verified to match the PIN associated with the cardholder account. Also, contrary to most people's beliefs, the card DOES NOT contain any PIN data on it.

Prior to this, the PIN used to be encrypted by the device's CPU before being transmitted. This caused concern, since PIN data from a keypad could be intercepted prior to encryption by the system.

Of course, a current pinpad that's been hacked/modified will still defeat this.
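An added example (not from this thread, nor any vendor's or issuer's code) of the flow Mister_E describes: the PIN pad forms an ISO 9564 format-0 PIN block, encrypts it under a key that only the PIN-entry device and the processor hold, the POS merely relays the ciphertext, and the host decrypts it and checks the PIN against a verification value it stores. The PAN, PIN and keys are constructed values, the HMAC-derived keystream is a stand-in for the TDES/AES (typically DUKPT) encryption a real PIN pad uses, and the function names are mine.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample values, not real card data: a PAN from the Visa test
# range and a made-up PIN. The PIN-pad key is shared only between the
# PIN-entry device and the processor host; POS software never holds it.
PAN = "4111111111111111"
PINPAD_KEY = secrets.token_bytes(32)
HOST_PIN_KEY = secrets.token_bytes(32)


def _pan_field(pan: str) -> bytes:
    # ISO 9564 format 0: 0000 + the 12 rightmost PAN digits, excluding the check digit
    return bytes.fromhex("0000" + pan[-13:-1])


def iso9564_format0_block(pin: str, pan: str) -> bytes:
    """Clear PIN block as formed inside the PIN pad: PIN field XOR PAN field."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Inverse of the above; only the host, after decryption, ever calls this."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


def _keystream(key: bytes, nonce: bytes) -> bytes:
    # Stand-in for the TDES/AES (DUKPT) encryption a real PIN pad uses: an
    # 8-byte keystream derived from a per-message nonce, XORed over the block.
    return hmac.new(key, nonce, hashlib.sha256).digest()[:8]


def pinpad_encrypt(pin: str, pan: str, key: bytes = PINPAD_KEY) -> tuple[bytes, bytes]:
    """What leaves the PIN pad: (nonce, encrypted PIN block). No clear PIN."""
    nonce = secrets.token_bytes(16)
    block = iso9564_format0_block(pin, pan)
    ct = bytes(a ^ b for a, b in zip(block, _keystream(key, nonce)))
    return nonce, ct


def pos_forward(nonce: bytes, ct: bytes) -> dict:
    """The POS only relays the opaque ciphertext to the processor."""
    return {"nonce": nonce, "epb": ct}


def enroll_pin(pan: str, pin: str, key: bytes = HOST_PIN_KEY) -> bytes:
    """Host-side PIN verification value; the card itself stores nothing."""
    return hmac.new(key, (pan + pin).encode(), hashlib.sha256).digest()


def host_verify(pan: str, msg: dict, pvv: bytes,
                pinpad_key: bytes = PINPAD_KEY, host_key: bytes = HOST_PIN_KEY) -> bool:
    """Processor: decrypt the PIN block, recover the PIN, compare to the stored PVV."""
    block = bytes(a ^ b for a, b in zip(msg["epb"], _keystream(pinpad_key, msg["nonce"])))
    try:
        pin = pin_from_block(block, pan)
    except ValueError:
        return False
    return hmac.compare_digest(enroll_pin(pan, pin, host_key), pvv)


def demo() -> dict:
    """Correct PIN is accepted, wrong PIN is rejected; the POS saw only ciphertext."""
    pvv = enroll_pin(PAN, "1234")
    nonce, ct = pinpad_encrypt("1234", PAN)
    good = host_verify(PAN, pos_forward(nonce, ct), pvv)
    nonce, ct = pinpad_encrypt("4321", PAN)
    bad = host_verify(PAN, pos_forward(nonce, ct), pvv)
    return {"correct_pin": good, "wrong_pin": bad}
```

The point of the split is that `pos_forward` has nothing to decrypt with: a compromised POS sees a different 8-byte ciphertext on every entry and cannot recover the PIN, which is exactly the exposure the older encrypt-in-the-register design had. A modified PIN pad, as the post notes, sits before encryption and is not covered by this.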

Mango (Premium Member):
Interesting; so how does the system know my PIN is ok before it dials out? This is something I'd be delighted to be wrong about.


kickass69 (Member, join:2002-06-03, Lake Hopatcong, NJ) to trparky:
Thing is, there should be an option to turn off NFC completely for those who choose not to use it. Short of removing the NFC chip from the phone itself, that seems impossible. As TomR_in_MI states, I have a regular 'feature' flip phone, as they call it; I've been using the same one for 5 and a half years and don't intend to ever switch to a smartphone. If it comes down to nothing but smartphones, at that point I'll go without a cell, as I'm not tethered to needing one.


IIIBradIII (Member, join:2000-09-28, Greer, SC) to Mango:
said by Mango:

A follow-up question: are the rules for fraudulent swipe/sign transactions the same as the rules for fraudulent chip/pin transactions?

Let's say someone looks over my shoulder as I enter my PIN, then mugs me for my Visa, and uses it before I can cancel it. Who pays?

We only do eCommerce and MOTO, so I've never actually accepted a chip card from a customer.

Again, the merchant where the fraudulent transaction occurs is the one who pays here. Perp mugs you, runs over to XYZ Department Store and purchases a stereo. The store that accepted the purchase is on the hook for everything - original sales price + sales tax, transaction fees (1-5%, depending on the issuer), chargeback fees (often exceeding $40 *per* fraudulent transaction), plus the actual product (the stereo) they sold. The card issuer refunds you (the mugged cardholder) back the original transaction total, and they pocket all of the above fees.

Now, multiply this scenario by the thousands (millions?) of fraudulent transactions that occur daily (perps use and abuse cards multiple times until they are stopped) and you can see how little impetus the card issuers really have to prevent fraud.

IIIBradIII (Member) to Snowy:
said by Snowy:

said by IIIBradIII:

When fraud occurs, the merchant (the store the perp purchased from) pays out processing fees, chargeback fees, the original sales price, plus has already lost the original product/service that was purchased. The card issuers pocket the processing & chargeback fees and walk away smiling.

Whoa! Slow that pony down!
That can be true in the case of an online merchant but if it happened "face-to-face" with the cardholder signing in the presence of the merchant, the issuing bank is generally liable.
Another area where the issuers are eating it is in fraudulent ATM withdrawals.
Trust me, the banks do not profit off of fraudulent use of CC/debit cards, period.

Online merchants face the steepest uphill battle, but face-to-face transaction chargeback "protections" are of little help to B&M merchants, since they require evidence that the card and cardholder were present. If the thief just scribbles like most of them do for the signature, the merchant can still be on the hook for all of the above.

MaynardKrebs (Premium Member, join:2009-06-17) to Mango:
said by Mango:

A follow-up question: are the rules for fraudulent swipe/sign transactions the same as the rules for fraudulent chip/pin transactions?

Let's say someone looks over my shoulder as I enter my PIN, then mugs me for my Visa, and uses it before I can cancel it. Who pays?

Consumer pays because, "You've lost control of your PIN**".

[In Canada] Current regulations limit a card holder's liability for most unauthorized transactions on a lost or stolen credit card to either $50 or the maximum set by the credit agreement. That $50 limit, however, does not apply when a PIN is used for a credit card transaction at a bank machine such as for a cash advance.

Technological advancements suggest there are no longer legitimate grounds to distinguish between PIN-based transactions at bank machines and at cash registers, the CBA said. Also, it wants the $50 liability cap scrapped completely.

**Canadian Bankers Association to the Senate Banking, Trade and Commerce Committee, Ottawa, 2010-11-23

»pqasb.pqarchiver.com/the ··· d+liable


Snowy (Premium Member, join:2003-04-05, Kailua, HI) to IIIBradIII:
said by IIIBradIII:

If the thief just scribbles like most of them do for the signature, the merchant can still be on the hook for all of the above.

A thief is not going to draw attention to themselves with a scribbled signature. There's 2 scenarios for a B&M fraudulent transaction.
1. Possession of a lost/stolen card.
2. An encoded blank masquerading as a real card.
The thief has control of the signature in both cases, it's one of their strong points in the transaction.
They're not giving up at that point by scribbling the signature.
Again in a 'face to face' transaction the card issuer is generally liable.


IIIBradIII (Member, join:2000-09-28, Greer, SC):
said by Snowy:

said by IIIBradIII:

If the thief just scribbles like most of them do for the signature, the merchant can still be on the hook for all of the above.

A thief is not going to draw attention to themselves with a scribbled signature. There's 2 scenarios for a B&M fraudulent transaction.
1. Possession of a lost/stolen card.
2. An encoded blank masquerading as a real card.
The thief has control of the signature in both cases, it's one of their strong points in the transaction.
They're not giving up at that point by scribbling the signature.
Again in a 'face to face' transaction the card issuer is generally liable.

In my experience, the thief isn't concerned that a signature is going to draw any attention - he knows he's in a race against time. Not time until his own discovery due to signatures or otherwise, but rather time until the transactions themselves are discovered.

But regardless of how often merchants are assured of their limited exposure by issuers, issuers are generally loath to accept responsibility and instead use items such as a signature mismatch to hold merchants liable for the transaction.


Snowy (Premium Member, join:2003-04-05, Kailua, HI):
said by IIIBradIII:

But regardless of how often merchants are assured of their limited exposure by issuers, issuers are generally loathe to accept responsibility and instead use items such as a signature mismatch to hold merchants liable for the transaction.

That's cool, we've got differing beliefs on the matter.


Steve (join:2001-03-10, Tustin, CA) to Snowy:
said by Snowy:

A thief is not going to draw attention to themselves with a scribbled signature.

In spite of paying attention to this issue for years, I cannot remember a time when I saw a clerk actually compare my signature with that on the card, and in many cases the clerk has actually returned the card to me before I've even gone to sign anything.

The disregard for Visa/MC rules in this respect is extraordinary.


EGeezer (Premium Member, join:2002-08-04, Midwest):
When I go to Staples, the clerk always sees the "check ID" I wrote in the sig line and asks me for my ID.

However, my signature is illegible most of the time if not always, but that doesn't seem to be an issue with anyone taking the card.

Mele20 (Premium Member, join:2001-06-05, Hilo, HI):
said by EGeezer:

When I go to Staples, the clerk always sees the "check ID" I wrote in the sig line and asks me for my ID

However, my signature is illegible most of the time if not always, but that doesn't seem to be an issue with anyone taking the card.

Yep. No one looks at a signature on a card. But if you have SEE ID instead, or as well as a signature on the card, the vast majority of clerks at any store ask to see your ID.

I had one recently look at my pic on the card. She told me I should have the pic updated! It is about 12-13 years old. The bank just sent me a new card (came the very day she made the comment) or I would go get a new pic. I think the bank would balk though since they just issued a new card. (I was surprised to get a new card as I didn't even realize the current expired this month).


Snowy (Premium Member, join:2003-04-05, Kailua, HI) to Steve:
said by Steve:

The disregard for Visa/MC rules in this respect is extraordinary.

Yes, it's endemic.
Not to beat it to death but...
That in itself is a good indication that retailers are not regularly taking it in the butt for B&M charge backs with dis-similar signatures being the cause.


Thaler (Premium Member, join:2004-02-02, Los Angeles, CA) to state:
Eh, RFID is secure enough that most places I know of with the readers DON'T accept them for payment authorization. They have the capacity and means to read them, but for fraud/security/liability sake, they opt to disable them & have customers swipe their cards.

Honestly, it's once in a blue moon I can find a store with a RFID reader that's actually enabled.

Kearnstd (Premium Member, join:2002-01-22, Mullica Hill, NJ) to Steve:
said by Steve:

said by Snowy:

A thief is not going to draw attention to themselves with a scribbled signature.

In spite of paying attention to this issue for years, I cannot remember a time when I saw a clerk actually compare my signature with that of the card, and in many cases has actually returned the card to me before I've even gone to sign anything.

The disregard for Visa/MC rules in this respect is extraordinary.

Most retail places I have been to, at least the big stores, just use the slide-it-yourself machines. And I can tell you this: at no point in cashier training, when I did my stint at the supermarket, were we ever told to hold the card.

ryusoma (Member, join:2006-09-30, Edmonton, AB) to state:
I've wondered how the chip/PIN and RFID encryption used in credit cards compare to that used by the Japanese FeLiCa RFID system developed by Sony?

FeLiCa has been used for over 10 years now in Japan for the regional rail-pass cash cards (PASSMO, SuiCa, ICoCa, etc) and Hong Kong's Octopus and London's Oyster cards. None of these have been cracked yet to my knowledge, and have been performing millions of transit and retail transactions daily.

I've had Suica and Octopus cards during travel in Japan and HK, and they're utilized EVERYWHERE, from trains and buses to vending machines, convenience stores, grocery stores and payphones.

noname4 (Member, join:2012-02-07):
I don't know anything about the credit card RFID implementation specifics, but in general designing a reasonably secure RFID+password/pin system is not that hard, especially with cheap low-power crypto processors available today. I have worked on such a system, and in the end it comes down to fairly straightforward challenge-response authentication between the RFID key, the terminal and the back-end + some industry standard tamper-resistant hardware for storing keys.

The back-end authenticates both the RFID key and the terminal before authorizing the transaction. The challenge-response authentication ensures that the attacker cannot do anything with simple sniffing and the tamper-resistant hardware ensures that the only way to copy the keys from the card or the terminal (which is needed for impersonating them) is invasive, expensive and slow.

It is still possible for the attacker to see your pin as you enter it and then steal your key but then the owner would report it stolen immediately (there is an automatic system that lets them do that quickly).

This may not be perfect but it is much more secure than the magnetic stripe cards which are trivial to passively copy without your knowledge.
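As an added example, not code from noname4's system or from any issuer: the three-party challenge-response noname4 outlines, with the card's and terminal's keys modelled as objects that never expose them, and a backend that issues single-use challenges and verifies both MACs before authorizing. It then shows the two attacks the post alludes to failing: replaying a sniffed transaction, and forging a card response without the card's key. Keys, identifiers and amounts are constructed values; HMAC-SHA256 stands in for whatever MAC the real system uses, and all names are mine.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed fields, so no two field layouts collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


class Card:
    """Stand-in for the card's tamper-resistant chip: the key never leaves it."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes, amount: bytes) -> bytes:
        return _mac(self._key, b"card", self.card_id, challenge, amount)


class Terminal:
    """Stand-in for the terminal's secure module; it countersigns the card's response."""
    def __init__(self, terminal_id: bytes, key: bytes):
        self.terminal_id = terminal_id
        self._key = key

    def countersign(self, card_id: bytes, challenge: bytes, amount: bytes, card_mac: bytes) -> bytes:
        return _mac(self._key, b"term", self.terminal_id, card_id, challenge, amount, card_mac)


class Backend:
    """Issues single-use challenges and checks both MACs with its copies of the keys."""
    def __init__(self):
        self.card_keys = {}       # card_id -> key (held in the issuer's HSM in practice)
        self.terminal_keys = {}   # terminal_id -> key
        self.outstanding = set()  # challenges issued but not yet consumed

    def enroll(self, card: Card, card_key: bytes, terminal: Terminal, terminal_key: bytes) -> None:
        self.card_keys[card.card_id] = card_key
        self.terminal_keys[terminal.terminal_id] = terminal_key

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def authorize(self, terminal_id, card_id, challenge, amount, card_mac, term_mac) -> bool:
        if challenge not in self.outstanding:
            return False                      # never issued, or already consumed (replay)
        self.outstanding.discard(challenge)   # single use, even if the MACs turn out bad
        ck = self.card_keys.get(card_id)
        tk = self.terminal_keys.get(terminal_id)
        if ck is None or tk is None:
            return False
        if not hmac.compare_digest(_mac(ck, b"card", card_id, challenge, amount), card_mac):
            return False                      # card did not prove it holds its key
        return hmac.compare_digest(
            _mac(tk, b"term", terminal_id, card_id, challenge, amount, card_mac), term_mac)


def transact(backend: Backend, terminal: Terminal, card: Card, amount: int):
    """Honest flow. Returns (approved, wire) where wire is everything a sniffer could capture."""
    amt = str(amount).encode()
    challenge = backend.challenge()
    card_mac = card.respond(challenge, amt)
    term_mac = terminal.countersign(card.card_id, challenge, amt, card_mac)
    wire = (terminal.terminal_id, card.card_id, challenge, amt, card_mac, term_mac)
    return backend.authorize(*wire), wire


def replay(backend: Backend, wire: tuple) -> bool:
    """Attacker resubmits a sniffed transaction verbatim."""
    return backend.authorize(*wire)


def forge(backend: Backend, terminal: Terminal, card_id: bytes, amount: int) -> bool:
    """Attacker controls a terminal and knows the card id, but not the card key."""
    amt = str(amount).encode()
    challenge = backend.challenge()
    fake_card_mac = _mac(secrets.token_bytes(32), b"card", card_id, challenge, amt)
    term_mac = terminal.countersign(card_id, challenge, amt, fake_card_mac)
    return backend.authorize(terminal.terminal_id, card_id, challenge, amt, fake_card_mac, term_mac)


def demo() -> dict:
    backend = Backend()
    card_key, term_key = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    card, terminal = Card(b"CARD-0001", card_key), Terminal(b"TERM-17", term_key)
    backend.enroll(card, card_key, terminal, term_key)
    approved, wire = transact(backend, terminal, card, 1999)
    return {
        "honest": approved,
        "replayed": replay(backend, wire),
        "forged_without_card_key": forge(backend, terminal, card.card_id, 1999),
        "honest_again": transact(backend, terminal, card, 2599)[0],
    }
```

Because the amount is inside both MACs, a sniffer who alters it in transit is rejected as well; what this model does not cover is the attack noname4 names last, a shoulder-surfed PIN plus the physical card, which no amount of cryptography on the card stops and which only the report-it-stolen path addresses.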

MaynardKrebs (Premium Member, join:2009-06-17) to ryusoma:
said by ryusoma:

I've wondered how the chip/PIN and RFID encryption used in credit cards compare to that used by the Japanese FeLiCa RFID system developed by Sony?

FeLiCa has been used for over 10 years now in Japan for the regional rail-pass cash cards (PASSMO, SuiCa, ICoCa, etc) and Hong Kong's Octopus and London's Oyster cards. None of these have been cracked yet to my knowledge, and have been performing millions of transit and retail transactions daily.

Oyster card hacked
»news.bbc.co.uk/2/hi/prog ··· 5292.stm


jester121 (Premium Member, join:2003-08-09, Lake Zurich, IL) to EGeezer:
said by EGeezer:

When I go to Staples, the clerk always sees the "check ID" I wrote in the sig line and asks me for my ID

However, my signature is illegible most of the time if not always, but that doesn't seem to be an issue with anyone taking the card.

Both you and the vendor are in violation of the issuer's terms then. Writing "Ask for ID" makes a card invalid, and accepting a card with that written in the signature block puts the vendor at risk.

19579823 (banned) (Member, join:2003-08-04) to state:

quote:
I ran across an interesting article on Gizmodo tonight about several credit card companies (VISA, American Express and Discover) threatening to pull advertising from the Discovery Channel if they aired a Mythbusters special about RFID technology and how susceptible it may be to hacking and tracking.
Screw them..... IT'S THE TRUTH!!!!

This garbage shouldn't be used............ I HOPE THEY DO EXPOSE IT ON THEIR SHOW!!!!


EGeezer (Premium Member, join:2002-08-04, Midwest) to jester121:

said by jester121:

Both you and the vendor are in violation of the issuer's terms then. Writing "Ask for ID" makes a card invalid, and accepting a card with that written in the signature block puts the vendor at risk.

I need to see the contract. I wrote the signature and "check ID" in the block. If you can point me to a VISA or MC CC issuer link that specifically forbids it, I'd be pleased to read it.


wapu (Premium Member, join:2001-09-05, Albion, NY) to jester121:
said by jester121:

said by EGeezer:

When I go to Staples, the clerk always sees the "check ID" I wrote in the sig line and asks me for my ID

However, my signature is illegible most of the time if not always, but that doesn't seem to be an issue with anyone taking the card.

Both you and the vendor are in violation of the issuer's terms then. Writing "Ask for ID" makes a card invalid, and accepting a card with that written in the signature block puts the vendor at risk.

What he said.

As for who pays, it is the merchant.

It is not enough that there is a signature. For about the past year, I have seen a ton of rebuttals (that is where the merchant gets to dispute the chargeback) get denied because the card was not swiped. One of my former clients went to a policy where if the card does not swipe on a transaction for more than $50, they will not take the card.

AMEX has the highest fees and charges the merchant in both directions. If the merchant accepts payment they pay, and if they return to the AMEX they pay again. I had a client sell a $100,000 fur coat to a lady on an AMEX. They paid $3,000 to AMEX. She brought the coat back a week later. They returned $100,000 to her card and got hit for $3,000 again. They paid AMEX $6,000 so this lady could wear a fur coat for a week. Of course, the $10,000,000 in fur she had purchased in the previous 4 years made it a little easier to pay.


jester121 (Premium Member, join:2003-08-09, Lake Zurich, IL) to EGeezer:
If you signed it, then you're okay with the addendum. The prohibition is on unsigned cards.

You can download the Visa/MC merchant guidelines from their websites in a PDF and do a search.


wapu (Premium Member, join:2001-09-05, Albion, NY):
said by jester121:

If you signed it, then you're okay with the addendum. The prohibition is on unsigned cards.

You can download the Visa/MC merchant guidelines from their websites in a PDF and do a search.

Most don't sign it though. They just write "SEE ID" or something instead of the signature.

Our policy and what I typically advised when consulting was to take the card and check the ID. Not because of any security reasons, but to make the person feel better and have a better opinion of our store. Typically the type of person to write that on their credit card is the type of person who would be impressed by the retailer complying and will come back.


jester121 (Premium Member, join:2003-08-09, Lake Zurich, IL):
said by wapu:

Our policy and what I typically advised when consulting was to take the card and check the ID.

When consulting I took a different tack -- "Here's what the issuer rules are, which means if you choose to do otherwise, they can do X, Y, and Z. Your choices are to accept the card, reject the card, or do a phone verification, and C is the correct answer."

No way do I want the liability of "but you said it would be okay to break the rules!"


Steve (join:2001-03-10, Tustin, CA):
said by jester121:

When consulting I took a different tack

I'm just impressed to see somebody use "tack" correctly