Target's EasySweep – Simplifying Skimmer Detection (tech.target.com)
Seems like a lot of TLDR; :)
The article says exactly how it works.
> The usage is very simple: Insert the tool into the payment terminal’s chip card slot. If it can insert fully, the terminal is safe. If it gets stopped, there might be a skimmer!
If they find a skimmer, they will probably go back over the video until they find who put it there. Former Target security guard: "All cameras are functional and can look in any direction. Many are 4K and can zoom."
[1] https://www.paypath.com/Small-Business/why-target-is-the-wor...
Imagine that the misdemeanor — a fine and a few months in prison — would sufficiently deter an individual from ever stealing again, or at least from Target. Target's theft problem is resolved, and the individual goes on with a more abiding life.
In the actual case, Target allows this person to believe the theft is easy and rewarding. When Target preps the legal case, this person serves years in prison.
Target has lost additional inventory meanwhile, Target has paid for the case-building, the individual serves a long sentence, and the individual loses future job candidacy.
Society also pays for the prison time and must support an individual with a difficult-to-employ problem. Everybody is worse off.
I didn't read OP's paragraph and think that they intended to make Target sound bad, but I was able to make the case myself, I think.
The skimmer binds to the payment slot, some payment slots change shape to prevent skimmer binding, and now the tester-block binds to check that nothing is already bound...
(1) Terminal has a scale built into its feet/mount. It periodically weighs itself, and if (ignoring fluctuations) it weighs too much, it shuts down. It's hard to build a skimmer that weighs 0 grams.
(2) Proximity sensors in key locations on the housing. My smartphone can disable its touchscreen when I hold it against my face, so a payment terminal should be able to detect when something is covering a part that isn't supposed to be covered.
(3) Light sensors. Put some in an area where skimmers need to cover (near card slot) and others where skimmers probably can't cover (the display), and detect whether they get roughly the same amount of light.
(4) Microphones. Same idea as light sensors but with sound.
It's nice that someone got this through the default corporate deny policies.
They seem to have the sensor on the pumps, but they never work.
Why I still can't register a public key with my bank and say "do not under any circumstance honor a transaction unless it's signed with my private key" is beyond me.
Though it could just be cost given that Target could just pay for a plastic injection mold overseas and then pay peanuts yearly to make a 60k batch for their yearly renewal they mention, compared to $20*60k each time
I think the most obvious circumvention would be for the criminal enterprise to focus on altering the length of the verification devices, since an EasySweep does not appear to have a formal method to verify its own correctness. A shortened card tab on EasySweep would provide feedback that the terminal was ok since the keypad finger support presses against the terminal.
impressive.
I need a solution that lets me, the card holder, check these. This ain't it.
Hell, some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they? There's nothing mechanical for a card to touch. Target's got so many telescreen cameras in the store, they could likely get the pin numbers straight from that, no need to intercept that.
> it allows any Target team member to easily sweep a store for skimmers
I'm unclear on how this is supposed to help - unless the skimmers are being installed by frickin ninjas it seems like they already needed insider cooperation. A second guy distracting the clerk helps, too.
It is still not 100% impossible, but the "overlay" type of skimmer this protects against has been eliminated for a few years now.
But then it would cost more than their competitors. With much more maintenance for false positives, etc. And the vendor doesn't really pay the price for skimmer fraud.
1) Contactless merchant fees are lower than dip or swipe 2) Payment terminals are cheaper 3) Less fraud/shrink
This hunk of plastic from Target is a solution looking for a problem.
“Just use contactless” doesn’t work in the US.
Just yesterday a friend was commenting that he got a new credit card (old card expired) and the new one still doesn’t have contactless. Seems his bank decided it wasn’t worth it.
But that’s not all. Target gift cards don’t have contactless. Don’t think Visa/MC/AmEx gift cards do either. I bet EBT cards don’t, I think a rule requiring them to have chips was just passed.
I know other countries are ahead of us, and that major banks have been issuing chip cards for a while. But there are still a lot of people that leaves out.
And Target wants to sell to them.
When you're dealing with tens of thousands of terminals that you want to check on a regular basis across thousands of stores, having a device that verifies things quickly is a solution to a real problem.
They probably cannot make card-not-present (online) purchases since I don't think they can get the CVV.
https://krebsonsecurity.com/2021/02/checkout-skimmers-powere...
https://security.stackexchange.com/questions/151081/shimmers...
> In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards.
https://en.wikipedia.org/wiki/EMV#Opportunities_to_harvest_P...
> A payment can still be successful even if the CVC or postal code check fails. This is because card issuers take many signals into account when making a decision about whether to approve or decline a payment. In some cases, a card issuer may still approve a payment they consider legitimate, even if the CVC or postal code verification check fails.
The old mag stripe emulation mode of contactless did, but that’s legacy and many places won’t accept it and cards won’t do it.
However the good old “break the slot or chip reader so they have to use mag stripe and scan the card things the old fashioned way” technique still works great.
The actual user of the stolen card dump will cause the terminal to allow a magstripe fallback (typically with a bad chip on a fake card that won't read) -- "aw jeez my stupid chip isn't reading" is still very much a valid excuse to a cashier to go to magstripe.
I can’t remember having to fall back from the chip to a swipe in ages, and I have a couple of cards, so I could keep one as a backup with a working stripe just in case (long ago I found myself far from home and low on gas, with no cash, a dead cell phone and a “suspicious transaction” blocked credit card, and I’d rather not repeat that experience).
My understanding is: They don’t. If you stick to contactless payments, you’re not at risk.
I'm assuming you are thinking about an attack where a compromised terminal processes an attacker-issued transaction (relayed from elsewhere) instead of the genuine one.
It seems like a solution to this would be for the card to issue a challenge to the reader and only provide a very short timeframe to answer, so that relaying it elsewhere is impossible due to speed of light and all that.
At minimum, EMV would need to be verifiable. Ideally rotatable. Best case: chooseable.
- an on-card UI. Yubikey-style one-button-tap is not enough, you actually need to verify the transaction details.
- integration with backend systems to support rotation and recovery because otherwise folks will screw this up and lock themselves out
There's a reason webauthn passkey has obfuscated PKI to oblivion, because they simply can't figure out how to entrust end users with keys.
To be clear, I'm a PKI fan and want all of these things to exist, but we're very far from it. In the interim, a bank-managed PKI is a welcome improvement.
Like, I understand what you are talking about, most of the readers here understand what you are talking about, but I also understand that almost everyone else doesn't.
What you are describing is Bitcoin.
Actually, I spoke too soon... the signature-strip has been worn away too and now that I really look at it, I can make out the word "Void" underneath.
Seems like a good idea to wrap the card in something opaque.
I know the old mag stripe emulation was vulnerable, but EMV contactless shouldn’t hand out the card number and uses cryptographic signatures. You’d have to capture and play back a transaction (not randomly scan a card) and there are time stamps and transaction counters that would be wrong and the terminal ID wouldn’t match.
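The replay checks the comment above lists (a signature over the transaction, a transaction counter, a terminal binding), sketched from the issuer's side as an added example that is not part of the thread. It is a simplified model, not the EMV cryptogram algorithm: HMAC-SHA256 stands in for the card's cryptogram, a terminal-chosen nonce stands in for the per-transaction freshness data, and the key, field names and `Issuer` class are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key (assumption): shared by the card's chip and the issuer.
CARD_KEY = b"constructed-demo-card-key"


@dataclass(frozen=True)
class Authorization:
    atc: int            # transaction counter, incremented by the card each time
    terminal_id: str    # terminal the card believed it was talking to
    nonce: bytes        # unpredictable value chosen by that terminal
    amount_cents: int
    cryptogram: bytes   # MAC over all of the above


def _mac(key, atc, terminal_id, nonce, amount_cents):
    msg = b"|".join([str(atc).encode(), terminal_id.encode(),
                     nonce.hex().encode(), str(amount_cents).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


def card_sign(key, atc, terminal_id, nonce, amount_cents):
    """What the card does: bind the cryptogram to this terminal and nonce."""
    return Authorization(atc, terminal_id, nonce, amount_cents,
                         _mac(key, atc, terminal_id, nonce, amount_cents))


class Issuer:
    def __init__(self, key):
        self.key = key
        self.last_atc = 0  # highest counter value accepted so far

    def authorize(self, auth, seen_terminal_id, issued_nonce):
        # Recompute the MAC from what the acquiring terminal reports about
        # itself, not from what the submitted message claims.
        expected = _mac(self.key, auth.atc, seen_terminal_id,
                        issued_nonce, auth.amount_cents)
        if not hmac.compare_digest(expected, auth.cryptogram):
            return "declined: cryptogram mismatch"
        if auth.atc <= self.last_atc:
            return "declined: stale transaction counter"
        self.last_atc = auth.atc
        return "approved"


def demo():
    issuer = Issuer(CARD_KEY)
    nonce_a = b"\x01\x02\x03\x04"  # constructed sample values
    genuine = card_sign(CARD_KEY, 41, "TERM-A", nonce_a, 1999)
    return [
        issuer.authorize(genuine, "TERM-A", nonce_a),              # first use
        issuer.authorize(genuine, "TERM-A", nonce_a),              # verbatim replay
        issuer.authorize(genuine, "TERM-B", b"\x09\x09\x09\x09"),  # other terminal
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```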
They replace the objects every 6 months. And there are multiples. So, yeah, I guess it's doable.
> I need a solution that lets me, the card holder, check these.
You could just print one and carry it with you.
> some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they?
At that point, there's no real security. If that's your threat model, you can just substitute the entire reader for a counterfeit one.
> Target's got so many telescreen cameras in the store, they could likely get the pin numbers straight from that
If you are as paranoid as you sound, you should be covering your hand putting the PIN in with your other hand.
You seem to not understand the threat models. A skimmer is a 3 second attack that requires no accomplice and can be done with sleight of hand while people are watching. Making that scale to a multi-person operation with more physical construction, the need to swap out (and hide) a bunch of red plastic going in and out is a win. In much the same way that locking your jewelry in a small safe isn't going to stop determined thieves, but will make casual thieves abandon it.
I'm just repeating what I've read elsewhere, seen elsewhere.
The gas pump skimmers are completely internal. None of that bullshit where their plastic fits over the top of the other snugly. They wire just 4 or 5 leads to the pcb... vcc and gnd, obviously... so the rest of it must be I2C or some other serial/2wire protocol I guess.
Someone was saying "well at least they can't get the cvc", but that got me to wondering with cameras so small and cheap, could you hide one where it could see that on the underside? At least on my cards, it's on the same end as the chip itself, so maybe?
How many cards can they skim, before it's detected, and what's the average value of skimming one card? If you multiply those two together, and the answer is in the tens of thousands or hundreds of thousands (or god help us, millions), then it's very much worth it to be a multi-person operation. Especially since such an operation will have more than one card-skimmer going... how many can a small team manage reliably? I guess it's really `a x b x c =` here.
Does Target have free in-store wifi? If so and they pre-configure, they never have to show up on-site again. Fuck, can they get someone hired on for 3 days to do all this, and switch out the skimmer detection tools? Then they just no-show, no-call, and move on to the next.
> If you are as paranoid as you sound, you should be covering your hand putting the PIN in with your other hand.
Have been for the last 20 years. Some woman in a gas station in Virginia once got pissy at me for doing it "it's just you and me in here!"... "Lady, you have a surveillance camera pointed right at me, I can see myself on the monitor behind you".
No. Most modern card terminals are tamper-resistant and will erase key material if opened.
(Besides, it's not like you're going to be able to casually crack open a payment terminal, pull out a soldering iron, and modify it while you're standing in the store checkout line.)
Gas pumps are a little quirkier because they use integration modules, I would imagine they got better with newer ones but earlier ones, even with chips, would basically just be an exposed pcb on the inside
Frankly, as a _credit_ cardholder with zero liability, I’m not overly-concerned by skimmers. I won’t lose anything. The card tax is already baked into all prices, so there’s no real benefit for me to solve this problem.
No you don't. All you need to do is use a payment method that is actually secure. Demand it. When they tell you tap doesn't work, ask why. Hand your card to the cashier and make them scan it on the register's reader.
https://www.forbes.com/advisor/business/how-accept-apple-pay...
I imagine it is possible to do something wrong at the processor to make this not work, due to the device card number shenanigans you mention. But, are there really still processors who still do it wrong? The device card number is associated at the issuing bank, not at the processor (unless I am missing something).
https://security.stackexchange.com/questions/161493/what-inf...
Contactless has two forms. The old one is mag-stripe emulation. It would literally just respond with the information from the mag-stripes. It was exactly as secure as mag-stripe. Probably worse because you didn’t need to physically move the card over a read head.
That’s no longer supported in many (most?) modern cards. I know ApplePay refuses to do it. I think card brands have said to stop using it but I’m not positive.
The other mode (absolutely dominant in contactless) works through encrypted EMV tags the same as you get when using a physical slot. The order of things is a little different but it’s just as secure.
I was in a major home improvement store a few weeks ago, and it was swipe-only. Either Home Depot or Lowe's.
"All individuals should know to use /r/shoplifting and are therefore impervious to Target's case-building trap."
To be clear, I think the actual problem with shoplifting is systemic suppressed wages coupled with inflation and arbitrary price hikes by corporations.
> Imagine that the misdemeanor — a fine and a few months in prison
What kind of place sends people to prison for "a few months" for a misdemeanor? Wait until you or your spouse/child/parent is involved in the criminal justice systems. Everything will change. You will stand face-to-face with the harshness.
The reason mag stripe and associated technologies stuck around is precisely because US banks were good enough at real-time fraud detection that the cost of fraud was << cost of replacing every card and strong-arming every merchant into buying new payment terminals. Eventually they relented since the US became the place to cash out non-US cards.
And identity theft is absolutely a thing in Europe. As a random example, here is Sweden: https://globalinitiative.net/analysis/21752-2/
US consumer laws don't hold a candle to European ones - it's not even close.
Have you ever gone through this process yourself, or are you stating the idealized version of what should happen? I'd like to hear the bank you were dealing with, because mine tried to give me the run around ("It's not fraudulent because your PIN was used"), and I had to fight them over many calls to get a "temporary refund" by threatening to involve a state ombudsman. Later on, I got a letter in the mail that said the investigation was complete, and the refund was now permanent, only to have the refund yanked again months later.
Caping for American banks in this day and age is weird. They are mostly terrible and will rather have their clients take the financial hit before they do - even if they have to lie or frustrate you with long holds & multiple calls unless you show them you mean business.
The idea is that if someone steals your debit card and buys a bunch of stuff, they've stolen your money, but if someone steals your credit card and buys a bunch of stuff, they've stolen the bank's money, and the bank is on the hook for it - not you.
IIRC with debit card fraud you've got like 60 days and the bank can put some of the burden of proof on you, but for a credit card you can literally just say "I didn't buy that" 5 months later and the bank basically has to give you your money back. If you abuse this, the worst thing that can happen is the bank closes your card and cancels their relationship with you, but you won't be on the hook for the spending itself. Because of this additional liability, U.S. banks got really good at early detection of fraud and irregular spending, and Americans don't really give a huge shit about keeping their credit cards safe because there aren't really any major consequences.
I am sorry you had such a terrible experience, but mine has been completely different.
US banking regs are actually more consumer friendly than Europe, and I have sources. Security Engineering 2nd ed, chap 10 section 10.4.3: https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c10.pdf
I recently went through the opposite of this. A purchase at denon.com was declined, got a "please verify" email from my issuer which I approved and re-did the purchase. My issuer authorized the payment the second time, but then it got held up by NoFraud who sent me their own "please verify" email which I did. I had used an iCloud Hide My Email address for the purchase so a day later I get another email from NoFraud:
> Thank you for confirming your recent order. We are the fraud solution for the merchants website. We flagged the order for additional review before we notify the merchant to process it. To complete the verification for approval, we require an alternate email address for the cardholder. Please respond with an alternate email address.
At that point I tracked down NoFraud's phone # and called them to finally get the transaction approved.
I got hit by a merchant using "NoFraud" as well. After making an order from the merchant's site, using Apple Pay on the web (which is, allegedly, rather hard to fake), I received an email saying my order was canceled as it "appears that a merchant-specific email address was used" and to "please resubmit the order using your personal contact details".
They were right, because I always use [merchantname]@subdomain.mydomain.com. Whatever it was couldn't have been that important because I didn't bother redoing it if they're going to be that picky.
(I can't find the purchase confirmation and subsequent email in my email, probably because I deleted it out of annoyance, so I'm not naming who I think I remember it being just in case I'm wrong)
Which was my point exactly: European debit card users are more protected than American debit card users when their money is on the line
[1] "NoFraud’s multi-layered solution analyzes thousands of data points fusing machine learning."
Kroger finally gave up on Kroger Pay if only because they realized customers were still entering their alternate ID/phone number during checkout so they could still link your data together.
The funny part is Walmart in Canada fully allows contactless… almost as if they don’t care they aren’t getting that customer data up there.
No it's because our banking system is dramatically different in Canada and the expectations of the average shopper and the POS options available to them here are all working to force that issue.
Canada had chip and pin and contactless LONG LONG before the US did - and it's easier for us to make these pivots and changes due to fewer banks and pre-defined co-operation agreements.
None of them wanted Apple Pay/Google Pay/Samsung Pay to succeed. They wanted their own thing to get out from having to pay credit card fees.
Weren’t they all members of that ridiculous CurrentC project that completely flopped?
The EBT, gift card, and lazy small banks would get their act together pretty damn quick, I'd wager.
Come back when your state government decides to pay to re-issue every card with better technology.”
That’s cruel. The move to EMV was only recently mandated for EBT (if I remember correctly and it was done at all) because so many people were having their benefits stolen by mag stripe skimmers.
You can’t use a stick against powerless people to effect change. It just makes them suffer.
Even if Target did mandate contactless, the stock would plummet on news of all the lost sales and the CEO would be out. The new one would reverse it immediately.