Nordstrom Finds Cash Register Skimmers (krebsonsecurity.com)
This lady simply swapped bar codes on expensive items for bar codes of inexpensive items. Got away with it for over a year and made as much as $30,000 per month in some months:
http://miami.cbslocal.com/latest-videos/?autoStart=true&topV...
http://www.paloaltoonline.com/news/2012/05/21/sap-palo-alto-...
I started doing this after I watched a whole tray of pink lady apples go in a skip because they brought new produce out.
The same is true of a lot of retail establishments. Old stock is destroyed to keep prices up.
On learning of such a trait in someone I ask 'what if you get caught?', but actually it is not them getting caught that matters. Think of the people that work in that shop and the position they get put in having to deal with petty cheats. Also, would you really want to be banned from the store you get your groceries from? That would be a big inconvenience.
I did see a talk where the folks noted (but did not remove) such devices and then began tracking every account that went through the modified device. This was to figure out who the bad guys were. By watching the fraudulent transactions that happened later they were able to roll up a carding group in the Baltics. But it does take a more proactive approach.
From a future products perspective, the use of cards with embedded processors seems better and better.
Btw, if anyone wants to buy one, you can here: http://www.keelog.com/wifi_hardware_keylogger.html
A skimmer and a keylogger are two very distinct things. When I read the title I was interested to find out how the skimmers were placed; placing a keylogger takes much less skill and craft, it's a piece you can buy in bulk, whereas placing a skimmer usually requires a different class of criminal: skimmers often have to be fabricated for each location.
[1] http://support.quickbooks.intuit.com/opencms/sites/default/I...
[2] http://www.ebay.com/itm/CHERRY-MY8000-BEIGE-PS-2-KEYBOARD-CR...
Card got skimmed a few years ago somehow. Amex called, asked if I was in Nicaragua (I wasn't), they apologized, removed the $200 or so in charges and next-day aired me a new card. Almost zero hassle.
I'd hate to have my debit card skimmed but as far as a credit card... I'm not too worried. The risk isn't mine.
It's much better for the banks to carry the can here, so they implement more secure devices.
The rollout date is supposed to be Oct 2013.
As an end user, you are not able to protect from this type of fraud. That's why the liability doesn't reside with you.
Now that this is happening in other types of retail stores, maybe it will spur the use of more secure options (chip and pin?).
The entire US still is, and that represents more transactions per day than happen in all of Europe.
These fools are getting caught doing elaborate plants. That's not how real criminals key log (btw, this is not a skimmer, but is a 'keylogger' as joenathan points out). Real criminals sit in the comfort of their car or nearby coffee shop and scan for open connections and insecure use of credentials.
http://www.cherrycorp.com/english/keyboards/pos/8000/
This explains the 'attack vector'. Presumably the scammers have USB dongles too.
You save some $$ in hardware but take on risk.
The U.S. method, where the low-security retailer is liable, is the most fair. The current charge back system works. Retailers that use inventory control, secure systems, and require ID with large purchases receive few legitimate charge backs. [4]
[1] http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf
[2] http://www.telegraph.co.uk/news/uknews/law-and-order/3173346...
[3] http://www.techrepublic.com/blog/it-security/chip-and-pin-th...
[4] http://www.internetretailer.com/2012/10/31/how-karmaloop-cle...
Very interesting subject.
The real security would come with a second factor that the user controls, either by approving on your phone or by using one-time numbers for each transaction. The reason why these do not exist yet is because they would impede transaction flow, and the basic math with these companies is: if fraud rate > rate of loss of transaction volume from the security feature, then use the security feature. Otherwise, don't.
"you also type the pin into the same machine... so adding a skimmer..."
There's no copying of SIM Cards.
Yes, you can still copy the magnetic stripe that's there for backwards compatibility. So, yes, it's not going to be safer while there's support for old technology.
My (European) bank issued me a chip-and-pin card without the mag stripe, good for travels, where I won't risk getting my card skimmed again.
It is the second factor in a two-factor authentication scheme.
I seem to recall reading a while back that the overall credit card fraud rate is at the level of single-digit basis points. Is that really true? (I can't seem to find a good link.)
As another poster pointed out, chip and pin is not foolproof and may present a nasty liability shift to consumers when it comes to fraud.
There are also more practical issues with chip cards. First, merchants will be required to buy new chip-capable card readers. They will not be happy about it, but they'll be forced into it by their merchant agreements. Second, chip transactions take noticeably longer to process. From my casual observation a swipe takes 1-3 seconds, but chip readers took at least twice as long. Sounds silly, but it can really add up if there is a long line.
[0] http://www.transactionworld.net/articles/2011/november/innov...
Unfortunately, at least in Canada, it seems like merchants were only obligated to buy the chip terminal so a lot of smaller businesses didn't bother with the wireless payments and force you to type in your pin for a $7 pita.
For real security, you'd need to do something like have the reader internally encrypt the data with the card processor's public key and only send an encrypted blob out of the device. If you're doing that, then anything's secure against this kind of attack. But the readers would have to cost like 10x more, and it probably isn't enough of a problem to bother replacing them all.
It's ridiculous how such an important infrastructure is so vulnerable. Magnetic stripes are easily copiable and without any other "authentication method" it's a done deal.
When capitalism pushes profit margins, some losses are insignificant enough not to invest against; otherwise the investment will hurt the margins they are trying to protect.
Also if they gave a shit, they'd have staff on all checkouts and not use self-service checkouts. Staff are more expensive.
They know; they just don't care.
While I agree that the stores "deserve" the amount of the theft through fraud that comes with replacing human checkers with automated checkout systems, that doesn't make your behavior in explicitly committing that fraud any more ethical.
Scan something wrong by accident, that's the store's fault for setting up the system to allow such accidents. But to intentionally exploit their system, that's on you.
I personally make it a rule to never go through automated check-outs because I think the stores that use them are not holding up their end of the social contract. I've even abandoned a few carts when I got to the check-out and found they had no human checkers (I found out the hard way that some grocery stores around here go 100% automated after 10pm).
I read the article to mean that the bad guys were using key loggers to skim mag stripe images out of the keyboard data stream (from mag stripe readers attached via "wedges"). That's one level of threat.
Your link, however, calls to mind a higher level threat that happened in Rhode Island a while back. Bank customers were disavowing ATM withdrawals. Bank security noticed that the complaining customers had all used their debit cards at the same all-night Stop & Shop. A review of the store's security video showed a gang of four guys coming in during third shift and installing hacked PIN pads at the registers while keeping the thin staff distracted. They were busted when they returned to harvest their next haul of debit card details.
How they compromised the PIN pads I do not know. PIN pads are supposed to be sealed and tamper-proof. Your PIN is supposed to be encrypted before it leaves the keypad and decrypted only when it reaches the payment processor. The encryption key is supposed to be erased if someone tampers with the device. In order for the hack to work, they would need to be recording the mag stripe data along with cleartext PINs.
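The two defensive designs described in this thread, a reader that encrypts everything before it leaves the device and only emits an opaque blob (the "encrypt with the processor's key" idea above), and a PIN pad that encrypts the PIN at the keypad and erases its key on tamper, as an added example that is not part of the thread or of any vendor's product. Assumptions: a symmetric key shared with the processor stands in for the public-key scheme the earlier comment mentions, so that it runs on the Python standard library alone (HMAC-SHA256 in counter mode as the keystream, encrypt-then-MAC for integrity); the track data and PIN are constructed and not from a real card.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; 32 keystream bytes per counter value."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


class SecureReader:
    """Models a reader/PIN pad: key lives only in volatile memory and is zeroised on tamper."""

    def __init__(self, key: bytes):
        self._key = key

    def tamper(self) -> None:
        self._key = None  # what a sealed PIN pad is supposed to do when its case is opened

    def encrypt(self, track_and_pin: bytes) -> bytes:
        if self._key is None:
            raise RuntimeError("key erased: device was tampered with")
        nonce = secrets.token_bytes(16)
        stream = _keystream(self._key, nonce, len(track_and_pin))
        body = bytes(a ^ b for a, b in zip(track_and_pin, stream))
        tag = hmac.new(self._key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag  # the only bytes the register, and any wedge on it, ever see


def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Runs at the payment processor: verify the tag first, then strip the keystream."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob altered in transit")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def demo():
    # Constructed sample in track-2 style plus a PIN; placeholder digits, not a real card.
    plaintext = b";0000000000000000=2512?|PIN=0000"
    key = secrets.token_bytes(32)  # would be injected into the device at manufacture
    reader = SecureReader(key)
    blob = reader.encrypt(plaintext)
    logged_by_wedge = blob.hex()  # all an in-line keylogger could record
    recovered = processor_decrypt(key, blob)
    return plaintext, blob, logged_by_wedge, recovered
```

Run demo() to see that the captured hex contains neither the card digits nor the PIN, while the processor still recovers both.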
I see it happened to Barnes & Noble more recently and on a larger scale:
http://www.esecurityplanet.com/hackers/hackers-compromise-ba...
https://www.google.com/search?q=card+skimmer&safe=off&source...
One thing to remember is that keyloggers have been around much longer than card skimmers; "keylogger" is a well-known and well-defined term.
http://en.wikipedia.org/wiki/Hardware_keylogger
https://www.google.com/search?q=hardware+keylogger&safe=off&...
It's all very interesting to watch as criminals become more sophisticated.
They also want to film the underside of the card to read the three digit code.
"VisaNet authorizes, clears and settles an average of 150 million transactions per day in 200 countries and territories."
Either way, the best way to prove an assertion based on numbers is to source it.
I would be careful with such a statement :-) Security usually matters on the type of card, but the top range is pretty expensive. There are a number of ways how to 'debug' a chip using power consumption, x-rays etc...
It is easy to copy a GSM SIM card. Also operators usually give a replacement SIM (if the original gets lost) to anyone with photo ID. There were a number of frauds in Europe.
The circuit on the chip is known, that's not important. The important thing is the information in ROM. Difficult, but certainly not readable through x-ray.
"It is easy to copy GSM SIM card. Also operators usually give replacement SIM"
Of course they can give you a replacement SIM, they can reconfigure their systems to point the customer to the new SIM. That's not copying.
Actual copying would be more difficult.
To be clear: there are many businessmen who are greedy selfish exploiters. However, the purpose of capitalism is to take these natural human tendencies and make them into a force for good.
You could say the same thing about democracy. It's a game whereby people can seek power and influence without having to kill each other or their subjects. If you doubt that democracy is an effective solution, just read up about all the Wars of Succession that Europe has witnessed when those countries were monarchies. Elections are practically love-fests in comparison.
I live in a poverty stricken area. The supermarkets shove the following distribution of fruit out (I know this because my wife works in one as well):
- 20 bags of 5x apples for £1.89 each. 20% go in the bin.
- 100 pink lady apple at £0.75 each. 80% go in the bin.
- 20 cheap apples (one tray) at around £0.12 each. 0% go in the bin.
Now, why should I take the last single cheap apple, which instantly prices out the poorer people, which is clearly the intention of the supermarket, which is to upsell to the pink ladies or bags of apples?
Fuck 'em to hell. There is no honour or integrity in capitalism. Trample over everyone to make profit.
I'm not selfish.
I'm not lacking integrity.
I'm not lacking honour.
Perhaps lacking in faith and respect for rules but that is my only crime.
If you don't spill it you pay for it.
Do you go back to the register and say you spilled it?