Fear the reaper: characterization and fast detection of card skimmers (acolyer.org)
150 points by godelmachine on Sept 3, 2018 | 171 comments


Poland solved this problem pretty neatly. I don't even remember using my credit card with an ATM.

You open your mobile bank app, click the BLIK icon and a 6-digit code is generated. You enter the code in the ATM and choose the amount to withdraw. You accept the amount on your mobile phone and the money comes out.

This is how it looks: https://www.mbank.pl/indywidualny/uslugi/uslugi/blik/


That's very clever but honestly, just removing the magnetic strip seems like a really obvious first step. I know for a fact they flag magnetic strip usage on ATMs for credit cards anyway. (Then again, could be some sort of honeypot.)


"The measurement card has a carefully etched set of traces in the magnetic stripe, (aligning with each of the three data tracks). When a read head contacts the card it bridges a pair of electrical traces and completes a circuit back to the microcontroller."

This seems to me to be a detective control which relies a bit too heavily on obscurity, obscurity which is now blown. Having knowledge of how this works, ATM skimming gangs whose devices might be found by local authorities with this device can now take the active counter-measure of placing a piece of Kapton tape over the read-head.


Or maybe they can monitor the wires on the legitimate read head instead. This was possible on a formerly common fuel dispenser in the USA.


This is very cool. Basically a 'fake' card that can detect when it passes by more than one 'read' head in the machine.

It should be possible to build this into a credit card sized device that you could just swipe with and have it illuminate a red or green LED when it detects a skimmer.
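The detection idea in the two comments above (a card that notices when it passes more than one read head) can be sketched as signal processing on the microcontroller's contact input. The code below is an added example, not code from the paper or from any product: it models the quoted mechanism, where etched traces on the stripe are bridged whenever a head touches the card, as a 0/1 signal sampled over one swipe, debounces it, and counts distinct contact events. One event per track is what a legitimate reader produces; a second event means a second head in the card path. The sampling rate, head spacing and the swipe signals are all constructed assumptions.

```python
"""Simulated read-head counter for a 'measurement card' skimmer detector.

Added example; not the paper's firmware. A contact sample of 1 means a
read head is bridging the etched traces at that instant. Sampling rate,
debounce thresholds and head geometry below are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

SAMPLE_RATE_HZ = 1000          # assumed: one sample per millisecond
MIN_CONTACT_SAMPLES = 3        # shorter contacts are treated as noise
MIN_GAP_SAMPLES = 50           # assumed: two heads are never closer than 50 ms
                               # of travel at a slow swipe, so shorter gaps are
                               # the same head making intermittent contact


@dataclass
class Contact:
    start: int   # first sample with contact
    end: int     # first sample after contact ended

    def duration(self) -> int:
        return self.end - self.start


def contact_events(samples: List[int]) -> List[Contact]:
    """Turn a 0/1 contact signal into debounced, merged contact intervals."""
    raw: List[Contact] = []
    in_contact, start = False, 0
    for i, s in enumerate(samples):
        if s and not in_contact:
            in_contact, start = True, i
        elif not s and in_contact:
            in_contact = False
            if i - start >= MIN_CONTACT_SAMPLES:
                raw.append(Contact(start, i))
    if in_contact and len(samples) - start >= MIN_CONTACT_SAMPLES:
        raw.append(Contact(start, len(samples)))

    # Merge intervals separated by less than MIN_GAP_SAMPLES: a bouncing
    # head looks like several short contacts but is still one head.
    merged: List[Contact] = []
    for c in raw:
        if merged and c.start - merged[-1].end < MIN_GAP_SAMPLES:
            merged[-1] = Contact(merged[-1].start, c.end)
        else:
            merged.append(c)
    return merged


def count_heads(samples: List[int]) -> int:
    """Number of distinct read heads the card passed during the swipe."""
    return len(contact_events(samples))


def skimmer_suspected(samples: List[int], expected_heads: int = 1) -> bool:
    """A legitimate reader has one head per track; more means an extra head."""
    return count_heads(samples) > expected_heads


def make_swipe(head_positions_ms: Iterable[int], contact_ms: int = 20,
               total_ms: int = 400, glitches: Iterable[int] = ()) -> List[int]:
    """Constructed swipe signal: each head touches for contact_ms samples;
    glitches are single-sample spikes standing in for electrical noise."""
    samples = [0] * (total_ms * SAMPLE_RATE_HZ // 1000)
    for pos in head_positions_ms:
        for t in range(pos, pos + contact_ms):
            samples[t] = 1
    for g in glitches:
        samples[g] = 1
    return samples


if __name__ == "__main__":
    clean = make_swipe([100])            # one head: legitimate reader
    skimmed = make_swipe([100, 250])     # two heads: extra head in the path
    print("clean  :", count_heads(clean), "head(s), suspected =", skimmer_suspected(clean))
    print("skimmed:", count_heads(skimmed), "head(s), suspected =", skimmer_suspected(skimmed))
```

The merge step matters more than the count: a head that bounces produces several short contacts, and without merging a clean reader would be flagged. The limitation raised further up the thread also falls out of the model: a head that never bridges the traces produces no event, so this detector only sees heads that make electrical contact.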


Well, you have a point there. But don't you think the "credit card sized device" will again be used for fraudulent purposes? Maybe to trace EM emissions or something else?


Perhaps, but the gist of the article is that you basically won't be able to detect a skimmer most of the time. But their technique does detect skimmers (all the time when they tested it). What I was wondering was if you could carry something in your wallet to easily check for skimmers. A CC-sized thin PCB with a thin package on it would be ideal, and then a paper overlay to create uniform thickness.


>> A paper overlay to create uniform thickness

Might I ask what purpose would it serve?


Some places have automated rollers that move the card in and out of the machine. I would not want to lose my skimmer detector by having it get hung up inside the machine.


Thanks for explaining your thoughts :)


We should really add 2FA to cards. E.g. if I withdraw a large sum or make an unusual transaction prompt for a 2FA code.

For small transactions it makes no sense, but for anything above a user defined limit we should have this option. e.g. I only withdraw more than £50 in unusual circumstances.


In the EU all banks have to implement 3-D Secure - when making an online payment over a certain amount, or of an unusual type, the vendor's website redirects you to your bank's website where you have to authenticate the payment (usually provide an SMS code or answer some security questions).


In Finland you get a tiny card filled with single use pin codes. It's pretty secure. Unfortunately, if your card is skimmed, the scammers will just -- for example -- associate it with an Uber account and sell the account. Because non-EU companies don't use 3D-secure there's nothing stopping them. I have tried asking for non 3D-secure transactions to be blocked, (I believe when a vendor doesn't offer it I can always find an alternative) but no such luck. (Obviously you can get the money back, but I'd like to avoid the inconvenience and the fact the scammers get money for nothing.)


> In Finland you get a tiny card filled with single use pin codes. It's pretty secure.

Nordea Bank Finland ceased providing code cards earlier this year. Logging on to online banking even warns that the code card you already have may stop working soon. Everything has moved to the mobile app or, available as a special order for the elderly and luddites, an electronic keypad.


SMS, yuck. Something else we need to get past, and banks are so slow in embracing new security technologies.


>or answer some security questions

Will be phased out soon due to regulation (PSD2) as it doesn't meet the requirement for 2 factors.

Some banks also allow you to confirm the transaction inside their mobile app, which is pretty convenient.


My bank has a user-defined limit after which transactions must be authorized either by phone call or in the web or mobile app (or by visiting a bank office in person), all the ways are equal. The thing is that the lower bound for that feature is ≈$300.


I imagine ordinary 2FA probably wouldn't work... the timeout would have to be too long.

But I don't see why 2-factor pre-authentication shouldn't work? Before purchasing, just authorize a larger charge on your card than a limit you or your bank previously set. If it works, then great. Worst case is it doesn't work (app breaks, phone out of juice, whatever), in which case you're back to the current situation.


> I imagine ordinary 2FA probably wouldn't work.

I don't know what you mean by "ordinary" 2FA, but it's pretty common in Thailand when making online payments to have an SMS sent to you, and in the UK my Amex card has been known to require SMS/email codes for online purchases.


Cards are 2FA already. You’re advocating for a third factor.


No they're not - the card is the identity, the PIN is the first factor.


This is untrue of cards with chips.


Sort of - for chip readers that don't have a magnetic swipe on them, yes. However all cards have enough info in the magnetic strip to validate transactions, so if your card ever goes in card reader with a magnetic swipe reader that is compromised it's not a proper factor.


If the "something you have" part of 2FA can be replicated then it's not 2FA. So you need a "something you know" (password, PIN, etc.) and a "something you have" (a phone app authorization, a card that cannot be replicated, etc.).

This excludes anything with a magnetic strip from being any part of the 2FA scheme.


In my bank you can set a daily withdraw limit and if you need more, simply increase it online for a temporary time frame.


Are you liable for unauthorized withdrawals? Here in the US the bank is usually liable - so while it can be an administrative headache - from a customer perspective 2FA seems like a pain.


Do cards still use magnetic strips? I thought it was all done on the chip nowadays?


In the US they generally have both if issued in the last few years, but many places still accept magnetic strips. I don't use an ATM often anymore, maybe once or twice a year at most, but I've yet to see an ATM that only demands the chip instead of forcing you to insert the whole card, so chip-only debit and credit cards can't come soon enough.

Curious if there's an easy way to make my stripe unreadable with my most used credit card, especially for dining where your card can disappear for several minutes at a time.


I think some or all ATMs are still able to "keep" cards that fail authorisation repeatedly, e.g. because they're stolen or fake. Without ingesting the entire card an ATM can't do that.

Countries that have completed EMV roll out still issue cards with mag stripes. It's maybe worth briefly explaining why this might not matter at all:

The payment card networks have two _entirely separate_ mechanisms in play. To a Hacker News reader it may seem insane to not tie them together, but this is how they evolved and apparently banks would rather eat fraud and error costs than spend whatever it would cost to fix.

1. Authorisation. This mechanism is in charge of deciding whether all the parties are OK with a transaction, e.g. "Mike Smith pays Example Co. $145". Cryptographic security can be used to verify that this was really Mike Smith's authentic card, he entered his PIN, Example Co asked for exactly $145 and Mike's bank said that was OK.

2. Payment. This operates entirely on the honour system between banks and retailers. Example Co. says Mike Smith agreed to pay $145 and the backend systems automatically give $145 of Mike Smith's money to Example Co. Done.

Because these two systems aren't tied together at all, even though the authorisation system guarantees the exact amounts, is strongly replay resistant, and so on, none of those properties apply to actually paying your money to some retailer. So regardless of whether it's tricky to get past authorisation it doesn't matter to big fraudsters, they can just take whatever they want and ignore the Authorisation step altogether.

When you realise somebody took your money you will call your bank. They may try to give you the run around (after all, it's easier) but ultimately - perhaps after some notice period - they'll probably agree to reverse that clearly fraudulent charge and if you live in a country with actual consumer protection they may even have to pay back any fees or other financial penalties you incurred as a result of them accepting the fraudulent payment request.


>an ATM that only demands the chip instead of forcing you to insert the whole card

Inserting the whole card is also a security measure to be able to take the card away if an incorrect pin is entered 3 times, or if the card is left in the device after leaving the ATM.


That's just more work for the ATM owner, determining whether to confiscate a card, keeping track of which cards have been confiscated, disposing of confiscated cards... consequently it has been over a decade since I've seen an ATM capable of confiscating a card. Since I prefer cash for everyday transactions and move around a fair bit, I feel I have sampled a wide range of ATMs in midwest USA and some small portion of ATMs globally.


Revolut lets you disable the magnetic strip and other functions (e.g. contactless) of your physical card via the App.


As does Monzo, in fact the magnetic strip is disabled by default and you can only enable it for 24 hours at a time.


This just disables making payments via the strip. It's not actually disabling anything on the card. You can still get details by reading the mag strip.


Can I ask why, in the US, your card might disappear for several minutes when dining? In the UK they bring the card reader to you.


It's actually against the terms and conditions of Visa and MasterCard in EU to take the card away for any reason, if any establishment does this report them to Visa/MasterCard and they'll get their terminals revoked if they don't comply. It's inconceivable to me that in US bars keep your card to keep the tab open for example - it's insane that people agree to this.


It’s kind of amazing to me that despite the sheer insecurity of US consumer financial products like credit cards that the rate of credit card fraud isn’t even higher than it is. Maybe there’s an incentive somewhere we’re unaware of to allow such fraud to occur.


The rate of fraud is low enough that the cost to reduce it further would be more than the savings. That sucks for you if you're a fraud victim, but the card companies don't really care if they make more money by not trying to stop more fraud.


> in US bars keep your card to keep the tab open

What's the point of keeping a tab then? Why not pay the full amount each night? Also, there's nothing preventing you from giving them a card, then reporting it lost/stolen


I guess it is for tabs kept during a single stay, rather than across multiple stays. This would then be to defend against people who 'Dine and Dash'.


Except that the rest of the world has long ago figured out the solution to this that does not involve strangers keeping my card behind a bar - they come to your table with a terminal (or you come to them), you enter the card + pin and preauthorize payment. Done - you keep your card, they can charge you if you run away, your card numbers are not compromised. Easy.


That's just bar policy, you can tell them to give you the card back. There's no requirement they hold the card.


In the age of cheap, wireless chip+pin terminals, I think that the rite of taking the card to The Secret Room Where The Bills Are Printed is merely a show staged for status reasons: the patron gets to show off confidence (as in the original con trick) while the restaurant gets to show off how much patrons trust them. The first restaurants breaking that line would come off as not sufficiently trustworthy, taking a completely unwarranted reputation hit.

It must be a well known paradox, the more you expect people to trust you, the more they will be inclined to trust you.


Wouldn't a magnet destroy whatever's written on the card's strip?


I use an ATM about once per week (at a local pub that only accepts cash... ;-)), and it is strictly a chip reader. No swipe.


Magnetic strips are still very common in the United States.


Magnetic strips are found on virtually all credit cards, even on EMV cards.


Heck, virtually all cards still have embossed characters so you can take a carbon copy. That's just finally starting to go away in the past few years; magstripes will be here for a fair while longer.


I actually had to use one of those the other day! I needed to check a guest into a hotel while the city municipality was working on the power so we were on emergency lights and no connectivity.

Took a second, but that sound is just so satisfying.


The so-called 'Electron' cards (e.g. VISA Electron) don't have embossed characters - just ordinary printed characters. Banks often provide these as lower cost cards or cards for children. As the main difference from 'ordinary' cards is that you can't take a carbon copy I'm not sure why they're considered more 'child safe'. Maybe there's more than that, but as far as I can tell they work for everything else - my wife got one of those from the bank.


I'd like the card to disappear altogether. I do about half my daily transactions with NFC (Apple Pay) these days, and it's kind of irritating to have to reach into my pocket and fish out a card.

Now, if Apple would allow me to nickname the damn cards so I could tell which is which, that would be grand. sigh


That's only true in the US.

They got rid of those years ago in Europe.

We are only now starting to catch up to where they were in about 1998. I know, because I moved to Europe in 1998, and I remember how huge of a change it felt like to me. I moved back to the US in 2006, and with regards to credit cards it felt like going back in time at least a couple of decades.


Almost every card I've ever had in the UK and Sweden has had embossed characters. All eight cards I currently have (in the UK) are embossed, including those issued by app-based banks. None have ever had a carbon copy made of them.


I just don't understand why my card even has a magnetic stripe anymore. It's been years since I've seen any terminals that could actually accept it, it's all chip and pin over here. If I could get a card without the strip I'd gladly do so.


The United States is still predominantly magstripe. We’ve had chip-and-no-pin for a few years but many large retailers haven’t enabled it, possibly because transactions are so much slower (usually 30-60 seconds) and less reliable.


> possibly because transactions are so much slower (usually 30-60 seconds)

I don't know the details of the technological differences in transaction communication between the two, but in the UK chip and pin is noticeably and consistently faster to perform transactions in my experience, often to the the point that it's perceptibly instant... although it has been quite some years since i've used magnetic ones so that's from memory.

I suppose one way to protect yourself if you are never going to use your card in the US, is by destroying the magnetic strip (magnetically).


The slow reads are entirely a technical failure by some of the large vendors. Some systems are as fast as you describe and most of the ones which I see being that slow are much faster for NFC, so I’m pretty sure it’s just that they were rushed into production to meet the deadline imposed by the card vendors.


AFAIK, there are two big problems in the US:

* many places moved from offline magstripe authorisation to online chip-and-pin authorisation (while still often using card terminals that use dialup connections, and connect per transaction)

* many US banks have really slow authorisation servers (for whatever reasons!); I remember some sales staff being really surprised at my card going through in about a second (and that verification probably involved a network roundtrip to the UK!)


There's another problem -- many terminals in the US are just plain cheap-ass slow-as-hell rubbish.


Maybe it's just a difference in how relatively new the technology is to US retailers then, UK shops have had plenty of time to work out the kinks and learn what hardware to avoid.


The first generation of Chip&Pin in the UK were garbage too. Slow and often failed to read the chip, resulting in awkwardly cleaning the chip contacts.

Most of the machines were replaced inside of the first year and things have improved substantially since then.


Ahh yes I do remember a few instances of that now... I wonder what the introduction of the magnetic strip was like, looks like that technology arrived in 1969, anyone here experience that transition?


Likely, yes, although it’s somewhat surprising that a decade or so of European experience couldn’t help American companies avoid problems.


"UK chip and pin is noticeably and consistently faster to perform transactions" is not because chip&pin process is faster, but because the risk of counterfeit cards is lower and the system can be configured to not verify small transactions against the bank, saving a network roundtrip - the terminal just "talks" to the chip, and does the full verification with the bank later in offline mode, without requiring the customer to wait for the outcome. Doing the same with magstripe would be much more risky.


Hmm, are you talking about the £30 limit? Because other than having to manually enter a pin it doesn't seem significantly longer... no, I haven't timed it, and I'm not saying that you're wrong, just that it still seems to be below a perceptibly significant amount of time. Or perhaps I just don't do enough shopping to have a broad enough range of samples.


I get a Monzo notification on my phone whenever I make a payment. I often feel my phone buzz before the machine has even finished and allowed me to take my card back.

I don't think the perceived speed is simply due to offline mode.


When arriving from Europe to the US it feels like going back in time. To take an example, in Poland most card transactions are contactless and I don't think there are any terminals left that do not accept contactless payments. When Apple Pay was enabled, it was instantly available everywhere (and I do mean everywhere) and nobody even calls it "apple pay", it's just known as paying with your phone, which was possible with android phones for a long time already.

Also, I don't think there are any places left where you swipe the magnetic stripe. If for some reason you don't use contactless, it's a chip transaction. I believe it's pretty much the same all across Europe?


Credit cards with chips were introduced in France in 1992.


In my experience (I'm in the US) the chip cards were noticeably slower when they were first introduced, but in the last year or so that seems to have been mostly resolved. Gas pumps are the one big holdout that still does mag-stripe reads. I don't think I've seen a chip read gas pump anywhere yet.


I think gas stations are the only place I still see swipe, or small merchants who have old terminals. I don’t see it as predominantly magstripe.


Everywhere I go supports magstripe. An increasing percentage support chips but I still see terminals which don’t, or more commonly, where they have a sign telling you not to use it because it’s not enabled or broken. I assume there have been a lot of slacker IT departments caught out by these upgrades since it’s usually big chains which have problems.


Try swiping sometime. In my experience if you have a chip card and try to swipe it, the reader will reject the swipe and tell you to insert the card instead.


And then the chip card reader part of the terminal isn't connected to the bank network yet, and you're really screwed.

Just swipe it three or five or more times, and it might work anyway.

Welcome to the 21st Century.


You can enter your card number manually.


This varies hugely by retailer, though. I'm convinced there's a level of optimization that some just aren't incentivized to do.

When I'm at O'Reilly Auto Parts, the pinpad is beeping at me to remove my card almost the moment I've inserted it. It's shockingly fast. (Then their neolithic-age printer takes 8 more seconds to generate a receipt, but... baby steps!)

I wish whoever set up their system could go show some others how it's done. Because yes, on average, most retailers have abominably slow processing for chip cards.


Yes, in Portland Oregon we have a grocery store called New Seasons that implemented a chip reader system where as soon as you walk up to the checkout you can insert your card, it tells you to remove it immediately and then the clerk continues to ring up your groceries. This might just be the way it works in other parts of the world, but in the US this particular implementation was surprisingly smooth compared to the multi step dance that other retailers require. Don’t insert card until all purchases have been rung up, ok now insert card, do not remove card, move to new screen, but still do not remove card, ok, now remove card, now sign, etc.


I loved New Seasons when I visited Portland! Are they only in Oregon? It was like a more neighborhood friendly version of Whole Foods.


In the rest of the world, the customer isn’t standing around waiting for someone else to bag their groceries, so there isn’t a parallelisation possible - you stick your card in once you’ve finished bagging everything.


I live in the U.S. and I have exactly one store that I go to which doesn't support the chip. Small store running on a shoestring, so I'm not terribly shocked. Everywhere else I go it's chip only, if you swipe the machine will bark at you and tell you to insert the card into the chip reader instead.


It's all chip and pin where I live too, and has been for ages.

Often enough, the chip or the reader is dirty and fails to read, the terminal will prompt you to swipe the card through the mag-reader instead. Usually, it will prompt you to try the card reader again, then back to the mag-reader for a final swipe before continuing.


In the Netherlands, when we switched to a new chip system, most terminals blocked the mag-swipe with some cardboard sign instructing the user to use the chip instead.

I'm pretty sure the swipe-style is aggressively deprecated by the banks. I talked to a vendor who had an older terminal that would not accept NFC, and he mentioned that within 2 years, he'd have to get a terminal that would process NFC payments.


The deprecation works by shifting fraud risk to the merchant. I know for a fact this was done in the US and UK, and I would assume the rough playbook was used everywhere, it's named "liability shift".

The idea is, if there's fraud and the real account holder gets their money back (a chargeback in payment industry terms) somebody has to eat that loss. The liability shift rules say if you didn't do EMV, that's you. For a bank that decided they wouldn't issue EMV cards, they pay when there's fraud on their non-EMV cards - so the merchant still gets their money. But for a merchant if the customer has an EMV card but they swipe it, if that comes back as fraud they're not getting their money.

If the terminals suck, and your business has very low fraud rates or your markup is so enormous you can eat plenty of fraud and not care, it could make sense to ignore liability shift. Especially at first when customers know they could go elsewhere. But as terminals improve, and everybody else is forcing them to use the chip anyway, offering swipe is pretty much a sign "Commit fraud here, ask us how".

For NFC I don't know, it's hard to imagine them trying liability shift. "Use this less secure option or, we'll stick you with fraud costs for the uh, more secure option?" maybe they're just doing the usual thing where they raise fees for everybody who doesn't want to go along with their latest craze :/


in parts of Europe you can use Revolut, where you can choose whether to enable or disable contactless payments, chip and pin, ATM withdrawals and online payments, depending on what you want to use the card for. You can even keep all of them off and only activate a specific feature for a few minutes when needed.


I can do all of these with my normal bank, but there is no way to request a stripe-less debit/credit card.


Just remove the stripe or wipe it yourself.


Any tips on how to do so?


You can scratch it off, or use a very powerful magnet to erase the strip. When scratching be careful not to damage the NFC antenna which loops around in the card.


It doesn't need a 'very powerful magnet'. In fact I'm surprised how easy it is to make the magnetic strip unreadable. The way I (unintentionally) do it is simply to keep the cards together in the wallet. Their individual magnetic stripes destroy each other. All the cards are unreadable now, except for the newest card. And no, there aren't any other magnetic or electro-whatever device nearby.


Actually, the prudent thing is to actively damage the NFC antenna.

There is not much point in damaging the magnetic stripe but leaving wireless functionality... they are exactly the same thing only wireless works from a greater distance.


That's absolutely not true. Magnetic stripe is just a dumb carrier of information - you can buy a $5 reader off eBay and read every card in the world, it's not protected in any way. Modern NFC cards do not surrender their information to some random reader - they need to receive a valid cryptographic key first to reply with the data - and such a key can only be produced by an authorized terminal. A normal NFC reader will not read any data off a contactless card, it's just not possible (yes I am aware that there have been attacks demonstrated, but they were all timing based, with extremely limited use in the real world).


Depends on the card. All NFC cards in Sweden are just as dumb as a magnetic stripe cards. I actually believe all cards in Europe are but I could be wrong.

It's there, in plain text, any normal NFC reader will get you everything (there are even Android apps that do it in the Play Store).


I guess I'm getting downvoted because people just can't fathom how insecure it actually is.

https://www.nytimes.com/2016/10/31/technology/how-to-protect...

In Britain, where people have arguably embraced contactless cards to a greater extent than individuals in other countries, researchers have routinely been able to copy the financial details of some cards, including the 16-digit card number and expiration date, by merely passing their own N.F.C. reader close to a person’s wallet.

There have been numerous other demonstrations of this as well.

Another demonstration (site is in Swedish https://www.svt.se/nyheter/lokalt/uppsala/sa-kan-tjuven-skim... ).


> researchers have routinely been able to copy the financial details of some cards

I think this is the key. The implementation of each card may differ leading to inconsistent results.

As a general rule I suggest covering up the CVV or scratching it off if you're sure you have it somewhere safe. An option is to also erase the magnetic strip. It might lead to a less useful card (in cases where only magstrip would work) but definitely a more secure one. And for any NFC card an RFID shield sleeve does wonders.


Yes, this gets you the data that's printed on the front of the card.

You could also get this data by... seeing the card ?


Yes? And that is a common technique to do it. Hide a small camera behind the counter, make sure to quickly hold a customer's card in view of it and you are done.

NFC though has the advantage of being readable from a distance, easily through a pocket and wallet (if the wallet doesn't have an RFID shield). Surely opening up that attack vector isn't helping?

If you are paying attention you can detect someone trying to photograph your card (they shouldn't even be handling it in the first place). But through your pocket? Practically impossible to detect.

edit: The fact that we still print everything needed to make a purchase on the card itself isn't particularly flattering for our species.


>And that is a common technique to do it. Hide a small camera behind the counter, make sure to quickly hold a customer's card in view of it and you are done.

Nobody actually does this. Name+card#+cvv+expiry just isn’t worth the hassle, easier to get 1000s at a time via phishing or hacking web shops.

Stripe dumps are an entirely different market, with ATM pins increasing the value of a single dump up to 100x.


Yet people still get caught doing it? I'd say it is very much worth the hassle, hadn't it been for the high risk of getting caught.

I bet there is zero overlap between those that do it and those that have the slightest clue how to perform a phishing or web shop attack.


Oh, I can totally see why someone with zero understanding of how credit card fraud works would attempt and get caught doing this.

They simply wouldn't achieve anything. They wouldn't get enough cards to be able to sell them, nor would they be able to cash out this information.

I'm sure there is zero overlap between people doing this and people actually profiting from (or causing losses with) credit card fraud.

If they actually knew what to do with such information, they'd just be buying it for a couple of dollars a piece.


Those apps don't get you an authorization token, which is needed for a transaction.


What authorization token?

If you mean the CVV it isn't required to make a transaction.


>If you mean the CVV it isn't required to make a transaction.

that's incorrect. there's a cvv1 on the magstripe that's needed for magstripe transactions, and there's cvv2 that's on the back of the card that's mostly required (depends on merchant policy) for card not present transactions. for EMV transactions, you need a payment terminal because the card will refuse to communicate unless the other side has a valid certificate. even then, the card only returns a signed response, which you can't use elsewhere.
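The contrast drawn in this comment (static CVV1 on the stripe versus an EMV response that is signed and cannot be used elsewhere), and the earlier comment's point that the authorisation step is "strongly replay resistant", can be shown with a small two-sided exchange. The code below is an added example, not code from the paper or from any payment network: it stands in HMAC-SHA256 under a per-card key for the card's real issuer-keyed cryptogram (the ARQC), a 4-byte terminal nonce for the terminal's unpredictable number, and a seen-nonce set at the issuer for the card's transaction counter; these are all assumptions. The test PAN and key are constructed. The point it demonstrates is that copied stripe bytes authorise as often as they are presented, while a captured EMV response fails when replayed, when its amount is altered, or when it is submitted against another terminal's challenge.

```python
"""Static stripe data vs. a challenge-bound cryptogram (added example).

Not the paper's or any network's code. HMAC-SHA256 stands in for the
card's issuer-keyed cryptogram and a nonce set stands in for the card's
transaction counter; both are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# ---- magstripe model: the reader forwards whatever bytes it read -------
def stripe_authorise(issuer_copy: bytes, presented: bytes) -> bool:
    """The issuer can only compare bytes; a perfect copy is indistinguishable."""
    return hmac.compare_digest(issuer_copy, presented)


# ---- EMV-style model: challenge from terminal, cryptogram from card ------
class Terminal:
    def start_transaction(self, amount_cents: int) -> Dict[str, object]:
        # Unpredictable number: fresh per transaction, chosen by the terminal.
        return {"amount": amount_cents, "nonce": os.urandom(4).hex()}


class Card:
    def __init__(self, pan: str, key: bytes) -> None:
        self.pan, self.key = pan, key

    def generate_cryptogram(self, tx: Dict[str, object]) -> Dict[str, object]:
        # The cryptogram binds this card, this amount and this challenge.
        msg = f"{self.pan}|{tx['amount']}|{tx['nonce']}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": tx["amount"],
                "nonce": tx["nonce"], "arqc": tag}


class Issuer:
    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.seen: Set[Tuple[str, str]] = set()   # (pan, nonce) already used

    def authorise(self, resp: Dict[str, object]) -> bool:
        key: Optional[bytes] = self.keys.get(str(resp["pan"]))
        if key is None:
            return False
        msg = f"{resp['pan']}|{resp['amount']}|{resp['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(resp["arqc"])):
            return False                     # wrong key, amount or nonce
        marker = (str(resp["pan"]), str(resp["nonce"]))
        if marker in self.seen:
            return False                     # straight replay
        self.seen.add(marker)
        return True


def demo() -> Dict[str, bool]:
    """Run both models on constructed data and return each outcome."""
    # Constructed stripe bytes and a constructed test PAN/key; not real data.
    stripe = b"4111111111111111=2512101"
    key = bytes(range(16))
    card = Card("4111111111111111", key)
    issuer = Issuer({card.pan: key})
    terminal_a, terminal_b = Terminal(), Terminal()

    tx = terminal_a.start_transaction(1999)
    resp = card.generate_cryptogram(tx)
    first = issuer.authorise(resp)
    replayed = issuer.authorise(resp)
    tampered = issuer.authorise(dict(resp, amount=999_999))
    # Captured response presented against a different terminal's challenge.
    other_tx = terminal_b.start_transaction(1999)
    moved = issuer.authorise(dict(resp, nonce=other_tx["nonce"]))

    return {
        "stripe_copy_accepted": stripe_authorise(stripe, bytes(stripe)),
        "emv_first_use": first,
        "emv_replay": replayed,
        "emv_tampered_amount": tampered,
        "emv_other_terminal": moved,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} -> {'authorised' if ok else 'declined'}")
```

The stripe model has no notion of a challenge, which is why CVV1 is exactly as reusable as the PAN it sits next to. In the EMV model the issuer never sees a secret from the card, only a tag that is worthless outside the one challenge it answers.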


> that's incorrect.

No? You just said so yourself? "depends on merchant policy" Why would an attacker choose a merchant whose policy denies their use case?

Why would an attacker opt for a magstripe transaction or a contactless transaction?


>No? You just said so yourself? "depends on merchant policy" Why would an attacker choose a merchant whose policy denies their use case?

it's not as easy as you think. nearly all merchants require some sort of additional information (cvv, billing address, cardholder name) in addition to card number + expiration date. reason being, for card not present transactions (eg. online), the merchant is liable for fraud (the purchase amount + ~$25 chargeback fee), so they have a strong financial incentive to collect/verify as many pieces of information to reduce their losses. it would be insane to not collect any of those (only requiring card number + expiry date), because the chargebacks will bankrupt you. the reason i said "depends on merchant policy" is because some merchants (iirc amazon) don't collect cvv2 (but they do collect billing address + cardholder name), which I presume is for convenience/conversion rate reasons. I don't actually know of any merchants that only collects card number + expiry date.


Sure, forgot that name wasn't provided.

But name is the only additional information you need to make a legitimate purchase, and that information isn't a secret (if you, under any circumstance, ask for someone's CVV they will tell you to fuck off. Asking for their name is another thing (maybe even present on a name tag or in many cases trivial in a certain context)). It will make it slightly harder to just randomly scan people's pockets on the subway but still an absolute security nightmare.

Just disable NFC altogether, no reason not to.


>But name is the only additional information you need to make a legitimate purchase

where did you get the impression that there are merchants (worth stealing from) that only accept card number + expiry + name? the example I gave was with amazon, and they take name AND address. even if you're able to find a merchant with lax security that is worth stealing from, how long can you keep the scam up for? maybe a week or two before the fraud reports start pouring in? then they'll patch up their systems and you're back to square one. you're better off installing skimmers and using the card numbers at any merchant that accepts credit (at least in the US).

>will make it slightly harder to just randomly scan peoples pockets on the subway but still an absolute security nightmare.

considering that you have to be pretty close for NFC to work, whoever is doing it is going to look pretty suspicious as he's bumping into everyone walking endlessly through the train.

>Just disable NFC altogether, no reason not to.

I can think of one: convenience. wave your card in front of the reader vs insert card, wait, type in, wait some more, then taking out your card.


Do amazon really even validate the address to the card owner? I've sent stuff to different locations in different names using the same card.

I've heard poker and gaming sites are popular to extract funds (and simultaneously launder them), don't expect them to have much security no.

> considering that you have to be pretty close for NFC to work, whoever is doing it is going to look pretty suspicious as he's bumping into everyone walking endlessly through the train.

Seriously? Just go during rush hour and you can basically stand still, the victims will practically bump into you for you. I don't expect anyone to attempt sprinting a carriage at a time...


>Do amazon really even validate the address to the card owner? I've sent stuff to different locations in different names using the same card.

For initial orders, yes. Amazon has a very advanced fraud detection system that builds up trust with your account over a while.

Amazon is very difficult to card.

>I've heard poker and gaming sites are popular to extract funds (and simultaneously launder them), don't expect them to have much security no.

All of those will require you to pass VBV. You will not get the information necessary to pass VBV without phishing.


Doubt it, maybe for US residents? When I did my first purchase my address didn't match because I was officially living at my parents but sent the package to my own address.

You make it sound like this is difficult or rare, yet banks have a very lax attitude about this and consequently funds thieves with billions upon billions every year. Somehow it is worth it, relying on the victims to scan their transaction history for errors (talk about convenient!).


NFC payment cards are cryptographically protected. It's not just read it and you have a 1:1 copy. Attacks are possible but only online attacks (this is no offline payment system) and with the right critical timing.


Apparently there do exist some cards that are protected, but all I've seen and all I've got access to are completely passive. They serve the exact same function as the magnetic stripe only from a greater distance.


Mifare Plus here. Not completely passive I guess.


I've found walking into a room with an MRI scanner works marvelously.


Having just travelled in the almost-cashless country of Norway, I found a surprising example: the Oslo airport fast train gates operate by magswiping a payment card. I suppose it's because contactless doesn't reliably work internationally.


It's interesting to contrast that to Japan's standard "IC" card NFC system, with multiple vendors (Pasmo, Suica, etc.). Everything in that system is so blazing fast. Commute-hour Tokyo subways full of people moving as fast as they can without resorting to a full run, TAPTAPTAPTAPTAPTAPTAP... through the turnstiles, very low failure rates (I've never witnessed one), not really a noticeable delay, and it'll show you your balance if you can swivel your head fast enough as you're whipping through the gate.

It makes a much more recently deployed system in my area of the US look like a total embarrassment: seconds per processed tap, a much higher tap failure rate (regularly see tap failures for myself and others), etc.


Yes, that's as close to perfect as it can get. Just rush through the turnstiles (and btw the default position is open - nothing stops you as long as the card has cash, so there's no pausing at all), figure out where the train (or subway) is after that, not to mention not having to figure out tickets from the machine. The only decent way to travel, just go go go, no delay. And you can use the same card to buy a coffee from the vending machines in the station.

But then again trains and a lot more really work in Japan. Supermarket? No waiting for payment (card or otherwise) - they're using double-buffering.


I've never had my mag stripe skimmed. I've had three chips skimmed - in one year. I'm US based, but it happened once in Malaysia.


How do you "swipe" the chip on a credit card? I thought that they are designed so replay attacks weren't possible?


One trick (which I believe has been fixed) is not so much a replay attack but a multiple transaction attack. A modified terminal makes multiple transactions on the card while the card is still in the terminal, coupled with another attack that modified what was presented on the screen of the terminal could turn a single $5 transaction to 3 $500 transactions.

The video is 3 years old now but still worth a watch discussing the attacks they have seen on Chip and Pin - https://www.youtube.com/watch?v=Ks0SOn8hjG8


I thought chip and pin could be trivially captured/cloned due to some flaw in the underlying technology?


There are plenty of flaws in the underlying technology, and most especially in real world implementations, but I don't know that any of them result in the chip being cloned. Anybody?

An example I know about with one of those flaws was the "Yes card" which MITMs a real (presumably stolen) card and arranges that the conversation goes like this:

* Legitimate terminal "Hi, I'm a Legitimate terminal, who are you?"

* Real card: "Hi, I'm Sizzle's Real Payment Card from Real Bank"

* Legitimate terminal "OK, let's do an offline transaction. I want Sizzle to authorise payment of 24.50. They entered PIN 1234, is that OK?"

MITM Yes card blocks this and tells the card instead:

"OK, let's do an offline transaction. I want Sizzle to authorize payment of 24.50, but I can't be bothered with a PIN so let's skip that"

* Real card: "OK, yes, payment of 24.50 sounds fine" (cryptographically signed message)

So this way you don't need the correct PIN, since the card never realises you entered a PIN, and so the transaction OK simply never mentions the PIN at all. You don't clone the card though, you need a real card, you're just using something like a Confused Deputy attack where the card and terminal misunderstand the situation.

A _smart_ backend at the bank could identify this fraud when the offline transactions are processed, hours or days later, but many did not, and even if they did spot it the fraudsters got away with their transaction meanwhile. The permanent "fix" for this was to roll out new cards and terminals, given this costs money it was probably not done widely or quickly.


I may be mistaken about the chip/pin capturing, thanks for the breakdown.


As an anti-tamper measure, the ATM will not just pull in the card and read it; instead, its movement is somewhat randomised, so as to increase the difficulty of obtaining an illicit read. (At least the ATMs in my country are said to usually do that)

As a result, the ATM's read head might pass over the detection spot multiple times.

Maybe you can force the measurement device to move only in one direction, but if I were to design the ATM, it would detect inconsistent, physical card movement.


> Maybe you can force the measurement device to move only in one direction, but if I were to design the ATM, it would detect inconsistent, physical card movement.

That would be very prone to false positives. Weather variations (temperature, humidity), card types, dirt (grease, dust) and foreign objects (stickers on the card) etc etc would all make the card movement inconsistent.


I don't think so. If you don't know how it moves, you can not read meaningful data (if it moves forward/backward). That's the whole point of that counter measure.

If they [the ATMs] do this and can read the card, then they can also check that the measured movement matches what the controller sent to the motor driver. Heck, depending on the driver they could just let it measure back EMF (e.g. some Trinamic stepper drivers can do that).


When running backwards and forwards you get the same sequence 3 times, once in reverse. It seems to me like that could be detected and reversed statistically with good odds. Especially if you take into account the 'total length' of the card swipe and have a lower bound on the distance of a jitter. (so you don't have to worry about 10 01 10 being a jitter)


Doesn't the track data contain the card number? (Not looked into mag stripe cards in a while so my knowledge of them is rusty). If it does, doesn't the card number itself contain a check digit? If so, if a skimmer recorded everything it saw passing through it, the data could be recalculated like how rocqua stated.

Sure the data wouldn't be immediately available and require some post processing but unless the skimmer only recorded a fixed length I can see that method of protection bypassed very quickly and easily.

I know you're posting about the skim detection tool but it just seems to me like a bad method of trying to defeat skimmers. I would guess such systems are used for trying to detect a "Lebanese loop" which traps the card when it tries to eject.


This should be provided by ATM manufacturers along with the ATM, and part of a mandatory daily check before the machine can be used.


It would be nice if I could clip on a thin piece of plastic/foil to my card to block out the magnetic strip if I know the device I'm inserting it into only needs the chip.


I’d love to have a mini version of this that is just the size of a credit card and could fit in my wallet.


I live in the US where you essentially have no liability for fraudulent transactions (if you identify them in a reasonable amount of time) - so while it’s annoying to have to get a card reissued once every couple of years, it doesn’t seem like such a big deal


I can't recommend SMS alerts for all transactions highly enough... that way even traveling you know what went through, when, and for what amount.

However, once a year seems optimistic for card replacement, if you use them at a lot of POS (gas stations). I've seen replacements at once a week (every time they filled up) and the gas station attendant doesn't care either.


I have this as well, but using email. They automatically sort into a folder and I can go through them later, super convenient.


>There’s one thing that’s fundamental to overlay and deep-insert skimmers – they have to actually read your card data! This requires a read head pressed against the magnetic track on the card with a spring mechanism. Furthermore, the head must be a conductor and in practice seems to always be metallic.

next up: skimmers with "undetectable" read heads (lined with plastic)

I've seen cashiers sandwich cards between pieces of paper to get problematic cards to read, which makes me think that while the read head must be metal, it doesn't have to be in contact with the card to work.


>... those that fit in the EMV slot (chip reader) and those that wiretap the physical communication line.

What's the point of wiretapping the emv chip? Isn't EMV supposed to be immune to skimming?


The full sentence is

> External devices can be attached as card reader overlays, deep-inserts inside the magnetic stripe slot, those that fit in the EMV slot (chip reader) and those that wiretap the physical communication line.

I believe the "those that fit into the EMV slot" and "those that wiretap the physical communication line" are two different types.

A skimmer in the EMV slot can still skim the mag-stripe. Wiretapping the communication line is used when the ATM/payment terminal uses poor security between it and whatever it's connected to.


Except an insert into the chip reader slot isn't a full insert of the entire card, and so they're not going to get the full mag stripe.

Now, if they don't need the full mag stripe, then you've got a problem. But I don't think that mechanism would work for most skimmers.


Some of the card dip style readers do have a full card insert. Examples would be the in shop ATMs that prevent the card from being removed (so they can query the chip).


Better than hoping your customers are carrying their own detection device, build such a detection mechanism into the rear of the card slot and have it periodically "sweep" itself.


There is a clever solution to this from a bank in Slovakia (Tatrabanka), you can use their mobile banking application to generate a one-time numerical code for the withdrawal. So you can just generate the code and enter it on any ATM that is owned by this bank. You don't need to have the card with you (and you can forward this code to your wife for example). Also 100% of cards in Europe are also protected by PIN, so simple skimmers won't work.
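The one-time withdrawal code flow described in this comment (and the BLIK flow mentioned at the top of the thread), as an added example; it is not code from the thread, from the paper, or from any bank. It assumes a 120-second code lifetime, a lockout after five failed redemptions per ATM, and a three-step flow (the app issues a code, the ATM redeems it together with the requested amount, the app then confirms that amount before the ATM may dispense); all three are assumptions, and the code is stored only as a hash so a leaked table does not hand out live codes.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120      # assumed code lifetime; a real bank picks its own
MAX_FAILED_PER_ATM = 5      # assumed lockout against guessing a 6-digit code


class ManualClock:
    """Settable clock so the flow can be exercised without real waiting."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


@dataclass
class PendingWithdrawal:
    account: str
    amount: int          # minor units (cents)
    atm_id: str
    confirmed: bool = False


class WithdrawalCodeService:
    """Bank-side service: the app requests a code, the ATM redeems it, the
    app confirms the amount, and only then may the ATM dispense."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}         # sha256(code) -> (account, expires_at)
        self._failed = {}        # atm_id -> consecutive failed redemptions
        self._withdrawals = {}   # withdrawal id -> PendingWithdrawal

    @staticmethod
    def _digest(code: str) -> str:
        # Only a hash of the code is kept server-side.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, account: str) -> str:
        """Called by the authenticated mobile app. Returns the 6-digit code."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self._codes[self._digest(code)] = (account, self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str, amount: int, atm_id: str):
        """Called by the ATM. Returns a withdrawal id, or None on rejection."""
        if self._failed.get(atm_id, 0) >= MAX_FAILED_PER_ATM:
            return None                                      # ATM locked out
        entry = self._codes.pop(self._digest(code), None)    # pop => single use
        if entry is None or self._clock() > entry[1]:
            self._failed[atm_id] = self._failed.get(atm_id, 0) + 1
            return None                                      # unknown or expired
        self._failed[atm_id] = 0
        wid = secrets.token_hex(8)
        self._withdrawals[wid] = PendingWithdrawal(entry[0], amount, atm_id)
        return wid

    def confirm(self, account: str, wid: str, approve: bool = True) -> bool:
        """Called by the app after showing the user the amount and the ATM."""
        w = self._withdrawals.get(wid)
        if w is None or w.account != account:
            return False
        if not approve:
            del self._withdrawals[wid]
            return False
        w.confirmed = True
        return True

    def dispense_allowed(self, wid: str) -> bool:
        w = self._withdrawals.get(wid)
        return w is not None and w.confirmed


if __name__ == "__main__":
    clock = ManualClock()
    bank = WithdrawalCodeService(clock=clock)
    code = bank.issue("acct-1")                 # shown in the app
    wid = bank.redeem(code, 5000, "atm-A")      # typed into the ATM
    print("redeemed:", wid is not None)
    print("dispense before confirm:", bank.dispense_allowed(wid))
    bank.confirm("acct-1", wid)
    print("dispense after confirm:", bank.dispense_allowed(wid))
    print("second use of the same code:", bank.redeem(code, 5000, "atm-A"))
```

The single-use property comes from `pop`, the expiry from the stored deadline, and the per-ATM failure counter is what makes a six-digit code space acceptable: without it, a machine accepting unlimited guesses would be the weak point rather than the code.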


PIN does not protect you from skimmers... Everything you need is on the magnetic stripe, PIN is only needed if you use the chip - which an attacker obviously wouldn't.

The whole concept of chip+pin is pretty pathetic considering that the magnetic stripe is still there for backwards compatibility.

And now with wireless cards it is even less secure than a magnetic stripe.


As I described below, all of this is part of Authorization, in principle an old-fashioned carbon impression sheet of your card could be used to justify a $5000 payment and it's up to you to contest that if it's bogus. Authorization protects the bank, not the customers.

But for the Authorization a PIN absolutely can be required for online card transactions using a mag stripe. And this was routinely done in countries which had PINs for debit cards years before EMV. The terminal calls the bank and says I have this card, and here's the PIN entered by the customer, is that OK?

Unlike the mag stripe you can't clone a card using the "wireless" EMV mode, the chip isn't just playing back a fixed data stream, it's an active component.

[ It might be instructive to expand here, so I shall ]

As part of an EMV transaction the terminal and card are supposed to pick random ("unpredictable") numbers each time. If this is done correctly it presents a significant security feature. For example, suppose tomorrow I plan to tell a jewellery store's payment terminal that your card, which I was able to access briefly today when you were in the same elevator as me, authorises purchase of a $500 watch, then I'll pawn the watch and keep the cash. Well, I need the cryptographically signed message from your card saying this is authorized. But, that message needs the unpredictable number that the jewellery store terminal will choose tomorrow, which I don't know yet, so I can't do it.

Now, in practice researchers found some terminals and cards are crap and e.g. the numbers they use aren't truly unpredictable. But that's an implementation flaw that can be fixed, just the same as if your bank has a habit of leaving the back door open and the vault unlocked. It's something your defence attorney should know if the bank accuses you of fraud for someone else's transaction, but it's not an inherent problem in "wireless" EMV.


The whole point is that the attacker can opt to withdraw funds using a site/service/xxx that doesn't perform such authorization. I've only seen such authorizations be used on domestic sites, an attacker would probably even prefer to withdraw funds from a country other than that of the victim.

Making the whole endeavor pointless.


Absent the authorization you can just unwind the transaction, since there's no evidence whatsoever that you authorized it. It will depend on how strong consumer protection is as to whether this actually leaves you financially whole afterwards or whether the bank is able to get away with just giving back the money for the single transaction.

To the extent that Authorization isn't mandatory before the Payment step, sure, everything about payment cards is "pointless". Banks have decided they don't care about fraud and will just pass that cost on to you. shrug


You can do that if the bank decides that you have not been negligent. Whether you have been negligent seems to be correlated with how much money was taken from you ;)

Anyway, it is pretty immoral to rely on reimbursements - actively funding and making thievery profitable.


I've seen you claim wireless cards are really insecure a few times in this thread. I was wondering about a source, and about the mechanism.

Certainly, using rather basic NFC smart card technology, all but on-line attacks could be eliminated. My question is then, what kind of low-protection protocol do they use in practice to make this so insecure.

Specifically, I am asking about an offline attack that allows an actual spend the bank would accept. I am also only interested in debit cards (because that is what I have) so just reading a CC number from NFC doesn't bother me.


My "Party trick" when NFC payments was newish in the UK was using a pair of Nexus S phones in a relay attack.

I would say to a friend "I bet I can buy the next round using your card, if I can you buy the round if not I'll buy the round" Get them to place their wallet with their card in it on the table with one of my phones near the wallet and I would present my other phone to the reader at the bar.

At the time the bar I did it at had public wifi without Wireless Isolation so I could use the bar's wifi as a low latency connection between the two phones but back then the tolerances on the timings would allow you to do it with a decent mobile connection. (At one point you could just get a NexusS custom rom already set up for this replay attack).

It was more of a party trick as you had to have close proximity to the payment card as it was just a relay attack and the banks limited NFC transactions to a max of £20 which the banks would cover (it's been bumped up to £30 these days or more if you auth with biometrics like with Apple Pay if the store permits the transaction).

I believe NFC payment terminals these days have tightened up the timings of card reads to make such relay attacks more difficult.
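The two defences discussed above, the per-transaction unpredictable number from the EMV comment further up and the tightened response timing this comment mentions, as one added simulation; it is not code from the thread, from the paper, or from any EMV implementation. It assumes HMAC-SHA256 as a stand-in for the real cryptogram MAC, a constructed per-card key, a 15 ms response bound, and a manual clock so the timing check is deterministic; all are assumptions. It shows a genuine tap being approved, a cryptogram obtained under a different unpredictable number being rejected by the issuer, and a correct answer arriving too slowly being rejected by the terminal.

```python
import hashlib
import hmac
import secrets

# Constructed per-card key. In real EMV the cryptogram is a MAC (3DES/AES)
# under a key derived from an issuer master key; HMAC-SHA256 stands in here.
CARD_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
RELAY_RTT_LIMIT_MS = 15.0   # assumed upper bound on the card's response time

APPROVED = "approved"
DECLINED_TIMING = "declined:timing"
DECLINED_CRYPTOGRAM = "declined:cryptogram"


class ManualClock:
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


def _mac(key, pan, amount, un, atc):
    msg = f"{pan}|{amount}|{un.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Active chip: every cryptogram covers a fresh transaction counter (ATC)
    and the terminal's unpredictable number (UN)."""

    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, amount, unpredictable_number):
        self.atc += 1
        return self.atc, _mac(self.key, self.pan, amount, unpredictable_number, self.atc)


class Issuer:
    """Bank backend: recomputes the cryptogram and enforces a rising ATC."""

    def __init__(self, keys):
        self.keys = keys
        self.last_atc = {}

    def verify(self, pan, amount, un, atc, cryptogram):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc.get(pan, 0):
            return False                     # unknown card or reused counter
        if not hmac.compare_digest(_mac(key, pan, amount, un, atc), cryptogram):
            return False                     # UN, amount, ATC or key mismatch
        self.last_atc[pan] = atc
        return True


class Terminal:
    def __init__(self, issuer, clock):
        self.issuer, self.clock = issuer, clock

    def transact(self, pan, card_channel, amount):
        un = secrets.token_bytes(4)          # fresh unpredictable number
        t0 = self.clock()
        atc, cryptogram = card_channel(amount, un)
        rtt_ms = (self.clock() - t0) * 1000.0
        if rtt_ms > RELAY_RTT_LIMIT_MS:
            return DECLINED_TIMING           # answer took too long for a card in the field
        if self.issuer.verify(pan, amount, un, atc, cryptogram):
            return APPROVED
        return DECLINED_CRYPTOGRAM


def run_scenarios():
    """Outcomes of a genuine tap, a stale cryptogram, and a relayed tap."""
    clock = ManualClock()
    card = Card("4111111111111111", CARD_KEY)   # test PAN, constructed key
    terminal = Terminal(Issuer({card.pan: CARD_KEY}), clock)

    genuine = terminal.transact(card.pan, card.generate_ac, 50000)

    # A cryptogram the card produced earlier under some other UN cannot be
    # presented for today's UN: the issuer's recomputed MAC will not match.
    stale = card.generate_ac(50000, secrets.token_bytes(4))
    replay = terminal.transact(card.pan, lambda amount, un: stale, 50000)

    # The real card answers correctly, but through a path that adds 50 ms.
    def relayed(amount, un):
        clock.now += 0.050
        return card.generate_ac(amount, un)

    relay = terminal.transact(card.pan, relayed, 50000)
    return genuine, replay, relay


if __name__ == "__main__":
    print(run_scenarios())
```

The ATC check matters as much as the unpredictable number: even if a terminal's UN were predictable, the issuer still refuses any counter value it has already seen for that card, so a single captured cryptogram is good for at most one transaction.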


Yeah, active attacks are where PIN-less NFC gets really scary. That said, just losing such a card is also scary.

It amazes me how timing makes it possible to detect this kind of stuff.


I've never been asked for a pin when using NFC payments (if you don't count the times I've used my phone) but I mix my card transactions up all the time between cash withdrawals, Chip and Pin payments and NFC so I guess the "ask for a pin counter / algo" gets reset when I use a pin in Chip and Pin / ATM.

I believe that after so many NFC payments (without resetting the count) or if you try and make a purchase over £30 they ask for a pin and my bank will cover any NFC payments on a lost card as long as you make them aware of the loss within a reasonable time period. So personally I'm not too worried about losing my NFC card. They know it's not a perfect system (is anything perfect?) so limit their loss by restricting the amounts used on such cards.

EDIT: Esp as a lost card could be used for online transactions as they have the CVV (as they have the card) and losing your card prob means losing your wallet and prob your driving license with your address on it (almost everything a bad actor needs to make an online purchase, just got to hope that Verified by Visa / Mastercard SecureCode kicks in).


I actually need the PIN for any payment over €25, which can still be done with NFC. Besides that, I'd say I still need to enter my PIN for small payments roughly once every 2 weeks.


I believe the "purchase over £30" in the UK is dependent on the store. Instead of asking I've just used Chip and Pin for such transactions. But yeah never had the "enter your pin" for small NFC payments. Guess the bank thinks I'm a low risk :-p

(Now I've said it I bet the next time I use NFC it will pester me for a pin :-p)


In the Netherlands, it's something along the lines of "Every x payments, you need a PIN". I'd guess that any payment with PIN resets the counter.

I was discussing with colleagues how smart the interval is. Perhaps the bank is doing some anomaly detection to inform whether a PIN is needed.
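The "every x payments you need a PIN" rule from this sub-thread, written out as the issuer-side counters a risk engine would keep, as an added example; it is not code from the thread or from any bank. The three limits (a per-tap ceiling, a run of consecutive no-PIN taps, and a cumulative no-PIN amount), their values, and the rule that any PIN-verified transaction resets both counters are all assumptions chosen to match the behaviour described in the comments above. It also computes the worst-case loss a lost card can cause before a PIN is demanded, which is the quantity the bank is actually bounding.

```python
from dataclasses import dataclass

NO_CVM = "no_cvm"              # tap goes through without a PIN
PIN_REQUIRED = "pin_required"  # terminal must prompt for the PIN
APPROVED = "approved"


@dataclass
class ContactlessPolicy:
    """Issuer-side limits. Values are assumptions, in minor units (pence/cents)."""
    single_tap_limit: int = 3000          # above this a PIN is always required
    max_consecutive_no_pin: int = 5       # "every x payments you need a PIN"
    cumulative_no_pin_limit: int = 10000  # total spent since the last PIN


@dataclass
class CardRiskState:
    """Per-card counters kept by the issuer (or on the chip for offline use)."""
    consecutive_no_pin: int = 0
    cumulative_no_pin: int = 0


def decide_cvm(amount, state, policy):
    """Cardholder verification decision for a contactless tap."""
    if amount > policy.single_tap_limit:
        return PIN_REQUIRED
    if state.consecutive_no_pin + 1 > policy.max_consecutive_no_pin:
        return PIN_REQUIRED
    if state.cumulative_no_pin + amount > policy.cumulative_no_pin_limit:
        return PIN_REQUIRED
    return NO_CVM


def process_transaction(amount, state, policy, pin_verified=False):
    """Returns APPROVED or PIN_REQUIRED and updates the counters.

    pin_verified=True models a chip-and-PIN purchase, an ATM withdrawal, or a
    tap where the customer entered the PIN when prompted: all of them reset
    the no-PIN counters, which is why mixing transaction types keeps a card
    from ever being asked for a PIN at the till."""
    if pin_verified:
        state.consecutive_no_pin = 0
        state.cumulative_no_pin = 0
        return APPROVED
    if decide_cvm(amount, state, policy) == PIN_REQUIRED:
        return PIN_REQUIRED
    state.consecutive_no_pin += 1
    state.cumulative_no_pin += amount
    return APPROVED


def max_exposure_without_pin(policy):
    """Worst case a lost card can lose before a PIN is demanded."""
    return min(policy.max_consecutive_no_pin * policy.single_tap_limit,
               policy.cumulative_no_pin_limit)


if __name__ == "__main__":
    policy, state = ContactlessPolicy(), CardRiskState()
    for amount in (1000, 1000, 1000, 1000, 1000, 500):
        print(amount, process_transaction(amount, state, policy), state)
    print("worst case without a PIN:", max_exposure_without_pin(policy))
```

Whether the counters live on the chip (offline) or at the issuer (online) changes who can see them, not the logic; the comment's observation that the interval might come from anomaly detection would simply replace the fixed thresholds with a score.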


Why would just reading a CC number and expiration date not bother you? (on lots of cards they are just plain-text for anyone who asks)


Because I use a (Dutch) debit card. This is not a Credit Card, so it does not have a real card number (it has a 4-digit number to identify it among potential other cards issued for my account). I just checked, and was surprised to see it had an expiration date, because that does not play any role in authentication.

Note that I am coming at this from the perspective "Is payment in my country done well". So I only care about attacks against my card, and the cards of people I know.

It does seem stupid to me to have a CC number and expiration date available in plain text. But honestly, I am more amazed by that information being sufficient to authorize payment. That said, it amazes that 'upgrades' both neglect to fix the underlying issue, and fail to take it into account in their implementation.

Besides this entire story, there is an interesting issue of PIN-less tap-and-pay, which scares me more (from the dutch perspective) than plaintext data on my NFC card. It doesn't scare me enough to disable it though.


How do you purchase something on international sites?

I totally agree that the requirements to authorize a transaction are laughable. Even more so that the information is printed on the card itself, insane.


I use paypal when possible. Otherwise, I have a separate, rarely used, credit card. The card has no NFC.

Notably, every time I've used it on-line, it forwarded me to my banks website, where I needed to do a 2 factor thing. I'd guess that is vendor-dependent though. I can't imagine US webshops are setup for that. (Most of my usage is amazon.de)


Ok, I didn't know that. But I have never used the magnetic strip in Europe, I don't think anyone accepts it here. My previous bank would even issue standard debit cards without the magnetic strip. So how would you use the card without the PIN? Can you read the whole card number + expiration + CVV code and then buy something online?


In Sweden it is not that uncommon (majority of readers take both chip+magnetic stripe). Also, ATMs swallow the whole card so a skimmer would work there even if the ATM itself only uses the chip. And now with wireless you could probably trivially skim people that used the chip (or wireless) functionality as well.

I have never seen a card without magnetic stripe, that is awesome. I even have some trouble getting a card without wireless...

At least whole card number + expiration is on the magnetic stripe. You don't need CVV as it is optional. Everything is written in clear-text and by definition that text must contain everything needed to perform a purchase.


During my visit in the US, sometimes my European credit card would not work with magnetic stripe, the dealer telling me to use the chip. There were some terminals which had a non working chip-reader, you had to enter the card number + CVV to pay.


Not sure what your point is, the success rate of a magnetic skimmer would be 100% regardless.


That the home bank somehow knows that you just used the magnetic stripe and says "I want the chip". Of course skimming (the act of reading and copying the magnetic data) still works, but payment not.


My memory is hazy on this but I believe there is a bit on the magnetic stripe that says "hey, I have a chip please use that instead". And if the terminal supports chips it will probably ask you to use the chip instead.

If the terminal does not have a chip reader (or doesn't parse that information) it will allow the purchase. If you are cloning the magnetic stripe you would of course reset that bit and you would be all good.
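The track data and "chip present" flag that this comment and the earlier check-digit comment refer to, as an added example of what a terminal can do with a swipe; it is not code from the thread, from the paper, or from any terminal vendor. The layout is the ISO/IEC 7813 Track 2 format (PAN, expiry, three-digit service code, discretionary data), with service-code digit 1 values 2 and 6 meaning an integrated circuit is present and digit 3 values 0, 3 and 5 meaning a PIN is required; the sample record is constructed around the well-known Visa test PAN. The decision function rejects a PAN that fails its Luhn check digit and asks for the chip when the stripe declares one and the terminal has a reader. Since anything readable from a stripe can also be written to one, that flag is a hint for the terminal and the real control stays with the issuer's authorization rules, as the comment about the home bank insisting on the chip describes.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Service code meanings (ISO/IEC 7813). Digit 1: 2 and 6 mean an integrated
# circuit is present; digit 3: 0, 3 and 5 mean a PIN is required.
CHIP_PRESENT = {"2", "6"}
PIN_REQUIRED = {"0", "3", "5"}

# Constructed sample: the well-known Visa test PAN, a made-up expiry, service
# code 201 (international, chip present, normal authorization, no
# restrictions) and made-up discretionary data.
SAMPLE_TRACK2 = ";4111111111111111=25122011234567890123?"


def luhn_valid(pan):
    """Check digit test every PAN must pass; a failure means a misread."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_present(self):
        return self.service_code[0] in CHIP_PRESENT

    @property
    def pin_required(self):
        return self.service_code[2] in PIN_REQUIRED

    @property
    def masked_pan(self):
        """What belongs in a log line: first six and last four digits only."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw):
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed track 2 record")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def magstripe_decision(raw, terminal_has_chip_reader):
    """Terminal-side handling of a swipe:
    - malformed data or a PAN failing its check digit -> reject the read
    - a card declaring a chip at a terminal with a chip reader -> demand the chip
    - otherwise the swipe may proceed, subject to issuer authorization."""
    try:
        t = parse_track2(raw)
    except ValueError:
        return "reject:malformed"
    if not luhn_valid(t.pan):
        return "reject:check_digit"
    if t.chip_present and terminal_has_chip_reader:
        return "use_chip"
    return "magstripe_ok"


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(t.masked_pan, "exp", t.expiry_yymm, "chip:", t.chip_present, "pin:", t.pin_required)
    print(magstripe_decision(SAMPLE_TRACK2, terminal_has_chip_reader=True))
    print(magstripe_decision(SAMPLE_TRACK2, terminal_has_chip_reader=False))
```

The parser deliberately ignores the discretionary field beyond carrying it through: the terminal never needs to interpret it, and logging only `masked_pan` keeps full track data out of receipts, logs and crash dumps, which is where skimmed data is otherwise found second-hand.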


BBVA in Spain has the same thing, it directly asks which phone number to send the code to, in case you want another person to withdraw the money: https://www.youtube.com/watch?v=Hb6KNWSKXmE


Same in Portugal (for all banks, as we have a single ATM network owned by all of them).


Does it work without a mobile data connection? Regardless this is a great idea and I would love to know what it would take to convince other banks to do the same.


It doesn't - but usually everyone has a mobile data plan here and coverage is great, so it's not a concern. In the rare event you can use the card as backup. I wish this was some sort of standard between banks. But thankfully this is the biggest bank in the country, so their ATM is usually very close to you (there is no special hardware, it's an ordinary ATM - with just a menu option of entering the one-time code).


I can block the whole magnetic stripe from my smartphone app (Revolut, EU). This whole system (magnetic stripe) is flawed and totally outdated.


While you can tell Revolut to block transactions that use the magnetic stripe, it doesn't physically disable the stripe, so they can still pull your data from it, which may be enough for them to carry out an attack.


... is there any way to destroy the mag strip a CA ed with a chip?


I'm curious how the detector isn't triggered by normal card readers. Surely legitimate untampered readers are reading the magnetic strip too?


They mention that if there is a tampered reader, the read is triggered twice.


Please someone... Why on earth are there still ATMs with magnetic stripe readers in some countries?

Where I travel I don't run into those anymore. Because if I did it wouldn't work - I've found that with enough magnetic stripe cards in the wallet they effectively de-magnetize each other. I currently have exactly one (very new) VISA debit card with a functioning magnetic stripe, which I use for parking only, as there are still a few very old magnetic stripe machines around. The other cards can't be read. (Someone could put a pinhole camera on the parking lot reader.. doesn't matter, as no pin is entered. Cost is up to ~a dollar or so, so they don't bother with the pin.)



