jm + credit-cards   12

In praise of cash
'The battle to protect cash is one full of ambiguities - it feels somewhat
like trying to protect good ol' normal capitalism from a Minority Report
surveillance-capitalism'
cash  payment  contactless  surveillance  banking  banks  credit-cards 
27 days ago by jm
Contactless credit cards vulnerable to a range of scams
Johanson said it's possible to use an RFID "gate antenna" — two electronic readers spanning a doorway, similar to the anti-theft gates in retail stores — to scan the credit cards of people passing through. 
With enough high-powered gates installed at key doorways in a city or across the country, someone could collect comprehensive information on people's movements, buying habits and social patterns.
"These days you can buy a $500 antenna to mount in doorways that can read every card that goes through it," Johanson said.


Amazingly, these seem to be rife with holes -- they still use the legacy EMV protocol, do not require online verification with backend systems, and allow replay attacks. A Journal.ie article today claims that attackers are sniffing EMV data, then replaying it against card readers in shops in Dublin; while that may not be true, the attack certainly seems viable...
rfid  security  scams  emv  wireless  contactless  credit-cards  replay-attacks 
december 2016 by jm
PayWave & PayPass deletion via RFID antenna kill
remove RFID from a payment card with a single drilled hole
rfid  banking  cards  debit-cards  credit-cards 
november 2016 by jm
100 thieves steal $13m in three hours from cash machines across Japan
'Police believe that as many as 100 people, none of whom have been apprehended, worked together using forged credit cards containing account details illegally obtained from a bank in South Africa. The culprits used the fake cards at 1,400 convenience store automated teller machines on the morning of 15 May, according to police. Each made a single withdrawal of 100,000 yen – the maximum allowed by the cash machines.'

1,600 forged/stolen credit card credentials from a single bank, then a synchronised attack made possible by the eventually-consistent ledger model of ATM accounting.

(via William Gibson)
atms  banking  japan  fraud  security  credit-cards 
may 2016 by jm
How a criminal ring defeated the secure chip-and-PIN credit cards | Ars Technica
Ingenious --
The stolen cards were still considered evidence, so the researchers couldn’t do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card’s original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible,” the researchers write. [....]

The researchers explain that a typical EMV transaction involves three steps: card authentication, cardholder verification, and then transaction authorization. During a transaction using one of the altered cards, the original chip was allowed to respond with the card authentication as normal. Then, during card holder authentication, the POS system would ask for a user’s PIN, the thief would respond with any PIN, and the FUN card would step in and send the POS the code indicating that it was ok to proceed with the transaction because the PIN checked out. During the final transaction authentication phase, the FUN card would relay the transaction data between the POS and the original chip, sending the issuing bank an authorization request cryptogram which the card issuer uses to tell the POS system whether to accept the transaction or not.
security  chip-and-pin  hacking  pos  emv  transactions  credit-cards  debit-cards  hardware  chips  pin  fun-cards  smartcards 
october 2015 by jm
3D Secure and Verified By Visa to be canned
Yay.
Mastercard and Visa are removing the need for users to enter their passwords for identity confirmation as part of a revamp of the existing (oft-criticised) 3-D Secure scheme.
The arrival of 3D Secure 2.0 next year will see the credit card giants moving away from the existing system of secondary static passwords to authorise online purchases, as applied by Verified by Visa and MasterCard SecureCode, towards a next-gen system based on more secure biometric and token-based prompts.


(via Gordon)
via:gsyme  verified-by-visa  3d-secure  mastercard  visa  credit-cards  authentication  authorization  win  passwords 
november 2014 by jm
Full iSight report on the Kaptoxa attack on Target
'POS malware is becoming increasingly available to cyber criminals' ... 'there is growing demand for [this kind of malware]'. Watch your credit cards...
debit-cards  credit-cards  security  card-present  attacks  kaptoxa  ram-scrapers  trojans  point-of-sale  pos  malware  target 
january 2014 by jm
The Malware That Duped Target Has Been Found
A Windows 'RAM scraper' trojan known as Trojan.POSRAM, which was used to attack the Windows-based point-of-sale systems which the POS terminals are connected to. Part of an operation called Kaptoxa. 'The code is based on a previous malicious tool known as BlackPOS that is believed to have been developed in 2013 in Russia, though the new variant was highly customized to prevent antivirus programs from detecting it' ... 'The tool monitors memory address spaces used by specific programs, such as payment application programs like pos.exe and PosW32.exe that process the data embossed in the magnetic strip of credit and debit cards data. The tool grabs the data from memory.' ... 'The siphoned data is stored on the system, and then every seven hours the malware checks the local time on the compromised system to see if it’s between the hours of 10 a.m. and 5 p.m. If so, it attempts to send the data over a temporary NetBIOS share to an internal host inside the compromised network so the attackers can then extract the data over an FTP ... connection.'

http://www.pcworld.com/article/2088920/target-credit-card-data-was-sent-to-server-in-russia.html says the data was then transmitted to another US-based server, and from there relayed to Russia, and notes: 'At the time of its discovery, Trojan.POSRAM “had a zero percent antivirus detection rate, which means that fully updated antivirus engines on fully patched computers could not identify the software as malicious,” iSight said.'

Massive AV fail.
kaptoxa  trojans  ram-scrapers  trojan.posram  posram  point-of-sale  security  hacks  target  credit-cards  pin  ftp  netbios  smb 
january 2014 by jm
Column: The Loyaltybuild breach shows it’s time to take data protection seriously
What is afoot here is a rerun of the Celtic Tiger era “light touch regulation” of financial services. Ireland has again made a Faustian pact whereby we lure employers here on the understanding that they will not be subject to too stringent a regulatory system. As the Loyaltybuild breach has shown, this is a bargain that will probably end badly. And as with the financial services boom, it is making the Germans nervous.
Perhaps we will listen to them this time.
fergal-crehan  loyaltybuild  celtic-tiger  ireland  dpa  regulation  data-protection  privacy  credit-cards 
november 2013 by jm
IPSO representative trivialising impact of the Loyaltybuild data breach
A very worrying quote from Una Dillon of the Irish Payment Services Organisation in regard to the Loyaltybuild incident:
“I wouldn’t be overly concerned if one of my cards was caught up in this,” Dillon says. “Even in the worst-case scenario – one in which my card was used fraudulently – my card provider will refund me everything that is taken”.


This reflects a deep lack of understanding of (a) how identity fraud works, and (b) how card-fraud refunds in Ireland appear to work.

(a): Direct misuse of credit card data is not always the result. Fraudsters may prefer to instead obtain separate credit through identity theft, i.e. using other personal identifying data.

(b): Visa debit cards have no credit limit -- your bank account can be cleared out in its entirety, and refunds can take a long time. For instance, http://www.askaboutmoney.com/showthread.php?t=174482 describes several cases, including one customer who waited 21 days for a refund.

All in all it's trivialising a major risk for consumers. As I understand it, a separate statement from IPSO recommended that all customers of Loyaltybuild schemes need to monitor their bank accounts daily to keep an eye out for fraud, which is pretty absurd. Not impressive at all.
loyaltybuild  ipso  money  cards  credit-cards  visa  debit-cards  payment  fraud  identity-theft  ireland 
november 2013 by jm
O2's page on their new "block 18+ content on mobile internet" policy
O2 UK have just instituted a mandatory block for all "18+" content, which is only removed once the customer pays a UKP1 fee via credit card (which is immediately refunded). Twitter is *full* of angry UK O2 users right now.
o2  uk  content  credit-cards  filtering  censorship  adult  from delicious
march 2011 by jm
Cybercrime Organizations Turn to ‘Mafia-Style’ Structure
good research coming out of McAfee -- lots of Eastern European, Russian, and ex-USSR-country cybercrime businesses nowadays, apparently
spam  scams  scareware  russia  eastern-europe  ukraine  romania  credit-cards  antivirus  mcafee  security  phishing  from delicious
october 2009 by jm