There is very little true security in retail establishments.
This lady simply swapped bar codes on expensive items for bar codes of inexpensive items. Got away with it for over a year and made as much as $30,000 per month in some months:
This is another interesting case because it points out how vulnerable this part of the financial transaction chain is. Of course even after they catch the guys who were installing the skimmers they don't get the 'top' guys who make the fake cards and then withdraw funds in Serbia.
I did see a talk where the folks noted (but did not remove) such devices and then began tracking every account that went through the modified device. This was to figure out who the bad guys were. By watching the fraudulent transactions that happened later they were able to roll up a carding group in the Baltics. But it does take a more proactive approach.
From a future products perspective the use of cards with embedded processors seems better and better.
There are already scanhacks for iPad cash registers. Mostly consisting of a touchscreen overlay wired to look like it's part of the protective case. So, forget that iSense of iSecurity, it's not there.
It occurred to me once upon a time that I could use just such a keylogger to capture my classmates' student ID card swipes when they went to release print jobs at any of the print stations on my university campus. I recognized this as a security flaw that (probably) didn't have many lucrative uses, but I never imagined such a technique might work for credit cards. I wrongly assumed that credit card readers would employ greater physical security.
Hardware security aside, if credit card readers employ proper encryption, that in itself would probably be an effective deterrent against such leaks, but only IF such encryption is implemented.
I think a large factor in the lack of change in payment security (In the US anyway, I can't speak for anywhere else) is the rise of the "protected" card. I have no incentive to protect anything about my Amex.
Card got skimmed a few years ago somehow, Amex called, asked if I was in Nicaragua (I wasn't) they apologized, removed the $200 or so in charges and next-day aired me a new card. Almost zero hassle.
I'd hate to have my debit card skimmed but as far as a credit card... I'm not too worried. The risk isn't mine.
Chip and fucking pin. Sigh. This problem is solved, yet practically nobody in the US is demanding the established solution. Until we do, this is only going to continue.
In the UK and EU, chip and pin carries with it some nasty liability problems. That is, the consumer is now de facto liable for all fraud that happens, in spite of the statute.[1] A significant amount of skimming still occurs in the EU.[2] The protocol used, just like the traditional charge card method, is considered insecure.[3]
The U.S. method, where the low-security retailer is liable, is the most fair. The current charge back system works. Retailers that use inventory control, secure systems, and require ID with large purchases receive few legitimate charge backs. [4]
I work in the industry. Chip and pin is not statistically safer (fraud rates in Spain, UK, and US are all the same despite having very different payment landscapes). The fundamental problem is that in traditional chip-and-pin setups you also type the pin into the same machine... so adding a skimmer + video camera OR adding a skimmer that records pin is marginally possible and not that hard.
The real security would come with a second factor that the user controls, either by approving on your phone or by using one-time-numbers for each transaction. The reason why these do not exist yet is because they would impede transaction flow, and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.
The US is getting chip cards in 2015 [0], although it looks to be chip and signature.
As another poster pointed out, chip and pin is not foolproof and may present a nasty liability shift to consumers when it comes to fraud.
There are also more practical issues with chip cards. First, merchants will be required to buy new chip-capable card readers. They will not be happy about it, but they'll be forced into it by their merchant agreements. Second, chip transactions take noticeably longer to process. From my casual observation a swipe takes 1-3 seconds, but chip readers took at least twice as long. Sounds silly, but it can really add up if there is a long line.
Sounds like it depends more on how sophisticated the readers are. The current ones are apparently pretty dumb, and just pretend to be a PS2 keyboard and send the info as keypresses, since the guys in the article just used an off-the-shelf keylogger to steal the data. You could easily make a chip and pin pad that did the same thing and was just as easy to compromise.
For real security, you'd need to do something like have the reader internally encrypt the data with the card processor's public key and only send an encrypted blob out of the device. If you're doing that, then anything's secure against this kind of attack. But the readers would have to cost like 10x more, and it probably isn't enough of a problem to bother replacing them all.
It's ridiculous how such an important infrastructure is so vulnerable. Magnetic stripes are easily copiable and without any other "authentication method" it's a done deal.
I once worked for a retailer which was connected via Megapath (they outsourced to whatever local ISP is available at the store location). The internet setup was so abysmal in security, in some cases the stores used wifi to connect to the front registers with the password being (not kidding) [storename:storenumber]. That's it.
These fools are getting caught doing elaborate plants. That's not how real criminals key log (btw, this is not a skimmer, but is a 'keylogger' as joenathan points out). Real criminals sit in the comfort of their car or nearby coffee shop and scan for open connections and insecure use of credentials.
And the question is... why not just use secure card swipe devices? You load an encryption key onto the hardware, and then key loggers don't work any more. Sure, it won't solve all your problems, but nothing does.
I may be mistaken, but I thought that the PCI/DSS forbids using such devices (unencrypted transmission from the keypad), and if a merchant uses them then they're automatically liable in full for all such fraud; i.e., banks just refund all cardholders for their losses and bill that+card replacements to that merchant.
The main reason I find this interesting is the hacker scene in South Florida is so small. I bet if they caught one of these guys, they could track it down to the mastermind faster than somewhere like NY or SF.
From a technical standpoint, a very lame attack. There's no hacking involved at all. There have been technically much more sophisticated attacks modifying terminal hardware & firmware, offloading data completely out of band using 3G networks, etc. That's something that could be called hacking and proper (malhardware) engineering.
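Several comments above contrast a reader that acts as a PS/2 keyboard and types the stripe out in cleartext with one that encrypts inside the device. The following check is an added example, not code from the thread or the article: it scans whatever the host received from a reader for cleartext magnetic-stripe tracks, the kind of acceptance test a merchant can run with a test card. The function names, the ISO/IEC 7813 track layouts assumed by the patterns, and all sample strings are assumptions made for illustration.

```python
import hashlib
import re

# Assumed ISO/IEC 7813 layouts:
#   track 1: %B<PAN>^<name>^<YYMM>...?      track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check; filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six / last four so a finding never stores a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_tracks(host_input: str) -> list[tuple[str, str]]:
    """Return (track, masked PAN) for each cleartext track in the host's input."""
    findings = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(host_input):
            if luhn_ok(m.group(1)):
                findings.append((name, mask(m.group(1))))
    return findings


# Constructed samples built around the public test number 4111111111111111.
WEDGE_READER = ("%B4111111111111111^TEST/CARD^30121010000000000?"
                ";4111111111111111=30121010000000000?\n")
# Stand-in for the opaque blob an encrypting reader emits (not real ciphertext).
ENCRYPTING_READER = hashlib.sha256(b"constructed stand-in").hexdigest() * 2
# Track-2 shaped text whose digits fail the Luhn check.
NOT_A_CARD = ";1234567890123456=3012101?"

if __name__ == "__main__":
    for label, data in (("wedge", WEDGE_READER), ("encrypting", ENCRYPTING_READER)):
        print(label, find_cleartext_tracks(data) or "no cleartext track data")
```

Any finding on the host side means everything between the read head and the register, including an inline keylogger, sees the same data.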
300bps | 12 years ago
http://miami.cbslocal.com/latest-videos/?autoStart=true&topV...
gojomo | 12 years ago
http://www.paloaltoonline.com/news/2012/05/21/sap-palo-alto-...
triton | 12 years ago
I started doing this after I watched a whole tray of pink lady apples go in a skip because they brought new produce out.
The same is true of a lot of retail establishments. Old stock is destroyed to keep prices up.
ChuckMcM | 12 years ago
dguido | 12 years ago
Btw, if anyone wants to buy one, you can here: http://www.keelog.com/wifi_hardware_keylogger.html
fit2rule | 12 years ago
joenathan | 12 years ago
eps | 12 years ago
anglebracket | 12 years ago
[1] http://support.quickbooks.intuit.com/opencms/sites/default/I...
[2] http://www.ebay.com/itm/CHERRY-MY8000-BEIGE-PS-2-KEYBOARD-CR...
cardamomo | 12 years ago
artas_bartas | 12 years ago
zhamilton89 | 12 years ago
rwmj | 12 years ago
It's much better for the banks to carry the can here, so they implement more secure devices.
ohazi | 12 years ago
linkregister | 12 years ago
[1] http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf
[2] http://www.telegraph.co.uk/news/uknews/law-and-order/3173346...
[3] http://www.techrepublic.com/blog/it-security/chip-and-pin-th...
[4] http://www.internetretailer.com/2012/10/31/how-karmaloop-cle...
yajoe | 12 years ago
tyoma | 12 years ago
[0] http://www.transactionworld.net/articles/2011/november/innov...
ufmace | 12 years ago
raverbashing | 12 years ago
callmeed | 12 years ago
Now that this is happening in other types of retail stores, maybe it will spur the use of more secure options (chip and pin?).
Sami_Lehtinen | 12 years ago
eksith | 12 years ago
dietrichepp | 12 years ago
Sami_Lehtinen | 12 years ago
Theodores | 12 years ago
http://www.cherrycorp.com/english/keyboards/pos/8000/
This explains the 'attack vector'. Presumably the scammers have USB dongles too.
PeterisP | 12 years ago
You save some $$ in hardware but take on risk.
peterwwillis | 12 years ago
Sami_Lehtinen | 12 years ago