Cybercrooks are targeting self-service checkout systems in UK supermarkets to cash-out compromised US credit and debit card accounts. Discussions on underground forums suggest that store chains including Asda and Tesco are being targeted. Rather than buying groceries, which would be hard to sell on, the scam relies on getting " …
You should have checked their tech blog out as well, readers' comments were getting bitchy.
This is nothing new...
AFAIK, even the British ATMs fall back to magstripe when the chip on British cards is not readable. Presumably, you can clone UK CCs with 'faulty' chips to force magstripe sale, as everywhere that has a chip reader also has a magstripe reader.
Fraudsters: head to Asda
While Tesco do not offer cashback from their self-service terminals, Asda do.
/Mine's the one with the wedge of non-sequential used twenties stuffed in the pocket.
Seriously, have you ever been onto these card forums? This has only been highlighted due to the fact that a couple of journos looking for a story logged onto these sites with the help and direction from a "computer expert".
There are numerous sites like these and they all discuss dozens of different scams, this one having been discussed for years and not something which should be included as "Breaking News" (not directing this at Mr Leyden). Mostly they are full of teenagers from the USA and the UK as well as people from the likes of Lebanon and Eastern Europe and most of them have a few credit card numbers that they have no idea what to do with yet boast about having hundreds/thousands of them. Do you seriously think pro carders use these forums to publicly talk about their scams? Sheesh....
A popular scam on these sites is to post carding software, 30/40 people run the software thinking it will verify the credit card numbers they have but in reality they are running a trojan, scamming the scammers they call it. In turn they harvest all the infected users and gain their databases. I remember a story about a few Russian mafia guys who had used one of these sites to try and sell their card numbers, falling for the old verification software scam to a couple of whitehats who replaced a few digits of each card number on the host machines (for millions of cards) and rendering them useless.
Fun times but no story, usual hype by stupid reporters who think they have stumbled onto something big....
probably won't work
there's just 4 flaws in their plan:
1) the self service consoles are chip and pin only
2) most stores don't allow high value items through self service, our local tesco has signs all over the self serve kiosks to that effect
3) the self service kiosks don't offer cash back
4) stores like argos who do take mag stripe cards require you to sign in front of the person handing you the goods...
Nope, on a UK ATM a card will be identified as a chip and pin card. If it can't read the chip, it will reject and possibly eat the card.
You can however do this on non-chip and pin ATMs overseas
I've always thought, at my local tesco petrol station, if you pay at pump you do not need to enter a pin, although they'd have your number plate on the cameras, perhaps, walk in with a jerry can, fill up, pay on a card and walk off, maybe wear a hat to mask your face.
Mine's the one with the wallet full of plastic.
Fraid not old boy, ASDA have a gaping hole in their security for this.
Chip & PIN fails it asks you to swipe on the side of the terminal
Swipe your card and it asks you to sign on a little pad below the screen
Then you get asked for cashback
If you're really unlucky the 18 year old with the puppy dog eyes looks up from her copy of Heat and makes sure you're not too dodgy looking.
As this does happen, my card failed less than a week ago and I had to swipe, cashback paid for my taxi home...
Dumb yanks (or their banks)
perhaps this shows that the yanks are rather complacent about reporting their cards lost or stolen or the banks are so familiar with getting calls saying the card has gone missing and then Archibald Pleb finds it under his sofa 20 minutes later and rings the bank to reactivate it that they no longer bar cards which is why this kind of scam can occur (also assuming that Visa, Mastercard aren't doing a stand in authorisation because the bank is uncontactable)
Unless you own the PIN machine, this will continue to happen
NFC with *your* cell phone acting as the pin device is the only way to make a truly secure payment. Don't place your trust (or PIN) in anyone else's equipment!
For a long time (almost a year IIRC) Tesco didn't require the 'pin' bit of Chip and Pin on their self service checkouts - you just swiped your card and left with the goods. Not great for security if your card is stolen.
NPC car parks still do this... although you'd have to do a lot of parking to make a lot out of a stolen card :p
Also you can use a broken C&P card with the mag stripe - my old one was completely broken and every store I went in was happy to swipe it and use the signature as backup... and since I never signed the card anyway the signature was utterly useless (in about 6 months only one store actually asked for a document with my signature on it as proof. The rest just carried on regardless).
Self service do use mag stripes.
To quote the ASDA one - "Insert your card into the chip and pin device, or swipe your card on the side of this monitor if your card does not have a chip"...
I work tills at Budgens. We are instructed not to take any cards without a chip.
We have no "self service" checkouts
re: self service and PFS
ok, as far as self service goes in tesco:
pin cards must be put through chip+pin terminal unless chip is faulty (can only be partially read).
If it falls back to signature or there's no pin, swipe on side of monitor. the attendant must then go to the terminal and get you to sign for it in front of them. the signature can only be authorised at the terminal and not at the attendant desk. This is all recorded on CCTV.
Attendant must also check the name on the card (well, title, ie mr/mrs/miss/etc) corresponds to the customer and to prevent swapping cards after you've swiped it, check the last 4 digits which are on the receipt are those on the front of the card.
If card is not signed, it cannot be accepted. Cards are NOT valid unless signed and we can also refuse payment by pin on the grounds a card is not signed. (read the back of the card folks, this is a REGULAR issue)
cards are NOT valid if the signature has worn off or appears tampered with. see above.
If there is anything dodgy about the card, it is refused.
management come down hard on folks ignoring the rules
re: PFS pay@pump
there is a £50 limit on pay at pump and you are correct that you and your car are observed on CCTV and your plate recorded.
the staff have to manually activate the pump from the checkout when you lift the nozzle, which means they have to check who is there. Those without cars are supposed to be blocked from pay@pump and transaction paid at the checkout.
A chip and pin upgrade for pay@pump is being rolled out.
I work in a Tesco Extra on Self Service Night Shift, and do overtime in the PFS.
re: Stupid, by ian
Bad luck, dude.
Um, most banks in the US (in fact I have not seen one yet) will let you reactivate a lost card
Furrin parts != easy pickings
Maybe US cards can be trivially scammed in the UK due to current lax security by supermarkets etc, but in Spain the supermarkets require either chip/pin or sight of your passport. We found this out in Consum when our checkout line had a broken C&P machine. Fortunately we had enough cash on us.
Do the same here: non-UK card sir? Can I see your passport / ID card / Driving license? and this problem goes away.
re: Dumb yanks (or their banks)
I went to a conference in Seattle last year, and at least three times (if not more) the locals manning checkouts or taking payment in bars/restaurants were amazed that I had a credit card that was - get this - not carrying a chip, but (sharp intake of breath) GREEN.
On the third occasion I asked to see theirs (yeah, I'll show you mine etc etc). They had three, from different banks/providers, and they were *all* blue. A bloody good job I didn't have a Mint card, then...
It doesn't matter whether we have chip'n'pin, signature, biometrics or blood. It doesn't matter that the UK and European banks have pulled a fast one on us, making us believe chip'n'pin is better than a signature when in reality all it does is move the liability away from the banks. All that matters is that US credit cards are blue (apparently).
No IT angle at all, I know. Who cares?
AFAIK in the U.S. it is not required that one sign the back of a credit/ debit card, but those who do not sign need to be prepared to show an ID with photo and signature. This seems more secure since a photo ID will identify both the face and signature, while a signed card only requires thieves to spend enough time practicing the sig to fake it. (Of course, one should write something like "Ask for ID" on the signature tape, else a thief only needs to put her/his version of your name in that space.) I have never in my years of plastic purchasing had a problem with this method (other than wondering how the DMV always manages to get the worst possible photo to stick on the drivers license).
Since when? I'm a British expatriate living in the United States, and as recently as this year, Budgens were perfectly happy to accept my US credit cards while I was back in old Blighty.
Frankly, I'd have been *supremely* pissed off, had they not.
AC RE: Tesco
I was just there, you can swipe the mag strip and enter the pin into the reader and get cashback. This is the normal fallback for foreign cards, I did the same abroad in the USA and Canada.
(the tesco dude again)
It all depends on whether the cashier is satisfied that you are the legitimate cardholder. I can ask for other ID if I am not satisfied that you are the cardholder. And even then I can still refuse the payment if I'm still not sure.
also, remember folks, even if it's payment by pin and they have your permission, it's still fraud if someone else uses your card, even your husband/wife, and we can destroy your card right in front of them.
also a quick note, we randomly have to do a voice authorisation on a card which means the bank has to be phoned. one of the first things they ask is whether or not the card is signed. if the answer is no, they tell us to destroy the card.
who's watching who?
What's to stop the 'mule' from simply keeping all the loot for himself? Scam artists ripping off a scam artist. I love this song.
no title here
> you can swipe the mag strip and enter the pin
erm wut? not in my store, I've not seen a 'swipe and pin' on a self serve before. swiping through a mainbank is different as they have chip readers at the bottom of the swipe and park.
> and get cashback
I wasn't aware this was being rolled out. perhaps in a newer hardware build but not in our store anyway. Nor in the smaller store just up the road which only opened 2 weeks ago and so should have the latest systems.
@ Unless you own the PIN machine, this will continue to happen (Brent Gardner)
You obviously haven't read up on cloned SIMcards, have you?
But you're right: the secure terminal isn't..
In our shop (we're a PC reseller so our goods are a target for easy sell-on)
We refuse to "fall-back" to mag strip if the chip doesn't work - and we keep a record of the three-digit security #. If someone does manage to defraud us, we're protected from the bank accusing us of accepting a cloned card!
@Ryan - "In our shop"
"we keep a record of the three-digit security #"
You may be asking for trouble. Do I hear a landshark wolfpack?
"Storing sensitive credit card data such as the full magnetic strip track data, CVV and CVV2 is prohibited under PCI DSS."
As a Dutch tourist to the UK I've used my debit card numerous times. First in ATMs, which works as expected, requiring a PIN before handing me my cash. In a record store and a Waterstones however, I only had to swipe and sign. Now, I pulled the card from a shoulder pouch, not my wallet, so it seemed more like I was a tourist, but the signature on my card is totally faded, and they barely checked a thing. I showed ID however, but in all honesty, it'd be quite easy to commit fraud this way.
In Holland we have a swipe and pin system, with no chip. It's a pity the UK doesn't employ the same system, since it'd save tourists in both countries a lot of trouble.
That picture on the DMV document is often referred to as a "holy picture".
This is because people look at it and say " Jesus Christ, is that you?"
Yes APACS, sure this specific kind of crime will be stopped when the USA goes chip and pin, in that both the owner country of the card, and the UK support chip and pin... But you're avoiding the bigger issue.
To perform this kind of fraud you only need to find a retailer in a country that doesn't do chip and pin... and you don't have to go very far either... So take your copied USA or UK card over to Europe and go shopping!
cashback on self service
hmm.. and yet just last night i got cashback with my milkshake at a self service.. at asda
Re: Furrin parts != easy pickings
"...but in Spain the supermarkets require either chip/pin or sight of your passport..."
Actually, in Spain everyone over the age of 14 is required to carry some form of ID with a photo at all times. For spanish citizens this is in the form of a national identity card issued by the national police. For tourists and other visitors a passport is usually requested instead.
Long before C&P cards were issued you always had to show ID when using a credit/debit card.
Too simple a solution ??
Surely the simple solution is to only allow self-service check-outs to only accept chip & pin. Or are we really that afraid of annoying our American cousins who will have to queue to interact with a human??
Of course, such a card may be a hard sell in the USA. We already have an abysmally low trust of our or practically *any* government (sorry, folks; it's part of our history). It is true that unsigned cards can be taken at the retailer's discretion, though this usually involves a request for a current photo ID with signature (in the US, this usually takes one of three forms--state-issued driver license/ID card, military ID, or passport). And depending on your clearing house, they may let slide small (under $10 or $25) purchases without need for a signature (this is due to an increase in the issue of contactless cards--they'll let slide the occasional bum transaction so as to get faster transactions and thus more of them). And due to increasing fraud, manual card entry is increasingly being tabooed.
The whole system is a fallacy
I used to remember going on holiday with parents - to nowhere far, just France... Now, when the banks first started issuing cards with chips in to UK customers, my Dad had a couple of them, one which was his primary credit card. The French adopted their version of C&P years before we did (they had those handheld readers for bars and restaurants years before we did, too). You'd think the UK cards' chips would've worked, right?
This was always a source of much consternation for both us and the people on the other side of the desk, putting the card in ' *bleep* unable to read chip, try again... *bleep*.... try again.. *bleepbleep*, and have to swipe in the end. We were even accused of having a fake card once, until the person's manager pointed out to her that it was a UK card and 'they do this all the time'. In fact, when I (or my parents) go to France now, the machines *still* have to fallback to swipe and sign - and the machines' mag readers hardly ever get used, so it's a bloody mission trying to get the thing to even read the magstrip.
Unless the countries of the EU make a concerted effort to align their systems in some vague shape or form, the whole C&P scheme will have been an utter waste of time (and it was never that great to begin with, echoing the sentiments of other commenters here, particularly Greem).
Different stores, different behaviours
My Canadian g/f went into a Boots store over here, and tried paying with her Canadian card, which has no chip. Unfortunately she didn't notice that at some point her signature had worn off the strip on the back...
She tried making a £10 purchase, after she handed over the card the cashier hit a buzzer. A few seconds later my girlfriend was face-to-face with a couple of security guards who took her into a back room for "a chat". An hour later, after taking a picture of her and calling the plod, they let her go.
Needless to say she's never shopped at Boots again!
The problem was that France, with their massive plastic card fraud problem needed to get a c&p system working before the rest of the world. They chose a system which was not ratified by the card issuers standards people, therefore when the actual official c&p system was developed and was incompatible, they had to replace all their terminals so they were ISO (I believe it is an ISO) compliant. So is the penalty for early adoption, which is a shame. ALL c&p terminals in France are now 100% compatible with the rest of the world.
"What's to stop the 'mule' from simply keeping all the loot for himself?"
Well typically the fact that they, a) would get the crap kicked out of them, b) are usually dependent on the money (i.e. an addict), and c) wouldn't get any more "work" if they did...
C&P in France
My English C&P card works fine in France - however they are not accepted at 24 hour automated petrol pumps, but are at toll gates. This is more to do with policy than technology.
However, my Swiss C&P card (they are late adopters - I only got the chip last year) doesn't work in France (again, policy as it is an ISO chip) and I have to sign when I use it. Almost every time I had to remind the check-out girl that I needed to sign even though a warning pops up on the reader display, and presumably their terminal. Even when I did sign, they never checked the card signature.
As my trolley has been full of potentially resellable booze each time, usually more than €100 worth, this appears to be a major security loophole.
Forget Asda - go to LeClerc or Champion with your cloned cards.
@self service checkouts
Who in their right mind uses them anyway? They are always slower and more annoying than just queueing in the "10 items or less" queue anyway.
I use self-service because:
a) There is usually one free so I know I won't be queuing behind some arse that doesn't think to look for purse\wallet until asked for payment and then remembers they've got 37 different vouchers they want to use
b) you get a plastic bag to put things in without having to ask
c) I fancy the bird at my local Tesco who has the job of pressing the "he looks over 18" button whenever I run some Merlot through the system .... which is often
At our local Tesco they've just updated the pay at pump so you have to enter your PIN. Stupidly (of course) they've provided no shielding so world+dog can see which buttons you press.... One step forward, one back...
Why are we worried ?
Why should we be bothered about this ? If the boot was on the other foot, I'm sure the Americans wouldn't give a toss about us Brits being defrauded - so why should we care ?
Fear teh haxx0rs :o/
Errr, they buy high value, easy to sell on items like whiskey eh? Really? They send some 18 year old yoof across to check you ain't underage if you buy alcohol, which kinda makes it risky.
The most cashback you can get is £50 to boot, so hardly as bad as the midnight £300 + £300 trick.
If they make lots of transactions, or the Yank makes a transaction within a few hours of the thieves, it is going to get flagged and stopped (he was in Costa in Baltimore at 1700 EST and in Tesco in Croydon getting some tabs at 1300 GMT. Hmmm...)
Jon G - I can see your argument, but:
i) it's nice to care - it's why we have schools, charity, the NHS etc;
ii) The Yank Bank won't pay up, Tesco/ASDA lose money, they put the prices up, we both pay them (well I don't, I shop at Sainsbury...) so our shopping bills go up;
iii) it means more hassle when you use your card as they do "security checks" which always annoys me.
The fact you read it on an internet forum you didn't have to provide 1000 validated CC numbers to get access to should be a heads up that it's a bunch of 'tards talking smack, not the pros.
CVV number ...
...just skimming this article and saw mention of the CVV (the 3 digit "extra" number for Cardholder Not Present transactions), and thought I'd mention a trick I use, which is to scratch it off the card (after memorizing it). That way the card is useless to a thief trying to use it for an internet or telephone purchase.
The number isn't required for a Chip'n'Pin transaction ....
@ Anon Coward
Until, of course, the retailer gets prompted to telephone the card issuer for a 'spot check', and then they're unable to provide the CVV number.
Admittedly it happens rarely. But it happens.
FYI to various posters above.... Amex are only re-issuing corporate cardholders with chip & pin cards when the current cards expire, and at one point were even refusing to send cardholders a chip & pin card upon request, stating that it is a condition of retailers' merchant agreements to accept mag stripe cards.
Naturally as a cardholder it meant that every time I bought anything it was a complete battle - however a quick call to Amex customer services usually resulted in them straightening out any offending retailers. It did take several calls to get South West Trains to stop their ticket machines unilaterally rejecting the cards outright, however...
chip and pin atm issues
hi which countries does chip and pin work ? and I have a chip on my card, where in eu would I be able to withdraw cash and it would read the chip, I hear some cash machine in the eu and america do not require a chip they read straight off the mag-strip
is this true