* Posts by sugerbear

101 posts • joined 5 Jan 2010


Contactless card fraud? Easy. All you need is an off-the-shelf scanner

sugerbear

Re: Attack of the clones

@Dabooka.

You don't understand because you don't understand how EMV works, maybe?

Anyway, short answer

The terminal generates a random number that is sent to the card along with a bunch of transaction info. The card then uses a secret key to generate an ARQC. The terminal then sends the random number + transaction information to the issuer, who also holds a copy of the secret key. The issuer then uses the information supplied to the chip to recreate the ARQC and compare it to the one the chip generated. You can check the EMVCo manuals if you want to investigate further.

If you understand how it works you will understand why cloning a contactless transaction so you can use it later in a contactless terminal won't work, because you can't predict the random number that the terminal will send to the card when you attempt to replay it.

2
0
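The exchange described in the post above, as an added worked example that is not part of the original comment or of any EMV specification: a terminal hands the card an unpredictable number plus transaction data, the card MACs it under a key only it and the issuer hold, and the issuer recomputes the MAC. The key, the field layout, the truncated HMAC-SHA256 standing in for the EMV 3DES/AES MAC, and the sample values are all constructed for illustration. It also shows the application transaction counter (ATC) check the same poster mentions further down the page, which catches a replay even when the original unpredictable number is re-sent.

```python
import hmac
import hashlib
import struct

# Constructed demo key shared by the card and the issuer. On a real card this is
# a per-card key derived from an issuer master key and it never leaves the chip.
CARD_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def cdol_data(amount_minor, currency, date_yymmdd, unpredictable_number, atc):
    """Serialise the data the terminal passes to the card in GENERATE AC.
    Simplified stand-in for CDOL1 data: amount, currency, date, the terminal's
    unpredictable number and the card's application transaction counter."""
    return (struct.pack(">Q", amount_minor)
            + struct.pack(">H", currency)
            + bytes.fromhex(date_yymmdd)
            + unpredictable_number
            + struct.pack(">H", atc))


def mac(key, data):
    """8-byte cryptogram. HMAC-SHA256 truncated to 8 bytes stands in for the
    EMV CBC-MAC; the property that matters here is that it is keyed."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """The chip: holds the secret key and a monotonically increasing ATC."""

    def __init__(self, key):
        self._key = key
        self.atc = 0

    def generate_ac(self, amount_minor, currency, date_yymmdd, un):
        self.atc += 1
        data = cdol_data(amount_minor, currency, date_yymmdd, un, self.atc)
        return self.atc, mac(self._key, data)


class Issuer:
    """The issuer host: recomputes the ARQC and remembers the last ATC seen."""

    def __init__(self, key):
        self._key = key
        self.last_atc = 0

    def authorise(self, amount_minor, currency, date_yymmdd, un, atc, arqc):
        expected = mac(self._key, cdol_data(amount_minor, currency, date_yymmdd, un, atc))
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: ARQC does not verify"
        if atc <= self.last_atc:
            return "DECLINE: ATC already used"
        self.last_atc = atc
        return "APPROVE"


def demo():
    """One genuine tap followed by two replay attempts of the captured data."""
    card = Card(CARD_KEY)
    issuer = Issuer(CARD_KEY)
    amount, currency, date = 450, 826, "150313"  # GBP 4.50 on 13 Mar 2015, constructed

    # 1. Genuine tap. A real terminal draws the unpredictable number from its
    #    RNG; it is fixed here so the run is reproducible.
    un1 = bytes.fromhex("a1b2c3d4")
    atc1, arqc1 = card.generate_ac(amount, currency, date, un1)
    genuine = issuer.authorise(amount, currency, date, un1, atc1, arqc1)

    # 2. An eavesdropper replays the captured (ATC, ARQC) at another terminal,
    #    which draws its own unpredictable number, so the issuer's recomputed
    #    cryptogram no longer matches.
    un2 = bytes.fromhex("5e6f7081")
    replay_new_un = issuer.authorise(amount, currency, date, un2, atc1, arqc1)

    # 3. Even a colluding terminal that re-sends the original unpredictable
    #    number is caught: the cryptogram verifies, but the ATC inside it has
    #    already been consumed.
    replay_same_un = issuer.authorise(amount, currency, date, un1, atc1, arqc1)

    return genuine, replay_new_un, replay_same_un
```

The order of the two checks matters for the message you get, not for the outcome: the issuer verifies the cryptogram first, because an unverified ATC is attacker-controlled data.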
sugerbear

Re: Attack of the clones

@ theOtherJT

You would have to steal my card first. But fair enough, you take my card and use it to buy everyone a round in the pub. I report it to my bank and the money is refunded; I have lost nothing in that scenario because I have not been negligent. You may or may not be filmed on CCTV buying those beers and if you are the type of person that does that kind of thing you are at some stage going to get caught.

"If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy" how have you cloned the secure element of the chip and extracted the keys? Do you have access to a lab of some sort?

1
1
sugerbear

Re: Attack of the clones

[comment]Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?[/comment]

Sigh... your comments are typical of the ill-informed "security researchers" that pop up every now and again to tell the world (and sell a story to a newspaper) about some hole in EMV or contactless.

Your idea of living off someone's card is unworkable. It is sad because a little lie goes a long way on the internet. The terminal generates a random number which then forms the ARQC that the issuer validates. So unless you can predict the random number that the terminal will generate, your idea is a crock of shite (excuse my French).

1
20

Blighty's BONKERS BANKING BONKING BONANZA: Apple Pay arrives

sugerbear

Re: With a £20 limit...

Can't you use the Apple Store app and collect in store without having to resort to using a point of sale terminal? A friend purchased that way long before Apple Pay arrived so I assumed it worked the same way.

0
0
sugerbear

I think your quote about transactions under £20 is wrong, I still had to authenticate a £9.50 transaction in Costa using my fingerprint so it isn't the same as a card (I actually like having to authenticate all transactions using a biometric). I have two cards registered so not sure if that makes a difference.

I didn't downvote you BTW :)

0
0

Account at HSBC? BAD LUCK, no iPhone bonk-banking for you

sugerbear

Re: NFC? No thanks.

[quote]That's nothing - a good hacker can do it from several meters away without you needing to pull your wallet out...[/quote]

I think I might notice if this "good hacker" pulled my iPhone out then managed to get my thumb on the button for a good 10 seconds all without me noticing. I don't think "good hacker" even comes into it; maybe this hacker is actually a stealth ninja hypnotist, in which case why wouldn't they just hypnotise me, then get me to a bank and withdraw all my money.

1
1
sugerbear

Re: NFC? No thanks.

On the other hand, if you don't wear a tinfoil hat, don't live in an iPhone mugging hotspot (like London) and have an iPhone 6 then it's really easy to add your credit card and use it to pay for stuff.

That is what you are doing at the end of the day and my iPhone is a damn sight slimmer than my NFC card/cash stuffed wallet, plus so far I have to use my thumb to authorise every transaction, no big deal and easier than having to shield my PIN at the POS terminal. Now (hopefully) the merchants will start to roll out more contactless terminals and make my life even easier.

I didn't buy my phone to use it to pay for stuff, but it's a very nice feature to have.

7
2

NatWest and RBS' mobile banking apps go TITSUP

sugerbear

Another successful implementation

Well the website is working just fine. Just another inconvenience really.

Well tested that IT department, I am sure I saw something last week on the mobile about an upgrade happening this weekend :-) Surely the two things can't be connected can they..

3
0

Radio 4 and Dr K on programming languages: Full of Java Kool-Aid

sugerbear

Re: miss

Apart from Javascript being a scripting language in which case HTML should also be classed as a programming language (both of which I disagree with).

Fortran, Cobol, C, Java & Basic would have been my top 5

1
9

Raspberry Pi, meet face: You're probably NOT Blighty's biggest PC maker!

sugerbear

Caveat your news release with

A. the word "Probably".

B. Biggest selling 32bit computer

C. Biggest selling credit card sized card, HDMI supporting... and so on

0
1

Gov.UK tells Londoners: You too can cash in on the 'sharing economy'

sugerbear

Re: Something tells me...

Something tells me you are spot on.

6
0

UK banks prepare for Apple Pay 'invasion', look to slap on bonking protection

sugerbear

Re: Where do Apple fit in?

On your second point, Apple had to build a secure element into the iPhone to hold the payment app (along with the secure keys), plus they also have to build some of the infrastructure to support setting up the payment app.

The payment itself is between the phone and the merchant which then gets authorised through the scheme by the issuer of the card (or token in the case of the bonking applet).

It's Apple at the end of the day and they will charge what the issuers are prepared to pay. The issuers don't have to play with Apple; they can build their own secure application/infrastructure (like the telcos tried to do).

6
0

Torvalds CONFESSES: 'I'm pretty good at alienating devs'

sugerbear

Being rude/abrasive/verbally abusive hasn't hurt other leaders in the tech industry.

Sometimes people's ideas are shit. And maybe calling that out very quickly actually works.

2
2

EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?

sugerbear

Article sounds like a rant

A rant from someone very close to the software industry.

I have no fear of seeing a reduction in HFT trades. In fact I think my pension fund may benefit.

25
7

Lloyds Group probes server crash behind ATM, cash card outage

sugerbear

Re: HP Server?

Or HP Almost NonStop

0
0

Clink! Terrorist jailed for refusing to tell police his encryption password

sugerbear

GCHQ isn't the problem

It doesn't matter if GCHQ can or cannot brute force the password (maybe they have already and don't want to alert anyone to whatever is contained within it).

It matters only that the person charged has refused to disclose the password.

That is how the law is framed.

3
1

Target hackers: Woohoo, we're rich! Um. Guys? Anyone know how to break bank encryption?

sugerbear

CVC2 is written on the card. That value is held on the magstripe and the chip but it won't be the same value as the CVC2 so it wouldn't be visible to the terminal.

0
1
sugerbear

Re: Er - too much information?

Chip and PIN allows for the PIN to be held at the issuer and not on the card, it can be one of the options in the CVM list. Not all terminals support offline PIN validation so in those cases the PIN would be sent online to the acquirer (encrypted).

UK EMV cards support validation of the card between the terminal.

1
0

RBS MELTDOWN LATEST: 'We'll be the bank we should be ... next YEAR maybe'

sugerbear

My statement is missing some detail...

I noticed that my POS payment on Monday at ASDA appears on my NatWest statement with absolutely no detail whatsoever (unless you call the last 4 digits of the card number detail).

Every other payment from this retailer is clearly defined and includes who the retailer was and the type. But not this one.

Let the speculation begin !!

0
0

IT MELTDOWN ruins Cyber Monday for RBS, Natwest customers

sugerbear

... because you can run a bank on a shoestring budget with all your development out of India.

15
1

Dragons' Den star's biz Outsourcery sends yet more millions up in smoke

sugerbear

The cloud business paradigm

1. Put stuff in the cloud

2. Burn through cash

3. ???

4. Profit !!

3
0

Universal Credit CRUNCHED: Dole handouts IT system to be rebuilt

sugerbear

[quote] This is about changing the way we do business – and changing people's behaviour by ensuring there is always an incentive to be in work[/quote]

I take it that he is referring to the various contractors/outsourcers and management involved in any IT contract with the government.

6
0

RBS Mainframe Meltdown: A year on, the fallout is still coming

sugerbear

Porting Apps? Downtime.. Eh

[quote]RBS faces a Herculean job in bringing online a new mainframe operating in a core part of its day-to-day business. It must plan and execute the job without interrupting the existing service by taking the old mainframe offline during the transition.

RBS did not say when it plans to bring the new mainframe online.

But hardware is only one thing: RBS must also determine what do with the existing apps running on the system. Either it must port existing apps to the new system - which is likely - or write or buy new apps. If the former, RBS must design, write, test and then shift. If the latter, RBS must make sure the new apps work on the new mainframe and interoperate with other RBS’s other, connected systems.[/quote]

Spoken by someone that knows nothing about mainframes. Are you a consultant by any chance ?

RBS are just buying a bigger mainframe and then plugging it into their existing parallel sysplex system. Whoop de doo. All that will get them is the chance to use the newest version of the bits of mainframe software and things will run a bit faster.

No porting of apps, no downtime required. That is what makes the mainframe such a great environment to develop and run. Something that lesser mortals don't get.

10
0

AXE-WAVING BIKER GANG SMASHES into swanky Apple UK store

sugerbear

iPolice

Good job they are contributing so much of that lovely corporate tax that goes towards paying for said police force..

8
2

BBC's Digital Moneypit Initiative known to be 'pile of dung' for years

sugerbear

[quote]The first question a PwC (or any other 'management') consultant asked to carry out such a review will ask is: "What would you like the answer to be?" [/quote]

Hello Mr Fox, can you investigate why all my hens have disappeared.

Also telling that the senior (mis)management can't work out the causes of the problem themselves without squandering more cash on the problem. Do they actually have any IT experience or are they just managers who manage so far removed from the actual workplace that this kind of thing happens (and rinse and repeat)?

2
0

Prankster 'Superhero' takes on robot traffic warden AND WINS

sugerbear

Less Basil Fawlty

More organised scam. The parking operators used to employ people to collect money when people left the car park. In the name of decreasing costs they went over to automated systems and then the racket of towing and clamping anyone unlucky enough to be in one of their car parks without a ticket.

They could always go back to the man in a shed approach but I guess the revenue from charging people who don't pay or overstay, however small a percentage that is, is worth more to them.

The "tickets" they send are just an offer to pay. So I choose not to.

10
0

Barnes & Noble bungs Raspberry Pi-priced Nook on shelves

sugerbear

Good price

Really good at this price, maybe B&N should have sold them at this price to get a bigger market share first of all.

Always playing catchup with Amazon/Kindle.

0
2

Is the IT industry short on Cobolers? This could be your lucky day

sugerbear

No mention of IMS

Moving from IMS to CICS was more open heart surgery with a brain transplant thrown in. CICS is the devils work.

Anyway, I know plenty of people that are mainframers in the age group of 35 - 50 but unfortunately their jobs can be done offshore much cheaper so no one is going to be hiring them anytime soon unless the whole offshoring industry collapses in a heap.

I would love a job back in a COBOL/DB2/IMS or CICS support role but I think the time I have spent away (4 years-ish) and my age of 40+ will mean that there really is no way back into IT unless there is another round of year 2000 type work.

I can write all sorts of complex SQL but I can't find a role that needs it solely. I must be looking in the wrong place.

1
0

Brits on benefits: 'Dole office site only works on PCs over 10 YEARS OLD'

sugerbear

Re: Problem?

[quote]I'm a self employed company director...[/quote]

or your full title... Powerfully built tax dodger.

7
4

Finance bods probe RBS over bank-crippling IT cock-up

sugerbear

Mike Errington's head on a plate?

Is Mike Errington still in charge of their IT?

If so he needs to be renamed Teflon, because the brown stuff certainly isn't sticking to him.

1
0

Yahoo! makes Brit teen app maker VERY RICH with Summly buy

sugerbear

How much

That is all that matters.

0
0

Brit Bill Gates writes ANOTHER open letter to HP board

sugerbear

A better question

Dear HP shareholders. Your board paid way too much for Autonomy. Where does the buck stop?

3
0

Adobe reports great re$ult$ but loses CTO Kevin Lynch to Apple

sugerbear

Apple to buyout Adobe..

Just a thought, wouldn't be the first time that a company has brought in someone before taking over. They have a lot of cash swirling around in their bank account. Adobe have lots of "creative" software. Plus Apple could effectively kill Flash once and for all without any chance of it re-surfacing.

1
0

Uni profs: Kids today could do with a bit of 'mind-crippling' COBOL

sugerbear

Nothing mind crippling about any programming language.

You use the tool that is best suited for the job.

The arguments set forth here are like a bunch of carpenters trying to argue the merits of a drill over a router.

If you can't get your head round COBOL then maybe you just aren't cut out for a career in IT (I have written in Pascal, C, C++, Java, COBOL, z/OS assembler).

2
0

RBS and NatWest FAIL downs services across UK

sugerbear

Oops I did it again...

Another piss-poor implementation.

I wonder who was involved this time

3
0

What's NFC? PayPal lobs Chip and PIN readers at UK small biz

sugerbear

Re: So...

OK. The worst that could happen is that the trader will know your PIN number. He may also know your card PAN number and its expiry date. But the reader won't know what is on the magstripe (which is good, can't be cloned and used in the US).

Without the physical card the info the trader has is useless. The generated cryptograms rely on (amongst other things) the application transaction counter (which is held on the chip) which is unique to every transaction.

So I understand peoples reluctance to use something that looks odd, but because it's chip it is much more secure.

0
2
sugerbear

Re: A certain Pin/Chip reader manufacturer ...

Unfortunately you are being very selective by choosing a card (not Visa/MasterCard/JCB/Discover/Amex) with a well known defect.

So please please please, take a bank card from the UK and clone ALL of the chip data (software, keys etc).

When you have done you can then post about it.

0
0

'Depression-era grandma' Apple responds to bolshy investor

sugerbear

Mr Einhorn is correct

He is spot on.

Apple are under the impression that they can utilise the 100+ billion they have in reserve better than the investors (who own the company) can. The board of the company work for the investors.

If Apple need cash to purchase something in the future they can quite easily borrow from either their investors or a bank.

What Mr Einhorn is saying is that he and other investors can better utilise the capital that Apple have sitting in their bank account. They want Apple to return that capital to the shareholders in the form of new shares or dividends.

He is spot on. Any company that has capital that is just sitting there doing nothing year after year is doing a disservice to their investors.

2
0

US retail kingpins swoon: Nobody bonks like Google does

sugerbear

[quote]What about the man-in-middle attack reported last year (arbitrary pin can be used for purchases at an EMV terminal with a stolen card) rendering security put in place by such a system rather moot? OK granted it does require physical access to the card.

[/quote]

That attack doesn't work on all cards, only where issuers don't have the correct rules in place on their auth platform. It certainly doesn't work on ATMs (where the PIN is sent online) nor does it work in countries that only support online PIN. And if the issuer checks the CVR correctly (which is signed by the chip and verified by the issuer) then you certainly cannot bypass the PIN.

0
0
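The issuer-side check the post above refers to, as an added example that is not part of the original comment: the card's own record of what cardholder verification it performed (the CVR, carried inside the Issuer Application Data) is covered by the ARQC, while the terminal's CVM Results (tag 9F34) travel in the clear. An issuer that compares the two declines a transaction where the terminal claims "offline PIN verified" but the chip says no PIN was checked, which is the "wedge" scenario the quoted comment describes. The CVR bit layout, the key, the sample values and the truncated HMAC-SHA256 standing in for the EMV MAC are all constructed for illustration; real CVR layouts are issuer-specific. The CVM codes (0x01 plaintext offline PIN, 0x02 online PIN, 0x1F no CVM) and the 0x02 "successful" result byte follow the EMV CVM Results table.

```python
import hmac
import hashlib

# Constructed demo key shared by card and issuer.
CARD_KEY = bytes.fromhex("fedcba98765432100123456789abcdef")

# Hypothetical CVR layout for this example (byte 0 of the IAD). Real layouts
# are issuer-specific; what matters is that the card, not the terminal, sets it.
CVR_OFFLINE_PIN_PERFORMED = 0x80
CVR_OFFLINE_PIN_FAILED = 0x40

# CVM Results (tag 9F34): byte 0 low six bits = CVM code, byte 2 = result.
CVM_OFFLINE_PLAINTEXT_PIN = 0x01
CVM_ONLINE_PIN = 0x02
CVM_NO_CVM = 0x1F
CVM_RESULT_SUCCESS = 0x02


def arqc(key, cvr, unpredictable_number, atc):
    """8-byte cryptogram binding the CVR to the transaction. The terminal's
    CVM Results are deliberately NOT part of the input: they are its claim."""
    data = cvr + unpredictable_number + atc.to_bytes(2, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def issuer_decision(key, cvr, un, atc, cryptogram, cvm_results, online_pin_ok=False):
    """Authorisation logic for the CVM portion only (ATC tracking etc. omitted)."""
    # 1. The cryptogram must verify before any field it covers is trusted.
    if not hmac.compare_digest(arqc(key, cvr, un, atc), cryptogram):
        return "DECLINE: bad ARQC"

    method, result = cvm_results[0] & 0x3F, cvm_results[2]

    # 2. Online PIN: the issuer verified the PIN block itself, so the card's
    #    CVR has nothing to say about it.
    if method == CVM_ONLINE_PIN:
        return "APPROVE" if online_pin_ok else "DECLINE: online PIN incorrect"

    # 3. Terminal says the card verified the PIN offline. Ask the card's own
    #    signed record whether that actually happened.
    if method == CVM_OFFLINE_PLAINTEXT_PIN and result == CVM_RESULT_SUCCESS:
        performed = bool(cvr[0] & CVR_OFFLINE_PIN_PERFORMED)
        failed = bool(cvr[0] & CVR_OFFLINE_PIN_FAILED)
        if not performed or failed:
            return "DECLINE: terminal claims PIN verified but card CVR disagrees"
        return "APPROVE"

    if method == CVM_NO_CVM:
        return "APPROVE"  # left to the issuer's low-value/no-CVM rules

    return "DECLINE: unsupported CVM"


def demo():
    un, atc = bytes.fromhex("11223344"), 7  # constructed transaction data

    # Genuine offline PIN: the card records that it checked the PIN, and the
    # terminal reports the same.
    cvr_pin_ok = bytes([CVR_OFFLINE_PIN_PERFORMED])
    genuine = issuer_decision(CARD_KEY, cvr_pin_ok, un, atc,
                              arqc(CARD_KEY, cvr_pin_ok, un, atc),
                              bytes([CVM_OFFLINE_PLAINTEXT_PIN, 0x03, CVM_RESULT_SUCCESS]))

    # Wedge: the card was told "no CVM" so its CVR says no PIN was performed,
    # but the terminal has been fed "offline PIN verified".
    cvr_no_pin = bytes([0x00])
    wedged = issuer_decision(CARD_KEY, cvr_no_pin, un, atc,
                             arqc(CARD_KEY, cvr_no_pin, un, atc),
                             bytes([CVM_OFFLINE_PLAINTEXT_PIN, 0x03, CVM_RESULT_SUCCESS]))

    # The wedge cannot fix this by rewriting the CVR on the wire, because the
    # card's cryptogram was computed over the real CVR.
    forged = issuer_decision(CARD_KEY, cvr_pin_ok, un, atc,
                             arqc(CARD_KEY, cvr_no_pin, un, atc),
                             bytes([CVM_OFFLINE_PLAINTEXT_PIN, 0x03, CVM_RESULT_SUCCESS]))

    return genuine, wedged, forged
```

The point the comment makes is visible in the second and third cases: the bypass only works against an issuer that trusts the terminal's CVM Results without reading the CVR the chip signed.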

Dexter malware targets point of sale systems worldwide

sugerbear

Clone a chip

A bit pointless trying to "clone" a chip transaction because the information is dynamic and one time. Much more of a problem for magstripe cards or where the terminal is used for card-not-present transactions.

0
0

Schmidt 'very proud' of Google's tiny tax bill: 'It's called capitalism'

sugerbear

Re: Talk about stating the obvious... @Def

OK, I will bite and call B@llsh!t. Every single one of the IT contractors I know set up as a contractor for the sole reason that they receive more income and pay less tax. Deducting travelling/accommodation costs associated with working somewhere and being able to employ your non-working wife was also a great wheeze unavailable to PAYE employees.

All well and good until the IR realised that more and more people were avoiding income tax by playing "pretend" contractor and were no different to a normal employee that changed jobs every 6/12/24 months.

90% of IT contractors are not really contractors. They are just PAYE employees that change jobs more frequently. Businesses like them because they pay less tax and are easier to hire/fire.

3
2

Man facing rare refusal-to-unlock-encryption charge: Court date set

sugerbear

I think it would end badly for you. It's the balance of probabilities and how believable you are in court. Trying to be a smart arse in court will alienate you from the jury and a liar normally gets found out. "It must be corrupted, officer" excuses, if found to be untrue, will be reflected in your sentence.

To think a highly skilled hacker/cracker, whatever, manages to infiltrate networks and launch DDoS attacks but then the file the police are trying to unlock is corrupted! Any decent barrister will be able to show either malicious damage or wilful obstruction.

Anyway, I have several dead bodies locked in a safe in my home and there is absolutely NO WAY that I am going to incriminate myself by giving the police the combination. I have NOTHING to hide ;-)

1
0

Top IT bods bail out of new Universal Credit online dole system

sugerbear

Bailing out 6 with six months to go.

Is it..

A) because they have found a much better contract

B) because they don't want to be anywhere near the project when it goes live.

9
0

Natwest's Get Cash app pulled, but NOTHING to do with frauds

sugerbear

Re: A 6-digit PIN gives 'emergency' cash to anyone who types it in

This is what I would worry about, the chances of guessing are 999,999 to 1 but if enough people use it then there is a fair chance that at some stage someone will guess one correctly.

Why not enter your account number or some other reference number instead (maybe your DOB even).

0
4

Cambridge boffins: Chip and PIN cards CAN be cloned – here's how

sugerbear

Re: Chip+PIN / ATMs

Hello America and your backward magstripe technology :o)

You are wrong though. EMV is used in ATM transactions; the difference is the PIN is authenticated at the issuer/processor. The US uses magstripe but only because they have such a fragmented market and no one to drive the changes other than the schemes (which will eventually happen between 2013-2015).

If I had the option I would do away with the magstripe on my EMV card but there are still some terminals that use it (before reverting to the chip).

2
0
sugerbear

Might not work with the majority of EMV cards.

I look at the article and I believe the attack is only possible with older static data (SDA) type cards.

The problem with Cambridge is that some of their research is based on old tech standards, but there are still some SDA cards in circulation (because they are cheap). I have not had a chance to check yet but to correctly guess the cryptogram on a DDA (dynamic data authentication) card is impossible as the chip generates its own random number, so seeing two transactions with the same ICC random number would highlight a cloned card.

There are also other technologies such as the ATC count so again cloning is made difficult if the card hasn't been stolen.

As with all tech, someone will eventually break it but as long as it isn't cheap/quick then its still worth employing.

payWave and PayPass incorporate even more complex cryptogram generation (CDA) which makes the duplication even more difficult.

But don't let the above get in the way of a good story and worry mongering :o)

3
1

VCs snaffle £200m of UK taxpayer gold ... to bet on high-risk biz

sugerbear

[quote]Conservatives traditionally only support state intervention in cases of market failure[/quote]

I nearly fell off my seat laughing at that statement. They are quite happy to support their friends/relatives/business associates and their associated businesses. Especially if the relationship involves sponsorship of the party !

4
0

Banking IT cowboys 'need whipping into shape by watchdog'

sugerbear

My document is out next week.

Next week I am also releasing a 60 page document. It will explain that banks have failed to invest in the one key asset that will in future prevent the global banking system from collapsing.

They are called employees, but most senior managers probably refer to them as excessive operational expenses.

0
0

Disaster strikes Doyenz disaster recovery cloud

sugerbear

No worries

All my data is safe in the cloud...

I suppose people should be grateful it didn't just wait to run out of money and some honking great repo man pulled the plug overnight and sold the servers on eBay.

Clouds. Love em.

4
0

RBS: June's tech enormo-cock-up cost us £125m

sugerbear

[quote]We'll be simplifying the batches and tightening procedures a bit.[/quote]

I can't see that ending well.

See my previous posts. No change, no blame and more red tape ;-)

3
0
