Credit card 'flash attack' steals up to $500,000 a month

Credit card fraudsters may have pocketed as much as $500,000 over the past month by pursuing a new type of attack that exploits a major blind spot in payment processors' defenses, an analyst said. The "flash attacks" recruit hundreds of money mules who go to ATMs throughout the US and almost simultaneously withdraw relatively …

COMMENTS

This topic is closed for new posts.


  1. Simon Hobson

    Err

    Chip and PIN has already been demonstrated to have exploitable weaknesses. Recall that not long ago, some researcher demonstrated how he could use a C&P card without actually entering a valid PIN. In addition, the card processing system recorded that a valid PIN **HAD** been entered.

    OK, it's not a cloned card and requires possession of the actual card, but it did demonstrate that the system had flaws.

    Now, people above point out that the onus of proof is on the card issuer. The trouble is, they have this *proof* that your card was used with the PIN - therefore either you, or someone you gave the PIN to, was responsible. Against that, it becomes the user's task to prove that the bank's evidence is wrong. Good luck with that unless you can prove you were somewhere else AND prove that you haven't given the PIN to anyone. The latter is not provable in general.

    1. Anonymous Coward

      If I Recall Correctly

      That particular attack was a man in the middle attack which required a ribbon cable to be soldered to the chip of the fake card inserted into a merchant's machine and a bunch of hardware hung between it and the target card.

      The banks/payment handlers said something along the lines of: Yes, it could work but it will cost a lot and would get noticed.

      Furthermore, I believe that it only works for auth from the card itself, rather than from the banks, so you'd be limited to small amounts of money. Also, the cryptographic hash wouldn't be that of the target card, so there would be somewhere to look as well.

      (nb: This is all from memory, so I may be wrong in parts)

  2. Anonymous Coward

    UK Credit Card companies already do this

    I got a call from my credit card company's fraud department when my credit card was used to attempt to withdraw cash from more than one ATM cash machine in the space of a few minutes in the town where I live.

    They then went through all the recent transactions to ask me to confirm which ones were real, and cancelled the card and sent me a new one.

    I also got a call once when my card was used on a whole load of porn and gambling sites online in the space of a couple of hours, all for small amounts and including a sign-up to Ancestry.com in an attempt to get mother's maiden name, one presumes. Different credit card company, same routine of confirming which transactions were mine - which took a while going through the 20-odd porn sites before we found a petrol transaction.

    They detect things based on behaviour patterns. If I'd regularly used porn or gambling sites in the past it might not have flagged.

  3. David Ryan

    Simply fraud detection and notification.

    Whilst I have encountered automated detection and response from at least three credit card houses, the same systems may not be in place at all organisations.

    One simple solution is to offload your fraud detection to the end user: sms/email/pigeon/whatever alert for each transaction or when transaction amount/volume exceeds a defined threshold (i.e. advise me when X amount has been spent within Y period or when Z amount has been surpassed in any single transaction).

    Much like chip and pin, the banks could then push the responsibility of fraud notification onto the end user. WIN!

  4. Anonymous Coward

    Point?

    It *is* pretty clever.

    But it also seems rather pointless. You need to coordinate (and pay) hundreds of individuals each making small transactions. The risk (extended and multiple visibility) to reward ratio seems rather low.

    Nope. Not sustainable. Not a green crime.

  5. Tin Pot

    The underlying flaw

    ...Is not mag strip, or fraud prevention algorithms, but the way ATM transactions - as it appears in this case - are not done in real time.

    More detail is needed though, before a firm conclusion can be made. ;)

  6. jimhsu

    Can't detect?

    I kind of question the assertion that this is difficult to detect. A threshold (say, 3 transactions in 5 seconds) that no normal individual would come close to, or a detection of ATM use across more than N terminals at least 1 km apart (where N is the number of ATM cards or account holders) could trigger a fraud warning. I'm sure banks have this info already when you're making the transaction.
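The rules sketched in David Ryan's comment (alert when X is spent within Y period or Z in a single transaction) and in jimhsu's comment above (3 transactions in 5 seconds, or use at more than N terminals at least 1 km apart) are straightforward to express as per-account screening logic. The following is an added example written for this page, not code from The Register or from any issuer; the record layout, the rule thresholds, the terminal coordinates and the sample withdrawals are all constructed assumptions chosen to exercise each rule.

```python
"""Rule-based ATM withdrawal screening over constructed records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Withdrawal:
    """One cash withdrawal as an issuer's authorisation log might record it (assumed layout)."""
    account: str
    terminal: str
    ts: datetime
    amount: float
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two terminal locations."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def velocity_hit(events, max_count=3, window=timedelta(seconds=5)):
    """jimhsu's first rule: True if any sliding window of `window` holds >= max_count withdrawals."""
    ts = sorted(e.ts for e in events)
    j = 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        if j - i >= max_count:
            return True
    return False


def spread_hit(events, holders=1, min_km=1.0):
    """jimhsu's second rule: True if the account was used at more than `holders` terminals
    that are pairwise at least min_km apart. Greedy selection may undercount the
    separated terminals but never overcounts, so it cannot raise a spurious alert."""
    chosen = []
    for e in events:
        if all(haversine_km(e.lat, e.lon, c.lat, c.lon) >= min_km for c in chosen):
            chosen.append(e)
    return len(chosen) > holders


def amount_hit(events, single_limit=500.0, period_limit=1000.0, period=timedelta(hours=24)):
    """David Ryan's rule: True if one withdrawal exceeds single_limit (Z) or the total
    inside any `period` window (Y) exceeds period_limit (X)."""
    ordered = sorted(events, key=lambda e: e.ts)
    if any(e.amount > single_limit for e in ordered):
        return True
    start, total = 0, 0.0
    for end, e in enumerate(ordered):
        total += e.amount
        while ordered[end].ts - ordered[start].ts > period:
            total -= ordered[start].amount
            start += 1
        if total > period_limit:
            return True
    return False


def screen(events, holders=1):
    """Return the names of the rules that fired for one account's withdrawals."""
    reasons = []
    if velocity_hit(events):
        reasons.append("velocity")
    if spread_hit(events, holders=holders):
        reasons.append("geographic_spread")
    if amount_hit(events):
        reasons.append("amount_threshold")
    return reasons


T0 = datetime(2010, 8, 1, 12, 0, 0)
# Constructed sample: one card used at four distant ATMs within three seconds.
FLASH = [
    Withdrawal("acct-1", "ATM-NYC", T0, 200.0, 40.7128, -74.0060),
    Withdrawal("acct-1", "ATM-CHI", T0 + timedelta(seconds=1), 200.0, 41.8781, -87.6298),
    Withdrawal("acct-1", "ATM-LAX", T0 + timedelta(seconds=2), 200.0, 34.0522, -118.2437),
    Withdrawal("acct-1", "ATM-MIA", T0 + timedelta(seconds=3), 200.0, 25.7617, -80.1918),
]
# Constructed sample: an ordinary cardholder, two withdrawals at the same ATM a day apart.
NORMAL = [
    Withdrawal("acct-2", "ATM-HOME", T0, 60.0, 51.5074, -0.1278),
    Withdrawal("acct-2", "ATM-HOME", T0 + timedelta(days=1, hours=1), 40.0, 51.5074, -0.1278),
]

if __name__ == "__main__":
    print("flash  :", screen(FLASH))   # velocity and geographic spread fire, amount does not
    print("normal :", screen(NORMAL))  # nothing fires
```

The velocity and spread rules fire on the constructed flash pattern even though each individual withdrawal is small, which is the point of both comments: the signal is in the timing and the geography, not in any one amount. Multipharious's later comment is the caveat to keep in mind: rules like these only help if the authorisations actually reach a central system that sees all of an account's events together, rather than being approved offline up to a ceiling.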

  7. multipharious

    Authorization Priority

    Wanted to remind some folks this exploit is for credit cards used at ATMs for a cash advance. The far lower transactional priority for a lower withdrawal/advance amount means that the de facto methodology is to auth based on successful PIN entry in combination with the credentials stored on the card. Even with an ATM card, offline machines (say during weekend or nightly maintenance, heavy holiday traffic, and so forth) are set to auth up to a ceiling without contacting the central system (then recording the transaction). You don't know this happens, but it does, and I am sure you are thankful it does with your mates ready to go to the next pub or bar.

    My guess is this is due to the cost of purchasing and maintaining a system that can handle the number of database updates versus the comparative historical financial risk of the lower amounts. Think of write cache in HDDs or onboard memory cache for processors. To auth all lower transactional amounts adds significant additional volume and load on the infrastructure. Bursting the transactions is all about lowering the TCO. A system capable of handling all this in real time? I can see the customer talking to the hardware/software vendor(s) and the Systems Engineer saying, "Sure, it can be done...but it's gonna cost you."
