Do you trust your waiter? Hacked bank-card reader TEXTS your info to crims

A Russian-speaking man casually shows on camera how he can download a punter's bank-card details and PIN from a hacked card reader. In a video demonstrating a tampered sales terminal, a card is swiped through the handheld device and a PIN entered - just as any customer would in a restaurant or shop. Later, after a series of …

COMMENTS

This topic is closed for new posts.
  1. TRT Silver badge

    Two part PIN?

    Like the PayPal text a code to your phone thing?

    1. Anonymous Coward

      Re: Two part PIN?

      Or, you could just use chip and pin.

      1. Destroy All Monsters Silver badge

        Re: Two part PIN?

        Or YubiKey and PIN

      2. Eugene Crosser

        Re: Two part PIN?

        > Or, you could just use chip and pin.

        Compromised terminal can show on screen that it's charging $10, but in fact charge $100. The only way is to build a mini display and keypad into the card.

        1. Anonymous Coward

          Re: Two part PIN?

          The implication was use Chip and PIN and not use magstripe.

          There are no reports of the chip having been cloned, sure you could use a tampered PED, but this will get you a PIN and nothing else. The communication with the chip is encrypted end-to-end and a compromised reader isn't going to be able to tap into this.

          1. Charles 9

            Re: Two part PIN?

            Still a compromised terminal can act as a Man In The Middle. Last I checked, the terminal performs some negotiation with the card prior to performing the transaction. Unless a number of exploits have already been addressed and new cards issued, these transactions can be altered to make the cards more vulnerable.

            1. Anonymous Coward

              Re: Two part PIN?

              If you're talking about Prof Anderson's attack whereby you present a compromised reader to a customer, and that reader wirelessly sends the details of the card to someone in another shop buying something expensive, yes it's been dealt with. They dropped the timeout down to a value whereby this attack could only work in a lab environment.

              1. TRT Silver badge

                Re: Two part PIN?

                The point was that the PIN is the same one for Chip and PIN as for magstripe & PIN, isn't it?

                So you compromise the mag stripe and capture the PIN. Or have I got that wrong?

  2. J P

    Electronic POS kit seems to be one big playground for the crims at the moment - use cash & they'll hide the takings from the tax man ( see http://www.oecd.org/ctp/crime/ElectronicSalesSuppression.pdf ) Use a card and they'll just rip the cash direct from your account - and the OECD report suggests that there'll be no shortage of willing recruits in eg the restaurant trade to give themselves a 'heads we win, tails you lose' attitude towards choice of payment method as well. Monday afternoon, and already I'm depressed and cynical about the nature of the world we live in. Thanks guys...

  3. Anonymous Coward

    mmm...

    " a card is swiped through the handheld device and a PIN entered - just as any customer would in a restaurant or shop."

    Not in the UK.

    If they are swiping my card, I want to know why.

  4. Ralph B

    Fingerprints

    Before someone suggests fingerprints: The crims could capture the biometric data passed through the terminal just as easily as a PIN.

    Maybe we need an RSA SecurID embedded in our finger that can be read via NFC simultaneous to the fingerprint authentication. I don't imagine anyone will object to that.

  5. TheTrouser
    Megaphone

    Why not use . . .

    . . . CASH!

    1. codejunky Silver badge

      Re: Why not use . . .

      @TheTrouser

      Because that's old school and not cool any more. Because it is safer using a magnetic strip to protect access to your entire bank balance instead of being mugged for the £30 in your pocket.

      I too prefer to use real money. I like the feel of it as well as the security of only carrying a tiny percentage of my entire bank balance.

      1. Lars Silver badge
        Pint

        Re: Why not use . . .

        @codejunky. I agree very much although I do have the strength of carrying my entire bank balance in one pocket. Quite a problem, no matter how you carry it, and with the internet, you can be busted even without carrying anything in your pocket.

  6. Xamol

    Captured PIN

    PIN pads on ATMs have to accept the PIN directly into the encryptor (with tamper protection to prevent people inserting secondary key membranes between the keys and encryptor), so that a PIN is never sent over a wire in the clear and the software on the ATM never gets to see a clear PIN. Why isn't the same thing mandated on POS terminals?

    OK, so your card details can be harvested but at least the PIN would be secure.

    1. GettinSadda

      Re: Captured PIN

      > PIN pads on ATMs have to accept the PIN directly into the encryptor (with tamper protection to prevent people inserting secondary key membranes between the keys and encryptor), so that a PIN is never sent over a wire in the clear and the software on the ATM never gets to see a clear PIN. Why isn't the same thing mandated on POS terminals?

      Erm... that's fine for genuine un-tampered terminals. This is a fake terminal, or a tampered one. You can't stop someone making a fake item that looks like the real thing just by adding rules to the manufacture of the real ones.

      1. Xamol

        Re: Captured PIN

        Erm... yes you can.

        If the terminal has a secure hardware encryption module which is manufactured in a secure environment and contains the manufacturers private key, then it can be identified as a genuine terminal.

        The encryptor can also be used to validate any firmware updates so that it can protect itself from unauthorised updates as well as physical tampering.

        I'm not going to say that someone could never find a way around tamper protection but that depends on the implementation.

        1. AndrueC Silver badge

          Re: Captured PIN

          > Erm... yes you can.

          Playing Devil's advocate here but how about a second keypad on the top of the first that just uses a mechanical linkage to push the real buttons? Obviously your fake keypad records the pin.

          1. Xamol

            Re: Captured PIN

            Keyboard overlays are already used on ATMs and I'm sure that they would be used on POS terminals as well.

            At least if there's a keyboard overlay, you have a chance to see it. That's why on ATMs they aren't as popular as covert cameras to capture the PIN.

            As ever, it's move and counter move - the alternative is to give up...

          2. Charlie Clark Silver badge

            Re: Captured PIN

            re. fake keypad

            you can't prevent that kind of abuse but the correctly set up system getting the PIN isn't much use. The whole transaction (amount, card info and PIN) are required. Magnetic stripes haven't been safe for years with or without PINs.

            1. Xamol

              Re: Captured PIN

              No need to get the whole transaction.

              All you need is the track2 data and the PIN. That's why ATM fraud generally consists of a skimmer/leb loop to get track2 from the mag stripe or the physical card and a camera/shoulder surfer etc to get the PIN.

              That won't change until EMV is global at which point the mag stripe can be made redundant. There are already cards out there with no useful data on track2 - only problem is they can't be used in countries without EMV - like the good ol' USA.

    2. Charlie Clark Silver badge

      Re: Captured PIN

      The delay in rolling out chip'n'pin worldwide which has the protection you suggest is down to the usual arguments about who's going to pay for it. Remember that, for a while at least, sales of card insurance brought the banks in more money than they lost through the fraud.

      The payment clearers, VISA et al., are liable for anyone they license to use their networks so they tend to close down direct abuse pretty quickly. The harvesting of full bank details for subsequent fraud is the nice twist on this scam as it becomes more of a whack-a-mole system. However, as the article notes, this kind of fraud is common in countries where the rule of law in terms of consumer protection is lax.

      1. Xamol

        Re: Captured PIN @Charlie Clark

        EMV is something slightly different, it's more to do with security of the card rather than the PIN. PCI has separate mandates for hardware security that are outwith EMV.

        I take your point about willingness to implement security measures; the banks/retailers won't want to do it because of costs... My point is that it is possible to make a POS terminal far more secure than it currently is.

        The terminal manufacturers and PCI (VISA, Mastercard et al) will make the relevant mandates eventually because it's all revenue for them from either sales of kit or certification against the mandates.

    3. Anonymous Coward

      Re: Captured PIN

      This was a swipe transaction, not a chip and pin transaction, so the approval of the PIN has to be done at the bank end, or just record the pin and check it out when the bank gets the data.

      1. James R Grinter

        Re: Captured PIN

        Well never enter a PIN on a swipe transaction of course, but how do we make sure the public know that?

  7. bag o' spanners
    Pint

    Cash is king in the restaurant trade. Let them fiddle their taxes if they want to. It's their risk, not mine.. I still want to see a receipt before I tip.

  8. Anonymous Coward

    Cash only

    I've only used cash for a number of years now. There have always been skimming devices and I think there always will be. Cash takes you out of that arms race completely.

    1. Xamol

      Re: Cash only

      Cash has its own arms race - counterfeit notes...

      ECB rules for counterfeit notes state that they should be confiscated if they are positively identified as being counterfeit. In practice nobody wants to confiscate them because of all the hassle so they just won't accept them. I wouldn't want to try to deposit a counterfeit at a bank though. That might be testing your luck a bit too much and you might find yourself out of pocket.

      1. Don Jefe

        Re: Cash only

        Here in the US a merchant will keep your suspect counterfeit money and call the police to verify the bill(s) in a heartbeat. I'm not sure how the police are supposed to do that, but a lot of national chains have a 'counterfeit money awareness' program where employees get a cash reward for spotting false money.

        It makes sense I guess. Here the person holding the bill, regardless of its provenance, is the one that loses.

      2. jonfr

        Re: Cash only

        It's not ECB rules, it is country rules and they apply in every country. Many places that use the euro have counterfeit scanners to prevent people paying with them. I have seen such a device in Flensburg, Germany in an electronic store named Saturn (I live nearby in Denmark).

        ECB does not have large website on anti-counterfeit measures.

        http://www.ecb.europa.eu/euro/html/counterfeiting.en.html

  9. John Smith 19 Gold badge
    FAIL

    And people who read El Reg did not know this?

    Bottom line don't use plastic in Russia.* If you do use plastic WTF swipes a card anymore?

    2 track mag stripe card readers have been around for decades

    You have a hand held wireless POS terminal but it cannot deal with a chipped card in the 2nd decade of the 21st century? Are you f**king kidding me?

    *I'd also suggest that you set up a separate "Russia" account that has limited funds in it and does not have EFT links to any other accounts, and I'd suggest people talk to their banks and ask them to watch out for suspicious account activity.

    1. Anonymous Coward

      Re: And people who read El Reg did not know this?

      > Bottom line don't use plastic in Russia.

      You seem to think that card fraud is limited to Russia, or that it is rampant there. Neither assumption is true.

      1. TRT Silver badge

        Re: And people who read El Reg did not know this?

        Russian credit card fraud, American credit card fraud...

        Is all come from Taiwan anyways.

  10. Jamie Jones Silver badge
    Facepalm

    The stupidity of third party PIN-authorised systems

    The PIN secrecy was always meant to be sacred.

    I was quite taken aback when cash machines started appearing in shops and garages, and when I heard about chip and pin, I couldn't believe we would be expected to enter our PIN into third party devices - even more shocked when the banks started to say that this new system is so secure, any security breaches would solely be the fault of the customer.

    I'm only surprised this has taken so long!

  11. Graham Marsden

    Verifone VX 670 withdrawn

    I used to take card payments with a VX670 I got through Streamline, however they were withdrawn earlier this year.

    I don't know if it has any relevance to this story, nor what they did with the old ones, but I thought I'd mention it.

  12. Anonymous Coward
    Thumb Up

    True Democracy at work!

    This is excellent! It democratises entry into the corrupt banking system! Bring it on!

  13. realtimecat

    The U.S. Credit Card industry *MUST* go to 100% adoption of smart chip cards

    This is insane! I went to Europe in 2001 and found the biggest problem to my travels was that most merchants never used their swipe readers, and as a result they were too dirty to function reliably - this occurred over and over, both with large retailers and small businesses.

    In that time the U.S. credit card industry has actually stepped *back* from implementing smartcard readers. American Express attempted to push it out with their "American Express Blue" card, but the latest version of that card does not come standard with a smart chip on it.

    The U.S. Credit Card industry needs to wake up. This won't happen without *ALL* of the companies switching to the use of smart cards, and highly discounted readers for the merchants.

    The only reason that this has not happened yet is that they are all too interested in bilking the consumer on the interest for the cards along with charging merchants for their use and have forgotten that they have to invest a trivial percentage of that into keeping the infrastructure secure.

    1. Charles 9

      Re: The U.S. Credit Card industry *MUST* go to 100% adoption of smart chip cards

      They CAN'T.

      Some places are SO remote that TELEPHONE access is sketchy. These kinds of places aren't even on stripes but still use the good-old-fashioned IMPRINTING machine. If you can't convince these types of people to switch to stripes, how in blazes are you going to take them the additional step(s) needed to go to Chip-and-PIN?

      1. Anonymous Coward

        Re: The U.S. Credit Card industry *MUST* go to 100% adoption of smart chip cards

        Charles 9 - Actually they can, there is provision made in chip and pin for remote terminals which are disconnected, or only able to be connected sporadically.

        The chip itself has authority to approve certain transactions (ie: if you've got a good credit rating, any transactions, lower amounts of money if not.) The PIN is stored on the chip, so you still get chip and pin approval, just offline.

        1. Charles 9

          Re: The U.S. Credit Card industry *MUST* go to 100% adoption of smart chip cards

          I'd like to know how sporadic they account (as in, how many minutes per day on average). Plus, many of these mom-and-pops may lack the resources or the desire to step up, meaning the credit card companies face a possible trade-off: force them and some of them could walk away. Plus, card companies in the US may not see enough of a risk-benefit to moving to Chip-and-PIN (US laws ALREADY protect consumers in the event of credit card fraud, capping liability). They already have robust anti-fraud measures in place, and this does very little for the shoulder-surf-and-slug or for e-commerce where you're basically back to the old-fashioned way. Also, there's a competing push: contactless cards.

          1. realtimecat

            Re: The U.S. Credit Card industry *MUST* go to 100% adoption of smart chip cards

            Contactless cards / rfid - terrible idea! Yes, more and more US POS terminals are supporting it. The fact that this is considered any way more secure than stripes is unexplainable. A smart chip with cryptographic security cannot be casually cloned. This is why it is the best solution available today.

            I will never have a card that uses rfid or any other contactless system. Makes skimming cards even easier.

            In answer to previous comments about mom&pops still using imprinting. If as a card user you're comfortable with that it is up to you. The thing with an imprinted card receipt is it is accompanied by a physical signature; so fraudulent charges made in this manner also gain counts of forgery to their charges if they are apprehended.

            Just because the credit laws in the U.S. favor the consumer does not mean that the fraud doesn't cost real $$$ - we pay for it with higher fees to the merchants or higher interest rates to the consumer. Nothing is free. The price of changing over to smart chip cards is a fraction of what the losses to credit card fraud are with the current system.

            American Express provided smart card readers for use on PCs with the original release of Amex Blue. There is no reason this could not be done again. I much prefer the idea of using a pin protected smart chip to complete a network purchase over manually typing in numbers from the front and back of the card.

          2. Alan Brown Silver badge

            Re: The U.S. Credit Card industry *MUST* go to 100% adoption of smart chip cards

            "(US laws ALREADY protect consumers in the event of credit card fraud, capping liability)"

            They leave the merchants open to full liability instead

            Banks make far more money on chargebacks and "fines" for bad cards than they ever do on legitimate transactions, so they're very lax about rolling out better security. Most merchants would switch to chip'n'pin in a heartbeat if it was made available.

  14. Mad Chaz

    Some of the larger chains here, and even some of the smaller ones, found a very nice way of dealing with the issue. It involves a rather well tried method of bolting things down. In this case, the P.O.S. terminal. (surprising how many other words I can think to fit to those letters)

    This came about after a series of actual replacements of terminals while personnel was distracted, usually helping an accomplice with something. Doesn't fix the crooked owner problem, but that can be more easily spotted when people who start complaining all went to the same place.

    1. Don Jefe

      I always wondered about the safety of equipment in department stores. The registers in Women's Clothing or Perfume and Cosmetics are always busy and staffed. The registers in Children's Formal Wear or Men's Accessories or the Muumuu department are always abandoned. You can sit there sometimes for 15 or 20 minutes and never see another customer, much less an employee.

      I suppose they're counting on cameras but if you weren't caught red-handed those tapes would be overwritten by the time the tampered with device was found.

  15. SirDigalot

    i used cash

    then found out after checking my bank statement that the ATM INSIDE THE BANK was compromised, it was not even a lobby ATM musta been an inside job.

    a phone call later it was all sorted, I do not know if they ever caught the perp don't really care never went back to that branch again.... makes me wonder if it was the ATM repair guy.

    however living out here in the frontiers (well floriduh) it is always a crap shoot to use your card since the US banking system is hovering round the early 80's with its security and such, they are all scared the gubermint is gonna steal their ID's an guns and stuff..

    of course that is steal more information about them than they already post on the intarwebz, which really is quite a lot, why go to the trouble of stealing the info when you give the population a smartphone they give you all you need!

    my pin is "correct horse battery staple" well it would be if I could have more than 4 bloody numbers

  16. Anonymous Coward

    OTP must be added to these systems one way or another.

    It could be one of several keyfobs linked to the card or something like the google auth algorithm running on a smartphone.

    Most countries outside of Europe don't use the chip aspect of chip and pin so they still steal UK cards for use abroad and on the internet.

  17. Simon B

    I don't go abroad, I don't want the mag stripe. It's a compromise I'd be willing to accept, just give me the option mr BANK!!

    1. Alan Brown Silver badge

      "I don't go abroad, I don't want the mag stripe"

      A neodymium magnet works fairly well (or so I've heard)
