| What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386537] |
Mi, 10 Mai 2006 15:29 |
|
Chip and PIN is being defeated, allegedly by Eastern European Gangs.
Britain is now the latest victim of debit/credit card fraud, which is
becoming a major issue, worldwide.
http://fraudwar.blogspot.com/2006/05/fraudster-gangs-deal-bl ow-to-chip-and.html
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386539 ] |
Mi, 10 Mai 2006 15:44 |
|
On 10 May 2006 06:29:47 -0700, tedrichardson9925 [at] sbcglobal.net wrote:
>Chip and PIN is being defeated,
Yeah, a couple of articles in the GFT about it today, saying that the
information on how to do it is on the web.
Tiddy Ogg.
http://www.tiddyogg.co.uk
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386540 ] |
Mi, 10 Mai 2006 16:27 |
|
I heard this first hand from a friend who owns a business in Shoreham on Sea
1 week ago.
He was sitting at his serving desk (which has a chip and Pin terminal on it)
when, according to his discription, a 'scrawny looking Chinese guy' came in
and placed a little black box on his desk. The guy then goes on to explain
that by fitting it under his desk, close to the Terminal, my friend could
record ALL pin numbers entered on said terminal. He would then have all the
info he need to rip off his customers at a later date.
Obviously I questioned my friend closely on this to make sure what he was
saying was correct.
This is worrying stuff!
I took a look at the wires which connect these terminals to their bases and
they are very flexible. All the thin coax I've used is a might stiffer than
these and I'm wondering if the wires are screened and whether these Boxes
are able to pick up any RF from this sorce?
At this rate there is an up and coming market for a keyring transmitter
that swamps the localised area with disrupting RF.
Be careful out there..
Sharky
"Tiddy Ogg" <tiddyogg [at] madasasheep.com> wrote in message
news:ffr362t6g7mhou80av1clucpj7mv2dvr2b [at] 4ax.com...
> On 10 May 2006 06:29:47 -0700, tedrichardson9925 [at] sbcglobal.net wrote:
>
> >Chip and PIN is being defeated,
> Yeah, a couple of articles in the GFT about it today, saying that the
> information on how to do it is on the web.
>
>
> Tiddy Ogg.
> http://www.tiddyogg.co.uk
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386604 ] |
Mi, 10 Mai 2006 20:44 |
|
Sharky wrote:
> I heard this first hand from a friend who owns a business in Shoreham
> on Sea 1 week ago.
>
> He was sitting at his serving desk (which has a chip and Pin terminal
> on it) when, according to his discription, a 'scrawny looking Chinese
> guy' came in and placed a little black box on his desk. The guy then
> goes on to explain that by fitting it under his desk, close to the
> Terminal, my friend could record ALL pin numbers entered on said
> terminal. He would then have all the info he need to rip off his
> customers at a later date. Obviously I questioned my friend closely
> on this to make sure what he was saying was correct.
> This is worrying stuff!
> I took a look at the wires which connect these terminals to their
> bases and they are very flexible. All the thin coax I've used is a
> might stiffer than these and I'm wondering if the wires are screened
> and whether these Boxes are able to pick up any RF from this sorce?
> At this rate there is an up and coming market for a keyring
> transmitter that swamps the localised area with disrupting RF.
> Be careful out there..
It may be technically possible, but I would be suprised if it could be done
with a "little black box" . I expect that the scam is this: business owner
buys the little black box. Finds out that it does not do anything like it
was advertised as doing. Bussiness owner then has choice of accepting he
has been conned - or of taking legal action against the chinese man if he
can find him.
"Yes officer, the man said this device would let me steal money from my
customers and it does not work!"
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386707 ] |
Do, 11 Mai 2006 11:52 |
|
At 14:29:47 on 10/05/2006, tedrichardson9925 [at] sbcglobal.net delighted uk.finance
by announcing:
> Chip and PIN is being defeated,
No, it's not. It's the same old clone mag stripe and capture PIN fraud, albeit
switched from ATMs to terminals.
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386718 ] |
Do, 11 Mai 2006 13:13 |
|
"Alex" <no.spam [at] mail.com> wrote in message
news:xn0em3k4d5hgxd004 [at] news.individual.net...
> At 14:29:47 on 10/05/2006, tedrichardson9925 [at] sbcglobal.net delighted
> uk.finance
> by announcing:
>
>> Chip and PIN is being defeated,
>
> No, it's not. It's the same old clone mag stripe and capture PIN fraud,
> albeit
> switched from ATMs to terminals.
It might be more accurate to say that C&P is being undermined. If, as
appears, C&P is making it *much* easier to do "the same old clone mag stripe
and capture PIN fraud" then ultimately there is going to be a big problem
and they may well fall into disrepute.
--
Tumbleweed
email replies not necessary but to contact use;
tumbleweednews at hotmail dot com
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386729 ] |
Do, 11 Mai 2006 13:58 |
|
Tumbleweed wrote:
> It might be more accurate to say that C&P is being undermined. If, as
> appears, C&P is making it *much* easier to do "the same old clone mag
> stripe and capture PIN fraud" then ultimately there is going to be a big
> problem and they may well fall into disrepute.
"Fall into"?
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386842 ] |
Sa, 13 Mai 2006 11:41 |
|
Tumbleweed wrote:
> "Alex" <no.spam [at] mail.com> wrote in message
> news:xn0em3k4d5hgxd004 [at] news.individual.net...
> > At 14:29:47 on 10/05/2006, tedrichardson9925 [at] sbcglobal.net delighted
> > uk.finance
> > by announcing:
> >
> >> Chip and PIN is being defeated,
> >
> > No, it's not. It's the same old clone mag stripe and capture PIN fraud,
> > albeit
> > switched from ATMs to terminals.
>
> It might be more accurate to say that C&P is being undermined. If, as
> appears, C&P is making it *much* easier to do "the same old clone mag stripe
> and capture PIN fraud" then ultimately there is going to be a big problem
> and they may well fall into disrepute.
>
C&P has no effect what so ever on "the same old clone mag stripe and
capture PIN fraud" as in the 'old' days this was done by putting a
skimer and camera on ATM's.
It can be claimed that C&P will lead to a *NEW* "clone mag stripe and
capture PIN" fraud because you are entering your PIN in more places.
In most cases though, while your pin may be more exposed, there is not
the oportunity to skim the card, it is less likely to be out of your
sight, and the majority of C&P terminals do not let the card go in far
enough for the stripe to be read. It should be obvious to the user if a
terminal has been modified to skim the card (although it should also be
obvious if a ATM is modified but lots of people are stupid).
NB: I realise that many supermarkets have swipe+park readers, but
skiming fraud is traditionally associated with smaller shops and
restaurants.
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bulletfor Card Fraud [message #386845 ] |
Sa, 13 Mai 2006 12:19 |
|
Peter King wrote:
> NB: I realise that many supermarkets have swipe+park readers, but
> skiming fraud is traditionally associated with smaller shops and
> restaurants.
The only recent public example being that small chain of gas stations?
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386847 ] |
Sa, 13 Mai 2006 13:01 |
|
Colin Forrester wrote:
> Peter King wrote:
>
> > NB: I realise that many supermarkets have swipe+park readers, but
> > skiming fraud is traditionally associated with smaller shops and
> > restaurants.
>
> The only recent public example being that small chain of gas stations?
You may have missed the word 'traditionally'
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386848 ] |
Sa, 13 Mai 2006 13:13 |
|
On Sat, 13 May 2006 02:41:24 -0700, Peter King wrote:
> It can be claimed that C&P will lead to a *NEW* "clone mag stripe and
> capture PIN" fraud because you are entering your PIN in more places.
>
> In most cases though, while your pin may be more exposed, there is not
> the oportunity to skim the card, it is less likely to be out of your
> sight, and the majority of C&P terminals do not let the card go in far
> enough for the stripe to be read. It should be obvious to the user if a
> terminal has been modified to skim the card
According to <http://www.theinquirer.net/?article=31547>, the
modifications that were made to the Trintech Smart5000 terminals (as used
in the recent Shell scam) were not obvious:
"It is impossible for members of the public to distinguish a doctored unit
from a standard chip and pin card reader, as the skimmer is inserted
inside the unit, unlike with cashpoint card skimmers."
> (although it should also be obvious if a ATM is modified but lots of
> people are stupid).
I think it's somewhat unfair to categorise that as 'stupid' (although,
obviously, if a skimmer is dangling from the ATM and someone inserts their
card anyway...)
The problem is that there are many different models of legitimate ATM (and
C&P terminals for that matter) and so it's hard for non-expert users to
determine the difference between legitimate,
legitimate-but-illegitimately-modified, legimate-but-legitimately-modified
and illegitimate models.
Best Regards,
Alex.
--
Alex Butcher Renew for Freedom! Renew your passport in May 2006 and
Bristol, UK resist compulsory UK ID Cards and National ID Database
PGP/GnuPG ID:0x5010dbff <http://www.renewforfreedom.org>
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386850 ] |
Sa, 13 Mai 2006 13:37 |
|
At 12:01:40 on 13/05/2006, Peter King delighted uk.finance by announcing:
>
> Colin Forrester wrote:
> > Peter King wrote:
> >
> > > NB: I realise that many supermarkets have swipe+park readers, but
> > > skiming fraud is traditionally associated with smaller shops and
> > > restaurants.
> >
> > The only recent public example being that small chain of gas stations?
>
> You may have missed the word 'traditionally'
And the fact that a lot of Shell stations are franchises.
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386859 ] |
Sa, 13 Mai 2006 18:36 |
|
On Sat, 13 May 2006 12:13:58 +0100, Alex Butcher
<alex.butcher.news0306 [at] assursys.co.uk> wrote:
>According to <http://www.theinquirer.net/?article=31547>, the
>modifications that were made to the Trintech Smart5000 terminals (as used
>in the recent Shell scam) were not obvious:
>
>"It is impossible for members of the public to distinguish a doctored unit
>from a standard chip and pin card reader, as the skimmer is inserted
>inside the unit, unlike with cashpoint card skimmers."
>
An old time electronic engineer guessing here but could it possibly be
that the trintech terminal was originally designed to accomodate a
stripe reader, and adding or enabling that functionality was trivial?
DG
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386860 ] |
Sa, 13 Mai 2006 18:51 |
|
At 17:36:27 on 13/05/2006, Derek ^ delighted uk.finance by announcing:
> On Sat, 13 May 2006 12:13:58 +0100, Alex Butcher
> <alex.butcher.news0306 [at] assursys.co.uk> wrote:
>
>
> > According to <http://www.theinquirer.net/?article=31547>, the
> > modifications that were made to the Trintech Smart5000 terminals (as used
> > in the recent Shell scam) were not obvious:
> >
> > "It is impossible for members of the public to distinguish a doctored unit
> > from a standard chip and pin card reader, as the skimmer is inserted
> > inside the unit, unlike with cashpoint card skimmers."
> >
>
> An old time electronic engineer guessing here but could it possibly be
> that the trintech terminal was originally designed to accomodate a
> stripe reader, and adding or enabling that functionality was trivial?
It actually does have a 'hybrid' reader so they either stuck an extra reader in
there or utilised the existing one. If they modified the software to capture
the PIN then I'd have thought they'd just use the existing MSR as well.
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386923 ] |
So, 14 Mai 2006 19:05 |
|
On 13 May 2006 16:51:10 GMT, "Alex" <no.spam [at] mail.com> wrote:
>> An old time electronic engineer guessing here but could it possibly be
>> that the trintech terminal was originally designed to accomodate a
>> stripe reader, and adding or enabling that functionality was trivial?
>
>It actually does have a 'hybrid' reader so they either stuck an extra reader in
>there or utilised the existing one. If they modified the software to capture
>the PIN
That wouldn't be easy.
We have some very high falutin' programmers at work who still cant
edit some simple object code written in 1990 for a 6802 processor so
our machines can work with a capacity of 65 units (as of today)
instead of 50 units (as of then)
>then I'd have thought they'd just use the existing MSR as well.
If the thing was designed and/or constructed (badly) in a modular way
it might be possible to get an unencrypted signal out from the
cardreader module to, say a PDA if the boss wasn't over fussed by
extra wires, or was complicit.
I'd imagine the PIN handling gubbins *was* secure to get the device
past it's type approval. The pin could be obtained by overseeing
keyboard entries one way or another. You don't have to be successful
every time, a few every day would suffice.
DG
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386930 ] |
So, 14 Mai 2006 19:52 |
|
>I think it's somewhat unfair to categorise that as 'stupid' (although,
>obviously, if a skimmer is dangling from the ATM and someone inserts their
>card anyway...)
In the US criminals simply buy their own fully working ATM, no
modifications
required..!
|
|
|
| Re: What Happened to the Premise that Chip and PIN was a Silver Bullet for Card Fraud [message #386987 ] |
Mo, 15 Mai 2006 14:31 |
|
Alex <no.spam [at] mail.com> wrote
>At 14:29:47 on 10/05/2006, tedrichardson9925 [at] sbcglobal.net delighted uk.finance
>by announcing:
>
>> Chip and PIN is being defeated,
>
>No, it's not. It's the same old clone mag stripe and capture PIN fraud, albeit
>switched from ATMs to terminals.
I was less than pleased when paying for petrol at Sainsburys today.
I inserted my C&P card in the keypad, only for the screen to say "Swipe
Magnetic Strip" or words to that effect, and had to pass the card
through to the employee behind the glass.
I complained that this by-passed the Chip security and he told me that
"This is secure". I said that because I recognised him as a long
term employee I would accept that, but pointed out that he could be
swiping the card through anywhere!
The weakness of C&P is when the chip isn't used!
I am wondering where to enquire how long this state of affairs will
continue in Sainsburys filling station(s)....
--
Gordon Harris
|
|
|
