Re: Debit Cards HACKED now
- From: "Ed Weir \(ComCast\)" <Anon@xxxxxxxx>
- Date: Tue, 14 Mar 2006 15:28:19 -0800
"Anne & Lynn Wheeler" <lynn@xxxxxxxxxx> wrote in message
| shoppa@xxxxxxxxxxxxxxxxx writes:
| > Lots of outfits (including retail stores) use overhead video cameras
| > now, that probably do have a look-see at the PIN pad, and the video is
| > now stored digitally (don't want to put in a new tape every 6 hours?)
| > presumably on a PC at the store.
| > If also on that network you have the transaction-processing equipment,
| > this might be what they're talking about.
| regardless of the initial installation of any possible anti-fraud
| operation ... if it is a vector that can be used by crooks to get what
| they want ... then it also has to be maintained securely. This is
| compromise of anti-fraud equipment as precursor to the actual fraud
| ... commonplace is compromising the actual machines or substituting
| with counterfeit machines
| old "security proportional to risk" posting that looks at a slightly
| different aspect of the situation. example is when the systemic risk is
| possibly $50m or more, $1b? ...
| (i.e. value to the crooks), then, can a retailer afford the necessary
| security? especially if the actual value to the retailer might possibly
| be only a couple thousand?
| aside from the above, there is study about card fees already
| accounting for over half of convenience store expenses (ahead of
| labor) ... last paragraph in last article:
| note that there are also a number of studies that repeatedly highlight
| that the majority of fraud (even stuff that appears internet related)
| involve insiders. old post about survey highlighting insiders
| http://www.garlic.com/~lynn/aadsm18.htm#49 one more time now, Leading
| Cause of Data Security breaches Are Due to Insiders, Not Outsiders
| and, of course, a few comments about such infrastructures then
| requiring the whole planet to be buried miles deep in (data hiding)
| crypto (but if the hidden/sensitive information may also be required in
| numerous different business processes, then it is impossible to avoid
| leakage ... especially when insiders might somehow be involved).
| http://www.garlic.com/~lynn/aadsm15.htm#21 Simple SSL/TLS - Some Questions
| http://www.garlic.com/~lynn/aadsm15.htm#27 SSL, client certs, and MITM
| http://www.garlic.com/~lynn/aadsm19.htm#45 payment system fraud, etc
| http://www.garlic.com/~lynn/2005u.html#3 PGP Lame question
| http://www.garlic.com/~lynn/2006d.html#26 Caller ID "spoofing"
| a 2002 article
| Phony Interac terminals steal PINs, personal info
| 2004 article (talks about skimming issues)
| Canada's First Debit Fraud Estimate Pegs Losses at $44m
| 2005 article ... comparing phishing to skimming for obtaining
| information enabling account fraud
| Turning Phishing into Cash: Criminal Convenience at the ATM?
| the above article doesn't mention it, but a much more convenient
| avenue for phishing account fraud possibly is something like online
| banking ... as opposed to creating counterfeit cards for use at
| physical machines.
| Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
As if all this weren't bad enough...
I am seeing credit card advertisements now about a card that you can use to
make purchases by mere proximity to a card processing unit. The transaction
is 'instantaneous'. It is clear to me that John Q. Public is ignorant about
his security, and probably doesn't give a damn anyway. Take his card and
swipe a party; from the looks of it, the transaction time doesn't allow for
stolen card recovery, so once stolen the card can be used almost
indefinitely at any proximity transaction site.
This is just too stupid... What the hell are these people thinking?
Oh yeah - it's just printed money anyway, right? (wrong)
Ed takes the remote, shaking his head... "Time to catch up on my DVR" he
"Up until this breach, everyone thought ATMs and PINs could never be
- Avivah Litan, a Gartner research vice president