Gas Pump Skimmers (sparkfun.com)
657 points by whalesalad on Sept 19, 2017 | 335 comments



Chips aren't any more secure, I can read the data off my card with a standard chip reader, and I have. The same data on the chip is on the mag strip.

Just because you are using the chip doesn't mean you are doing an EMV transaction. The unique transaction codes only happen with an EMV transaction, almost every time you dip your card it's a regular old card transaction, just as if you swiped the card. Why?

Getting EMV certified requires every part of the transaction chain to go through unified system testing, for each combination of hardware, software, card type, processor, issuing bank.

I've been eyeballs deep in this nonsense for the last year or so. We just can't justify the expense of getting EMV certified, so we just accept the chip and do a regular transaction.

As a consumer you have no way of knowing if your transaction is an EMV transaction or just a chip-enabled regular transaction.


Hi! I have implemented a complete payment terminal application with magstripe, chip and contactless capabilities.

I have also designed security protocols to keep the data and keys from the bad guys, including things like Key Injection Facility, loading and exchange protocols, etc.

These things (terminals, cards, HSMs) can be extremely safe. Not only are there protocols available that to my knowledge have never been breached, but the devices themselves are also built in a secure manner to prevent any physical attacks. The entire infrastructure can be made so that no single employee can get hold of any secret material.

The truth is, that there is a range of solutions and the secure ones cost. It costs to set them up and use correctly. It costs to produce a chip card that can dynamically sign and encrypt the data. It is up to the issuer (bank) how much they pay for the security of their card and typically banks are not too eager to overpay. Rather, they take calculated risk.

Another problem is that North America is particularly behind in security standards. I remember, while working on this application (10 years ago) there was much more leniency for US users (issuers, acquirers) than the rest of the world.


Sorry I am probably ignorant here but, don't these guys just use a mag stripe reader? They often just ask to see your credit card, lean down, swipe on their own device.

They aren't 'cracking' Key Injection Facility or messing with protocols. They just add a simple card reader? The reason they hit gas machines is the volume and most don't take chips (US).

https://www.amazon.com/dp/B01N4L19CR/ref=asc_df_B01N4L19CR51...


Let's assume you swiped my card and now you have full contents of my credit card.

For the fraudster to receive any funds from my account they would have to go with that data somehow to my issuing bank and have their transaction request accepted.

My bank will never do this because my card is a secure one. They expect it to generate a signed document listing the details of my transaction along with the name (ID) of the merchant and terminal performing the transaction. The message also certifies that the PIN I entered was successfully verified by my card. The message can only be created by the card using my PIN. This requires the card to be stolen along with the PIN.

The only money I can lose in case my card is stolen without the PIN is up to a floor limit for offline transactions. It's peanuts but it allows for quick transactions for example from vending machines.

The gist of the story is to move to a bank that cares for security.


> The message also certifies that the PIN I entered was successfully verified by my card. The message can only be created by the card using my PIN. This requires the card to be stolen along with the PIN.

Forgive my ignorance, but aren't most sellers in America willing to process transactions (even large ones) without PIN entry?

I realize pin-and-chip is a largely secure scheme, but the chip rollout in the US hasn't actually implemented a two-factor system.


Credit card payment organizations will hold merchants, acquirers, issuers liable for fraud if the party is lagging behind in security even if it can't be shown directly that the fraud was their fault. This is called liability shift.

http://www.emv-connection.com/best-practices/what-is-the-fra...


The page you linked to says that gas pumps ("Automatic Fuel Dispensers") are exempted from liability shift until October of this year. But that's actually out of date information: the exemption for ATMs has been pushed to October 2017 (from the original date of October 2015), but gas pumps aren't required to go that route until October 2020:

https://usa.visa.com/visa-everywhere/security/emv-at-the-pum...

While I don't doubt they're already out there, I don't recall ever seeing a gas pump in the US with a chip reader.

Also, it's at least worth noting that technology for skimming chip-based transactions already exists in the wild:

https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip...

The "shimmers" take advantage of poor implementations of the EMV standard, but the chances strike me as fairly high that there's going to be a lot of poor implementations of EMV out there in the wild. (Not only is the less secure "chip and signature" approach common in the US, I've made more than one purchase with what could be described as "chip and nothing": put my card in a chip reader and make a purchase without being asked for either a PIN or a signature.)


There was a presentation at either the latest Black Hat or Defcon (forget which, been watching presentations from both the past few weeks) with a live demo of a really nifty EMV fraud system. Rather than stealing card info, you'd install shimmers in a bunch of ATMs or other such places, then run a system where people could pay for access to the card at a certain location at a certain time. Walk up to the ATM and money comes out. The money comes from an account which (I believe) was being used at the time (or within a few minutes of it) on one of the far-away bugged machines.


Correct - we only have chip, not chip + pin in the US. Sometimes the chip requires a signature and the merchant sets their own threshold.


I think you're correct. I have a credit card from a major bank here and there's no pin associated with it. It does have a chip though.


>up to a floor limit for offline transactions.

Buy stolen CCs without pin in large volume

Set up online merchant account (eBay is common), use software to scrape and copy listings for popular products that cost less than the floor amount but more than your costs. When someone orders a product and the payment clears automatically put in an order for the product on a different website (preferably one that allows a guest checkout). Automate more and more parts of the process as time goes on (e.g. using a different card when one is declined)

Keep the transaction volume low and you're basically printing money at the rate of the difference between card info cost and item cost.

This is a pretty common tactic to monetize large volumes of CC#s.

It doesn't help that most merchants don't cross reference billing address with the bank and some don't require the security code.


Clever, but how do you receive money in that scheme? You need an account under a fake name, right? That seems really hard to get (as it is a prerequisite for all kinds of crimes).


Stolen CC numbers sound like hard things to get in the first place, but they're available online. Fullz (identity-stealing kits w/ SSN and driver license info) and bank drops are similarly available, for a higher fee, as well as aged accounts for many sites.


So the skimmers in the article are pretty basic, but there are more advanced ones that have pin hole cameras to record pins too. You could also mitm the keypad too with another patch line.

Two years ago at defcon, someone presented on advanced skimmers that could read chips too. He claimed they need a network connection to work, as there's only a two minute window to reuse the same token.


> You could also mitm the keypad too with another patch line.

This was noted in the article. There appears to be availability on the board for an extra connection.


it seems like the pin entry has to be associated with the card


> For the fraudster to receive any funds from my account they would have to go with that data somehow to my issuing bank and have their transaction request accepted.

Not quite. The one who gets your card info probably won't use it. They will more likely sell it. If the person who buys it can't use it, whoops, too bad.


How do large online purchases work with your card?


what bank?


> Rather, they take calculated risk.

And credit-cards are a testament to that.


You can't tell from the receipt? Home Depot is well known for doing EMV, and the result I see on the receipt is a lot more detailed, with listings for AID, TVR, IAD, TSI and ARC. Chip-enabled regular transactions just seem to list the AID, an Approval #, and a Transaction ID.


I don't know about US, but over here with my Polish bank I have 100% control over the limits for each type of transaction possible with my card, I can set them myself through the web portal of my bank - the types are:

1) transactions with card present(chip+pin or signature)

2) transactions with card not present(someone types in your card number into the terminal)

3) internet transactions(card number + CVV from the back).

I can set any of them to zero, effectively blocking the transaction type completely. So yes, while you can read the card number and exp date from the chip, you can't get the CVV number from the back of the card, which means it's only useful for the second type of transactions - and I don't see any reason to ever change the limit on that to anything other than zero - so any information gained from just skimming the chip/magstripe is effectively useless without the CVV written on the back.


Setting limits to zero is kind of defeating the purpose of having a card in the first place.

The better solution is to have a bank with good reputation that expends effort in making your transactions safer.

My bank:

- has their cards well issued (and I know this since I have worked as credit card terminal developer for many years and I know every detail of how cards are personalized and designed actual security systems),

- sends me a code to verify my internet transactions (remember not to use your phone to do internet transactions!),

- processes chargebacks without fuss unless there is a reason to suspect cardholder is trying to defraud the merchant.


> remember not to use your phone to do internet transactions!

Do you have time to explain?

I'm aware of the problems with using sms as 2FA but if I understand you correctly you mean something else?

(Around here most banks demand we use BankID which is typically downloaded to the sim card in the phone.)


You should never use the same device to perform transactions and receive your codes. The security of the scheme lies on using two separate devices under your control.

If you were to enter your credit card details on the same device you use to receive codes (most likely your only mobile phone), the attacker having some kind of malware code could first steal your card information and then use your phone to receive the codes to complete the transaction.

This requires infecting just one device, so basically as a fraudster you create a malware and wait for people to have their phones infected. Then you defraud those that use phones for credit card transactions and either don't need separate codes to complete the transaction or use the phone for this.

It is much more difficult to get two devices infected that are used by the same user. This only typically happens in case of targeted attacks and is rarely seen.

My colleague at one of the companies I worked for lost the money he saved to buy a flat this way. He got his phone infected with malware and then over a few days he got all his money sucked out of his account in a series of increasing transactions.


Many banks supply you with a hardware security token.


But also, I don't care as a consumer. Because I don't have any liability. In fact, I prefer the swipe as it is a few seconds faster.


Except getting skimmed and disputing charges is annoying, not something I care to deal with. I'd rather we have more secure infrastructure that doesn't sustain criminal activity.


I've been skimmed twice, and both times the (major US) banks made it super easy to dispute and I had my money back in a matter of minutes.

Now I keep a low-limit branded gas card that can only be used at gas stations. Go ahead and skim me. All they can do is charge $30 worth of Munchos and beef jerky.


It takes 5 minutes and a few clicks on a web site nowadays. I'm all for more security too but like OP it isn't really my responsibility nor my liability so I have little care.


My last bank made that easy. But required a new card and a new PIN, and immediately and automatically cancelled the old one. As I was abroad at the time, this was not a fun process. Not that it's particularly fast even if you walk into a branch.


This is one of the reasons I think it's important to have more than one credit card when traveling (especially abroad). Redundancy in case one gets shut down at an inconvenient time in an inconvenient place.


After having to replace a couple cards and update all the subscription services that were pulling from the old ones, I do care.


You could take the approach that my wife and I do. We both have 1 card each linked to our checking account. We have a 3rd card that is signed up to all of our reoccurring payments (electric, cable, water, sewage, trash, netflix, etc) that card is stored in a safe deposit box.

The thinking is if either one of our cards gets compromised we can just replace that card, the third card will remain safe while locked up. That is unless the company or payment processor gets breached which is a larger issue in itself.


One of my card issuers [1] has a feature called "ShopSafe". ShopSafe lets you create virtual credit cards on top of your real card. Each virtual card has a separate lifetime charge limit and expiration date. Once a charge is made against a given virtual card, future charges on that card can only be made from that merchant.

For recurring payments I make a ShopSafe card per merchant. If one merchant has a breach all I should have to do is make a new ShopSafe card for them. All of the others should be unaffected.

If the underlying card is compromised and replaced the ShopSafe cards should continue to work as long as the underlying account is not closed.

This has worked out quite well. There are only three annoyances.

1. The interface is annoying. It is a small Flash window.

2. The expiration date can only be up to one year out.

3. Some merchants, like Amazon, use a variety of merchant names depending on what you are buying. For example, the shoelaces I bought recently from Amazon show up on my credit card statement as "AMAZON MKTPLACE PMTS AMZN.COM/BILLWA". The Kindle book I bought recently comes from "Amazon Services-Kindle 866-321-8851 WA". My subscription to the Kindle edition of "Analog Science Fiction and Fact" comes from "KINDLE-AnalogScien 866-216-1072 WA". (A few months ago, Analog came from "AMAZON DIGITAL SVCS 866-2866-216-1072 WA"). I also see in my Amazon purchase history things from "Amazon.com AMZN.COM/BILLWA".

Dealing with that would require five ShopSafe cards, and picking the right one for a given purchase.

There is a workaround I've heard for this with Amazon, but have not gotten around to trying. Buy Amazon gift cards with a ShopSafe card, and use them to pay for everything else.

[1] Bank of America. I believe that Citi has a similar feature.


For those that aren't with Bank of America, https://getfinal.com/ offers a similar service for all. (no affiliation)


This is exactly what my wife and I do, we both have our primary spending cards (her Discover It, my Capital One QuickSilver) that get used for everyday purchases - but I've also got a very basic Wells Fargo Platinum card that gets used for recurring payments (car insurance, unlimited car wash pass, internet bill, utility bill, etc).

We don't touch the debit card attached to our checking account unless there's no choice, however - which is usually just WinCo when we can't get what we want (or get what we want for a reasonable price) at Fred Meyer or Albertson's. All of our credit cards have $0 liability, and worst case if someone skims them and maxes our limits we have to temporarily switch to a backup card while the charges are reversed and a new card is mailed - someone draining my checking account leaves me with the inability to pay rent, electricity and gas and Wells Fargo is happy to drag their ass on reversing unauthorized debit card payments.


I do the opposite: I try to limit recurring transactions to one or two per card.

My cards have been compromised by Target, Home Depot, and other vendors. I never know exactly who, just get the notice from the bank that I'm getting a new card.

The side benefit for me is that these small transactions keep the cards active with regular on-time payments.

If one of them is compromised, I only have one or two recurring payments instead of having to change all of Netflix, Ting, Comcast, Virgin Mobile, Google Play, Apple, NY Times, WSJ, etc.


My defense, however imperfect, against having to deal w/ having to update subscriptions is to have a card I only use for subscriptions, so there's a low chance it gets skimmed. I use Mr. Swipey swipe all day long without need to (excessively) worry that someone illicitly cloning Mr. Swipey will affect my relationship with Mr. Subscribey.


Pfft. My new Amazon CC got compromised the day I got it. I used it precisely once, for an Amazon transaction.

I've probably had 5 cards compromised in the past decade. The biggest hassle is changing recurring payments. I don't track them, I just do my best then wait for the bills to fail. What's annoying is sometimes they keep successfully charging my account for 4-5 months before failing. How they're able to bill the old number I don't know.

But yeah, they just call you and send you a new card. No need to select which transactions are fraudulent typically -- or at best 2 mins on the phone. No big deal.

Sucks when you're overseas but google voice + headphones and then Apple Pay means your new card is active the minute it's issued, even if you won't get it in the mail for 2 weeks.


I recently had to get a card replaced and what was interesting was that some companies with recurring subscriptions automatically updated to the new card number without any input from me. Not everyone did this but it was about half of my recurring charges. They must have some way of updating the info via the card provider. The expiration date and CVV changed as well but they magically already had it.


Visa's product is called Account Updater[1] and MasterCard's is Billing Updater[2]. It allows previously approved billers to get updated card information when a card is replaced due to expiration, loss, fraud, upgrade, etc.

[1] https://usa.visa.com/dam/VCOM/download/merchants/visa-accoun...

[2] https://www.mastercard.com/us/wce/PDF/Billing%20Updater%20Br...


This happened to me, too.


It's a case of where consumer laws have been used against the overall public interest.

As a consumer using a debit card, you have lots of exposure. Bounced transactions, lots of paperwork and more bureaucratic pitfalls.

Credit cards with premium issuers are just a minor hassle. With Amex or Citi, you literally just need to click. With lousy issuers, you can be stuck dealing with a breach event for a long time.


This. And if these things happen to you with any frequency they aren't so friendly. I've gotten my debit card skimmed several times (I was able to determine through the process of elimination that my at the pump usage at the gas station was responsible). The last time, which of course happened to be the only time I got hit for any significant amount of money, the bank fought every step of the way and ended up ruling against me. I had to go back and forth with the BBB to finally get it sorted out. In the end, it was a months long process with lots of headaches.


With a debit card you have full liability if you don't report quickly vs $50 cap with a credit card. Not worth the risk of using a debit card ever IMO.


Agreed. Sadly, this is stuff I didn't know 5 years ago.


> Because I don't have any liability

Where do you think the cost of losses goes? To the consumer via higher prices...


You pay that whether or not your card info gets stolen


Sure, but if the industry, as a whole, is more secure, those operating costs go down, and, in theory, so do fees charged to consumers.


This is only true if you use a credit card. A debit card on the other hand, carries a lot of liability.


Although you might not be affected directly, it's cost of doing business that affects all consumers.


> Just because you are using the chip doesn't mean you are doing an EMV transaction. The unique transaction codes only happen with an EMV transaction, almost every time you dip your card it's a regular old card transaction, just as if you swiped the card.

By the way, do you have any reference on this? Everywhere I've searched, chip seems synonymous with EMV.


For background, I was developing those types of applications few years ago, professionally.

Every chip or contactless transaction is an EMV transaction. This is by virtue of EMV being the protocol that terminal uses to communicate with the card.

EMV allows for different types of transactions with different level of security.

For example, if the transaction can be done offline (gas pump unattended terminal situation) AND executing CVM rules (both terminal and issuer have their own rules) points to the possibility of exchanging encrypted PIN, the PIN can be sent safely encrypted to the card for verification.

If the card or the terminal does not support encrypted verification then the PIN can be sent in the clear and vulnerable to skimming.


Okay then I'm extremely confused. You say:

> Every chip or contactless transaction is an EMV transaction.

But the parent comment I was replying to says:

> Just because you are using the chip doesn't mean you are doing an EMV transaction.

I presume you're saying he's wrong in this? Or am I misunderstanding what you both mean?

I'm also confused by the PIN thing you mention. Why is there a PIN at all, and why is there an "encrypted PIN exchange"? We're talking about the US, right? The US is chip & signature, and there is no PIN involved. I thought it was supposed to be that the card generates a unique one-time authorization code (public-key signatures?) and the bank validates it? Where does a PIN come into play?


For each transaction a set of very flexible rules is being executed with the aim to perform a number of verifications.

Card Verification

- no verification (just read magstripe or magstripe equivalent from chip or contactless card that does not have any more advanced verification mechanism)

- static verification - for chip, card sends static signature along with the data so that the terminal can verify electronic signature

- dynamic verification - for chip, card accepts a challenge and generates a response so that the terminal can verify the signature. This also makes it much more difficult to copy the card because it is not enough to copy the available data, you also need to copy the key that is embedded in the card.

Cardholder Verification

- no verification -- sometimes no cardholder verification will be performed (for example contactless under certain limit, unattended terminals without PIN capability or on a plane when there is special rules for airline terminals because people are typically verified separately)

- Signature -- this is where US is stuck it seems

- offline plaintext PIN -- cardholder enters pin, terminal sends the pin to the card, card responds if the pin is correct -- this is the source of most of the skimming problem

- offline encrypted PIN -- same as above but the pin is being encrypted with a key established securely with the card. This is safe but the cards cost more.

- online PIN -- the PIN is never exchanged with the card, it is encrypted and sent to the bank and bank decides whether it likes it or not.

Transaction verification

- floor limit -- sometimes the transaction can be agreed between the terminal and the card. Typically there is some information stored on the card and set of rules that decide that this is possible. The card may be decreasing a limit of funds available offline and when it hits the limit it will force you to perform full chip transaction.

- online verification -- the message goes online to the bank and bank decides.
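
The cardholder verification methods listed in the comment above are what a chip card advertises in its CVM List (EMV tag 8E). As an added example, not part of the thread or any commenter's code, this Python decodes such a list and flags rules that permit offline plaintext PIN or no PIN at all; the sample list is constructed and the function names are hypothetical.

```python
"""Decode an EMV CVM List (tag 8E value) and flag weak cardholder-verification rules."""
from typing import NamedTuple

# Method codes: low 6 bits of the first byte of each 2-byte CV Rule (EMV Book 3).
CVM_METHODS = {
    0x00: "fail CVM processing",
    0x01: "offline plaintext PIN",
    0x02: "online enciphered PIN",
    0x03: "offline plaintext PIN + signature",
    0x04: "offline enciphered PIN",
    0x05: "offline enciphered PIN + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}

# Condition codes: second byte of each CV Rule.
CVM_CONDITIONS = {
    0x00: "always",
    0x01: "if unattended cash",
    0x02: "if not unattended cash, manual cash or cashback",
    0x03: "if terminal supports the CVM",
    0x04: "if manual cash",
    0x05: "if purchase with cashback",
    0x06: "if in application currency and under X",
    0x07: "if in application currency and over X",
    0x08: "if in application currency and under Y",
    0x09: "if in application currency and over Y",
}

PLAINTEXT_PIN = {0x01, 0x03}  # PIN crosses the card contacts unencrypted
NO_PIN = {0x1E, 0x1F}         # signature only, or no verification at all


class CvRule(NamedTuple):
    position: int           # 1-based priority order in the list
    code: int               # 6-bit method code
    method: str
    condition: str
    continue_on_fail: bool  # bit 0x40: try the next rule if this one fails


def parse_cvm_list(hex_value):
    """Return (amount_x, amount_y, [CvRule, ...]) for a tag 8E value in hex."""
    data = bytes.fromhex(hex_value)
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("CVM List needs 8 amount bytes plus whole 2-byte rules")
    amount_x = int.from_bytes(data[0:4], "big")
    amount_y = int.from_bytes(data[4:8], "big")
    rules = []
    for pos, i in enumerate(range(8, len(data), 2), start=1):
        b1, b2 = data[i], data[i + 1]
        code = b1 & 0x3F
        rules.append(CvRule(
            position=pos,
            code=code,
            method=CVM_METHODS.get(code, f"unassigned 0x{code:02X}"),
            condition=CVM_CONDITIONS.get(b2, f"unassigned 0x{b2:02X}"),
            continue_on_fail=bool(b1 & 0x40),
        ))
    return amount_x, amount_y, rules


def audit(rules):
    """Return (position, category) for every rule an issuer review should question."""
    findings = []
    for rule in rules:
        if rule.code in PLAINTEXT_PIN:
            findings.append((rule.position, "plaintext-pin"))
        elif rule.code in NO_PIN:
            findings.append((rule.position, "no-pin"))
    return findings


# Constructed sample: X = Y = 0, then five rules in priority order.
SAMPLE_CVM_LIST = "0000000000000000" "4403" "4103" "4203" "5E03" "1F00"

if __name__ == "__main__":
    _, _, sample_rules = parse_cvm_list(SAMPLE_CVM_LIST)
    for rule in sample_rules:
        fallthrough = "next rule on failure" if rule.continue_on_fail else "stop on failure"
        print(f"{rule.position}. {rule.method} ({rule.condition}; {fallthrough})")
    for position, category in audit(sample_rules):
        print(f"finding: rule {position} -> {category}")
```
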


>- offline plaintext PIN -- cardholder enters pin, terminal sends the pin to the card, card responds if the pin is correct -- this is the source of most of the skimming problem

>- offline encrypted PIN -- same as above but the pin is being encrypted with a key established securely with the card. This is safe but the cards cost more.

what's the difference between the two? can't the attacker put a physical keylogger on the pin pad?


Honestly it doesn't make much of a difference when it comes to classic skimming, because, yes, as you say, you can put a keylogger on the pinpad.

The problem comes from physically stolen cards, if your card doesn't rely on cryptography to secure the request/response channel you can insert a shim between the reader and the card to fake acceptance of an arbitrary pin. This specific attack has already been demonstrated, and if my memory serves correctly it's already being used in the wild.


> The US is chip & signature, and there is no PIN involved.

I'm in the US and the credit card I have through my credit union requires a PIN on chip transactions.


He's mostly wrong. The entire point of moving to chip is because liability stops being on the retailer if they implement EMV. Chip and EMV go hand-in-hand. Why bother upgrading your terminals for chip and not do EMV? Might as well stick with swipe then, it's the same liability agreement.

It's all a stopgap measure to chip and pin anyway. Once everyone is used to EMV and all the terminals have been replaced, we'll have a sunset on swipe and then move to chip and pin, which will be a minor upgrade. This will all take time. Let's remember the United States has a quarter of the world’s credit card transactions, but only 4.5% of its population. It's a very big cc market and change isn't going to come quickly.


Interesting, is this a U.S. thing? Because I remember reading about attacks on EMV in Europe and they all seemed to boil down to forcing a fallback to magstripe.


there is no magstripe fallback on chip and pin, there is offline mode fallback tho


I don't know about everywhere. But in my country, when the terminal fails to read the chip, it asks you to swipe the magstripe. Then it realises "oh this card should have a chip" and forces you to insert again.

After about 3 cycles, it gives up and accepts the magstripe (plus the pin)


In Norway, on the 3rd cycle, if it actually accepts more tries, you have to sign the receipt and if the purchase is more than 1000 NOK/130ish USD (might be higher) they have to phone the bank to verify/get a verification code to put on the shops receipt.

Often it will just deny the transaction completely and the shop queue grows _looong_


My understanding from working in a bank in the UK is that it is the shop's discretion to use signature instead of PIN with Chip & Pin however the bank does not refund/guarantee fraudulent signature transactions like it would a PIN code.


I've lived for long durations in the UK, France and Switzerland I've never seen this happen in any of them. However, I have seen it happen twice while traveling for a few days in Norway.


In the US, I have to try the chip and fail three times. Then it prompts me to use magstripe. My chip does not work, so have tested this a LOT.


Curious question: can you request a replacement card be issued? Broken chip sounds like something reasonable to replace for (insert mumbling about poor user experience and whatnot here).


I had this happen with American Express. Went to two stores in a row where the chip failed and I had to use a different card. Went online to request a new card and they sent one out immediately with no charge or really any questions (I think I did say that the chip stopped working, but that was it).

Later, before the new card arrived, I tried using the old one again and it worked, so I just chalked the whole thing up to those two stores likely using the same payment processor that was having issues that day or something.


Wow, that's crazy. My chip and PIN in Canada has a magstripe. Sometimes it'll fail and I'll have to swipe.

What do you do when the chip and PIN fails?


In the UK, it's never failed for me.


I've always found that cleaning the contacts fixes it


Most U.S. banks implement Chip and Sign, though, and enable the Magstripe fallback because retailers still haven't certified their systems end-to-end for Chip and PIN.


That's basically two cards in one package linked to same account.


I need to look it up again, but I recall the fix was to deny fallback for readers that support a chip. So this was an issue before but they fixed it.


Wait so what's the point of an old-style chip transaction then? Isn't it just painfully slower?


I'm curious how much slower the chip (EMV, or 'old-style') is than the magnetic swipe? Here in EU there is no difference, the transaction is done in a couple of seconds max and most of this is the time spent waiting for authorization response. The entry mode chip/magstripe/contactless doesn't make that much difference.


It definitely feels like it takes forever and completely disrupts the motion I'm in by making me wait around to do nothing. I've never timed it but the 10 extra seconds I read [1] sounds pretty accurate.

[1] https://www.cardfellow.com/quick-chip-slow-chip-card-transac...


Because it's a different experience in the US versus EU. I'm a US expat and my experience at registers abroad is way different with my PIN+Chip card -most of the time I use contactless, but for the few shops that have held-off upgrading their terminal, it's still pretty fast. I barely have enough time to put groceries in a bag before I feel my phone notify me of the transaction completion and the terminal tells me to remove my card.


It baffles me that the US is still struggling to get chip-and-pin working properly, when most of Europe has been using chip-and-pin for over a decade and is now transitioning to contactless. America seems weirdly bad at this sort of co-ordination problem.


Because the U.S. does not have chip-and-pin, we have chip-and-sign. The main reason is that federal law in the U.S. limits the credit-card holder fraud liability to $50, and does so with language around signatures. Those same laws also set out fraud penalties for people fraudulently signing.

Since all of the laws revolve around signing, we don't get PINs.

There is a second wrinkle to this for Europe: because there is no equivalent to these laws, in many cases Europeans are the ones completely on the hook for fraudulent transactions as the correct PIN number is seen as evidence of the consumer having leaked it. So in cases of fraud the U.S. chip-and-signature winds up protecting the consumer much more.


America doesn't even have chip-and-pin at all; we have chip and signature, which is a security joke (I've never seen anyone check the signature).


This is not true.

Maybe in your region of the USA chip and signature is prevalent but in my experience (SF bay area) every chip transaction has required a PIN.

Or perhaps it's your card-issuing bank?


Debit vs credit.

AFAIK ALMOST NO US-based banks issue chip+pin credit cards. Only chip+signature. Debit cards are indeed chip+pin, but in USA you'd have to be careless to ever use a debit card anywhere but an ATM.


This. I'd NEVER give thieves access to my bank account, that's what credit cards are for. Chip transactions take ~5 seconds, it just feels slow because with a swipe you can put the card away in your wallet while the processing is happening.

Chip+PIN doesn't really exist for US CCs. I've set up PINs on a few cards but they only work overseas where the terminal refuses signature.


Mastercard vs Visa. Visa issued cards do not typically support chip-and-pin. Mastercard issued credit cards often do.


In the UK at least, chip takes about 2 - 3 seconds. 4 or 5 would feel long. Contactless is usually instantaneous; I assume there's more caching involved somewhere.

I haven't seen anyone swipe, or swiped myself, in about 10 years, and that was only because the chip reader wasn't working at the time.


Contactless transactions for smaller amounts are often offline approved without requesting approval from the bank/network. This takes off the 2-3 seconds of the transaction time.


Apparently, there's an optimization that needs to get done with the retailer's bank. Big retailers have this completed so their chip transactions are very fast. Smaller ones either don't or need to go through a middle-man servicer which adds time and god knows if the middle man has completed this optimization. Subway restaurants, which are individually franchised, are like this. They just have one of those cheap chip terminals and the transactions can take 30+ seconds. Meanwhile at Walgreens it only takes a few seconds.

A lot of this has to do with Quick Chip, which forgoes writing the host authorizer ID to the credit card's chip thus simplifying and shortening the transaction. QC rollouts happen at whatever pace retailers want, so you'll see some shops using QC and others that don't.

https://www.cardfellow.com/quick-chip-slow-chip-card-transac...


The end result in credit card fraud is purchasing something and using a mule to send the fraudulently purchased item to a fencer, who sells it for cash.

Having a requirement that all vendors use chip-enabled cards simply increases the cost of producing each cloned card; so the goal is to raise the cost of committing the fraud.

At least that is my understanding.


No, it's not just slower. It's also much more likely to fail. I don't know why anyone bothers except that the card networks forced the issue.


It depends on the issuer. Dutch banks by default block all transactions outside of the EU (specifically targeted at countries that still use swipe transactions). That pretty much completely eliminated skimming.


The point of the chip is to make it difficult to create a counterfeit card.


I recently traveled to the US, and stayed in a hotel of a major brand which had some outdated payment terminal that only used the magnetic strip of the card (without even a possibility to enter the PIN). The transaction was over a thousand USD. I had cards from two different banks: one failed because the PIN wasn't entered, and the second one got through. But after several months the second bank somehow freaked out and charged back about a third of the amount (probably flagging the transaction as fishy or something). I tried to contact the hotel to somehow return them the money that was mistakenly returned to me, but apparently there is no mechanism to do that.


To be fair, they're the ones that don't know how to conduct business transactions in the 21st century. Consider that they just paid a "you had better update your system" tax.


To be fair, there are vast swaths of America, larger than some European nations, where credit card transactions are necessarily done on carbon paper with the old imprinting machines. I was at a hotel that did it just last week.

Updating your POS system to chip-and-PIN doesn't help if there's no infrastructure (or reliable infrastructure) to plug it in to.


Why are they "necessarily done on carbon paper"? You would be hard-pressed to find locations in the US, where credit card holders generally wander, where there is no inet access..


I assume they're referring to national parks, Alaska, and so on.

Yellowstone is the size of Cyprus, and Death Valley is the size of Montenegro, to use two examples without much internet access. Alaska is three times the size of the Iberian peninsula and most of it does not have internet (though to be fair most of it has no population or tourism).


Satellite internet is cheap enough that I'd consider the only good excuse to be a complete lack of power. And even that is becoming less true as solar drops in price.


I live near the Adirondack mountains in New York, where internet access is still dial-up or satellite. In most places populated enough to have stores, however, there is 3G cell service and that allows for wireless POS terminals and ATMs.

The places I've seen either use that or accept cash only.


> some outdated payment terminal that only used the magnetic strip of the card

Sadly, this isn't all that "outdated" here. There are still lots of places in the U.S. that don't use the chip and basically none -- does anywhere? -- use a PIN with it. I don't even know if I have a PIN on any of my credit cards, much less what it is.


Your issuer can use a PIN in the US - my credit card through my credit union uses a PIN, which confuses the hell out of most clerks. Sometimes I have to walk around the counter to reach their machine and enter the PIN, sometimes they have me sign the receipt (just at the bottom, since it doesn't print a signature line) so they feel better.


I think Barclaycard is the only major CC issuer in the US to have actual PINs on their cards but it defaults to signature. Here's what they say about it:

>Your credit card is a chip and signature card with Personal Identification Number (PIN) capability. In most cases when you travel abroad, you'll be asked to sign for your transaction. However, at some unattended terminals, such as train ticket kiosks, you may be asked to enter your PIN instead of signing.


I applaud your sense of fairness -- wanting to pay the hotel for the chargeback.

But on the plus side, maybe it will motivate the hotel to implement a more secure payment system?


In addition to fairness, I also don't want to get on some anti-fraud black list, because it might look to them like I used their services and then avoided fully paying for them. And they have all my identity information (passport number, etc). It's a convenient hotel in which I may need to stay again in future, and I don't want to look like a fraudster in their CRM system.


Can a consumer even initiate a partial chargeback on their card without the original merchant being involved? I don't think they can, so you probably have nothing to worry about as far as fraud lists or something.


Can a consumer even initiate a partial chargeback on their card without the original merchant being involved? I don't think they can, so you probably have nothing to worry about as far as fraud lists or something.

edit: Didn't see other reply


They did a partial refund specifically for fraud? Not the whole amount? That is extremely strange.


I'm not sure what the reason for the refund was. It was a mistake of some kind. From what information I could get from the bank, they were trying to charge back the entire sum, but somehow got only part of it.


Maybe exchange rate movements? If you paid in USD the chargeback will only work for the USD amount which could be less at the time of the chargeback. If your card is in GBP and it was in 2016, a difference of 20-30% is easy to explain.


Doesn't look like that because exchange rate fluctuation was about 5%. I think it was some human factor issue - "hey, look at this screamingly insecure transaction for a large sum of money, it can't be right". The chargeback was initiated on my behalf, but they don't have any records of me requesting it. Basically, their response is something like "yes, we screwed up, but at least we screwed up in your favor, why should you worry".


I still don't get why all credit cards have magstripe when we have had chip&pin for decades. Yes, I know it's required by a standard, but I see no justification for that. I have never used magstripe, but it's right there on my every card and there's no way to disable it (I've asked my bank for it), unless you deliberately destroy it (scratching or similar manner).


From the words in your comment, you don't live in the United States. The reason payment cards the world over still have a mag stripe is because, until a few years ago, chip cards were simply not a thing in the U.S. so the facilities for reading them simply didn't (widely) exist. Therefore, cards from other countries had to have magnetic stripes in order to work in the U.S.[0]

Even today, two years after the supposedly "drop dead date" for switching to chip cards, 40% of my transactions are by swiping.

0 - There are other reasons, like some ATMs reading the magstripe to ascertain whether a card has a chip and then prompting the user to leave the card in place. I've only encountered older ATMs that do this but it is another reason. But the most common one is that outside-the-U.S. issuers want their cards to work inside the U.S. if a customer of theirs travels there.


> so the facilities for reading them simply didn't (widely) exist

I live in San Diego, 8/10 places where I shop still have chip slot taped closed with a handwritten message "Does not work".


Which is problematic when you visit with a European card where only the chip works (swiping always gets declined). Luckily, some have contactless (mostly without the staff knowing about it) and for others it usually turns out that the chip reader does actually work.


I wonder how many of them actually work.


It wouldn't surprise me to learn that most of them work but that businesses want to avoid them because they slow down the checkout process.


Out of curiosity... Do these same places accept contactless payment, either by card, or e-wallet (Google/Apple Pay etc.) ?


When visiting Austin, US I went for a burger in Fridays near a highway and the cashier was like "Oh my god, I have never seen this thing working!!!" after my contactless worked on their terminal :D Apparently it's too much magic and people just stopped trying to use chip, contactless or anything else. Just cash and swipe :)


Had the same at a McDonald's in Boston. They even called the manager to show him what happened. Turned out that no one working there was aware that they had contactless functions, despite the advertisement at the machine.


I even get that in Belgium. And the occasional cashier that double-checks the terminal's ticket/output because they suspect the transaction is invalid because "as far as they know contactless doesn't work".


I think McDonald's was the first time I ever encountered a contactless terminal. It goes much faster than inserting the chip for some reason.


I love the system and like that it's being used extensively in some countries (e.g. UK) and becoming more prevalent in others (e.g. Germany). What's annoying are the differences in rules. In the UK it only works up to £30 (but terminals show the logo for any amount), in Spain it will work but I'll have to enter a PIN for higher amounts, other countries have completely different rules around that.


Contactless was narrowly deployed in the US 10ish years ago. It never took off as too few vendors had the terminals to support it. I only ever used mine at the local grocery store. I don't think you can get an RFID card from a US bank any more.


Capital One has started issuing contactless credit cards. They began in late June, I think. I have one.


For those of us stuck in 2007. Can you briefly describe how the contactless payment works ?


You just hold the card over the screen and it reads (I believe) an RFID chip in the card. No swiping or card insertion required.


And it's much faster most of the time.


How do you know if your card supports it? Try it and see if it works?


I had no clue until a cashier did it for me in a European country. There may be a little logo like this either on your card or on the materials when you get your card: https://en.wikipedia.org/wiki/Contactless_smart_card#/media/....

Once it was demonstrated to me, I went back and found out the cards I've had since 2013 (pre-chip).


RFID Cards or NFC from your phone. Hold your payment method near the reader and it pulls the card info wirelessly.


The only place so far where I can safely use Apple Pay without causing any frustration from cashiers is Whole Foods, cashiers in the rest of the stores either have no idea if the Apple Pay is supported or the terminal itself is not "enabled" to support Apple Pay.


Interestingly, I have been traveling in Ireland recently, and well over 90% of my transactions are Apple Pay.


Some of the retailers in the States are protesting Apple Pay and disabling it on the terminals even though it would otherwise be fully supported. Home Depot did this awhile back, they were one of the first places where Apple Pay worked and then it stopped working due to some corporate hissy fit.


That's a political decision. Stores like you to use store cards wherever possible (where they get a profile of what you've bought). Banks have to share profits with Apple for Apple Pay which is why they try to avoid it.


"The reason payment cards the world over still have a mag stripe is because, until a few years ago, chip cards were simply not a thing in the U.S. "

So let them have it, why should I care and endure security risk? I've never been to the USA nor am I planning to (at least not unless they fix that gestapo-like border control), but still my every card has a magstripe waiting to get skimmed. If I ever need to go to the USA, I'll get a suitable card.


> So let them have it, why should I care and endure security risk?

Because banks the world over are notoriously slow about doing anything that might nudge even a fraction of a percentage of customers over to a competitor. If they removed magnetic stripes (which, in the short run, would cost a bank money because that's a specialty card) and said "just contact us if you're going to the States and we'll overnight you a States-compatible card, no questions asked," nothing would stop a competitor from running adverts that say "why wait 24 hours and worry about not getting your card? We issue cards that work in the United States from day one!" Now the person who made the decision to delete the magstripe from cards issued by the first bank is out of a job and so now you see why his or her interests didn't line up with yours.

It's the same reason why chip-and-PIN isn't primary in the United States; chip-and-sign is. Over here, customers have been trained that entering a PIN means the money comes out of a checking (draft/demand/deposit) account while signing means it goes "on the card." Trying to get that mindset changed is more costly than just eating the potential stolen-card-being-used-before-being-shut-down fraud for most issuers.

(Some credit unions, primarily catering to people who travel overseas, and smaller banks that want to differentiate themselves are issuing PIN-primary cards but they are definitely in the minority. I happen to have cards from three of them--First Tech, Spokane Teacher's, and Target--for reasons of security and international use but I am also in the minority. Amusingly, it's large merchants who want PIN-based cards because it puts the onus on the cardholder, not the merchant.)


Because they could instead sell it as "an unskimmable card!". Many people I know have had their cards preemptively replaced by their bank because it was used at a store/ATM where other cards were skimmed. Avoiding worries/hassles like that could be a selling point.


Except some chip transactions are just the same data as mag swipe so even a chip only card isn't going to prevent skimming and subsequent fraud.


Get rid of the magstripe and bad actors will steal your card info using cameras (pretty much all the info in the magstripe is also printed on the card, that's how online shopping works).

It would be good to raise the bar, but it won't be an end-all solution.

At the end of the day, it's going to take quite some effort to move the entire payment industry to something more secure.

The current state of affairs is good enough in terms of cost for the banks vs loss from fraud.


3DSecure is also pretty widely deployed in my neck of Europe (Sweden).

EMV chip transactions and 3DSecure really ought to eliminate the vast majority of "card number stolen" fraud. Too bad it's all so poorly implemented.


"Get rid of the magstripe and bad actors will steal your card info using cameras"

Even if they see my PIN, they can't clone a chip, so what they are going to do with it?


Use it for online payments.


Wait, you guys don't use card readers for online payments? Edit: My bad, just realized you use credit cards instead of the debit cards we use in Europe. CCs here also don't use card readers for online payment.


Wait. What? You have to have a card reader for online debit purchases?


You need a valid address for that too and it's not on a card.


To elaborate a bit on what amenghra said, the information you are asked for when you use your card for a "card not present" transaction (card number, card security code, name, billing address, expiration date) falls into three categories.

• information required by the bank,

• information that the bank will check if you supply it,

• information that is not checked by the bank.

The first category, required information, is just the card number for most banks (and the amount to charge, of course).

The second category, checked by the bank if supplied, is everything except for the card number and the expiration date and the amount. This information is used for fraud control. If a merchant supplies it, the bank tells the merchant if it was correct. With many banks the credit card fees are slightly lower if this information is supplied. Even if the merchant supplies this and the bank says it does not match the merchant can go ahead with the transaction, although such transactions have a higher risk of fraud (and therefore chargebacks).

The third category, information not checked by the bank, is the expiration date. The expiration date check is at the payment processor, and that check is simply:

  if expiration_date < current_date()
    reject_transaction()

The expiration date on a card is just when that physical card is no longer supposed to be used. It is not an expiration date on the underlying account.

This is one reason why many people have gotten a surprise when they have had some kind of subscription they no longer wanted, and instead of actually cancelling it they just let their card expire and think the re-billing will then fail. There are three problems with that approach.

1. If the merchant marks a transaction as a recurring transaction some payment processors skip the expiration date check.

2. Some merchants include something like this in their re-billing code:

  if expiration_date < current_date()
    expiration_date = date_add(expiration_date, interval(3, 'years'))

3. Visa, Mastercard, and Discover (not sure about Amex) have updater services. Merchants can send a credit card number and expiration date to the updater service, and the service will tell them the current expiration date and the current card number for the underlying account. This one can be especially surprising to people because it can update both the expiration date and the card number.


Are you sure that the expiration date is not checked for any vendor? I recently paid online (Mastercard I think) and the transaction got declined because I entered the wrong expiration date. The date was in the future, I just entered a wrong month. So there must've been a check. But could be that they used 3D secure (or equivalent) and it got declined there, the check often happens too fast to notice.


I believe this comes down to the cardholder bank. My local credit union doesn't check expiration date of cards (I've tried as far out as 2029). CapitalOne does.


It's possible that some of the enhanced security systems, like 3D secure, do check more.

It's also possible that there is more checking for transactions that are not flagged as recurring payments.


Sadly not all banks validate the billing address. Some just check the zip code, others don't even do that.


Thankfully.

Trying to use a non-US card in the USA is a pain: most online shops or machines (e.g. NYC Metrocard) require a 5 digit ZIP. Cards from elsewhere don't have a 5 digit ZIP to enter. So usually I can't use those websites, at least if it's a machine I can pay cash.


By choice, to make it easier for our customers to pay (we are saas) we only require the number and CVV.


Do you have a payment provider that verifies that card?


If you know the name of a person, finding their address is pretty easy.


The core of the problem is that visible info on the card is enough to authorise payment. Visible info is not secret. Info that you share with every seller is not secret. Public information should not be good enough to authorise payment.

Payment should require some kind of private information, either from the chip, or from the head of the owner (like a PIN), but preferably both.


> Get rid of the magstripe and bad actors will steal your card info using cameras

They probably won't though, they'll probably just skim people who don't do that.


I use a company called Revolut to manage a card of mine. One of the options in the app is to explicitly disable Magstripe payments, so one wonders if you could ask your bank to disable it?


"one wonders if you could ask your bank to disable it?"

I've written in my other comment that I did ask. The answer was "it is not possible".


In the UK, I've recently had to swipe a card and sign the receipt as the card reader was misbehaving and that's what it wanted me to do. It's a reasonable backup. (I've also had to use a carbon-copy machine to print my card details onto a piece of paper to make a deposit a couple of years ago - now that was ancient tech!)


As the other replies allude to, the USA is extremely slow to adopt "new" things like chip&pin, and so in many, many places they still use swipe.

In so many ways going from Canada to the USA feels like going back in time, and swiping a credit card is always one of them.


"As the other replies allude to, the USA is extremely slow to adopt "new" things like chip&pin, and so in many, many places they still use swipe."

Well, we're relatively slow.

That is to say, after inventing credit cards we now have a lull in innovation and feature adoption.


Most of the time, the sentiment of non-US people is "What have you done for me lately?"

I catch myself falling into that trap.


At least we use credit cards at all. I was surprised to learn recently that buying things in Japan is still a largely cash-based experience. It's led to some weird consequences, like a ridiculously high number of vending machines per capita (1 for every 23 people).


Germany, too. I've only been to 38 countries and in very few have even magstripe transactions been common. (But that may be the fault of the countries I choose to travel in.)

But since most internet commenters never go anywhere, they buy into the "US is old and backwards and dumb" cliche that makes them feel superior to everyone else.


> But since most internet commenters never go anywhere, they buy into the "US is old and backwards and dumb" cliche that makes them feel superior to everyone else.

Because I am the OP of this comment chain, I feel that is directed at me.

For reference, this is me - http://theroadchoseme.com

I like to think I have been a few places, lived a few lives.


Yeah, Germany insists on eurocard, so often for folks without one, you end up having to use cash. Really weird since credit cards are accepted most places on the continent EXCEPT Germany.


Most large vendors will support it now, just small retailers don't. And then they complain that big companies push them out of business..


Waiting for capitalism to reveal a profitable hole in the market is sometimes slow.

I'd blame the 5 companies that control 50% of global credit card terminals that decided to keep things low cost in the US. Much of the blame probably also rests on the 5 banks that issue the majority of the credit & debit cards in the US.

In fact I believe the current chip rules are there just to hobble new entrants in the space. Probably 10-20 startups like Square built readers that they provided for free or nearly free and gave millions of units away. Many of these are garbage as a result, and all of the mag readers will be eventually.

The chip (with conspicuously missing PIN) legislation was a pretty expensive attack on all of those companies, intentional or not.


There's probably an order of magnitude or three more readers and POS systems to switch over in the United States vs. Canada.

Considering that Canada's GDP is a rounding error compared to the United States, it's going to take a while for any payment method change to spread nationwide.

That said, I've run into far more "cash only" situations in Canada than in the U.S.


Chip & pin never caught on here because the liability for identity theft/fraud is on the bank rather than the individual, so consumers don't really care.


It's a backup. I've heard from retailers that the failure rate on the chips is much higher than it is for swiping.

In Australia you pay for fuel after filling up, and one fuel station owner is dealing with an average of a driver or two a day who is unable to pay for fuel.

They don't carry cash, the chip/EMV is failing and they don't have the mag stripe linked to a facility since they're often debit cards.

Apparently the failure rate on phone based payments is also high(er).

It's one of those issues I wouldn't have considered before speaking to retailers.


Those bloody drongos should switch to pre-paid then. The unattended stations are all pre-paid…


That's why I always carry at least two cards. Cards fail, get blocked because of leaked data, bank fraud systems produce a lot of false positives etc..

The problem with a cashless society really is that you assume the tech is reliable. Unfortunately, that's often not the case.


When gas hit $4 a gallon in the US (yes that was considered expensive here), many of the stations disabled the "pump then pay" feature because of all the drive-offs they were getting (petrol theft). So you'd have to go inside to get the clerk to enable the pump.


Yeah, the chips are nowhere near as reliable as the magstripe. It seems like a transitional technology only - NFC is fast and reliable.


> NFC is fast and reliable

I know you're speaking of NFC chips in cards, but you might know — Does the phone version (Apple Pay/Android Pay/Samsung Pay) still work when my phone's battery is dead?


It won't - one reason why I think NFC-enabled cards will be around for a long time even if people only carry one as a backup for their phone.

Though theoretically your phone could have a RF-powered NFC chip in it that took over when the phone is off...


How do you deal with people pumping then just driving off?


Cameras, licence plate readers, and Police.


Gas pumps are going to be among the last places to use mag stripes because they might not have network connectivity. Pretty much everything else is moving to chip'n pin or tap.

I look forward to having banks issue cards without any mag stripe on them.


"Gas pumps are going to be among the last places to use mag stripes because they might not have network connectivity."

Again, that's a US-centric thing. Here in Europe, there's >99% cellular coverage (the remaining 1% is usually deep woods and mountains), so it's not a problem. What I don't get is why the rest of the world must still have magstripe and be open to the related risks, when virtually nobody uses it. I've never seen anyone using magstripe over here or seen a place accepting it, but I hear about skimmed/cloned cards and emptied bank accounts regularly.


I don't have an answer to that.

If you are really concerned about having your card skimmed, you can take any simple magnet and erase/scramble the data by waving it over the mag tape.

You can check that things worked by swiping before and after at some place where they'll let you swipe (or by making/buying a reader).


> What I don't get is why the rest of the world must still have magstrip and be open to the related risks

Because, like it or not, it doesn't make economic sense for the issuers to remove them.

The US is still a place where a lot of transactions are done, and despite the last 10-15 years of immigration bullshit, a ton of people still visit the US from abroad. A non-US card issuer isn't going to spend money to get a custom card without a mag stripe in the first place, and also then be at risk of losing customers who do travel to the US. Offering a special mag-stripe-free version of the card for an extra fee likely isn't worth it to them either, especially when they're fine eating the cost of fraud, and don't care that canceling your card is an inconvenience to you.


Again that Euro-centric thing. Remember that Europe is a very small place. There are gas stations in places with spotty or no cellular coverage not only in the United States, but all across Africa, Asia, Australia, and South America.


By all means, yes! That's where I'm getting -- there's no "one size fits all" solution and there's no point of carrying easily cloned magstripe in places where it is not used.


Remote truck stops in some countries have been doing GPRS transactions for years (maybe not for credit cards but certainly for fuel cards).


Hmm, is there no offline mode at all for chip + PIN?


There is, but if the amount is higher than a certain threshold or online PIN wasn't used for a certain number of transactions, an online PIN is requested.


Another reason is fallback transactions. I get these a lot with my card, I assume because the contacts aren't in great shape. I don't think any merchants have actually cared enough to check my card for intentional damage to the chip when processing a fallback transaction, but even with the magstripe I get asked for a PIN (NZ). https://www.level2kernel.com/blog/index.html%3Fp=136.html


I have been developing credit card terminal applications and security systems professionally.

Magstripe is historically a fallback mechanism for when the chip on the card or the reader in the terminal might be damaged.

There is also a class of terminals that may not have the chip reader altogether, for example airlines didn't bother with chip at all for a very long time.


I don't know if this is why, but magnetic seems much faster than chip...


Because you don't need any checks. AFAIK, the PIN confirmation via chip takes at least a second. Online transactions take longer to confirm.

That's nicely solved with contactless. You get immediate confirmation that the card was accepted but the terminal still confirms online. The feedback comes 3-5 seconds later. That still allows the retailer to stop you if the card was declined but you can already use the time and don't have to wait until you can remove the card.


In addition to dx034’s answer, you put your card away right after swiping, but it’s still processing. With chip, you can’t remove it until it processes.


This is an awesome article breaking this down really well. So why are you all talking about Chip and PIN? Talk about the article and about the technology; stop arguing the politics of chip and PIN.


Most interesting part is that they managed to get the hex dump of the software. Quick glance shows there are no copyright texts in it, bummer!

I'm not an expert in PIC assembly but it seems there is very little code and there are no obvious code paths, like a switch..case like construct for processing the serial commands. Lots of I/O and not much more. Most likely they are not decoding the magstripe data in PIC but just get the decoded data and store it.


I just tried disassembling the hex file. Unfortunately, the code protect bits are set (location 0x300008 is 0x00). This means that the ROM from 0x000800 to 0x007FFF will read as zero. And indeed, that entire space is filled with zero. So, I think we're missing much of the actual firmware.

Edit: And the reset vector begins with a branch to location 0x001ACA, which is all zeroes, so I'm pretty sure most of the firmware was not read out due to the code protection.
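The checks described in the comment above, as an added Python example (not part of the thread and not SparkFun's code): it parses an Intel HEX dump, reads the config byte at 0x300008, measures how much of 0x000800 to 0x007FFF reads as zero, and decodes the reset vector. The sample image is constructed, and treating the low four bits of that byte as active-low code-protect bits follows the PIC18 layout, which is an assumption about the part.

```python
# Added example: triage a PIC Intel HEX dump for signs of a code-protected readout.
# The sample image below is constructed; it is not the skimmer's firmware.

CONFIG_CP_ADDR = 0x300008                # config byte cited in the comment
PROTECTED_RANGE = (0x000800, 0x007FFF)   # ROM range cited in the comment


def make_record(addr16, rectype, data):
    """Build one Intel HEX record with a valid checksum."""
    body = bytes([len(data), addr16 >> 8, addr16 & 0xFF, rectype]) + bytes(data)
    checksum = (-sum(body)) & 0xFF
    return ":" + (body + bytes([checksum])).hex().upper()


def parse_intel_hex(text):
    """Return {absolute_address: byte}; handles record types 00, 01 and 04."""
    mem, upper = {}, 0
    for lineno, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':'")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or (sum(raw) & 0xFF) != 0:
            raise ValueError(f"line {lineno}: bad length or checksum")
        count, addr, rectype, data = raw[0], (raw[1] << 8) | raw[2], raw[3], raw[4:-1]
        if len(data) != count:
            raise ValueError(f"line {lineno}: byte count mismatch")
        if rectype == 0x00:                      # data
            for i, b in enumerate(data):
                mem[(upper << 16) + addr + i] = b
        elif rectype == 0x01:                    # end of file
            break
        elif rectype == 0x04:                    # extended linear address
            upper = (data[0] << 8) | data[1]
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rectype:#04x}")
    return mem


def word(mem, addr):
    """Little-endian 16-bit program word; bytes absent from the file count as 0xFF."""
    return mem.get(addr, 0xFF) | (mem.get(addr + 1, 0xFF) << 8)


def reset_target(mem):
    """Decode a PIC18 GOTO or BRA at the reset vector (address 0), else None."""
    w1, w2 = word(mem, 0), word(mem, 2)
    if (w1 & 0xFF00) == 0xEF00 and (w2 & 0xF000) == 0xF000:    # GOTO k (two words)
        return (((w2 & 0x0FFF) << 8) | (w1 & 0x00FF)) << 1
    if (w1 & 0xF800) == 0xD000:                                # BRA n (signed 11-bit)
        n = w1 & 0x07FF
        if n & 0x400:
            n -= 0x800
        return (2 + 2 * n) & 0x1FFFFF
    return None


def analyse(text):
    """Summarise the evidence that a dump was read from a code-protected part."""
    mem = parse_intel_hex(text)
    lo, hi = PROTECTED_RANGE
    present = [mem[a] for a in range(lo, hi + 1) if a in mem]
    zero_fraction = sum(b == 0 for b in present) / len(present) if present else 0.0
    cp = mem.get(CONFIG_CP_ADDR)
    # Assumption (PIC18 layout): bits 0..3 are CP0..CP3, where 0 means protected.
    protected_blocks = [i for i in range(4) if cp is not None and not (cp >> i) & 1]
    target = reset_target(mem)
    # Real code at the branch target would not be four zero bytes in a row.
    target_blank = target is not None and all(
        mem.get(target + i, 0xFF) == 0 for i in range(4))
    return {
        "cp_byte": cp,
        "protected_blocks": protected_blocks,
        "zero_fraction": zero_fraction,
        "reset_target": target,
        "target_blank": target_blank,
        "dump_incomplete": bool(protected_blocks) and zero_fraction >= 0.99 and target_blank,
    }


def build_sample():
    """Constructed image mirroring the comment: readable boot block, zeroed ROM."""
    recs = [make_record(0x0000, 0x00, [0x65, 0xEF, 0x0D, 0xF0])]   # GOTO 0x001ACA
    recs.append(make_record(0x0008, 0x00, [0x12, 0x00]))          # filler boot-block word
    for addr in range(0x0800, 0x8000, 16):                        # protected ROM reads 0x00
        recs.append(make_record(addr, 0x00, [0x00] * 16))
    recs.append(make_record(0x0000, 0x04, [0x00, 0x30]))          # upper address 0x0030
    recs.append(make_record(0x0008, 0x00, [0x00]))                # byte at 0x300008
    recs.append(make_record(0x0000, 0x01, []))                    # end of file
    return "\n".join(recs)


if __name__ == "__main__":
    for key, value in analyse(build_sample()).items():
        print(f"{key}: {value}")
```

Erased flash normally reads as 0xFF, so a long run of 0x00 together with cleared protect bits points to a blocked readout rather than empty memory.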


From a quick Google Search, a Russian company is offering microcontroller code-dumping services: https://russiansemiresearch.com/en/faq/

I have no idea if this is legit or not. I doubt your law enforcement would let you access their services anyway.

Edit: My guess would be they work with industrialized de-capping + software to dump the memory, like this: https://www.bunniestudios.com/blog/?page_id=40

There are other "chip intelligence" companies in the US, some of which probably have such services. At a different cost.


On some of these embedded chips there are methods to glitch the fuses for read protection by messing with the power (a form of fault injection attacks). These used to work a few years back but I haven't heard if they still do.


The first gas station chain that offers Apple Pay/Android Pay as a payment instrument gets 100% of my business. I'm really hoping Costco will enable the contactless payments on their pumps sooner rather than later.


I've noticed that Chevron is updating a lot of their pumps to have an Apple Pay/Android Pay option. My experience with the two stations I use regularly is that the pump I choose has a 50% chance of working. But the annoyance is worth the security of not using my card.


The new gas station near my house does contactless. I think that now that the credit card networks are pushing liability onto the merchants we will start to see more and more of these popping up.


Heh unfortunately gas station pumps are exempt from the immediate liability shift and get an extension (https://usa.visa.com/visa-everywhere/security/emv-at-the-pum...) which means this will be a prime attack vector as the shift changes over the next few years.


A lot of the new Gilbarco 700 series are coming with them. We're looking at them now and are wanting to get them. Most of the Gilbarco 500 and series 700 can be updated to have them.


A lot of Exxon/Mobil stations do now.


IIRC, when I lived on the East Coast in the 90's, Exxon was a pioneer with contactless payments. They had a little round thing that looked like a quarter of a pencil that you could put on your keychain to make payments at the pump.


I also remember this in Canada in the late 90s. ESSO had such a device. I think other stations (Shell, Petro Canada) also did.


Tried this last month, and it totally didn't work. Tried 3 times and even went in to the cashier twice, who tried to figure it out. Never got it working.


In the second image here [1] there's a security seal on the payment closure as a whole; I'd imagine a simple security seal along the side of the card scanner intake would thwart most would-be card skimmers, no?

At that point the employees could just make it part of the standard inspection and it'd be more obvious to customers if they were missing.

[1]: https://cdn.sparkfun.com/assets/learn_tutorials/6/9/4/Gas_Pu...


The caption right under that image is: "Front of a US Fuel Pump complete with extremely difficult to source security seal"

"extremely difficult to source" is a link to an ebay page with thousands of different security seals.


It seems to me that you could just put some kind of sensor on the inside of the gas pump access door that notifies someone as soon as the door is opened. If you know there is a maintenance guy scheduled for that day/time, then you just ignore the notification. If not, then you know that there has been unauthorized access to the pump.


That requires money and ongoing effort on the part of whoever monitors that system. As the article stated, there is not a monetary incentive to the responsible party (the station owner) to make this happen. Even with an incentive, it's still an arms race with the bad guys. Things will only get better when we have more secure payments.


Lots of people have access to gas pumps and their keys. Not just the station owners, but the managers. Also city/county/state weights and measures regulators, the guy who maintains the attached screen that shows the local news and weather loop, and probably more that I don't even know about.

From what I've seen about gas pump locks, they look about as "secure" as those round keys that came with every IBM AT-clone in the early 90's. They kept the weak and the ignorant out, but you could unlock your buddy's rig at will.


So... is the trick to have your own key so you can open these things and have a look inside before you swipe your card? If the store is not going to offer me security, I'm going to take care of it myself.


They also link to a page on ebay in the article where you can buy those seals.


Nice writeup. But in the article they write:

> Are you angry that your card has been stolen, again? Contact your local congress person or senator and ask them to pass legislation that fines gas stations $100 for every card that is discovered on a skimmer in one of their pumps. It’s ultimately up to the gas stations and pump manufacturers to secure their pumps.

Suggesting a solution like it's an easy fix always bugs me a bit. Would a 100USD fine actually work here? The issue seems more with the fact that the US hasn't upgraded to a chip&pin style system. You might end up just costing the gas stations more money, when they don't actually have the power to do much about the problem.

It feels a bit like victim blaming, when in this case the victim has little choice but to work with the system as they find it.


The deadline for retailers getting on board with chip readers was October 2015. Gas stations pushed back and got it moved to 2020 because of the high costs (according to them) associated with swapping out card readers attached to pumps.

The way I understand, after the 2020 deadline, gas stations will be liable for fraudulent charges (or at least associated fees).

Also, I've had my debit card skimmed twice in the past 3 years. A smart gas station (or chain) would pay to put chip readers in NOW and advertise that feature. I'd go there exclusively.


> I've had my debit card skimmed twice in the past 3 years.

Huh. I suppose that is the one advantage we have in Oregon where we are not allowed to pump our own gas.


Full service gas stations have a long history of "old fashioned" card skimming - at least from my experience in New Jersey. My mother uses a separate credit card explicitly for gas stations because her credit card has been skimmed at NJ gas stations a half dozen times over the years.


Full service stations don't preclude a lack of terminal tampering. If the gas station closes at some point in time anyone can tamper with it after hours when it is unstaffed. Additionally, tampering can occur by criminals paying off employees to install skimmers.


Or an employee who covertly swipes your card with a reader that fits in his pocket before putting it through the pump


Didn't that partly change recently? When we were up in Oregon for the eclipse, one of the folks told us that you can now self pump between....some hour in the evening I can't recall and closing time.


Yeah, I lived in Bend for 3 years and miss that (among other things).


>Would a 100USD fine actually work here?

Yeah. The number of cases being reported would go down when gas stations start throwing skimmers they find in the trash instead of calling the cops.


Right... this sounds like a really strong possibility. Why didn't I think of that. :)


It's not the gas stations that are committing the crime. Why should they be fined? It's the people breaking into the pumps and installing the skimmers.

Most stations do what they can with security seals, frequent inspections, I've even seen some that install hardware-store hasps and padlocks on the pumps.

I do wonder why they have not converted to chip cards though. Almost all other retailers have.


The article says that

> Essentially, the perpetrator opens a pump using one of a few master keys, unplugs the credit card reader from the main pump controller, plugs the card reader into the skimmer and plugs the skimmer back into the pump controller. This reportedly takes less than 30 seconds.

So I'd say that at least those stations whose pumps can be opened easily with a master key should be liable if their careless handling of customer data leaks credit card details to skimmers. A fine would put additional pressure on the pumps with the worst security and might eventually lead to widespread deployment of something like the alarm system proposed at the end of the article.


Right but we're working with incomplete information. Who mandates the use of those pumps? Are better, more secure pumps available? Do the gasoline suppliers mandate that certain pumps are used? etc. etc.

So it's not clear that these things are purely under the gas stations' control and that a simple fine would solve the issue.

Alternative solutions might include:

1. Mandating stronger security certification of public facing card readers.

2. The police more aggressively prosecuting these offenses (raising the cost to criminals who are caught and making the offense less profitable).

I don't have complete information, so it's not clear to me which solution is best. But it doesn't seem obvious and simple.


Here in Oregon, it's state law that only gas station attendants can fill vehicles. It seems that this would prevent some of this, but of course it doesn't prevent the skimmer from being installed after hours or by the attendants themselves.


A gas station with a skimmer is like a gas station with a gas spill -- it's a hazard on their property that is open to the public. They have a responsibility to maintain a safe environment, or else close off the property.


I assume when a gas station operator becomes aware of either a skimmer or a gas spill they remove it.

I guess in both cases what they can do to prevent those things from occurring at all is limited. Is anyone arguing that they don't monitor for skimmers on a regular basis? It's just that the criminals keep putting them back.


Here is what Visa has to say about the matter: https://usa.visa.com/visa-everywhere/security/emv-at-the-pum...


Hardware changes are annoying and expensive. Here in Canada where gasoline crested over $1.00/L it took an incredible amount of time for vendors to upgrade their equipment to handle the extra digit. Many locations had numbers physically taped on to their pumps and signs.


Pretty much all US cardholders have chip+pin now. I’d say about 75% of retailers support it.

(Not sure if this is how it works outside of the US, but we currently have cards with both magstripes and chips. You use the chip where it’s supported, the stripe where it isn’t.)


I've never seen Chip+Pin on a Credit Card in the United States outside of Target Stores that uses it on their own store card.

Everywhere else is Chip+Signature.

Are you thinking of Debit Cards? (I won't use these. I got my bank, BOFA to issue me an ATM card that's not a debit card.)


Yeah, my debit is Chip+PIN. Curious, what do you have against debit cards?


Try getting your money back if it's stolen. (And try convincing the bank you didn't give someone your PIN!) With a credit card, it's the bank's money.


Very few credit cards are chip and pin, they're mostly chip and sign. And I don't think I've ever seen a gas station with a chip reader, so the chip's not really doing you any good if you're just swiping anyway. I believe the gas stations were given a longer timeframe to convert.


Here in Australia it's pretty much 100% chip and PIN or contactless payments (paypass). Has been for a number of years now.

I don't think anyone swipes cards unless there is something wrong with the payment terminal. Even vending machines are tap and go.


If you swipe an Australian-issued card in an Australian-issued payment terminal, it will insist that you use the chip instead. Only if there is a problem reading the chip are you permitted to use the magnetic strip. Either way, the correct PIN number is required.

I believe that the magnetic strip can still be used for certain low-value transactions by stable merchants (e.g. street parking meters) but such exceptions are rare. Certainly never the case in a normal retail situation.

https://www.cnet.com/au/news/australian-credit-cards-boost-s...


There's a loophole in Australian regs that I recently noticed. With a foreign card on credit, you can swipe and OK past the PIN prompt with no PIN. Most merchants don't know they are supposed to sign and verify after that.

Of the dozen times I've tried it I've been prompted once to sign - and in that case the card had no signature on it and the merchant waved it away.

I'm in the process of figuring out the scope of this issue and how to fix/report it - I think the solution will be for terminals to enforce prompting for ID/signature.


> I'm in the process of figuring out the scope of this issue and how to fix/report it

Don't bother, the merchants and card issuers are well-aware of this. You're supposed to reconcile your card statement with your expected transactions, and dispute irregularities. If you attempt to fraudulently claim that you didn't perform a transaction, the issuer goes to the merchant to get a copy of the signature & uses it as proof you authorized the transaction.

If a fraudster forged your signature, you simply assert that the signature is not yours. If you attempt fraud here (sign in an unrecognisable hand), the fraud investigations will try to put you at the scene with CCTV recordings/handwriting matching/etc. Hopefully you have not signed any affidavits that the signature is not yours, because then you'll be up for perjury as well as fraud.


PIN-bypass is a pain. Until people are all moved to just be chip/PIN or even just PIN, the only way is to add a bunch of prompts to hopefully force the staff to check for signature or to add delays/confirmations to make the process too annoying and force the customer to change.


Same here in the UK - it's ALL Chip & PIN, I can't even recall the last time I had to swipe my card[1], and I use it a LOT (yay, Airmiles!).

If the payment is <= 30 GBP, it's an offline transaction as well. Anything over that amount triggers a round trip to the backend servers.

As an aside, it's now perfectly possible to live a cashless life in the UK if you wanted to.

--

[1] That said, I think ATMs read the mag-stripe... but I don't really use those either these days.


> If the payment is <= 30 GBP, it's an offline transaction as well

It's still online (card-present check), but skips authorisation (no PIN needed).


> it's now perfectly possible to live a cashless life in the UK if you wanted to

Perhaps in London. Try spending a long weekend in Torquay.


I'm sure the Tesco, Sainsbury, Co-Op, and Waitrose in Torquay can handle card payments if you were really stuck.


I haven't found a single place so far that supported the chip+pin transaction. Everyone has the terminals but they are either set to not do the pin transaction or they are taped off with a "broken" sign.


Here in Washington the chip readers are sometimes taped over... nearly always in, you guessed it, gas stations. They have the hardware but it's disabled.


Yep, also in Washington, same here.


We do? I've seen chip + signature all over the place, but I don't think I have a single chip + pin credit card.


Target cards are chip + pin, IIRC


You can thank Russian hackers for that.


The chip was to avoid skimmers like this...

When implemented there was a liability shift. But as always the US is far behind the rest of the world.

In Denmark the chip was added in 2004, and fully adopted 4-6 years later.


If your credit card number is stolen you simply contact the provider and they will (usually) refund any fraudulent charges and send you a new card. In turn, the credit card companies simply do a charge back to the gas station (taking the money from the station and refunding it to the customer whose card has been stolen).

There is no charge back to the gas station, the cards are used to steal other things. They were just skimmed at the station.


It seems like one could make a bluetooth snooper that looks for people who connect to the skimmer? Then you could catch skimmer users when they download the data.


I'd guess the police don't have the resources/are not interested in this kind of crime. I also doubt it's much of an issue for the gas station itself. The card is skimmed at the gas station, but does that mean the cloned card will be used there?

I mean, sparkfun are great, but they're not pentesters. The fact that the police went to them probably means they didn't have the resources to hire a pentesting firm (or do it internally). I'd also guess they don't have the resources to police these crimes either (which would mean a lot of hanging around at gas stations).


It might be possible to make a small device (maybe using the same Bluetooth module as the skimmer) that listens for someone issuing the command to download the card numbers and then automatically calls the police, no need to have someone monitor it in person. I don't own a car, so I'm not that familiar with gas stations, but I assume most will have security cameras that can get you the perpetrator's license plate. That ups the bar for successful skimming to also include fake car papers and will probably deter small-scale criminals.


If they already have security cameras, then they already have everything they need to catch someone installing the device.

This being the case, the criminals have likely either already figured out how to avoid the cameras (or park out of sight). Or the police are not acting on this information because it's not seen as a priority.


> they already have everything they need to catch someone installing the device

...except for the timestamp of the installation event. Or the resources required to brute-force through mountains of footage to find the event.


Or the ability to see through the hoodie the guy's wearing.


As there's only a few pump manufacturers, which means only a few master keys, it would make sense for the fuel station to check each pump before opening up every day, if not open 24hr, and if they wanted to be more secure, to check all pumps every few hours, then run back through any CCTV should a device be found. Yes it's more work, but unless there's penalties attached for fuel stations to keep their equipment secure, just like medical centres need to keep their equipment secure, so repeat prescriptions are not modified or other historical records interfered with which could lead medical experts down the wrong course of action which could be life threatening (think removing penicillin warnings), then what hope do you have?

All consumers can do is use fuel stations which have good CCTV fitted, and if really unsure, pay inside.

The companies that manufacture these cards do so for many businesses, they are a high value target, ones like Oberthur & Gemalto to name just a few, and have global franchises with many. These guys are under pressure to get cards out to customers for various entities as quickly as possible, so you'll find many cards are similar except in print design and stamping. As a result, hacking these cards, due to being globally standard, makes life easier for hackers as well, so I wouldn't be surprised to see similar techniques like card skimming being used in other outlets that accepted payments, especially where staff are not involved, like some McDonald's outlets or vending machines.

It seems if you have intelligence, you can live freely or vastly reduced provided you can remain anonymous when old school CCTV and other methods are used to identify you.


I like the pump check idea you mentioned.

Every morning just check each pump. Pretty basic stuff and that would mean easy-to-discover skimmers never sit for > 24 hours. You could then assign liability to undetected skimmers after a window of time.


Gas station workers probably don't have the technical know-how to spot a skimmer.


Open known-clean pump. Take picture of inside. Give picture(s) to worker, tell him to look inside every day and compare to picture(s). If the inside of the machine doesn't look like the picture, call manager, and put "Out of order" sign on machine.


Operators will find replacement mules. Sure, catching mules adds friction, but it's no silver bullet.


I'm curious if they are also logging the zip code entered via keypad. I can't remember the last time I used a pump without zip code validation.


As a foreigner who travels to the US on occasion - and therefore doesn't actually have a US zip code - what's up with that? If you have a keypad installed anyway, then why the hell not accept the chip reader with pin code? Not complaining or anything, but it's quite baffling. Nowhere else in the world that I've seen, they don't restrict payments to locals....


Try using a pump in Israel. I had to ask for help every time. Not only is Israel still using mag stripe, there's also some sort of national ID # you have to enter into the pump. And the license plate # too I think. I think tourists are supposed to be able to use all 0, but I couldn't navigate it.

This is from 2012 but seems pretty close to what I dealt with there last year: https://www.tripadvisor.com/ShowTopic-g293977-i1733-k5730382...

Which is to say: every country has its weird thing. :-)


In Australia, we have this weird thing where you pump the fuel then walk into the shop to pay. It's just a ruse to get you to buy energy drinks and two chocolate bars.


In New Jersey (and I think Oregon), you can't pump your own gas. Full service only.

Years ago (this predated energy drinks by a couple decades) I filled up at a rural station in GA that had old mechanical pumps. I went inside to pay, having not taken note of the cost. When the cashier asked me how much I'd purchased and I told him I'd have to go check, he waved me off and pulled out a pair of binoculars to read the charge off the pump.

I like to think now he foresaw the coming age of skimmers and wanted his pumps to remain immune.


That's how it was in the US about 15+ years ago (in Oklahoma at least). I don't think there was any kind of law about it, it's just how it was done. You pumped, then went inside to pay. Occasionally, you'd come across a gas station in a bad area, and they had a sign to pay inside before you pumped (due to people pumping and then speeding off).


It used to be like that here in Denmark, but due to a rash of fuel thefts, now it's all pre-pay at the pump.

It was so odd going to Germany last month, and actually being able to pump and then pay in the shop afterwards.


They don't restrict payments to locals. Usually if you don't have a zip code the machine accepts 00000. I've been to a couple gas stations that explained how to enter your postal code if you are Canadian (with letter substitution, I think I've only seen 0s for letters. So if your Canadian postal code is ABC 123 then you enter 000123). If the machine is set to deny all cards without a zip code you can always pay for your gas INSIDE as the card terminals inside are "normal."


Nearly all US card issuers don't do chip&pin, it's chip&signature (yes, useless, I know). So the gas stations have little incentive to upgrade since there's nothing to sign. Another poster on this thread suggests that non-EMV chip transactions (which are the vast majority in the US right now) aren't any more secure than a mag strip swipe, so there's not much of a benefit.

I'm not sure, but I'd expect that if you don't have a US zip code you can just go inside and use your card with the cashier.


Yes, absolutely you can go inside and pay, the annoying part there is that you have to guess how big the tank on the rental car is, especially when returning it full.

First world problems, yes :)


Pay with cash, pump, then go inside to collect your change. That’s what I’d do. And if you prepay inside with your card, you still should be able to go inside for change.


Thanks, I'll try that.


I don't get it. If you want to return it full, just fill it up.


You must pay prior to filling up in the US.


So say you're going to pump $100 worth of fuel, and stop when the tank is full? You'll only be charged for what you pump.


Didn't work that way for me - last time I was filling up, I did pay a bit more before than fit into the tank and checked the bank account later - got charged for the full amount.


That's weird, they should just put a hold on for the amount you entered and then charge the actual amount pumped. Sometimes the holds appear as charges? Did you get a refund later?


Ah, that makes sense. Is this the case everywhere in the US?


The zip code is to prevent criminals from stealing gas (via vendor fraud chargeback) via a card stolen elsewhere, not to prevent criminals from stealing cards at the gas station.


The real reason for requiring zip code entry is a lower interchange fee for the station. If they didn't get a lower interchange fee they wouldn't care at all. It is also the only identity verification information that can be entered on a 10 key pad.


I wonder if they use the stolen cards to steal gas from other stations, that eventually by and large gets sold back to stations from what I have read.


It might be the case that enough of the zip codes are the same as where the pump is located or a few adjoining areas that trial and error would work well enough.


I don't believe the most common skimmer has access to this, but the prevalence of required zip code with other transactions is so low it doesn't matter.

Most frequently required: 1. Card no. 2. Expiration 3. CVV 4. Full name 5. Zip code (or address)

But plenty of transactions will be fulfilled with just #1 and #2.


Used one without zip verification the other day in Los Angeles.

Before I started pumping my gas someone walked up and offered me $25 in gas for $15 in cash.


From the write-up, it sounds like these were just grabbing the card data. Where I live most pumps do ask for zip code but a non-negligible number don't.

Why haven't gas pumps converted to chip cards?


In many areas the zip code associated with the cards will likely be one of only 1-3 choices, particularly if the gas station isn't on a through road.


The overwhelming "defaultness" of the whole thing makes me think these were actually intended as conversion adapters or something else that wasn't purpose-built for pump skimming. The complete lack of code protection (setting it is literally a single checkbox in the programming utility --- and almost all commercial products with an MCU will have this protection enabled), leaving the markings on the chips (I've seen more legal devices with them scrubbed off), and default password unchanged are the most noticeable.

Googling "bluetooth magnetic card reader" also yields quite a few results like this one:

https://www.amazon.com/Deftun-MiniDX4B-Wireless-Bluetooth-Co...


The code on the PIC is protected. The hex dump that is presented has sections filled with zeros, as that is how PIC code protection works.


I was skimmed at a gas station last winter. I pay with cash now.


Why? You're not responsible for fraudulent charges and now you're out on points / cash back.


It's still a hassle.

I had my card skimmed while on vacation earlier this year. The next week I was eating at a restaurant and got a call from an unknown 800 number that I didn't answer. My card was declined at the end of the meal. I called the number back and it was the issuing bank's fraud department saying my card was used suspiciously and they've cancelled it. Because I was still on vacation it was a big hassle involving finding a place to fax a typed, signed letter to get my new card sent to an address I'd actually be at.


> I was eating at a restaurant and got a call from an unknown 800 number that I didn't answer. [...] I called the number back and it was the issuing bank's fraud department saying my card was used suspiciously and they've cancelled it.

Once, I was also eating at a restaurant when I got a call from an unknown number. I answered, and they said it was the issuing bank's fraud department, saying my card had a couple of suspicious transactions...

But the call itself was the fraud. Luckily, I knew from the beginning that it was a fraud (the value of one of the "transactions" was high enough that I would have received a notification SMS), so I strung them along to waste their time, and stonewalled the moment they asked for personal information. And just to be sure, I went to a bank branch nearby (it was lunch time, and there are several bank branches within a few hundred meters) and they confirmed the "suspicious transactions" didn't exist at all.


I can give you two good reasons. One is to not reward the scammers by giving them free money. The second is that my wife and I have had to replace our credit card about six times in the past three years. Contacting all the places where we have autopayments set up gets to be annoying quickly.


>Contacting all the places where we have autopayments set up gets to be annoying quickly.

Please elaborate on this. Do you mean changing the card numbers at all the subscriptions?


What else could they possibly mean? No elaboration is necessary…


I went to LA for a trip this summer and a charge of $99 from a gas station appeared on my card 2 weeks later. I got it reversed, but it is still a hassle to change the card number everywhere.


Why are we still using magstripes? It's 2017! There's all this cool stuff happening! I have a laser-guided robotic vacuum cleaner. SpaceX is landing rockets on boats. The Navy has a real life railgun. We have self driving cars, which means it's only a matter of time before there's a country song about a guy whose truck leaves him. Yet... I can't pay for something securely.

Please, no more signatures. NFC or Chip/Pin please!


in more civilized parts of the world:

cc companies (and country acquirers) have a thick book of rules and complex/expensive certifications.

if you don't follow the rules either the device doesn't get to connect or any loss due to fraud is applied on the site owner.

also: emv + single unit sealed/tamper resistant payment component (the reader, screen and pinpad are one)

also: pumps are remotely monitored for case opening and video surveillance (at the very least to counter staff theft).

this isn't a problem in some countries.


very thorough article - I've always wanted to know how these worked. I had no idea that many of them used Bluetooth / serial etc.

One revision to the post I'd like to see - I'd love to see a section on how they attach to the actual reader. I know they mentioned MitM attacks, but do these readers fit over the top of the skimmer? Underneath? Behind the entire skimmer? Are they visible from the pump itself?


They open the pump face, unplug the back of the existing reader, plug the front of their skimmer into the back of the existing reader, and connect the first plug into the back of their skimmer.

It goes from ? --> reader

to

? --> skimmer --> reader

The face of the pump appears unchanged (unless they broke a security sticker and were unable to replace it)


Very interesting, just installed the app they created. Going to be driving all over the northeast for the next few months. I wonder if I will find any skimmers...


This should be fun for a while, but don't expect it to last. If the persons producing these haven't seen this article yet, they will soon. Surely next batch will use a different ID and password, but additionally they could set the HC-05/1234 combo to do something nefarious when attempted. (Probably just put the skimmer to sleep for a while, so it won't be detected. The things they could potentially program it to do will be somewhat limited by the cost of additional components.)


The people installing these skimmers aren't the ones writing firmware for them. They have been mass produced in China and sold around the world. There might be a v2 in the works that works better or is more difficult to detect but people will still be buying the original version because it does the job and works well enough to get at least some cards before being found. It is similar to the OBDII reader chip, ELM327. Elm made a decent v1.0 release for their PIC-based ELM327 and forgot to lock down the firmware. Everyone then proceeded to make pirate clones of the reader. It is much easier to just keep producing the exact same chip/firmware combo than it would be to actually go back and decompile/write new code to add some stealth features that aren't going to make your new v2.0 sell any better over the cheaper than dirt v1.0.


Use the pump that's most obscure from the clerk for max risk/benefit!


I would be really happy to have a solution to detect these skimmers. Either an app or device that can just pick up any of these default ids etc.


The article mentions this app: https://play.google.com/store/apps/details?id=skimmerscammer...

Essentially though it's just looking for a bluetooth device called HC-05, so that is also an option.


hmm I need an iphone solution


There's a link in the article to an Android app they created called Skimmer Scanner that does exactly this.


So if the attacker has to have a key to break into the machine and install the skimmer, isn't that the problem then?

And if the attacker opened the pump to install the skimmer, why would he need to use radios at all? Why not just log it to flash for a week, then go to the pump and fetch the skimmer again? Presumably you'd want to remove the skimmer from the machine to avoid detection anyway?


The attacker doesn't want to open the pump again. Can you imagine how much attention that draws? These devices are so cheap they are throwaway. Most crimes are that of opportunity: install the skimmer and try to get whatever you can get. If the attacker can keep revisiting the machine, posing as a customer, it's the least risky way to harvest data. If the skimmer gets found, aw shucks on to the next one.


> then go to the pump and fetch the skimmer again? Presumably you'd want to remove the skimmer from the machine to avoid detection anyway?

They care more about getting arrested than their skimmer getting detected - and physically removing a skimmer is the second most dangerous part of the scam (the first is installing one, of course.) These things are cheap enough that it probably makes more sense from a risk/benefit analysis to just leave there forever and pick up the results over bluetooth until the skimmer disappears.


Not quite. Most skimmers are affixed atop the actual card reader. From the outside it's just a bit thicker. You don't have to open the machine at all to attach them.


Yes, that kind of skimmer I'm familiar with. The reason those skimmers are so easy to detect is because they need to mount on the outside which makes it unnaturally bulky, and sometimes also contain a camera to monitor the keypad.

I'm not too worried about those because those are pretty easy to spot, especially those with cameras. But this internal skimmer is more like a pump "root kit" you can't see...


so can I just pull out my phone and look and assume any close by BT is a possible suspect for a skimmer?


HC-05 is the module code and default name for the BT connection. Seems very lazy. If I were to do it, I would at least generate a random name and maintain a list of such names, with a hash function forming the password derived from the name itself.


Makes me want to, and just may force me to, use my phone to pay for gas!!!


so you could download the data without needing to install a skimmer yourself, what if someone whitehatted it by downloading the data and contacting each bank.


Something tells me that doing so would raise eyebrows and require you to explain yourself. While it would be easy to say, hey I read this article and I figured I would help out. I can't help but think the bank would still press charges because you are in possession of stolen credit card information.

Additionally, while you can tell what kind of card it is from the CC# (3-AMEX/Diners Club, 4-Visa, 5-Mastercard, 6-Discover, etc.) you can't always tell what the issuing bank is. Is it a Capital One Visa? Is it a Chase Visa? Do you want to do all that legwork, white hat or not?


I feel like I was just put on some watch list for viewing that.


If it makes you feel any better, you're probably already on a watch list for just knowing what a watch list is.


Top area mentions HC-05, later in the article it says HC-06. Which is it? Or am I missing something - granted, I did skim the article.


From what I understand, both modules could potentially be used. HC-06 & HC-05 contain the same physical internals, but host different firmware.


This sucks, I have been war-driving these skimmers for months. Thanks spark-no-fun.


> The Skimmer Scanner is a free, open source app that detects common bluetooth based credit card skimmers predominantly found in gas pumps. The app scans for available bluetooth connections looking for a device with title HC-05. If found, the app will attempt to connect using the default password of 1234. Once connected, the letter ‘P’ will be sent. If a response of ‘M’ then there is a very high likelihood there is a skimmer in the bluetooth range of your phone (5 to 15 feet).

Why isn't this just a part of the gas pump itself? (Or the payment station or whatever.) Is there a market for someone to make skimmer detector addons for gas stations? (If not, why not?)


If you read it, the scanner software they wrote is pretty specific to this exact skimmer. It looks for the default id of those Bluetooth modules and then sends a couple commands to see if it gets a particular response.

In other words, the scanner isn't really general purpose enough to have in every pump and it's easily defeated by very minor firmware tweaks or even just changing the Bluetooth id of the device. You'd have to have something much more complex to be reliable, and it'd have to have some sort of facility for updating its signature database akin to a virus scanner. Gas station owners don't have much incentive to give a damn currently, especially not if it involves retrofitting a fairly complex device onto all of their pumps that they also have to pay for a service that provides updated device signatures.


Do gas stations have any incentive to provide skimmer scanning? I'd imagine most of their customers aren't even aware skimmers exist, so adding them probably wouldn't attract many new customers. And the margins they make selling gasoline are already pretty thin, so it's possible that the cost of adding scanners to all their machines is less than the extra money they'd make from the minority of people that would go out of their way to give their business to gas stations with scanners.

If gas stations are liable for losses that customers experience due to skimmers it's possible that gas stations would be interested, but they could just as easily decide that it's worth the risk of having to pay out lawsuits given that I'd imagine it's pretty hard to prove in court that your card was stolen by a skimmer at any one particular gas station considering how many different gas stations any one person uses on a regular basis, not to mention the variety of other vectors that your card could've been compromised through.


> Is there a market for someone to make skimmer detector addons for gas stations? (If not, why not?)

It would probably be best sold as a service instead of a device. It's not easy to train staff to operate equipment like this. Also, it's likely to engage a cat-and-mouse escalation which either means a headache-fueled field-updatable device (more complexities for gas station staff) or rapidly-obsolete devices.

But the service might be a hard sell -- the service would have to be more effective than manual pump kiosk inspections. Best to try and sell to an established brand that operates the stations themselves (are there any or are they all franchisees?) 7-11 operates gas stations in urban markets likely to be targeted, they might be a good client.


It would be easier to have a central device that could listen for any bluetooth signals that linger around the gas station all day long. Most people are gone within 5-10mins so it should be pretty obvious when there is a bluetooth device there for hours at a time that isn't a known device of someone that works there. But this would only be able to detect simple devices like these. Something a bit more advanced would stay in a listen only mode until the skimmer's owner came within range and would generate a random MAC address on bootup to evade pattern detection.
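The dwell-time idea in the comment above, combined with the default-name check discussed earlier in the thread, as an added example that is not part of the thread or of the Skimmer Scanner app. The scan log, MAC addresses, device names other than HC-05/HC-06, and both thresholds are constructed assumptions; collecting the sightings from a real Bluetooth scanner is not shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default module names mentioned in the thread. A match is a hint, not proof,
# since the advertised name is trivial to change.
DEFAULT_MODULE_NAMES = {"HC-05", "HC-06"}

def every(start, step_min, count, mac, name):
    """Build constructed sightings: one every step_min minutes."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(minutes=step_min * i), mac, name) for i in range(count)]

# Constructed scan log (timestamp, MAC, advertised name); all values are made up.
SAMPLE_SCANS = (
    every("2017-09-19T08:00", 10, 30, "AA:AA:AA:00:00:01", "HC-05")        # sits there 4h50
    + every("2017-09-19T08:00", 10, 30, "AA:AA:AA:00:00:02", "StaffPhone")  # known employee
    + every("2017-09-19T08:05", 2, 4, "AA:AA:AA:00:00:03", "CarAudio")      # customer, 6 min
    + every("2017-09-19T16:05", 2, 4, "AA:AA:AA:00:00:03", "CarAudio")      # same customer again
    + every("2017-09-19T09:00", 10, 19, "AA:AA:AA:00:00:04", "Speaker")     # other name, sits 3h
)

def longest_session(times, max_gap):
    """Longest continuous presence; a silence longer than max_gap ends a visit."""
    times = sorted(times)
    best, start, prev = timedelta(0), times[0], times[0]
    for t in times[1:]:
        if t - prev > max_gap:
            best, start = max(best, prev - start), t
        prev = t
    return max(best, prev - start)

def find_lingering(scans, allowlist, min_dwell=timedelta(hours=2),
                   max_gap=timedelta(minutes=15)):
    """Return {mac: info} for non-allowlisted devices present for min_dwell or more."""
    seen, names = defaultdict(list), {}
    for ts, mac, name in scans:
        seen[mac].append(ts)
        names[mac] = name
    report = {}
    for mac, times in seen.items():
        if mac in allowlist:
            continue
        dwell = longest_session(times, max_gap)
        if dwell >= min_dwell:
            report[mac] = {"dwell": dwell,
                           "default_name": names[mac] in DEFAULT_MODULE_NAMES}
    return report

if __name__ == "__main__":
    for mac, info in find_lingering(SAMPLE_SCANS, {"AA:AA:AA:00:00:02"}).items():
        print(mac, info["dwell"], "default module name" if info["default_name"] else "")
```

Splitting sightings into sessions keeps a customer who fills up twice in one day from being counted as an eight-hour presence, and the device under a different name is still reported because the dwell rule does not depend on the name.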


I imagine that gas pumps are much more costly to retrofit or replace. If such detection capability was built-in, it's much easier for the skimmers to adopt a different format to avoid detection by naive gas station operators who want something they can set-it-and-forget-it.



