
Be aware when using local ATMs



I call part-BS on that Daily Mail story.

 

"With just a mobile phone we created a point-of-sale terminal that could read a card through a wallet": if the 'PoS mobile' is not linked to an acquirer bank (i.e. it's just a standalone PoS, not tied over network to the acquiring system of the merchant's bank which supplied the PoS in the first place), it cannot perform any actual transfer.

 

There's a small Himalaya of procedures and forms to complete (i) for a bank to be approved as an acquirer by card associations then (ii) for a merchant to lease and operate a card transaction PoS from an acquirer bank, never mind a contactless one, before such a link can be created.

 

That's why VISA rightly said that this is a lab-centric test and that the banking system would reject the transaction.

 

Are you BS-ing this as well? Are you saying Which? are telling porkies?

 

 

http://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which

Link to comment
Share on other sites

A friend of mine has just told me of a news article in the local press regarding a rise in ATM scamming again. Apparently a number of devices such as Lebanese loops have been found on cash machines throughout Yorkshire recently.

 

This is a useful link from Cumbria police. I know it states the obvious, but I have linked it nevertheless as some people may find it useful.

 

http://www.cumbria.police.uk/advice-and-information/personal-safety/cash-machine-advice#

 

Thanks for the heads up, green_man - I will certainly be more vigilant in future.

 

Top post. :thumbsup:.

Link to comment
Share on other sites

Are you BS-ing this as well? Are you saying Which? are telling porkies?

 

 

http://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which

Not really.

 

The Which? guys grabbed cc data with scanners and used that data with online purchases in the same way perps who get cc data with ATM skimmers use the data they manage to get. There's nothing in there saying that the Which? guys used their scanners to process a transaction like a PoS (which is what the guys in the DM claimed to have done, and that's what I called BS on).

 

Your apology will be gladly accepted.

Link to comment
Share on other sites

Not really.

 

The Which? guys grabbed cc data with scanners and used that data with online purchases in the same way perps who get cc data with ATM skimmers use the data they manage to get. There's nothing in there saying that the Which? guys used their scanners to process a transaction like a PoS (which is what the guys in the DM claimed to have done, and that's what I called BS on).

 

Your apology will be gladly accepted.

 

Please explain this, as taken from the link.

 

 

Researchers bought cheap, widely available card scanners from a mainstream website to see if they could “steal” key details from a contactless card.

 

They tested 10 different credit and debit cards, that were meant to be coded to “mask” personal data, and were able to read crucial data that was meant to be hidden.

 

It then went shopping with the information it had obtained and was able to successfully place orders for items including a £3,000 television set.

 

“By touching volunteers’ cards to our card reader, we got enough details to allow us to go on an internet shopping spree,” a Which? spokesman said. “With these card details, the contactless transaction limit is irrelevant, because online transactions aren’t contactless.”

 

---------- Post added 06-08-2015 at 22:22 ----------

 

Another thing, this is a discussion forum; why are you talking apologies?

Edited by kidley
Link to comment
Share on other sites

They tested 10 different credit and debit cards, that were meant to be coded to “mask” personal data, and were able to read crucial data that was meant to be hidden.

 

It then went shopping with the information it had obtained and was able to successfully place orders for items including a £3,000 television set.

 

“By touching volunteers’ cards to our card reader, we got enough details to allow us to go on an internet shopping spree,” a Which? spokesman said. “With these card details, the contactless transaction limit is irrelevant, because online transactions aren’t contactless.”

 

You don't actually need that much information to buy something online; the card number, expiry date, last three digits off the back. Things like checks against the account holder name and delivery address are website specific; when I did online purchasing QA against a Worldpay implementation, they had different levels of checks you could employ. It's feasible to buy things with a minimum of information if the site you are buying from has been weakly configured.

 

In order to get that information contactlessly though, the card information available contactlessly is either un-encrypted or is very easily decrypted. Once you get that information, you've got the same detail as you would as if you had cloned the card in an ATM, without the PIN.

 

That's my take on it anyway.

Link to comment
Share on other sites

Please explain this, as taken from the link.

 

 

Researchers bought cheap, widely available card scanners from a mainstream website to see if they could “steal” key details from a contactless card.

 

They tested 10 different credit and debit cards, that were meant to be coded to “mask” personal data, and were able to read crucial data that was meant to be hidden.

 

It then went shopping with the information it had obtained and was able to successfully place orders for items including a £3,000 television set.

 

“By touching volunteers’ cards to our card reader, we got enough details to allow us to go on an internet shopping spree,” a Which? spokesman said. “With these card details, the contactless transaction limit is irrelevant, because online transactions aren’t contactless.”

 

That is not a flaw with contactless cards in general though, it's a flaw with the specific implementation in the cards they tested. It's not supposed to give away your card number unencrypted.

 

So yes, the problem clearly exists, but whoever manufactured those cards is responsible.

 

That said:

 

“It may be possible for a small percentage of cards to be read 15 to 20cm from the reader,”

 

Which suggests while they did get details off the card they shouldn't have, it's still very unlikely to be something that can be done just passing people on the street.

 

Even so, keep the card in a shielded wallet, just to be sure.

Edited by AlexAtkin
Link to comment
Share on other sites

Please explain this, as taken from the link.

I just did?

 

What the Which? researchers did was the contactless version of ATM skimming, then successfully shopped online using the obtained card data. No BS. Everybody and their dog can shop online with their PC, tablet or phone & card details.

 

What the Daily Mail-quoted researchers claimed, is to have configured a mobile phone into a PoS that allegedly processed a contactless transaction. BS called, because they didn't explain how they hooked their PoS-mobile phone into an acquirer bank (which would be a far graver matter than successfully intercepting contactless card data).

Another thing, this is a discussion forum; why are you talking apologies?
Your post initially looked like a dig to me, rather than just a question.