So Much For Chip & PIN Security

[Mike Henderson]

Paying for a meal at a restaurant always make me think for a second about my CC security? Always a lot of trust involved when you send the waitress to the back room to charge your account with your CC.

For a waiter to steal credit card numbers, s/he would have to have some device to scan the card. It could be a device that attaches to a smart phone.

But if you've ever worked in a restaurant, there's not much that's secret between the workers. A lot of people would have to be in on the theft and that's not likely to happen. It'd be very difficult to get that many people to hide an illegal act. And the boss would definitely not be a part of it.

I won't say it can't happen, but I don't think it's very common either.

Mike

[I'll pass along a credit card story: A friend of mine did a lot of entertainment and used an American Express Card. One day, while traveling in another city, his card was rejected. When he looked closely at "his" card, he discovered it was not his card, it was someone else's card. The restaurant he had entertained in a day or so earlier had given his bill to another table and he got the other person's bill. Neither really looked at the bill or the cards and just signed and put the cards in their wallet. The other guy discovered the error, called AMEX and they cancelled the cards. It did get all straightened out in time.]

[Dan Hintz]

There have been instances of employees stealing cc numbers but they have to have a device where they scan the card and the number is stored in the device. So as long as you can see the handling of the card, you're pretty safe.

Tell that to the millions of people who have had their CC info stolen while slipping it into an ATM, gas pump, etc. that all had swipe scanners on them. It looks normal, but your card is read twice with one swipe/insertion... once by the illegal reader, and finally by the legal reader. At first glance, most wouldn't know there was anything wrong with the device.

So, I wouldn't say even watching your card get swiped means it's safe, as there's plenty of evidence it's not.

[Mike Henderson]

Tell that to the millions of people who have had their CC info stolen while slipping it into an ATM, gas pump, etc. that all had swipe scanners on them. It looks normal, but your card is read twice with one swipe/insertion... once by the illegal reader, and finally by the legal reader. At first glance, most wouldn't know there was anything wrong with the device.

So, I wouldn't say even watching your card get swiped means it's safe, as there's plenty of evidence it's not.

That's very true, Dan. But the comment was about a clerk at a major store who would take the card and scan it on the register. It's pretty unlikely that the register would have one of those devices on it.

I'm certainly aware of those devices but didn't discuss them. Certainly, people need to be aware of those devices.

Mike

[Brian Elfert]

I'd have to do a test, but you enter your card data at Amazon as part of your profile. It may be that they require the CVC when you enter that data.

Of course, once you become a regular buyer, they know your card is valid. It would only be someone who opens a new account, or wants to add a card to an existing account, and they may ask for the CVC at that time.

I just added a new card to my Amazon account within the past week and I am pretty sure I did not have to enter the CVC.

Gas stations locally have gone to putting security seals on both the card readers themselves and the actual door of the gas pump to help ensure a skimmer is not present. Enterprising thieves will probably just make copies of the security seals at some point. Skimmers will no longer be of any real value with chip cards, but gas stations have until 2017 to add chip card readers to pumps.

[Dan Hintz]

That's very true, Dan. But the comment was about a clerk at a major store who would take the card and scan it on the register. It's pretty unlikely that the register would have one of those devices on it.

Don't be so sure, Mike. There was a story just a year or two ago of a bar/pub in New York that had to "release" an employee back into the wild after the police came calling. It seems he installed a skimmer on the POS terminal near the kitchen. Managed to nab every server's transaction for several weeks (a month or more?) before the CC companies saw the explosion in fraud all tied to this one spot. The guy was a moron for doing it that way, but it does point out that hiding in plain sight is often a good way to go for those types.

[Dan Hintz]

Given the recent discussion of RFID-blocking covers, I thought this paper would be a good read for all involved in either discussion:
http://sec.cs.ucl.ac.uk/users/smurdo...hipandskim.pdf

It's well written, with a sampling of real-world examples of how the Chip and Pin solution isn't the panacea the creators thought it would be. The paper concentrates more on real-world problems/solutions rather than mathematical theory, but understanding the fine details is easier if you have a background in crypto. Still, anyone with a modicum of technical background should be able to enjoy the paper in its entirety.

This is just one of many, many, many papers I sift through on a weekly basis.