Hey, there! Log in / Register

Thieves have figured out how to bypass those new credit-card chips

Wanted people

Dedham Police report they are looking for a couple who have figured out how to use somebody's credit-card number on a forged card despite the use of retail chip readers that are now in use at most stores these days - and are supposed to prevent that.

Police say the two are taking advantage of the fact that most card readers still will let customers swipe their cards the old fashioned way if something goes wrong with the chip reader.

Police say the two "skimmed" somebody's credit-card number - the victim reports she maintained possession of her card at all times - then used that to create an old-style magnetic strip for another card with a chip:

During the sales transaction, the male suspect can be seen manipulating the [point of sales] machine by inserting a credit card into the microchip slot and when the sales associate turns their back to the suspects, the male suspect slightly pulls the credit card out. This induces the machine to cancel the transaction which then requires that the customer (male suspect) to swipe the credit card.

Police say the two used the trick at two stores at Legacy Place, as well as at stores at Market Street in Lynnfield and Square One Mall in Saugus.

If they look familiar, contact Dedham Det. James Nikolaides at 781-751-9300.

Neighborhoods: 
Topics: 
Ad:

Comments

Its been known for a long time that the chip isn't very secure. It is with End to End transactions (i.e. encrypted info and hidden card numbers), but with physical security, it really does have a long way to go.

up
Voting closed 6

Their method isn't violating the chips at all though. It's a con job on the retailer. They fake a chip transaction which "fails" (as if the reader is broken) which then has the retailer fallback to the magnetic strip which is cloned from someone's strip in the old-school way of stealing someone's credit card details bypassing all of the additional security that the chip provides over a basic magnetic strip.

If the retailers had told them that it's chip or nothing, these guys would have gotten away with nothing.

Now, why we don't add PINs to our chipped cards and require chip-and-pin like the rest of the civilized world where it's basically impossible to rip someone off without also knowing something that's only in their head and your card doesn't have to leave your sight (or possession) nearly ever...I have no idea. It's like the American credit card industry likes dealing with loss prevention and charging us all more to do so. Hurray, capitalism.

up
Voting closed 60

Their method isn't violating the chips at all though. It's a con job on the retailer. They fake a chip transaction which "fails" (as if the reader is broken) which then has the retailer fallback to the magnetic strip which is cloned from someone's strip in the old-school way of stealing someone's credit card details bypassing all of the additional security that the chip provides over a basic magnetic strip.

In other countries if the chip fails, there's no recourse because magnetic stripes do not exist. Can't use your chip, no sale. Its the same as not having cash on you. Retailers in the US don't want to lose customers, so they just over look it, and crap like this happens.

Physical security and policies are key in data protection.They were able to use skimmers and the stupid store didn't actually do their job to see the card.

up
Voting closed 17

It's not retailers, it's MasterCard and Visa. They run the world with EMV, Chips, etc. They set the standard and decide how much $ they will eat. Retailers just have to play along.

up
Voting closed 4

chip-and-PIN vs. the chip-and-signature system the US adopted much later. Chip-and-PIN only helps prevent fraud with lost/stolen cards, a comparatively small problem here. (Further, Euro thieves now focus on tech to help them steal PINs, so that arms race is still on.) US card issuers decided that the lost transaction volume from people forgetting their PINs and stopping using a particular card was too costly. Retailers tend to bear the PoS fraud costs here, and so pass them onto consumers.

The ideal solution is probably the kind of one-time passcodes used in tokens like SecurID vs. the current static PINs, but again, the cost trade-off there is currently unattractive. One way or another, consumers end up paying most of the costs of fraud; the issuers' and retailers' main incentive is to keep you spending and the lines moving quickly, only addressing the cheapest-to-solve fraud problems. Banks and other issuers decided years ago to focus instead on the back end of the problem, investing in AI-like systems to detect and flag suspicious transactions. Heavy up front, now largely automated, so very cost-effective.

up
Voting closed 5

US card issuers decided that the lost transaction volume from people forgetting their PINs and stopping using a particular card was too costly

Sure...except what other card are they going to use? If they all go to Chip&PIN then what "other card" are you going to use when you stop using the one you forgot your PIN on? You're just going to stop using credit cards altogether? Come on. They could do this at any time and at no cost to them. Hell, dozens of cards already do Chip&PIN (you probably have one in your wallet). They just don't do it by priority because the card issuers refuse to force retailers to switch over to handheld transceivers in places like restaurants and things rather than using the PoS terminals to read your chip over at the servers' stations.

And the idea that people can't put one more 4-digit PIN in their head (hell they'd probably use the same one as their ATM card anyways) is ludicrous. For those morons, you can let the card fallback to chip and signature and let the retailer decide their risk of fraud if the person claims they can't remember their PIN.

And HALF of these banks issuing cards already issue Chip&PIN in the rest of the world because they're forced to by law. They're maintaining two systems. They just don't want to spend the extra time and money here to make our transactions and bank accounts safer because they can capitalize the risk, increase OUR costs, and probably even put some overhead on it to profit from the difference rather than be forced to upgrade the system as long as they lobby to keep the laws in their favor.

If we made a law that Chip&PIN must be used to protect consumers from theft, then they'd be able to roll it out in a heartbeat and they'd *probably* do better in the long run by unifying their global systems but in the short term, they profit from our risk-taking.

up
Voting closed 10

can’t remember the PIN on one, you might pull out a competing card with one you can, or use a debit card, or pay cash. There’s also the shared risk of lower transaction volume because PIN problems can cause checkout delays.

up
Voting closed 3

Those card readers that your server brings to the table. Your card never leaves your hands.

up
Voting closed 8

But then you have to tip in the server's presence. Imagine the internet firestorm when people realize they have to do that.

up
Voting closed 1

In most of the rest of the world, there is no such thing as tipping.

up
Voting closed 5

readers, some attached to tablets, some standalone devices. In a couple of reviews (Dakzen in Davis Square and Momi Nonmi in Inman come to mind), I've mentioned the awkwardness of that moment when you have to fill out the tip line in the server's presence.

up
Voting closed 1

Changed.

up
Voting closed 4

i find it funny that at walgreens, etc... when i use my wifes debit card, the screen says 'enter pin' but hitting the yellow button will skip and just process without pin.

up
Voting closed 2

If you enter a PIN, you use it as a debit card, it goes through the bank and the merchant incurs a fee there. If you don't, it gets processed as a credit card and the merchant pays a fee to Visa or MasterCard.

up
Voting closed 7

requires much pricier tech and expertise to clone it. The mag-stripe is cheap and easy to clone, which is why chips were adopted in the first place. As long as the payment system allows swiping as a fallback to chip reading, this will continue to be a problem. Takes a bit of art at the point-of-sale to make this trick work, though.

up
Voting closed 10

I have a credit card. It had a picture on it. When they invented the new and improved chip, they put the chip where the picture was. Thus no more picture. Sounds like Colonel Klink is the master of security at some of these places, but what do I know , I am still trying to figure out Fotran .

up
Voting closed 2

Oh, man, I actually took Fortran in college, back in the days when the entire computer-science department ran off a single DEC PDP (11, maybe?), and if you got to the computing center too late to work on your assignment, you had to use the TTY with one of those old-fashioned printers instead of a keyboard with a monitor, but WE LIKED IT! Well, OK, I didn't, was failing the course until the night before the final when a light bulb or something went off over my head and I finally got it and got a high enough grade on the final to pull my grade up to a C.

Um, where were we again?

up
Voting closed 24

You left out the part of the typing to make the cards.....

up
Voting closed 4

Most of the places I shop have devices that allow both chip or swipe transactions. Why is the distraction and failed attempt necessary? Can't they just walk up and swipe in the first place? No one ever asks to see my card or says, "Why didn't you use the chip?"

up
Voting closed 3

not allow a swipe until you have failed a chip-validation attempt.

up
Voting closed 20

Hmmm. Good to know. Thanks!

up
Voting closed 5

...better mice.

up
Voting closed 6

i wrote this program to read magnetic stripes from a usb credit card reader for my wifes business:
https://www.linuxquestions.org/questions/linux-hardware-18/magtek-usb-cr...

up
Voting closed 4

Their credit card vendor contacted me.

Somebody tried to charge several hundred dollars at a store in Burlington Mall. The only reason it didn't fly was that I had charged a large sum for eyeglasses and contacts just a day before and the two together didn't equate to any common spending pattern of mine.

They sent me a new card ASAP.

My card never left my possession, either. I suspect it got skimmed at one of those places that used the square thing on the tablet to do the transaction. That's the only possible thing I can think of. The company may be able to figure it out through my legit transactions.

up
Voting closed 5

gas pumps, POS terminals in convenience stores. They are getting harder to spot every day. Some are completely invisible because the mechanism is hidden inside the mag-stripe scanning device.

up
Voting closed 2

From where you live, the Burlington Mall is a reasonable local place to go shopping, and I'm not sure why shopping there after buying eyeglasses would be a red flag.

up
Voting closed 1

flag: location, time of day, day of week, day of year, type and size of purchase, history with the retailer, etc.

So they did notice when someone in Maryland was making big purchases at Best Buy with my debit card (probably stolen from an online retailer that didn't follow the rules about purging my card info after 30 days). I've gotten alerts right after I made a purchase on holiday overseas: "Are you really in Italy?"

They build a pretty detailed profile of your spending and life habits, the models are sophisticated at spotting anomalies, and thanks to machine learning, they get better all the time.

up
Voting closed 2

They usually pick these things up from the spending patterns on the card.

It doesn't matter how close to home it is.

If someone does not typically rack up multiple expensive purchases in one short period, that's a red flag.

up
Voting closed 1

To remind folks to enable push notifications for all transactions on your credit cards so that you get notified of any fraudulent activity right away

up
Voting closed 2

As already mentioned, this is not a problem with the chip. The card still has a magnetic strip that can be cloned. It's like putting locks on all the doors in the house but leaving the porch door wide open for the thieves.

When the chip rolled out, people were complaining quite a bit about how much longer transactions were taking. I know it's anecdotal but I've experienced it many times at stores. Myself, I've started using my phone because it's much quicker but not all places support it.

Also, I'm not sure how it's possible with the chip, but Whole Foods is the only place I've seen where you can insert your card and pay before the transaction is finished, the way you used to be able to swipe.

up
Voting closed 2

Jerks like this are why I still pay for everything in cash and plan on doing so until I'm pushin' daisies.

up
Voting closed 2