Thieves have figured out how to bypass those new credit-card chips
Dedham Police report they are looking for a couple who have figured out how to use somebody's credit-card number on a forged card, despite the retail chip readers that are now in use at most stores and are supposed to prevent that.
Police say the two are taking advantage of the fact that most card readers will still let customers swipe their cards the old-fashioned way if something goes wrong with the chip reader.
Police say the two "skimmed" somebody's credit-card number - the victim reports she maintained possession of her card at all times - then used that to create an old-style magnetic strip for another card with a chip:
During the sales transaction, the male suspect can be seen manipulating the [point of sales] machine by inserting a credit card into the microchip slot and when the sales associate turns their back to the suspects, the male suspect slightly pulls the credit card out. This induces the machine to cancel the transaction which then requires the customer (male suspect) to swipe the credit card.
Police say the two used the trick at two stores at Legacy Place, as well as at stores at Market Street in Lynnfield and Square One Mall in Saugus.
If they look familiar, contact Dedham Det. James Nikolaides at 781-751-9300.
Comments
It's been known
It's been known for a long time that the chip isn't very secure. It is with End to End transactions (i.e. encrypted info and hidden card numbers), but with physical security, it really does have a long way to go.
Read their method
Their method isn't violating the chips at all though. It's a con job on the retailer. They fake a chip transaction which "fails" (as if the reader is broken) which then has the retailer fallback to the magnetic strip which is cloned from someone's strip in the old-school way of stealing someone's credit card details bypassing all of the additional security that the chip provides over a basic magnetic strip.
If the retailers had told them that it's chip or nothing, these guys would have gotten away with nothing.
Now, why we don't add PINs to our chipped cards and require chip-and-pin like the rest of the civilized world where it's basically impossible to rip someone off without also knowing something that's only in their head and your card doesn't have to leave your sight (or possession) nearly ever...I have no idea. It's like the American credit card industry likes dealing with loss prevention and charging us all more to do so. Hurray, capitalism.
That's exactly my point
In other countries if the chip fails, there's no recourse because magnetic stripes do not exist. Can't use your chip, no sale. It's the same as not having cash on you. Retailers in the US don't want to lose customers, so they just overlook it, and crap like this happens.
Physical security and policies are key in data protection. They were able to use skimmers and the stupid store didn't actually do their job to see the card.
It's not retailers, it's
It's not retailers, it's MasterCard and Visa. They run the world with EMV, Chips, etc. They set the standard and decide how much $ they will eat. Retailers just have to play along.
But there are cost trade-offs to European-style
chip-and-PIN vs. the chip-and-signature system the US adopted much later. Chip-and-PIN only helps prevent fraud with lost/stolen cards, a comparatively small problem here. (Further, Euro thieves now focus on tech to help them steal PINs, so that arms race is still on.) US card issuers decided that the lost transaction volume from people forgetting their PINs and stopping using a particular card was too costly. Retailers tend to bear the PoS fraud costs here, and so pass them onto consumers.
The ideal solution is probably the kind of one-time passcodes used in tokens like SecurID vs. the current static PINs, but again, the cost trade-off there is currently unattractive. One way or another, consumers end up paying most of the costs of fraud; the issuers' and retailers' main incentive is to keep you spending and the lines moving quickly, only addressing the cheapest-to-solve fraud problems. Banks and other issuers decided years ago to focus instead on the back end of the problem, investing in AI-like systems to detect and flag suspicious transactions. Heavy up front, now largely automated, so very cost-effective.
Makes sense until you think about it
Sure...except what other card are they going to use? If they all go to Chip&PIN then what "other card" are you going to use when you stop using the one you forgot your PIN on? You're just going to stop using credit cards altogether? Come on. They could do this at any time and at no cost to them. Hell, dozens of cards already do Chip&PIN (you probably have one in your wallet). They just don't do it by priority because the card issuers refuse to force retailers to switch over to handheld transceivers in places like restaurants and things rather than using the PoS terminals to read your chip over at the servers' stations.
And the idea that people can't put one more 4-digit PIN in their head (hell they'd probably use the same one as their ATM card anyways) is ludicrous. For those morons, you can let the card fallback to chip and signature and let the retailer decide their risk of fraud if the person claims they can't remember their PIN.
And HALF of these banks issuing cards already issue Chip&PIN in the rest of the world because they're forced to by law. They're maintaining two systems. They just don't want to spend the extra time and money here to make our transactions and bank accounts safer because they can capitalize the risk, increase OUR costs, and probably even put some overhead on it to profit from the difference rather than be forced to upgrade the system as long as they lobby to keep the laws in their favor.
If we made a law that Chip&PIN must be used to protect consumers from theft, then they'd be able to roll it out in a heartbeat and they'd *probably* do better in the long run by unifying their global systems but in the short term, they profit from our risk-taking.
The average consumer has 3+ cards in his/her wallet. If you
can’t remember the PIN on one, you might pull out a competing card with one you can, or use a debit card, or pay cash. There’s also the shared risk of lower transaction volume because PIN problems can cause checkout delays.
Another Euro Thing that would help
Those card readers that your server brings to the table. Your card never leaves your hands.
But then you have to tip in
But then you have to tip in the server's presence. Imagine the internet firestorm when people realize they have to do that.
Another American issue
In most of the rest of the world, there is no such thing as tipping.
A few Boston restaurants use mobile card
readers, some attached to tablets, some standalone devices. In a couple of reviews (Dakzen in Davis Square and Momi Nonmi in Inman come to mind), I've mentioned the awkwardness of that moment when you have to fill out the tip line in the server's presence.
Headline ...
Changed.
I find it funny that at
I find it funny that at Walgreens, etc... when I use my wife's debit card, the screen says 'enter pin' but hitting the yellow button will skip and just process without pin.
Debit cards are different
If you enter a PIN, you use it as a debit card, it goes through the bank and the merchant incurs a fee there. If you don't, it gets processed as a credit card and the merchant pays a fee to Visa or MasterCard.
The chip is much more secure, in the sense that it
requires much pricier tech and expertise to clone it. The mag-stripe is cheap and easy to clone, which is why chips were adopted in the first place. As long as the payment system allows swiping as a fallback to chip reading, this will continue to be a problem. Takes a bit of art at the point-of-sale to make this trick work, though.
I have a credit card. It had
I have a credit card. It had a picture on it. When they invented the new and improved chip, they put the chip where the picture was. Thus no more picture. Sounds like Colonel Klink is the master of security at some of these places, but what do I know, I am still trying to figure out Fortran.
Did somebody mention Fortran?
Oh, man, I actually took Fortran in college, back in the days when the entire computer-science department ran off a single DEC PDP (11, maybe?), and if you got to the computing center too late to work on your assignment, you had to use the TTY with one of those old-fashioned printers instead of a keyboard with a monitor, but WE LIKED IT! Well, OK, I didn't, was failing the course until the night before the final when a light bulb or something went off over my head and I finally got it and got a high enough grade on the final to pull my grade up to a C.
Um, where were we again?
You left out the part of the
You left out the part of the typing to make the cards.....
I must be missing something
Most of the places I shop have devices that allow both chip or swipe transactions. Why is the distraction and failed attempt necessary? Can't they just walk up and swipe in the first place? No one ever asks to see my card or says, "Why didn't you use the chip?"
The reader can tell if your card has a chip in it, and will
not allow a swipe until you have failed a chip-validation attempt.
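The check described in the comment above, together with the "chip or nothing" policy suggested earlier in the thread, as an added example (not code from the article or from any commenter). It assumes the ISO/IEC 7813 track 2 layout, where a first service-code digit of 2 or 6 marks a chip card; the `Swipe` fields, decision strings, thresholds and sample stripe data are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Constructed sample data using a well-known test card number.
CHIP_CARD = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_ONLY = ";4111111111111111=30121010000000000?"  # service code 101

@dataclass
class Swipe:
    track2: str                # raw stripe data as read by the terminal
    chip_attempt_failed: bool  # a chip read failed just before this swipe
    fallbacks_last_hour: int   # hypothetical per-terminal fallback counter

def stripe_says_chip(track2: str) -> bool:
    """True when the stripe itself declares that the card carries a chip."""
    m = TRACK2.match(track2)
    if not m:
        raise ValueError("malformed track 2 data")
    # A cloned stripe copies this digit too, so the terminal still asks for the chip.
    return m["svc"][0] in "26"

def decide(s: Swipe, allow_fallback: bool = True, max_fallbacks: int = 2) -> str:
    """Merchant-side policy for a swiped card (hypothetical decision names)."""
    if not stripe_says_chip(s.track2):
        return "ACCEPT_SWIPE"           # genuine stripe-only card
    if not s.chip_attempt_failed:
        return "PROMPT_INSERT_CHIP"     # chip card: the swipe is refused outright
    if not allow_fallback:
        return "DECLINE"                # "chip or nothing"
    if s.fallbacks_last_hour >= max_fallbacks:
        return "DECLINE"                # a run of "broken chips" at one terminal
    return "ACCEPT_FLAG_FALLBACK"       # accept, but mark for ID check and review

if __name__ == "__main__":
    for swipe in (Swipe(CHIP_CARD, False, 0), Swipe(CHIP_CARD, True, 0),
                  Swipe(CHIP_CARD, True, 3), Swipe(STRIPE_ONLY, False, 0)):
        print(swipe.track2, "->", decide(swipe))
```

With `allow_fallback=False` the failed-chip-then-swipe sequence ends in a decline; with fallback allowed, the flag gives staff and back-end fraud review a signal that the chip was never verified.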
Today's lesson
Hmmm. Good to know. Thanks!
Better mousetraps...
...better mice.
I wrote this program to read
I wrote this program to read magnetic stripes from a USB credit card reader for my wife's business:
https://www.linuxquestions.org/questions/linux-hardware-18/magtek-usb-cr...
My Credit Union Flagged This
Their credit card vendor contacted me.
Somebody tried to charge several hundred dollars at a store in Burlington Mall. The only reason it didn't fly was that I had charged a large sum for eyeglasses and contacts just a day before and the two together didn't equate to any common spending pattern of mine.
They sent me a new card ASAP.
My card never left my possession, either. I suspect it got skimmed at one of those places that used the square thing on the tablet to do the transaction. That's the only possible thing I can think of. The company may be able to figure it out through my legit transactions.
Card skimmers are everywhere: ATMs,
gas pumps, POS terminals in convenience stores. They are getting harder to spot every day. Some are completely invisible because the mechanism is hidden inside the mag-stripe scanning device.
I'm curious how this was detected as fraud
From where you live, the Burlington Mall is a reasonable local place to go shopping, and I'm not sure why shopping there after buying eyeglasses would be a red flag.
A combination of factors goes into a suspicious-activity
flag: location, time of day, day of week, day of year, type and size of purchase, history with the retailer, etc.
So they did notice when someone in Maryland was making big purchases at Best Buy with my debit card (probably stolen from an online retailer that didn't follow the rules about purging my card info after 30 days). I've gotten alerts right after I made a purchase on holiday overseas: "Are you really in Italy?"
They build a pretty detailed profile of your spending and life habits, the models are sophisticated at spotting anomalies, and thanks to machine learning, they get better all the time.
Spending patterns
They usually pick these things up from the spending patterns on the card.
It doesn't matter how close to home it is.
If someone does not typically rack up multiple expensive purchases in one short period, that's a red flag.
A good time
To remind folks to enable push notifications for all transactions on your credit cards so that you get notified of any fraudulent activity right away.
As already mentioned, this is
As already mentioned, this is not a problem with the chip. The card still has a magnetic strip that can be cloned. It's like putting locks on all the doors in the house but leaving the porch door wide open for the thieves.
When the chip rolled out, people were complaining quite a bit about how much longer transactions were taking. I know it's anecdotal but I've experienced it many times at stores. Myself, I've started using my phone because it's much quicker but not all places support it.
Also, I'm not sure how it's possible with the chip, but Whole Foods is the only place I've seen where you can insert your card and pay before the transaction is finished, the way you used to be able to swipe.
Jerks like this are why I
Jerks like this are why I still pay for everything in cash and plan on doing so until I'm pushin' daisies.