Comments on: Unveiling shoulder skimming

By: Fareed

Fareed — Tue, 09 Jun 2009 10:06:07 +0000

Chip cards have mag stripes as well. If the mag stripe of such a card is read thru a card reader, a clone card with the same data can be produced. so how does the CHIP ensure ‘better’ security than a mag stripe card in this case?

By: Adrian Pastor

Adrian Pastor — Thu, 10 Jan 2008 23:02:23 +0000

Hi Shoaib. I’m not claiming this is new. My point is that in places like in the UK, TV shows such as the Real Hustle have made skimming techniques used by – for example dishonest waiters – known to most people.

However, I feel that low-tech and primitive methods such as the one described here are being overlooked. In this attack the criminal doesn’t need a magstripe skimmer. All he/she needs is the merchant receipt and have a look at the 3 digit security code on the victims CC.

Even worse, some websites don’t even ask for the security code when purchasing items. I just bought flowers for my mom on a site of a company from Spain and I only had to enter the CC# and expiry date!

question: does the 100% dispute policy also apply to e-commerce sites, or only physical merchants?

By: Shoaib Yousuf

Shoaib Yousuf — Wed, 19 Dec 2007 09:21:54 +0000

Hi Adrian,

Method you just mention is way too old. Its been happening for years now. I have also seen cases where you can buy pack of 100 credit card numbers along with expiry and credit verification number for $5.

Visa and Master card has 100% dispute policy. In which merchant is held liable for not verifiying the owner and providing the service.

I have also seen cases where camera is fixed on the top of the roof which is recording your pin while you punching it on POS terminal.

Cheers

Shoaib

By: Adrian Pastor

Adrian Pastor — Tue, 18 Dec 2007 22:09:45 +0000

Meant to say “*that* 3-D secure is trying to verify”

By: Adrian Pastor

Adrian Pastor — Tue, 18 Dec 2007 22:07:40 +0000

@vindic – I’m not really in touch with the credit card fraud “scene” as part of my job, except for PCI DSS scans and knowledge of CC DB break-ins. As suppose you’re talking about querying online resources in order to attempt to obtain personal information and 3-D secure is trying to verify?

I’d be very happy if you posted more details on the attacks you’re mentioning such as “VBV bypass via wu”.

@NIX – no, it *doesn’t* make me pay with cash instead, but it DOES make me insert my CC in the POS terminal on my own, as opposed to letting the waiter do it for me ;-D

shining – remember the common “deliver to address different to billing address” option. Think of how many shitty online retailers there are out there where many of the basic security mechanisms (ie.: AVS) do not apply.
If I remember correctly the _minimum_ data required to perform a CC transaction is the CC number and the expiry date. This doesn’t only apply to online transactions, but also to MOTO (mail order telephone order).

By: NIX

NIX — Sat, 15 Dec 2007 08:02:05 +0000

@ap, you are right with the scenarios ..
but does this make u to pay at a restaurant or supermarket with cash?

By: shining whit

shining whit — Fri, 14 Dec 2007 11:22:10 +0000

Aren’t online retailers only supposed to deliver to the registered card holders address?

The goal of banks etc is not to make it 100% secure as this becomes an unfeasibly expensive pipe dream, the goal is to make it secure enough that the losses are negligble in the banks eyes, the banks do not care how much time or effort it costs you to get your money back.

Regardless of the method used people will find a way round it, money is a great incentive. I often wonder how many blackhats are ‘paid’ for their work as opposed to doing it just because they can, and how many there are versus the number of white(maybe slightly grubby) hats.

By: vindic

vindic — Thu, 13 Dec 2007 19:54:50 +0000

yea i think so, but again. if you will put them somewhere, someone else will be able somehow get them and use. i saw in london on one conference company which working on this, but i am not much happy, it’s not much good accessibile for ppl.

By: Makken Skeyes

Makken Skeyes — Thu, 13 Dec 2007 12:01:57 +0000

What about organic systems? Like finger-print or eye-scanners? Aren’t those much more secure?

By: vindic

vindic — Wed, 12 Dec 2007 20:17:18 +0000

Adrian, 3-D secure is shit. first problem of most countrys is, that they have avaible lookuping service for user data (uk – dob, usa – dob, ssn, mmn) then 3-D can’t protect you. Second prob is that this service have many bugs, maybe you know how attackers use VBV bypass via wu (which use firstadata online checking service [achex.com])
Chip and Pin is nice security, but nothing amazing, because 90% of skimmed dumps (skimmed credit card) are with PIN. many are from destinations like thaywan, moscow from hotels and restaurants where Chip and PIN working long time. Sorry for my english, if you want talk about it contact me via email