Posts Tagged: Europay


26
Jun 18

How to Avoid Card Skimmers at the Pump

Previous stories here on the proliferation of card-skimming devices hidden inside fuel pumps have offered a multitude of security tips for readers looking to minimize their chances of becoming the next victim, such as favoring filling stations that use security cameras and tamper-evident tape on their pumps. But according to police in San Antonio, Texas, there are far more reliable ways to avoid getting skimmed at a fuel station.

San Antonio, like most major U.S. cities, is grappling with a surge in pump skimming scams. So far in 2018, the San Antonio Police Department (SAPD) has found more than 100 skimming devices in area fuel pumps, and that figure already eclipses the total number of skimmers found in the area in 2017. The skimmers are hidden inside of the pumps, and there are often few if any outward signs that a pump has been compromised.

In virtually all cases investigated by the SAPD, the incidents occurred at filling stations using older-model pumps that have not yet been upgraded with physical and digital security features which make it far more difficult for skimmer thieves to tamper with fuel pumps and siphon customer card data (and PINs from debit card users).

Lt. Marcus Booth is the financial crimes unit director for the SAPD. Booth said most filling stations in San Antonio and elsewhere use legacy pumps that have a vertical card reader and a flat, membrane-based keypad. In addition, access to the insides of these older pumps frequently is secured via a master key that opens not only all pumps at a given station, but in many cases all pumps of a given model made by the same manufacturer.

Older model fuel pumps like this one feature a flat, membrane-based keypad and vertical card reader. Image: SAPD.

In contrast, Booth said, newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad and referred to in the fuel industry as a “full travel” keypad:

Newer, more tamper-resistant fuel pumps include raised metallic keypads (known in the industry as “full travel” keypads), horizontal card readers and custom locks for each pump.

Booth said the SAPD has yet to see a skimming incident involving newer pump models like the one pictured directly above.

“Here in San Antonio, many of these stations with these older keypads and card slots were getting hit all the time, sometimes weekly,” he said. “But as soon as those went over to newer gear, we’ve seen zero problems.”

According to Booth, the newer pumps include not only custom keys for each pump, but also tamper protections that physically shut down a pump if the machine is improperly accessed. What’s more, these more advanced pumps do a better job of compartmentalizing individual components, very often enclosing the electronics that serve the card reader and keypad in separately secured metal cages.

“Pretty much all these full travel metallic keypads are encrypted, and if you disconnect them they disable themselves and can only be re-enabled by technician,” Booth told KrebsOnSecurity. “Also, if the pump is opened improperly, it disables itself. These two specific items: The card reader or the pad, if you pull power to them they’re dead, and then they can only be re-enabled by an authorized technician.”

Newer pumps may also include more modern mobile payment options — such as Apple Pay — although many stations with pumps that advertise this capability have not yet enabled it, which allows customers to pay for fuel without ever sharing their credit or debit card account details with the fuel station. Continue reading →


16
Feb 16

The Great EMV Fake-Out: No Chip For You!

Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe). But comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers.

chiptransVisa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV (“Europay, Mastercard and Visa”) payment standard.

Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.

Why are so many chip-capable checkout terminals already installed that have not been enabled to actually accept chip cards? Allen Weinberg, co-founder of Menlo Park, Calif. based management consulting firm Glenbrook Partners, examined this very question in a recent column that pointed to several factors holding retailers back from enabling dip-the-chip.

WHAT LIABILITY SHIFT?

New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.

Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions. Weinberg said some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.

“They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store,” Weinberg wrote.

Weinberg adds that for many larger merchants, switching on the chip readers also can be a big and expensive project. Part of the problem, he says, is that many integrated point of sale systems — particularly the electronic cash register software for these systems — were just not ready in time for the Oct. 2015 liability shift.

“Even if the software was ahead of the game, they faced long certification queues at many acquirers,” Weinberg wrote. “I believe this is going to be a problem for a while.”

Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.

“My dry cleaner isn’t worried about someone using counterfeit cards at his cash register,” Weinberg said, noting that many businesses meanwhile discount the chances that hackers will siphon customer cards by sneaking malicious software onto point-of-sale devices — a problem that has lead to one breach after another at brand name retailers, restaurants and hotels over the past several  years. Continue reading →


27
Oct 14

‘Replay’ Attacks Spoof Chip Card Charges

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

emvblueOver the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

CLONED CHIP CARDS, OR CLONED TRANSACTIONS?

The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.” Continue reading →


12
Sep 12

Researchers: Chip and PIN Enables ‘Chip and Skim’

Researchers in the United Kingdom say they’ve discovered mounting evidence that thieves have been quietly exploiting design flaws in a security system widely used in Europe to prevent credit and debit card fraud at cash machines and point-of-sale devices.

The innards of a chip-and-PIN enabled card.

At issue is an anti-fraud system called EMV (short for Europay, MasterCard and Visa), more commonly known as “chip-and-PIN.” Most European banks have EMV-enabled cards, which include a secret algorithm embedded in a chip that encodes the card data, making it more difficult for fraudsters to clone the cards for use at EMV-compliant terminals. Chip-and-PIN is not yet widely supported in the United States, but the major card brands are pushing banks and ATM makers to support the technology within the next two to three years.

EMV standards call for cards to be authenticated to a payment terminal or ATM by computing several bits of information, including the charge or withdrawal amount, the date, and a so-called “unpredictable number”. But researchers from the computer laboratory at Cambridge University say they discovered that some payment terminals and ATMs rely on little more than simple counters, or incrementing numbers that are quite predictable.

“The current problem is that instead of having the random number generated by the bank, it’s generated by the merchant terminal,” said Ross Anderson, professor of security engineering at Cambridge, and an author of a paper being released this week titled, “Chip and Skim: Cloning EMV cards with the Pre-Play Attack.”

Anderson said that the failure to specify that merchant terminals should insist on truly *random* numbers, instead of merely non-repeating numbers — is at the crux of the problem.

“This leads to two potential failures: If the merchant terminal doesn’t a generate random number, you’re stuffed,” he said in an interview. “And the second is if there is some wicked interception device between the merchant terminal and the bank, such as malware on the merchant’s server, then you’re also stuffed.”

The “pre-play” aspect of the attack mentioned in the title of their paper refers to the ability to predict the unpredictable number, which theoretically allows an attacker to record everything from the card transaction and to play it back and impersonate the card in additional transactions at a future date and location.

Anderson and a team of other researchers at Cambridge launched their research more than nine months ago, when they first began hearing from European bank card users who said they’d been victimized by fraud — even though they had not shared their PIN with anyone. The victims’ banks refused to reimburse the losses, arguing that the EMV technology made the claimed fraud impossible. But the researchers suspected that fraudsters had discovered a method of predicting the supposedly unpredictable number implementation used by specific point-of-sale devices or ATMs models.

Continue reading →