Pickpocket scanners
May 29, 2016 8:53 AM   Subscribe

No PIN needed They enter an amount less than $50 and touch their phone to your pocket; money transfers immediately from your account.

British pickpockets scan your bus card, your gas pay-fob, or your wallet for instant cash transfer
posted by naight (56 comments total) 11 users marked this as a favorite
 
So do those scan blocking wallets protect against these?
posted by emjaybee at 8:56 AM on May 29, 2016 [1 favorite]


But don't you need a merchant account of some sort to accept these payments? How many could they do before people notice the transaction, complain, and the scanner goes to jail? I mean, they'd have to go to great lengths to get an account like this with fraudulent information and also be sure to cash the money out untraceably very often. It seems like there are better scams out there.
posted by dis_integration at 8:59 AM on May 29, 2016 [2 favorites]


Yep.
posted by Grangousier at 9:04 AM on May 29, 2016 [19 favorites]


It happened to my wife three times before we noticed. The merchant account as it showed up on the statement was a mobile phone network.
posted by Coda Tronca at 9:04 AM on May 29, 2016


This is why I'm staying analog until I die. I'm totally cool pulling a piece of plastic out of my wallet.
posted by ThePinkSuperhero at 9:15 AM on May 29, 2016 [6 favorites]


The UK Cards Association, the trade body for card payments, has confirmed to techradar there have been no reported incidents of this crime in the country.

Well my wife's bank refunded the 3 x £30 fraudulent withdrawals on her card... I guess her card could have been cloned and scammed in any number of other more traditional ways; the banks don't go into any details. But on the other hand, the banks have a strong interest in suppressing any fears about contactless payments.
posted by Coda Tronca at 9:18 AM on May 29, 2016 [10 favorites]


Yep, as stated above this is almost certainly bullshit because of the various hoops that must be jumped through to get a merchant account. Any scammer would be looking at a few days turn-around on a lot of effort that will almost certainly get them caught. There are pretty solid virtual and non-virtual paper-trails behind card payments.

Also, there's a reason contactless transaction limits are set so low - they're at a level at which the banks will almost certainly not bother to defend any chargebacks (i've sat in meetings were this was actually hinted at if not explicitly stated), so if you *are* a victim of this then you shouldn't have a problem getting the transactions refunded.

If that's still not enough then get yourself a card that will give you an instant notification when it's used and allows you to freeze/unfreeze it at will.
posted by lawrencium at 9:18 AM on May 29, 2016 [9 favorites]


This is why I'm staying analog until I die. I'm totally cool pulling a piece of plastic out of my wallet.

It's much more likely that your plastic card will be cloned than a contactless card will be compromised, just saying.
posted by Huck500 at 9:21 AM on May 29, 2016 [17 favorites]


But they're cloning the cards as well, right? We've had plenty of ATM machines with a scam thing fitted to them for this purpose. These scams might be quite attractive to crims because the investment is low, you can get your lowliest trainee guys to execute them and improve their skills/loyalty level in the process, and the chances of being caught are zero.
posted by Coda Tronca at 9:24 AM on May 29, 2016


Seems both plausible and, once set up, lucrative. How many wallets could you touch in a crowded train in an hour? Probably at least thirty, say a third yield something... This is maybe the interesting part - how lucrative is this scheme?
posted by From Bklyn at 9:29 AM on May 29, 2016


Compared to stealing thousands of #s at a time hacking into various merchant's sites from an undisclosed location with 0 overhead? Not very lucrative.
posted by Potomac Avenue at 9:39 AM on May 29, 2016 [4 favorites]


STEP 1: CONVINCE EVERYONE TO STRAP THEIR WALLET TO THEIR ANKLE
STEP 2: EQUIP CATS WITH SCANNERS
STEP 3: £££
posted by indubitable at 9:40 AM on May 29, 2016 [99 favorites]


In the UK you should worry more about the banks themselves committing fraud or criminally misstating your interest payments.
posted by srboisvert at 9:44 AM on May 29, 2016 [35 favorites]


Yorkshire Evening Post? Hardly a bastion of intelligent tech reporting.

Scaremongering tripe. And a single link to scaremongering tripe.
posted by Hobo at 9:44 AM on May 29, 2016 [4 favorites]


It's a good thing that Apple Pay, Samsung Pay, and Android Pay all have biometric authentication on the contactless payment side of things.
posted by Talez at 9:47 AM on May 29, 2016 [1 favorite]


I just set up a merchant account for our London baseball league, a charitable organisation. I'm pretty sure I had to provide more id and documents for every director than I would have if we were doing an off-shore account through Panama. It took weeks.

That said, contactless cards and modern passports should be protected in RFID shielding sleeves, as even the Oyster reader will charge your card by accident if careless.
posted by C.A.S. at 10:03 AM on May 29, 2016 [3 favorites]


FINALLY the total absence of sensible pockets on women's clothing pays off
posted by poffin boffin at 10:06 AM on May 29, 2016 [47 favorites]


If Moby can brush his penis against Trump, we at least know that the physical part is possible.
posted by clawsoon at 10:08 AM on May 29, 2016 [3 favorites]


But they're cloning the cards as well, right? We've had plenty of ATM machines with a scam thing fitted to them for this purpose.

That's simply reading the card number via the magstrip information, which has been a trivial thing to do for years. Combine it with a hidden camera to get the PIN and you have the keys to the kingdom.

When it comes to the physical chip, which is a requirement of online Chip and PIN + contactless transactions it's not possible to clone the chip so the attack vector is different[1]. You have to get hold of the original card. I'd be the first to admit that card payments are a mess of implementations, protocols, hacks, and technical debt, but this isn't quite the same thing.

That's not to say Chip and PIN is a panacea, if you can get the original card with chip then it's possible to fool card readers into accepting any PIN. Ross Anderson has some interesting reading on this if you're interested.

[1] Not *yet* i mean, it's simply a matter of time depending on the cryptographic implementation.
posted by lawrencium at 10:11 AM on May 29, 2016 [4 favorites]


It happened to my wife three times before we noticed. The merchant account as it showed up on the statement was a mobile phone network

It does seem more likely to me that the card was scammed another way and (perhaps still using contactless payment to get around presenting a pin) used to buy PAYG credit, given the usefulness of that as a money laundering route, than that someone (three separate someones? When you say 'three times' did this happen on different days?) is successfully impersonating a mobile phone network.

And if people can do the latter, the security of contactless payments seems of minimal concern by comparison.
posted by howfar at 10:37 AM on May 29, 2016 [2 favorites]


I've never seen a contactless bank card in the US; here's a wikipedia page about it. But apparently they exist here too? I've only ever used Apple Pay for contactless, and as noted that requires an active authorization from the user on the phone.

What a stupid design, why would I want something wirelessly broadcasting my credit card number + an implicit authorization to charge it? I mean I get the problem it solves, but the fraud is so obvious. I guess the banks are counting on their back-end security measures making it hard to steal money this way, you basically have to be set up to receive a credit card payment. But there's plenty of fraudulent credit card acceptors out there. And it shifts the burden to bank customers to watch their accounts for random transactions. Ugh.

(Come to think of it, I do have a contactless card in my wallet, my card for Bay Area public transit. But I assume that system is only able to send money to Bay Area transit authorities and thus is not a fraud target.)
posted by Nelson at 11:09 AM on May 29, 2016 [1 favorite]


The thing I find suspicious about this is that I have trouble getting contactless payment systems to read my card when I hold my card up to the machine. It doesn't work at all if you hold the card in the wrong direction, for example. So what are the chances that someone is bumping up against my purse, hitting on the right place to get at my contactless payment card and having it work?
posted by jacquilynne at 11:09 AM on May 29, 2016 [1 favorite]


STEP 1: CONVINCE EVERYONE TO STRAP THEIR WALLET TO THEIR ANKLE
STEP 2: EQUIP CATS WITH SCANNERS
STEP 3: £££


I have no idea how these people got their scanners wedged into their cats, or why.
posted by tivalasvegas at 11:10 AM on May 29, 2016 [41 favorites]


If you're interested in a long read in this same vein, Krebs on Security did a three part series about a bluetooth ATM skimming network he discovered in Mexico. Instead of the skimmers that are put on the outside of ATMs, an organized gang was coercing or paying off ATM repair men to give them access to the internals of the ATMs so they could solder a bluetooth module directly on to the motherboard. Then they could slurp the data from 20 feet away without touching the machine again. In some instances, he discovered compromised machines on the property of nice resorts and stood there warning off tourists, who sometimes ignored him and used the machine anyway.
posted by bluecore at 11:13 AM on May 29, 2016 [7 favorites]


clawsoon: "If Moby can brush his penis against Trump, we at least know that the physical part is possible."

There's a Moby Dick joke around here somewhere, and I shall find it and kill it!
posted by Splunge at 11:15 AM on May 29, 2016 [8 favorites]


ATM repair men

How can such guys exist? They must be the new Untouchables.
posted by Coda Tronca at 11:22 AM on May 29, 2016


I've never seen a contactless bank card in the US

I think they've only started rolling out in earnest in the last couple months. my first one showed up a couple months ago.
posted by wotsac at 11:24 AM on May 29, 2016


I'll post Xpen$iv $h1t since the conversation is going that direction.
posted by jeffburdges at 11:35 AM on May 29, 2016


There's a good short video by Prof Ross Anderson of Cambridge on card security and hacks. I'm not sure if it's the one where he describes one particular attack, very similar to the Bluetooth Mexican, where an enterprising bunch of crooks intercepted a shipment of retail card terminals between China and the UK and installed mobile phone modems inside them. After this had been discovered, some time after the terminals went into service, the criminals were tracked down but the banks refused to co-operate with the police because they didn't want the publicity - so no prosecutions.

Thinking about it, you can see the banks' point of view; it's not just embarrassment, but the severe problems that a general loss of confidence in chip and pin would cause - including the forced adoption of less secure systems. A harder call than it looks.
posted by Devonian at 11:48 AM on May 29, 2016 [1 favorite]


Meanwhile, in Leicestershire...
posted by marienbad at 11:57 AM on May 29, 2016 [2 favorites]


lawrencium: "If that's still not enough then get yourself a card that will give you an instant notification when it's used and allows you to freeze/unfreeze it at will."
And if that's not enough, get a card without the contactless payment functionality.

Oh wait, not possible.

I don't want it, and I don't see what problem it is supposed to solve. Why must I accept a less-secure card?
posted by brokkr at 12:11 PM on May 29, 2016


And if that's not enough, get a card without the contactless payment functionality.

Oh wait, not possible.


My card has the functionality. My bank asked me if I wanted it enabled. I said no.
posted by feckless fecal fear mongering at 12:15 PM on May 29, 2016 [3 favorites]


the criminals were tracked down but the banks refused to co-operate with the police because they didn't want the publicity - so no prosecutions.

Life goals: steal so much money from a bank that they're too embarrassed to seek prosecution.
posted by dephlogisticated at 12:17 PM on May 29, 2016 [15 favorites]


In some instances, he discovered compromised machines on the property of nice resorts and stood there warning off tourists, who sometimes ignored him and used the machine anyway.

This makes the tourists seem stupid but remember as far as they know he could be nefarious and directing users away from a safe machine to a nearby machine that is compromised in some way. The tourists have no way of evaluating the safety of the machine or the person.
posted by srboisvert at 12:25 PM on May 29, 2016 [6 favorites]


Here's one case of (alleged) internal fraud where the bank was apparently too embarrassed to prosecute.
posted by ambrosen at 12:29 PM on May 29, 2016 [1 favorite]


feckless fecal fear mongering: "My card has the functionality. My bank asked me if I wanted it enabled. I said no."
That's nice. I wasn't asked for either my Danish or German bank cards, and there is indeed no possibility to turn it off here.
posted by brokkr at 12:46 PM on May 29, 2016


Yep, as stated above this is almost certainly bullshit because of the various hoops that must be jumped through to get a merchant account.

Yeah, but Square really opened the floodgates on this kind of thing.

I worked for a major credit card processor (what you prob really mean by a "merchant account") 6ish years ago, and previous to Square, business categories like "Travel Agent" were seen as too risky to take on. But, when Square came out, they started started signing up any asshole who wanted to take credit cards. In fact, they actively marketed themselves to the "just some dudes on the corner/at the flea market selling whatever" business demographic.

The credit card processor is on the hook if the vendor flakes out/goes out of business/commits fraud/etc. and the credit card user does a charge back. Square decided that their investors and magical Silicon Valley money would cover the bill on this, so they vastly lowered the bar on what it took to be able to take credit cards. The rest of the processor industry had to also lower their standards to compete.

So, in short, the paper trail isn't as strong or defined as it used to be.
posted by sideshow at 12:58 PM on May 29, 2016 [12 favorites]


Why must I accept a less-secure card?

Arguably contactless is more secure than having to tap in your PIN as, in the event of the machine being compromised, you are not susceptible to your PIN being revealed through a MItM attack. If the attacker now has your PIN, and has read the magstripe because you stuck your card in the machine so you could tap in your PIN[1], they can pop around the local ATM and empty your account (or at least withdraw quite a bit more).

How many times have you used your Chip and PIN card in the last month? How many times did you have a good look at the POS terminal *before* you stuck your card into it and typed your PIN? Were any of these times at merchants you hadn't been to before? If a transaction is authorised with your PIN you will have a very difficult time disputing it, this isn't the case with a contactless transaction.

(BTW, i'm largely playing devil's advocate here. I'm all for a root and branch replacement of most payment systems because... well, i've talked about this before).

[1] I'm making the, probably flawed, assumption here that the data transmitted through contactless is not quite the same as reading the magstripe, so by using contactless the attack vector to clone a card is weakened.
posted by lawrencium at 1:01 PM on May 29, 2016 [1 favorite]


When it comes to the physical chip, which is a requirement of online Chip and PIN + contactless transactions it's not possible to clone the chip so the attack vector is different[1]. You have to get hold of the original card. I'd be the first to admit that card payments are a mess of implementations, protocols, hacks, and technical debt, but this isn't quite the same thing.

Yes it is. It's 100% possible. You compromise the reader, you dump the track 2 data, you write the track 2 data to a magstripe card. You have the PIN from the compromised reader. You go to Romania and withdraw $$$ from the local ATM. It happens every day even with chip cards.

Without tokenization any security is next to useless because the PIN pad becomes the next obvious (and easiest to compromise) attack vector after the card itself.
posted by Talez at 1:53 PM on May 29, 2016 [1 favorite]


This is another thread where, like the Venmo thread the other day, I get to feel smug about how old-fashioned I am.
posted by clawsoon at 2:09 PM on May 29, 2016


sometimes when i bring my sheep to barter for toilet paper at duane reade unscrupulous shepherds will set their sheepdogs on the back of my flock and steal away the stragglers
posted by poffin boffin at 2:12 PM on May 29, 2016 [31 favorites]


[1] I'm making the, probably flawed, assumption here that the data transmitted through contactless is not quite the same as reading the magstripe, so by using contactless the attack vector to clone a card is weakened.

Contactless will immediately disburse all of the information about the card on request. Since they only use a 16-bit dynamically generated CVV it's trivial to reverse engineer the information you need.

[Insert Vendor Here] Pay systems do three things which make a transaction actually secure:

1) They use a random PAN in place of the credit card number. So when you dump the information from the reader you can't use this PAN on the magstripe network.

2) They tokenize the transaction which needs to be authenticated with the network.

3) They require a second factor (PIN or authentication) on the USER'S DEVICE before authorizing the transaction.

If you're not doing that you're probably just asking to have your user's shit stolen by some Eastern European hacker either infiltrating PIN pads or making fake PIN pads.
posted by Talez at 2:14 PM on May 29, 2016 [3 favorites]


I've always wondered about the possibility of doing that with a Suica/Pasmo card. You can use those for things other than train fare, like taxis or convenience stores, so presumably it would be possible. But I don't know how easy it would be to have the system direct the funds to a random bank account.

I guess what I'm saying is, how do they deal with this? Is it more of a scale thing when you let everybody and their brother be a "merchant", now you can't watch them all?
posted by ctmf at 2:55 PM on May 29, 2016 [1 favorite]


Joke's on them - I'm broke!


oh, wait...
posted by lmfsilva at 2:55 PM on May 29, 2016 [2 favorites]


Ctmf, Japan's prepaid transit cards are a rather closed system — individuals simply can't sign up to be able to charge money from them, so far as I've been able to tell. I've only seen fairly large entities like convenience store chains even have the capability to use the cards/networks. Like, you can't set up Square to charge to an ICOCA card or something.
posted by DoctorFedora at 3:14 PM on May 29, 2016


If you want to disable the contact-less part of your credit card, I have four words for you: regular old hole punch.

Seriously. You can find the embedded antenna loop by holding the card at an angle to the light. (Well, I've been able to on all such cards I've had.) Punch a hole through the card along there where it doesn't intersect anything important: magstripe, number, name, signature blank, hologram, etc. There's a ton of room and it's just soft plastic so it's easy to punch out.

It's then trivial to verify that the contact-less part no longer works at terminals. The whole solution takes about a minute.

(This all came up because I sometimes hang out with a professor here who was monkeying with long-range readers using some simple COTS dev boards and some clever RF engineering.)
posted by introp at 6:16 PM on May 29, 2016 [7 favorites]


Lawrencium and Talez, if I understood correctly (and I'm not sure I did), your suggested means of duplicating a chip and pin card are based on reading the magnetic strip info and duplicating that onto a magnetic strip card. But don't you have to swipe a card all the way across to read a magnetic strip? When you use a chip card you only put it 1/4 or 1/3 ish of the way in. And you put it in a place that's totally away from the strip reader...I assume the magnetic strip reader device wouldn't even be possible to fit/arrange in the spot where the chip goes in, even if you don't need to swipe the whole strip to read it.
posted by If only I had a penguin... at 6:33 PM on May 29, 2016


Lawrencium and Talez, if I understood correctly (and I'm not sure I did), your suggested means of duplicating a chip and pin card are based on reading the magnetic strip info and duplicating that onto a magnetic strip card. But don't you have to swipe a card all the way across to read a magnetic strip? When you use a chip card you only put it 1/4 or 1/3 ish of the way in. And you put it in a place that's totally away from the strip reader...I assume the magnetic strip reader device wouldn't even be possible to fit/arrange in the spot where the chip goes in, even if you don't need to swipe the whole strip to read it.

All of the magstripe info is held on the chip and the chip will happily dump it to the terminal when asked. It's called Track 2 data.
posted by Talez at 7:00 PM on May 29, 2016


Huh...I thought the whole point of the chip was that it processed everything locally (on the card) so it didn't have to give up or send the information. Having the magnetic strip data on the chip seems like a bad idea.
posted by If only I had a penguin... at 7:23 PM on May 29, 2016


Just recently in Japan, there was a massive theft (over $12 million) that was evidently based on stolen information from a bank in South Africa. The thieves chose 7-11 because they accept foreign bank cards, and hit ATMs early and often, relying on the fact that by the time anyone noticed massive amounts of cash being withdrawn halfway around the world, they'd be gone. Between the NFC work arounds and things like this, I wonder if banks and retailers will be able to keep up with the people who just need them to slip up just a bit. The answer is almost overwhelmingly "hell no" yet here we are, being pushed to abandon cash and trust that banks have their shit together. I'm looking forward to this brave new world much less than I used to.
posted by Ghidorah at 9:10 PM on May 29, 2016


I have had contactless cards and was sort of excited to use them as a novelty but they never ever worked. I tried them everywhere. They rarely read correctly and when they did read correctly my bank would always decline the transaction and then email me to verify if I still had the card in my possession.

Banks don't really care if your card number gets stolen. I had a neighbor steal those balance transfer checks from my mailbox and pay his MORTGAGE. His address and loan# were on the check and when I asked the fraud department of my bank what they were going to do they told me "It's less than the amount that triggers any action." Which means: nothing. They had his address and his name but 900$ wasn't worth their time.

That's when I said screw it. I use my card everywhere. I don't care about shady websites or scammers or anything. Took me five minutes on the phone and I had a new card priority overnight and zero liability. To top it off someone stole the replacement card out of my mailbox(I live on a country road) and that morning my bank called me and asked if I was traveling south, I said no, and the teller said "Yeah I didn't think so, we're sending you a new card."

Granted this was all on a credit card, debit cards are a completely different beast and honestly should rarely be used. When it's "real" cash that disappears it takes much longer to get back. I treat my debit card as highly toxic and only use it at the grocery store. The grocery store I work for. Where part of my job is inspecting the card readers for any tampering. So I am pretty sure they are safe. Even so I would prefer to use the credit card but the store doesn't take credit.
posted by M Edward at 10:14 PM on May 29, 2016 [2 favorites]


Yes it is. It's 100% possible. You compromise the reader, you dump the track 2 data, you write the track 2 data to a magstripe card. You have the PIN from the compromised reader. You go to Romania and withdraw $$$ from the local ATM. It happens every day even with chip cards.

Yes, so my assumption was flawed in that the chip does give up the same information as the magstripe. My point still stands that having to input your PIN is thus less secure than contactless as, like you say above, having the PIN gives you access to all. Use contactless and that attack vector is removed, yes you can clone the card but you can't get the PIN, and if you have a card that has a longer PIN than the standard 4 digits you're slightly more secured from guess attempts.

Huh...I thought the whole point of the chip was that it processed everything locally (on the card) so it didn't have to give up or send the information. Having the magnetic strip data on the chip seems like a bad idea..

It's probably down to legacy systems and technical debt that this can't be done another way (i'm being generous here, it could also be a badly designed system). See the linked video above, which goes into some detail about this. Card payments are classic examples of "road to hell..." because the card schemes and payments associations keep piling on features that seem designed to protect cardholders but either fail in that way or others.

Talez's example above of one time use PANs, tokenization, etc are much better improvements. There is disruption starting to happen in the card payments space that will bring actual proper security, but it's going to take years (decades?) to filter down.
posted by lawrencium at 11:14 PM on May 29, 2016


There are quite a few contactless cards out there, in my experience (retail store owner in LA). Both MasterCard (cards labeled "PayPass") and American Express, predominantly. I think the new Costco-branded cards from Citibank that we just got are contactless, and are Visa, so I expect to start seeing a lot of those.
posted by jimw at 11:21 PM on May 29, 2016


Chip and pin cards do use a challenge-response architecture. I don't know about chip and signature cards because we don't have them in the country that the post is about. As for Romania being the best place to cash out on stolen mag stripe cards, it's possible it's right, but all the cash machines I used in Romania last year looked like chip and pin ones. I'm not sure, because it's hard to tell the difference.

As for why to use contactless, the benefit for me is that I take my card wallet out of my pocket and press it against a terminal then wait for the beep. When I've got an armful of shopping, I can fumble in my pocket and drag it out without having to worry about pressing any buttons or sliding a card in somewhere or ignoring the person I'm paying or worrying about shoulder surfers or any of the other 10 tricky things you need to do while concluding a purchase and moving on.
posted by ambrosen at 11:45 AM on May 30, 2016


I thought the whole point of the chip was that it processed everything locally (on the card) so it didn't have to give up or send the information. Having the magnetic strip data on the chip seems like a bad idea.

...

Chip and pin cards do use a challenge-response architecture.

Sure, between the card and the reader. And that exchange is all heavily encrypted.

What comes out the back end of the reader... not so much. And you can buy readers cheap from China.

Shmoocon 2012: Credit Card Fraud: The Contactless Generation
posted by flabdablet at 9:55 AM on May 31, 2016


I've never seen a contactless bank card in the US

Chase used to issue them, under the "blink" branding, but phased them out in 2014.
posted by We had a deal, Kyle at 1:00 PM on May 31, 2016


« Older The Graves of the Marines I Lost   |   Stradivarius also made guitars Newer »


This thread has been archived and is closed to new comments