A Burger, an Order of Fries, and Your Credit Card Number
March 24, 2012 5:43 PM   Subscribe

"Why are small businesses such frequent targets? Because they offer hackers the easiest path to your financial information. In fact, security consultants say, there’s an entire underground industry built around extracting customers’ credit card numbers from retailers’ point-of-sale systems." Slate: Why it’s so easy for hackers to steal financial information from restaurants
posted by beisny (20 comments total) 7 users marked this as a favorite
 
Rich Mogull, an information security analyst who runs a company called Securosis,

That sentence is so funny in so many ways.
posted by George_Spiggott at 6:02 PM on March 24, 2012 [12 favorites]


I've always advocated a firewall system between your bank account and your transactions. Use a credit card you pay off monthly to make purchases, and never use your debit card to buy anything but cash at an ATM. You have a lot more protections with a credit card than a debit card.
posted by ifandonlyif at 6:18 PM on March 24, 2012 [4 favorites]


In recent news:

Rent-a-fraudster website operator gets nearly 3 years in prison

Pretty innovative, the guy was offering a service where someone who had stolen credentials could then hire an impostor with the right demographic profile to impersonate the victim.
posted by XMLicious at 6:57 PM on March 24, 2012


Yeah, I'm starting to think I need to just use my cash card to withdraw cash from ATMs and deal in a cash-only basis for most of my transactions.
posted by hippybear at 6:58 PM on March 24, 2012


Back in 2003 I put a video from Japanese TV on my blog, I translated a story from the news about how a gang of hackers would sneak into a restaurant at night, modify the credit card machine by adding a little circuit card that transmits the card data over wi-fi, and then lock up and leave no sign they were ever there. They could sit outside with a laptop and collect the data live as it came in. I'd link to the video but my video server is down while I work on some upgrades.

Now the weird thing was, I got tens of thousands of hits a month from people searching for the phrase "credit card skimmer" and then watching the whole video. It ate so much bandwidth, I had to obfuscate those words so it wouldn't come up in search engines. I felt like I was educating thieves on the latest techniques.
posted by charlie don't surf at 7:02 PM on March 24, 2012


Yeah, I'm starting to think I need to just use my cash card to withdraw cash from ATMs and deal in a cash-only basis for most of my transactions.

Careful, that's a good way to get singled out as a potential terrorist by the feds.
posted by briank at 7:15 PM on March 24, 2012


Well, thank goodness I never buy coffee! I'm safe from FBI surveillance!

Anyway, seriously? A link to PrisonPlanet? Can this be verified by any real sources?
posted by hippybear at 7:18 PM on March 24, 2012




Yeah, I'm starting to think I need to just use my cash card to withdraw cash from ATMs and deal in a cash-only basis for most of my transactions.

Not to be a Debbie Downer, but, well...
posted by Halloween Jack at 7:28 PM on March 24, 2012


For what it's worth, Kevin Poulson describes a number of such schemes in his book, 'Kingpin'.
posted by Multicellular Exothermic at 7:34 PM on March 24, 2012


This appears to be the actual flyer.

Ha! There seem to be a whole series of these produced under Grant Number 2007-MU-BX-K002.

Along with the Internet Cafe flyer, there's one for Farm Supply Stores, Beauty/Drug Supply Wholesalers, Construction Sites, Storage Facilities, Tattoo Shops, Package Handlers, Shopping Malls And Entertainment Facilities, Rental Cars... and this is where I got bored and stopped looking at links... ON THE SECOND PAGE OF THE GOOGLE SEARCH. (Most of them are from the first page.)

All part of the Communities Against Terrorism initiative, likely also produced under Grant Number 2007-MU-BX-K002. Your tax dollars at work, ladies and gentlemen.

/derail
posted by hippybear at 7:52 PM on March 24, 2012


Sorry for the Prison Planet link, it was the first one I got on a quick Google of "paying cash for coffee", but I think you've proved it for yourself at this point.
posted by briank at 7:54 PM on March 24, 2012


Haven't really proved anything. The flyers all say pretty pointedly that any single one of the listed factors aren't enough to draw the attention of law enforcement, and all of them include a disclaimer which says that just because people aren't like you doesn't mean they're terrorists. So paying cash for coffee combined with a bunch of other factors might raise a red flag, but simply living a cash-only existence doesn't mean squat.
posted by hippybear at 7:56 PM on March 24, 2012


I haven't read the DBR referenced in the article this year, although I really should have the day it came out.

Generally, if you are in the information technology space, even if it's not security focussed it's a very good idea to read the DBR's past and present. They are free educations on the evolution of information security vulnerabilities produced with the most comprehensive dataset by arguably the best researchers in the world.
posted by iamabot at 7:57 PM on March 24, 2012


and this is where I got bored and stopped looking at links... ON THE SECOND PAGE OF THE GOOGLE SEARCH. (Most of them are from the first page.)

They're also on the second link of my comment.

but simply living a cash-only existence doesn't mean squat.

It's not clear what point you're disputing here.
posted by George_Spiggott at 8:00 PM on March 24, 2012


Two factor authentication.

The CISSP definition of this is, in short, something you have, and something you know.

The single largest problem crdit and debit cards have, is that their users believe the card counts as something you have.

You. Do. Not.

The card is a way of transmitting something you know - your account information - with something else you know - your PIN number, your three-digit "security" code, your signature, or something that looks like it. Until consumers demand real crypto tokens, using your debit card is a crap-shoot, where the criminals all have loaded dice, and The House (your bank or credit union) just doesn't give a fuck... or worse... they actively work against you, because the law says debit card users are scum who deserve to get robbed. Who are the banks to argue with that?
posted by Slap*Happy at 8:11 PM on March 24, 2012


I've been paying cash at restaurants for years... ever since a sleazebag waiter changed the tip amount I'd written on a credcard receipt, giving himself an extra $5 on top of the tip I'd given him. (jerk.) Avoiding skimming fraud just seems like another good reason to keep on using cash...

(And yes, ATM skimmers exist too... there are some sites that can tell you what to look out for, though.)
posted by kira at 9:58 PM on March 24, 2012


I got skimmed twice. Once on our honeymoon and again three years later. Both skims happened at a gas station. Now I try to use cash for everything. An unexpected benefit of this is that I budget better.
posted by Doleful Creature at 12:32 AM on March 25, 2012


Yeah, gas station pumps are apparently prime targets for skimmers. They're out in public all night and nobody thinks twice about a car sitting next to a pump for 15-20 minutes while someone stands between the car and the pump. If there's ANYWHERE to actually decide to stop using your card, it would be pay-at-the-pump locations. If you have to buy gas at one of those places and it's 3am and there's no clerk around to run the card for you, prod, poke, twist, and compare the pump you're at with other pumps at the same location. Skimmers aren't invisible; they can be made to fool the unaware, but not the cautious.
posted by hippybear at 7:42 AM on March 25, 2012


We've had our credit card hacked TWICE in 5 weeks. I'm glad I just came upon this thread by accident. I bet it's a skimmer at a gas station I recently switched to.
posted by DU at 5:46 PM on March 31, 2012


« Older Okay, I have dropbox too...   |   Tsunami Debris Field Newer »


This thread has been archived and is closed to new comments