There is something very wrong when the foxes have completely gamed the henhouse.
posted by bearwife at 10:56 AM on September 2, 2014

Wrote about this years ago -- never liked using a debit card because if you aren't being tracked, you're being hacked...
posted by Alexandra Kitty at 10:59 AM on September 2, 2014 [1 favorite]

In the UK, online fraud shot up when they adopted EMV. I expect the same to happen in the US - fraudsters gotta work too. Even if card-present payment became NFC from your smartphone, paying online with traditional card-not-present methods will be a big target. Until the economics align for the banks to come up with a more secure method, this is probably what we're stuck with. As it is, the banks can transfer risk to the merchants in almost all cases.

Bonus: breach suspected at Home Depot.
posted by These Premises Are Alarmed at 11:03 AM on September 2, 2014 [3 favorites]

Two additional strategies:

Use only ATMs in high-traffic, constantly attended areas.
Much harder to put a skimmer on a grocery store checkout reader than it is an ATM stuck in the lonely corner of a downtown street.
(Bonus: Much less likely to run into one of those $5 withdrawal charge types)

More importantly, don't keep a bunch of money in your debit card connected account, and certainly don't keep _all_ your money in it.
Keep just enough for daily/weekly living.
Someone getting your card number becomes more of an minor annoyance than a disaster when the scammers only get petty cash rather than your rent money.
posted by madajb at 11:16 AM on September 2, 2014

Chip and PIN isn't safe. Compromised terminals will quite happily take the banking details that the chip spits out and the PIN you just pushed in and let you turn them into a magstripe card with a known pin.

Conversation-capturing is the form of attack which was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication in their petrol stations after more than £1 million was stolen from customers.[10]

In October 2008 it was reported that hundreds of EMV card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture so that details and PINs of credit and debit cards were sent during the 9 months before over mobile phone networks to criminals in Lahore, Pakistan. US National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence service would have been capable of pulling off this type of operation. It's scary." Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified as the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen.[11] This vulnerability spurred efforts to implement better control of electronic POS devices over their entire life cycle, a practice endorsed by electronic payment security standards like those being developed by the SPVA.[12]

And guess what, because the liability in EMV shifted from banks to customers it was a giant pain in the ass!

The reader should be treated as a fucking hostile device and EMV doesn't do anything in this regard. This is like security 101. The only thing a card should be doing is signing the the transaction to authenticate it and telling the pad who the issuing bank is. Dumping the card's entire bank details to a potentially hostile reader? NAH THAT'S PERFECTLY SENSIBLE FROM A SECURITY PERSPECTIVE.
posted by Talez at 11:21 AM on September 2, 2014 [10 favorites]

Why on earth do we put the burden of fraud detection on the consumer? Why isn't step 1, "Organize a class-action lawsuit against your bank"?
posted by indubitable at 11:22 AM on September 2, 2014 [19 favorites]

Why on earth do we put the burden of fraud detection on the consumer? Why isn't step 1, "Organize a class-action lawsuit against your bank"?

Word. Given how widespread these skimmers have become, banks really should have teams of people doing daily or even twice-daily (and at random times, perhaps) ATM checks for skimming devices, and be working on developing new ATMs with countermeasures. But, of course, this fraud only affects their small dollar consumer deposit customers who are already just sheep for the financial instrument slaughter anyway...
posted by dis_integration at 11:27 AM on September 2, 2014 [5 favorites]

I tend to get cash back at the grocery store. Seems safer.
posted by harrietthespy at 11:33 AM on September 2, 2014

For those in a position to use credit cards, they offer much better consumer protection than debit cards. The $50 consumer liability limit per card is normally absorbed by the credit card company so that the consumer winds up out no cash, just the hassle of reporting the fraud.

I'd heard of Krebs on Security before but I don't think I'd read the blog. It has some interesting stories.
posted by exogenous at 11:44 AM on September 2, 2014 [7 favorites]

Exogenous has it. My debit card was compromised a few years ago, and over $3k was stolen from my checking. Meanwile I've got the mortgage check in the mail, bills to pay, and zero cash to do it. The bank eventually sorted it out... two months later. I've since switched to only using the debit card at in-bank ATMs, period. Everything else, from groceries to gas to Amazon, goes on the credit card, which we keep paid off. The credit card has been skimmed a couple times, once at a gas pump, once at a parking garage. We had to change numbers, sure, but we weren't out any money and life went on as usual.
posted by xedrik at 11:50 AM on September 2, 2014 [7 favorites]

~Why on earth do we put the burden of fraud detection on the consumer?
Think carefully. Who is at the bottom of the economic food chain?


~Why isn't step 1, "Organize a class-action lawsuit against your bank"?
By using this card, you agree to binding arbitration...
posted by Thorzdad at 12:02 PM on September 2, 2014 [16 favorites]

Compromised terminals will quite happily take the banking details that the chip spits out and the PIN you just pushed in and let you turn them into a magstripe card with a known pin.

Unless you were *REALLY DUMB* and set your EMV PIN identical to your ATM PIN, this isn't true. Yes, you can generate a magstripe card, but the EMV PIN is useless for that, because magstripe cards are not PIN validated except at ATM machines, and that's (supposed to be) a different PIN.

No magstripe transaction is EMV, period. No chip, no EMV.

If you set your ATM PIN different, then a magstripe card can only make non EMV signature charges, which you can challenge easily. If you set it the same, then the bad guys can use that to withdraw money, but again, it's going to show as a non-EMV charge, but still, don't do that, set the ATM PIN differently than the EMV PIN and the most you can get from a compromised terminal is the info to create a magstripe card.

So far, nobody has shown that they could *clone* an EMV chip, even with full control of the terminal. If they did, EMV would be as useless as magstripe, security wise. All the C&P breaks involve forcing the transaction offline or to a non-EMV transaction. PIN capture on EMV is just as easy as PIN capture on anything else, but until we can put the PIN entry onto the card rather than on the terminal, there's simply no way to fix that.

So, guard your card, and if the bank tries to foist the charge off you, ask them for the full EMV details -- and check your local laws, because….


Why on earth do we put the burden of fraud detection on the consumer?

In most countries, it isn't. The burden of proof on an EMV transaction in the UK has been on the bank since Nov. 1st, 2009 and on a non-EMV transaction since 1979. Yes, before, they got to shove the liability onto the customer, but now they are explicitly barred from doing so. In the US, EMV is Just Another Credit Transaction, and the burden of proof is on the bank, just like any other credit card transaction. Most other countries are similar.
posted by eriko at 12:04 PM on September 2, 2014 [8 favorites]

Chip and PIN isn't safe. Compromised terminals will quite happily take the banking details that the chip spits out and the PIN you just pushed in and let you turn them into a magstripe card with a known pin.

Yes, except that a magstripe card is of no use to you if all the ATMs installed accept only chip-based cards - as is the case here in Europe.

Guess where ATM skimmers relay their data to when they operate in Europe?
That's right, to the US, the place that never fails to confound.
posted by oxidizer at 12:07 PM on September 2, 2014

That said, the real solution should be on the bank's side, and is probably technological -- asking customers to detect skimmers is, in the long run, both unreasonable, impractical, and unfair.

Commerce Bank in Missouri has a very clever system. They put colored seals around the keypad and reader. When you put your card in, a picture of the seals comes up and it asks "Do the seals match?"

They also change them fairly frequently. I had one ATM there where the seals were blue but the picture had yellow seals, so I went in and pointed that out. They pulled the plug on the ATM. I asked later, turns out that, yes, someone had just forgotten to update the picture, but they still pulled the ATM out of service and tore it down.

Now, if the bad guys get into the ATM's computer and change the picture to match the seals they put on after installing a skimmer, you lose. But if they can get into the computer, they'll probably just turn on the money dispenser, right?

How did I spend half a grand last month in liquor stores?

You read that thread about drinking being good for you?
posted by eriko at 12:14 PM on September 2, 2014 [8 favorites]

"Credit card fraud in the US might be hindered by forthcoming chip-and-PIN implementation, a mere 23 years after it was implemented for all of France (Google books preview)."

Eighteen years ago, I worked for Schlumberger here in the states at their Austin Research Campus (now an actual college campus) where they were doing a little of their smartcard work, and it was sort of taken for granted that the US would move to smartcards soon. Heh.

"Take a close look at the keypad. Try to see if there is a fake overlay on top of it."

So, back in the late sixties, when my mom had just started working at the bank in the small town we'd moved to when I was very young, one night someone just put together a big square metal box thing, put a label on it saying it was the night deposit box, and placed it in front of the actual night deposit box at the bank. A lot of merchants put their deposits into it that night and the thieves just came back and picked the thing up before the bank opened in the morning.
posted by Ivan Fyodorovich at 12:16 PM on September 2, 2014 [10 favorites]

Yes, except that a magstripe card is of no use to you if all the ATMs installed accept only chip-based cards - as is the case here in Europe.

Most of the UK readers are also magstripe compatible, and I'll bet that's true over most of Europe, thanks to the US.

Spotting Americans is easy. "What do I do with this?" Now that US banks are issuing Chip&Sign cards, it's a little easier. You put the card in the same way, but rather than the terminal asking for a PIN, it just prints the paper out for the signature. Had no trouble in the UK last time I was there with it.

Why Chip & Sign? Because America. But really, until we get Chip&PIN readers rolled out in the US, Chip & PIN just doesn't work.
posted by eriko at 12:18 PM on September 2, 2014

Most of the UK readers are also magstripe compatible

I was recently in the UK and it was painful trying to pay for things with an American credit card. I wasted 15 minutes trying to buy an oyster card for the tube at a machine. No notice anywhere that it wasn't magstripe compatible. Just unhelpful errors about not being able to read the card.
posted by bhnyc at 12:26 PM on September 2, 2014 [2 favorites]

If you live in the USA, the first thing you should do is ask you bank for a straight debit card with no Visa or Mastercard functionality. With a hybrid card you get the worst of both worlds -- easy stripe copying, no PIN needed for transactions, and lots more personal liability for fraud on your part. But the banks like getting fat credit-card % profits on purchases without any added liability, so they have become the default card given out.
posted by benzenedream at 12:26 PM on September 2, 2014 [1 favorite]

Most of the UK readers are also magstripe compatible, and I'll bet that's true over most of Europe, thanks to the US.

Implementing a chip card system and then allowing magstripe cards anyway would be a dumb move indeed.

While European ATMs will accept magstripe, they won't accept them from any country/region that has implemented a chip based system. And that is, at least to the extent of my knowledge, the case for Europe^*.

^* too lazy to look it up and make sure.
posted by oxidizer at 12:29 PM on September 2, 2014

Credit card fraud in the US might be hindered by forthcoming chip-and-PIN implementation

But the US isn't going with chip and PIN. Instead, they're going with the less secure chip and signature method. The only benefit I've found (over magstripe) seems to be that it's harder to clone a chip than a magstripe.

I want chip and PIN but can't get it. It's frustrating.
posted by dcormier at 12:52 PM on September 2, 2014 [2 favorites]

I tend to get cash back at the grocery store. Seems safer.

Nope.
posted by empath at 12:52 PM on September 2, 2014 [1 favorite]

The way it was explained to me was that the places in Europe that are least likely to accept magstripe cards are standalone terminals, due to the perceived cost of having a 24/7 network connection. In those locations, a payment terminal would be able to validate cards independently, then squirt up a batch of transactions in one cheap connection out (maybe even over a POTS line?).

(Unfortunately, those locations tend to be places that travelling Americans care about a lot, like buying train tickets from a machine or using self-service gas pumps.)

Then I read here (linked from the last article in this post):

EMV standards call for cards to be authenticated to a payment terminal or ATM by computing several bits of information, including the charge or withdrawal amount, the date, and a so-called “unpredictable number”. But researchers from the computer laboratory at Cambridge University say they discovered that some payment terminals and ATMs rely on little more than simple counters, or incrementing numbers that are quite predictable.

“The current problem is that instead of having the random number generated by the bank, it’s generated by the merchant terminal,” said Ross Anderson, professor of security engineering at Cambridge, and an author of a paper being released this week titled, “Chip and Skim: Cloning EMV cards with the Pre-Play Attack.”

Which seems to lead back to the scenario that was described to me before: someone is implementing a gas pump. You can't contact the bank for the "unpredictable number" on every transaction, so you write your own system to generate them. Some of the implementers do this badly and/or lazily, and that opens a big security hole.

There might or might not be a correlation there, but it did seem interesting to think about.
posted by gimonca at 12:55 PM on September 2, 2014

I remember when skimming was big in the news about 8 years ago, when I was on digg.com and the consumerist every day. Well, this is yet another reminder that I gotta get my family on credit cards.
posted by rebent at 1:21 PM on September 2, 2014 [1 favorite]

"If you live in the USA, the first thing you should do is ask you bank for a straight debit card with no Visa or Mastercard functionality. With a hybrid card you get the worst of both worlds -- easy stripe copying, no PIN needed for transactions, and lots more personal liability for fraud on your part. But the banks like getting fat credit-card % profits on purchases without any added liability, so they have become the default card given out."

Huh? That's the opposite of what you should do. If you have a debit card and need to use them for transactions always select "credit" when asked "debit or credit?" because if you select "credit" you get all the legal protections that come along with credit cards but if you select "debit" and your card number and pin get stolen then there's no legal requirement for the bank to get you your money back.
posted by I-baLL at 1:30 PM on September 2, 2014

One of my credit cards has an online widget that generates throwaway credit card numbers, tied to your main card, that you can use while shopping online, complete with security code and a credit limit and expiration date that you specify. It's incredibly useful and annoyingly downplayed by the website; you have to log in then click through 3-4 screens to find it in a nondescript gray box.

It would be handy though likely impractical to have a similar feature for brick-and-mortar shopping, maybe through a phone app or a little charge card like the gift cards sold at checkout counters.
posted by nicebookrack at 1:33 PM on September 2, 2014 [1 favorite]

FYI from a retail perspective: one reason that banks/credit card companies want you to charge transactions as a CC instead of debit is that the banks charge merchants more to process CC transactions. At my old store, the charges were a fixed rate for debit transactions vs the fixed rate + % of the amount charged for CC transactions. At a big retailer like Target this is no big deal, but it can be murder on small businesses.

Now how/if this relates to the extra security offered for CC, I have no idea. Does the bank charge merchants more for CC to recoup the losses they have for extra consumer protection on CC? Or does the bank offer extra protection on CC to encourage consumer to use CC so the bank can charge merchants more? Or something else?
posted by nicebookrack at 1:45 PM on September 2, 2014 [3 favorites]

PIN capture on EMV is just as easy as PIN capture on anything else, but until we can put the PIN entry onto the card rather than on the terminal, there's simply no way to fix that.

There are ways of getting around that. In fact, we've already gotten around it in the way that mobile phones work. If you were to have a cryptoprocessor that exposes only a "sign payment" function using an authentication key built into the cryptoprocessor.

They didn't manage to clone SIM cards during the first decade of GSM and then only because they were finally mathematically able to brute force the authentication key out of the card.

By selecting the proper values of RAND, an attacker can eventually determine the value of Ki by examining the SRES collisions. Using a smart card reader and some custom software, in April of this year the researchers demonstrated this attack by extracting the secret key from a Pacific Bell SIM in about eight hours. Their software repeatedly requested that the SIM execute the COMP128 authentication algorithm and examined the results, slowly piecing together the value of Ki. Once they had the secret key they copied it into another SIM card and effectively cloned a GSM phone.

With a properly implemented algorithm rather than a breakable collision prone hash we could have cards stupidly resistant to cloning. And then you'd at least need the physical card even if you had the PIN which makes it a hell of a lot easier to deter fraud.
posted by Talez at 1:47 PM on September 2, 2014

Bonus: breach suspected at Home Depot.

:( Let's see if I'll get two new credit card numbers in less than one year.

http://www.usatoday.com/story/tech/2014/09/02/home-depot-credit-cards-hack-russia-ukraine/14972179/

The breach could have begun in late April or early May of this year, Krebs reported.

If that is true, this incident could dwarf the Target breach, in which 40 million credit and debit accounts were compromised over a three-week period.

"This latest batch of cards is for sale from the same underground store that sold cards from P.F. Chang's and Target," said Trey Ford, a security strategist at Rapid7, a Boston-based computer security company.

Home Depot spokeswoman Paula Drake said she could only "confirm that we're looking into some unusual activity, and we are working with our banking partners and law enforcement to investigate."

The data put up for sale were labeled "American Sanctions."

Krebs interpreted the name "as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine."

Stolen information from cards issued by European banks that were used in Home Depot stores was sold separately and labeled "European Sanctions," Krebs reported.


Thanks, Putin (and U.S. card issuers)!!
posted by longdaysjourney at 1:54 PM on September 2, 2014

It should be almost equivalent, nicebookrack. The default should be that to authorize a transaction, your card has to communicate and authenticate with your bank, asking it to communicate with the merchant's computer to tell it that the requested payment has gone through. That way, every transaction would be unique and essentially have its own number. All communication between bank and card would be encrypted.

So it would go something like:

Card: Hello terminal, what do you want?
Terminal: $200 to pay for shoes, transaction number XXXX, merchant number YYYY
Card: Hey Bank, you there?
*Bank and Card establish a secure channel, authenticating each other*
Card: Bank, please give Merchant YYYY $200 for shoes, transaction YYYY.
Bank: OK
*Bank establishes a secure channel to Terminal*
Bank: Hey terminal, here's $200 for shoes, transaction YYYY.

The Terminal doesn't actually need to know the Card's identity, just that Bank is Bank and has authorized the transaction (the transaction number would be calculated from a number chosen by Terminal and another chosen by Card).

The main issue then becomes how to prevent Terminal from skimming the PIN, not the whole card (it still needs to be protected; you can get information out of a smartcard (like the secret key it uses to prove that it is Your Card) if you have access to it).

One suggested approach is to add a keypad on the card itself.

Smart cards are not immune to wholesale skimming: they are still electrical devices and small computers that can be screwed with. There have been practical attacks that were able to get the content of a card, but now manufacturers include countermeasures. It's possible (very likely) that newer attacks could counter the current countermeasures.
posted by Monday, stony Monday at 2:00 PM on September 2, 2014 [1 favorite]

Sorry if this has already been referenced; too lazy to read everything. This was a pretty good summary of how things stood as of last December; nothing's changed as far as I know:

All Tech Considered (NPR) Podcast on Chip 'N Pin

Outdated Magnetic Strips: How U.S. Credit Card Security Lags
by ALAN YU
December 19, 2013 5:34 PM ET
posted by randomkeystrike at 2:10 PM on September 2, 2014

exogenous: For those in a position to use credit cards, they offer much better consumer protection than debit cards.

xedrik: Exogenous has it. My debit card was compromised a few years ago, and over $3k was stolen from my checking. Meanwile I've got the mortgage check in the mail, bills to pay, and zero cash to do it. ... The credit card has been skimmed a couple times, once at a gas pump, once at a parking garage. We had to change numbers, sure, but we weren't out any money and life went on as usual.

Oh, hey! Another hidden cost of being poor.
posted by amtho at 2:29 PM on September 2, 2014

Yeah, I was considering the possibility earlier today that Russian hackers (or really any state-backed hacker group) could destroy the us banking system if they really wanted to. And what would our response be? I wonder how much economic pressure we could put on Putin before he decided to launch a cyber first-strike.
posted by empath at 2:32 PM on September 2, 2014

Ivan Fyodorovich: A lot of merchants put their deposits into it that night and the thieves just came back and picked the thing up before the bank opened in the morning.

We had one of those in Edmonton when I was young. According to the papers at the time, the guy would have got away with it if he hadn't tried to get on a plane for Mexico the next morning.

--

As a counter example, my debit card got skimmed a couple of years ago in Vancouver. The following weekend I got a call from the bank (National Bank of Canada (a Quebec bank, not a "National" anything, in spite of the name)) saying, "We've seen two $500 transactions on your card in Montreal, have you been there in the last 48 hours?" I said no, and that was the last I heard about it.

I don't know about other Canadian banks, but I was impressed by their diligence. Friends from India have made the case a couple of times that credit cards are more secure because the cc company has a clear incentive to protect customers they've worked hard to gain, and plan to earn considerable money from, as opposed to banks who simply offer a place to keep your money. Which makes sense, maybe more in some places than others.
posted by sneebler at 3:02 PM on September 2, 2014

I wonder how much economic pressure we could put on Putin

The answer to that is the same answer given to Arthur Dent about how much damage the bulldozer would suffer if it ran over him.

None at all.

The US of A gets a cut of the action by being the global currency just the The Pound was the Pound world round at one point.

When oil and other goods stop being settled in Dollars that will hurt FAR more than any 'pressure on Putin'.

And why is the credit/debit card situation the way it is? Because someone makes coin for being the middleman. Make noise about changing that middleman vampire role and change will happen.
posted by rough ashlar at 3:13 PM on September 2, 2014

And why is the credit/debit card situation the way it is? Because someone makes coin for being the middleman. Make noise about changing that middleman vampire role and change will happen.

The thing is, payments have to be settled in one way or another. Even Bitcoin, the raison d'être of the anarcho-capitalist libertarian cyberutopia gives away the specie to people to act as the collective middlemen of the network and propagate the transactions once the initial gold rush is over.

For a business settling in cash this involves security of the physical object. Do you risk it being pillaged? Do you risk transporting it to the a secure facility? Do you pay an armed someone to transport it to the bank? Do you buy an insurance policy on that transition to a secure facility for your cash?

For electronic commerce eventually the cash gets settled in one form of another. It's just hidden under so many layers of abstraction that it's hard to remember. If the bank has excess vault cash that needs to be transported to the fed eventually. If it's at the fed it might need to all come back out eventually.

As much as we like to rail against "middlemen", they provide a very important service. One that's so ubiquitous that it often appears to be trivial. But even Visa still made only 2 billion last year on 10 billion in revenue. That means it required 8 billion that year to run a global payment network on the scale of Visa. That's a number much larger than zero.
posted by Talez at 5:54 PM on September 2, 2014

Could this be the most eponysterical post on mefi ever?
posted by telstar at 10:17 PM on September 2, 2014 [1 favorite]

(a Quebec bank, not a "National" anything, in spite of the name)

You take that back! Banque Nationale is the most perfect expression of French Canadian business nationalism!
posted by Monday, stony Monday at 8:17 AM on September 3, 2014

The last ATM I used had a translucent green card slot with a light inside of it. I assume this is to make it easier to see if anything suspicious has been added to the card slot.

Why isn't this more common?
posted by yohko at 6:28 PM on September 3, 2014

Probably for the same reason that I reported a malfunctioning cathode-ray tube screen on an ATM earlier this year, and the same reason my credit union took out the ATMs it had on my block a few years ago.
posted by Monday, stony Monday at 6:56 AM on September 4, 2014