Geekzone: technology news, blogs, forums
richms
25280 posts

Uber Geek

Trusted
Subscriber

  #991332 20-Feb-2014 19:23

Well it makes sense that they would render the card socket broken so they could get the card swiped thru the machine.




Richard rich.ms

Kyanar
3460 posts

Uber Geek

Trusted
Subscriber

  #991379 20-Feb-2014 20:24

andrewNZ:
richms: I've had my chip card not work in a few dodgy places recently and the machine request a swipe. Always seemed dodgy. One was Maccas at Wairau in the drive thru. Another was bok mart in Mt Eden and another was the Kwik e mart at Auckland hospital.

Since my debit card's magnetic stripe is unreadable I ended up paying with money rather than using my barely working old yellow swipe only eftpos card.

My understanding of this is that the machines can actually go offline and still take payments, but can't use the chips to do it. Once it goes online again, it processes the transactions. I believe there's an agreement that the banks will honour transactions up to a certain value regardless.


Yup, EOV.  And if all else fails, then the merchant can record the details on (!!!) paper and submit paper vouchers to their provider as well.

andrewNZ
2487 posts

Uber Geek
Inactive user


  #991742 21-Feb-2014 11:56

Kyanar:
andrewNZ:
richms: I've had my chip card not work in a few dodgy places recently and the machine request a swipe. Always seemed dodgy. One was Maccas at Wairau in the drive thru. Another was bok mart in Mt Eden and another was the Kwik e mart at Auckland hospital.

Since my debit card's magnetic stripe is unreadable I ended up paying with money rather than using my barely working old yellow swipe only eftpos card.

My understanding of this is that the machines can actually go offline and still take payments, but can't use the chips to do it. Once it goes online again, it processes the transactions. I believe there's an agreement that the banks will honour transactions up to a certain value regardless.


Yup, EOV.  And if all else fails, then the merchant can record the details on (!!!) paper and submit paper vouchers to their provider as well.

I've had to participate in this about 15 years ago. 
We went to the supermarket and EFTPOS went down as we got to the checkout. The girl had never done it before and, long story short, she screwed it up (I even pointed it out) and we never got charged.

We were pretty poor, and $130 worth of free groceries was awesome.



sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #991983 21-Feb-2014 20:35

Word on the street is a massive compromise involving all banks. It'll be very interesting to see where this goes in two to three weeks' time when somebody in the media finally picks up on it...



jourdant
44 posts

Geek


  #991984 21-Feb-2014 20:38

I got hit with this two days ago... unfortunately my visa debit card was still without a chip.

Strangest thing was that the Kiwibank anti-fraud system didn't do anything to block it. I have no idea at what point the card was skimmed (I don't use ATMs so it had to be EFTPOS). But the account was completely emptied in $99 amounts from an ATM in India...

 

Having used my card in the morning (EFTPOS machine), surely the Kiwibank anti-fraud system should have known it would be impossible for me to then withdraw cash from a country further away than the time that passed!? It would make sense that it was a little relaxed with all my online orders from around the world. But surely it should have seen the fact it was an ATM!? Especially since I was charged the currency conversion and international ATM charges, haha.

On top of that, I was told that I now had to wait for the investigation to be complete before the funds could possibly be returned.
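
The "impossible travel" check this post expects from a bank's fraud system, sketched as an added example (not part of the original post and not any bank's actual logic). The speed ceiling, the coordinates and the sample transactions are constructed assumptions; online orders are treated as card-not-present and left out of the geographic comparison, as the post suggests.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 1000.0   # assumed ceiling, roughly airliner cruise speed
MIN_KM = 50.0      # ignore short hops between nearby terminals

@dataclass
class Txn:
    when: datetime      # UTC
    lat: float
    lon: float
    card_present: bool  # False for online (card-not-present) purchases
    desc: str

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(a.lat), radians(b.lat)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b.lon - a.lon) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(txns):
    """Flag consecutive card-present transactions whose implied speed exceeds MAX_KMH.
    Online orders are skipped: they say nothing about where the card is."""
    present = sorted((t for t in txns if t.card_present), key=lambda t: t.when)
    alerts = []
    for prev, cur in zip(present, present[1:]):
        km = km_between(prev, cur)
        hours = (cur.when - prev.when).total_seconds() / 3600
        if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
            alerts.append((prev.desc, cur.desc, round(km)))
    return alerts

# Constructed sample: EFTPOS in Auckland, an overseas online order, then ATM
# withdrawals three hours later (Mumbai coordinates are an assumption).
SAMPLE = [
    Txn(datetime(2014, 2, 18, 20, 0), -36.85, 174.76, True, "EFTPOS Auckland"),
    Txn(datetime(2014, 2, 18, 21, 0), 47.61, -122.33, False, "online order US"),
    Txn(datetime(2014, 2, 18, 23, 0), 19.08, 72.88, True, "ATM India #1"),
    Txn(datetime(2014, 2, 18, 23, 5), 19.08, 72.88, True, "ATM India #2"),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE):
        print("ALERT", a)
```

Only the first ATM withdrawal is flagged; the repeat withdrawals at the same machine would need a separate rule, such as a count of same-amount withdrawals in a short window.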

Fred99
13684 posts

Uber Geek


  #991985 21-Feb-2014 20:41

There's something that I don't get about the original post.
Presumably, the skimmer sets up a hardware stripe reading skimmer and camera (to capture PIN), or a malware infected POS terminal. They need access to the POS site (I hope - as if they can do it remotely - then we're in serious trouble)
The banks clearly have systems in place - to intercept unusual transactions and block the card - such as happened. In that case - it wouldn't be hard to identify, and the bank is liable for losses over $50 (in NZ?), so surely they'd err on the side of safety - to protect their own interests.
The skimmers can't be complete fools - they have to plan and set it up. So why would they use skimmed card data for transactions bound to fail? Avoiding detection for as long as possible would be in their interests - so wouldn't discreet use, overnight, to withdraw cash from EFTPOS bank terminals close to the geographic location where the cards were skimmed be the way to go?

This thread kind of bothers me. I'm determined now not to use my EFTPOS only swipe cards, but chipped credit cards with PIN only, plug-in rather than swipe, and hyper-vigilant about protecting my PIN. But in the case of a malware infected terminal, can they extract enough data to produce a fake Eftpos swipe card to access other accounts linked to on the chipped card?

tardtasticx

3032 posts

Uber Geek


  #991995 21-Feb-2014 20:51

Fred99: There's something that I don't get about the original post.
Presumably, the skimmer sets up a hardware stripe reading skimmer and camera (to capture PIN), or a malware infected POS terminal. They need access to the POS site (I hope - as if they can do it remotely - then we're in serious trouble)
The banks clearly have systems in place - to intercept unusual transactions and block the card - such as happened. In that case - it wouldn't be hard to identify, and the bank is liable for losses over $50 (in NZ?), so surely they'd err on the side of safety - to protect their own interests.
The skimmers can't be complete fools - they have to plan and set it up. So why would they use skimmed card data for transactions bound to fail? Avoiding detection for as long as possible would be in their interests - so wouldn't discreet use, overnight, to withdraw cash from EFTPOS bank terminals close to the geographic location where the cards were skimmed be the way to go?

This thread kind of bothers me. I'm determined now not to use my EFTPOS only swipe cards, but chipped credit cards with PIN only, plug-in rather than swipe, and hyper-vigilant about protecting my PIN. But in the case of a malware infected terminal, can they extract enough data to produce a fake Eftpos swipe card to access other accounts linked to on the chipped card?


Well I got a call from the ASB fraud team this morning, and asked them just that. I asked if I used a Visa Debit or MasterCard with dual-access, would it be safe from these attacks? She said no, as they can still read the data from the chip, and use the card in the US instead, where chip and PIN cards are nearly unheard of. They would simply clone it onto a blank, chipless EFTPOS, Credit or Debit card.

It seems believable too, the people that do those sorts of things are one step ahead all the time. Chip cards would be safer though, much safer than a normal EFTPOS. But it still isn't foolproof.

edit: Also, I would assume the scammers would have multiple fake cards to try at once. One is bound to work eventually, as the bank won't pick up 100% of those cases, as evidenced by a previous poster about his account being drained in India.




Bachelor of Computing Systems (2015)

 

--

 

Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland 




sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #991996 21-Feb-2014 20:54

Fred99: There's something that I don't get about the original post.
Presumably, the skimmer sets up a hardware stripe reading skimmer and camera (to capture PIN), or a malware infected POS terminal. They need access to the POS site (I hope - as if they can do it remotely - then we're in serious trouble)


99% of attacks are not infected POS terminals, they're compromised EFTPOS terminals. McDonalds in AU were compromised massively a couple of years ago, and Burger Fuel in Queen St had their EFTPOS terminal compromised in what was one of the first such cases in NZ.


Fred99
13684 posts

Uber Geek


  #992002 21-Feb-2014 21:01

tardtasticx:
edit: Also, I would assume the scammers would have multiple fake cards to try at once. One is bound to work eventually, as the bank won't pick up 100% of those cases, as evidenced by a previous poster about his account being drained in India.


Yes but unless the scale/number of compromised terminals is huge, then multiple rejections from cards will be able to be data matched back to one terminal, and the banks could close down every card which has used that terminal quickly.  It might inconvenience many customers - but banks would far rather inconvenience customers than lose money.

Edit : afterthought on that.  If they set it up well, skim thousands and thousands of cards at high transaction number popular sites, sit on the data and wait before launching a large attack, even if the success rate per skimmed card isn't high, data matching by the banks to identify compromised terminals would be very hard.

So if what's reported by people above is true, then that leads me to believe that the suggestion that there is a major breach going on right now (involving so many compromised terminals that data matching would be difficult) may be true.
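
The data matching described in this post is usually called common-point-of-purchase analysis. The following is an added sketch, not part of the original post and not any bank's actual method; the terminal names, card ids, dates and thresholds are constructed assumptions. It also shows the post's afterthought: when skimmed data is held for weeks, a short lookback window no longer contains the compromised terminal.

```python
from collections import defaultdict
from datetime import date, timedelta

def common_points(history, fraud_cards, as_of, lookback_days, min_fraud=3):
    """Rank terminals by lift: the share of fraud-reported cards among cards
    seen at the terminal inside the window, divided by the overall fraud share.
    history is a list of (card_id, terminal_id, date)."""
    start = as_of - timedelta(days=lookback_days)
    seen = defaultdict(set)
    for card, terminal, day in history:
        if start <= day <= as_of:
            seen[terminal].add(card)
    base = len(fraud_cards) / len({card for card, _, _ in history})
    ranked = []
    for terminal, cards in seen.items():
        hits = len(cards & fraud_cards)
        if hits >= min_fraud:  # too few hits is noise, not a pattern
            ranked.append((terminal, hits, len(cards), round(hits / len(cards) / base, 2)))
    return sorted(ranked, key=lambda r: (-r[3], r[0]))

# Constructed data: 12 cards; T-BURGER is the hypothetical compromised terminal.
AS_OF = date(2014, 2, 21)
CARDS = [f"c{n:02d}" for n in range(1, 13)]
HISTORY = (
    [(c, "T-BURGER", AS_OF - timedelta(days=40)) for c in CARDS[:5]]
    + [(c, "T-SUPER", AS_OF - timedelta(days=3)) for c in CARDS]
    + [(c, "T-FUEL", AS_OF - timedelta(days=5)) for c in ("c03", "c07", "c08", "c09")]
)
FRAUD = {"c01", "c02", "c03", "c04"}

if __name__ == "__main__":
    print(common_points(HISTORY, FRAUD, AS_OF, lookback_days=14))
    print(common_points(HISTORY, FRAUD, AS_OF, lookback_days=60))
```

With a 14-day window only the busy supermarket terminal appears, at a lift of 1.0 (no better than chance); widening the window to 60 days surfaces T-BURGER at a lift of 2.4.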

blakamin
4431 posts

Uber Geek
Inactive user


  #992008 21-Feb-2014 21:13

sbiddle: Word on the street is a massive compromise involving all banks. It'll be very interesting to see where this goes in two to three weeks' time when somebody in the media finally picks up on it...




Funny you mention that... @ANZ_AU tweeted today all ATMs will be offline next Tuesday between midnight and 6am....

sonyxperiageek
2855 posts

Uber Geek

Trusted

  #992077 21-Feb-2014 22:39

So if your card does get skimmed and money was taken out, then I'm sure the bank will reimburse you.. right?




Sony

 

--

 



Archer77
131 posts

Master Geek


  #992147 22-Feb-2014 06:24

http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11207499
 
This Geekzone thread has been picked up by the Herald, not that they mention Geekzone.

AidanS
458 posts

Ultimate Geek


  #992156 22-Feb-2014 07:28

Is it safe to say that cards with "insert chips" in them, are safe from this skimming activity?

Or do I just have a false sense of security?

If anyone knows for sure, that'd be great :)

-A.

sonyxperiageek
2855 posts

Uber Geek

Trusted

  #992162 22-Feb-2014 08:12

I wonder if PayWave can be "skimmed"?




Sony

 

--

 



sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #992163 22-Feb-2014 08:21

AidanS: Is it safe to say that cards with "insert chips" in them, are safe from this skimming activity?

Or do I just have a false sense of security?

If anyone knows for sure, that'd be great :)

-A.


Yes and No.

ATMs don't read the chip, they still use a MSR. Skimming devices fitted to an ATM are also designed to read the mag stripe as the card is inserted, so if the card has a mag stripe on it, it can be skimmed still.

EFTPOS terminals are another story entirely. EMV has been partially cracked due to a flaw in the encryption protocol, meaning a compromised EFTPOS terminal (i.e. typically one that has been replaced by a compromised terminal running the hx8ors firmware) could theoretically be capable of logging the card data and PIN but there are a lot of buts and assumptions and very little evidence to suggest such hacks have occurred in the wild yet.

There are also many things banks do which can further limit cloning. I believe all banks in NZ are using DDA, and BNZ's liquid encryption which will update the key on your card every time you use it in a BNZ ATM is a very cool solution.


