Geekzone: technology news, blogs, forums
I iz your trusted friend
5787 posts

Uber Geek
+1 received by user: 137

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 828700 31-May-2013 11:31

Be aware, the cards provided by the banks are the banks' property... Do pay attention and read the Terms and Conditions.




Internet is my backyard...

 

«Geekzone blog: Tech 'n Chips Takeaway» «Personal blog: And then...»

 

Please read the Geekzone's FUG

 


1434 posts

Uber Geek
+1 received by user: 150


  Reply # 828701 31-May-2013 11:35
2 people support this post

Does anyone else dislike that ad on TV? It makes everyone look like a robot, very de-humanising!

15 posts

Geek


  Reply # 828781 31-May-2013 12:38

I'm concerned about neither. The bank's got my back.


Ever had a fraudulent transaction? They may have your back but it's a real pain in the arse.

My company AMEX got cloned whilst on a business trip and I had all sorts of low value transactions on it (I did not know AMEX also does one factor authentication with a swipe). Fortunately as it's my company AMEX I had kept all the receipts so I could claim my expenses, otherwise I would have had little proof that the three to four low value transactions per day (mainly Starbucks and other eating places) were not mine.

You have to prove you did not make the transaction, otherwise I could go on a business trip and just get all low value transactions voided.

They will not accept that I never drink Starbucks' crap coffee :-(

Awesome
4799 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

  Reply # 828784 31-May-2013 12:49

trevor:

Ever had a fraudulent transaction? They may have your back but it's a real pain in the arse.



Yep, I've had two cards compromised in the last 5 or 6 years. In both cases they were not the result of an intercept, but simply a guess at the card number/expiry.

The Luhn algorithm can be used to very easily generate a list of valid credit card numbers. Especially with well known and published card BIN ranges available online.

If somewhere doesn't require a CVV, they then have about a 1/36 chance of getting your expiry right (based on a typical card life of 3 years). 1/36 is pretty damn good odds!

Basically the only way for my CVV to be compromised is by someone actually reading it off the card. It can't be skimmed or electronically read from the card. Therefore, retailers requiring CVV basically solves both the guessing of card numbers and the card cloning issue.

So, again. Really not worried. Cards get compromised, and it's much more likely to be a guess at your card number than a physical compromise.




Twitter: ajobbins


3 posts

Wannabe Geek
+1 received by user: 6


  Reply # 828929 31-May-2013 18:20
6 people support this post

Ok, there are a number of things that never seem to get mentioned in these threads, so let's clear up some facts. This information comes from my time as a fraud analyst at a NZ bank, a position I vacated only recently, so this info is as up to date as any you will get.

 

The idea that you can use NFC to just skim a card and then make transactions is crap.

 

1: All big NZ banks have fraud detection systems in place. These systems work well.

2: Skimming via NFC will grab a copy of the current data on the card. To the best of my knowledge all newly issued NFC-enabled cards in NZ support DDA (dynamic data authentication) which means that each time the card is used, the data updates. So the data that is skimmed is good for precisely one $80 transaction. The return on investment simply doesn't make it worthwhile to conduct fraud in this fashion.

3: Whilst it is frequently reported that you can skim data via NFC and use it to make purchases online, this will not be possible once the card scheme mandates requiring CVV authentication on all card-not-present transactions take effect. If I remember correctly, this is sometime next year. The reason being, the CVV that is skimmed via NFC is not (or at least should not be) the same as the one on the back of the card.

4: The banks wear liability for fraudulently conducted transactions (per terms and conditions and scheme rules) made via NFC. It is not difficult to make a fraud report, and I would be surprised if you were to receive a run-around regarding transactions. In the vast majority of circumstances, you would not be required to provide “proof” that you didn’t make the transactions.

 

Some general thoughts on card fraud.

Approx. 80+% of fraud attempted on cards is card-not-present fraud. Fraud resulting from the theft of cards is tiny, generally something like 7% of all attempted fraud. Counterfeit fraud is at similar levels.

The idea that removing the requirement for a PIN or signature will increase fraud is only based on a lack of understanding of the reality of the criminal landscape. Simply put, a magstripe transaction without a PIN is less secure than an NFC transaction without a PIN. While an NFC transaction with a PIN would be more secure, the convenience is vastly more worthwhile.

The idea of customers being able to customise this stuff is not reasonable in most situations. It creates an arbitrary level of complication and would delay the authentication of transactions massively. Whilst it might be technically possible, it would be a massive cost for something the vast majority of customers would not use. Honestly, your bank could spend the tens (if not hundreds) of millions to make a system capable of doing this. Wouldn’t it be better to have them actually creating useful products for a significant portion of their customer base?

Ajobbins: I would be exceedingly surprised if your cards were compromised as the result of a brute force (BIN) attack. It is very easy to detect these kinds of attacks and consequently, they are very rare (in over 4 years, I saw one or two and they were abject failures). It is more likely that it was compromised at a merchant that you had used and had subsequently been hacked.

 

Happy to try and answer any questions people may have.
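As an illustration of why the guessing attacks discussed in this thread are easy to spot from the issuer's side, here is an added example (not part of any post and not any bank's actual system) that flags two patterns in a batch of authorisation records: many distinct cards from one BIN declined at a single merchant, and one card tried with many expiry dates. The record layout, tokens, merchant IDs and thresholds are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample authorisation log: (merchant, bin, card_token, expiry, approved).
# Tokens stand in for card numbers; no real card data is involved.
SAMPLE_AUTHS = (
    [("M-901", "400000", f"tok{i:03d}", "0615", False) for i in range(12)]
    + [("M-901", "400000", "tok777", f"{m:02d}14", m == 9) for m in range(1, 10)]
    + [("M-112", "400000", "tok500", "0316", True),
       ("M-112", "400000", "tok501", "1115", True),
       ("M-112", "510000", "tok502", "0814", False)]
)

def detect_enumeration(auths, min_cards=10, min_decline_rate=0.8, max_expiries=3):
    """Return alerts for two guessing patterns in one time window of auths.

    bin_sweep:    one merchant presents many distinct cards from a single BIN
                  and nearly all are declined (card-number guessing).
    expiry_sweep: one card is tried with many different expiry dates
                  (expiry guessing where no CVV is required).
    Thresholds are illustrative assumptions, not scheme or bank values.
    """
    by_bin = defaultdict(lambda: {"cards": set(), "total": 0, "declined": 0})
    expiries = defaultdict(set)
    for merchant, bin_, token, expiry, approved in auths:
        stats = by_bin[(merchant, bin_)]
        stats["cards"].add(token)
        stats["total"] += 1
        stats["declined"] += not approved
        expiries[(merchant, token)].add(expiry)

    alerts = []
    for (merchant, bin_), s in sorted(by_bin.items()):
        rate = s["declined"] / s["total"]
        if len(s["cards"]) >= min_cards and rate >= min_decline_rate:
            alerts.append(("bin_sweep", merchant, bin_, len(s["cards"]), round(rate, 2)))
    for (merchant, token), seen in sorted(expiries.items()):
        if len(seen) > max_expiries:
            alerts.append(("expiry_sweep", merchant, token, len(seen)))
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_AUTHS):
        print(alert)
```

The ordinary merchant in the sample (M-112) raises nothing, even though one of its authorisations was declined, because neither the distinct-card count nor the expiry count crosses a threshold.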

26647 posts

Uber Geek
+1 received by user: 6151

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 829024 31-May-2013 20:32

It's good to see somebody with knowledge bring some common sense to the debate.

All we keep hearing is Kyle Gibson spreading FUD at Kiwicon, and more recently Fair Go about how insecure NFC is.

Having spent the last week in the US you realise how vastly superior our credit card processing systems are.



Awesome
4799 posts

Uber Geek
+1 received by user: 1060

Trusted
Subscriber

  Reply # 829062 31-May-2013 22:14

Arnifix:

Ajobbins: I would be exceedingly surprised if your cards were compromised as the result of a brute force (BIN) attack. It is very easy to detect these kinds of attacks and consequently, they are very rare (in over 4 years, I saw one or two and they were abject failures). It is more likely that it was compromised at a merchant that you had used and had subsequently been hacked.

 

Happy to try and answer any questions people may have.


Just going by what they told me on the phone when it happened. This was NBNZ. In one instance, I got a call from a rep and they said something like "Did you just make a $2000 purchase at a printing company in Istanbul?". Of course, I hadn't, so they said it's likely they had guessed the card details, and it wasn't that uncommon. Cancelled the card and sent me a replacement. I'd never used that card online, but if it was skimmed, it seems odd they tried to use it in Istanbul rather than somewhere closer to here.

I can't remember the details of the second time.




Twitter: ajobbins


537 posts

Ultimate Geek
+1 received by user: 80

Trusted

  Reply # 829078 31-May-2013 23:02

They didn't need to drill two holes, all they needed to do was break the connection between just one of the many loops of thin wire and it will stop working. E.g. Just one drill would have been way more than enough.

26647 posts

Uber Geek
+1 received by user: 6151

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 829104 1-Jun-2013 07:53
One person supports this post

trevor:
Up until NFC my credit card has always been two factor authentication, i.e. I need the card and the PIN (or the correct signature - but who does that anymore?)

With this new system it's gone down to one factor and this is therefore less secure than it used to be.

 


With the move to EMV (whether this be chip and PIN or NFC) your card is now more secure than it was before.

Your existing plastic card with your name, full card number and CVV code on it can be copied by anybody who sees this - if you hand it over at a café for them to swipe it in their terminal they've got full access to your card details and could make unauthorised purchases using this data. Despite having to enter the PIN or sign your security has been breached.

EMV (meaning chip and PIN and NFC) uses DDA (and sometimes CDA and SDA), which effectively creates unique transaction data for each transaction. You can't clone an EMV chip, but even if you read the NFC data (essentially just the layer 2 data from the mag stripe) and clone this to a new card, this can only be used for a single transaction, and because the person who captured the data wouldn't necessarily have the CVV code they're very limited as to what they could do with it.

I've noticed that many retailers here in the US now have to manually enter the CVV codes into their POS systems to authenticate a credit card transaction. I've noticed things have changed a lot in the past couple of years since I was last here, back then you didn't even need to sign for most low value transactions, you simply swiped the card.

Credit cards are all about risk, and if you fail to understand risk you're going to completely miss the point when it comes to card security. The EMV standard includes multiple methods of cardholder verification, of which one or a combination is used depending on the value and risk associated with the transaction or retailer.

Providing you didn't break your card terms and conditions you carry absolutely no risk of having to foot the bill for fraud.
