22336 posts

Uber Geek

Trusted
Subscriber

  # 991332 20-Feb-2014 19:23

Well it makes sense that they would render the card socket broken so they could get the card swiped thru the machine.




Richard rich.ms

3095 posts

Uber Geek

Trusted
Subscriber

  # 991379 20-Feb-2014 20:24

andrewNZ:
richms: I've had my chip card not work in a few dodgy places recently and the machine request a swipe. Always seemed dodgy. One was maccas at Wairau in the drive thru. Another was bok mart in Mt Eden and another was the Kwik e mart at Auckland hospital.

Since my debit card's magnetic stripe is unreadable I ended up paying with money rather than using my barely working old yellow swipe only eftpos card.

My understanding of this is that the machines can actually go offline and still take payments, but can't use the chips to do it. Once it goes online again, it processes the transactions. I believe there's an agreement that the banks will honour transactions up to a certain value regardless.


Yup, EOV.  And if all else fails, then the merchant can record the details on (!!!) paper and submit paper vouchers to their provider as well.

 
 
 
 


2122 posts

Uber Geek


  # 991742 21-Feb-2014 11:56

Kyanar:
andrewNZ:
richms: I've had my chip card not work in a few dodgy places recently and the machine request a swipe. Always seemed dodgy. One was maccas at Wairau in the drive thru. Another was bok mart in Mt Eden and another was the Kwik e mart at Auckland hospital.

Since my debit card's magnetic stripe is unreadable I ended up paying with money rather than using my barely working old yellow swipe only eftpos card.

My understanding of this is that the machines can actually go offline and still take payments, but can't use the chips to do it. Once it goes online again, it processes the transactions. I believe there's an agreement that the banks will honour transactions up to a certain value regardless.


Yup, EOV.  And if all else fails, then the merchant can record the details on (!!!) paper and submit paper vouchers to their provider as well.

I've had to participate in this about 15 years ago. 
We went to the supermarket and EFTPOS went down as we got to the checkout. The girl had never done it before and, long story short, she screwed it up (I even pointed it out) and we never got charged.

We were pretty poor, and $130 worth of free groceries was awesome.




Location: Dunedin

 


28114 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 991983 21-Feb-2014 20:35

Word on the street is a massive compromise involving all banks. It'll be very interesting to see where this goes in two to three weeks' time when somebody in the media finally picks up on it...



44 posts

Geek


  # 991984 21-Feb-2014 20:38

I got hit with this two days ago... unfortunately my visa debit card was still without a chip.

Strangest thing was that the Kiwibank anti-fraud system didn't do anything to block it. I have no idea at what point the card was skimmed (I don't use ATMs so it had to be EFTPOS). But the account was completely emptied in $99 amounts from an ATM in India...

 

Having used my card in the morning (EFTPOS machine), surely the Kiwibank anti-fraud system should have known it would be impossible for me to then withdraw cash from a country further away than the time that passed!? It would make sense that it was a little relaxed with all my online orders from around the world. But surely it should have seen the fact it was an ATM!? Especially since I was charged the currency conversion and international ATM charges, haha.

On top of that, I was told that I now had to wait for the investigation to be complete before the funds could possibly be returned.
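
The check the poster above expected from the bank is usually called an impossible-travel (velocity) rule. A sketch of one follows, as an added example that is not part of the original post and not any bank's actual logic; the speed ceiling, the coordinates and the sample transactions are constructed assumptions. Online orders are skipped because they carry no physical card location, which is the distinction the poster draws.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 1000.0                  # assumed ceiling: roughly airliner cruise speed
CARD_PRESENT = {"EFTPOS", "ATM"}  # channels where the physical card must be there

@dataclass
class Txn:
    when: datetime
    channel: str
    lat: float
    lon: float
    label: str

def km_between(a, b):
    """Great-circle (haversine) distance in km between two transactions."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(txns, max_kmh=MAX_KMH):
    """Labels of card-present txns unreachable from the last trusted one."""
    flagged, last = [], None
    for t in sorted(txns, key=lambda t: t.when):
        if t.channel not in CARD_PRESENT:
            continue  # online orders from anywhere in the world are not evidence
        if last is not None:
            hours = (t.when - last.when).total_seconds() / 3600
            if km_between(last, t) > max_kmh * hours:
                flagged.append(t.label)
                continue  # keep the last trusted location as the anchor
        last = t
    return flagged

# Constructed sample: morning EFTPOS use in Auckland, ATM withdrawals in India
# two and a half hours later, then normal use at home again.
SAMPLE = [
    Txn(datetime(2014, 2, 19, 8, 30), "EFTPOS", -36.85, 174.76, "cafe-akl"),
    Txn(datetime(2014, 2, 19, 9, 0), "ONLINE", 37.77, -122.42, "web-order"),
    Txn(datetime(2014, 2, 19, 11, 0), "ATM", 19.08, 72.88, "atm-1"),
    Txn(datetime(2014, 2, 19, 11, 2), "ATM", 19.08, 72.88, "atm-2"),
    Txn(datetime(2014, 2, 19, 17, 45), "EFTPOS", -36.85, 174.76, "supermarket-akl"),
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE))
```
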

8462 posts

Uber Geek


  # 991985 21-Feb-2014 20:41

There's something that I don't get about the original post.
Presumably, the skimmer sets up a hardware stripe-reading skimmer and camera (to capture PIN), or a malware-infected POS terminal. They need access to the POS site (I hope - as if they can do it remotely - then we're in serious trouble)
The banks clearly have systems in place - to intercept unusual transactions and block the card - such as happened. In that case - it wouldn't be hard to identify, and the bank is liable for losses over $50 (in NZ?), so surely they'd err on the side of safety - to protect their own interests.
The skimmers can't be complete fools - they have to plan and set it up. So why would they use skimmed card data for transactions bound to fail? Avoiding detection for as long as possible would be in their interests - so wouldn't discreet use, overnight, to withdraw cash from EFTPOS bank terminals close to the geographic location where the cards were skimmed be the way to go?

This thread kind of bothers me. I'm determined now not to use my EFTPOS-only swipe cards, but chipped credit cards with PIN only, plug-in rather than swipe, and hyper-vigilant about protecting my PIN. But in the case of a malware-infected terminal, can they extract enough data to produce a fake EFTPOS swipe card to access other accounts linked to on the chipped card?



2958 posts

Uber Geek


  # 991995 21-Feb-2014 20:51

Fred99: There's something that I don't get about the original post.
Presumably, the skimmer sets up a hardware stripe-reading skimmer and camera (to capture PIN), or a malware-infected POS terminal. They need access to the POS site (I hope - as if they can do it remotely - then we're in serious trouble)
The banks clearly have systems in place - to intercept unusual transactions and block the card - such as happened. In that case - it wouldn't be hard to identify, and the bank is liable for losses over $50 (in NZ?), so surely they'd err on the side of safety - to protect their own interests.
The skimmers can't be complete fools - they have to plan and set it up. So why would they use skimmed card data for transactions bound to fail? Avoiding detection for as long as possible would be in their interests - so wouldn't discreet use, overnight, to withdraw cash from EFTPOS bank terminals close to the geographic location where the cards were skimmed be the way to go?

This thread kind of bothers me. I'm determined now not to use my EFTPOS-only swipe cards, but chipped credit cards with PIN only, plug-in rather than swipe, and hyper-vigilant about protecting my PIN. But in the case of a malware-infected terminal, can they extract enough data to produce a fake EFTPOS swipe card to access other accounts linked to on the chipped card?


Well I got a call from the ASB fraud team this morning, and asked them just that. I asked if I used a Visa Debit or MasterCard with dual-access, would it be safe from these attacks? She said no, as they can still read the data from the chip, and use the card in the US instead, where chip and PIN cards are nearly unheard of. They would simply clone it onto a blank, chipless EFTPOS, Credit or Debit card.

It seems believable too, the people that do those sorts of things are one step ahead all the time. Chip cards would be safer though, much safer than a normal EFTPOS. But it still isn't foolproof.

edit: Also, I would assume the scammers would have multiple fake cards to try at once. One is bound to work eventually, as the bank won't pick up 100% of those cases, as evidenced by a previous poster about his account being drained in India.




Bachelor of Computing Systems (2015)

 

--

 

Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland 


 
 
 
 


28114 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 991996 21-Feb-2014 20:54

Fred99: There's something that I don't get about the original post.
Presumably, the skimmer sets up a hardware stripe-reading skimmer and camera (to capture PIN), or a malware-infected POS terminal. They need access to the POS site (I hope - as if they can do it remotely - then we're in serious trouble)


99% of attacks are not infected POS terminals, they're compromised EFTPOS terminals. McDonald's in AU were compromised massively a couple of years ago, and Burger Fuel in Queen St had their EFTPOS terminal compromised in what was one of the first such cases in NZ.


8462 posts

Uber Geek


  # 992002 21-Feb-2014 21:01

tardtasticx:
edit: Also, I would assume the scammers would have multiple fake cards to try at once. One is bound to work eventually, as the bank won't pick up 100% of those cases, as evidenced by a previous poster about his account being drained in India.


Yes but unless the scale/number of compromised terminals is huge, then multiple rejections from cards will be able to be data matched back to one terminal, and the banks could close down every card which has used that terminal quickly.  It might inconvenience many customers - but banks would far rather inconvenience customers than lose money.

Edit : afterthought on that.  If they set it up well, skim thousands and thousands of cards at high transaction number popular sites, sit on the data and wait before launching a large attack, even if the success rate per skimmed card isn't high, data matching by the banks to identify compromised terminals would be very hard.

So if what's reported by people above is true, then that leads me to believe that the suggestion that there is a major breach going on right now (involving so many compromised terminals that data matching would be difficult) may be true.
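
The data matching described in the post above is commonly called common-point-of-purchase analysis. A sketch follows, as an added example that is not part of the original post and not any bank's actual system; the terminal names, card ids and thresholds are constructed assumptions. It ranks terminals by how over-represented fraud-affected cards are among their users, so a busy site that nearly every card visits does not drown out the small compromised one.

```python
from collections import defaultdict

def common_points(card_history, fraud_cards, min_fraud_cards=3, min_lift=5.0):
    """Rank terminals by over-representation of fraud cards among their users.

    card_history: {card_id: set of terminal ids used in the lookback window}
    fraud_cards:  set of card ids with rejected or confirmed fraudulent use
    Returns [(terminal, fraud_cards_seen, total_cards_seen, lift)], best first.
    """
    users = defaultdict(set)
    for card, terminals in card_history.items():
        for term in terminals:
            users[term].add(card)
    base_rate = sum(1 for c in fraud_cards if c in card_history) / len(card_history)
    if base_rate == 0:
        return []  # no fraud in this population, nothing to match
    suspects = []
    for term, cards in users.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:
            continue  # too few cases to call it a pattern
        lift = (len(hit) / len(cards)) / base_rate
        if lift >= min_lift:
            suspects.append((term, len(hit), len(cards), round(lift, 1)))
    return sorted(suspects, key=lambda s: -s[3])

def exposed_cards(card_history, terminal):
    """Every card that used the suspect terminal: the set a bank would reissue."""
    return sorted(c for c, terms in card_history.items() if terminal in terms)

# Constructed sample: 200 cards all use a busy supermarket terminal, 20 of them
# also used a small shop whose terminal was skimming, 40 others bought petrol.
HISTORY = {f"card{i:03d}": {"T-SUPERMARKET"} for i in range(200)}
for i in range(20):
    HISTORY[f"card{i:03d}"].add("T-SMALLSHOP")
for i in range(20, 60):
    HISTORY[f"card{i:03d}"].add("T-PETROL")
# Eight skimmed cards have shown fraud so far, plus one unrelated case.
FRAUD = {f"card{i:03d}" for i in range(8)} | {"card150"}

if __name__ == "__main__":
    print(common_points(HISTORY, FRAUD))
```

The supermarket terminal has seen all nine fraud cards but scores a lift of 1.0, which is the dilution the post's afterthought describes: the more terminals and the longer the delay before the cards are used, the closer every terminal's lift drifts to the base rate.
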

4431 posts

Uber Geek
Inactive user


  # 992008 21-Feb-2014 21:13

sbiddle: Word on the street is a massive compromise involving all banks. It'll be very interesting to see where this goes in two to three weeks' time when somebody in the media finally picks up on it...




Funny you mention that... @ANZ_AU tweeted today all ATMs will be offline next Tuesday between midnight and 6am....

2649 posts

Uber Geek

Trusted

  # 992077 21-Feb-2014 22:39

So if your card does get skimmed and money was taken out, then I'm sure the bank will reimburse you.. right?




131 posts

Master Geek


  # 992147 22-Feb-2014 06:24

http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11207499
 
This Geekzone thread has been picked up by the Herald, not that they mention Geekzone.

456 posts

Ultimate Geek


  # 992156 22-Feb-2014 07:28

Is it safe to say that cards with "insert chips" in them, are safe from this skimming activity?

Or do I just have a false sense of security?

If anyone knows for sure, that'd be great :)

-A.

2649 posts

Uber Geek

Trusted

  # 992162 22-Feb-2014 08:12
28114 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 992163 22-Feb-2014 08:21

AidanS: Is it safe to say that cards with "insert chips" in them, are safe from this skimming activity?

Or do I just have a false sense of security?

If anyone knows for sure, that'd be great :)

-A.


Yes and No.

ATMs don't read the chip, they still use a MSR. Skimming devices fitted to an ATM are also designed to read the mag stripe as the card is inserted, so if the card has a mag stripe on it, it can be skimmed still.

EFTPOS terminals are another story entirely. EMV has been partially cracked due to a flaw in the encryption protocol, meaning a compromised EFTPOS terminal (i.e. typically one that has been replaced by a compromised terminal running the hx8ors firmware) could theoretically be capable of logging the card data and PIN but there are a lot of buts and assumptions and very little evidence to suggest such hacks have occurred in the wild yet.

There are also many things banks do which can further limit cloning. I believe all banks in NZ are using DDA, and BNZ's liquid encryption which will update the key on your card every time you use it in a BNZ ATM is a very cool solution.


