News:

And we're back!

Main Menu

Credit card scam

Started by Monoriu, March 29, 2009, 09:10:06 PM

Previous topic - Next topic

DontSayBanana

Quote from: Admiral Yi on March 30, 2009, 12:56:20 PM
What does the chip do?
The chip lets low-frequency receivers pick up the card without being swiped, so it becomes a proximity card as well as a swipe card. It also contains information that wouldn't fit in the magnetic stripe within the ISO 7810 standard.
Experience bij!

Admiral Yi

Quote from: derspiess on March 30, 2009, 12:57:28 PM
All debit cards have PINs-- the banks prefer you to not to use it, though, if it's a Visa or MasterCard branded card.
I thought banks preferred you use the PIN because they get the intercharge on the debit transaction.  No?

Grey Fox

Quote from: Admiral Yi on March 30, 2009, 12:56:20 PM
What does the chip do?

Other then what dps already said, they are also more difficult(read : takes more then 10seconds) to clone then the magnetic bar.
Colonel Caliga is Awesome.

DontSayBanana

Incidentally, my problem with card security is that it's grossly easy to reverse engineer a card. No matter how many verification questions they ask you, it boils down to your name, your account number, your social security number, and your pin number. Since the information is publicly mapped out by ISO 7810 and its subsets, anyone who can dig up any two of those pieces of information could theoretically reverse engineer the entire card.
Experience bij!

dps

Quote from: Admiral Yi on March 30, 2009, 01:09:56 PM
Quote from: derspiess on March 30, 2009, 12:57:28 PM
All debit cards have PINs-- the banks prefer you to not to use it, though, if it's a Visa or MasterCard branded card.
I thought banks preferred you use the PIN because they get the intercharge on the debit transaction.  No?

Beats me, but I know that when I got my debit card, in the literature that came with it, the bank recommended using as if it were a credit card and not using the PIN whenever possible, because the less you use the PIN, the fewer opportunities for someone to steal it.

DontSayBanana

Quote from: Grey Fox on March 30, 2009, 01:11:20 PM
Other then what dps already said, they are also more difficult(read : takes more then 10seconds) to clone then the magnetic bar.
True, but cloning the magnetic bar usually just involves a spoofed reader. You could do the same thing with the RF transmitter.
Experience bij!

derspiess

Quote from: Admiral Yi on March 30, 2009, 01:09:56 PM
I thought banks preferred you use the PIN because they get the intercharge on the debit transaction.  No?

They make a lot more interchange off the signature ("credit") option than PIN ("debit").  Some banks reward you for using the signature option, some penalize you for using your PIN, and some do both.

Likewise, merchants like to make it as difficult as possible to select "credit" at the terminal, because they pay less interchange to the banks by pushing the transaction through a PIN network, rather than Visa or Mastercard.
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

DontSayBanana

Quote from: derspiess on March 30, 2009, 01:35:45 PM
They make a lot more interchange off the signature ("credit") option than PIN ("debit").  Some banks reward you for using the signature option, some penalize you for using your PIN, and some do both.

Likewise, merchants like to make it as difficult as possible to select "credit" at the terminal, because they pay less interchange to the banks by pushing the transaction through a PIN network, rather than Visa or Mastercard.
Yeah. Case in point, TD Bank was recently raffling $1,000 per week to debit and credit card holders for each instance where they signed for a purchase last month. Anyway, from a security standpoint, it's best to leave as little info interceptable as possible, so PIN-less might be more secure. That could be debatable, though, since a lot of credit transactions still require you to put in the card identification number.
Experience bij!

derspiess

Quote from: DontSayBanana on March 30, 2009, 01:13:56 PM
Incidentally, my problem with card security is that it's grossly easy to reverse engineer a card. No matter how many verification questions they ask you, it boils down to your name, your account number, your social security number, and your pin number. Since the information is publicly mapped out by ISO 7810 and its subsets, anyone who can dig up any two of those pieces of information could theoretically reverse engineer the entire card.

I'm not sure that happens too often, though.  The most favored means of cloning cards is either 'skimming' the mag stripe with a simple card reader (this can either be done manually by a dishonest cashier or automatically with an additional card reader attached over top of the ATM or POS device card reader).  Once they have the mag stripe info, all they have to do is write that on to a blank card & bam, they can go around & use the card at will.

Another way, and one we saw late last year, is to hack into a processor's database to get card info.  There was a huge breach around September/October last year where a major merchant card processor got hacked, and apparently a few hundred thousand or so cards got compromised.  The hackers apparently sold the card info to individuals who took pre-paid cards and re-encoded the mag stripe with the stolen card info. 
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

DontSayBanana

Quote from: derspiess on March 30, 2009, 01:47:05 PMI'm not sure that happens too often, though.  The most favored means of cloning cards is either 'skimming' the mag stripe with a simple card reader (this can either be done manually by a dishonest cashier or automatically with an additional card reader attached over top of the ATM or POS device card reader).  Once they have the mag stripe info, all they have to do is write that on to a blank card & bam, they can go around & use the card at will.

Another way, and one we saw late last year, is to hack into a processor's database to get card info.  There was a huge breach around September/October last year where a major merchant card processor got hacked, and apparently a few hundred thousand or so cards got compromised.  The hackers apparently sold the card info to individuals who took pre-paid cards and re-encoded the mag stripe with the stolen card info. 
Trust me, it happens more than you think. I'm sick of it because of the volume of it that came through my way. It's more popular with overseas identity theft because social engineering is so much cheaper and simpler than a technical probe.

I guess I'm not being clear about my problem with card security. There's not enough security in the physical makeup of the card itself. The card can be totally emulated through information, and it's information that can be propagated, there's almost no unique physical characteristics of the card that could slow the propagation of false card information, e.g. all of the information printed on the card is maintained in the swipe strip or the RF chip. There should be some info that bypasses the vendor for verification with the card provider.
Experience bij!

derspiess

Quote from: DontSayBanana on March 30, 2009, 02:08:40 PM
There should be some info that bypasses the vendor for verification with the card provider.

I agree, but any major upgrade like that will probably be pretty costly, and issuing banks probably wouldn't want to bear the cost unless we continue to have major breaches like last year's.
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

garbon

I use my debit like a credit at places where I know they won't make me sign.  Otherwise, put in my pin is less hassle than signing electronically (:x).
"I've never been quite sure what the point of a eunuch is, if truth be told. It seems to me they're only men with the useful bits cut off."
I drank because I wanted to drown my sorrows, but now the damned things have learned to swim.

dps

Quote from: derspiess on March 30, 2009, 01:35:45 PM
Quote from: Admiral Yi on March 30, 2009, 01:09:56 PM
I thought banks preferred you use the PIN because they get the intercharge on the debit transaction.  No?

They make a lot more interchange off the signature ("credit") option than PIN ("debit").  Some banks reward you for using the signature option, some penalize you for using your PIN, and some do both.

Likewise, merchants like to make it as difficult as possible to select "credit" at the terminal, because they pay less interchange to the banks by pushing the transaction through a PIN network, rather than Visa or Mastercard.

My bank doesn't charge or reward me either way.

Since I'm not in management anymore, I no longer care about transaction costs to my employer, so I perfer that people use their cards as credit cards, because that means that I don't have to wait for some idiot to try and figure out what their PIN is.  And when I'm a customer, I sure don't want the person ahead of me using their debit card--some of them are worse than waiting for an old woman to fill out a check.

derspiess

Quote from: garbon on March 30, 2009, 02:46:52 PM
I use my debit like a credit at places where I know they won't make me sign.  Otherwise, put in my pin is less hassle than signing electronically (:x).

For me, it's signature all the way.  I pay as many bills as I can using that method.  Key Bank gives me 1 mile for every $2 I spend. 
"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

viper37

Quote from: Monoriu on March 30, 2009, 01:29:31 AM
Quote from: Syt on March 30, 2009, 01:10:24 AM
Is it considered impolite or do you lose face if you look at what bills you sign in China? :huh:

No.  Ok, consider the paper used for credit card receipts.  If the waiter places your bill on top, and someone else's bill directly underneath it.  You check the bill on top, then sign the slip.  Your one signature will appear on two sets of receipts.
at nearly every restaurant I go to, the bills are in separate pieces of paper, so you actually only sign one.
It seems China is a bit late with technology... are you still using the hand machine to get a print of the card??
I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.