Speaking of "chip cards" I notice that my banks are stuffing my wallet with contact smart cards, but I haven't seen a single vendor in the U.S. that accepts those. Subway in my area, for instance, has terminals that accept ony contactless cards, and my local Target has gone so far to stuff up the slots for contact cards.
What will happen with people who travel from abroad in a few years?
Places like Latin America aren't even thinking about changing cards (heck, we're still adopting the old magnetic cards in most stores!).
What'll happen when I visit Canada with my card in one or two years? Will those still be accepted?
I've seen a bunch of terminals that have a place for a chipped card, but they don't work yet- I assume that a firmware update will enable them sometime soon.
Same here. I asked once and the checker said it was supposed to be activated later this year. I have made exactly one chip payment so far, at a Toyota dealership for service.
Later this year, there is going to be a concerted public education movement on the chip card. Once that happens, you'll see merchants actively push you towards using the chip vs the magstripe.
"The important fact to point out is that even knowing this password, sensitive payment information or PII (personally identifiable information) cannot be captured," Verifone said. "What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords."
I wonder what is available in the settings interface? For example, is there some gateway address that could be changed to a MITM transparent proxy? They act like this is no big deal, but 9/10 of these machines has the same password!
Yeah but if the password is for an account that doesn't have any access, who cares? I guess some kind of privilege escalation would be news, but that's a separate vulnerability.
Presumably (and I have worked on devices like these, but not for Verifone) there is some sort of encryption going on.
I.E. some protocols I've worked with have had all sensitive data protected by ANSI X9.24 Appendix 1 (I think...) derived keys, or keys derived by various other standard means, such that being able to read the data stream is pretty irrelevant.
> Presumably ... there is some sort of encryption going on.
Color me skeptical. I would presume similarly, but I also would have presumed that they did not have the same password, either. A failure of that scope seems like it could be indicative of a systemic disregard for security.
>> A failure of that scope seems like it could be indicative of a systemic disregard for security.
Well, all the security systems have to be audited and signed-off by third-party testing labs approved by the payment card industry body (PCI) so your cynicism should be unwarranted.
But then I've seen code that got through those labs that I would be thoroughly ashamed of, so who knows really...
Ingenico have a set-up password, too. Once you enter it you can change network settings which could be dangerous in the context of a poorly segmented network.
Given this I am wondering what kinds of settings are available in the Verifone secret menu. Is there anything like IP address, which could facilitate an MITM if an attacker walked up and changed it?
Yes. In large scale retailers, the payment terminals would either be connected via Ethernet to the private point of sale (POS) network in the store where they could only talk to the POS controllers, or they would be connected via USB or custom serial cables (IBM) to the POS register itself and all communications would run through the software on the POS terminal.
This password isn't the encryption key. Usually keys would be injected into the terminal either remotely through the POS terminal, POS controller or by shipping a special card w/a magstripe to the store where the manager or loss prevention person would swipe the card on each terminal that has the new key on it. PCI standards dictate that the retailer rotates the keys on a schedule with a documented procedure.
Changing the merchant ID probably would have little effect in most operations because the transactions aren't going directly to the MC/VISA/etc network, but are passing through a dedicated link to the merchant's acquiring bank. I've never tested this, but I would imagine that the acquiring bank would reject transactions that are for merchant IDs that do not belong to the customer that is leasing the connection. This situation actually happens quite often by merchants just mis-keying the merchant ID when setting up new stores.
Thanks for this insight. During a low point in my career I took on some contract work to deploy new POS at some QSR. I had to visit the secret menu on the Ingenico card terminals to verify network settings and in some cases (when whatever provisioning process did not work) manually set them. The terminals were to communicate with a local device in a 10.* IP scheme, and were supposed to get their own network settings via DHCP.
I've also had Walmart refund partial purchases without my payment card being present. This shows me that it's possible that Walmart stored the payment card information.
So there are a few things here I could maybe clarify, having worked in all sections of the chain from on-device security to issuing bank systems. (Remember I said maybe!)
You're right, not all POS talk directly to the bank. One of the products I worked on was a store-level switch, the POS would talk to that. However the store-level switch did not have the requisite keys to decrypt all of the data the POS would put out. In particular there are some pieces of data (PIN is one) that must, by card-scheme rules, be encrypted from the point of entry all the way to the bank. The keys used to achieve this are injected into the terminal during manufacture or during an update process that can only be activated using further keys held by the banks, not at the store level.
On your refund - Walmart may well be able to process a refund simply by specifying an amount and a transaction reference - they don't necessarily need to have had the card details to do that. Their bank can take that reference number and apply a refund against the transaction, looking up your account details in their database in order to inform your issuing bank about it. In some cases they may not even need to supply an account or card number to the issuing bank, just a transaction reference.
Saw this an' stars and stones, first thing that popped into my mind. Was Barnaby Jack that rascapllion. I figure he would've had something to say on the matter.
Interestingly, this last year, many businesses I frequent updated to new Verifone terminals. My credit card doesn't read on only that brand of terminal (works everywhere else i use it), unless I wrap it in a piece of receipt tape or plastic bag before sliding it thru, then it works after a try or two. Not sure why, but I haven't replaced the card yet simply because it is an interesting experiment.
Yes. We're just now transitioning to chips. My cards are gradually being replaced with chip cards, starting last year. In October of this year, new rules will come into effect that basically require all cards and terminals to use chips, by putting the liability for fraudulent magstrip transactions onto whatever party was responsible for not being able to use a chip. (In other words, merchants will foot the bill for fraud if they don't upgrade their terminals.)
We're taking our time, but we're finally moving there.
Edit: despite having chip cards, I've yet to be able to use the chip in the US. Many places now have chip-enabled terminals, but often not set up to use the chip part, and after a few failed attempts I just gave up on it.
This happened to me at Costco the other day. Chip capable terminal but it didn't do anything. The guy at the register had never seen anyone try to use it before. He didn't even know the new slot was there.
Good question. Looks like the answer is, yes, you will be liable just like anybody else, and just like other providers, Square will start providing chip readers. They have a page about it here:
I believe they've been using a modem sort of setup for a while, and this is probably the same sort of thing.
Their original reader was pretty much a magnetic reader head hooked straight to the microphone port, decoded by Square's software on the phone. You could record your card's stripe using a voice recorder program (I tried it for fun) and you'd get this fun squeaking noise from it.
Square's competitors eventually tried to discredit them by pointing out that this data was unencrypted, and that meant that Nefarious People could Steal your Precious Card Data using a Square reader. Square eventually responded by changing over to a reader that encrypted the magstripe data before communicating it to the phone, meaning there must be some sort of digital communication happening over the audio port.
OK, that's interesting, I had assumed that the older readers had simply transmitted the analogue signal generated by moving the mag strip through the reader, and was wondering if maybe the new one just attached to the mini-jack port and did its actual comms over bluetooth. But if they've already got a digital data transmission system in place then that's a whole different game.
here's Square's FAQ page for the liability shift. the short answer seems to be yes, starting in october if you're using square you're liable for any fraud.
No idea. There might be different rules for foreign cards. Otherwise, the card issuer which could have issued a chip card but didn't would be liable, as I understand it.
My understanding is that merchants are already liable in most cases. What happens in october is the possibility for the bank to be liable in case the merchant supports chip and pin but the bank does not.
I'll just add that starting in October, the merchants will be liable for magstripe transactions completed with counterfeit cards but not for those coming from other type of frauds (e.g lost/stolen cards) as long as the merchants have proper card acceptance procedures.
Yes, but we also don't have to pay for it when someone steals our card. (Well, not directly anyway.) Don't most countries with Chip & PIN place at least some liability for fraud on the consumer?
Legally (in countries I know about, Europe mostly), the liability is with the bank. They might ask if you gave your PIN to anyone else (you should not do this!) but there's no consumer liability.
The liability shift with Chip & PIN is from the bank to the merchant. If the merchant accepts an old-fashioned stripe transaction they accept the risk for themselves.
Until 2009 the liability with chip and pin was with the consumer to prove that they had not told anyone their PIN as there seemed to be a legal assumption that the system was secure, only recently has the bank been forced to prove that the customer has been negligent, after Cambridge security researchers proved that chip and pin systems have exploitable vulnerabilities.
I've been subject to fraud that could only have taken place because someone observed my PIN (or obtained it some other way). The actual fraud took place in another country where there is no EMV though.
I know the Cambridge research has turned up some interesting stuff - it's possible to use a man-in-the-middle between the card and the reader to convince the reader that a PIN has been entered and verified when no such thing has taken place - but I wasn't aware much of that had been seen in the wild.
--edit-- and it still involves a stolen card at that point doesn't it?
Someone could have man in the middled an online purchase and then used your card details that way. Buying online while using wifi or mobile can be hijacked with a fake router or base station.
>> Someone could have man in the middled an online purchase and then used your card details that way.
Not if they were using my PIN as that's never used online. Had to be a physical purchase to get that. As a workmate was subject to similar fraud at a similar time we figure it was probably a bar or restaurant we'd been to together, where our cards were skimmed and someone either watched or recorded us entering PIN details.
They shift the burden of proof to the consumer, but fraud is still covered in some cases. You're probably not covered if you give the pin to someone or if you transfer the money yourself. There are many cases of people losing tens of thousands of pounds this way.
>> There are many cases of people losing tens of thousands of pounds this way.
??
I frequently work in this area and have not heard these stories. Fraud is always covered on credit cards in the UK (for example), by law, and I'm pretty sure it is on debit as well.
I think it goes like this: If you gave someone your PIN you broke contract with the bank, but you also authorised the transaction. Similarly if you did the transaction you can't argue that you didn't authorise it - mistakes happen, but the bank isn't usually liable for your mistakes.
And how exactly do you PROVE you didn't give anyone your pin? If the only way they put the liability on you is if you admit you gave someone your pin, it seems stupid to even bother.
To me, knowing how things usually work in the US - they'll claim it's an on your honor system, and then suddenly it will be "well we think you gave someone your pin so we aren't covering the charges". Conveniently a lawsuit will be more expensive for you, the consumer, than just paying off the fraudulent charges.
But then my (chip) card was cloned to a mag-swipe card and someone attempted to use the clone in an ATM in Canada. I don't really know what happens if someone manages to get your original card and your PIN. AFAICT there's not a lot of fraud that happens this way.
I think the bank could argue you didn't take reasonable care if you spoke the PIN but if you typed it in ... technically you didn't give it to a person? Everything I've read says the bank have to prove you didn't take reasonable care; I suppose that a convincing enough fraud would mean you were safe from that accusation whilst just "give me your PIN and I'll go to your bank for you" wouldn't. Not sure if there's any caselaw to follow none of the newspaper reports on fraud convictions like this seems to mention it??
>And how exactly do you PROVE you didn't give anyone your pin? //
In the cases I've heard of it's something like a conman comes to the door, wants money "for a building job" or just "for charity", whatever. Says they'll get you the money from the bank, you give them the card and PIN, the bank then isn't obliged to cover the loss.
The measure in the Lending Code (a UK financial institution code of practice) is that provided you've taken "reasonable care" then they cover frauds; giving someone your PIN or writing it down with your card constitute not taking reasonable care.
And hopefully the chip effectively kills those... hopefully. I know a few flaws have been found.
The only time I've been subject to fraud in recent years, incidentally, was when my card was skimmed in London and then the clone used to attempt an ATM withdrawal in Canada. So clearly the skimmer had seen me enter a PIN, skimmed the magnetic stripe and then sold the details to someone who could use it in a country where those two things were enough.
Needless to say, I got the money back pretty quickly.
That's not giving it, it's having it taken. What constitutes giving your PIN is someone saying "give me your PIN" and you saying "it's XXXX"; similar provisions apply if you wrote the PIN on the card, or made the PIN available in an obvious place. Basically then you've subverted the potential protection of having a PIN.
I was thinking of the courier fraud but that seems to be covered. The other version of that where they make the victim make a BACS transfer doesn't seem to be covered in the same way.
I used to work at a retailer and I know the password myself.
This is a prime example of hyperbole. The password only allows you to change things like what is printed on the receipt (the banner), merchant ID and other such things. It basically allows you to enter into a menu to set a few settings. It's not as if you can get a dump of card swipes.
Just a few researchers spreading fear about what has been known for a long time.
I once heard a story about a store-clerk who, upon finding their POS setup was broken, went down the street and 'borrowed' a configuration file from another store in the area that they happened to know had the same software.
Blissful in their ignorance of what was going on they then happily continued accepting transactions for the rest of the day. Oops.
68 comments
[ 0.22 ms ] story [ 224 ms ] threadhttp://blogs.wsj.com/corporate-intelligence/2014/02/06/octob...
My understanding is that since there are countless local banks in the US, adoption of technology changes is difficult and slow.
Places like Latin America aren't even thinking about changing cards (heck, we're still adopting the old magnetic cards in most stores!). What'll happen when I visit Canada with my card in one or two years? Will those still be accepted?
I.E. some protocols I've worked with have had all sensitive data protected by ANSI X9.24 Appendix 1 (I think...) derived keys, or keys derived by various other standard means, such that being able to read the data stream is pretty irrelevant.
Well, all the security systems have to be audited and signed-off by third-party testing labs approved by the payment card industry body (PCI) so your cynicism should be unwarranted.
But then I've seen code that got through those labs that I would be thoroughly ashamed of, so who knows really...
Given this I am wondering what kinds of settings are available in the Verifone secret menu. Is there anything like IP address, which could facilitate an MITM if an attacker walked up and changed it?
This password isn't the encryption key. Usually keys would be injected into the terminal either remotely through the POS terminal, POS controller or by shipping a special card w/a magstripe to the store where the manager or loss prevention person would swipe the card on each terminal that has the new key on it. PCI standards dictate that the retailer rotates the keys on a schedule with a documented procedure.
Changing the merchant ID probably would have little effect in most operations because the transactions aren't going directly to the MC/VISA/etc network, but are passing through a dedicated link to the merchant's acquiring bank. I've never tested this, but I would imagine that the acquiring bank would reject transactions that are for merchant IDs that do not belong to the customer that is leasing the connection. This situation actually happens quite often by merchants just mis-keying the merchant ID when setting up new stores.
I've also had Walmart refund partial purchases without my payment card being present. This shows me that it's possible that Walmart stored the payment card information.
You're right, not all POS talk directly to the bank. One of the products I worked on was a store-level switch, the POS would talk to that. However the store-level switch did not have the requisite keys to decrypt all of the data the POS would put out. In particular there are some pieces of data (PIN is one) that must, by card-scheme rules, be encrypted from the point of entry all the way to the bank. The keys used to achieve this are injected into the terminal during manufacture or during an update process that can only be activated using further keys held by the banks, not at the store level.
On your refund - Walmart may well be able to process a refund simply by specifying an amount and a transaction reference - they don't necessarily need to have had the card details to do that. Their bank can take that reference number and apply a refund against the transaction, looking up your account details in their database in order to inform your issuing bank about it. In some cases they may not even need to supply an account or card number to the issuing bank, just a transaction reference.
The US are still using magnet stripes?
We're taking our time, but we're finally moving there.
Edit: despite having chip cards, I've yet to be able to use the chip in the US. Many places now have chip-enabled terminals, but often not set up to use the chip part, and after a few failed attempts I just gave up on it.
How does this affect Square and similar peripheral readers for mobile devices? Will users of those now be liable for fraud?
https://squareup.com/emv
Interestingly, it looks like this may be the end of the model where the reader is so cheap they can give it away for free, as they list it for $29.
Their original reader was pretty much a magnetic reader head hooked straight to the microphone port, decoded by Square's software on the phone. You could record your card's stripe using a voice recorder program (I tried it for fun) and you'd get this fun squeaking noise from it.
Square's competitors eventually tried to discredit them by pointing out that this data was unencrypted, and that meant that Nefarious People could Steal your Precious Card Data using a Square reader. Square eventually responded by changing over to a reader that encrypted the magstripe data before communicating it to the phone, meaning there must be some sort of digital communication happening over the audio port.
Thanks for the insight!
https://squareup.com/townsquare/emv/
What about tourists and alike?
Legally (in countries I know about, Europe mostly), the liability is with the bank. They might ask if you gave your PIN to anyone else (you should not do this!) but there's no consumer liability.
The liability shift with Chip & PIN is from the bank to the merchant. If the merchant accepts an old-fashioned stripe transaction they accept the risk for themselves.
http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signatur...
I've been subject to fraud that could only have taken place because someone observed my PIN (or obtained it some other way). The actual fraud took place in another country where there is no EMV though.
I know the Cambridge research has turned up some interesting stuff - it's possible to use a man-in-the-middle between the card and the reader to convince the reader that a PIN has been entered and verified when no such thing has taken place - but I wasn't aware much of that had been seen in the wild.
--edit-- and it still involves a stolen card at that point doesn't it?
Not if they were using my PIN as that's never used online. Had to be a physical purchase to get that. As a workmate was subject to similar fraud at a similar time we figure it was probably a bar or restaurant we'd been to together, where our cards were skimmed and someone either watched or recorded us entering PIN details.
??
I frequently work in this area and have not heard these stories. Fraud is always covered on credit cards in the UK (for example), by law, and I'm pretty sure it is on debit as well.
To me, knowing how things usually work in the US - they'll claim it's an on your honor system, and then suddenly it will be "well we think you gave someone your pin so we aren't covering the charges". Conveniently a lawsuit will be more expensive for you, the consumer, than just paying off the fraudulent charges.
But then my (chip) card was cloned to a mag-swipe card and someone attempted to use the clone in an ATM in Canada. I don't really know what happens if someone manages to get your original card and your PIN. AFAICT there's not a lot of fraud that happens this way.
In the cases I've heard of it's something like a conman comes to the door, wants money "for a building job" or just "for charity", whatever. Says they'll get you the money from the bank, you give them the card and PIN, the bank then isn't obliged to cover the loss.
The measure in the Lending Code (a UK financial institution code of practice) is that provided you've taken "reasonable care" then they cover frauds; giving someone your PIN or writing it down with your card constitute not taking reasonable care.
That seems quite fair to me.
http://www.choose.net/money/guide/faqs/credit-card-fraud-vic... gives good detail. The Lending Code website doesn't but the full code is at http://www.theukcardsassociation.org.uk/individual/lending-c... with additional info, again the UKCA is an association of credit/debit card issuers in the UK.
See http://krebsonsecurity.com/all-about-skimmers/ for more on how that happens.
The only time I've been subject to fraud in recent years, incidentally, was when my card was skimmed in London and then the clone used to attempt an ATM withdrawal in Canada. So clearly the skimmer had seen me enter a PIN, skimmed the magnetic stripe and then sold the details to someone who could use it in a country where those two things were enough.
Needless to say, I got the money back pretty quickly.
That's not giving it, it's having it taken. What constitutes giving your PIN is someone saying "give me your PIN" and you saying "it's XXXX"; similar provisions apply if you wrote the PIN on the card, or made the PIN available in an obvious place. Basically then you've subverted the potential protection of having a PIN.
In the UK being caught by a skimmer does _NOT_ mean you didn't take reasonable care, your maximum liability by law is £50. See eg http://news.bbc.co.uk/1/hi/business/3256799.stm.
I was thinking of the courier fraud but that seems to be covered. The other version of that where they make the victim make a BACS transfer doesn't seem to be covered in the same way.
This is a prime example of hyperbole. The password only allows you to change things like what is printed on the receipt (the banner), merchant ID and other such things. It basically allows you to enter into a menu to set a few settings. It's not as if you can get a dump of card swipes.
Just a few researchers spreading fear about what has been known for a long time.
Blissful in their ignorance of what was going on they then happily continued accepting transactions for the rest of the day. Oops.