Slashdot Mirror


Wireless Registers May Expose Your Credit Card

flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."

7 of 229 comments

  1. Sucks by loply · · Score: 2, Interesting

    Why didn't they just encrypt it, the whole network/transmission that is? That would be an obvious thing to do if I were programming anything of this nature. Heck, I went to the bother of XOR'ing the TCP stream on my high school computing project, surely the nitwit who wrote/engineered this system should have taken the time to add security to it?

  2. How i gave away my credit card details. by oliverthered · · Score: 2, Interesting

    I had a call the other day, from someone at the BBC T.V. licensing department; or so I thought. (The BBC is a non-optout subscription service)

    The caller said that I hadn't paid my licence for the year, and asked if I would like to.

    Being a bit crap with bill payments I found this quite handy, I searched around for my credit card, but couldn't find it, so,

    I told the caller that, "I couldn't find my card and would I be able to pay over the phone tomorrow". She said that, "they were open tomorrow", but expressed great concern, because they were, "checking licences in the area", so I had another look for my credit card and found it, gave the caller my details.

    A few days later the T.V. licence arrived,
    I have cancelled my credit card because I couldn't be sure if the caller really was from the BBC, if so they've started demanding money with menaces.

    --
    thank God the internet isn't a human right.
  3. More validation is needed by min0r_threat · · Score: 4, Interesting

    Credit card transactions such as this validate the credit card number against an algorithm, and ensure that number matches the bank who issued the card and the type of card (VISA, Mastercard et al.)

    Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

    The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a fingerprint into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the transaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.

    So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.

    In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.

    And as for using encryption - surely that is just common sense?!

    --
    ~~~~~~~~~ "I must create my own system, or be enslav'd by another man's." William Blake, Jerusalem.
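
The kind of validation the comment above describes (a check-digit algorithm plus an issuer-prefix lookup), as an added example that is not part of the original thread. The prefix table covers three brands only, the function names are made up for this sketch, and the sample numbers are the publicly documented test numbers, not real cards.

```python
import re

# Issuer prefix (IIN) rules and valid lengths for three brands (subset, for illustration).
BRANDS = [
    ("Visa", lambda p: p.startswith("4"), {13, 16, 19}),
    ("Mastercard",
     lambda p: 51 <= int(p[:2]) <= 55 or 2221 <= int(p[:4]) <= 2720, {16}),
    ("American Express", lambda p: p[:2] in ("34", "37"), {15}),
]


def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate(raw: str) -> dict:
    """Return what a terminal can learn from the number alone."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"[0-9]{12,19}", pan):
        return {"well_formed": False, "brand": None, "luhn": False}
    brand = next((name for name, match, lengths in BRANDS
                  if match(pan) and len(pan) in lengths), None)
    return {"well_formed": True, "brand": brand, "luhn": luhn_ok(pan)}


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "5555-5555-5555-4444",
                   "378282246310005", "4111111111111112"):
        print(sample, validate(sample))
```

Every field in the result is derived from the digits themselves, so a number passes identically whoever presents it; nothing here speaks to who is holding the card.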
    1. Re:More validation is needed by GLX · · Score: 2, Interesting

      No way... What happens when I change my PIN? (something trivial to do with most banks...) They surely don't send me out a new card.

      As well, a lot of credit card companies allow you to pick your PIN long after you've received the card...

      --
      Sig (appended to the end of comments you post, 120 chars)
    2. Re:More validation is needed by ddstreet · · Score: 3, Interesting

      the PIN is stored on the card itself

      Nope.

      You want to know what is stored on your card? Not much. US cards (foreign - e.g. Japanese - are different) contain 3 tracks (ISO tracks) which contain up to 98 bytes (track 1) + 46 bytes (track 2) + 139 bytes (track 3). Total up to 283 bytes. So that ain't a lot of info.

      Oh, what exactly is stored on the card? Well take a look at this doc in the MSR (Magnetic Stripe Reader) section. Thar ya go.

  4. Other Fraud mechanism. by EasyTarget · · Score: 4, Interesting

    If the transactions are in plain-text, is there any checksumming etc. that takes place?

    It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.

    Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.

    All of this is assuming that the systems do not use basic checksumming double-verification etc. but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data being injected into the network?

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
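
What the checksumming question in the comment above comes down to, as an added example that is not part of the original thread: an unkeyed checksum can be recomputed by anyone who changes a record, while a keyed MAC cannot. The record layout, field names and key below are constructed for the illustration and do not describe any real register protocol.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample key, assumed to be provisioned to register and back office out of band.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def encode(record: dict) -> bytes:
    """Canonical byte form so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_crc(record: dict):
    body = encode(record)
    return body, zlib.crc32(body)


def check_crc(body: bytes, crc: int) -> bool:
    return zlib.crc32(body) == crc


def seal_mac(record: dict, key: bytes = KEY):
    body = encode(record)
    return body, hmac.new(key, body, hashlib.sha256).digest()


def check_mac(body: bytes, tag: bytes, key: bytes = KEY) -> bool:
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo():
    # Constructed refund record using a public test card number.
    refund = {"type": "refund", "register": 7, "seq": 1042,
              "amount_cents": 4999, "card": "4111111111111111"}
    altered = dict(refund, card="5555555555554444")  # changed in transit

    # CRC needs no secret, so the altered record arrives with a matching checksum.
    alt_body, alt_crc = seal_crc(altered)
    crc_accepts_altered = check_crc(alt_body, alt_crc)

    # The MAC tag was computed with KEY over the original bytes only.
    body, tag = seal_mac(refund)
    mac_accepts_original = check_mac(body, tag)
    mac_accepts_altered = check_mac(encode(altered), tag)
    return crc_accepts_altered, mac_accepts_original, mac_accepts_altered


if __name__ == "__main__":
    print(demo())
```

A MAC gives integrity only: the card number is still readable on the air without encryption, and the receiver has to track `seq` to reject a replayed record that carries a valid tag.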
  5. Re:Original source by valdezjuan · · Score: 2, Interesting

    Securityfocus's mailing list Vuln-Dev is where the original post came through. There has been an interesting thread on the subject since the posting. You may want to check it out:

    http://online.securityfocus.com/archive/82/270364/2002-04-29/2002-05-05/1

    You can follow the thread by clicking the next article in thread link on the right.