Wireless Registers May Expose Your Credit Card

flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."

More validation is needed

[min0r_threat]

Credit card transactions such as this validate the credit card number against an algorithm, and ensure that number matches the bank who issued the card and the type of card (VISA, Mastercard et. al.)

Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a finger print into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the treansaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.

So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.

In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.

And as for using encryption - surely that is just common sense?!

Re:More validation is needed

[ddstreet]

the PIN is stored on the card itself

Nope.

You want to know what is stored on your card? Not much. US cards (foreign - e.g. Japanese - are different) contain 3 tracks (ISO tracks) which contain up to 98 bytes (track 1) + 46 bytes (track 2) + 139 bytes (track 3). Total up to 283 bytes. So that ain't a lot of info.

Oh, what exactly is stored on the card? Well take a look at this doc in the MSR (Magnetic Stripe Reader) section. Thar ya go.

Other Fraud mechanism.

[EasyTarget]

If the transactions are in plain-text, is there any checksumming etc.. that takes place.

It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.

Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.

All of this is assuming that the systems do not use basic checksumming double-verification etc.. but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data beiong injected into the network.