Wireless Registers May Expose Your Credit Card

flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."

Sucks

[loply]

Why didnt they just encrypt it, the whole network/transmission that is? That would be an obvious thing to do if I were programming anything of this nature. Heck, I went to the bother of XOR`ing the TCP stream on my high school computing project, surely the nitwit who wrote/engineered this system should have taken the time to add security to it?

Re:Sucks

[Namoric]

You are asking people to THINK. It just won't happen.

Hang on...

[enneff]

What the fuck?

This is obvious gross negligence on behalf of the point-of-sale software/hardware vendor. How could any remotely security-conscious developer send credit card details in plain text, even over a wired network?

Absolute insanity. I am in awe.

Re:Hang on...

[erasmus_]

Absolutely. The manufacturer states in the article that their equipment includes security, but whether the stores use it is up to them. Well, that sounds a lot like Microsoft's IIS - oh, it can be secure, they say, you just have to know how to do it.

Wrong, wrong, what a wrong approach. This company should've turned encryption on by default. Then, if the stores choose to turn it off for some crazy reason, that's up to them. Meanwhile, if my cc number was to be stolen using this method, I think I could easily hold the manufacturer and the installer of these wireless registers responsible as well as the store.

Re:Hang on...

[ShavenYak]

Meanwhile, if my cc number was to be stolen using this method, I think I could easily hold the manufacturer and the installer of these wireless registers responsible as well as the store.

Of course, you only stand to lose probably $50 to fraudulent charges depending on your card agreement, and the card company would probably even waive that. When the card companies start losing substantial money, they'll be suing the wireless register manufacturers and installers for big bucks.

Credit cards *are* insecure

[burts_here]

the whole concept of having a card with a number on which you can tell people down the phone, send down the internet, give to people in shops/restauratns is very very insecure, I've ordered stuff on my mums card before, do they care that i'm not my mum, do they shit. If people have to resort to wireless scanners to get card numbers they are throwing way to much money at the exercies, you can get card details much esier from bins, old till rolls etc...
i have developed a foolproof method of fooling them though, dont have a credit card, ok so they wont actully give me one yet but hey...

Re:encryption

[GrenDel+Fuego]

Yeah, wireless encryption sucks....

However, you can add encryption to the tcp/ip running over the wireless. With something like Cash Registers, you can be sure that they're all running the exact same software.

Enabling IPSec, or something similiar shouldn't be too difficult. it's not like you need to make sure it's compatable with all the different OSes.

Irresponsible?

[FyRE666]

Why on Earth would a store be "beaming credit card numbers about" with no though to security? Seems they've opened themselves to a wave of court cases and possible fraud. Then again, every time you give your card to a waiter or till operator there's a chance the underpaid employee will be stealing the details via a personal "swiper". There was a programme on UK tv recently discussing this widespread fraud...

Re:Irresponsible?

[j09824]

Seems they've opened themselves to a wave of court cases and possible fraud.

If only that were the case. But in real life, people can do all sorts of irresponsible things with your credit card number and you don't really have any recourse, even if it damages your credit rating and costs you months to straighten out the mess. At best, you can hope that MC or Visa will punish them through their contractual relationship.

Re:Just my luck

[FyRE666]

I've always thought it to be inconvenient, but if this is true maybe more people will purposely disable their cards in such a fashion.

??? How would this be more secure. The same data will still be transmitted, it's just a different entry method!

that's why I don't like wireless

[gobelijn]

It's nice technology, and has some pretty good uses, but overall people don't pay enough attention to security. And that's just plain dangerous.

We've had a seminar recently at our university with a security expert talking about cellular phones. There's a lot of encryption going on in these devices, but it's apparently not very solid. In one standard made by the big boys of the industry, an example encryption method was presented that wasn't fully secure. The little ones didn't have the knowledge to implement their own, so they adopted the example. Only to pay a lot of cash to some experts afterwards to get it out again.

Now, them paying a lot of cash is not the dangerous part, but the lack of security is. It's only a matter of time before the first big virus strike in bluetooth-gsm-cash register-insert your favourite device here.

Come to think of it, that would be rather cool :-)

security

[jaavaaguru]

Lock down all ports on the server except SSH, and force the cash register client machines to tunnel through SSH for everything. I use it at home, work and university. It's better to be over security-conscious than being to relaxed about it.

However, that's just covering up the symptoms of a greater problem. It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies. That way no useful security information is being pased around for others to intercept and use.

Re:security

[Odinson]

"It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies. That way no useful security information is being pased around for others to intercept and use."

I as a profesional, understanding the issues, would accept a higher rate credit card, say 12% rather than the 10.74% for a public key challenge chip on a major credit card. If people were educated they would understand the value of paying more(not much more) for that little chip. Unfortunatly 48% of people don't know how long it takes for the earth to revolve around the sun.

Re:security

[omnirealm]

I am developing a financial application for use over Bluetooth from a PDA to a cash register, and I can say from first-hand experience that the problem of security over a wireless domain is not trivial. Your solution to channel everything through SSH is not economically feasible when you consider the processor and memory requirements necessary for *every single* vendor system out there to do this. The problem gets worse when you start talking about cell phones and wristwatches transmitting credit card numbers to vendor systems.

Bluetooth and 802.11b both have link-level encryption built in, but they both need some work before I would trust them with my financial information. For example, brute forcing the Bluetooth's E0 cipher can be reduced from a complexity of 2^128 to 2^100, and generating a database of keys and sample encrypted data can reduce the problem to a complexity of 2 if a match is found while listening to the communications!

You will have to clarify what you mean by "the account number is sent to the central server." Is it encrypted before it's sent? Against what key? How does your solution deal with non-repudiation (the device is authenticated, but not the user)?

One idea I came up with while working on this project was to incorporate the one-time use credit card numbers with client-to-vendor system. Before you leave home, your financial institution transmits a set of randomly generated one-time numbers to your PDA, wristwatch, cell phone, whatever, and the client sends a different number from the set each time he wishes to pay for something. That way, it doesn't matter if the number is compromised after the transaction is completed.

Re:security

[swillden]

I as a profesional, understanding the issues, would accept a higher rate credit card, say 12% rather than the 10.74% for a public key challenge chip on a major credit card.

Why? Your liability limit is $50 anyway. I suppose there's also the inconvenience of having your card number stolen, but from a pure cost perspective I'd expect that the lower rate plus the risk of being out $50 would be cheaper.

Of course, it's the issuing banks and merchants who absorb the rest of the fraud above the $50 limit and a good part of that fraud cost gets passed back to you in the form of a higher interest rate, so, theoretically, getting a more secure card could potentially *lower* your interest rate.

Except: In most places in the world the fraud rate is so low that it costs less to just absorb the fraud than it would to spend an additional $2 per card to put a microprocessor in it. In the U.S. smart credit cards are being issued because they're cool and attract cardholders rather than because they provide any benefit themselves. Europe is a different story.

Re:security

[swillden]

It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies.

You can discard either the central system or the public key crypto. In fact the current smart credit card standards do use public key with off-line challenge/response verification. The terminal sends a challenge to the card which encrypts it and sends back the encrypted challenge, the card;s public key and certificate (signed by the issuing bank) and the bank's public key and certificate (signed by, e.g. Visa).

The terminal has the root public key and uses it to verify the bank certificate, then uses the bank public key to verify the card certificate, then uses the card public key to verify the response. The card and terminal also each have a set of rules that they evaluate to decide if the transaction can be conducted off-line. If both agree that it can, then the transaction happens off-line, otherwise a standard credit card verification process is done with the central server. It would be nice if the on-line part would also use the crypto.

That's the mode called Dynamic Data Authentication (DDA). There's another one called Static Data Authentication which omits the challenge/response and doesn't require the card to perform any computations. And yes, it's obviously much less secure.

As an alternative (which is workable but not used in any standard I'm aware of) strong authentication with a central system can easily be done with symmetric crypto; no need for the complexity and uglinesses of public key.

Re:security

[Odinson]

"Why? Your liability limit is $50 anyway. I suppose there's also the inconvenience of having your card number stolen, but from a pure cost perspective I'd expect that the lower rate plus the risk of being out $50 would be cheaper."

Two reasons...

Usually I am not effected by interest rate to much because I make paying off my cards a top priority.

I am aware of the $50 but there is nothing in the law that says my account must be credited in 30 days of the report or some such thing. I could theoretically be held accountable for the money pending an investigation, or definatly if contest the card companies findings from an investigation. One of advantages of having a credit card is it's instant loan/buying power for emergancies. That is gone during that time. More credit cards could solve that problem but also mean more risk.

I agree that it would lower the card companies bills over the long run, so I would only accept a higher rate on a temporary basis.

I see what you are saying but I don't want to wait until the government steps in and forces the card companies to eat the cost of updating card info sending equiptment, registers, servers, cards, etc...

Re:security

[swillden]

I am aware of the $50 but there is nothing in the law that says my account must be credited in 30 days of the report or some such thing. I could theoretically be held accountable for the money pending an investigation, or definatly if contest the card companies findings from an investigation.

Have you ever been a victim of credit card fraud? I'll bet you haven't. I have, on a couple of occasions and I can tell you that it's no sweat. In neither of my experiences did they even make me pay the $50. In the first instance, I lost my card and called it in. They looked up the last few transactions, asked me which were mine and which were not. One was not. They sent me a new card and the fraudulent charges never even showed up on my bill. In the second case I got a phone call out of the blue from the issuer saying they'd seen some out of profile charges and asking if they were mine. I said no, they sent me a new card and again I never even saw the charges. These aren't unusual or isolated incidents, either. Virtually everyone I know who has had credit cards for 10+ years and used them extensively has seen fraudulent charges against their cards, and the issuers are very good about resolving it quickly, and at little or no cost to the cardholder.

The credit card business is so extremely competitive that the issuers know that anything they do to piss off a good customer will cost them more than it's worth, so they're very accomodating (the first few times, anyway; I imagine that if you had a consistent pattern of fraud reported against your account that they'd begin to get suspicious).

I see what you are saying but I don't want to wait until the government steps in and forces the card companies to eat the cost of updating card info sending equiptment, registers, servers, cards, etc...

Why would the government ever do that? Managing the level of fraud and the technologies they use to prevent it is something the credit card industry has done very successfully for 50 years. They started with paper documents then moved to plastic cards and then embossed plastic cards (so they could get an 'imprint'). When fraud got too high they added magnetic stripes and eventually holograms. In places where fraud is a significant problem today they have moved aggressively to smart cards. Time and again they've risen to the challenge and kept themselves profitable through a combination of legal and technological means.

Why would that change so much that the government would have to get involved?

In my opinion, you should just try to get the best service you can at the lowest price you can and let the banks figure out the most effective way to make money. It's what they do!

Original source

[Omega+Hacker]

You can find what appears to be the original fwd'd (anonymized) copy of the mail from the guy who first checked this out at this location.

Re:Original source

[erasmus_]

Very interesting, thanks. I wonder why his credit card number was not in the stream though, while others were, when he specifically made a transaction just to check it out? Perhaps some registers dial the line to verify the cc directly, while others beam it to another terminal equipped with a phone line?

Re:Original source

[valdezjuan]

Securityfocus's mailing list Vuln-Dev is where the original post came through. There has been an interesting thread on the subject since the posting. You may want to check it out:

http://online.securityfocus.com/archive/82/27036 4/ 2002-04-29/2002-05-05/1

You can follow the thread by clicking the next article in thread link on the right.

Re:Original source

[erasmus_]

I don't understand how you can say you're in the POS business and have never heard of this. They do not call them kiosks in the article, they specifically say:

Symbol makes hardware used by IBM in its wireless point-of-sale terminals.

Now I do understand your point that it may be cheaper to do physical wire, but that doesn't seem to be preventing the many customers that they mention in the article, including Best Buy from purchasing and using this wireless POS technology.

Re:unFrickingbelievable

[silentbozo]

This is WORST Buy we're talking about, remember?

The same guys who want to foist copy protected CDs as a standard on their customers? The ones who tried to arrest a customer for trying to pick up a video card that he bought on sale online? The ones with the ultra-crappy customer service?

If you're still shopping at Best Buy, this fiasco with the wireless registers should be enough to make you go somewhere else.

How i gave away my credit card details.

[oliverthered]

I had a call the other day, from someone the BBC T.V. licensing department; or so I thought.(The BBC is a non-optout subscription service)

The caller said that I hadn't paid my licence for the year, and asked if I would like to.

Being a bit crap with bill payments I found this quite handy, I searched around for my credit card, but couldn't find it, so,

I told the caller that, "I couldn't find my card and would I be able to pay over the phone tomorrow". She said that, "they were open tomorrow", but expressed great concern, because they were, "checking licences in the area", so I had another look for my credit card and found it, gave the caller my details.

A few days later the T.V. licence arrived,
I have cancelled my credit card because I couldn't be sure if the caller really from the BBC, if so they've started demanding money with menaces.

There should be system security inspections.

[Innominate+Recreant]

Each time I fly somewhere, I don't inspect the plane before boarding it. When I go to the grocery store, I assume that the government has inspected the facilities that produce the food I buy. The average consumer has neither the time nor the expertise to inspect each plane or food processing plant to decide if it meets a reasonable standard.

Government inspection doesn't mitigate any responsibility that a food plant or an airline has. It merely provides the consumer with some assurances. And in most cases (not all) it works. Most of us buy food every week, and most of us don't die of food poisoning. Most planes take off and land safely. However, the food producer or the airline company is still responsible for the product.

As we rely more system security in our daily business transactions, I think that rigid standards of system security should be created and enforced.

If we start holding irresponsible retailers, like Best Buy in this case, accountable for damages, you'll see consumers *and* retailers lobbying for such an effort.

Why bother? Thieves can just guess.

[j09824]

Credit card thieves can simply brute force the credit card numbers. Some banks helpfully even assign credit card numbers sequentially or predictably, and the credit card number space is too small anyway.

Social security numbers used as identification, credit card numbers, and a whole host of other "real world" identifiers and systems are simply extremely sloppy security. In the past, that meant that only a few customers got screwed. With modern computer equipment, a lot of people get screwed.

What is particularly annoying about it is that the companies that put this sloppy security in place never really have given a damn about protecting their customers--as long as the casualties are not too many and don't frighten the masses away, it's acceptable. In most cases, companies that use sloppy identifiers or security end up not even being legally liable for the trouble and expenses they are causing their customers.

But its not just Best Buy

[CodeMonky]

On vuln-dev (vulnerability development, a list on security-focus.com) there has been a discussion going on about this for over a week, and people are pointing out all the stores that have problems, and its getting to the point where it is easier to say who DOESN'T have a problem than who does.

Re:But its not just Best Buy

[ryanr]

The vuln-dev thread started yesterday, that's the source for the MSNBC story.

http://online.securityfocus.com/archive/82/2002-04 -29/2002-05-05/0

Not surprised

[dreamchaser]

Is anybody actually surprised that nobody at Best Buy knows how to configure an encrypted wireless network?

Re:Not surprised

[fooguy]

Let's be fair here.

Most of these retail type places buy a turn key solution (::COUGH:: ::COUGH:: IBM ::COUGH::). I don't expect my mechanic to know how to fix my car, and I don't expect a store manager to understand wireless encryption. A store doesn't have its own IT people, corporate does. Maybe (if they're lucky) corporate even had a helpdesk they can call.

Someone sold them this wireless gear, they should be the onces concerned about the security.

Re:Not surprised

[cdrudge]

I don't expect my mechanic to know how to fix my car

You don't? If I am going to pay someone to do something for me, I'm sure I would want him to know how to do it. I pay my doctor because she knows about my body. I pay my accountant because he knows about my finances. I pay my mechanic because he knows about my car.

Trust

[infiniti99]

Someone down the line knows your credit card number. If you hand your card to the person at the register, then you are placing trust in them. If your information is stolen by a 3rd party, then it is because of the incompetence of whoever you placed your trust in.

According to the article, Best Buy has since stopped using wireless cash registers. Still, I think the problem is not with wireless itself, but the particular implementation Best Buy was using. Couldn't they simply encrypt the data?

Of course, credit cards are inherently problematic. Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal) Thus, everyone would be able to give, but not take. As it stands, credit cards have the worst security of anything. It's ironic too, since a lot of us computer enthusiasts will rant all day about how everyone should be using ssh and GPG, yet we give our login and password to the waitress next time we eat.

Re:Trust

[Geeyzus]

Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal)

I agree.

Now, if the government could only standardize some way to do this. Perhaps instead of electronically, maybe some physical medium could be used to represent the money we have. We could actually hand these physical objects to the cashier on exiting a store. It would of course have to be small enough to carry around with us also. I hope to see this in real life one day!

No credit card fraud before the internet?

[p4k]

Now you don't even have to be online to have your number stolen.

Like you ever did need to be online to get your number stolen - easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.

This is *the* classic error in security thinking - only consider the hardware, ignore the human factors.

Re:No credit card fraud before the internet?

[BreakWindows]

easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.

Customer: Excuse me, sir?
Me: *stares at credit card*
Customer: Hello? Are you going to ring up that sale, or what?
Me: *stares at credit card*
Customer: What the hell are you doing??
Me: *stares at credit card*
Customer: You're not trying to memorize those 16 digits plus expiration date, are you?
Me: *stares at credit card*
Customer: That's it, I'm going to another store!
Me: *stares at credit card*
Me: Oh, sorry, I was just...umm...lost in the beauty of this blue swirly chip in the middle.

Re:No credit card fraud before the internet?

[fooguy]

Actually, the easiest way to steal a credit card number is to generate a number for yourself.

Or so I'm told .

Re:No credit card fraud before the internet?

[ShavenYak]

easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.

Or to go to a restaurant and grab receipts off of tables.

When dining and paying with a credit card, never leave until the waiter has picked the receipt up. At least then you only have to trust the waiter, not everyone else in the restaurant.

Re:No credit card fraud before the internet?

[Peyna]

Exactly how my bank card # got stolen. I traced it to a clerk in a gas station, I had not used the check card anywhere else previously besides ATM machines, etc. and I visited said gas station the night before. Lucky for me he apparently tried to use it at some lumber supply company for a few thousand dollars to see how much he could get out of it, and they were kind of suspicious when he wanted to use 2 credit cards each with a name different from his own =] I wonder how many places would care enough to catch something like that.

Re:No credit card fraud before the internet?

[Peyna]

Haven't worked in retail much have you? I worked at a grocery store when I was 16 (4 years ago), and all credit card information needed was nicely printed on the roll of tape in the register that we had to take out at the end of our shift and give to the accounting folks. All you'd have to do is look at it later when the person leaves. I'm sure 3rd shift gas station attendants have plenty of free time.

Re:No credit card fraud before the internet?

[Bedouin+X]

Thank you!!

I was scanning the replies to see if anybody else caught that before I posted. I used to work for a ver ubiquitous electronics retailer that loved to ask for your name and address. We had a few unscrupulous employees there that would go through the receipts at the end of the day and record credit card numbers with the bonus catch of their name, address, and in many cases their phone number.

The company tried to wise up by not printing the address on the ticket but it just took a quick dive into the computer system to retrieve this information. I know for a fact that nothing has changed at this company and I can only imagine what others are like.

Re:No credit card fraud before the internet?

[fooguy]

You still need the exp. date, the cardholder's name, possibly address, and sometimes even the three digit number found on the signature panel. the only thing that the luhn algorithm is good for is validating that the card *might* be a valid card number, not a valid card.

Depends on what you're using the card number for. Not every company that accepts credit cards check those things throughly. For example, some smaller computer places just take the number and the expiration date and run the card manually.

I'm aware of a couple websites that offer services (not goods) that you can buy with a credit card that just do a LUHN check. If the number passes your service is provided. Billing is done by hand later. Credit card processors that can validate in real time (Verisign for example) are pretty expensive, much more so than printing out an email and keying it into a POS terminal.

Blah, ok the cats out of the bag

[LWolenczak]

Ok, I have known about this for about five months. Prirry sad huh? You can even pickup logins, passwords, and get EIGRP broadcasts from their router for best buy's data network. One thing I have noticed recently, as of last weekend, the best buy I pass as I head to work dosen't make my laptop beep twice.....

More validation is needed

[min0r_threat]

Credit card transactions such as this validate the credit card number against an algorithm, and ensure that number matches the bank who issued the card and the type of card (VISA, Mastercard et. al.)

Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a finger print into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the treansaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.

So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.

In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.

And as for using encryption - surely that is just common sense?!

Re:More validation is needed

[EasyTarget]

Sure, the PIN number may be picked up over a wireless network

Not necesserily.. the PIN is stored on the card itself (one-way encrypted or sumething.. I'm not well-up on crypto stuff). So therefore the whole pin-processing can go on within the POS (Point-Of-Sale) terminal which just needs to return a success or denial message.

Re:More validation is needed

[anthony_dipierro]

In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

Sure there is. Your signature matches the signature on the back of the card. Good combination of something you have (the card), and something you are (the signature).

Why are fingerprints so much harder to copy than signatures? They're both biometrics.

Re:More validation is needed

[RelliK]

Not necesserily.. the PIN is stored on the card itself (one-way encrypted or sumething.. I'm not well-up on crypto stuff). So therefore the whole pin-processing can go on within the POS (Point-Of-Sale) terminal which just needs to return a success or denial message.

You got one thing right: you're not well-up on crypto stuff. Or common sense. How would this magical POS know if the PIN is valid or not? If PIN is hard-coded on the card, how is it different from the card number?

Re:More validation is needed

[EasyTarget]

I've been told this on several occasions by people who -are- well up on card security. The PIN is certainly stored on the card in some applications.

The PIN is obviously -not- stored plaintext, but as a DES encrypted number somehow. This may not be true for all systems but if you look halfway down here or here
You will get the general idea.

On the other hand, other sites tell you differently.

Re:More validation is needed

[GLX]

No way... What happens when I change my PIN? (something trivial to do with most banks...) They surely don't send me out a new card.

As well, a lot of credit card companies allow you to pick your PIN long after you've received the card...

Re:More validation is needed

[ddstreet]

the PIN is stored on the card itself

Nope.

You want to know what is stored on your card? Not much. US cards (foreign - e.g. Japanese - are different) contain 3 tracks (ISO tracks) which contain up to 98 bytes (track 1) + 46 bytes (track 2) + 139 bytes (track 3). Total up to 283 bytes. So that ain't a lot of info.

Oh, what exactly is stored on the card? Well take a look at this doc in the MSR (Magnetic Stripe Reader) section. Thar ya go.

Re:More validation is needed

[swillden]

I've been told this on several occasions by people who -are- well up on card security. The PIN is certainly stored on the card in some applications.

Some applications, yes, this application, no. Smart card-based credit cards may and often do store the PIN in the chip, but that's because the chip is fairly secure. The magstripe is not. There are some DES-encrypted verification codes stored on the magstrip, but not the PIN.

An easy way to prove that this is the case is to call your credit card company and change your PIN. You'll notice that they do not issue you a new card.

Re:More validation is needed

[JimBobJoe]

Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.

For the most part, this isn't important with in-store transactions. Why?

1. Online fraud is more pervasive than in store fraud--20 to 1.
2. The type of fraud in which a person uses someone else's card is *extremely rare.* Most people who lose their wallets or have their wallets stolen are vigilant and get the cards cancelled quickly enough.
3. The in store fraud which does take place involve fake cards printed up by the fraudster with a new card number and expiration date, or sometimes they magnetize one of their own cards with the new card number/expiration date. Clearly those could be fought with a more complex (possibly biometric based) system...but the cost is astronomical in comparison to what it would stop. In fact, in the mid 90's there was this idea to put photos on credit cards, and that seems to have fallen by the way side. The cost to the bank of processing cards that way simply is not justifiable, especially since it doesn't achieve a damn thing. In store fraud simply is not the problem online fraud is.

but it will cut down on innocent people being ripped off

not directly. innocent people don't get ripped off because credit card issuers swallow the charges (even that $50 thing that we hear so much about is usually waived.)
however, on-line fraud is swallowed by the merchant, but that's a different story.

Re:More validation is needed

[seaan]

Information about the PIN (not the PIN itself) may be stored on the magnetic stripe of a debit or credit card. The standards are pretty vague when it comes to PIN verification, and it is mostly up the individual institution to decide how to verify their customer's PIN. By contrast the standards are very precise about the location of account numbers and expiration dates, because they are needed interoperability reasons - everyone using that card needs to know about them. PIN verification is only performed by the "bank-card-owner" (or a designated stand-in processor).

The PIN information is called a PIN-Verification-Number, and may be stored in the mag-stripe data. The PVN can also be called an offset, but essentially think of it as a cryptographic-hash (usually DES based). Local verification of the PVN used to be much more common, especially when the only place to use debit cards were the ATMs owned by your bank. The banks would place their verifications keys in every ATM, so that they could perform transactions even when the ATM was not connected. Because of both security reasons and improved communications, this is pretty uncommon now for all but the smallest of banks.

There is now a trend in the industry to not use card-based PVN, and to instead rely upon central databases. As Point-of-Sale terminals and the cross-use of ATMs owned by different banks grew, local verification became impractical. The keys used to verify the PVN were very secret and the banks did not want to share them with other banks; let alone trust them to a POS terminal (Aside: POS terminals tend to be very price sensitive, and their security capabilities are usually as minimal as the purchaser can get away with. From bitter experience, I know that trying to sell a customer POS terminals with much better security at say $205; will loose because they will buy an insecure $200 model instead!).

Finally to address another comment in the thread: If you change your PIN, and your bank uses a card-based PVN, you will need to update your card's magnetic stripe (disclaimer: I helped design a system that does exactly that, used at a number of major banks such as Wells Fargo, Citigroup, etc.). If your card does not have a PVN stored on the mag-stripe (for example, most US credit cards), than obviously you won't have to update the card when changing your PIN.

Truly a Best Buy

[phunhippy]

Best Buy sends the credit card info cleartext over 802.11....... hmmmm maybe they really truly are best buy then! They went out and found the cheapest Wireless Point of Sale system.. to them it was the BEST BUY :)

Re:steal away.

[GutBomb]

but it's not really stealing if i ipurchase things with someone else's card because i would not have bought anything if i did not have someone else's credit card number.

oh wait... I have been reading slashdot for too long!

high tech credit card theft

[GutBomb]

with everyone paranoid about credit card theft using high tech means people seem to forget that while most internet transactions are safe, what you really need to worry about are people who actually handle your card.

The cashier has access to your nubmer. the accountant has access to your number. the manager of the store has access to your nubmer. some stores print the entire number on reciepts so anybody willing to dumpster dive has access to your number. waiters and waitresses who carry your card off to the register in a restaurant has access to your number...

and now people in the parking lot have access to your number.

Re:high tech credit card theft

[anthony_dipierro]

Exactly. My grandfather once had his credit card number stolen directly by a store worker who wrote it down on a piece of paper. Turns out she also had the unauthorized purchases shipped to her house, so the FBI came a knocking shortly later.

What about "People" transmitted credit card number

[Steev]

I don't know about you guys, but I'm much more worried about people writing my credit card number down and passing it to somebody else or overhearing me when I order something over the phone than I am about it being picked up wirelessly by some chump with a laptop in the corner of the store.

Most -- note that I said "most" and not "all" -- of the people that are going to defraud me by using my CC number are not going to have access to a computer with equipment capable of sniffing the air packets (that sounds kind of gross) to get that number in the first place.

Re:wireless anything

[GutBomb]

in a couple of decades encryption will be more powerful also.

Re:Trust - bzzzt! wrong def?

[nalfeshnee]

ummm ... last time i looked, using a credit card is patently NOT the same as handing someone the keys to your safe. the money is NOT yours, and if someone other than yourself manages to gain access to it, you do NOT have to pay it back (at least, above a certain limit, $50, whatever).

that is the whole point of credit cards, after all. a way to deal with cashless transactions in a way that ensures your money is not technically at stake should something go tits up with the system. now, if we are talking about DEBIT cards, such as the Switch cards in the UK, that is a totally different kettle of fish, and your point about the safe is entirely correct.

nalfy.

Other Fraud mechanism.

[EasyTarget]

If the transactions are in plain-text, is there any checksumming etc.. that takes place.

It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.

Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.

All of this is assuming that the systems do not use basic checksumming double-verification etc.. but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data beiong injected into the network.

Re:Why bother? Thieves can just guess.

[BlueUnderwear]

Usually, attempting to do this ("guessing" credit card numbers) would rack up rather high charge backs fees for each failed attempt. Those chargeback fees are exactly intended to foil such guesswork. The idea of makeing up numbers (with checksum matching) is fairly old, and has been used by spamfighters to "punish" spamvertised sites (pretend to buy an article, supply a bogus cc number, do it early, do it often, use open proxies, and watch as the outfit goes out of business due to chargeback fees).

However, what makes the scam your are linking to interesting, is not the fact that the criminals were brute forcing the numbers, but rather than they were using merchant accounts other than their own to do it. That way, some unsuspecting victim was stuck with the bill, rather than themselves. It was more an exploit of authorize.net's online card validation system than a problem with the credit cards themselves.

So can crooked cashiers...

[mcwop]

which is exactly what happened to me at Best Buy.

Root password

[Mattygfunk]

Presumably your PIN number for savings transactions on a bankcard would be processed at the handset, but this information would be serious concern for a lot of people if it was broadcast as well.

One of the major reasons I dont own a credit card and haven't ever, is the loose security generally. By simply trusting the clerk wont look at the numbers on the card is a rediculous gamble with money you don't have.

Hey, gimmy your root password on a bit of paper and ill give it back to you if you forget. Promise I won't look.

Re:What about "People" transmitted credit card num

[arkanes]

You're worrying about people stealing YOUR credit card number, and the people stealing want A credit card number (actually, lots of them). It's a waste of time to randomly tap phones, and the old writing them down from your retail job works but has alot of potential risk involved. Sitting in a parking lot for a couple hours with a laptop is practically risk-free (just need to find a Best Buy next to a McDonalads or something) and will let you gather LOTS of numbers. Therefore, while someone wanting your specific card isn't any better off, the odds of your card being stolen this way, and used in a way that will cause you a huge mess, is higher.

Home Depot?

[b1t+r0t]

I've noticed a wireless base station at the back of my local Home Depot. I seem to recall it had a directional antenna pointed at the cash register area. (And by extension, towards the parking lot as well.) I hope they have enough clue to use at least minimal encryption. The hell with parking lots. Get an iPaq or Zaurus with an 802.11b card and you could walk around the store with it turned on and hidden in your pocket. For as long as the batteries held out, anyhow.

online credit card theft

[hetairoi]

"Now you don't even have to be online to have your number stolen."

right, before the internet, credit card numbers couldn't be stolen. I also understand that before the internet, no music was ever pirated.

---

180 degree turn?

[Mattygfunk]

Will shop security turn the tide towards the Internet for secure transactions when it was previously critisized for being prone to "hackers"?

Credit Card numbers get stolen offline?

[pinkUZI]

Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen.

This should come as no suprise seems it has been easier to steal credit card numbers offline than online for some time now. Think about that pimply faced waiter disapearing in the back with your credit card at a restaraunt. Who cares if you lose your credit card/number anyway?

Re:Why bother? Thieves can just guess.

[j09824]

These scams predate Internet credit card payments by many years. People used to guess credit card numbers and "verify" them over the phone or at various convenience locations. Banks have made this particularly simple by making valid, recently issued numbers easy to guess.

Original message (FYI)

[Denium]

To: Vuln-Dev
Subject: Wlan @ bestbuy is cleartext?
Date: May 1 2002 3:57PM
Author: Blue Boar

I was asked to anonymously proxy this question to the list. Here ya go.

BB

This past week I went to bestbuy to purchase a D-link wlan card... egar to get my laptop up and running while in the car I put my card in and installed the driver. I noticed the traffic light was lit up as if I had a connection. Out of curriosity I fired up kismet and sure enough there were packets flying through the air right infront of BestBuy. Well I decided to run in an try to make a Credit Card purchase real quick to verify that my info was not going all over the parking lot in the clear. Well after sorting out my logs I noticed what looked to be like SQL queries and table headers in my logs ... things such as CUSTOMER_ROUTEID, BANKNAME, REGISTER_ID and things of that nature... luckily no where in that data did I find my own credit card. Non the less I decided to run to the store next to BestBuy while I left me PC on grabbing packets. Well yesterday I sorted through the data collected and this time I did indeed find a RAW clear text credit card number....not mine ... but definately a credit card number.

Heres my delima... I checked out a few of the other best buy stores for "beacon packets" and everyone I drove by was sending them out...so I assume all BestBuy's are wlan enabled. What I need to find out is ... are BestBuys's Cash register terminals indeed using wlan and are they indeed sending out MY data in the clear... I am NOT comfortable using my credit card at ANY BestBuy as of right now... due to legality though I don't feel comfortable walking into the store and confronting someone about it.... for all I know it could be standard BestBuy corp. practices to use nonsecure wlan. I figured by starting a thread other people that have attempted this may have more info or some from BestBuy may be reading the list and they may pipe up.

guessing doesn't work

[David+Jao]

the credit card number space is too small anyway.

You got it wrong. The social security number space (9 digits) is too small, but the credit card number space is perfectly adequate.

Most credit card numbers (not counting store-issued cards here) are 16 digits, for a total of 1E16 possible numbers. There are 6E9 people in the world, and less than one credit card per person. That leaves you over a million invalid credit card numbers for every valid one.

Now, granted, there are some regularities in the set of valid credit card numbers that you can use to increase your chances of guessing one, but that's not enough to overcome the million to one shot that you start out with. Moreover, in most cases, actually using a credit card number requires knowing the name and expiration date of the account as well.

I agree that banks assigning credit card numbers predictably is a problem, but this problem would exist regardless of the size of the number space. The size of the number space itself is not a problem.

Re:guessing doesn't work

[Mr.Intel]

And the first 8 digits are determined by your card. And the last 1 or 2 are determined by the checksum. So now we're down to 7 digits. 1 in 10 million. Then assume that there are 1000 other people using the card. Bam, you're down to 1 in 10,000.

Now add to that the expiration date and "signature code" and you have two more keys to verify you are holding that card in your hand. Sure, Credit Cards suck in and of themselves, but there is more to it than a number. More e-tailers I do busines with ask for those three things and sometimes a phone number to call the issuing bank.

Re:is wireless really just for a quick and easy se

[BreakWindows]

Well, they allow us to get free credit card numbers!

Re:encryption

[saridder]

You can always use VPN's between the register and central computer. Then you bypass WEP.

Re:Trust - bzzzt! wrong def?

[infiniti99]

if someone other than yourself manages to gain access to it, you do NOT have to pay it back

This is true. Using credit cards can sometimes be safer for an individual than other monetary transactions, because the credit card company will insure you if something goes wrong (within limits, as you say).

Still, this doesn't make the system technically better... it just moves the risk onto the credit card company. Although now that I think about it, would the average credit card user be able to handle the risk themselves if the system were implemented my way? We all know how people write passwords on their forehead.

One time credit card numbers?

[BCoates]

Gives more credence to the idea of one time use credit card numbers

Sounds like a great idea, one-transaction cards, with a unique number on each of them, all tied to one account.

But plastic swipe cards are too expensive to use once and throw away--make them out of paper, better for the environment.

While you're at it, you could eliminate the need for the seperate credit card reciept by putting the amount and signature on the (paper) card, and handing it to the retailer... you could even that funny non-carbon carbon paper if you wanted a reciept for yourself.

Print them up in a handy-little tear off pack, maybe throw in a balance sheet so you can keep track of your expenses (if you're so inclined).

If you let little old ladies get ones with puppies or kittens on them, this radical idea of yours might just be a success!

--
Benjamin Coates

Re:One time credit card numbers?

[ShavenYak]

There's nothing (well, very few things) I hate worse than standing in line behind some schmoe paying with a check. It would be fine if they wrote everyhing but the amount out in advance, and then just had that to fill in once they were rung up - but that never happens. They wait for the cashier to finish, then ask to borrow a pen. Then they fill in the name of the store, the date, the amounts, something on the (pointless) memo line, then finally they sign the check. Now, the cashier has to validate the check, ask for an ID, perhaps call the manager over if the customer wanted cash back.

Then, once they are finally through, I swipe my card, wait 5 seconds for the receipt, sign it, and am on my way. And if my wallet is stolen, my maximum liability is $50, if the old lady's checkbook is stolen, she can be out the entire balance of her checking account.

Re:One time credit card numbers?

[MCZapf]

Why stop there? You could also make these paper transaction cards reusable - don't tie them to any single account. Each one would still have a unique serial number on it. For convenience, they could be available in nice, round-numbered denominations: $1, $2, $5, $10, $20. I don't know about puppies or kittens, but you could put portraits of dead presidents on them, I think.

Re:One time credit card numbers?

[sharkey]

Idea for the $10,000 paper transaction card: Put all the Presidents on it, they could have a party. Jimmy Carter would likely pass out on the couch.

Re:One time credit card numbers?

[ShavenYak]

Perhaps that was a bit of an exaggeration. Having my wisdom teeth removed was definitely worse, as was food poisoning, my first breakup, and any number of other things that don't come to mind immediately. However, waiting in line is something that happens quite often, and as Murphy's Law would dictate, always happens when I'm already running late for something, so it stands out more.

Another Reason

[Amazing+Quantum+Man]

Yet another reason not to shop at Best Buy

SecurID and Credit Card Companies

[OS24Ever]

SecureID and Credit card companies should get together. Those neat little keychain FOBs that change numbers every 60 seconds would be a good tech for the one-shot credit cards. If your card number changed every 60 seconds It'd be pretty hard to snag it and use it.

It should be somewhat easy to implement, credit cards would cost a bit more so of COURSE annual fees would have to go up at least 150% ;)

I'm going to restate this over and over again.

[mindstrm]

Check your credit card contract.

Most say you are liable for fraud only if your CARD is stolen, and only for the time between it's theft and when you report it to the company.

Any other fraudulent use of your credit card number you are simply NOT liable for. Remember, it's not really your number, and the card is not really yours. It's the property of the issuer, it says so on the back. It's a (weak) security token they issue you in order to identify yourself as someone who has a line of credit. If someone uses that, fraudulently, it is a screwup on the part of the merchant, or the bank. You do not pay.

If your contract says otherwise, or puts any other liability on you (other than normal, responsible behavior of course), shop around and find something better.

I realize it's a pain if someone has your number, and starts using it. It can be really inconvenient. But my point is.. rather than treating this like property that they have stolen from us, just like stealing our cash, we should be looking to the credit card companies to make sure this does not become our problem... because ultimately, it's theirs.

Why are you worried?

[mindstrm]

If someone taps your phone or otherwise gets your number and uses it, why does this concern you?
The worst that can happen is you have to make one phone call to your card issuer to tell him you didn't make the charges.

If they use your number, they are not defrauding you. They are defrauding the merchant by using a card that is not theirs (the issuer will cancel the transaction and the merchant will not get paid.)

One of the main benefits of credit cards are that the responsbility for validation rests on the merchant, not on you. Unless your card is physically stolen and you don't report it, you do not have to pay for fraudulent use whatsoever.

What about Canadfa too? - Re:European Card Readers

[Malc]

Here in Canada, the debit card system is called Interact. There're no signatures as it is all based on PIN numbers.

In the last few years I've been seeing an increasing number of wireless payment options. This is great in bars as it saves going and hanging around in an obscure corner with the wait staff constantly trying to squeeze by.

It makes me wonder how secure it is... I wouldn't want somebody to get my bankcard and PIN number.

Best Buy isn't the only one!

[Otto]

I know of several stores that use wireless point-of-sale systems. Most now use 802.11b. Not one of them uses WEP. I went war driving one time and found several stores networks. No WEP. Some obvious SSID's.

This setup is *extremely* commonplace.

Re:steal away.

[freeweed]

I think what you meant to say is that you can damn well do as you please with any signal that passes through YOUR body, after all, these are PUBLIC airwaves damnit!

Good idea

[ahde]

Visa doesn't give a shit about your credit rating, and they make a profit on every chargeback, so lets go to using one time pad encryption? The problem was solved a long time ago. What we need to do is make the credit card companies liable for lack of security.

Folks, it's not that hard...

[Adam+Wiggins]

http://trustcommerce.com/security.html

Re: PIN

[seaan]

The PIN is the DES-encrypted version of the card number (account number, whatever), translated to decimal digits by substitution from the encrypted block's hex representation. If you can specify your own PIN, you actually specify an offset between the above value and the value you type to the sniff^HATM keyboard.

This is true only for the most common (US) algorithm, often called the IBM-3624 algorithm. Other algorithms handle PIN encryption differently.