Researchers Expose New Credit Card Fraud Risk
An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."
Proprietary software AND hardware companies basically cannot be trusted. I've encountered countless commercial software, hardware products and services where the company states that they are very secure, but when investigating things myself, I find that it's trivial to circumvent their security. You can read about some of the poor security I've discovered recently with web hosting providers. Consumers deserve better than this, and it's all of our responsibility to make all people aware of these problems. Ironically, this news program itself doesn't understand the value of open disclosure. I guess I can understand that, as it's human nature to want to hide things for fear of liability. But it's not like they were doing something that's not so obvious that someone determined enough could figure it out.
First rule of security in my book: if someone wants something badly enough, they will be able to circumvent nearly anything in order to get it. So it's a matter of how badly they want it. Since it's money in question, I'd say that a variety of organizations and people want it pretty bad.
The huge security hole in the credit card system is the users. I flipped out at one of our vendors when they STORED my credit card number in their database, and just went ahead and charged it the next time I was in the store.
People will gladly give their credit card number over the phone to a shady pizza shop, just to get a 15 dollar pizza delivered to their door.
We could build the most secure credit card system in the world, but the problem is that it has to be simple enough for idiots to use.
Newslily: Social News. No lolcats allowed.
The data mining industry is so ingrained in our society that even if people started using $100 bills to pay for major purchases, the serial numbers on the bills would probably be scanned for tracking information. The only way you are going to get privacy in your monetary transactions is with a national privacy overhaul with penalties for data mining without permission. Since the government is one of the entities doing the data mining, this is probably not going to happen anytime soon.
The PIN needs to be a moving target and much longer than 4 digits. Note that stateside most automatic car washes are using at least 5-digit numbers to authenticate the sale as sold by the gas pump. (Example: SecurID or one-time pad.)
(offtopic)
My biggest pet peeve is: why are account numbers (on checks) in the clear, while the same is basically true of PIN numbers (without any added "salt")?
For checks I would like to see the account number + check number translated to a 16- to 20-digit hash, which only the bank knows how to decipher back to the correct account and check number.
(/offtopic)
The Roman Rule: The one who says it cannot be done shall not interrupt the one who is doing it.
Wow. The interview at the end of that piece has me floored. Imagine if industry people and politicians in the US were subjected to this sort of probing interview and actually responded. The interviewer had the representative from the credit card companies on the ropes the entire interview. Props to the BBC for doing some serious journalism.
While it's true they don't have to do business with you, most stores will accept a $50 rather than lose out on a $55 purchase. Ditto a $100 and lose out on a $101 purchase.
It boils down to risk:
Most people passing funny money will want to get change rather than goods they can only resell at diminished value.
Also, many merchants use basic anti-counterfeit measures when accepting $20s and higher. Granted these measures have a high miss rate but they do catch amateurs.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
>> "As described in some detail in our paper, the basic attack tool is a paper clip. In order to record and analyze transactions a couple hundred pounds' worth of equipment is required, in addition to some digital design experience."
OK, a paper clip. PLUS A BUNCH OF OTHER STUFF.
Well, shoot, I could probably build an atomic weapon with a paper clip. PLUS A BUNCH OF OTHER STUFF.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
When banks deploy inadequate security, they should be liable for the distress and costs they cause their customers.