Study: $1.8 Billion In Reshipping Fraud With Stolen Cards Each Year
An anonymous reader writes: Researchers from the University of California, Santa Barbara and others studied the economy of how criminals monetize stolen credit cards by operating reshipping scams as means to cash out, KrebsOnSecurity reports: "A time-honored method of extracting cash from stolen credit cards involves "reshipping" scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity. [...] disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit."
Wow, that sounds even better than the other MLMs, tell me more!!
Lost at C:>. Found at C.
I had to ask Google in order to know what a reshipping scam is... To summarize, criminals find stupid people on Craigslist who will agree to have goods paid for with a stolen credit card shipped to their home in order to reship them to a foreign address.
Here it is in Google cache
If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.
The new credit cards in the US with chips are good, but why chip and signature? Why not chip and PIN like much of the world does? Better yet, why not require two-factor authentication for large and online purchases where the card isn't swiped? If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter. This is used for so many services now that are less sensitive than financial transactions, so why not use it for these as well? Even the "Verified by Visa" program that required a password for online CC transactions seems not to be widely used.
Also, it's a different method of fraud, but a few months ago my CC was used to make a purchase from a fraudulent website. In this scheme, a transaction is made for a small amount of money, often less than $10, to a website that's not legit. In this case, the website is actually in on the scam. It was pretty obvious the website wasn't a legitimate business. The best thing that can be done is to do a chargeback and report the merchant to the CC processor, which in this case was Visa. If there are sufficient numbers of complaints against the merchant, who in this case is part of the fraud, they will be penalized and probably not allowed to make any more transactions. I provided my bank plenty of evidence that the merchant was fraudulent and asked them to do a chargeback, but they said they didn't want to bother and claimed it was simpler to collect insurance from the FDIC. It seems like merchants ought to be penalized when they're part of the fraud. It also seems like merchants that use poor security practices ought to be liable.
I'm convinced that there really isn't an interest in ending fraud, because the technology exists to make it far more difficult. We just don't implement it, which is frustrating.
Basically, there are many businesses in the USA who won't ship internationally for many reasons. Heck, some won't even ship to parts of the USA like Alaska (ask me how I know). Said reasons include customs difficulties, fraud, damage in transit, time, etc...
Thus, there's a market for 'reshippers'. People who accept packages on behalf of their clients and act as facilitators for international shipping. Good ones handle the customs requirements, any extra packaging, etc...
Thing is, they can be a bit like a pawn shop. You have legit ones, and you have ones that are more straight out fences.
Given the description, it sounds like they're ripe for some additional regulation.
I don't read AC A human right
I'm not opposed to regulating reshipping, but I'm not sure it's the right solution. The more straightforward solution seems to be to simply make CC fraud much more difficult. We have the technology to do so, but seem unwilling to implement it. The new CCs in the US are better in that they have chips, but inexplicably still use signatures rather than PINs. We could implement two factor authentication for large purchases and when the CC isn't swiped. Simply send an authorization code to the phone on record for the CC, and require it to approve the purchase. A similar process could be required for applying for a new CC. Reshipping wouldn't be as much of an issue if CC fraud was made more difficult.
I read the whole summary and I still don't understand what the fuck they mean by reshipping or how the scam is being done. Don't they know how to summarise properly anymore?
It would hardly be sporting for the editors to have any explanatory information in the summary, now would it?
Slashdot is one of the few places that routinely publishes "summaries" that are 100% content-free. I always marvel at how they do it. You'd think that a stray bit of info would find its way into the summary by chance once in a while, but that doesn't seem to be the case here.
Just cruising through this digital world at 33 1/3 rpm...
Basically, there are many businesses in the USA who won't ship internationally for many reasons.
Yup. I have a friend who lives in Cambodia and almost no one will ship anything there...so he buys stuff on Amazon, has it sent to my home, and I re-ship it to him.
Just cruising through this digital world at 33 1/3 rpm...
Basically, there are many businesses in the USA who won't ship internationally for many reasons.
There is also the market where these businesses will ship to foreign destinations, but charge a huge premium for the privilege, which makes dealing with re-shippers attractive.
I am Slashdot. Are you Slashdot as well?
So, how do I get a cut of this sweet action? Why do only foreigners be getting some?
It's also the opposite - there are plenty of foreign businesses who won't ship to the United States. I have a friend who buys a lot of anime goods off Yahoo Auctions JP, and most of the sellers there will not ship outside of Japan. He pays an exorbitant sum to re-shippers to forward the packages to him.
On the business side, I once worked for a place that made airplane parts. One of their customers is a French firm that routinely shipped parts back to them in order to get them fixed. They also had to use a freight forwarder for it both ways, same for Honeywell's operation in the UK.
Regulating this kind of freight forwarding would probably be borderline impossible to do given the sheer number of different countries and their law sets involved.
he buys stuff on Amazon, has it sent to my home, and I re-ship it to him
Are you a stay-at-home mom making $3,000 per month working 2h a day, like in the ads?
lucm, indeed.
Safekey, 3DSecure, etc. have some potential. AVS and shipping checks also.
But the simplest way is to use the stolen card to buy gift cards, use these to purchase merchandise, and fence that via reship or whatever, even eBay.
Once the gift card is used, the link to the original cardholder is lost, AVS is useless. In fact, use out of town mules to use the gift cards, bus them in and out, and even the video of them at the register is useless. Nobody in Seattle is going to look at mug shots from Sacramento to figure out who used that hot gift card at Nordstrom's.
EMV cards will stop this. Then it's on to Amazon Prime and same-day delivery to the mark's home address, where your mule just happens to be waiting in the driveway for their daughter - while the actual resident is at work. This scam is used to hijack cell phones ordered fraudulently and delivered home while the residents are away working for a living. AVS can't stop this. Only vigilance, and maybe SMS alerts of purchases over a certain amount, though with cell phone financing you can just put the down payment on the card and walk away...
Apple Pay got slammed with various signup scams initially and had to fix that; the issuers and processors have to be quick and responsive. The crooks are clever, and usually quicker.
deleting the extra space after periods so i can stay relevant, yeah.
I'm surprised this scam still works today. All of my cards automatically reject purchases where the shipping address isn't the billing address of my card. I can add addresses to the valid list, but I have to do it beforehand through their web site or through customer service. That should shut this kind of scam down.
Or the other obvious change of, instead of having the merchant charge my card, have me tell my bank/issuer to pay the merchant. Then the merchant never needs to know my card number and it's a lot harder for scam artists to operate.
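The controls argued for in the comments above (ship-to address must match billing or a pre-registered allow-list, and large or card-not-present purchases get a one-time code sent to the phone on record) fit into one small authorization policy. This is an added example, not code from the thread or from any issuer; the class names, the $200 threshold, the six-digit code format and the sample addresses are constructed for illustration.

```python
"""Added example (not from the thread): a minimal card-not-present
authorization policy. The ship-to address must match the billing address
or be on the cardholder's pre-registered allow-list, and large or
non-swiped purchases require a one-time code delivered out of band.
Class names, the $200 threshold and the sample addresses are constructed."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass(frozen=True)
class Address:
    line1: str
    postal_code: str
    country: str

    def normalized(self):
        # Loose normalisation so "1 Main St " and "1 main st" compare equal.
        return (self.line1.strip().lower(),
                self.postal_code.replace(" ", "").lower(),
                self.country.strip().upper())


@dataclass
class Cardholder:
    billing: Address
    phone: str
    allowed_ship_to: set = field(default_factory=set)  # Address.normalized() tuples


STEP_UP_THRESHOLD_CENTS = 20_000  # constructed threshold: $200


class IssuerPolicy:
    def __init__(self, holder):
        self.holder = holder
        self._pending = {}  # txn_id -> one-time code awaiting entry

    def address_ok(self, ship_to):
        n = ship_to.normalized()
        return n == self.holder.billing.normalized() or n in self.holder.allowed_ship_to

    def needs_step_up(self, amount_cents, card_present):
        # Step up when the card was not physically swiped/dipped, or the amount is large.
        return (not card_present) or amount_cents >= STEP_UP_THRESHOLD_CENTS

    def deliver_code(self, txn_id):
        # Stands in for the SMS gateway: in practice the code goes to holder.phone.
        return self._pending.get(txn_id)

    def authorize(self, txn_id, amount_cents, card_present, ship_to, otp=None):
        if not self.address_ok(ship_to):
            return "DECLINED_ADDRESS"
        if self.needs_step_up(amount_cents, card_present):
            if otp is None:
                self._pending[txn_id] = f"{secrets.randbelow(10**6):06d}"
                return "OTP_REQUIRED"
            # Single use: the code is consumed whether or not it matches, so an
            # attacker gets one guess per issued code.
            expected = self._pending.pop(txn_id, None)
            if expected is None or not hmac.compare_digest(expected, otp):
                return "DECLINED_OTP"
        return "APPROVED"
```

The merchant's flow is: call `authorize` without a code; if the answer is `OTP_REQUIRED`, prompt the customer for the code the issuer sent and call again with `otp=`. A wrong or re-used code returns `DECLINED_OTP` and a fresh code must be requested, which is what makes the second factor worth having.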
I visited USA last year, and was horrified when my transaction went through when the merchant swiped the mag strip on my Australian chip-and-PIN card, without requiring my PIN or signature. I wasn't aware my card issuer would even allow such a transaction. I've since destroyed the mag strip portion of my replacement card.
My advice to merchants? Don't ship to Singapore, Eastern Europe, or Central America. To processors: don't sign merchants in Singapore, Eastern Europe, or the Bahamas.
deleting the extra space after periods so i can stay relevant, yeah.
I had to ask Google in order to know what a reshipping scam is... To summarize, criminals find stupid people on Craigslist who will agree to have goods paid for with a stolen credit card shipped to their home in order to reship them to a foreign address.
And the idea is that you can disrupt credit card fraud by targeting this.
Which is ludicrous because you're relying on people being more sensible than they are stupid and greedy. Hoping the world runs out of idiots is like hoping the sky will be red tomorrow.
There are already several methods that would cut credit card fraud significantly but banks and the general public refuse to use them.
1) Two-factor authentication. This alone will kill a lot of card fraud, as it would require the purchaser to enter a code generated by an RSA device or sent to them via SMS when buying things online.
2) Using cash. Yes, I know the card-addled hate this suggestion, but a lot of the time people get their card compromised by sending it through a skimmer. Using cash for a lot of day-to-day purchases will cut down your risk of this happening significantly.
3) Keeping most of your money in offset and savings accounts. If you want to spend more than say $50, you need to log onto your net bank and transfer the funds.
Banks hate both of these ideas, as they can't charge the merchant for accepting cash, and they dislike two-factor authentication because it kills a lot of impulse purchases.
Consumers hate 1 and 3 because it means they have to do something, and they are lazy bastards who will happily give their card details to any old Russian scammer if it means they don't have to do one extra thing to get their McLard and Coke. Banks have also addicted people to imaginary rewards in order to prevent them from using cash. They do this because they charge the merchant for taking your card (it's basically all profit for them).
Ultimately, stopping card fraud starts and ends with better practices by the card user... Yet another reason card fraud is nothing but a growth industry.
Calling someone a "hater" only means you can not rationally rebut their argument.
I was going to buy something from the US but the company only used a reshipper. It was going to cost $15US to ship to the reshipper and another $75US to send it to Canada for an order of about $160US. I did a quick check and with the same shipping company I could get a parcel from my place to theirs for $40 Canadian. I wrote them and politely let them know that they lost the sale because of their shipping policy. It's no good just not buying from them. If you don't let them know that they are missing out on sales then they won't make policy changes.
It is not only stores...I have to authenticate transactions with a PIN, except at toll gates and automated pump stations, for THEIR convenience.
Why horrified? What do you think your chip contains, a wireless connection to your private bank server? Chip-and-pin is no more secure than magswipes, it contains the same data and can often broadcast the data a 100m around you through RFID activation. A culture of accepting that anything makes your card more secure will allow CC companies to lay the blame solely with you in case it does get compromised.
I'd rather keep my mag swipe; in case it gets compromised, or even if there's a problem with the vendor (if they won't do a warranty return), my bank will happily take the charges off the card. Once I've entered a PIN or used any of their stupid 'security measures' (e.g. Verified by Visa, which is a horribly broken design), they assume I'm to blame for any problem with my card.
Custom electronics and digital signage for your business: www.evcircuits.com
Chip-and-pin is no more secure than magswipes, it contains the same data and can often broadcast the data a 100m around you through RFID activation.
RFID isn't a requirement for chip-based cards. In fact, one of my chipped cards doesn't support RFID. And you're kidding yourself if you think that the cryptographic chip is equivalent to the mag strip.
I'd rather keep my mag swipe, in case it gets compromised or even a problem with the vendor (if they won't do a warranty return), my bank will happily take the charges off the card. Once I've entered a PIN or used any of their stupid 'security measures' (eg. Verified by Visa which is a horribly broken design), they assume I'm to blame for any problem with my card.
You do that. Meanwhile, we don't use the mag strip in Australia, so I'll happily prevent my card from being compatible with the less secure USA methodology.
In 20 years there'll be no petty crime outside of the poor stealing from the poor and the occasional white-collar crook who manages to steal things legally, Bain style. Software will eat the world.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Most of the CCs that are stolen en masse have 2 things in common:
1) the systems run Windows.
2) the company outsourced to India.
Now some of you will say that it is not so, or that I am biased. Yet it is nothing of the kind. Russians approach Indians and point out, correctly, that the company they work for pays them crap. In fact, few make more than $9k/year. As such, the Russians can offer them 90k to leave a back door. Once in, the Russians will clean it up and point elsewhere.
This will continue until western companies realize that security costs. First, do not run Windows (which will lower costs by switching off), but then pay all the computer-related staff decent salaries. You want them happy and not willing to hurt the company.
I prefer the "u" in honour as it seems to be missing these days.
Two-factor auth is irritating. I really don't want to carry a bunch of dongles. I'd be open to using my phone for larger purchases, especially online. But what if I can't get SMS where I am? What if I'm on vacation in the Caribbean and need to book an emergency flight, and my phone isn't working properly there? Yeah, that seems far-fetched, but it's also happened. I want assurances that my card will work more than I am concerned about fraud that ultimately doesn't directly cost me anything.
Cash is for chumps. Fraud doesn't cost me anything personally. Sure, in aggregate I pay more for stuff because of fraud, but I don't get a rebate for paying cash. Meanwhile, I assume the risk of my cash being lost or stolen from my person, whether I'm pick-pocketed or robbed at gunpoint or I drop my wallet into the marina.
Offset and savings accounts... transferring cash again confers risk onto me. If my Visa has been stolen (and it has been), it ties up some credit for a while until it gets resolved; sometimes not even that much hassle. If my bank account is drained (even an offset with a small amount in it), I'm still out the money for the period of the dispute.
I think a low-limit card for online, small, and riskier purchases is a sensible precaution though. But it's tricky... I can spend several hundred in a day easily (gas, groceries, restaurants, clothes, etc.), and I don't want to bother with paying my card off every day, or multiple times a day. (And that goes double if I'm travelling.)
No more secure? The secret of the card never leaves the fsking card; that's pretty much the point. The PIN is a secondary factor.
Now it would be much better if you never typed your PIN into anything shared. Phones with NFC come to mind; some companies have got a keypad and display into a CC-sized package. Some have got a per-transaction "CVV" generated on the card.
Really it is a half step; they should have moved to NFC-based transactions. How many people are still walking around with dumb phones?
No sir I dont like it.
You do that. Meanwhile, we don't use the mag strip in Australia, so I'll happily prevent my card from being compatible with the less secure USA methodology.
It's worse than you think here. They are finally rolling out chip-based cards in the US, and the system is just "Chip", no PIN required.
I am Slashdot. Are you Slashdot as well?
Regulating re-shipping or breaking re-shipping? I use a mail forwarder because I live in Panama. There are many things I can buy online that are simply not available locally, from my wife's designer shoes for her tiny feet whose size no store ever carries stock, to the latest computer parts for me. They all get shipped to my mail-forwarder in Miami (took all of 15 minutes to set up an account), and it all gets re-shipped to me. Takes about a week to clear customs, etc, and it's expensive as hell since we're talking air freight, 10-50% duty on CIF depending on what I buy, and inflated handling fees. But in my income bracket it's not such a big deal because the alternative is not having it at all - it's cheaper than flying to the US and staying in a hotel and bringing stuff back myself (something I used to do long before re-shipping was invented).
The point I am making is that re-shipping has valid, legitimate uses and it creates jobs. Customs Panama is happy they get revenue on stuff I buy. The airline is happy. The freight forwarding company is happy. And the store is happy. However sometimes existing regulations and policies make it difficult. Sometimes an online store won't take my credit card because it's not emitted by a US bank. All foreigners must be money launderers, right? Sometimes my mail forwarder is in someone's database and they simply refuse to ship (Apple is famous for this. OMG heaven forbid I buy a super secret tech iPod made in China and ship it to my mail forwarder, no, I must wait 10 months for them to decide to sell it outside the US and pay an extra $400 mark-up to the local retailer for the privilege of having it in his store for a day or two). Screaming for regulation is only going to make it even more difficult for legitimate people like me to get legitimate goods delivered to far away places.
What you need to do is to go after credit card fraud. THAT is the problem, but banks don't want to talk about it. It's easier for them just to pay some losses as a cost of doing business and only go after the really big fraudsters. And often these fraudsters are getting the credit card info DIRECTLY from the databases of the banks themselves, either by hacking the software or hacking the people (ahh those corruptible humans). Fix the problem at its source, don't try to make it harder for people to practice international shopping.
Seven puppies were harmed during the making of this post.
It wasn't always like this. Slashdot seems to wield a universal bike shed field only instead of everything tasting like chicken everything tastes like bike shed. Useless summary is the universal chicken sauce of click to view.
The more straightforward solution seems to be to simply make CC fraud much more difficult. We have the technology to do so, but seem unwilling to implement it. The new CCs in the US are better in that they have chips, but inexplicably still use signatures rather than PINs.
I personally know of 9 methods of scamming a chip-and-PIN system. The only real value they have are to the credit card company, and the merchant, both of which get to blame you, instead of being blamed themselves, for when one of these scams is run. The intent is clearly to offload the cost of fraud onto the consumer, rather than keeping it the problem of the large financial markets that have some hope of being able to curb the abuses, by virtue of economy of scale approaches to the problem.
The typical Russian Mobster who gets scammed simply has the scammer killed.
We could implement two factor authentication for large purchases and when the CC isn't swiped. Simply send an authorization code to the phone on record for the CC, and require it to approve the purchase.
This requires that I carry a tracking device with me everywhere I go, and it requires that I only make purchases in cellular service areas. This usually sounds like a great idea to Europeans, who are going to be on camera everywhere they go anyway, and whose urban density is such that, everywhere they go, they have cell service. So while that may count as "simply" in Europe, it doesn't in Montana, and it doesn't in large parts of California.
In fact, AT&T is taking down 2G towers because they legally have to grandfather the unlimited data plans which they only offered on 2G service, and in order to force people off those plans, they are pulling down the 2G service, even though it's not like they are replacing it with 5G, and it's not like the same tower electronics and antenna weren't capable of 2G and 3G anyway. They've specifically discontinued the "booster" (actually a Cisco Systems box that is a cellular/VoIP bridge, also known as a microcell) for 2G, even though the Cisco documentation says 2G is supported. They do this by refusing to put the 2G IMEIs into their database, even though it would work perfectly fine, were they to do so.
So relying on cell service for two-factor -- even long-established cell service, which would allow you to roam to other carriers like T-Mobile or MetroPCS -- is not really an option for about 70% of the U.S.
A similar process could be required for applying for a new CC. Reshipping wouldn't be as much of an issue if CC fraud was made more difficult.
Good luck with that, given the known problems that already exist with chip-and-PIN systems. Credit card fraud is here to stay; there's only damage control after the fact, and that's going to become more difficult for defrauded consumers, due to the pretend safety of chip-and-PIN systems.
Personally, I'm fine with how things are currently, but then I'm not a bank or a credit card company. Not that I have a great deal of sympathy with them at all, given that it's pretty common for card companies like Capital One to offer credit to students, and the credit card debt is no longer easily discharged through even the heavy-handed option of bankruptcy. That law changed under Clinton, and they're about as hard to get rid of as a student loan.
But the simplest way is to use the stolen card to buy gift cards, use these to purchase merchandise, and fence that via reship or whatever, even eBay.
Once the gift card is used, the link to the original cardholder is lost, AVS is useless. In fact, use out of town mules to use the gift cards, bus them in and out, and even the video of them at the register is useless.
Have you tried buying a gift card with a credit card? There are a few mall locations which allow you to do this, on camera, but if you try it at a grocery store, they'll deny the purchase. They'll let you buy it with a debit card, but not a credit card (I got to watch an insistent lady in front of me in line try very very hard to throw a hissy fit until they let her get away with it; it was like watching a 19 year old trying to buy alcohol).
I took my US chipped-credit card with me to Austria this summer. It ran in the European chip readers just like the readers in the US, with no PIN required. Clerks didn't bat an eye, so it must not have come across as suspicious or unusual.
Since most Canadians live within 100 miles of the US border, it's not really necessary to reship anything. There are lots of parcel holding facilities along the border that will hold your package, for $5 a parcel or whatever. They even handle cars. So you get your stuff shipped to them and then pick it up at your convenience. All it requires is a drive across the border.
I visited USA last year, and was horrified when my transaction went through when the merchant swiped the mag strip on my Australian chip-and-PIN card, without requiring my PIN or signature.
Signatures are not required on charges of $25 or less, since the store is indemnified against a loss up to that amount, when they fail to collect a signature. Over that amount, it usually requires a signature, and then your signature is floating around as a digital copy for a forger to use.
Chip-and-PIN has reduced brick-and-mortar fraud, but online fraud is alive and well, as is ATM fraud. Just expect the U.S. incidence of card skimming, card trapping, and cash trapping to go through the roof, as in Europe. Expect also to see a rise in chip-and-PIN "preplay" attacks. Expect also that the "foreign currency loophole" will be scammed on contactless cards. Martin Emms of Newcastle University in the UK demonstrated this attack at a conference at the end of last year.
NB: Your NZ card would still be susceptible to the "foreign currency loophole", even if there is wide scale deployment of chip-and-PIN everywhere -- anywhere the transaction isn't taking place in the local currency... no PIN is required.
PS: Doug Johnson of the American Bankers Association has stated that banks prefer that we move to one time token systems, like ApplePay and SamsungPay, in any case.
Driving for ~4 hours round trip (including *2* border crossings and gas money) to save a net of $20 (the difference between $40 direct shipping and $15 within-US shipping, minus the $5 parcel holding fee) is not worth it 99% of the time.
The Great Lakes region is one of the most populated parts of that 100-mile zone, so 4 hours is pretty conservative to go around the lake and then across a busy bridge. I know where I grew up it's more like 12 hours total (6 out and 6 back).
how many people are still walking around with dumb phones?
Quite a few. Some, like myself, don't walk around with any sort of phone.
Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
Chip-and-pin is no more secure than magswipes, it contains the same data and can often broadcast the data a 100m around you through RFID activation.
You're mistaken about a few points. First, these cards use near-field communication technology, not RFID, and are readable at a distance of less than a few centimeters. Second, the card doesn't re-broadcast your credit card number. It uses on-card encryption to respond to queries without ever giving away the private key. And third, each transaction has a unique code generated by the card itself, so replay attacks are not possible. This makes things like ATM skimmers much less practical for these types of cards, as the cards are difficult to reproduce with only externally-available data.
You should really read up a bit on the technology to see how things really work. Chip-and-PIN is definitely more secure than the old magnetic strips we use here.
Irony: Agile development has too much inertia to be abandoned now.
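The two claims in the reply above (the card's secret never leaves the card, and every transaction carries a unique code so a recorded response cannot be replayed) are easiest to see next to the static magstripe they replace. Below is an added toy model written for this page; it is not the thread's code and not the real EMV cryptogram format. It assumes a symmetric key shared between card and issuer, a MAC over amount, currency, the card's transaction counter and a terminal nonce, and constructed sample values (the PAN is the usual 4111... test number). Real EMV derives per-card keys from an issuer master key and has a defined ARQC layout, which this does not reproduce.

```python
"""Added example (not from the thread, and not the real EMV format): why a
chip card is not "the same data as the magstripe". The chip keeps a key
that never leaves the card and answers each transaction with a MAC over
the transaction details plus a counter; the issuer checks the MAC and
rejects any counter it has already seen, so a recorded response cannot be
replayed, while static magstripe track data can. Layout, key and sample
values are constructed for illustration."""
import hashlib
import hmac
import struct


def _auth_data(amount_cents, currency, atc, terminal_nonce):
    # Fixed-width encoding of what the MAC covers (constructed layout).
    return (struct.pack(">Q", amount_cents) + currency.encode("ascii")
            + struct.pack(">I", atc) + terminal_nonce)


class ChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key  # never exported by any method
        self._atc = 0    # application transaction counter, increments per use

    def generate_cryptogram(self, amount_cents, currency, terminal_nonce):
        self._atc += 1
        mac = hmac.new(self._key,
                       _auth_data(amount_cents, currency, self._atc, terminal_nonce),
                       hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "currency": currency,
                "atc": self._atc, "nonce": terminal_nonce, "mac": mac}


class MagstripeCard:
    def __init__(self, pan, expiry):
        self.track = f"{pan}={expiry}"  # static; identical on every swipe

    def read_track(self):
        return self.track


class Issuer:
    def __init__(self):
        self._keys = {}      # pan -> key shared with the chip
        self._last_atc = {}  # pan -> highest counter accepted so far
        self._pans = set()   # magstripe cards on file

    def enroll_chip(self, pan, key):
        self._keys[pan] = key

    def enroll_magstripe(self, pan):
        self._pans.add(pan)

    def verify_magstripe(self, track):
        # Nothing in the track is fresh, so a copy is indistinguishable from the card.
        pan = track.split("=")[0]
        return "APPROVED" if pan in self._pans else "UNKNOWN_CARD"

    def verify_cryptogram(self, msg):
        key = self._keys.get(msg["pan"])
        if key is None:
            return "UNKNOWN_CARD"
        expected = hmac.new(key,
                            _auth_data(msg["amount"], msg["currency"], msg["atc"], msg["nonce"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["mac"]):
            return "BAD_MAC"   # amount tampered with, or forged without the key
        if msg["atc"] <= self._last_atc.get(msg["pan"], 0):
            return "REPLAY"    # this counter value was already accepted
        self._last_atc[msg["pan"]] = msg["atc"]
        return "APPROVED"
```

The interesting cases are the negative ones: re-submitting a captured chip response is refused as a replay, changing the amount breaks the MAC, and a message built from everything an eavesdropper could see (PAN, counter, nonce) but without the key is also refused, whereas a copied magstripe track is accepted as often as it is presented.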
So what happens if you order over the web or phone? I'm guessing the front door looks like a bank vault and the back door is a flimsy screen door as always.
To really be secure, the card should be usable with a small terminal to sign web transactions.
...with no PIN required. Clerks didn't bat an eye, so it must not have come across as suspicious or unusual.
That's because you can disable PIN authentication at your bank (or require it only above a certain amount), so normal (modern) card users can choose that path as well.
I'm not sure why you would want to do that unless you get paid without doing work, however.
You're right. It is worse. With a magstripe, the cost of fraud often gets eaten by the credit card company. With crypto chips, the cost always gets eaten by the vendor because of the presumption that the system is secure. Unfortunately, that couldn't be farther from the truth. The reality is that these days, most credit card fraud doesn't involve people visually reading the number off the card. It involves cracked card readers. The crypto chips are just as vulnerable as anything else to those sorts of attacks.
Specifically, there's nothing preventing the reader from authorizing more than one transaction at a time. One could easily come up with a scheme where a bunch of cracked readers communicate with one other over a darknet, and when the botmaster inserts a card with a particular chip, the readers randomly choose a victim card and use it to pay for that transaction instead. Short of proving where the code came from, you'd never be able to catch the criminals responsible, in practice.
Also, I think that the chip's communication probably includes the card number, expiration date, and CVV information, which means that an 0wn3d card reader can provide that information to someone for making purchases online (where chips aren't really supported). Then, they could simply have something delivered to someone who is unlikely to be home at the time, wait for it to be delivered, drive by, and pick up the package. This sort of fraud happens all the time, and in fact is probably the most common form of credit card fraud, yet the chip-and-pin systems (as far as I know) do nothing to prevent it.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I suppose, any sort of credit card scam can be linked that way. The credit system was introduced primarily to help people set up their business. Now it is a business in itself. Good Job Loan Sharks.
You're right. It is worse. With a magstripe, the cost of fraud often gets eaten by the credit card company. With crypto chips, the cost always gets eaten by the vendor because of the presumption that the system is secure.
That's a policy issue, not a technical issue. It's also short lived, very soon all fraud on the magstripe will be eaten by the vendor as incentive to migrate to the chip. If the vendor has a cracked crypto chip reader, well, it's their responsibility to prevent that.
Safekey, 3DSecure, etc have some potential to make peoples systems less secure
FTFY.
If they make the system so much more secure, why do I have to allow cross site scripting for them to work?
Why do I have to enable javascript for them to work?
I changed my credit card provider because I could NEVER get it to work properly. It still sends me to the "XSS attack page" so I have to click "unsafe reload" but I don't have to provide a password or DoB.
With my old provider I would get a message saying that the transaction hadn't worked. Try again. Try again. Discover that I've been charged multiple times.
Last week I was buying theatre tickets. This time it told me that it had failed; however, the merchant site was showing the tickets as bought. So I called them up. "Yes, it's all gone through fine." A few days later I get an email saying "Your payment hasn't gone through". Fortunately they held my tickets to let me pay again (over the phone, which always works).
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
To really be secure, the card should be usable with a small terminal to sign web transactions.
They added this functionality - it works on all my cards. But only Barclays online banking seems to use it (at least of my cards).
I believe the sticking point is that people don't want to walk around with the card reader device. I can understand it, but I do think it's a shame that you cannot voluntarily use it for online purchases instead of all the error-ridden javascript XSS that you have to work through instead, which has the "enhanced security" of requiring you to know your DoB.
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
When you put these numbers in perspective with what is legally stolen from us, it looks ridiculous.
Article says "carded consumer goods from America to Eastern Europe — primarily Russia".
I don't think that Putin would like Russia to be seen as part of Europe. Look at the fuss that he made when Ukraine was getting too close to Europe.
You know... I've been carrying cash for years and not had a problem. I do have a high value credit card and a debit card and I do usually use those as the former is automatically paid every month and I think they give me some sort of rewards but it gets me much better service than normal and different hotel rooms and the likes. It's a long story but, suffice to say, it's a decent card.
Anyhow, I'm currently on the road - gallivanting or appeasing my wanderlust. I am doing something I do every couple of years, which is just grab a car, no destination, and no real return time expected, and drive. I go to a new state, hop off the interstate at an interesting exit, and drive until I am bored. Sometimes I sleep in the car but I often get a hotel room. I even leave the country, though I probably won't be this time for reasons which should become clear.
Either way, I always carry cash. In fact, I was unable to stock up on the Friday before I left and had to wait until Monday to get enough cash at my credit union. They did ask me to come back later in the day but I declined. I was on a mission. I keep a stack of cash in my pocket at all times - especially when traveling in 'seedy areas.' I make sure to absolutely carry a stack of cash in my pocket when traveling south of the border. I keep a variety of cash in each and every one of my pockets - including the fifth pocket. Each pocket has a different value and different denominations for reasons that should be obvious.
In fact, to be technical, I probably have a sum greater than many people's life savings (ha! implying Americans have savings) in my hotel room and no - I'm not a drug dealer. In fact, it fits nicely in my gun safe. And no, while I can legally carry my gun I very seldom do. It stays in its safe and goes into hotel rooms with me.
I've been mugged. I've had shit stolen. I've had to pay my 'documentation' fees at a variety of borders. I've even lost large amounts of cash when I used to drink (today's my third year of not drinking - it sucks but I do spend a lot less money).
Hell, at one point I was just coming across the Everglades - I don't know the town's name but it's the smaller highway with lots of alligators on it - and coming into the Dade County area. I was mugged there and the thief probably would have done some damage had I not had cash - they were pretty sketched out. I talked to them politely and calmly and gave him my wallet - I took my ID out of it as that's in a separate compartment and took the hidden cash out of that and gave that to him as well. I kept my ID and cards.
He had started the "conversation" with something like, "You'd better not have credit cards too or I'm going to kill you." I'm inclined to believe I was not his first victim of the night. He handed me the wallet back after taking my money. At one point he was acting sketchy so I told him to "calm the fuck down, you're acting stupid and going to get caught." The process was politely concluded after what felt like a couple of minutes but was probably less than one.
The thing is, it was a little Jennings .22 and given the misalignment of the slide I don't think it was put together properly so it probably wouldn't have fired. However, he was a mighty big man and I am not a stupid man. He'd have done some serious damage to me. As an aside, it's kind of ridiculous to see a giant man holding a tiny pistol.
Anyhow, I carry cash and prefer it. It has helped in many situations - such as the above. On this particular journey I have a larger amount than normal, but that's because I expect I'll buy a couple of cars and have them shipped back. This process is quickest and easiest if you have cash. When you encounter a "puesto de control policial" outside of a random village in southern Mexico you can rest assured they don't accept plastic. (Es no gusta Espanole, mi Espanole es muy mierda.)
So, to wrap up this novella - much longer than I expected - I don't see why people don't like cash. What the hell do you do when the power goes out or there's some sort of emergency?
"So long and thanks for all the fish."
I would have thought that a system of address verification between merchant and credit card issuer is the way to go. The merchant will only ship to addresses approved by the card holder via their card issuer. Then merchants won't ship to a random re-shipper address unless it's approved by the card holder. However, we already have AVS, which is a great start, and I'm surprised that any merchants are willing to take the hit of not doing it. All e-commerce systems I've worked on used AVS to verify shipping location, at least for the first few purchases for an account.
Then you go without. Just like a non-driver needn't worry about additional driving license regulations.
Way back in the early 2000s a magazine called eWeek had an article about a different schema. It was a dongle, a PIN, and a hashed value of certain aspects of your thumbprint. Something you have, something you know, and who you are. I thought it was probably a pretty good idea. I generally assume any such transaction is unsafe and act accordingly to minimize my personal risks, but that's just me. It would be kind of neat to see something like the above tied into a cell phone.
As for you not carrying a phone, I am not sure why you think that matters. What in the name of hell makes you think you're entitled to access something you'd not use or why would you try to prevent progress because you're unwilling to adapt to a new payment method? It's not like it is going to impact your ability to buy goods. You just won't be able to buy them in the way that you profess to not want to buy them in the first place. Did you whinge when vendors started taking credit cards? If they don't accept your method of payment then move along. You'll be alright.
"So long and thanks for all the fish."
And I misread your post. *sighs*
My bad. My sincere apologies. I will say three hail RMS' and donate to EFF immediately. I blame lack of coffee - I'm out in my room and the lobby hasn't made any yet.
"So long and thanks for all the fish."
And third, each transaction has a unique code generated by the card itself for each transaction, so replay attacks are not possible.
Well, almost. If correctly implemented. Unfortunately, the security depends on an 'unpredictable number', which in a lot of devices is a simple incrementing counter, so if you can do one transaction with your real card and intercept the signals (you can buy off-the-shelf things that look like a credit card and contain a couple of extra chips for this) then you can predict it for the next transaction and bypass much of the security. Oh, and the fact that the bank authenticates the card but the card doesn't authenticate the bank also makes some MITM attacks possible. Much more secure than a mag stripe, but still quite flawed. I found it particularly entertaining that the USA waited until a load of the flaws were published before deciding to adopt the system.
I am TheRaven on Soylent News
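The post above hinges on the terminal's Unpredictable Number (EMV tag 9F37) actually being unpredictable. Below is an added example, not code from the thread or from any EMV vendor, of the audit an acquirer or terminal vendor could run over a sample of logged UNs to flag counter-like generators; the two UN logs are constructed for the example.

```python
"""Audit a terminal's EMV Unpredictable Numbers (tag 9F37) for predictability.

Added example, not code from the thread or from any EMV vendor. EMV terminals
contribute a 4-byte Unpredictable Number to each transaction cryptogram; if a
terminal really emits a counter, a value seen once lets the next be guessed.
The two UN logs below are constructed for this example.
"""
import hashlib
from typing import Dict, List


def parse_uns(hex_values: List[str]) -> List[int]:
    """Parse 4-byte UNs given as 8 hex digits into integers; reject malformed ones."""
    uns = []
    for h in hex_values:
        if len(h) != 8:
            raise ValueError(f"UN must be 8 hex digits, got {h!r}")
        uns.append(int(h, 16))
    return uns


def sequential_fraction(uns: List[int], max_step: int = 16) -> float:
    """Fraction of consecutive pairs whose delta is a small positive step (mod 2**32)."""
    if len(uns) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(uns, uns[1:]) if 0 < (b - a) % (1 << 32) <= max_step)
    return hits / (len(uns) - 1)


def stuck_byte_positions(uns: List[int]) -> int:
    """Number of the four byte positions that never change across the sample."""
    stuck = 0
    for shift in (24, 16, 8, 0):
        column = {(u >> shift) & 0xFF for u in uns}
        if len(column) == 1:
            stuck += 1
    return stuck


def audit_uns(hex_values: List[str], min_samples: int = 8) -> Dict[str, object]:
    """Return 'predictable' if the UNs look like a counter or have frozen bytes,
    'insufficient' if there are too few samples to judge, otherwise 'ok'."""
    uns = parse_uns(hex_values)
    if len(uns) < min_samples:
        return {"verdict": "insufficient", "samples": len(uns)}
    seq = sequential_fraction(uns)
    stuck = stuck_byte_positions(uns)
    distinct = len(set(uns))
    predictable = seq >= 0.8 or stuck >= 2 or distinct < len(uns)
    return {
        "verdict": "predictable" if predictable else "ok",
        "samples": len(uns),
        "sequential_fraction": round(seq, 2),
        "stuck_bytes": stuck,
        "distinct": distinct,
    }


# Constructed log 1: a terminal that just increments a counter.
COUNTER_TERMINAL = [f"{0x1A + i:08X}" for i in range(8)]

# Constructed log 2: SHA-256 output stands in for a terminal with a real RNG.
RANDOM_TERMINAL = [hashlib.sha256(f"emv-un-{i}".encode()).hexdigest()[:8].upper()
                   for i in range(8)]

if __name__ == "__main__":
    for name, log in (("counter", COUNTER_TERMINAL), ("random", RANDOM_TERMINAL)):
        print(name, audit_uns(log))
```

The thresholds are deliberately loose; a terminal that trips them warrants a closer look at its RNG, not an automatic pass or fail.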
Was your Pa raped by a European or something? Regardless, your knowledge of Europe seems to be based on European Vacation. It's not helping you seem at all knowledgeable.
Um, samzenpus, Russia is part of Asia you dipshit. God, you have got to be the stupidest motherfucker ever to be given an editor title at Slashdot.
You're exactly right, but the CC companies have little interest in ending fraud. Instead, they just pass along the costs. Think about it: it's actually kind of shocking that the credit cards collect a percentage of gross, i.e., the full purchase price on every transaction. In terms of processing, it doesn't matter if a transaction is for $5 or $500. This more than covers the costs of fraud, and the charge is ultimately passed on to the consumer.
Meanwhile, they impose very strict security requirements on the merchants, make the merchants pay not only the standard fees, but also transaction fees, the cost of the terminals (from certified providers, who pay fees), fees for required quarterly network security scans, etc, etc... Always another fee - and it all winds up in the price tag of the products.
In truth, Mastercard and Visa essentially hold a monopoly. They don't compete with each other, because all of the big banks are involved with both. If Google gets investigated over and over for anticompetitive practices, why do we never see an investigation by MC/Visa? It's long overdue...
Enjoy life! This is not a dress rehearsal.
You could have read TFA to find out, but apparently that's too much to ask.
"One could easily come up with a scheme where a bunch of cracked readers communicate with one other over a darknet, and when the botmaster inserts a card with a particular chip, the readers randomly choose a victim card and use it to pay for that transaction instead."
Sure, or you could beat them with a hammer until they give you the PIN code. Copying the magstripe is super easy; chip / PIN actually works really well. Sure, if you give your card to someone they can just copy the number and "security" number and use it online or whatever; that, however, is still harder than just writing the same stripe to a blank magstripe and then going on a shopping spree.
After all, is it illegal, if the prosecutor will not charge the criminal? I have heard of many of the reshippers going to jail on arrest. But I have never heard of one getting jail time of more than a year for doing it. Felonies go to jail for 30 days. Murderers go to jail to be bonded out and never prosecuted. Credit card stealers get a slap on the wrist, and I bet if I got caught jaywalking it would be a year in jail. So it must not be illegal.
Foreigners taking all the good American jobs. We used to dominate the Organized Crime sector of the economy, but now the real crime innovations aren't coming from the New York regional crime labs of the old days (AKA "Sicilian Valley").
We've lost our edge.
Pretending this is my office full of bitter coworkers..
> What the hell do you do when the power goes out or there's some sort of emergency?
Hasn't happened yet, so why would people worry about it?
Happens where I live every year - multiple times a year.
"So long and thanks for all the fish."
Are you a stay-at-home mom making $3,000 per month working 2h a day, like in the ads?
I wish. I'm a stay-at-home slacker making omelettes and excuses.
Just cruising through this digital world at 33 1/3 rpm...
TPM etc.: your secure bits are not on the phone but rather in a simple stable module with a well-defined access method. The TPM is only one part; you still need a PIN, and if you're really worried about it your PINs can be one-time. It's pretty trivial to print out a few pages of business cards and mail them to you; cross off a PIN as you use them in order. So yeah, if you pwn the phone you could get access to have the TPM sign a transaction and a PIN that was entered. If you're that worried about it, a stand-alone device that is a TPM chip, NFC, a small screen and keypad, much like a cheap solar calculator, could be made by many vendors and associated with one or more accounts.
No sir I dont like it.
Have you tried buying a gift card with a credit card? ... if you try it at a grocery store, they'll deny the purchase.
Yes, I do it all the time, and no it doesn't get denied. The only catch is that if I buy one and put enough money onto it, the POS terminal asks for my DL# for verification.
So I don't know where you got your information from, but it's flat out wrong.
http://cylan.deviantart.com/gallery/
The credit card companies should ask people if they want to lock down their credit cards so that they can't be used to purchase items being shipped to addresses different than their billing addresses without their ok.
Given the description, it sounds like they're ripe for some additional regulation.
While I don't disagree, it should be noted that one of the reasons companies don't ship internationally is to preserve their local distribution models. From Australia it's often impossible to buy certain big brands (IIRC, things like North Face) from places like Amazon - they have local distribution locked down so they can control the price points globally (Moosejaw have a list of some of these brands).
As a result, reshippers became quite popular in Australia. So much so, that our national postal service actually created a dedicated reshipping agency called ShopMate!
If you get fraud on your card FDIC should pay you 3 times the amount for your trouble.
Want to see it all go away very fast.
So carry cash? Making a small stand-alone device that's a TPM (crypto processor, whatever) chip, an NFC controller, small keypad and LCD display to act as one or more CCs is pretty trivial. Hell, you can get a fingerprint reader into that form factor.
NFC and similar removes the form factor of having something that has to swipe or plug in. There are a plethora of authentication protocols to provide a second factor that does not matter if it's compromised and do not require it be sourced from your bank. Maybe you like an NFC watch or want something in a traditional CC form factor. Maybe I use NFC on my phone, a one-time PIN from a printed card in my wallet (that is generated and authenticated by a server I own or a 3rd party besides my bank), a PIN, and I have to approve the amount on my phone. The point is to have a framework that allows varying levels of security and devices.
Online, I like what some European (probably elsewhere as well) banks have: one-time CC numbers for online transactions. Want to be secure? You generate a one-time CC number and use it; it's limited to the amount you specify and/or a specific number of transactions. Can also do recurring transactions limited to how many times a month and for how much.
At the end of the day you cannot make a system that is impossible to steal from. You can make it hard and you can limit the exposure.
No sir I dont like it.
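The one-time and recurring card numbers the post describes come down to a small set of authorization rules at the issuer. The model below is an added example, not any bank's implementation: it ties a virtual number to a per-charge cap, a use count, an optional per-month allowance, and the first merchant that uses it, so a leaked number is worth little. Card tokens, merchants and amounts are constructed.

```python
"""Model of issuer-side rules for one-time / limited virtual card numbers.

Added example, not any bank's implementation. Tokens, merchants and amounts are
constructed; 'token' stands in for the issued card number.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class VirtualCard:
    token: str                      # stand-in for the issued card number (constructed)
    cap_cents: int                  # maximum amount per authorization
    max_uses: int                   # total authorizations allowed (0 = unlimited)
    per_month: int = 0              # authorizations allowed per calendar month (0 = unlimited)
    merchant: Optional[str] = None  # locked to the first merchant that uses it
    uses: int = 0
    month_uses: Dict[str, int] = field(default_factory=dict)
    frozen: bool = False


def authorize(card: VirtualCard, merchant: str, amount_cents: int, on: date) -> Tuple[bool, str]:
    """Apply the card's constraints to one authorization request.

    A use is consumed only on approval; every denial carries its reason so the
    issuer can log it and alert the card holder."""
    if card.frozen:
        return False, "card frozen"
    if amount_cents <= 0 or amount_cents > card.cap_cents:
        return False, "amount exceeds cap"
    if card.merchant is not None and merchant != card.merchant:
        # The number turned up at a different merchant: refuse and freeze it.
        card.frozen = True
        return False, "merchant mismatch; card frozen"
    if card.max_uses and card.uses >= card.max_uses:
        return False, "use count exhausted"
    ym = on.strftime("%Y-%m")
    if card.per_month and card.month_uses.get(ym, 0) >= card.per_month:
        return False, "monthly limit reached"
    card.merchant = card.merchant or merchant
    card.uses += 1
    card.month_uses[ym] = card.month_uses.get(ym, 0) + 1
    return True, "approved"


def one_time_card(token: str, cap_cents: int) -> VirtualCard:
    """A number good for exactly one charge of at most cap_cents."""
    return VirtualCard(token=token, cap_cents=cap_cents, max_uses=1)


def recurring_card(token: str, cap_cents: int, per_month: int) -> VirtualCard:
    """A subscription number: per_month charges per calendar month, each at most cap_cents."""
    return VirtualCard(token=token, cap_cents=cap_cents, max_uses=0, per_month=per_month)


def demo() -> List[Tuple[bool, str]]:
    """Walk through the scenarios from the post; returns the decision log."""
    log = []
    ot = one_time_card("VCN-0001", 5000)
    log.append(authorize(ot, "shop-a", 4200, date(2015, 11, 2)))
    log.append(authorize(ot, "shop-a", 100, date(2015, 11, 3)))        # second use refused
    rc = recurring_card("VCN-0002", 1500, 1)
    log.append(authorize(rc, "stream-svc", 1499, date(2015, 11, 5)))
    log.append(authorize(rc, "stream-svc", 1499, date(2015, 11, 20)))  # same month refused
    log.append(authorize(rc, "stream-svc", 1499, date(2015, 12, 5)))
    log.append(authorize(rc, "other-shop", 900, date(2015, 12, 6)))    # number leaked elsewhere
    return log


if __name__ == "__main__":
    for approved, reason in demo():
        print("APPROVED" if approved else "DENIED  ", reason)
```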
I think you whooshed. I mean you are talking to someone on your plain old telephone circa 1970 and read your card details off to pay for something. No TPM, no chip, just like the insecure old days. If that goes through, then none of the new measures matter much in the long run, they just shift the problem a bit.
I'll try to be brief in response. For starters, I do carry cash, not much mind you. When I travel internationally, especially outside of major cities or in smaller / less developed countries, then I carry more cash. Because you are right, there are all sorts of situations that can arise, especially traveling, where cash.
But I *only* use cash for those situations. If I used cash more then I'd need to carry a lot more cash. Because if I want to have a couple hundred on me for unexpected situations then I need to either stop in at the bank multiple times every day to top up, or start the week with $1000s on me. Neither appeals to me.
How the hell do you buy drugs without cash?
I don't.
You can't throw a credit card (though I've carried gift cards for reasons such as this) into a busker's guitar case.
The average busker, even the above average busker doesn't entertain me. But yes, there are a few places where the street performers are worth it.
In many jurisdictions you can't bail yourself out with a credit (or debit) card but have to have a third party come do it for you which is quite a process.
This has never come up. And I'm skeptical that having some cash on me, and more in my hotel room would save the day.
You can't throw a credit card into a panhandler's cup.
I don't think supporting panhandlers that way achieves anything but to create professional panhandlers. My acts of charity are directed elsewhere.
At the end of the day I've lost more money by having cash on me than I've ever lost to fraud. I don't want to carry more cash than I do. (And to your points, I wouldn't want to carry less either.)
I live in Russia and I think that this information is not completely true. Please note that $1.8 billion is a lot of money. What I can see here is that this service is not offered to the general public. It is not advertised; I knew nothing about it before reading this article.
That means that the situation when many Americans are constantly sending things to many Russians is very improbable. What are the alternatives?
They can send these goods to a few companies or persons which later resell them in Russia. But here comes the Russian customs service that tracks packages from abroad. And in this case it is technically difficult to bribe them, because there is no single customs officer who is responsible for all those packages.
Thus, two possible scenarios, when many people send packages to many people and when many send to few are improbable (however not impossible).
There is no exception. Your chip still contains (in most cases in the US) the plain text version of your card information just in case you need to do a transaction when the system is offline (read and weep https://en.wikipedia.org/wiki/...).
I know because I have a chip reader for POS testing and I can often get the plain text information from both the mag swipe and the chip. The only difference with the chip is who gets to hold the responsibility in case it does get compromised.
Custom electronics and digital signage for your business: www.evcircuits.com
Wrong, that is one of the capabilities of these chips, but often, for convenience's sake, the chip still contains the same information as the mag swipe in plain text. I have a chip card on which I blocked non-encrypted transactions, and the chip on the card simply doesn't work at any Wal-Mart stores (it does at other stores); eventually (after 3 tries chipping) the system will give in and allow me to swipe it.
Custom electronics and digital signage for your business: www.evcircuits.com
They wouldn't really need to carry the device around, they could just connect it to their PC (USB would be more than fast enough) for ordering over the web.
That's better. I was under the impression that cash was for "chumps" as you'd said, so I figured you mustn't be a chump and thus wouldn't carry any. I mean, nobody is willingly a chump if they can control it.
Personally, I've got a couple of "nice" (read damned expensive) credit cards that I don't actually bother using. I carry a few debit cards, I typically use those. I keep them linked to special accounts with limited amounts of money in them. I have shared banking with my credit union and can just go where I want and use any other branch that's in the same program - which is many/most of them from what I've seen.
I love cash. It's simple. It's effective. I tend to always have some on-hand and keep some stored about my body. I guess that's partially due to a number of unique experiences that I've had or might have had.
"So long and thanks for all the fish."
Heh, well, unlike you I still don't advocate actually USING cash. For me, it's the lowest common denominator. I carry some because sometimes you do need the lowest common denominator; but given the choice to use cash vs credit I'll practically always choose credit.
I'm not sure I follow why you use debit cards instead of credit cards. The protection afforded you in terms of fraud protection, dispute resolution etc is far more favorable to the card holder with credit than with debit.
It stops me from spending more than I should. It's a checks and balances thing. I tend to forget how much I spend, more so since selling my business and retiring. I've had some very interesting monthly credit card statements.
"So long and thanks for all the fish."
Automatic approval was only for small amounts, usually $25 or less. I didn't care because I'm covered by the bank anyway. We are moving to Chip and PIN now so it's moot; I just got mine in the mail yesterday.
Good-bye
See subject + this link http://slashdot.org/comments.p...
Just a point of fact: the above is 100% false. The EMV transaction includes some info, but less than the full magstripe, so it cannot be used to make a "Target" style fake magstripe card. This is why all the Target style breaches have been in the pre-EMV USA.
> What the hell do you do when the power goes out or there's some sort of emergency?
Hasn't happened yet, so why would people worry about it?
You mean like the Northeast Blackout of 2003?
Apocalypse Cancelled, Sorry, No Ticket Refunds
It's not that bad. In the US, I'm only liable for $50 from fraudulent credit card transactions, and the card companies waive that. (I don't know how it works with an Australian card, or in Australia, but that's not the normal case for US merchants.)
I check my credit card statements when they come, to find fraudulent transactions. If I report them, I'm fine. I don't have to pay, and it doesn't hurt my credit rating.
This means that I'm not paying for security problems, but rather some combination of merchant and credit card issuer. They set the security to what they think will make the most money for them. If they think they'll make more money just swiping for $50 transactions, that's their business. If they make more money asking for a signature, they will.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
In 1970 they were probably hanging up and calling into the CC company to get an auth. It was insecure.
No sir I dont like it.
The mag card info is not the secret, not even close.
No sir I dont like it.
The PHONE would be circa 1970 (no reader, no nothing, just voice), the transaction could be taking place this very moment and the chip in the card does nothing. That is, all that supposed extra security can be readily bypassed by a carder, and so it isn't really all that secure.
Checking ANIs has been a staple of call center security for a long time now. Dialback verification works rather well at stopping fraud. Overall that is leaving a lot more traces than a carder wants to. Simple SMS verification can lock down voice transactions pretty well; it's up to the banks to actually do it, and as long as the losses are on the business they have little incentive to fix it.
No sir I dont like it.
So they'll order by mail or the web.
You still seem unable/unwilling to understand that the chip and pin is totally worthless as a security measure for anything but a card present transaction.
You do that. Meanwhile, we don't use the mag strip in Australia, so I'll happily prevent my card from being compatible with the less secure USA methodology.
We certainly have a mag strip on our cards and it's to allow them to be used in countries that don't have chip and pin.
While the RFID doesn't duplicate the chip, it can provide enough information to an attacker to duplicate the mag strip and the info on the front of the card, so that they can send that overseas to an accomplice to write on a dummy card and shop for easily sold goods.
Australia is no liability, no ifs, no buts, unless you were negligent - negligent is defined as being similar to such things as telling people your PIN, or writing it down undisguised and storing it with your card.
So, how do I get a cut of this sweet action? Why do only foreigners be getting some?
You referring to the "Reshipping profits action", or the "black penis" action? ;-)
Well, don't you worry none, son. You go for one, you get the other "action" too, eventually.. no charge. They a package...
> What the hell do you do when the power goes out or there's some sort of emergency?
Hasn't happened yet, so why would people worry about it?
Wow. "hasn't happened yet, so why would people worry about it...". You read about numbnuts that really are that stupid, but you never expect to actually meet one...
You're missing my point. There have already been dozens of cases of folks breaking into point-of-sale terminals and compromising the card reader systems. Unlike hitting someone with a hammer, those compromises can happen A. mostly anonymously, and B. remotely from anywhere in the world. Once a communication endpoint (defined as a display terminal in the case of the customer endpoint) is compromised, no transactions made through that endpoint are trustworthy, period. And once you've compromised the terminals, there's nothing stopping them from turning any arbitrary chip-and-pin card into a master key that can be used to make purchases for free.
It doesn't matter that it is harder to crack a terminal than to add a skimmer, because people have already done the work. It's like DRM; once one person breaks the crypto, the movie is out there in the wild. Once one criminal organization cracks the POS terminals, it becomes trivial for anyone to access those systems by trading with someone who already has access. And it just becomes one giant silk road or whatever, but for credit card transaction abuse instead.
Check out my sci-fi/humor trilogy at PatriotsBooks.