Russian POS Pickpocket Generates New Interest In RFID-Blocking Wallets

An anonymous reader writes: A Facebook post depicting a man apparently stealing from commuters by tapping a POS reader against them unobserved on public transport caused a sensation on Facebook before being removed earlier today. The provenance of the photo is uncertain, but unnamed authorities have said that it was taken in Russia. Since this type of opportunistic street theft requires a merchant business account through which any transactions would be easily traceable, the question arises as to how such acts of fraud are being made profitable. Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security.

Russian POS?

A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.

RFID

[NotInHere]

who said this is a good idea the first place?

Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.

Re: RFID

That is the new standard coming to the us. All other countries that have it, say it is more secure. The change in law, made the business eat any other false charges. Not the credit card company. I expect to see fewer cards accepted by businesses as the false positives aggregate. After all, pay five ormore percent per transaction, and nothing for it? Or cash, check, with a 1% surcharge? Interesting. Or maybe a business could go back to a customer loyalty card, and start rewarding their customers instead of the banks.

Re:RFID

[AmiMoJo]

The story is bullshit.

Look at the photo in TFA. The item in the guys hand is clearly not what they think it is. It's a phone. The button colours and shape don't match the POS terminal depicted.

In any case, even if it was real, it would be a really, really dumb way to steal money. For the POS terminal to work, you have to have an account set up. That means vetting (okay, might be weak in Russia) and a paper trail. The money has to go into an account somewhere. That's why you don't see many "fallen off a lorry" scammers using POS terminals.

I have long known about this one

[EmperorOfCanada]

This attack is actually quite easy. The "Pickpocket" has one end of a transmitter not a POS system. The other end of the transmitter is waiting at cashier to make a payment. Effectively the system is fantastically dumb, just relaying the transaction requests back and fourth between the the checkout and the person's card.

The "getaway" is that they are leaving with the goods. If the store doesn't get paid, it doesn't matter.

This completely end runs the entire smart card encryption and every other security measure on the card. It is just a pair of repeaters that are extending the range of the card from 3cm to potentially miles.

I suspect that there are timeouts on the cards but if the repeaters don't induce much lag the speed of light should not add much. Still, depending on how generous these timeouts have been set, it may be possible to fire these signals through an LTE pair of phones giving the pickpockets an international range.

In theory a pickpocket could be having the signals relayed in a nice message queue fashion to a series of people waiting at automated checkouts. So the pickpocket could walk down a train while a small group of purchasers ring transaction after transaction through. Assuming a $100 limit per purchase not only could the pickpocket feed an easy 20 cards from a single train, but he could wait a few minutes before returning for a second pass down the train making it appear that the users were making a second purchase, and then a third and a fourth.

Doing the math that could net $2,000 per pass with maybe 3 possible passes before the pinless swipe limit were hit.

Then step out and do the next train car. Now we are looking at no less than $10,000 in goods per hour during rush hour.

This is assuming that it isn't one long train. If it is a train where you can walk the length of a crowded train it could potentially be 100 cards in a single run if the queuing system is properly organized.

When I first saw someone swipe a card without a pin this scheme popped into my head. I have just been waiting the years since for it to become public.

I suspect the fix won't be that easy because merely being less generous with the timeouts will probably exceed the capabilities of many cards and many machines, causing them to become unreliable.

Re:Whats the news?

You brought up something that's been troubling me: this increasing desire by business to make all too easy for paying without thought. They want people impulse buy. Apple is the biggest offender. In order to create an Apple ID on an IOS device you must give a payment method - you have to use a desktop system via the web to create an ID without a payment option. Why? They want people to impulse buy songs and apps.

Roku does the same thing "for your convenience". I had their customer no-service people waive that requirement after having to listen to their bullshit how it's for "my convenience". It's idiotic that I even have to create an account with them to use the fucking thing since the streaming goes direct to the content provider.

And of course, if there's a mistaken billing or fraudulent (many channels on Roku's service say they're free by when you click on them, a message pops up saying that they are charging me - it's a great thing I did not give them my payment information!!), good luck getting the money back.

And unlike cash when you lose it, you just lost that, these electronic payment systems allow for thieves to clear you out and it takes weeks to get your money back or in the case of a credit card, you will find yourself SOL in case you're traveling.

Until the financial services industry cleans up it's act, these types of payment systems shouldn't be allowed or forced on us.

Can we find another term for "POS"?

[mykepredko]

When I first read the headline it was "Russian Piece of Shit Pickpocket Generates Interest in RFID-Blocking Wallets"

I know it's "Point of Sale", but too many years of experience with the other version of the acronym has conditioned me to read it a certain way with often, as in this case, coming up with a different interpretation of a statement.