Secret Service Warns of Chip Card Scheme

Brian Krebs reports of a new scheme where new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports: The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.

PIN

[zm]

Use it.

Re:PIN

[HelpTheNewOverlord]

Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?

Re: PIN

Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?

Yes, in the US you can always sign for the transaction.

But all such transactions are covered by zero liability waivers from the banks.

It take some time, but the banks will return all your money.

This whole article is just stupid.

Re: PIN

[AvitarX]

The summary implies they are using debit cards to get cash.

Re:PIN

PINs only hurt consumers since banks assume if the correct PIN was entered that you are at fault. I worked for a grocery store chain with well over a thousand locations that saved them. I even got hit myself with someone that used a cloned magstripe at Fry's with my PIN. I ended-up having to pay the >$800 anyway after my bank threatened to sue me..

Re:PIN

[Richard_at_work]

If they can intercept the card, and send it on to you without you suspecting anything, they can probably intercept the PIN and do the same to that.

Re:PIN

[glitch!]

Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?

I have a debit/atm card from my bank. The ATM requires the PIN, but I just used it with a merchant and they did not take a PIN, but a signature on a receipt. So your answer is "yes", at least for merchants.

Re: PIN

> It take some time

Which is why you should never have a debit card. The law protects credit card holders. Bank policies protect debit card holders.

Re:PIN

[mark-t]

How would they do that, exactly, when you set your own pin at the bank branch?

Re:PIN

[Richard_at_work]

I wasn't aware that you do that in the US - in the UK, you get sent an initial PIN in the post, separately to your card, and you can change it at any ATM. If the card is a replacement to one issued previously, it continues to work with the old cards PIN and you do not get sent a new one.

Re: PIN

The summary implies they are using debit cards to get cash.

Hence the stupidity of this article. No such thing is happening.

Re: PIN

How would they do that, exactly, when you set your own pin at the bank branch?

By telling the bank that you forgot your pin and asking them to mail you a new one? I hope you aren't a brain surgeon.

Re: PIN

[Known+Nutter]

The summary implies they are using debit cards to get cash.

The summary says that they are "draining accounts". I know of know way to access cash with a debit card without a PIN. Presumably, the actors are using the debit cards/chips to make purchases processed as credit, which requires (typically) no PIN.

Indeed, the article makes no mention of cash.

Re: PIN

[Known+Nutter]

Fucked up the quote tags and know/no mistake. I'm tired... sorry. :(

Preview is a hell of a drug.

Re: PIN

[mark-t]

The bank won't mail you a PIN. In my experience, you have to go into a branch and set up your PIN at least once. After that, any replacement card they send will use the same PIN until you go to a branch and change it.

Re: PIN

[AvitarX]

Yeah, which makes me wonder, why aren't they targeting credit cards.

It seems way easier (there'd never be a question of using a pin), and I wouldn't call using a credit card draining an account.

Guess i should rtfa.

Re: PIN

Okay genius, where do we put our actual cash then? Under the pillow?

All checking accounts in the US come with a debit card no matter how much you say no it's part of the package.

Also, debit cards are made at the local bank branch. Just get your card/replacement in person and this "attack" becomes impossible.

Re: PIN

[evil_aaronm]

Okay genius, where do we put our actual cash then? Under the pillow?

I make all deposits to / write checks from my checking account, and never use my debit card. Except for the odd cash purchase, all other purchases - online and in person - I use my credit card. At the end of each month, I pay the credit card from my checking account. The only drawback I've encountered so far is if I have to cancel my credit card because it's been compromised. I'm stuck until the new one arrives. I'm going to get a second one as a backup, but it hasn't been a pressing priority so far.

Re: PIN

The bank won't mail you a PIN. In my experience, you have to go into a branch and set up your PIN at least once. After that, any replacement card they send will use the same PIN until you go to a branch and change it.

Your experience is strange. Every bank I've ever had accounts with in the US sends your PIN via mail. In a special envelope with markings to stop it being visible against the light. And on a different day and different carrier, eg UPS or fedex, to the original card.

All US banks do this. Which are you suggesting don't?

Re: PIN

[mark-t]

Well, I'm not in the USA for one... I live in Canada. Although I wouldn't have expected US banks to be very different in that regard. Both the Toronto Dominion bank and Royal Bank of Canada require the customer to set up their PIN in a branch before they can use their card for the first time. After that, any replacement card they send will be on the same PIN until you go and change it. I think you can change your PIN anytime you want at the bank ATM's as well, but setting it up for the first time definitely requires seeing a teller. I would expect that the policy for resetting a forgotten PIN would be similar.

Re: PIN

If your Debit Card has a Major Credit agency Logo (VISA MasterCard) on it, it has the exact same protections. And often more. As the Bank will have it's own standard $50 liability and then the Credit agency will have their liability which reduces yours to zero.

Re: PIN

[TheRaven64]

All UK banks that I'm familiar with mail you out the initial PIN (on a weird sticker thing that's meant to make it impossible to read by shining a bright light through the envelope) and then suggest that you change it at an ATM.

Re:PIN

[mjwx]

Is it possible to have a debit card without pin? What for? Just to avoid having to press 4 to 8 buttons and confirm?

Yes, there are two methods.

1. the numbers on the front of the card allow you to make transactions online without even using the PIN.
2. Contactless payments under £ do not require a PIN.

PINs are not great security when they aren't required. This is why we need to have two factor authentication but banks will never permit that as we'd all go back to using cash (which they cant skim a percentage off the top of).

Re: PIN

[SQLGuru]

I've had the option. I could set it myself or I could have them send me one. And of course, even if sent one, you can always go in and change it (sometimes you can even change it via the phone, but I would go it).

Even back in the early 90s, I was doing a co-op in California and opened an account with Wells Fargo. I got to set my own pin, so I had set it to a 10 digit number. It was super secure, but it made it a pain to use it out in public because most terminals expect a four digit pin.

Re:PIN

[pauljlucas]

Which is why I always use a credit card. Aside from the interest-free loan (since I always pay it in full), my liability is limited to $50. The one time when an old card was used for a fraudulent transaction, I actually paid nothing.

Re: PIN

What bank do you use that does? My local credit union requires me to go to a branch to change PINs for my debit card, and I had to set one when I set the account up originally. My credit cards, I don't typically have PINs set for liability reasons, but I could have sworn I did set one up once over the phone when I activated the card. Last time I had a PIN mailed to me was something like 2000.

Re: PIN

[GrumpySteen]

And how does you not using your present card prevent someone from intercepting a new card sent to you in the mail when your card expires?

You're as vulnerable to the scam described here as everyone else.

Re:PIN

The request for a PIN that you get in e.g. grocery stores in the US with a debit card are not based on the "Chip and Pin" technology commonly used in Europe, but rather the merchant effectively behaving as an ATM to withdraw money from your account.

If you buy from a merchant that doesn't have that capability, you're using credit card-style mechanisms, whether it be the old magnetic-stripe based way or the new "Chip and Sign" thing that US banks adopted (instead of Chip and Pin) to avoid upsetting small businesses.

Re: PIN

[e3m4n]

i havent had a PIN mailed to me in a very long time. I used to have that happen, only when I opened a new bank account and they had to assign a PIN. Once I went in and had my PIN changed to something else, every subsequent card always had the PIN I set up ahead of time.

With my Paypal card I set the PIN from my paypal account. The same with my MyVanilla card of pre-paid funds (I tend to load money on a prepaid card when I am vacationing out of state so if my card gets cloned the damage is limited).

Re:PIN

[Archangel+Michael]

If you make the merchants and banks liable for the fraud against their customers, then things will change. Things will not change until this happens. End Of Line

Re:PIN

[e3m4n]

yes, in the US, when your at a POS terminal (point of sale, not piece of shit), you're given 2 options Debit and Credit. Debit really means ATM at which time you have to use a PIN number, and any sort of cash-back is forfeit. Credit technically is what they used to call 'debit' in which its using Visa or MasterCard clearing houses to withdraw your cash and earns your 1 - 2% cash back, no PIN required. They used to compare the signature on the back of your card to your signed slip, but that doesnt work now that they give us plastic crayons to mark up a not-so-well-working touchpad titled at almost 90% to the floor.

Re: PIN

[e3m4n]

they are using the cards with chips to buy merchandise that they can then sell for cash AND/OR making purchases that eventually find their way into some other account. They aren't pulling physical cash from your account, but it gets drained nonetheless.

Re: PIN

[e3m4n]

the confusion is defining a 'Debit' card....

when they first came out they were called 'check cards'

there are two networks at play...

1) bank gateway services like Quest and Star, in which you use a PIN number at an ATM or POS terminal to conclude a transaction. This is using your Debit card like an ATM card

2) then there are the network services for Visa and Mastercard. This is using your Debit card like a Credit Card (ie sign for transaction)

at first they used to say ATM or Credit at the POS machines back in the 90s. Later when check cards got renamed Debit card, the implication was that you could use it as an ATM or a Debit (using Visa or MC networks). At some point the POS machines now say 'Debit' or 'Credit', redefining the word Debit to now imply ATM transactions.

In most cases a real Credit card vs a Debit card are irrelevant to the fraud perpetrated. The criminal is just grabbing any bank issued card and swapping out a chip. At the end of the day he just needs to complete a transaction where you sign on the POS terminal and go about their merry way to sell the now purchased goods.

To answer why anyone would use 'credit' instead of 'debit' at the terminal, it has to do with reward points and cash back. By hitting 'credit' the merchant has to pay a percentage or transaction fee depending on his volume of transactions. This can be as high as 4%. In turn the bank agrees to give you 1.5% cash back (such as Paypal) or gives you reward points. Hitting the Debit button and entering a PIN will deny those bonuses since they did not get that 4% loanshark fee from the merchant.

Re: PIN

[apoc.famine]

The only drawback I've encountered so far is if I have to cancel my credit card because it's been compromised. I'm stuck until the new one arrives.

I walk over to my local credit union at lunchtime and they print me a new one. Takes about 3 minutes. You might want to investigate your local places - I'm not sure how I'd ever go back to the timewasting stupidity of the big banks I used to get financially abused by.

Re:PIN

Use it.

Before I begin, bear in mind that all "Chip & PIN cards" DO USE the PIN, and they use it every time. (Read up on how Chip & Pin cards USE their PINs... they don't work how you think, if you think "PIN" and "use it," is a meaningful response to this issue. I believe they use them in every transaction, but it sounds as if you're confusing the PIN people punch in with the PIN the card uses to authenticate itself to the issuing bank. They really should have called it something besides a "PIN," such as a Card Authentication Number, so it doesn't confuse people. I know this because after the first time I bought something and it didn't ask me for my PIN, I called my new "chip & PIN" enabled card issuer, and asked, and they explained it to me.)

Whenever you get a new card in the mail, activate and immediately test it. Verify the transaction. If the card either doesn't work, or the transaction doesn't show up, call the number on the card, cancel it and request a new one.

As a personal aside, I can't help but wonder how different things would be if when they catch these guys, instead of just putting them in prison for theft, they also cut off their hands. Then put them in prison. Someone commits financial fraud, theft, etc., he loses a hand. Bet he won't do that again, and if he does, well, then you take the other hand as well. Bet he won't do it a third time. (If someone does, you simply sever the spinal cord just below the point where the control and sense nerves connect the brain and the innards, rip out eyes, ears, and tongue, and hook 'em up to life-support, and leave him there, so he can think silently for a few decades about what he did. I am against the death-penalty, but mainly because it lets people get away with their crimes. Death isn't a punishment, considering that heaven and hell aren't real, you don't either suffer after you die, nor are you rewarded. (If death WERE a punishment, then explain what "crime" a baby commits, since some babies die, and all babies EVENTUALLY die, since no one gets out of life alive.) You just end. Therefore, if there is any justice to be meted out, it needs to be done BEFORE death, and it needs to be made unpleasant enough NOT ONLY to deter anyone from trying the same thing, but also to assuage the rest of us that we aren't all chumps for following the damned LAW. Just saying.)

Re: PIN

[b0s0z0ku]

That's incorrect. I specifically asked for an ATM-only card for one of my accounts. It works at an ATM, with a PIN, and is not a Checkcard. i.e. it's only useful for deposits and cash withdrawals, not as a "credit card."

Re: PIN

[NJRoadfan]

Except that, unlike a credit card, your account is directly debited of the fraudulent charges and the money doesn't re-appear in the account until its reported (and the bank slowly gets around to handling it) and usually after some important auto-pay or checks bounce. In the case of credit card fraud, its the bank's money that goes missing.

Re:PIN

[david_thornley]

I have gone to precisely one store (Target) where I stick my card in and enter my PIN. Every other store wants my signature, unless it's below their threshold and they don't want anything.

Re: PIN

[evil_aaronm]

That's not a bad idea. I'll keep that in mind, in case my credit card provider pulls a Darth Vader and "alters the deal."

Secret service, will they protect Trump in prison

For life?

All your Chip

Are belong to me!

Re:All your Chip

I for one welcome our new I.T. closet cleaner chip overlord.

Re: All your Chip

Creimer spam, mod down.

Actiate, use, re-activate

[davidwr]

OK, how about a 2-stage activation:

When you first activate it, the first time you use it you will get an alert and have a few days to do a second activation.

Until the 2nd activation goes through, you will get an alert on all charges and if it's a high-dollar charge or even a medium-dollar charge at someplace that's not "normal" for you, the charge will be declined and alarms would go off at the bank and on my phone or email.

So, if someone pulls the switcheroo on my card they might be able to buy a $100 TV at a local merchant but I would know about it nearly instantly and call the bank and police. They wouldn't be able to buy that $5000 gold ring, the charge would be declined.

Re:Actiate, use, re-activate

[Richard_at_work]

Nah, no need for such complexity - most non-US banks issue users with card readers that generate one time PINs for use in authenticating online and activating cards, so just require those in the US. It wont work without the proper chip in the card, so job done...

Re:Actiate, use, re-activate

[olsmeister]

I assume these cards are being swiped from mailboxes, because the penalties for Postal employees tampering with the mail are pretty severe. If that's the case, just send the cards via certified mail, that should solve the problem.

Re:Actiate, use, re-activate

[Actually,+I+do+RTFA]

The penalties for stealing mail from a mailbox and opening it are very severe as well.

Re:Actiate, use, re-activate

[cstacy]

Every time I have had something stolen from the mail, it was a USPS employee. It usually happens at the distribution point, before it is assigned to a delivery man.

The don't usually catch them, and even certified packages go missing and you can't get your money back.

Twice I have had relatively small packages containing audio/electronic items (e.g. MIDI devices) stolen this way. Filling out forms does nothing. IG does nothing. Package trace log shows the item at the postal distribution warehouse, where it vanishes.

Re:Actiate, use, re-activate

[mark-t]

Simpler solution:

You activate it by putting it into an ATM for you bank and entering your current PIN.

If you don't have a PIN, you go to your bank and set one up. They should be able to spot a tampered card even if you can't.

Re:Actiate, use, re-activate

But the pool of suspects for that crime is much larger, and consequently much easier to hide in.

Re:Actiate, use, re-activate

[Leuf]

The other day my cc got used to make a $5 donation to some Christian website that I had never heard of. The charge got flagged as fraudulent and I got an alert. It's puzzling as to how they got the info and why they only charged $5 to it. I guess hoping to fly under the radar. Equally puzzling is how the bank managed to correctly flag that tiny charge as fraudulent. My point being that current fraud detection is already better than what you are suggesting. The tricky part would be with new customers who they don't have a charge history to base anything on.

Re:Actiate, use, re-activate

[ColaMan]

Equally puzzling is how the bank managed to correctly flag that tiny charge as fraudulent.

It's the same as with Google's spam detection: you just see one transaction on your card, but the bank sees hundreds of similar transactions on hundreds of cards.

Re:Actiate, use, re-activate

No, the penalties for *getting caught* are very severe.

Re:Actiate, use, re-activate

[TheRaven64]

It's one of two things. Either the transaction itself correlated with fraudulent transactions, or the transaction didn't correlate with your own spending habits. Banks build fairly complex statistical models of spending and flag any outliers as potential fraud. The most amusing one of these for me was the registration fee for a DARPA PI meeting. Apparently my bank believes that paying money to the US government correlates strongly with fraud. Somewhat less helpfully, they insisted on calling me during UK business hours (i.e. in the middle of the night where I was) to confirm. After a very grumpy 4am conversation (the third time they'd woken me up that night, but the first time I'd managed to get to my phone before it stopped ringing) they gave me a 24-hour number that I could call from anywhere in the world.

Re:Actiate, use, re-activate

[davidwr]

The other day my cc got used to make a $5 donation to some Christian website that I had never heard of.

That was a smart crook.

1) It validated the card was good or not.

2) If their victim was married, he might wait to call the bank until he talked to his spouse, because "giving to charity" is something many people would do without checking with their spouse first. This buys the crook time to do real damage.

3) Giving small amounts to charity is something a lot of people do, so it's less likely to be flagged by the bank as suspicious than, say, spending money at a far-away-from-the-victim brick-and-mortar store.

In your case, it was flagged. Perhaps there was something about THAT charity that raised a red flag with the bank. Perhaps there was a rash of "$5 charity donations" in the last few days so your bank or all banks were on the lookout for that type of transaction. Perhaps your bank figured out that you never give to charity using that credit card, so when you did, it raised a red flag. In any case, I think the "$5 charity donation" was a good gamble by the crooks. They lost, but it was still a good gamble.

I hope the crooks got caught and prosecuted.

Re:Actiate, use, re-activate

[e3m4n]

OMG, I met one! I finally met one! You're one of those mythical people I read about that believe making a law somehow stops crime. "we need to ban this" , "we need better gun control to stop criminals from getting guns", "we need a law that says...". How are you not besides yourself that criminals *gasp* don't give a shit about laws? There are two groups of people that think laws don't apply to them a) criminals b) elected officials. One can certainly argue that b. really is a member of a. with more damage control. Did you know that in every state, murder has been against the law, with pretty severe penalties, since 1787? It amazes me that anyone would even suggest we have a murder problem in the states, because the penalties for murder are pretty severe /sarcasm.

Re:Actiate, use, re-activate

[e3m4n]

I suspect it got flagged because there were already reports of fraud and stolen funds in which just prior to large amounts of theft, a $5 donation was donated to the same charity in order to verify the card is in working order before they hit it with a larger withdrawl. Once they realize that they have a large number of reported fraudulent charges, and in every case there is a small charge to a common place, they flag that place and trigger an alert. I suspect that these card companies probably share a security database the way we share db's of known spammers and query every transaction against it in realtime.

Re:Actiate, use, re-activate

[olsmeister]

Huh? My point was that certified mail requires a signature and so should solve a mailbox theft problem. Not everything is about guns, dude.

Re:Actiate, use, re-activate

[e3m4n]

your comment was that a postal employee could not be the culprit because there is a law that would punish a postal employee for stealing, therefore it could never be a postal employee. In most cases it is in facy occurring at the hub distribution centers. You implied the presence of a law implies noone would dare disobey it. I felt it necessary to give you multiple examples of how far from true that is. Organised crime usually always facilitates the need of having an inside man to complete the job.

Re:Actiate, use, re-activate

[olsmeister]

There are always some assholes who break the law. That doesn't mean laws are useless. If we said fuck it and didn't have any laws because some people break them, society would collapse quickly. Look, I worked in a Post Office in a previous life, and while theft does occur, the penalties DO discourage most people from trying. The only ones that do are idiots, because it's completely not worth it. We're talking federal prison time. You don't make laws because you expect them to be universally obeyed; you make them so that you can define acceptable behavior and punish those who deviate from it.

Re:Actiate, use, re-activate

[e3m4n]

laws exist so you can push the lawbreaker, agreed. There is quite a bit more fraud in the post office than you may be aware. Its possible you worked at a branch and were fairly isolated in this respect. Even in the 90s there was some reality 'cops' style show that followed postal inspectors. They in fact do more than just look for drugs being mailed. They spend a great deal of time investigating postal employees. One episode indicated that some branch in NYC were using 'temps' do do deliveries. Well, this one temp was more of a 'free paycheck' type and was dumping the mail into a dumpster and claiming she delivered it.

In this case I think its _much_ more of a case of organized crime, since the secret service is involved and not the postal inspectors. The secret service involvement suggests the crimes of fraud are on the scale of counterfeiting. They certainly aren't on the looking of some random asshole breaking the law. This is a bit more structured. There is most assuredly some inside people intercepting this and getting it to the crime ring involved.

Re:Actiate, use, re-activate

[lgw]

Aren't these being sent to corporate mailboxes? As soon as the mail is handed off from a USPS employee to a private mail contractor, the severe laws all vanish.

Re:Actiate, use, re-activate

[lgw]

My point was that certified mail requires a signature and so should solve a mailbox theft problem.

Mailbox theft seems unlikely here.

As far as "requires a signature", I once received a check for about $30k mis-delivered to me by certified mail. Postal carrier took my signature and went on about his day. Fortunately for the intended recipient, they were close by and I didn't mind walking it over.

Mail fishing

... is when a bad actor fishes stuff out of your physical mailbox, using some kind of weight with sticky tape attached, on a piece of string. It's been used for decades for identity theft. This looks like it would be a logical extension.

Of course, some mailboxes don't even need that much resource.

How the hell do they get the old chips ?

[Crashmarik]

Dumpster diving, seems ineffective and it shouldn't be too hard to make it difficult to swap chips on new cards.

Re:How the hell do they get the old chips ?

[Actually,+I+do+RTFA]

They presumably only use the new chips for a few days, draining as much cash as they can. Therefore once they collect enough chips to intercept cards for those few days, they're fine. Because then they have five day old chips they already used to send out.

Re:How the hell do they get the old chips ?

[Junta]

Just need a cosmetic replacement, doesn't even need to be a functional chip.

After all, the cards will look right, but they still won't work if they have an old, mismatched chip. In fact it may be even better if it seems like it doesn't work because of malfunction rather than having a key mismatch, might buy you a few more days before the cardholder gets it fixed (assuming the POS equipment flags an obviously wrong chip more clearly than chip malfunction).

Not really a 'chip card hack' . . .

[Wrath0fb0b]

In the sense that it doesn't have anything to do with the underlying technology at all. It's a weakness in the activation/verification scheme in that it verifies that the cardholder received something, not that they have received the genuine card.

An easy way to 'close the loop' would be to perform the activation at an ATM that could verify the authenticity of the chip. Then the 'activation' of the card would be tied to positive proof that the rightful owner had possession of it.

Re:Not really a 'chip card hack' . . .

[Tunefix]

Here in Norway, where chip and pin is the normal, when I receive a new card it is activated the first time I use it. At the same time, the old card is deactivated.

Re:Not really a 'chip card hack' . . .

[Wrath0fb0b]

Which just moves the problem to how you deliver the PIN associated to the new card.

But sure, once you've established that you can transmit the PIN from the bank to the (correct) customer without anyone else reading it, then you can use that to solve other problems :-)

Re:Not really a 'chip card hack' . . .

[ControlsGeek]

Here in Canuckistan the PIN is delivered by mail in a separate envelope several days before or after the card itself is delivered.

Re:Not really a 'chip card hack' . . .

[e3m4n]

which would not solve a situation of targeted mail intercept, only random mail intercepts. If your mailbox itself is targeted, then they would grab anything with your banks name on it.

Re:Not really a 'chip card hack' . . .

[e3m4n]

exactly, it sounds as if they replace the chip with any other chip on the card and reseal the envelope. Then with the orginal chip, they put it onto a cloned card. Then ususpecting customer gets card in the mail, and calls the phone number to activate their card, not knowing there is a duplicate floating around. I agree, it might be more hassle, but having to go to the bank or the ATM to activate the card would make sense. I am guessing that it would have to be a bank ATM equipped with a chip reader, since some that you see in gas stations only read the magnetic strip similar to a gas pump.

What really irritates me is that the most effective tool at identifying fraud is denied to us constantly by the banks. Its as if they want a system of fraud. Every time I use my paypal card I get a notification of a charge both via email and SMS within a minute or two of the transaction. I find it disturbing that my bank does not do this, nor does any credit card, or even my MyVanilla card, though the latter notifies me every time I add funds to confirm the process worked.

Re:Not really a 'chip card hack' . . .

[denbesten]

Every time I use my paypal card I get a notification of a charge both via email and SMS within a minute or two of the transaction. I find it disturbing that my bank does not do this, nor does any credit card, ...

My Discover card does this via Discover App installed on my phone. Normally, my phone beeps about 10 seconds after the card is approved. The fun part is that at gas stations and hotels, I can actually see the pre-approval go through when I start and the final purchase when I am done.

I'm hoping that their next step is to add some approval features to the app, requiring either proximity to the store or that I click "OK".

Pin?

Both debit and credit cards require a NIP over here. First time usage of an NFC enabled card also needs the NIP, you can't use the NFC to activate it. We did away with signatures LONG ago in Canada, that ain't a proper security measure.

Yeah - 3rd party postal overflow guys...

[RyanFenton]

Frequently during holiday periods (high mail flow), postal hubs take on outside contractors to handle those overflows. And those guys can be real scummy, to say the least.

One Christmas, I sent a care package to grandparents, including gift cards, and those were removed from the packaging, slit open from the envelopes, snapshot/sold as images with codes online, then thrown back in the package outside the envelopes. I was able to track it down (with a postal inspector and Amazon) to one of these overflow contractors, and although there's a few cases where they've been caught with hundreds of stolen gift cards - the relationship with the contracting organizations largely shield these crooks pretty constantly.

The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization. So, they're forced to play these games, and shield the folks screwing with the mail, lest they be unable to cover during holiday periods.

I can only imagine who the contracting groups are paying off to make this all possible, along with this latest mail-intercept racket.

Ryan Fenton

Re:Yeah - 3rd party postal overflow guys...

[bws111]

The Post Office can't hire extra real folks

Bullshit. The USPS can and does hire temporary employees (here is an example from last year), they do not have any impact on the retirement fund.

The demand that the USPS pre-fund its retirement system is not 'crazy', it is responsible. Note that most other organizations gave up on the pension system altogether and just give the employees money via 401K matches. The employee can then (wisely) 'pre-fund' his own retirement, or (stupidly) not - and be '85 and wanna go home'. About the only pensions that are not fully pre-funded anymore are public service jobs, because you can always just soak the taxpayer later, no sense in being fiscally responsible now.

Re:Yeah - 3rd party postal overflow guys...

[will_die]

Are you just really ignorant of the truth or trolling?
The PO can hire temporary seasonal employee and not worry about future health benefits.
But on the topic of that why do you hate the post office employees and don't think they should get the benefits they were told they would get?

Re:Yeah - 3rd party postal overflow guys...

[Solandri]

The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization.

That is the way pensions should be funded. The employer should pay their incremental increase in pension obligation at the same time they pay the employee. At that point it's reserved for the employee and untouchable by anyone else.

The way most of the government and companies do it - pay the employee now, worry about the pension later - leads to situations like GM retirees possibly losing their pension when GM was in danger of going bankrupt. Because GM didn't put aside enough money to pay all their retirees, they were siphoning off current operating funds to pay their pension obligations, meaning if the company went under those pension payments would cease. Not incrementally funding pension obligations as you go is like floating checks - the check is written but there may not be enough funds to allow the pensioner to cash it. Because there's up to a 45 year lag between when the pension check is written and when it can be cashed, that creates a huge amount of risk due to insolvency, mismanagement, or abuse. The company or government can renege on the pension that was promised to the employee or go bankrupt. Or, because the pension fund is still under the control of the government/company instead of being an independent fund, someone with fiscal control can embezzle the funds or divert them to other operations, leaving pensioners holding an empty bag. California's government is in a pension crisis because instead of actually paying money into the pension funds it was promising, it's been artificially inflating the value of those funds with overly optimistic estimates of fund growth over the next few decades. The housing recession caused that house of cards to collapse, and now they're having to not only pay for current pensions but also make up those past pension payments they avoided via those inflated estimates.

This is the problem with Social Security too. The money you pay into SS isn't held in some account waiting for your retirement. It's paid out to current retirees (with about a 7 year buffer, that the government abuses to try to make the national debt look smaller than it really is). And when you retire, your SS benefits will be payments made by people working while you're retired. It's done this way because when SS was first implemented, the then-retirees got payments even though they never paid a dime into SS. This is why SS is often accused of being a ponzi scheme (which is somewhat different). And gets into danger of default whenever a disproportionate number of people retire (e.g. baby boomers). And is sensitive to increases in the average lifespan (which changes the ratio of retirees receiving money to working citizens paying money, requiring the age of retirement be increased to restore the ratio to a healthy level).

Pensions really should be funded like a 401k. The employee should pick their investment fund and create an account in their own name, and the government or company employing them should pre-pay their pension into it every month of continued employment. That way the pensioner is guaranteed to get his/her money upon retirement regardless of what happens to the employer. To account for premature death, the employer can be listed as beneficiary upon death (after spouse or spouse+kids if the pension agreement includes them). So any unclaimed funds are returned to the employer upon death. If everyone did it this way (similar to the way the USPS now has to do it) all of the possible problems described above - risk of loss of pension through bankruptcy or altering the pension

How is that even supposed to work ?

[aepervius]

The chip is supposed to also contain keys and pins. How do the crook even replace that ?

Fry's has cameras everywhere Re:PIN

[davidwr]

If the statute of limitations hasn't run out, sue the bank for the money and subpoena Fry's for their camera footage.

not an easy task at all.

[nimbius]

this is a formidably difficult feat for any hacker. first you need to identify a solvent capable of loosening the chip in the card to the degree you need to remove it without damage. next, you need to add your chip with its poisoned firmware to the card without creating such damage that the modification goes noticed. finally you need to remove the solvent without damaging the cards plastic...which is also relatively difficult. friction could be used to keep the chip in place however a cyanoacrylate is likely a good choice to keep the chip from moving...assuming this application does not inadvertently insulate contacts.

This is likely only going to affect american chip cards because we impemented chip and pin in the most disastrously half-assed manner so as to placate the hand wringing of major brands and corporations terrified the technology would dissuade purchases due to its complexity. a good countermeasure against this type of attack would be to have readers not trust the hardware and go through the full or partial battery of RFC specific tests for the chips authenticity. Specifically, the certificate attestation tests were designed to thwart this type of interference.

Re:not an easy task at all.

No, you actually don't.

The attack being described is just swapping other chip's in to the new cards they're stealing; as long as they look undamaged to the person getting the card until they activate it, the chip doesn't even need to work on the old card.

So in this case? Mechanically cutting the chip region out is sufficient, the same way some scammers have sliced individual numbers of a lottery ticket or scratcher ticket, cutting only one layer of the paper.

Because it doesn't matter what THEIR chip-and-pin gizmo looks like, it can be a frankenstein's monster. And the card sent on in the mail doesn't need to even have a working chip-and-pin since the USA still has mag-stripe fallback for chip-and-pin read failures instead of rejecting the card outright.

So no, this is far less 007 Bond and far more just simple "write on a grain of rice" hand-eye coordination.

- WolfWings, too lazy to login to /. in too many years.

Re:not an easy task at all.

[thegarbz]

There's no requirement for poisoned firmware or for anything to even work after modification. The only requirement here is to get the old chip out of the card and patch up the card in a way that it looks okay. In some cases you could even take a generic blank card and print a picture of the card you stole, you don't even need to modify anything. You just need to fool someone who is unlikely to be paying attention.

Because of the chip+signature garbage in the USA just wait till the card is activated (normally a phone call), and then go on a spending spree.

If Chip+PIN was implimented then it wouldn't be an issue because the PIN is still unkonwn to the attacker.

To be more precise

[aepervius]

Imagine that instead of replacing the chip, they wait the card is activated , murder the victim and steal the card. Same effect they have an activated card. OK so no what ? Maybe for ecommerce you can use that, but then again so would simply write down the card number and write down the 3 digits number behind - no need to replace the chip. But you still cannot use the card to withdraw fund because you haven't have the pin...

Re:To be more precise

[e3m4n]

I once had a card cloned (before the days of the chip) and about a week later I got notified that a Home Depot in Miama (600+ miles away) just hit my card 6 times in a row for $100 each. They bought home depot gift cards. At that point the money trail stops and they can sell these cards to anyone for less than face value. I had suggested that since they knew which gift cards they had activated, they should go in and deactivate them. That way when the person buying the stolen card tries to use it, and gets denied, he goes back and puts a bullet in the asshole that took money from my account. People buying stolen goods don't typically take kindly to getting ripped off.

My suspicion is by swapping the chip, the card cloning process resumes in full swing. They cant do ATM withdrawls but they can certainly make point-of-sale purchases without a PIN for merchandise that they can then convert to cash. It used to be called fencing.

Don't assume theft Re:Actiate, use, re-activate

Sometimes things really do disappear at the post office.

I once had someone send me a package. It was "lost" at the regional postal center going "around and around" the automated system before someone or some computer realized it was "old" and pulled it off the line and did something with it.

Mail also gets mis-delivered. Every now and then I get mail for people with the same address as me except for one digit. At least they are in the same zip code.

Re:Don't assume theft Re:Actiate, use, re-activate

[cstacy]

Sometimes things really do disappear at the post office.

I once had someone send me a package. It was "lost" at the regional postal center going "around and around" the automated system before someone or some computer realized it was "old" and pulled it off the line and did something with it.

By "old" you mean "2 days" and by "do something with it" you mean "take it home themselves and sell it on e-Bay" LOL.

Funny how when you put people in charge

[rsilvergun]

of government who don't believe in government then government doesn't do so well.

Did Dr. Evil dream up this scheme?

This all sounds highly improbable. Intercepting the card. Removing and replacing chip. Something Something. Profit.

Debit cards are hazardous

[Comrade+Ogilvy]

If something dicey happens on your credit card, it is the vendor's problem -- the vendor does not have money yet.
If something dicey happens on your debit card, it is your problem -- the money already left the account.

I do not have a debit card. After I cut up the fourth debit card and demanded a clean ATM card with no debit feature, the fifth time I just changed banks.

Re:Debit cards are hazardous

[fahrbot-bot]

If something dicey happens on your credit card, it is the vendor's problem -- the vendor does not have money yet. If something dicey happens on your debit card, it is your problem -- the money already left the account.

I do not have a debit card. After I cut up the fourth debit card and demanded a clean ATM card with no debit feature, the fifth time I just changed banks.

A few years ago SunTrust wanted to "upgrade" my ATM card to an ATM/Debit card. I wrote a letter to the President of SunTrust explaining my reasons for not wanting an Debit card but rather just an ATM card and threatened to move my accounts to another bank if they would not accommodate me. A week later I got a call from his assistant who told me they got many other such requests and would be sending me an ATM only card -- been using it ever since.

Apparently, when they switched from VISA to MasterCard as the vendor for their ATM, Debit and Credit cards, they initially chose to issue ATM/Debit and Credit cards, but not just ATM cards. They still issue ATM/Debit cards as the default but will now issue an ATM only card instead on request.

Debit cards are unnecessary if you have a credit card and you pay off your balance every month.

Re: Debit cards are hazardous

There is no difference between an ATM and a debit card

Re:Debit cards are hazardous

Debit cards are unnecessary if you have a credit card and you pay off your balance every month.

Some of us thinks the opposite way. A credit card is unnecessary because I have money in my account. No need for little loans with fees (and bad interest if you ever forget to pay that balance every month.)

With a debit card, there is no bill to worry about later. Final payment happens when using the card. If the transaction succeeded, the business is done & completed. Just like cash without the weight.

There are those who see the credit as a reserve they can dip into. A debit card is rejected as soon as the account is empty. But credit is no different - a credit card is rejected when you reach the limit. Not spending all of a bank account isn't harder than staying above the credit limit - so no real difference in convenience.

Re:Debit cards are hazardous

[Karhgath]

As a non-us citizen, what is the distinction between an ATM and a Debit card for you? Here they are one and the same, I could always pay with the card I used at the ATM/Bank with my PIN. Maybe because we have a national debit network here.

Since you mentioned Visa/MC, do you mean a visa/signature "debit" card that does not need a PIN? Or simply an ATM card can only be used to withdraw cash at the bank and you are not able to pay anything with it?

Re:Debit cards are hazardous

Except that by law, you are liable for a maximum of $50 in fraudulent charges made on a stolen credit card, as long as your report the theft within 2 days and a maximum of $500 for fraudulent activity reported within 60 days of your billing date (and most credit card companies won't even charge you that). In contrast, if someone uses your debit card fraudulently, you're out however much the thief can take.

Re:Debit cards are hazardous

[e3m4n]

every time I have had an issue where unauthorized transactions have occurred on my account, I have been refunded within a week.

Re:Debit cards are hazardous

[e3m4n]

an ATM card or ATM transaction goes through a banking gateway service like Star, Quest, Paypass, etc. You usually get a fee for every transaction (like $2.50 now)

a Debit transaction uses the Visa and/or MasterCard networks to deduct money from your account, and the marchant usually eats the transaction fee's based on his volume. Small operations eat 4% or tell you that they will add 4% to use the card.

they are two completely different networks where one necessitates a PIN, while the other just wants you to scribble a 'signature' on a screen for anything > $50.

Re:Debit cards are hazardous

[Comrade+Ogilvy]

In theory, I would have such protections on my checking account, too, when it comes to obviously fraudulent checks. But when I heard the magic words "we will see if we can get your money back [emphasis added]", I realized that reality can be very different from the theory.

I am glad that things worked out for you. But I prefer to know with certainty that I am not completely screwed by keeping my money where it is far more certain who has authority to take money out. If things go very wrong with a credit card, I can tell them I will pay the real transactions, close the account, and walk away. They can come at me with the proof that the charges are real for inspection under the bright lights of a courtroom, if they have the $10,000 to throw away for a lawyer. I am game, if it comes to that.

Re:Debit cards are hazardous

[Hognoxious]

Just because you have one card that does both doesn't mean they're the same thing.

I had an ATM card when my bank didn't even have debit cards and I couldn't get a credit card since I hadn't been in the country long enough.

It worked at ATMs. I couldn't pay at a shop or restaurant with it.

Re:Debit cards are hazardous

[e3m4n]

yea, some of those reasons are why when I vacation I only use money I stuck on a MyVanilla card, and my Paypal card as a backup. It mitigates damages to hundreds, not thousands. I never use my bank card outside the state, and never at gas station pumps etc. I even go as far as to pay for gas with cash (throw $20 in the tank every couple hours) to avoid the risk of bluetooth card readers in the pumps.

Re:Debit cards are hazardous

[Comrade+Ogilvy]

I agree there is no important difference in convenience, under all common scenarios.

The difference is in the legal status and what the burden of proof would be under the bright lights of a courtroom, if things were to go very very wrong.

When things go extremely wrong with a credit card, I can still pay my mortgage, fill my gas tank so I can get to work, and feed my family -- with many months to sort out any problems while negotiations and discussions happen, before any legal actions will even begin to wend their way through the legal system.

When things go extremely wrong with a debit card, I can be stranded immediately and not able to buy food. Immediately.

Re:Debit cards are hazardous

[fahrbot-bot]

As a non-us citizen, what is the distinction between an ATM and a Debit card for you?

Typically, one can only use an ATM card with an ATM machine, while a Debit card can be used like a Credit Card with merchants. Some banks offer combined ATM/Debit cards that work with both cases. Those physical cards are usually issued by the bank through the vendor that provides the bank's Debit/Credit card services, like VISA or MasterCard. I don't want a debit card, just an ATM card. (a) I have a credit card with a high limit and pay it off every month and (b) don't want my checking account funds available directly through a debit card as it's less safe and see "a".

Debit cards are an immediate form of "check" payment. I'll use a CC in those cases, which (c) provides a 30-day float on my money and (d) more safety as none of my funds are exchanged until I pay the CC bill. Yes, debit cards typically provide fraud guarantees, but the money is taken immediately and you must request it be returned, unlike a CC in which one simply disputes a charge w/o paying it (or not) until the dispute is resolved.

Re:Debit cards are hazardous

[Comrade+Ogilvy]

Debit cards are not crazy at all, IMO, if you manage your liability by consistent care about how much cash is sitting in the relevant account. But I definitely do not authorize any magic "we will transfer from savings for you because it is so convenient" things. I want that isolated account to fail, and I will pick up the fees for my own mistakes, as a firewall from my pile of savings.

Re:Debit cards are hazardous

[apoc.famine]

Why would you have all your money in the account tied to the debit card? My wife and I have a joint debit account where we pitch in a portion of our pay every month to buy the normal monthly expenses. All the rest of our money is tucked safely away in other accounts.

I'm somewhat baffled by why people seem to think the only options are credit or "all my money is at risk". Does your bank not allow you to make multiple sub-accounts that aren't accessible by your debit card? If that's the case, you've chosen the wrong financial institution.

Re:Debit cards are hazardous

[Comrade+Ogilvy]

Your point makes sense, to a significant degree.

But why should my savings be vulnerable at all, even a single red cent? I can protect it completely with a credit card.

The extent that a credit card is actually really more convenient than a credit card does have something to do with how much is left vulnerable in that savings account. Furthermore, banks love to push "protections" like automatic transfers from savings in case of overdraft of the account tied to the debit card. I presume that some people fall for that one, even if I expect you know better.

Re:Debit cards are hazardous

[apoc.famine]

So I don't "bank" - I've got a couple of exceptional credit unions in my area, and use them instead. Because they're non-profit and member-owned, they don't do most of that bullshit. Truly exceptional service, and really robust online services as well. Their fraud policy is the same for debit as it is for credit, so there's no real risk on the debit side - they'll credit a large amount of what was claimed to be fraudulent before any investigation is final.

Credit cards are ok, but not always great. I have a handful of local businesses that are cash/debit only, and they tend to undercut the major chains by up to 30%. A part of that is not having to lose 3-4% on all credit card purchases, and not having to deal with much fraud because of that.

A second reason why we don't mind the small risk of the debit account is that it's a clear budget, unlike a semi-unlimited credit card. We've got a set monthly budget, and when we're getting near the end of the month, what's left in that account determines how much we go out, and how much we stay in. Sure, we could play accountant as a hobby while using the credit card, but that's extra work for minimal extra gain.

MODDOWN! ; creimer youtube spam post again!

MODDOWN! ; creimer youtube spam post again!

CREIMER' SUBMISSIONS UPDATE:
Note also that creimer is trying to regain karma by getting his submissions published as articles on /. so make sure to go to:
https://slashdot.org/~__aaclcg...
https://slashdot.org/~IDrinkFa...
https://slashdot.org/~_sharp'r...
https://slashdot.org/~crreimer
https://slashdot.org/~cdreimer
https://slashdot.org/~criss69
https://slashdot.org/~Anonymou...
https://slashdot.org/~FatCashe...
https://slashdot.org/~ILoveFat...
https://slashdot.org/~IHateFat...
https://slashdot.org/~IAteFatC...
https://slashdot.org/~ITapeFat...
https://slashdot.org/~IApeFatC...
https://slashdot.org/~IPrayFat...
https://slashdot.org/~FatCashe...
and mod down his submissions as well. The great thing is that you don't even need mod points to mod down a submission, just click on the "minus" icon!

Yes, believe it or not, creimer owns all the above sock puppet accounts. It is a mystery why Slashdot management tolerates it!

creimer wrote:

I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions ? I'll have to double check the number ? to move cdreimer's karma from neutral to excellent without ever being exposed to the capricious mods. Mmmmmwwwwahahahahahahaha!

https://slashdot.org/comments....

Danger, Will Robinson, Danger! Creimy is posting more than 2 posts a day. Hurry! mod down otherwise /. will go to hell again!

Note: you can mod down even if already at -1 to lower karma and to prevent lost /. users to accidentally mod up.

creimer wrote:

All you need to do is find a website with a permissive TOS, say, Slashdot, create a Python script to scrape your own comments, sprinkle Amazon affiliate links in various posts, and then re-post past links whenever possible. Won't be long before you start making "coffee money" each month.

https://slashdot.org/comments....

C.D. Reimer is a renowned Slashdot collaborator, as he puts it himself; "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."

But does anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!

Creimy Dumpty sat on the wall,
Creimy Dumpty had a great fall.
All the king's horses
And all the king's men
Couldn't put Creimy Dumpty
Together again.

Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
https://www.youtube.com/watch?...

With "Vice President Pence Vowing US Astronauts Will Return To the Moon", we are sure they will need miracle workers up there, here is what it would look like. Note that Creimy takes care of bringing a lot of food to the moon as depicted below:
https://www.youtube.com/watch?...

Creimy's real pictures:
Before the sex change:

3rd party delivery

Likely using a 3rd party company. When I was at a hospital in Portland, OR I saw that their mail uses some local delivery company and not USPS trucks. The truck had left its back open while one person was unloading it. I could have taken bundles of mail and packages. Maybe be seen on some cameras but if I was a paid homeless person or such, not much of a trail there. A few well placed insiders and that truck could be a serious source of information.

Humor Irony

[LifesABeach]

The Secret Service doing anything except guard the president.

Re:Humor Irony

[david_thornley]

They started out dealing with counterfeiters. Guarding the President is just their most visible job.

I warned the banks 2 years ago

It doesn't just affect debit cards, it works on credit cards too. Also, intercepting the chips in the mail is unnecessary, anyone's drug addicted kid could simply steal the chip from their parents cards and go on a shopping spree. All EMV chips are susceptible to this type of fraud. I personally discovered this on my own a little over 2 1/2 years ago. Here's a link to the youtube video I posted about it: https://youtu.be/KMIWy-03rFg

I warned all of the banks, visa, mastercard, the consumer financial protection bureau, the federal reserve bank, way back then, so the secret service is only telling them something that they've known for years, but chose to try to hide.

This type of fraud is untraceable and due to the fallback feature, the Chip doesn't even prevent the type of fraud it was created to combat. In other words, EMV created a new type of fraud that is undetectable and was marketed to everyone as a "safer" way to pay. In actuality it greatly reduced the difficulty and the cost of tools necessary to commit both credit and debit card fraud. A $500 magnetic strip reader is no longer required, now all that's needed is $2 for a pocket knife and some glue.

how to hack

[kourtneybutts00]

Hello everyone! I had seen so many recommendations on ENRIQUE so I contacted him to help me Clone my husband's cell phone and WhatsApp. Just like Magic, I got the files to get it done and I have access to my husband's phone. He was really efficient and I have access to everything including phone calls, logs, sms, surrounding and location. What I like about the job is that it cannot be traced back to me. I have this working for 3 months now. I am just another satisfied customers. Thanks to ENRIQUE LEWIS , CONTACT: Email: enriquehackdemon11 @ g m a i l com Whatsapp no: +1 (628) 203-7005 Text no: +1 4 0 9 9 9 9 3 4 7 7 .