Secret Service Warns of Chip Card Scheme (krebsonsecurity.com)
Brian Krebs reports of a new scheme where new debit cards are intercepted in the mail and the chips on the cards are replaced with chips from old cards. Thieves can then start draining funds from the account as soon as the modified card is activated. The warning comes from the U.S. Secret Service. Krebs on Security reports: The reason the crooks don't just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated. The Secret Service memo doesn't specify at what point in the mail process the crooks are intercepting the cards. It could well involve U.S. Postal Service employees (or another delivery service), or perhaps the thieves are somehow gaining access to company mailboxes directly. Either way, this alert shows the extent to which some thieves will go to target high-value customers.
Nah, no need for such complexity - most non-US banks issue users with card readers that generate one time PINs for use in authenticating online and activating cards, so just require those in the US. It won't work without the proper chip in the card, so job done...
Frequently during holiday periods (high mail flow), postal hubs take on outside contractors to handle those overflows. And those guys can be real scummy, to say the least.
One Christmas, I sent a care package to grandparents, including gift cards, and those were removed from the packaging, slit open from the envelopes, snapshot/sold as images with codes online, then thrown back in the package outside the envelopes. I was able to track it down (with a postal inspector and Amazon) to one of these overflow contractors, and although there's a few cases where they've been caught with hundreds of stolen gift cards - the relationship with the contracting organizations largely shields these crooks pretty constantly.
The Post Office can't hire extra real folks - because they're held to a crazy (Republican) demand that every employee get an absurd portion of their benefits completely pre-paid for life into a pool - way more than any other organization is held to - just as one of many attempts to strangle the organization. So, they're forced to play these games, and shield the folks screwing with the mail, lest they be unable to cover during holiday periods.
I can only imagine who the contracting groups are paying off to make this all possible, along with this latest mail-intercept racket.
Ryan Fenton
Every time I have had something stolen from the mail, it was a USPS employee. It usually happens at the distribution point, before it is assigned to a delivery man.
They don't usually catch them, and even certified packages go missing and you can't get your money back.
Twice I have had relatively small packages containing audio/electronic items (e.g. MIDI devices) stolen this way. Filling out forms does nothing. IG does nothing. Package trace log shows the item at the postal distribution warehouse, where it vanishes.
Simpler solution:
You activate it by putting it into an ATM for your bank and entering your current PIN.
If you don't have a PIN, you go to your bank and set one up. They should be able to spot a tampered card even if you can't.
File under 'M' for 'Manic ranting'
this is a formidably difficult feat for any hacker. first you need to identify a solvent capable of loosening the chip in the card to the degree you need to remove it without damage. next, you need to add your chip with its poisoned firmware to the card without creating such damage that the modification goes noticed. finally you need to remove the solvent without damaging the card's plastic...which is also relatively difficult. friction could be used to keep the chip in place however a cyanoacrylate is likely a good choice to keep the chip from moving...assuming this application does not inadvertently insulate contacts.
This is likely only going to affect American chip cards because we implemented chip and pin in the most disastrously half-assed manner so as to placate the hand wringing of major brands and corporations terrified the technology would dissuade purchases due to its complexity. a good countermeasure against this type of attack would be to have readers not trust the hardware and go through the full or partial battery of RFC specific tests for the chip's authenticity. Specifically, the certificate attestation tests were designed to thwart this type of interference.
Good people go to bed earlier.
The bank won't mail you a PIN. In my experience, you have to go into a branch and set up your PIN at least once. After that, any replacement card they send will use the same PIN until you go to a branch and change it.
File under 'M' for 'Manic ranting'
of government who don't believe in government then government doesn't do so well.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
If something dicey happens on your credit card, it is the vendor's problem -- the vendor does not have money yet. If something dicey happens on your debit card, it is your problem -- the money already left the account.
I do not have a debit card. After I cut up the fourth debit card and demanded a clean ATM card with no debit feature, the fifth time I just changed banks.
A few years ago SunTrust wanted to "upgrade" my ATM card to an ATM/Debit card. I wrote a letter to the President of SunTrust explaining my reasons for not wanting a Debit card but rather just an ATM card and threatened to move my accounts to another bank if they would not accommodate me. A week later I got a call from his assistant who told me they got many other such requests and would be sending me an ATM only card -- been using it ever since.
Apparently, when they switched from VISA to MasterCard as the vendor for their ATM, Debit and Credit cards, they initially chose to issue ATM/Debit and Credit cards, but not just ATM cards. They still issue ATM/Debit cards as the default but will now issue an ATM only card instead on request.
Debit cards are unnecessary if you have a credit card and you pay off your balance every month.
It must have been something you assimilated. . . .
All UK banks that I'm familiar with mail you out the initial PIN (on a weird sticker thing that's meant to make it impossible to read by shining a bright light through the envelope) and then suggest that you change it at an ATM.
I am TheRaven on Soylent News
It's one of two things. Either the transaction itself correlated with fraudulent transactions, or the transaction didn't correlate with your own spending habits. Banks build fairly complex statistical models of spending and flag any outliers as potential fraud. The most amusing one of these for me was the registration fee for a DARPA PI meeting. Apparently my bank believes that paying money to the US government correlates strongly with fraud. Somewhat less helpfully, they insisted on calling me during UK business hours (i.e. in the middle of the night where I was) to confirm. After a very grumpy 4am conversation (the third time they'd woken me up that night, but the first time I'd managed to get to my phone before it stopped ringing) they gave me a 24-hour number that I could call from anywhere in the world.
I am TheRaven on Soylent News
The other day my cc got used to make a $5 donation to some Christian website that I had never heard of.
That was a smart crook.
1) It validated the card was good or not.
2) If their victim was married, he might wait to call the bank until he talked to his spouse, because "giving to charity" is something many people would do without checking with their spouse first. This buys the crook time to do real damage.
3) Giving small amounts to charity is something a lot of people do, so it's less likely to be flagged by the bank as suspicious than, say, spending money at a far-away-from-the-victim brick-and-mortar store.
In your case, it was flagged. Perhaps there was something about THAT charity that raised a red flag with the bank. Perhaps there was a rash of "$5 charity donations" in the last few days so your bank or all banks were on the lookout for that type of transaction. Perhaps your bank figured out that you never give to charity using that credit card, so when you did, it raised a red flag. In any case, I think the "$5 charity donation" was a good gamble by the crooks. They lost, but it was still a good gamble.
I hope the crooks got caught and prosecuted.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
OMG, I met one! I finally met one! You're one of those mythical people I read about that believe making a law somehow stops crime. "we need to ban this", "we need better gun control to stop criminals from getting guns", "we need a law that says...". How are you not beside yourself that criminals *gasp* don't give a shit about laws? There are two groups of people that think laws don't apply to them a) criminals b) elected officials. One can certainly argue that b. really is a member of a. with more damage control. Did you know that in every state, murder has been against the law, with pretty severe penalties, since 1787? It amazes me that anyone would even suggest we have a murder problem in the states, because the penalties for murder are pretty severe /sarcasm.