The really important thing to understand here is that for the Cambridge Chip & Pin fraud to work, the fraudster needs to have possession of the original debit/credit card (which has yet to be cancelled), and seemingly a laptop.
Now I have researched card fraudsters for years, and I can tell you they always tend to go with the simplest methods of committing card fraud which pose the least risk of being caught, and as any security professional knows, bad guys always tend to go for the lowest hanging fruit.
So here's my main point: why would a card fraudster who is in possession of a stolen card bother with the sophisticated technique highlighted by the Cambridge boffins, when it is far easier and less risky to just damage the chip on the card, forcing a magnetic swipe and signature payment, perhaps if needed requiring a bit of social engineering against the cashier? Still, it would be far easier and less risky for the card fraudster to use the stolen card for online transactions, or even get away with small contactless payments, which also don’t require any PIN knowledge.
Secondly, I find card fraudsters tend to use stolen card details where the actual cardholder has no awareness of their card details being compromised. When the physical card is stolen, it tends to be reported by the cardholder, so it is quickly cancelled, preventing transactions from working on it. Remember, the Cambridge attack is all about the physical possession of the stolen plastic card, not stolen payment card details, which is where the bulk of card fraud occurs.
Just to prove how easy it is to get around Chip and Pin without having a PhD, I performed a demonstration yesterday at a “birthday card” retailer in a UK city. I used one of my own credit cards as opposed to a stolen credit card; the credit card I used just happened to have a damaged chip.
To be crystal clear, I did nothing illegal or unethical, and I certainly didn’t perform any social engineering or anything dodgy like that. All I did was place my credit card in the card reader as instructed by the cashier. The card reader displayed invalid, and the cashier said this happens now and again, took my credit card out, swiped it through a magnetic reader, then asked me to sign. I followed the cashier's instructions, so completing a transaction without using a PIN number.
Here's the receipt; note "Date" and transaction type "Swiped" and "Signature Verified".
I personally reckon at least £1 billion is stolen on British payment cards every year, and from my knowledge of how UK card fraudsters operate, I would say the Cambridge Chip & Pin attack could be responsible for just a few percent of that fraud spend presently. I have not come across any fraudsters, nor have I heard of any fraudulent incidents, using this technique; however, you can never rule out that the bad guys aren’t taking advantage of a known vulnerability (a golden rule in security). But I am very confident the vast majority of payment card fraud in the UK is not being made against this particular vulnerability at present, and I don’t see that changing in the future, as there are still far easier methods to commit fraud against UK payment cards.
If the payment card industry was serious about preventing payment card fraud, they should be looking into the types of things I mentioned in this blog posting.
http://blog.itsecurityexpert.co.uk/2009/10/how-payment-card-industry-could-stop.html
12 comments:
Can't help but think that quick propagation of detailed data re: how to exploit vulnerabilities is making prompt action to plug issues more important. The "low hanging fruit" principle is a particularly poignant one. Lag behind the latest vulnerabilities at your peril!
Many institutions limit access to their online information. Making this information available will be an asset to all.
The blog was absolutely fantastic! Lots of great information and inspiration, both of which we all need!
Chip & Pin Weakness Smoke Screen for Real UK Card Fraud <-- that's what i was looking for
This is really a good blog. I would like to recommend it to my friend.
hi, nice post. I have been pondering this topic, so thanks for sharing
probably be coming back to your blog.
I am very thankful to you for posting such stuff. This really helps me a lot.
I am just catching up but holy crapoly, that sounds like an awesome tailgate! I have to say - they aren't all that amazing. Deep fried Prime Rib? My god. Thank you for providing this information.
Well, best of lot of money to that guy. I'm sure that most of those people in colleges are so out of get in touch with that they don't have any sign as to what this guy is up in arms. Remember: The earnings tell us that there is a lack of attorneys.
Yes its all over for your money safety that there are too many fraud cases are registered in police station so you are eligible to change the mode of payment.
its good to have..it seems nice share i want to have it
In the world of crime, the robberies are increasing day by day so we always choose the safest place, safest decision, safest things, this security mechanism is really working at all & although it is very safe.