There is very little true security in retail establishments.
This lady simply swapped bar codes on expensive items for bar codes of inexpensive items. Got away with it for over a year and made as much as $30,000 per month in some months:
Hardly. Here's my perspective which will hopefully make you understand.
I live in a poverty stricken area. The supermarkets shove the following distribution of fruit out (I know this because my wife works in one as well):
- 20 bags of 5x apples for £1.89 each. 20% go in the bin.
- 100 pink lady apple at £0.75 each. 80% go in the bin.
- 20 cheap apples (one tray) at around £0.12 each. 0% go in the bin.
Now, why should I take the last single cheap apple which instantly prices out the poorer people which is clearly the intention of the supermarket which is to upsell to the pink ladies or bags of apples?
Fuck 'em to hell. There is no honour or integrity in capitalism. Trample over everyone to make profit.
I'm not selfish.
I'm not lacking integrity.
I'm not lacking honour.
Perhaps lacking in faith and respect for rules but that is my only crime.
Agreed. Shop/move elsewhere, especially if you are not a fan of capitalism. I, too, am not a fan of capitalism so it is my plan to remove myself from its constraints. But I don't steal and then try to justify the action because I'm against what they stand for.
I suggest the honorable way for you to deal with this is to find the wholesale supplier of those 0.12 apples, buy a box, and sell them yourself as a street vendor.
You refer to prices in pounds, which seems to indicate that you live in the UK. Your area is not poverty stricken, it is simply poorer than average for your country. Go live in Uganda to see what 'poverty stricken' really means.
Capitalism is a system which aligns incentives so, if people want to get rich, they will do so in a way which also helps other people. Competition in the free market should drives prices down, which is equivalent to spreading profits among all the customers. (Of course, this only applies when the free market works well, which often requires regulation and pesky things like human rights). Capitalism is a system which works very well, and it takes a distorted view of the world to see this as 'two wrongs make a right'.
To be clear: there are many businessmen who are greedy selfish exploiters. However, the purpose of capitalism is to take these natural human tendencies and make them into a force for good.
You could say the same thing about democracy. It's a game whereby people can seek power and influence without having to kill each other or their subjects. If you doubt that democracy is an effective solution, just read up about all the Wars of Succession that Europe has witnessed when those countries were monarchies. Elections are practically love-fests in comparison.
I am amazed at how many people do this (or put fruit through as 'onion' on self checkout). It isn't just completely stupid people that do it either, people with jobs to lose, a criminal record that doesn't need to be added to, posh people with a sense of entitlement - all kinds.
On learning of such a trait in someone I ask 'what if you get caught?', but actually it is not them getting caught that matters. Think of the people that work in that shop and the position they get put in having to deal with petty cheats. Also, would you really want to be banned from the store you get your groceries from? That would be a big inconvenience.
Actually people don't give a shit who work there (a big chunk of the staff steal produce or write it off and take it home as well), there are plenty of other shops to choose from, the police don't care (in the UK they send you a letter if you get mugged apologising for not coming out) and the business find it costly to deal with the people. It's only significant if it's more than a few pounds/dollars which is why high value retail tend to have competent security.
When capitalism pushes profit margins, some losses are insignificant not to invest in otherwise they will hurt the margins they are trying to protect.
Also if they gave a shit, they'd have staff on all checkouts and not use self-service checkouts. Staff are more expensive.
Also if they gave a shit, they'd have staff on all checkouts and not use self-service checkouts. Staff are more expensive.
They know; they just don't care.
While I agree that the stores "deserve" the amount of the theft through fraud that comes with replacing human checkers with automated checkout systems, that doesn't make your behavior in explicitly taking committing that fraud any more ethical.
Scan something wrong by accident, that's the store's fault for setting up the system to allow such accidents. But to intentionally exploit their system, that's on you.
I personally make it a rule to never go through automated check-outs because I think the stores that use them are not holding up their end of the social contract. I've even abandoned a few carts when I got to the check-out and found they had no human checkers (I found out the hard way that some grocery stores around here go 100% automated after 10pm).
you are effectively stealing from everyone else who is being honest. unless the store is incompetent compared to their competitors at controlling loss the cost is passed on to the other consumers who shop there.
This is another interesting case because it points out how vulnerable this part of the financial transaction chain is. Of course even after they catch the guys who were installing the skimmers they don't get the 'top' guys who make the fake cards and then withdraw funds in Serbia.
I did see a talk where the folks noted (but did not remove) such devices and then began tracking every account that went through the modified device. This was to figure out who the bad guys were. By watching the fraudulent transactions that happened later they were able to roll up a carding group in the Baltics. But it does take a more proactive approach.
From a future products prospective the use of cards with embedded processors seems better and better.
There are already scanhacks for iPad cash registers. Mostly consisting of a touchscreen overlay wired to look like its part of the protective case. So, forget that iSense of iSecurity, its not there ..
People need to be made aware of any and all threats to their security that may exist. They need to make sure such hardware is not deployed against them. And they need to design the vulnerability out of future systems.
I did read the article in full, also what does it matter who wrote it?
A skimmer and a keylogger are two very distinct things. When I read the title I was interested to find out how the skimmers were placed, placing a keylogger takes much less skill and craft, it's a piece you can buy in bulk, whereas placing a skimmer usually requires a different class of criminal, skimmers often have to be fabricated for each location.
It's a matter of semantics. What does "to skim" mean?
I read the article to mean that the bad guys were using key loggers to skim mag stripe images out of the keyboard data stream (from mag stripe readers attached via "wedges"). That's one level of threat.
Your link, however, calls to mind a higher level threat that happened in Rhode Island a while back. Bank customers were disavowing ATM withdrawals. Bank security noticed that the complaining customers had all used their debit cards at the same all-night Stop & Shop. A review of the store's security video showed a gang of four guys coming in during third shift and installing hacked PIN pads at the registers while keeping the thin staff distracted. They were busted when they returned to harvest their next haul of debit card details.
How they compromised the PIN pads I do not know. PIN pads are supposed to be sealed and tamper-proof. Your PIN is supposed to be encrypted before it leaves the keypad and decrypted only when it reaches the payment processor. The encryption key is supposed to be erased if someone tampers with the device. In order for the hack to work, they would need to be recording the mag stripe data along with cleartext PINs.
I see it happened to Barnes & Noble more recently and on a larger scale:
To skim means to remove "something" from the top(usually referring to liquids). Which makes sense to use to refer to a device that sits atop a card reader.
Not knowing this case, but the general way to read a pin is a cheap thermal camera filming the keypad. After you remove your hand, your presses remain hot for a short while, and they can even usually recover the order by the relative warmth too.
They also want to film the underside of the card to read the three digit code.
It occurred to me once upon a time that I could use just such a keylogger to capture my classmates' student ID card swipes when they went to release print jobs at any of the print stations on my university campus. I recognized this as a security flaw that (probably) didn't have many lucrative uses, but I never imagined such a technique might work for credit cards. I wrongly assumed that credit card readers would employ greater physical security.
hardware security aside, if credit card readers employ proper encryption, that in itself would probably be an effective deterrent against such leaks, but only IF such encryption is implemented.
I think a large factor in the lack of change in payment security (In the US anyway, I can't speak for anywhere else) is the rise of the "protected" card. I have no incentive to protect anything about my Amex.
Card got skimmed a few years ago somehow, Amex called, asked if I was in Nicaragua (I wasn't) they apologized, removed the $200 or so in charges and next-day aired me a new card. Almost zero hassle.
I'd hate to have my debit card skimmed but as far as a credit card... I'm not too worried. The risk isn't mine.
Visa/MasterCard is pushing for EMV/Chip & Pin technology. Previously, the liability of fraud is on the payment network. Visa/MasterCard have announced a liability shift from the payment network to the merchant for fraud if the merchant doesn't adopt chip & pin.
The rollout date is supposed to be Oct 2013.
As an end user, you are not able to protect from this type of fraud. That's why the liability doesn't reside with you.
chip and fucking pin. sigh This problem is solved, yet practically nobody in the US is demanding the established solution. Until we do, this is only going to continue.
In the UK and EU, chip and pin carry with it some nasty liability problems. That is, the consumer is now de facto liable for all fraud that happens, in spite of the statute.[1] A significant amount of skimming still occurs in the EU.[2] The protocol, just like the traditional charge card method, used is considered insecure.[3]
The U.S. method, where the low-security retailer is liable, is the most fair. The current charge back system works. Retailers that use inventory control, secure systems, and require ID with large purchases receive few legitimate charge backs. [4]
I work in the industry. Chip and pin is not statistically safer (fraud rates in Spain, UK, and US are all the same despite having very different payment landscapes). The fundamental problem is that in traditional chip-and-pin setups you also type the pin into the same machine... so adding a skimmer + video camera OR adding a skimmer that records pin is marginally possible and not that hard.
The real security would come with a second factor that the user controls, either by approving on your phone or by using one-time-numbers for each transaction. The reason why these do not exist yet is because they would impede transaction flow, and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.
"fraud rates in Spain, UK," for what? Credit cards? Debit? There's always going to be fraud one way or another.
"you also type the pin into the same machine... so adding a skimmer..."
There's no copying of SIM Cards.
Yes, you can still copy the magnetic stripe that's there for backwards compatibility. So, yes, it's not going to be safer while there's support for old technology.
My (European) bank issued me a chip-and-pin card without the mag stripe, good for travels, where I won't risk getting my card skimmed again.
I would be careful with such statement :-) Security usually maters on type of card, but top range is pretty expensive. There are number of ways howto 'debug' chip using power consumption, xrays etc...
It is easy to copy GSM SIM card. Also operators usually give replacement SIM ( if original gets lost) to anyone with photo id. There were number of frauds in Europe.
"There are number of ways howto 'debug' chip using power consumption, xrays etc..."
The circuit on the chip is known, that's not important. The important thing is the information in rom. Difficult, but certainly not readable through x-ray.
"It is easy to copy GSM SIM card. Also operators usually give replacement SIM"
Of course they can give you a replacement SIM, they can reconfigure their systems to point the customer to the new SIM. That's not copying.
>and the basic math with these companies is if fraud rate > rate loss of transaction volume from security feature then use security feature. Otherwise, don't.
I seem to recall reading a while back that the overall credit card fraud rate is at the level of single-digit basis points. Is that really true? (I can't seem to find a good link.)
The US is getting chip cards in 2015 [0], although it looks to be chip and signature.
As another poster pointed out, chip and pin is not foolproof and may present a nasty liability shift to consumers when it comes to fraud.
There are also more practical issues with chip cards. First, merchants will be requires to buy new chip capable card readers. They will not be happy about it, but they'll be forced into it by their merchant agreements. Second, chip transactions take noticeably longer to process. From my casual observation a swipe takes 1-3 seconds, but chip readers took at least twice as long. Sounds silly, but it can really add up if there is a long line.
The idea is to use chip and pin for high value (>$50) purchases and PayPass/PayWave for amounts under that. That way you can pay for small purchases faster than cash while making large purchases more secure.
Unfortunately, at least in Canada, it seems like merchants were only obligated to buy the chip terminal so a lot of smaller businesses didn't bother with the wireless payments and force you to type in your pin for a $7 pita.
I usually swipe my card while items are still being scanned. Most card readers allow this. Would this not be possible with a chip card reader? i.e., does it use a private key on the card to sign the whole transaction (including final dollar amount)?
No, on legitimate ones. You put the chip in the reader, it tells you the total amount, you hit OK, then it asks for your PIN, then the transaction goes through, then you take the card out of the reader. I don't think there's any way to pay before the reader knows the final amount.
Sounds like it depends more on how sophisticated the readers are. The current ones are apparently pretty dumb, and just pretend to be a PS2 keyboard and send the info as keypresses, since the guys in the article just used a off-the-shelf keylogger to steal the data. You could easily make a chip and pin pad that did the same thing and was just as easy to compromise.
For real security, you'd need to do something like have the reader internally encrypt the data with the card processor's public key and only send an encrypted blob out of the device. If you're doing that, then anything's secure against this kind of attack. But the readers would have to cost like 10x more, and it probably isn't enough of a problem to bother replacing them all.
It's ridiculous how such an important infrastructure is so vulnerable. Magnetic stripes are easily copiable and without any other "authentication method" it's a done deal.
But they do not use Visa cards at the same rate as the US. I didn't pull that out of thin air. EU only makes up about 40M of the 200M+ daily transactions VisaNet handles.
I once worked for a retailer which was connected via Megapath (they outsourced to whatever local ISP is available at the store location). The internet setup was so abysmal in security, in some cases the stores used wifi to connect to the front registers with the password being (not kidding) [storename:storenumber]. That's it.
These fools are getting caught doing elaborate plants. That's not how real criminals key log (btw, this is not a skimmer, but is a 'keylogger' as joenathan points out). Real criminals sit in the comfort of their car or nearby coffee shop and scan for open connections and insecure use of credentials.
And the question is... why not just use secure card swipe devices? You load an encryption key onto the hardware, and then key loggers don't work any more. Sure, it won't solve all your problems, but nothing does.
There's a difference between "doesn't help" and "not a perfect solution". Secure readers eliminate the ability for non-savvy criminals to drop a keystroke logger in the terminal.
I may be mistaken, but I thought that the PCI/DSS forbids using such devices (unencrypted transmission from the keypad), and if a merchant uses them then they're automatically liable in full for all such fraud; i.e., banks just refund all cardholders for their losses and bill that+card replacements to that merchant.
There's no such rule. Virtually every internet gateway and mobile payment app lets you key in card numbers to make a charge. There is no encryption in your computer's keyboard. The first versions of the headphone jack swipers for phones (i.e. Square) didn't have any kind of encryption either.
The main reason I find this interesting is the hacker scene in South Florida is so small. I bet if they caught one of these guys, they could track it down to the mastermind faster than somewhere like NY or SF.
From technical standpoint very lame attack. There's no hacking involved at all. There has been technically much more sophisticated attacks modifying terminal hardware & firmware , off loading data completely out of band using 3g networks, etc. That's something that could be called hacking and proper (malhardware) engineering.
This lady simply swapped bar codes on expensive items for bar codes of inexpensive items. Got away with it for over a year and made as much as $30,000 per month in some months:
http://miami.cbslocal.com/latest-videos/?autoStart=true&topV...