Wireless Registers May Expose Your Credit Card
flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."
Sucks (Score:2, Interesting)
Re:Sucks (Score:2, Insightful)
encryption (Score:1)
Re:encryption (Score:4, Informative)
However, you can add encryption to the tcp/ip running over the wireless. With something like Cash Registers, you can be sure that they're all running the exact same software.
Enabling IPSec, or something similar shouldn't be too difficult. It's not like you need to make sure it's compatible with all the different OSes.
Re:encryption (Score:2)
Hang on... (Score:2, Informative)
This is obvious gross negligence on behalf of the point-of-sale software/hardware vendor. How could any remotely security-conscious developer send credit card details in plain text, even over a wired network?
Absolute insanity. I am in awe.
Re:Hang on... (Score:2)
Wrong, wrong, what a wrong approach. This company should've turned encryption on by default. Then, if the stores choose to turn it off for some crazy reason, that's up to them. Meanwhile, if my cc number was to be stolen using this method, I think I could easily hold the manufacturer and the installer of these wireless registers responsible as well as the store.
Re:Hang on... (Score:2)
Of course, you only stand to lose probably $50 to fraudulent charges depending on your card agreement, and the card company would probably even waive that. When the card companies start losing substantial money, they'll be suing the wireless register manufacturers and installers for big bucks.
Just my luck (Score:1, Troll)
I've always thought it to be inconvenient, but if this is true maybe more people will purposely disable their cards in such a fashion.
Re:Just my luck (Score:2, Insightful)
??? How would this be more secure? The same data will still be transmitted, it's just a different entry method!
Re:Just my luck (Score:1)
Or I could be wrong. That's a possibility too.
Re:Just my luck (Score:1)
Credit cards *are* insecure (Score:3, Insightful)
I have developed a foolproof method of fooling them though: don't have a credit card. OK, so they won't actually give me one yet, but hey...
steal away. (Score:1, Insightful)
Re:steal away. (Score:3, Funny)
Oh wait... I have been reading slashdot for too long!
Re:steal away. (Score:2)
Irresponsible? (Score:2, Insightful)
Re:Irresponsible? (Score:2)
If only that were the case. But in real life, people can do all sorts of irresponsible things with your credit card number and you don't really have any recourse, even if it damages your credit rating and costs you months to straighten out the mess. At best, you can hope that MC or Visa will punish them through their contractual relationship.
unFrickingbelievable (Score:1)
Re:unFrickingbelievable (Score:4, Funny)
The same guys who want to foist copy protected CDs as a standard on their customers? The ones who tried to arrest a customer for trying to pick up a video card that he bought on sale online? The ones with the ultra-crappy customer service?
If you're still shopping at Best Buy, this fiasco with the wireless registers should be enough to make you go somewhere else.
But it's not just Best Buy (Score:2)
Re:But it's not just Best Buy (Score:2)
http://online.securityfocus.com/archive/82/2002-0
WEP (Score:1)
that's why I don't like wireless (Score:2, Funny)
We've had a seminar recently at our university with a security expert talking about cellular phones. There's a lot of encryption going on in these devices, but it's apparently not very solid. In one standard made by the big boys of the industry, an example encryption method was presented that wasn't fully secure. The little ones didn't have the knowledge to implement their own, so they adopted the example. Only to pay a lot of cash to some experts afterwards to get it out again.
Now, them paying a lot of cash is not the dangerous part, but the lack of security is. It's only a matter of time before the first big virus strike in bluetooth-gsm-cash register-insert your favourite device here.
Come to think of it, that would be rather cool
security (Score:5, Insightful)
However, that's just covering up the symptoms of a greater problem. It would be better if credit cards used a public/private key system, where the account number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using its key and replies. That way no useful security information is being passed around for others to intercept and use.
Re:security (Score:2)
I as a professional, understanding the issues, would accept a higher rate credit card, say 12% rather than the 10.74% for a public key challenge chip on a major credit card. If people were educated they would understand the value of paying more (not much more) for that little chip. Unfortunately 48% of people don't know how long it takes for the earth to revolve around the sun.
Re:security (Score:2)
I as a professional, understanding the issues, would accept a higher rate credit card, say 12% rather than the 10.74% for a public key challenge chip on a major credit card.
Why? Your liability limit is $50 anyway. I suppose there's also the inconvenience of having your card number stolen, but from a pure cost perspective I'd expect that the lower rate plus the risk of being out $50 would be cheaper.
Of course, it's the issuing banks and merchants who absorb the rest of the fraud above the $50 limit and a good part of that fraud cost gets passed back to you in the form of a higher interest rate, so, theoretically, getting a more secure card could potentially *lower* your interest rate.
Except: In most places in the world the fraud rate is so low that it costs less to just absorb the fraud than it would to spend an additional $2 per card to put a microprocessor in it. In the U.S. smart credit cards are being issued because they're cool and attract cardholders rather than because they provide any benefit themselves. Europe is a different story.
Re:security (Score:2)
Two reasons...
Usually I am not affected by interest rate too much because I make paying off my cards a top priority.
I am aware of the $50 but there is nothing in the law that says my account must be credited in 30 days of the report or some such thing. I could theoretically be held accountable for the money pending an investigation, or definitely if I contest the card companies' findings from an investigation. One of the advantages of having a credit card is its instant loan/buying power for emergencies. That is gone during that time. More credit cards could solve that problem but also mean more risk.
I agree that it would lower the card companies' bills over the long run, so I would only accept a higher rate on a temporary basis.
I see what you are saying but I don't want to wait until the government steps in and forces the card companies to eat the cost of updating card info sending equipment, registers, servers, cards, etc...
Re:security (Score:2)
I am aware of the $50 but there is nothing in the law that says my account must be credited in 30 days of the report or some such thing. I could theoretically be held accountable for the money pending an investigation, or definitely if I contest the card companies' findings from an investigation.
Have you ever been a victim of credit card fraud? I'll bet you haven't. I have, on a couple of occasions and I can tell you that it's no sweat. In neither of my experiences did they even make me pay the $50. In the first instance, I lost my card and called it in. They looked up the last few transactions, asked me which were mine and which were not. One was not. They sent me a new card and the fraudulent charges never even showed up on my bill. In the second case I got a phone call out of the blue from the issuer saying they'd seen some out of profile charges and asking if they were mine. I said no, they sent me a new card and again I never even saw the charges. These aren't unusual or isolated incidents, either. Virtually everyone I know who has had credit cards for 10+ years and used them extensively has seen fraudulent charges against their cards, and the issuers are very good about resolving it quickly, and at little or no cost to the cardholder.
The credit card business is so extremely competitive that the issuers know that anything they do to piss off a good customer will cost them more than it's worth, so they're very accommodating (the first few times, anyway; I imagine that if you had a consistent pattern of fraud reported against your account that they'd begin to get suspicious).
I see what you are saying but I don't want to wait until the government steps in and forces the card companies to eat the cost of updating card info sending equipment, registers, servers, cards, etc...
Why would the government ever do that? Managing the level of fraud and the technologies they use to prevent it is something the credit card industry has done very successfully for 50 years. They started with paper documents then moved to plastic cards and then embossed plastic cards (so they could get an 'imprint'). When fraud got too high they added magnetic stripes and eventually holograms. In places where fraud is a significant problem today they have moved aggressively to smart cards. Time and again they've risen to the challenge and kept themselves profitable through a combination of legal and technological means.
Why would that change so much that the government would have to get involved?
In my opinion, you should just try to get the best service you can at the lowest price you can and let the banks figure out the most effective way to make money. It's what they do!
Re:security (Score:3, Informative)
I am developing a financial application for use over Bluetooth from a PDA to a cash register, and I can say from first-hand experience that the problem of security over a wireless domain is not trivial. Your solution to channel everything through SSH is not economically feasible when you consider the processor and memory requirements necessary for *every single* vendor system out there to do this. The problem gets worse when you start talking about cell phones and wristwatches transmitting credit card numbers to vendor systems.
Bluetooth and 802.11b both have link-level encryption built in, but they both need some work before I would trust them with my financial information. For example, brute forcing the Bluetooth's E0 cipher can be reduced from a complexity of 2^128 to 2^100, and generating a database of keys and sample encrypted data can reduce the problem to a complexity of 2 if a match is found while listening to the communications!
You will have to clarify what you mean by "the account number is sent to the central server." Is it encrypted before it's sent? Against what key? How does your solution deal with non-repudiation (the device is authenticated, but not the user)?
One idea I came up with while working on this project was to incorporate the one-time use credit card numbers with client-to-vendor system. Before you leave home, your financial institution transmits a set of randomly generated one-time numbers to your PDA, wristwatch, cell phone, whatever, and the client sends a different number from the set each time he wishes to pay for something. That way, it doesn't matter if the number is compromised after the transaction is completed.
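The one-time-number idea from the comment above, as an added sketch that is not part of the original post. The class names, the account id and the 16-digit format are assumptions; the comment specifies only that the bank pre-loads a set of random numbers and the device spends a different one each time.

```python
import secrets


class Issuer:
    """Bank side: knows which one-time numbers are still unspent, and for whom."""

    def __init__(self):
        self._unspent = {}  # one-time number -> account id (hypothetical ids)
        self.ledger = []    # accepted payments as (account id, amount in cents)

    def provision(self, account, count=5):
        """Create `count` random 16-digit numbers to load onto the customer's device."""
        batch = []
        while len(batch) < count:
            number = "".join(secrets.choice("0123456789") for _ in range(16))
            if number not in self._unspent:   # never hand out a live duplicate
                self._unspent[number] = account
                batch.append(number)
        return batch

    def authorize(self, number, amount_cents):
        """Approve a payment once per number; the number dies on first use."""
        account = self._unspent.pop(number, None)
        if account is None:
            return "DECLINED"                 # unknown, or already spent
        self.ledger.append((account, amount_cents))
        return "APPROVED"


class Device:
    """PDA / phone side: hands out each provisioned number exactly once."""

    def __init__(self, batch):
        self._batch = list(batch)

    def next_number(self):
        if not self._batch:
            raise RuntimeError("no one-time numbers left; re-provision from the bank")
        return self._batch.pop(0)


def run_demo():
    """Two purchases, with a listener replaying the first number it overheard."""
    issuer = Issuer()
    device = Device(issuer.provision("acct-demo", count=2))  # constructed account id
    results = {}

    first = device.next_number()
    overheard = first                         # what a sniffer on the radio link sees
    results["first purchase"] = issuer.authorize(first, 1999)
    results["replay of overheard number"] = issuer.authorize(overheard, 50000)

    second = device.next_number()
    results["second purchase"] = issuer.authorize(second, 500)
    results["numbers differ"] = first != second
    results["ledger"] = list(issuer.ledger)
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

As the comment says, this covers a number compromised after the transaction completes; a number intercepted before the issuer has seen it is still live, so the link itself still needs protecting.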
Re:security (Score:2)
It would be better if credit cards used a public/private key system, where the account number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using its key and replies.
You can discard either the central system or the public key crypto. In fact the current smart credit card standards do use public key with off-line challenge/response verification. The terminal sends a challenge to the card which encrypts it and sends back the encrypted challenge, the card's public key and certificate (signed by the issuing bank) and the bank's public key and certificate (signed by, e.g. Visa).
The terminal has the root public key and uses it to verify the bank certificate, then uses the bank public key to verify the card certificate, then uses the card public key to verify the response. The card and terminal also each have a set of rules that they evaluate to decide if the transaction can be conducted off-line. If both agree that it can, then the transaction happens off-line, otherwise a standard credit card verification process is done with the central server. It would be nice if the on-line part would also use the crypto.
That's the mode called Dynamic Data Authentication (DDA). There's another one called Static Data Authentication which omits the challenge/response and doesn't require the card to perform any computations. And yes, it's obviously much less secure.
As an alternative (which is workable but not used in any standard I'm aware of) strong authentication with a central system can easily be done with symmetric crypto; no need for the complexity and uglinesses of public key.
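The root-to-bank-to-card verification chain described in this comment, as an added sketch that is not part of the original post and does not reproduce the real card standard's message formats. It assumes textbook RSA over small constructed Mersenne-prime keys with SHA-256, and every function name is hypothetical; it also shows the static (SDA) mode accepting a copy.

```python
import hashlib
import secrets

E = 65537  # public exponent used by every demo key


def mersenne(k):
    return 2 ** k - 1


def keypair(p, q):
    """Textbook RSA key from two known primes. Constructed demo keys, not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    return pow(_digest(msg, priv["n"]), priv["d"], priv["n"])


def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(msg, pub["n"])


def encode(pub):
    return f"{pub['n']}:{pub['e']}".encode()


def certify(issuer_priv, subject_pub):
    """A 'certificate' here is the subject key plus the issuer's signature on it."""
    return {"pub": subject_pub, "sig": sign(issuer_priv, encode(subject_pub))}


# Key hierarchy from the comment: scheme root -> issuing bank -> card.
ROOT_PUB, ROOT_PRIV = keypair(mersenne(521), mersenne(607))
BANK_PUB, BANK_PRIV = keypair(mersenne(107), mersenne(127))
CARD_PUB, CARD_PRIV = keypair(mersenne(61), mersenne(89))
BANK_CERT = certify(ROOT_PRIV, BANK_PUB)
CARD_CERT = certify(BANK_PRIV, CARD_PUB)

# Static mode: the bank signs fixed card data once (constructed placeholder data).
STATIC_DATA = b"account=CONSTRUCTED-DEMO;expiry=00/00"
STATIC_SIG = sign(BANK_PRIV, STATIC_DATA)


def card_respond(card_priv, card_cert, bank_cert, challenge):
    """Card side of DDA: sign the terminal's challenge, attach both certificates."""
    return {"response": sign(card_priv, challenge),
            "card_cert": card_cert, "bank_cert": bank_cert}


def terminal_check_dda(root_pub, challenge, reply):
    """Terminal side: the only key it trusts up front is the root public key."""
    bank_cert, card_cert = reply["bank_cert"], reply["card_cert"]
    if not verify(root_pub, encode(bank_cert["pub"]), bank_cert["sig"]):
        return "bad bank certificate"
    if not verify(bank_cert["pub"], encode(card_cert["pub"]), card_cert["sig"]):
        return "bad card certificate"
    if not verify(card_cert["pub"], challenge, reply["response"]):
        return "bad response"
    return "ok"


def terminal_check_sda(root_pub, bank_cert, static_data, static_sig):
    """Static mode: no challenge, so nothing ties the data to this transaction."""
    if not verify(root_pub, encode(bank_cert["pub"]), bank_cert["sig"]):
        return "bad bank certificate"
    return "ok" if verify(bank_cert["pub"], static_data, static_sig) else "bad static data"


def run_demo():
    c1, c2 = secrets.token_bytes(8), secrets.token_bytes(8)
    genuine = card_respond(CARD_PRIV, CARD_CERT, BANK_CERT, c1)

    # A card whose certificates chain to a self-made "bank" the root never signed.
    fake_bank_pub, fake_bank_priv = keypair(mersenne(19), mersenne(31))
    fake_card_pub, fake_card_priv = keypair(mersenne(13), mersenne(17))
    fake = card_respond(fake_card_priv, certify(fake_bank_priv, fake_card_pub),
                        certify(fake_bank_priv, fake_bank_pub), c2)
    return {
        "genuine card": terminal_check_dda(ROOT_PUB, c1, genuine),
        "recorded reply, new challenge": terminal_check_dda(ROOT_PUB, c2, genuine),
        "unchained certificates": terminal_check_dda(ROOT_PUB, c2, fake),
        "SDA, byte-for-byte copy": terminal_check_sda(ROOT_PUB, BANK_CERT,
                                                      STATIC_DATA, STATIC_SIG),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```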
Original source (Score:3, Informative)
You can find what appears to be the original fwd'd (anonymized) copy of the mail from the guy who first checked this out at this location [personaltelco.net].
Re:Original source (Score:2)
Re:Original source (Score:2)
Symbol makes hardware used by IBM in its wireless point-of-sale terminals.
Now I do understand your point that it may be cheaper to do physical wire, but that doesn't seem to be preventing the many customers that they mention in the article, including Best Buy from purchasing and using this wireless POS technology.
Re:Original source (Score:2, Interesting)
http://online.securityfocus.com/archive/82/2703
You can follow the thread by clicking the next article in thread link on the right.
Who's still shopping at Best Buy? (Score:1)
Why are we surprised that they don't care about their customers? They've already proved that with the nVidia 4600 Ti scandal.
How I gave away my credit card details. (Score:2, Interesting)
The caller said that I hadn't paid my licence for the year, and asked if I would like to.
Being a bit crap with bill payments I found this quite handy, I searched around for my credit card, but couldn't find it, so,
I told the caller that, "I couldn't find my card and would I be able to pay over the phone tomorrow". She said that, "they were open tomorrow", but expressed great concern, because they were, "checking licences in the area", so I had another look for my credit card and found it, gave the caller my details.
A few days later the T.V. licence arrived,
I have cancelled my credit card because I couldn't be sure if the caller was really from the BBC, if so they've started demanding money with menaces.
Re:How I gave away my credit card details. (Score:1)
Seriously though, I didn't think the BBC were actually in charge of issuing licences, I thought they just got the money...
Re:How I gave away my credit card details. (Score:1)
get anyone's credit card details,
Pick a number from the phone book,
Just phone up the TV licensing people, and enquire about 'your' license,
If it's about to run out etc... then
Phone the number in the phone book,
tell them their TV licence has expired,
Take their details,
Pass them onto the TV licensing people (so that they think everything is ok).
And use their credit card details for making calls to phone sex lines, or whatever.
There should be system security inspections. (Score:3, Insightful)
Government inspection doesn't mitigate any responsibility that a food plant or an airline has. It merely provides the consumer with some assurances. And in most cases (not all) it works. Most of us buy food every week, and most of us don't die of food poisoning. Most planes take off and land safely. However, the food producer or the airline company is still responsible for the product.
As we rely more on system security in our daily business transactions, I think that rigid standards of system security should be created and enforced.
If we start holding irresponsible retailers, like Best Buy in this case, accountable for damages, you'll see consumers *and* retailers lobbying for such an effort.
Why bother? Thieves can just guess. (Score:4, Insightful)
Social security numbers used as identification, credit card numbers, and a whole host of other "real world" identifiers and systems are simply extremely sloppy security. In the past, that meant that only a few customers got screwed. With modern computer equipment, a lot of people get screwed.
What is particularly annoying about it is that the companies that put this sloppy security in place never really have given a damn about protecting their customers--as long as the casualties are not too many and don't frighten the masses away, it's acceptable. In most cases, companies that use sloppy identifiers or security end up not even being legally liable for the trouble and expenses they are causing their customers.
Re:Why bother? Thieves can just guess. (Score:2)
However, what makes the scam you are linking to interesting, is not the fact that the criminals were brute forcing the numbers, but rather that they were using merchant accounts other than their own to do it. That way, some unsuspecting victim was stuck with the bill, rather than themselves. It was more an exploit of authorize.net's online card validation system than a problem with the credit cards themselves.
Re:Why bother? Thieves can just guess. (Score:2)
guessing doesn't work (Score:2)
You got it wrong. The social security number space (9 digits) is too small, but the credit card number space is perfectly adequate.
Most credit card numbers (not counting store-issued cards here) are 16 digits, for a total of 1E16 possible numbers. There are 6E9 people in the world, and less than one credit card per person. That leaves you over a million invalid credit card numbers for every valid one.
Now, granted, there are some regularities in the set of valid credit card numbers that you can use to increase your chances of guessing one, but that's not enough to overcome the million to one shot that you start out with. Moreover, in most cases, actually using a credit card number requires knowing the name and expiration date of the account as well.
I agree that banks assigning credit card numbers predictably is a problem, but this problem would exist regardless of the size of the number space. The size of the number space itself is not a problem.
Re:guessing doesn't work (Score:2)
And the first 8 digits are determined by your card. And the last 1 or 2 are determined by the checksum. So now we're down to 7 digits. 1 in 10 million. Then assume that there are 1000 other people using the card. Bam, you're down to 1 in 10,000.
Now add to that the expiration date and "signature code" and you have two more keys to verify you are holding that card in your hand. Sure, Credit Cards suck in and of themselves, but there is more to it than a number. More e-tailers I do business with ask for those three things and sometimes a phone number to call the issuing bank.
Not surprised (Score:3, Funny)
Re:Not surprised (Score:2)
Most of these retail type places buy a turn key solution (::COUGH::
Someone sold them this wireless gear, they should be the ones concerned about the security.
Re:Not surprised (Score:2)
You don't? If I am going to pay someone to do something for me, I'm sure I would want him to know how to do it. I pay my doctor because she knows about my body. I pay my accountant because he knows about my finances. I pay my mechanic because he knows about my car.
Trust (Score:5, Insightful)
According to the article, Best Buy has since stopped using wireless cash registers. Still, I think the problem is not with wireless itself, but the particular implementation Best Buy was using. Couldn't they simply encrypt the data?
Of course, credit cards are inherently problematic. Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal). Thus, everyone would be able to give, but not take. As it stands, credit cards have the worst security of anything. It's ironic too, since a lot of us computer enthusiasts will rant all day about how everyone should be using ssh and GPG, yet we give our login and password to the waitress next time we eat.
Re:Trust - bzzzt! wrong def? (Score:2, Informative)
that is the whole point of credit cards, after all. a way to deal with cashless transactions in a way that ensures your money is not technically at stake should something go tits up with the system. now, if we are talking about DEBIT cards, such as the Switch cards in the UK, that is a totally different kettle of fish, and your point about the safe is entirely correct.
nalfy.
Re:Trust - bzzzt! wrong def? (Score:2)
This is true. Using credit cards can sometimes be safer for an individual than other monetary transactions, because the credit card company will insure you if something goes wrong (within limits, as you say).
Still, this doesn't make the system technically better... it just moves the risk onto the credit card company. Although now that I think about it, would the average credit card user be able to handle the risk themselves if the system were implemented my way? We all know how people write passwords on their forehead.
Re:Trust (Score:2)
I agree.
Now, if the government could only standardize some way to do this. Perhaps instead of electronically, maybe some physical medium could be used to represent the money we have. We could actually hand these physical objects to the cashier on exiting a store. It would of course have to be small enough to carry around with us also. I hope to see this in real life one day!
No credit card fraud before the internet? (Score:5, Insightful)
Like you ever did need to be online to get your number stolen - easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.
This is *the* classic error in security thinking - only consider the hardware, ignore the human factors.
Re:No credit card fraud before the internet? (Score:2)
Customer: Excuse me, sir?
Me: *stares at credit card*
Customer: Hello? Are you going to ring up that sale, or what?
Me: *stares at credit card*
Customer: What the hell are you doing??
Me: *stares at credit card*
Customer: You're not trying to memorize those 16 digits plus expiration date, are you?
Me: *stares at credit card*
Customer: That's it, I'm going to another store!
Me: *stares at credit card*
Me: Oh, sorry, I was just...umm...lost in the beauty of this blue swirly chip in the middle.
Re:No credit card fraud before the internet? (Score:2)
Re:No credit card fraud before the internet? (Score:2)
Or so I'm told [eisenschmidt.org]
Re:No credit card fraud before the internet? (Score:2)
Depends on what you're using the card number for. Not every company that accepts credit cards checks those things thoroughly. For example, some smaller computer places just take the number and the expiration date and run the card manually.
I'm aware of a couple websites that offer services (not goods) that you can buy with a credit card that just do a LUHN check. If the number passes your service is provided. Billing is done by hand later. Credit card processors that can validate in real time (Verisign for example) are pretty expensive, much more so than printing out an email and keying it into a POS terminal.
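What the LUHN check mentioned in this comment does and does not establish, as an added example that is not part of the original post. The `order_decision` gate and its return strings are hypothetical; the sample numbers are a widely used test value and constructed strings, not live accounts.

```python
def luhn_valid(text):
    """Return True if `text` (digits, optional spaces/dashes) passes the Luhn checksum."""
    digits = [c for c in text if c not in " -"]
    if not 12 <= len(digits) <= 19 or any(c not in "0123456789" for c in digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def passing_final_digits(prefix):
    """How many of the ten possible last digits make prefix + digit Luhn-valid."""
    return sum(luhn_valid(prefix + str(d)) for d in range(10))


def order_decision(number, processor_approved):
    """Merchant-side gate (hypothetical): Luhn filters typos, it does not authorize.

    processor_approved is True/False once a processor has answered, or None if
    nobody has asked yet, which is the situation the comment describes.
    """
    if not luhn_valid(number):
        return "reject: mistyped number"
    if processor_approved is None:
        return "hold: well-formed but unverified"
    return "fulfil" if processor_approved else "reject: declined"


# Sample inputs (test value and constructed strings).
TEST_NUMBER = "4111 1111 1111 1111"
ONE_DIGIT_TYPO = "4111 1111 1111 1112"
SWAPPED_PAIR = "1411 1111 1111 1111"       # first two digits transposed
BLIND_SPOT_A = "4000 0000 0000 0903"       # "90" and "09" swap goes unnoticed
BLIND_SPOT_B = "4000 0000 0000 0093"


def run_demo():
    return {
        "test number": luhn_valid(TEST_NUMBER),
        "single-digit typo": luhn_valid(ONE_DIGIT_TYPO),
        "adjacent swap": luhn_valid(SWAPPED_PAIR),
        "09/90 swap both pass": luhn_valid(BLIND_SPOT_A) and luhn_valid(BLIND_SPOT_B),
        "final digits that pass": passing_final_digits("411111111111111"),
        "luhn-only order": order_decision(TEST_NUMBER, None),
    }


if __name__ == "__main__":
    for case, value in run_demo().items():
        print(f"{case}: {value}")
```

Exactly one final digit in ten passes for any prefix, so the checksum catches keying errors but says nothing about whether an account exists or has funds.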
Re:No credit card fraud before the internet? (Score:2)
Or to go to a restaurant and grab receipts off of tables.
When dining and paying with a credit card, never leave until the waiter has picked the receipt up. At least then you only have to trust the waiter, not everyone else in the restaurant.
Re:No credit card fraud before the internet? (Score:2)
Re:No credit card fraud before the internet? (Score:2)
I was scanning the replies to see if anybody else caught that before I posted. I used to work for a very ubiquitous electronics retailer that loved to ask for your name and address. We had a few unscrupulous employees there that would go through the receipts at the end of the day and record credit card numbers with the bonus catch of their name, address, and in many cases their phone number.
The company tried to wise up by not printing the address on the ticket but it just took a quick dive into the computer system to retrieve this information. I know for a fact that nothing has changed at this company and I can only imagine what others are like.
Blah, ok the cat's out of the bag (Score:2)
More validation is needed (Score:4, Interesting)
Fine, the number may be legitimate, and the card may be legitimate, but is the actual transaction legitimate? In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.
The practice of skimming credit cards and capturing numbers over wireless networks will continue, and credit card fraud will continue because it is easy to commit . . . probably until some form of smart cards encompassing biometrics are in mass use in the marketplace. Incorporate a finger print into a smart card and small recognition scanner at the point of sale. If your fingerprint doesn't match that on the card then the transaction will be denied. This won't help on-line fraud or fraud perpetrated during transactions when the cardholder isn't present, but it will cut down on innocent people being ripped off.
So why don't banks incorporate this? It's purely down to cost. They're not interested in consumers being defrauded, what matters to them is the money the banks lose. Fraud is a big problem, but until the levels of fraud amount to more than the cost of issuing and installing smart card or biometric technology, banks aren't going to be interested.
In the case of validation, European countries with lower levels of credit card fraud are those with higher levels of validation. Many countries in Europe require a matching signature as well as a PIN number. Sure, the PIN number may be picked up over a wireless network, but it goes to show that more stringent validation checks will reduce levels of credit card fraud.
And as for using encryption - surely that is just common sense?!
Re:More validation is needed (Score:4, Informative)
Not necessarily.. the PIN is stored on the card itself (one-way encrypted or something.. I'm not well-up on crypto stuff). So therefore the whole pin-processing can go on within the POS (Point-Of-Sale) terminal which just needs to return a success or denial message.
Re:More validation is needed (Score:2)
You got one thing right: you're not well-up on crypto stuff. Or common sense. How would this magical POS know if the PIN is valid or not? If PIN is hard-coded on the card, how is it different from the card number?
Re:More validation is needed (Score:2)
The PIN is obviously -not- stored plaintext, but as a DES encrypted number somehow. This may not be true for all systems but if you look halfway down here [physics.ubc.ca] or here [newsbytes.com]
You will get the general idea.
On the other hand, other sites tell you differently [howstuffworks.com].
Re:More validation is needed (Score:2)
I've been told this on several occasions by people who -are- well up on card security. The PIN is certainly stored on the card in some applications.
Some applications, yes, this application, no. Smart card-based credit cards may and often do store the PIN in the chip, but that's because the chip is fairly secure. The magstripe is not. There are some DES-encrypted verification codes stored on the magstrip, but not the PIN.
An easy way to prove that this is the case is to call your credit card company and change your PIN. You'll notice that they do not issue you a new card.
Re:More validation is needed (Score:2, Interesting)
As well, a lot of credit card companies allow you to pick your PIN long after you've received the card...
Re:More validation is needed (Score:3, Interesting)
Nope.
You want to know what is stored on your card? Not much. US cards (foreign - e.g. Japanese - are different) contain 3 tracks (ISO tracks) which contain up to 98 bytes (track 1) + 46 bytes (track 2) + 139 bytes (track 3). Total up to 283 bytes. So that ain't a lot of info.
Oh, what exactly is stored on the card? Well take a look at this doc [javapos.com] in the MSR (Magnetic Stripe Reader) section. Thar ya go.
Re:More validation is needed (Score:2)
The PIN information is called a PIN-Verification-Number, and may be stored in the mag-stripe data. The PVN can also be called an offset, but essentially think of it as a cryptographic-hash (usually DES based). Local verification of the PVN used to be much more common, especially when the only place to use debit cards were the ATMs owned by your bank. The banks would place their verification keys in every ATM, so that they could perform transactions even when the ATM was not connected. Because of both security reasons and improved communications, this is pretty uncommon now for all but the smallest of banks.
There is now a trend in the industry to not use card-based PVN, and to instead rely upon central databases. As Point-of-Sale terminals and the cross-use of ATMs owned by different banks grew, local verification became impractical. The keys used to verify the PVN were very secret and the banks did not want to share them with other banks; let alone trust them to a POS terminal (Aside: POS terminals tend to be very price sensitive, and their security capabilities are usually as minimal as the purchaser can get away with. From bitter experience, I know that trying to sell a customer POS terminals with much better security at say $205; will lose because they will buy an insecure $200 model instead!).
Finally to address another comment in the thread: If you change your PIN, and your bank uses a card-based PVN, you will need to update your card's magnetic stripe (disclaimer: I helped design a system that does exactly that, used at a number of major banks such as Wells Fargo, Citigroup, etc.). If your card does not have a PVN stored on the mag-stripe (for example, most US credit cards), then obviously you won't have to update the card when changing your PIN.
Re: PIN (Score:2)
This is true only for the most common (US) algorithm, often called the IBM-3624 algorithm. Other algorithms handle PIN encryption differently.
Re:More validation is needed (Score:2)
In other words, there is no validation that the card being used for the transaction really does belong to the person making the transaction.
Sure there is. Your signature matches the signature on the back of the card. Good combination of something you have (the card), and something you are (the signature).
Why are fingerprints so much harder to copy than signatures? They're both biometrics.
Re:More validation is needed (Score:2)
For the most part, this isn't important with in-store transactions. Why?
1. Online fraud is more pervasive than in store fraud--20 to 1.
2. The type of fraud in which a person uses someone else's card is *extremely rare.* Most people who lose their wallets or have their wallets stolen are vigilant and get the cards cancelled quickly enough.
3. The in store fraud which does take place involves fake cards printed up by the fraudster with a new card number and expiration date, or sometimes they magnetize one of their own cards with the new card number/expiration date. Clearly those could be fought with a more complex (possibly biometric based) system...but the cost is astronomical in comparison to what it would stop. In fact, in the mid 90's there was this idea to put photos on credit cards, and that seems to have fallen by the wayside. The cost to the bank of processing cards that way simply is not justifiable, especially since it doesn't achieve a damn thing. In store fraud simply is not the problem online fraud is.
but it will cut down on innocent people being ripped off
not directly. innocent people don't get ripped off because credit card issuers swallow the charges (even that $50 thing that we hear so much about is usually waived.)
however, on-line fraud is swallowed by the merchant, but that's a different story.
Truly a Best Buy (Score:3, Funny)
high tech credit card theft (Score:4, Insightful)
The cashier has access to your number. the accountant has access to your number. the manager of the store has access to your number. some stores print the entire number on receipts so anybody willing to dumpster dive has access to your number. waiters and waitresses who carry your card off to the register in a restaurant have access to your number...
and now people in the parking lot have access to your number.
Re:high tech credit card theft (Score:2)
Exactly. My grandfather once had his credit card number stolen directly by a store worker who wrote it down on a piece of paper. Turns out she also had the unauthorized purchases shipped to her house, so the FBI came a knocking shortly later.
What about "People" transmitted credit card number (Score:2)
Most -- note that I said "most" and not "all" -- of the people that are going to defraud me by using my CC number are not going to have access to a computer with equipment capable of sniffing the air packets (that sounds kind of gross) to get that number in the first place.
Re:What about "People" transmitted credit card num (Score:2)
Why are you worried? (Score:2)
The worst that can happen is you have to make one phone call to your card issuer to tell him you didn't make the charges.
If they use your number, they are not defrauding you. They are defrauding the merchant by using a card that is not theirs (the issuer will cancel the transaction and the merchant will not get paid.)
One of the main benefits of credit cards is that the responsibility for validation rests on the merchant, not on you. Unless your card is physically stolen and you don't report it, you do not have to pay for fraudulent use whatsoever.
Other Fraud mechanism. (Score:4, Interesting)
It occurs to me that what you could do is be able to intercept (or pre-empt) and replace data in valid transactions.
Then sit in the car-park, and substitute a different card number in to any refund transactions encountered. Create an account specifically for this, and drain it before any fraud is likely to be detected, easy money.
All of this is assuming that the systems do not use basic checksumming, double-verification, etc., but given that they already transmit them wirelessly and unencrypted, what chance is there that they take even basic protections against false data being injected into the network?
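Added example, not part of the thread or of any register vendor's code: the comment above asks whether checksumming would stop altered data, and this sketch shows why an unkeyed checksum does not while a keyed MAC plus a sequence number does. The message fields, register id, account labels and key are all constructed for illustration.

```python
import hashlib
import hmac
import json
import zlib

KEY = b"constructed-demo-key"  # assumption: per-register secret shared with the server

def encode(msg):
    # Canonical bytes so both ends checksum or MAC the same input.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def crc_ok(body, crc):
    # Unkeyed check: anyone who can change the body can recompute this.
    return zlib.crc32(body) == crc

def mac(body, key=KEY):
    return hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Server side: verify the MAC first, then reject stale sequence numbers."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = {}  # register id -> highest sequence number accepted

    def accept(self, body, tag):
        if not hmac.compare_digest(mac(body, self.key), tag):
            return "bad-mac"
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq.get(msg["register"], -1):
            return "replay"
        self.last_seq[msg["register"]] = msg["seq"]
        return "ok"

def demo():
    # Constructed sample message; field names and values are hypothetical.
    refund = {"register": "R7", "seq": 41, "type": "refund",
              "account": "ACCT-A", "cents": 12999}
    altered = encode(dict(refund, account="ACCT-B"))  # one field changed in transit
    body, tag = encode(refund), mac(encode(refund))
    rx = Receiver()
    return {
        "crc_accepts_altered": crc_ok(altered, zlib.crc32(altered)),
        "mac_genuine": rx.accept(body, tag),
        "mac_altered": rx.accept(altered, tag),
        "mac_replayed": rx.accept(body, tag),
    }

if __name__ == "__main__":
    print(demo())
```

A MAC covers integrity only; the card data still has to be encrypted in transit to stay confidential.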
So can crooked cashiers... (Score:2)
Root password (Score:2)
One of the major reasons I don't own a credit card and haven't ever, is the loose security generally. By simply trusting the clerk won't look at the numbers on the card is a ridiculous gamble with money you don't have.
Hey, gimmy your root password on a bit of paper and I'll give it back to you if you forget. Promise I won't look.
Home Depot? (Score:2)
online credit card theft (Score:4, Funny)
right, before the internet, credit card numbers couldn't be stolen. I also understand that before the internet, no music was ever pirated.
---
180 degree turn? (Score:2)
Credit Card numbers get stolen offline? (Score:2)
This should come as no surprise seems it has been easier to steal credit card numbers offline than online for some time now. Think about that pimply faced waiter disappearing in the back with your credit card at a restaurant. Who cares [mastercard.com] if you lose [visa.com] your credit card/number anyway?
One time credit card numbers? (Score:3, Funny)
Sounds like a great idea, one-transaction cards, with a unique number on each of them, all tied to one account.
But plastic swipe cards are too expensive to use once and throw away--make them out of paper, better for the environment.
While you're at it, you could eliminate the need for the separate credit card receipt by putting the amount and signature on the (paper) card, and handing it to the retailer... you could even use that funny non-carbon carbon paper if you wanted a receipt for yourself.
Print them up in a handy-little tear off pack, maybe throw in a balance sheet so you can keep track of your expenses (if you're so inclined).
If you let little old ladies get ones with puppies or kittens on them, this radical idea of yours might just be a success!
--
Benjamin Coates
Re:One time credit card numbers? (Score:2)
Then, once they are finally through, I swipe my card, wait 5 seconds for the receipt, sign it, and am on my way. And if my wallet is stolen, my maximum liability is $50, if the old lady's checkbook is stolen, she can be out the entire balance of her checking account.
Re:One time credit card numbers? (Score:2)
Re:One time credit card numbers? (Score:2, Funny)
Re:One time credit card numbers? (Score:2)
Another Reason (Score:2)
SecurID and Credit Card Companies (Score:2)
It should be somewhat easy to implement, credit cards would cost a bit more so of COURSE annual fees would have to go up at least 150%
I'm going to restate this over and over again. (Score:3, Informative)
Most say you are liable for fraud only if your CARD is stolen, and only for the time between its theft and when you report it to the company.
Any other fraudulent use of your credit card number you are simply NOT liable for. Remember, it's not really your number, and the card is not really yours. It's the property of the issuer, it says so on the back. It's a (weak) security token they issue you in order to identify yourself as someone who has a line of credit. If someone uses that, fraudulently, it is a screwup on the part of the merchant, or the bank. You do not pay.
If your contract says otherwise, or puts any other liability on you (other than normal, responsible behavior of course), shop around and find something better.
I realize it's a pain if someone has your number, and starts using it. It can be really inconvenient. But my point is.. rather than treating this like property that they have stolen from us, just like stealing our cash, we should be looking to the credit card companies to make sure this does not become our problem... because ultimately, it's theirs.
Best Buy isn't the only one! (Score:2)
This setup is *extremely* commonplace.
Good idea (Score:2)
Folks, it's not that hard... (Score:2)
Re:wireless anything (Score:2)
Original message (FYI) (Score:4, Informative)
Subject: Wlan @ bestbuy is cleartext?
Date: May 1 2002 3:57PM
Author: Blue Boar
I was asked to anonymously proxy this question to the list. Here ya go.
BB
Re:is wireless really just for a quick and easy se (Score:2)
What about Canada too? - Re:European Card Readers (Score:2)
In the last few years I've been seeing an increasing number of wireless payment options. This is great in bars as it saves going and hanging around in an obscure corner with the wait staff constantly trying to squeeze by.
It makes me wonder how secure it is... I wouldn't want somebody to get my bankcard and PIN number.