Credit Card Fraud
'Chip and PIN' Busted!
It was literally the night before this article came out that my friends and I were discussing the effects of the transition from mag stripe credit cards to the infamous and highly touted chip cards.
My friends (a bunch of brilliant code monkeys--commonly referred to as geeks... although one would rather think of himself as a rapping gangster...) touted the high degree of encryption and the exponentially greater amount of data able to be stored on the chip.
"Impervious due to its new encryption?" questioned one.
"But of course, nothing is forever secure," remarked the other. "Eventually someone will break it. But how, if the encryption was so strong?"
Much like Houdini, or the spies of the Cold War, the answer was there in front of us the whole time... We just couldn't see it.
That is, we were focusing on the strength of the encryption while someone else took advantage of a split-second transmission of data off the chip--whether or not to verify the transaction via PIN.
Check out the rest of the article to learn how Python was used to hack 'Chip and PIN'.
SECURITY THREATS TOOLKIT: Chip and PIN is broken, say researchers
ZDNet - February 11, 2010, 17:01 GMT
Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.
Researchers at Cambridge University have found a fundamental flaw in the EMV -- Europay, MasterCard, Visa -- protocol that underlies chip-and-PIN validation for debit and credit cards.
As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.
"Chip and PIN is fundamentally broken," Professor Ross Anderson of Cambridge University told ZDNet UK. "Banks and merchants rely on the words 'Verified by PIN' on receipts, but they don't mean anything."
The researchers conducted an attack that succeeded in tricking a card reader into authenticating a transaction, even though no valid PIN was entered. In a later test, they managed to authenticate transactions, without the correct PIN, with valid cards from six different card issuers. Those issuers were Barclaycard, Co-operative Bank, Halifax, Bank of Scotland, HSBC and John Lewis.
Continue to the rest of the ZDNet article.
- Jennifer Ford-Smith's blog
It's been a while!
Well, here we are in 2010 and look at all the interesting things going on.
Of course, when it seems like so many things are happening at once, whether the headlines scream of natural disasters, fiscal policy changes or credit card reform, such chaos can make way for opportunistic fraud.
To stay on top of the trends and for split-second Canadian and international FraudInfo, stay tuned to FraudBlog on Twitter with daily tweets.
Happy Investigating!
- Jennifer Ford-Smith's blog
The Hazards of Free Parking
As kids, we rolled the dice, hoped to land on some Free Parking and then argued over the rules as to whether we merited all or a portion of the money associated with this prized location.
Today, free parking is hard to come by. Or so it seemed until word got out that parking meters in the Toronto area were accepting bogus credit cards... repeatedly.
A few things reign supreme in fraud prevention: communication and timing. Once one has spent months or even years investigating something, the thought of having to take the time to retell the story for peers can seem daunting, but it is a must when seeking to fight something within an industry or community. All too often, information is not shared with other pertinent players.
Here we see the same: Information gathered from one card reader is not updated to the others in a timely enough manner as to be effective. And the community, albeit of parking meters, loses as a whole.
Too small of a hit to be relevant?
Last year, the TPA lost $2 million to fraud. Relatively speaking, not a large hit, but this small market for fraud exposes some of the pertinent gaps found in other industries.
The Fixer: Investigation | Overhauled meters still can't detect illegal use
theStar.com - Saturday, April 19, 2008, 04:30 EST
Credit card readers in Toronto's pay-and-display parking meters were recently upgraded at a cost of $10 million, but the new readers are as easily bilked as the ones they replaced.
An invalid credit card can be used in any of the 2,600 multi-space parking meters on city streets to get a dashboard parking receipt for free.
Only when the card number is included on the Toronto Parking Authority's credit card "blacklist" – which can take weeks – is a card supposed to be blocked. The TPA has lost more than $2 million due to fraud over the past two years.
Continue to the rest of the Star.com article.
- Jennifer Ford-Smith's blog