ChipAndPinFraud
Latest
Security experts hack payment terminals to steal credit card info, play games
If a payment terminal could be forced into servitude as a crude handheld gaming device, what else could it be made to do? Researchers at the Black Hat conference showed just what mischief a commonly used UK PoS terminal could get up to when they inserted a chip-and-pin card crafted with malicious code. That enabled them to install a racing game and play it, using the machine's pin pad and screen. With the same hack, they were able to install a far less whimsical program as well -- a Trojan that could record card numbers and PINs, which could be extracted later by inserting another rogue card. On top of that, criminals could use the same method to fool the terminal into thinking a transaction was bank-approved, allowing them to walk out of a store with goods they hadn't paid for. Finally, the security gurus took a device popular in the US, and used non-encrypted ethernet communication between the terminal and other peripherals to hack into the payment device and take root control. Makes you want to put those credit cards (and NFC devices) away and stick to cash -- at least you can see who's robbing you blind. [Original image credit: Shutterstock]
iZettle's chip-reading Square competitor will take your money, no swipes required (video)
Everyone seems to be getting on board with Square's iPhone credit card reader -- Apple started selling the device in its stores last week, and even Visa has taken a financial interest in the company. However, due to the popularity of fraud-fighting chip-enabled smart cards on the other side of the pond, Square's offering doesn't quite fit the bill. iZettle has a similar solution for Europe that includes the ever-so-necessary smart card reader, which the company is launching in Sweden this June. Not only does it enable you to accept credit card payments from friends or customers, the app adds a social twist. Merchants can email a photograph and receipt to buyers, who can then share their latest spoils on Facebook. Of course, if this starts to catch on, it could make explaining that "awesome deal" you scored on a new laptop that much more difficult when it pops up on your significant other's news feed. [Thanks, David]
Cambridge University finds credit card security flaw, uses the money for beer pong supplies (video)
Oh, those crazy kids at Cambridge University -- when not doing keg stands or playing Hacky Sack in the quad they're hard at work proving the vulnerability of the EMV verification used in credit and debit cards (or as it's called across the pond, Chip and PIN). We won't go into too much detail (because we don't have much detail) but a flaw has been discovered that allows one to convince the terminal that a card's PIN has been entered -- and you know what that means: free money! All you really need to pull it off is a fake smart card connected to a card reader containing the stolen card and some fancy software. (Place the contraption inside a hat box or bowling ball bag if you want to be slick.) What could be simpler than that? "We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," said Professor Ross Anderson from the school's Computer Laboratory. Sure, this is a proof-of-concept thing, and not yet a clear and present danger, but we have faith that the hackers will see this one through. Maybe we weren't crazy to bury all that gold in the backyard after all! British TV news (with the appropriate dramatic music) after the break.
