Security fail



  • @boomzilla said:

    @Snooder said:

    @boomzilla said:

    The Target thieves went for low value, high volume. The Neiman Marcus thieves went the other way.


    Thanks for that link btw. My stepmom apparently had 4 credit cards compromised in the past few weeks and when I told her about the Neiman Marcus break, she's pretty sure that was the vector.

    I think you forgot the humblebrag tag here.



    Naw. I don't shop there, my stepmom does. Since I'm not her, shopping at Neiman Marcus isn't really something to brag about. Now if I started talking about copping a sweet pair of Ferragamo bluchers, then you'll know I'm bragging.

    I'm really not kidding though, I went up to visit this weekend and while I was checking my email, I saw the latest post in the thread. Just thought it was an interesting little bit of conversation fodder since I know she likes the store; but it turns out she really was getting hit with messages that her cards were compromised and had no idea what happened. She was worried that someone had stolen her identity and taken out a new card or something.




  • I really don't understand why the magnetic stripe data has to be accessed by the computer at all. At least here (Slovenia) the card terminals are separate from the computers (older terminals actually need the cashier to type in the amount, though newer ones do get that information sent), and they do all the card processing internally (the terminals have either phone [POTS, ISDN or GSM/3G] or network connection), and just report whether the transaction was successful or not. There were a few cases of thieves actually replacing the terminals with skimmers, but these were all small-scale operations, and since the cards have gone chip-and-pin long ago, the results were nowhere near as disastrous.


  • Discourse touched me in a no-no place

    @ender said:

    I really don't understand why the magnetic stripe data has to be accessed by the computer at all.

    Because the credit card IT infrastructure in the US is embarrassingly crappy.
    @ender said:
    just report whether the transaction was successful or not.

    Strictly, it should report a cryptographically-signed transaction record so that it is possible for the retailer to prove that they got an authorization. There have been cases in the past with banks trying to do it the other way with their ATMs, with a single bit response, and they turned out to be really easy to hack (replace communications part with something that always says “yes”, a trivial circuit!) It's not significantly more expensive to do it right in terms of time, and it stops all sorts of criminal activity.
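The design dkf describes, as an added example that is not part of the thread and not any real payment protocol: the host signs the whole authorization record (terminal ID, amount, a terminal-chosen nonce, the decision and an auth code) with an Ed25519 key, and the terminal accepts an approval only when the echoed request matches the one it sent and the signature verifies. Next to it sits the single-bit design, where a tap on the line that always answers "yes" cannot be told apart from the host. The field layout, the names and the tap are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// AuthRequest is what the terminal sends. The host echoes it back inside the
// signed record so the terminal can bind the answer to its own question.
// Layout is an assumption for this example, not a real wire format.
type AuthRequest struct {
	TerminalID  string
	AmountCents uint64
	Nonce       [16]byte // fresh per transaction; stops replay of an old approval
}

// AuthResponse is the signed authorization record the host returns.
type AuthResponse struct {
	Req      AuthRequest
	Approved bool
	AuthCode string
	Sig      []byte // Ed25519 signature by the host over canonicalBytes()
}

func NewNonce() ([16]byte, error) {
	var n [16]byte
	_, err := rand.Read(n[:])
	return n, err
}

// canonicalBytes gives a length-prefixed, unambiguous encoding so that two
// different records can never serialize to the same bytes.
func canonicalBytes(r AuthResponse) []byte {
	var buf bytes.Buffer
	writeStr := func(s string) {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		buf.Write(l[:])
		buf.WriteString(s)
	}
	writeStr(r.Req.TerminalID)
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], r.Req.AmountCents)
	buf.Write(amt[:])
	buf.Write(r.Req.Nonce[:])
	if r.Approved {
		buf.WriteByte(1)
	} else {
		buf.WriteByte(0)
	}
	writeStr(r.AuthCode)
	return buf.Bytes()
}

// SignResponse is the host side: decide, then sign the entire record.
func SignResponse(priv ed25519.PrivateKey, req AuthRequest, approved bool, code string) AuthResponse {
	r := AuthResponse{Req: req, Approved: approved, AuthCode: code}
	r.Sig = ed25519.Sign(priv, canonicalBytes(r))
	return r
}

// VerifyResponse is the terminal side. An approval counts only if the record
// echoes the request actually sent and the host's signature checks out.
func VerifyResponse(pub ed25519.PublicKey, sent AuthRequest, r AuthResponse) error {
	if r.Req != sent {
		return errors.New("record does not match the request we sent (replay or substitution)")
	}
	if !ed25519.Verify(pub, canonicalBytes(r), r.Sig) {
		return errors.New("bad signature: record forged or tampered with")
	}
	if !r.Approved {
		return errors.New("declined")
	}
	return nil
}

// alwaysYesTap models the single-bit design with a tap on the line: whatever
// the host decided, the terminal hears "yes". Nothing lets it tell the difference.
func alwaysYesTap(hostDecision bool) bool { return true }

type ScenarioResult struct {
	LegacyForgedAccepted bool // single-bit design swallows the tap's "yes"
	GenuineAccepted      bool // signed approval from the real host verifies
	TamperedAccepted     bool // signed decline with Approved flipped to true
	ReplayAccepted       bool // an old genuine approval replayed for a new request
}

// RunScenario plays host, terminal and tap, and reports what the terminal accepted.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	res.LegacyForgedAccepted = alwaysYesTap(false) // host said no, terminal hears yes

	n1, err := NewNonce()
	if err != nil {
		return res, err
	}
	req1 := AuthRequest{TerminalID: "T-0001", AmountCents: 4999, Nonce: n1}
	genuine := SignResponse(priv, req1, true, "A1B2C3")
	res.GenuineAccepted = VerifyResponse(pub, req1, genuine) == nil

	n2, err := NewNonce()
	if err != nil {
		return res, err
	}
	req2 := AuthRequest{TerminalID: "T-0001", AmountCents: 4999, Nonce: n2}
	tampered := SignResponse(priv, req2, false, "") // host declines...
	tampered.Approved = true                         // ...tap flips the byte
	res.TamperedAccepted = VerifyResponse(pub, req2, tampered) == nil

	n3, err := NewNonce()
	if err != nil {
		return res, err
	}
	req3 := AuthRequest{TerminalID: "T-0001", AmountCents: 4999, Nonce: n3}
	res.ReplayAccepted = VerifyResponse(pub, req3, genuine) == nil // old approval, new nonce
	return res, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The tap wins against the single bit and loses against the signed record: flipping the decision byte breaks the signature, and replaying a real approval fails the nonce check. Because the signature is asymmetric, the retailer can later hand the record to anyone holding the host's public key as proof that the authorization was issued, which is the "prove that they got an authorization" property a shared-secret MAC would not give.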



  • @dkf said:

    @ender said:
    I really don't understand why the magnetic stripe data has to be accessed by the computer at all.

    Because the credit card IT infrastructure in the US is embarrassingly crappy.
    @ender said:
    just report whether the transaction was successful or not.

    Strictly, it should report a cryptographically-signed transaction record so that it is possible for the retailer to prove that they got an authorization. There have been cases in the past with banks trying to do it the other way with their ATMs, with a single bit response, and they turned out to be really easy to hack (replace communications part with something that always says “yes”, a trivial circuit!) It's not significantly more expensive to do it right in terms of time, and it stops all sorts of criminal activity.

    If someone can replace circuits inside an ATM, they can probably also access the money inside the ATM.



  • @dkf said:

    Strictly, it should report a cryptographically-signed transaction record so that it is possible for the retailer to prove that they got an authorization.

    Are you suggesting people move to some sort of… cryptography-based monetary system?



  • @Ben L. said:

    If someone can replace circuits inside an ATM, they can probably also access the money inside the ATM.


    What kind of low-rent 2-bit criminal settles for stealing a few grand from an ATM when you can fraudulently transfer millions into untraceable accounts via spurious deposits?



  • @Buttembly Coder said:

    @dkf said:
    Strictly, it should report a cryptographically-signed transaction record so that it is possible for the retailer to prove that they got an authorization.

    Are you suggesting people move to some sort of… cryptography-based monetary system?



    Fuck your bitcoin bullshit.


  • Discourse touched me in a no-no place

    @Ben L. said:

    @dkf said:
    Strictly, it should report a cryptographically-signed transaction record so that it is possible for the retailer to prove that they got an authorization. There have been cases in the past with banks trying to do it the other way with their ATMs, with a single bit response, and they turned out to be really easy to hack (replace communications part with something that always says “yes”, a trivial circuit!) It's not significantly more expensive to do it right in terms of time, and it stops all sorts of criminal activity.
    If someone can replace circuits inside an ATM, they can probably also access the money inside the ATM.
    They hacked the phone line IIRC. You can't put that entirely within the ATM enclosure.


  • Discourse touched me in a no-no place

    @Buttembly Coder said:

    Are you suggesting people move to some sort of… cryptography-based monetary system?
    No. I'm suggesting they use a cryptography-based payments system.

