

A Burger, an Order of Fries, and Your Credit Card Number - ojbyrne
http://www.slate.com/articles/technology/technology/2012/03/verizon_s_data_breach_investigations_report_reveals_that_restaurants_are_the_easiest_target_for_hackers_.html

======
ayuvar
We had a rash of credit/debit card skimming locally as a result of crooks
coming into stores in the mall and replacing the store's point-of-sale card
reader terminal with one of their own which was rigged to skim before passing
on the information to the register, according to the local news.

Normally, I'd distrust the news when it comes to anything vaguely technical
but it got me wondering if the POS terminal does anything to guarantee that
its credit card reader is still "authentic" (hopefully, it at least used some
kind of good faith challenge-response mechanism, even if it could be easily
spoofed by a potential attacker).

Physically swapping them out - both to put the rigged reader in, and to remove
it once it's "full" - also seems pretty risky. It was probably something like
this story instead where the register itself was targeted remotely.

~~~
simcop2387
From what I know about them when helping install them in a new retail store
where I was working a few years ago, there are quite a few of them that act like
nothing more than a keyboard. The fancier ones with a display still hook up
over USB and I don't think they use a challenge-response (I honestly don't
know there, I don't know the software for them). Even once I got them in, if I
was skimming I wouldn't even bother removing them ever. Instead I'd use
something like the little XBee modules or some other wireless device to read
them and just walk in and act like a regular shopper, leaving the retrieval
thing in my pocket the whole time.

------
brudgers
Related _All about Skimmers_ from Krebs on security:

<http://krebsonsecurity.com/all-about-skimmers/>

------
onemoreact
Having someone steal a credit card number is very safe; at worst you're out $50
and need to wait a few days to get another one in the mail. It's checks I
worry about; you can easily drain a bank account with the 2 numbers on the
bottom of them and you don't get your money back when that happens.

~~~
Zikes
Debit cards are particularly dangerous, as they are as vulnerable as credit
cards but do not offer the same protections.

~~~
rbehrends
This depends on your country. For example, in the UK, the Payment Services
Regulation 2009 makes no difference between credit and debit cards with
respect to a payer's liability. In either case, your liability is limited to
50 pounds (unless you acted with gross negligence, intentionally, or
fraudulently), regardless of the type of card used.

This is largely a consequence of articles 60 and 61 of EU directive 2007/64/EC
[1] (some countries have been lagging behind in implementing the directive,
though, so don't expect it to be the law everywhere in Europe).

[1] <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:319:0001:01:EN:HTML>

~~~
edj
I think the parent was talking about the US, where liability depends on how
fast you report the theft of your card or notice fraudulent transactions in
your statement. If you don't catch these quickly enough, then your liability is
unlimited.

<http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm>

------
rokhayakebe
Honest question: if a hacker is talented enough to create software to steal
thousands of dollars, are they not talented enough to make multiples more
legally?

~~~
blahedo
Possibly not if they're in a country with a weaker economy, lower cost (and/or
standard) of living, and no way to get a work visa someplace else?

