
ATM Fraud at Aldi: Terminals modified in manufacturer's factory. - iuguy
http://news.softpedia.com/news/Hackers-Install-Tampered-Payment-Terminals-at-Grocery-Retailer-160163.shtml
======
drdaeman
<rant silly="probably">

There is no secret that the whole present-day credit card system is
conceptually screwed up. You have to trust way too many parties, starting from
your bank (that's okay) and ending with the passing-by stranger behind your
back (who can glance and memorize your card name and number, and that's not
okay) and store's security guard, watching the camera above your head.

The systems where a customer can use small and secure device to generate one-
time token for a specified amount of money and specified merchant are already
invented. They would almost completely stop the card fraud. But that's not gonna
happen anytime soon, because most customers are too illiterate (since when
they gonna teach the very basics of cryptography at schools?) and business is
too lazy (this is why 3-D Secure failed - almost nobody cared to support it
because "everything works" the old completely insecure way).

</rant>

~~~
gaelian
Had an experience with 3-D Secure just last week:

* SO asks me to buy some printer ink for her at a particular online store that sells such things, SO gives me her Visa card.

* I do the deed and while I'm checking out online I come to a page that tells me it has been detected that I am a part of the "Verified by Visa" program and that I will be redirected to a page to facilitate said verification by Visa.

* I'm redirected to a page that by the URL and branding I assume is owned by the bank that provides the merchant facilities for the ink cartridge website. This page partially loads but then dies because my NoScript Firefox add-on disallows the JS on the page. I'm left looking at a button that says something like "Click to enter your password" but due to JS being disabled, it does nothing when you click on it and even if it did, I would not know what password to enter. I do some Googling on Verified by Visa and how it might relate to our particular bank, but find very little other than pages filled with sales-speak on how Verified by Visa makes things more secure.

* Conversation ensues: Me: "Do you have a password for your Visa card?" SO: "Password? I have a pin number..." Me: "No I think it's different to your pin number" SO: "I have no idea what you're talking about." Temperature starts to rise as it's late and it's been a long day. Conversation escalates but is defused just in time before it goes nuclear.

* I enable JS, the page then reloads and errors out because now it's been detected that I've done something out of the ordinary flow and it's all bets off. I get back to the original ink cartridge website to find my shopping cart empty.

* I select all the products I want to purchase once more and not realising at this stage what Verified by Visa actually is and my tired and befuddled mind already convinced that the bank has enrolled my SO in some added security scheme and that she's forgotten that they gave her a password, I try using my own MasterCard to pay and find out that actually I hit the same thing, only with MasterCard it's called MasterCard SecureCode. Fortunately, since I enabled JS last time, I get through it this time, interestingly without having to enter any password, even though the explanatory text on the page still tells me I will need to. This is lucky because I have no password for my MasterCard either.

* The next day, SO goes to the bank, the person behind the counter has no idea what Verified by Visa or MasterCard SecureCode actually is. They tell her they do not supply passwords for credit cards. SO calls me and asks me to explain what happened to the person at the bank, more frustration ensues. SO eventually finds someone at the bank who knows vaguely what she's talking about and he tells her that they don't supply passwords for credit cards, but that you should be able to set one up through the checkout process of this random, not particularly trusted website that she buys printer cartridges from.

* I do more research and find out that yes, this is all in fact 3-D Secure under different names and I now have a rough idea of what the deal actually is.

I'm going to have to put some of the blame for this whole cluster fuck onto
myself because I'm meant to know about this stuff, I'm paranoid enough to be
using NoScript and that night was not my most blindingly brilliant moment of
deductive reasoning in general. But nonetheless, this was without a doubt
the worst experience of eCommerce that I have had in all the years I have been
buying stuff off the Internet. Regardless of the merit of 3-D Secure
itself, if this is the current state of its implementation then yeah, no thanks.

~~~
iuguy
Oh god yeah, I've had a credit card in a permanently blocked state through
that exact thing. The credit card provider told me they couldn't unblock it.
Visa told me it wasn't blocked. Yet even in IE afterwards I still couldn't use
the thing.

This was not good for the Credit Card company, but a great way of me getting
rid of a balance.

------
there
this wasn't on ATMs, it was on the credit card payment machines at the
registers.

~~~
lliiffee
Which is odd since, doesn't ALDI not accept credit cards?

~~~
kingofspain
I've paid by debit card at my local Aldi (ham FYI).

------
iuguy
Sorry, I do apologise for mentioning ATM instead of the payment terminals. It
wasn't what I meant and I don't mean to mislead anyone off the back of it. My
bad. Sorry once again.

------
janzer
I don't see anything in there that would indicate the readers were tampered with at
the factory. Am I missing it or is there another source that says this?

~~~
iuguy
Check the last sentence.

~~~
janzer
ahh, thanks.

------
rudin
I see we are still losing the rights for the moniker "Hacker".

