
Encoding Stolen Credit Card Data on Barcodes - mlacks
https://krebsonsecurity.com/2020/02/encoding-stolen-credit-card-data-on-barcodes/
======
exabrial
I think I'm missing something obvious... Why not just encode the information
into a magnetic stripe and pay like a normal credit card? What advantage to
the thief does it have to force a barcode scan?

~~~
jolmg
This might have something to do with it:

> When the transaction goes through, it’s recorded as card-not-present
> purchase.

> As a result of this emerging trend, instead of finding a large number of re-
> encoded credit cards during a search, a subject may only possess stickers or
> cards with barcodes that contain stolen card data,” the alert continues.
> “Additionally, the barcodes could be stored on the subject’s cell phone. If
> barcodes are discovered in the field, it could be beneficial to utilize a
> barcode scanning app to check the barcode for credit card data."

So, it sounds like the advantage is in doing something novel to avoid
detection and hide proof better.

------
rahimnathwani
Why didn't they embed the CVV and expiry date into the barcode? Maybe they
can't embed a '\r' into the barcode, or the characters after the CR would be
entered before the POS was ready to accept them?

~~~
rootsudo
because they probably didn't know you could jump fields.

But also because in an IBM POS the cashier has to physically press the enter
key and wait (with delay) for the month/date and CVV.

