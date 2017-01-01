Hacker News
'Shimmers' are the newest tool for stealing credit card info (cbc.ca)
I'm having a surprising amount of trouble finding this information online: does the "chip" include some functionality (maybe called iCVV or dCVV) that allows it to individually "sign" transactions using internal secret keys, or does it not? This was my understanding of why the new system was supposed to be safer.

If the answer is yes, secret keys that never leave the chip are used to sign each transaction and the signature is verified by the bank, I'm not sure how these "shimmers" would be useful, since the secret key would presumably not be compromised and so the shimmer may obtain some data identifying the card and transaction but not the ability to sign new transactions. If the answer is no, none of this is happening, then I'm not sure what the point of the switch was in the first place.

Maybe the answer is something in between? Banks suck, so they've implemented chip cards in a half-assed way with gaping security holes?

The answer is yes, most chip cards can do public key cryptography to sign a transaction without compromising the secret key burned in.

Also, more frequently than I would wish, banks or payment processors ask payment terminal operators for a "simpler", meaning less secure, transaction protocol. Most often it's for compatibility with some legacy system from the 80's somewhere in their payment validation backend.

From my experience in the industry, this happened very rarely in Europe but considerably more often in the Americas and Middle East.

This sounds like the attack presented at DEFCON 19 (in 2011!): https://www.defcon.org/images/defcon-19/dc-19-presentations/.... Basically, the chip used to contain all the information present on the magstripe, which made it easy to create a copy of the magstripe via the chip interface.

From the issuer side, the solution to remove this risk is simple (and I believe I was told it in an EMV implementation seminar 10 years ago):

If the incoming transaction lists that the terminal is chip&pin capable, you'd simply automatically reject a magstripe transaction with a code that should result in the POS showing "please insert card in the chip reader";

If the incoming transaction lists that the terminal is not chip&pin capable, the merchant has chosen to be liable for all fraud cases themselves, so it can't cause a loss for you and your customers. It is an inconvenience, but as all the fraud in the country concentrates on the (fewer and fewer) merchants accepting these transactions, it causes an increasing financial pressure on them to switch.

> the chip used to contain all the information present on the magstripe

Not all of it - the chip has a dynamic CVV that differs from the one on the magstripe. This only works if the bank isn't checking CVVs.
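The issuer-side checks discussed in the comments above (decline magstripe entry at a chip-capable terminal, and verify the CVV that belongs to the entry mode), as an added Python sketch that is not part of any commenter's post. The message fields, key, service-code values and card number are constructed, every card is assumed to carry a chip, and the HMAC derivation is a stand-in for the real issuer CVV algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass

ISSUER_KEY = b"constructed-demo-key"  # constructed; real keys live in the issuer's HSM
MAGSTRIPE_SC = "201"  # sample service code encoded on the stripe of a chip card
CHIP_SC = "999"       # service code substituted when deriving the chip's iCVV

def derive_cvv(pan: str, expiry: str, service_code: str) -> str:
    """Stand-in derivation (HMAC-SHA256), NOT the real card-scheme CVV algorithm."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    mac = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

@dataclass
class AuthRequest:  # hypothetical, simplified authorization message
    pan: str
    expiry: str
    entry_mode: str              # "chip" or "magstripe"
    terminal_chip_capable: bool
    cvv: str                     # value carried in the track data the terminal read

def authorize(req: AuthRequest, check_cvv: bool = True) -> str:
    # Rule 1: a chip-capable terminal has no reason to swipe a chip card.
    if req.entry_mode == "magstripe" and req.terminal_chip_capable:
        return "DECLINE: insert card in the chip reader"
    # Rule 2: the CVV must be the one that belongs to the claimed entry mode.
    if check_cvv:
        sc = CHIP_SC if req.entry_mode == "chip" else MAGSTRIPE_SC
        if not hmac.compare_digest(req.cvv, derive_cvv(req.pan, req.expiry, sc)):
            return "DECLINE: CVV mismatch"
    return "APPROVE"

def demo() -> dict:
    pan, exp = "4000000000000002", "2812"      # constructed test card
    icvv = derive_cvv(pan, exp, CHIP_SC)       # value exposed on the chip interface
    cvv1 = derive_cvv(pan, exp, MAGSTRIPE_SC)  # value on the genuine stripe
    clone = lambda capable: AuthRequest(pan, exp, "magstripe", capable, icvv)
    return {
        "genuine chip": authorize(AuthRequest(pan, exp, "chip", True, icvv)),
        "genuine swipe, stripe-only terminal":
            authorize(AuthRequest(pan, exp, "magstripe", False, cvv1)),
        "clone, chip-capable terminal": authorize(clone(True)),
        "clone, stripe-only terminal": authorize(clone(False)),
        "clone, issuer skips CVV check": authorize(clone(False), check_cvv=False),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```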

With that information I make the conclusion that it should not be a problem in countries that have moved 100% to "chip & pin".

Only for countries like the USA which have not completed the move from magnetic readers.

> Maybe the answer is something in between? Banks suck, so they've implemented chip cards in a half-assed way with gaping security holes?

This is the problem. Some banks don't verify the signature/iCVV.

Not all terminals in the States support chip functionality, so for the time being chip & pin cards here still have normal mag strips and can be run as older, regular cards - the mag strips can still be read/stolen & used.

And it's unlikely that this will change anytime soon due to the lack of incentives on all sides.

Funny as it may be, my debit card for some reason has a $500 (unmodifiable) limit on chip&pin purchases, but it has no such limit for swipe purchases. When I asked them how is that more secure, I got a verbal shoulder shrug.

Banks are in the business of underwriting. I believe at least on the corporate level they probably don't like the idea of fully secure, verifiable payments, because that would mean you don't need them anymore.

That's true, but the shimmers in question clearly have smart card pins. What you're describing is the traditional skimmer; a shimmer is not merely a thinner skimmer.

These devices read the data between the chip and the terminal. This would be fine, if payment processing consistently used iCVV/EMV, but it turns out they don't.

Magstripe-only terminals are still widely used in the US.

This happened to me recently when my card data was stolen in a very respectable place where I've been a long time patron. It was a totally unpleasant surprise. Right the next day the fraudulent transactions on my card started to pop up all over the world - Beijing, North Carolina, etc. My bank promptly blocked the card - but I had to deal with the pain of calling in, going over my transactions list, verifying my identity and then waiting 2 weeks for a new card in the mail.

Krebs has a post on this as well:

https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip...

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,”

I have not had the largest confidence in banks' abilities to understand security. I've personally dealt with:

1) 'Two factor auth is on, you have to answer two security questions to access your account!'
2) 'Your password is limited to exactly 8 characters ... for security'
3) 'Oh, we now support SMS two factor auth' -- 4 months in, I've received 1 SMS challenge
4) 'You don't want a chip card, they are more hassle'
5) 'We allow systems like Mint to access your account when you have 2 factor auth on. No, you cannot opt out.'

Yeah, don't have the highest confidence that my bank(s) actually understand how to keep things safe.

Lots of comments here about magstripes and the failure of the US banks to get rid of them. Funny thing about that is this is a Canadian article about this happening in Canada, and shimmers actually steal data off chips - not magstripes.

Why would they do this? The assumption is that the thieves plan to use the chip data to create a fake magstripe card or make online purchases somewhere that the CVV is not checked. Not checking the CVV is a complete failure, and apparently for once it's not a US failure (unless the thieves are targeting tourists??).

The article is light on specifics, but my Canadian chip card will normally reject stripe transactions in Canada (or it did the last time I saw a stripe machine, several years ago), but happily perform them when I cross into the US.

So one possibility is that they're stealing magstripe data off the chips for cloning and use in the US banking system.

I would argue that numbers skimmed from retail stores are the store's responsibility. Even in a large store there aren't that many POSs. They should have a procedure for checking the POS before close or on open.

That sneaky comment about using NFC instead.

Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader...

So shouldn't it be called a sLimmer?

I believe the idea is it is shimmied into the slot?

Slimming sheds pounds, this accumulates them.

