An unintentional side effect of this system is that it also minimizes the risk posed by ATM skimmers, since I don't keep much in the ATM account.
That's horrible. Not to try to minimize, but something doesn't sound right, though (in the US). Risk of loss on debit cards should be up to $50, if you notify your bank within the first 48 hours, under the Federal Electronic Fund Transfer Act.
They went into the wrong bar apparently, and upon leaving were told that they forgot to pay the cover charge. Which was $100 a head apparently.
So they grabbed one of the men and literally started beating him in front of the partygoers until they all emptied their debit cards into the ATM at the door of the club.
Large transactions are more difficult to pull than smaller ones and I guess the guy was sampling the limits of the card with reasonable sized chunks.
But to rationalize the actions of a heroin junkie is hard and I won't try.
I've never had any traumatic experiences like these, but I always picture myself seeking revenge.
How did your friend cope with the anger?
My friend was working out of town in a suburb of Lisbon and had to take a train every day in the reverse flow (commuters were coming in to the center, he was going out), so the train was pretty empty one day and he was alone in the carriage.
Two guys walk in, sit next to him and one of them produces a dirty syringe, says he has HIV and that my friend better cooperate or else.
They escort him out at the next station and go into the tunnel where the syringe guy held him for all that time.
For the next few days he was completely paranoid and he had a friend in the police who tried to find the robbers but unfortunately they couldn't.
"All is money" at the time (he was 19) was around $3000 in today's money, and the bank didn't help (it wasn't a credit card). He had no form of insurance either.
He was always a very shy and inward person and that episode made him much more so.
But the years have passed and now he is quite normal and has become a really good 3D artist.
I haven't met him since I left Portugal but I guess he doesn't like to talk about this episode.
Another friend of mine was beaten up when he refused to give his pin and two other friends just gave it without resistance.
This is why I always have just enough money for daily expenses on the card bank account. It means I have to constantly top up that account which could be another security problem but at least if I am confronted with a violent situation I'll just give my stuff away and minimize my risk of physical damage.
[EDIT] Actually I was just on his website looking at his recent work and maybe he was more affected than what I imagined.
For a longer list, see: https://krebsonsecurity.com/all-about-skimmers/
The one with the keylogger-featuring keypad is what has me most worried, someone could rob me of my card a bit later. Then again, they might as well rob my card and demand the code, having someone else try it while keeping me at gunpoint. Yeah guns are outlawed here, but that doesn't mean they don't have 'em.
Crypto is cool, until you mention physical security. Obligatory: http://xkcd.com/538/
Incidentally, one of my banks by default blocks all use of Maestro (the European debit card system) outside of the Eurozone. You have to activate use of Maestro abroad on a trip by trip basis. One of my other banks automatically blocks credit cards used in the United States unless preceded by cash withdrawal at an ATM.
* Some banks' cards were vulnerable due to faulty crypto. The banks phased those cards out.
* Attacks based on a malicious PIN pad logging the PIN code, then feigning a chip error and telling the user to fall back to the magstrip, thus turning to traditional skimming.
I haven't read anything that attacks the chip itself on current cards. Do you have any links?
edit: Just found http://en.wikipedia.org/wiki/EMV#Vulnerabilities
edit2: Wikipedia TL;DR: There are two currently-relevant attacks:
* One lets attackers trick a terminal into initiating a PINless transaction in order to use a stolen card. This information is sent to the issuer as part of the authentication, so a bank could deny all PINless chip charges if they wished (I'm not sure what cases this is legitimately used in?), plus there's a clear trail that the cardholder isn't liable.
* The latest attack tricks the card into downgrading to an older, plaintext method of transferring the PIN from the terminal to the card, allowing the PIN to be skimmed. I'm not sure how this is useful in recreating the card to steal money.
I haven't been able to find very much on this in a few evenings that I searched for info on it, but from what I've been able to find I'm quite sure that it's possible to do. The chips give a boolean response as to whether the PIN number is correct and lock themselves after 3 attempts. Combined with the knowledge that 6 pins (=6 parallel bits) are used for 4 digit PIN numbers (log(10^4)/log(2)=14bits), you can deduce that it must have at least persistent storage and computational capabilities. A complete Von Neumann machine. This makes it feasible to implement algorithms like RSA and AES (asymmetric and symmetric encryption) on the chips. The POS/ATM then provides power and a connection to the desired bank, and all should be fine.
I don't really think they are that good to connect to the bank directly, but the idea that the chip is capable of this kind of crypto makes me feel better than with magnetic strips.
EMV is a contact system that requires physical metal pins to touch multiple contacts on the top of the chip itself.
What happens is that they clone the magnetic strip, so sometimes that and the PIN is enough to produce a card that does withdrawals.
And then your card is useless when in a place that only reads the stripe (like, that uses Square)
And afterwards, if the bank knows that it is supposed to be a chip-capable card; and the location (country) is supposed to be chip-capable, then all mag-stripe transactions are rejected even if the "all required information" is correct.
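The issuer-side rules mentioned in this thread (rejecting magstripe fallback where the card and the country are chip-capable, optionally denying PINless chip transactions, blocking Maestro outside the Eurozone unless travel use was activated, and blocking US credit purchases not preceded by an ATM cash withdrawal) can be sketched as one authorization function. This is an added example, not code from any bank or from a commenter; the country sets, card fields and the rule ordering are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumption, not any bank's real lists): which
# countries are treated as chip-capable and which belong to the Eurozone.
CHIP_CAPABLE_COUNTRIES = {"GB", "DE", "NL", "FR", "PT"}
EUROZONE = {"DE", "NL", "FR", "PT"}


@dataclass
class CardProfile:
    last4: str
    chip_capable: bool
    scheme: str                   # "maestro" (debit) or "credit"
    travel_enabled: bool = False  # per-trip activation of Maestro abroad
    # Countries where the holder has recently made a chip+PIN ATM withdrawal.
    recent_atm_countries: set = field(default_factory=set)


@dataclass
class Transaction:
    country: str
    entry_mode: str  # "chip" or "magstripe"
    cvm: str         # cardholder verification: "pin" or "none"
    channel: str     # "atm" or "pos"
    amount: float


def authorize(card, tx, deny_pinless_chip=True):
    """Return (approved, reason) for a single authorization request.

    Rules are evaluated in order; the first matching rule decides.
    """
    # Rule 1: a chip-capable card presented via magstripe in a chip-capable
    # country is the classic clone pattern, so reject the fallback.
    if (tx.entry_mode == "magstripe" and card.chip_capable
            and tx.country in CHIP_CAPABLE_COUNTRIES):
        return False, "magstripe fallback where chip is available"
    # Rule 2: the terminal reports the CVM used, so an issuer can choose to
    # refuse chip transactions that skipped the PIN entirely.
    if tx.entry_mode == "chip" and tx.cvm == "none" and deny_pinless_chip:
        return False, "PINless chip transaction denied by issuer policy"
    # Rule 3: Maestro outside the Eurozone only after explicit activation.
    if (card.scheme == "maestro" and tx.country not in EUROZONE
            and not card.travel_enabled):
        return False, "Maestro outside the Eurozone without travel activation"
    # Rule 4: US credit purchases need a prior ATM cash withdrawal in the US
    # (the withdrawal itself proves chip+PIN possession, so it is allowed).
    if (card.scheme == "credit" and tx.country == "US" and tx.channel != "atm"
            and "US" not in card.recent_atm_countries):
        return False, "US credit purchase not preceded by an ATM withdrawal"
    return True, "approved"


def record_atm_withdrawal(card, tx):
    """Remember an approved chip+PIN ATM withdrawal for rule 4."""
    if tx.channel == "atm" and tx.entry_mode == "chip" and tx.cvm == "pin":
        card.recent_atm_countries.add(tx.country)


def settle(card, txs):
    """Authorize a sequence of transactions, updating card state as we go."""
    decisions = []
    for tx in txs:
        approved, reason = authorize(card, tx)
        if approved:
            record_atm_withdrawal(card, tx)
        decisions.append((approved, reason))
    return decisions


if __name__ == "__main__":
    debit = CardProfile("1234", chip_capable=True, scheme="maestro")
    for tx in (Transaction("GB", "magstripe", "pin", "atm", 100.0),
               Transaction("PT", "chip", "pin", "atm", 100.0),
               Transaction("US", "chip", "pin", "atm", 100.0)):
        print(tx.country, tx.entry_mode, tx.cvm, "->", authorize(debit, tx))
```

Rule 1 is the one that actually neutralises a cloned stripe, since the clone carries the "correct" track data; the other rules only narrow where a stolen or cloned card can be used, which is why the thread's observation that non-EMV ATMs elsewhere remain the outlet still holds.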
On the other hand, the card doesn't slide all the way in anymore. Just far enough so that it sticks and it can read the contacts, so at least they can't grab all the information on it.
"Hey, Bob! Let's place our ATM skimmer right in the middle of a bunch of FBI goons and security experts!"
They're impossible to spot unless you plan on trying to pry off the front of every payment kiosk, which as far as I know most banks and gas stations frown upon...
From continuous images, seamless faces to make it obvious something is added on, to screen based keyboards. I am sure a lot of thought is put into it. I would hazard that the losses are not sufficient to fix it.
It's not easily avoidable.
The solution? Adding a plate with random bumps to each machine, and also adding a contraption in front of the card slot into which you place your card and then slide it in (see http://blog.webwereld.nl/wp-content/uploads/2009/08/nspas.jp... ). This last solution seems to be patented BTW.
I seriously doubt this method is ever used for that, as it would massively increase the risk when your card gets stolen (along with the PIN list you'd have to keep on hand). Additionally, I don't think it would work with international payment/withdrawal networks like Maestro.
What I don't understand is why ATMs in Europe don't use chip and PIN yet? All the stores do. That would solve this problem.
Many of them do - one security feature is to have the ATM pull the card very, very slowly into the slot whilst oscillating them to prevent skimmers reading the mag strip, as it's no longer required (unlike the US, nearly all ATMs here in the UK feed the card in automatically, rather than manually dipping it). If you're not used to this you might think the machine was on the way out.
Even with ATMs that support EMV (chip and PIN) you still run into the problem that a) ATM design inherently involves pushing the card into something, which could allow the mag stripe to be read, and b) as long as there are ATMs and places that don't use EMV then there's always going to be a way to get money out / buy product with cloned cards.
That was a weird moment.
> you still run into the problem that a) ATM design inherently involves pushing the card into something
Makes that moot. Interesting about the card readers that wiggle the card in, I think I've seen one or two of those. I wonder how hard that is to defeat with a more intelligent skimmer (wheel to measure how fast the card is moving to compensate?).
Most if not all of them do. But the cards still have the mag stripe to be compatible with ATMs all over the world that don't - and those are where the cloned cards are then used.
This may not be exactly how the system is set up, but I think I'm not too far off.
Came back to my desk, fired up HN, and read the article upon which we are commenting. Simmered in paranoia for a little while, then called up my bank and told them my card might have been compromised. New card with new number on the way.
Now just have to remind myself to check my transactions until the new card arrives.