OT Target Hacked

AIUI, it wasn't a MitM attack, rather malware that listened to the conversations and batched up the information and sent it to the perps. They haven't said (to my knowledge), but it seems that it had to have been an inside job.

The merchant uses it to show he was "in possession" of the card (lower transaction fees, AIUI). The only information that's really needed is on the mag stripe, though. The perps can do enough damage just counterfeiting the cards.

Reply to
krw

I'll be reading more about it as details come out.

That's the purpose of the "swipe" rather than typing in numbers. Do you know if the 3 digit code is stored on the stripe?

I wonder how hard it would be to reverse engineer the algorithm used to create the 3 digit code?

Reply to
G. Morgan

Sure, the details are pretty sketchy and often contradictory but that's what passes for the "news" these days.

I'm not sure. It would seem that they would want a different code on the "swipe" to differentiate in-person and online transactions, but I don't know for sure.

I don't believe there is anything there to "reverse". AFAIK, it's a random code assigned by the bank. Sometimes the user is allowed to change it, but that's really an XOR hash in front of the bank-assigned number, just as your PIN is (though this detail isn't important in this case). PINs are handled and stored cryptographically and, other than at the keypad at the terminal, never used "in the clear". They're always encrypted.

Reply to
krw

The PINs are *never* encoded on the stripe. It's the CCV code that we're talking about (which is the three (VISA & MC) or four (AmEx) digit verification code on the front or back of the card).

Thinking about it some more, I *highly* doubt that the CCV is encoded on the stripe. There is a reason it's only printed on the card, not part of the number. It's *supposed* to be manually entered to verify physical possession of the card. If it were also on the stripe, a skimmer would also have this code.

Reply to
krw

That's what I think too. If the CCV code was on the stripe it defeats the purpose of proving the card is in someone's hand at the time of ordering something online or paying for something by telephone.

Reply to
G. Morgan

Wikipedia has a good article on them. They actually follow an ISO standard. There are two tracks on the stripe (sorta like cassette tapes, where one track is stacked below the first).

Here is the data; some of it is required by the ISO standard and some fields are left open for the issuer to put custom data on. Looks like the CCV code can be on there if the bank desires, as "Discretionary data".


Track 1, Format B:

- Start sentinel: one character (generally '%')
- Format code "B": one character (alpha only)
- Primary account number (PAN): up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
- Field separator: one character (generally '^')
- Name: two to 26 characters
- Field separator: one character (generally '^')
- Expiration date: four characters in the form YYMM
- Service code: three characters
- Discretionary data: may include PIN Verification Key Indicator (PVKI, 1 character), PIN Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVC, 3 characters)
- End sentinel: one character (generally '?')
- Longitudinal redundancy check (LRC): one character, a validity character calculated from the other data on the track

Track 2:

This format was developed by the banking industry (ABA). This track is written with a 5-bit scheme (4 data bits + 1 parity), which allows for sixteen possible characters, which are the numbers 0-9 plus the six characters : ; < = > ? . The selection of six punctuation symbols may seem odd, but in fact the sixteen codes simply map to the ASCII range 0x30 through 0x3f, which defines ten digit characters plus those six symbols. The data format is as follows:

- Start sentinel: one character (generally ';')
- Primary account number (PAN): up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
- Separator: one character (generally '=')
- Expiration date: four characters in the form YYMM
- Service code: three digits. The first digit specifies the interchange rules, the second specifies authorisation processing and the third specifies the range of services
- Discretionary data: as in track one
- End sentinel: one character (generally '?')
- Longitudinal redundancy check (LRC): one character, a validity character calculated from the other data on the track. Most reader devices do not return this value to the presentation layer when the card is swiped, and use it only to verify the input internally to the reader.

Service code values common in financial cards:

First digit
- 1: International interchange OK
- 2: International interchange, use IC (chip) where feasible
- 5: National interchange only except under bilateral agreement
- 6: National interchange only except under bilateral agreement, use IC (chip) where feasible
- 7: No interchange except under bilateral agreement (closed loop)
- 9: Test

Second digit
- 0: Normal
- 2: Contact issuer via online means
- 4: Contact issuer via online means except under bilateral agreement

Third digit
- 0: No restrictions, PIN required
- 1: No restrictions
- 2: Goods and services only (no cash)
- 3: ATM only, PIN required
- 4: Cash only
- 5: Goods and services only (no cash), PIN required
- 6: No restrictions, use PIN where feasible
- 7: Goods and services only (no cash), use PIN where feasible
Reply to
G. Morgan
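To make the track layout quoted in the post above concrete, here is an added example (written for this page; it is not code from the post, from Wikipedia or from any card network) that parses Track 1 Format B and Track 2 strings as a swipe reader typically presents them, decodes the three service-code digits from the tables above, recomputes the LRC character the reader checks internally, and splits the discretionary field using the PVKI/PVV/CVV layout the post lists. The sample track strings are constructed: 4111111111111111 is a well-known test PAN and the name, dates and discretionary digits are fictitious. The discretionary layout is issuer-defined, so the PVKI/PVV/CVV split is an assumption about one common layout, not a property of the format.

```python
"""Parse ISO/IEC 7813 Track 1 (Format B) and Track 2 data, decode the service
code, and recompute the LRC. Example code; sample tracks are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed samples: test PAN, fictitious name/expiry/discretionary data.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512101123456789?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

# Service-code meanings, taken from the tables quoted in the thread.
SERVICE_CODE_DIGIT1 = {
    "1": "International interchange OK",
    "2": "International interchange, use IC (chip) where feasible",
    "5": "National interchange only except under bilateral agreement",
    "6": "National interchange only except under bilateral agreement, use IC (chip) where feasible",
    "7": "No interchange except under bilateral agreement (closed loop)",
    "9": "Test",
}
SERVICE_CODE_DIGIT2 = {
    "0": "Normal",
    "2": "Contact issuer via online means",
    "4": "Contact issuer via online means except under bilateral agreement",
}
SERVICE_CODE_DIGIT3 = {
    "0": "No restrictions, PIN required", "1": "No restrictions",
    "2": "Goods and services only (no cash)", "3": "ATM only, PIN required",
    "4": "Cash only", "5": "Goods and services only (no cash), PIN required",
    "6": "No restrictions, use PIN where feasible",
    "7": "Goods and services only (no cash), use PIN where feasible",
}


@dataclass
class Track:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str
    name: Optional[str] = None  # Track 2 has no name field


def _check_pan(pan: str) -> None:
    if not (1 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 1-19 digits")


def _split_tail(tail: str) -> Tuple[str, str, str]:
    # Expiry (4) and service code (3) are fixed width; the rest is discretionary.
    if len(tail) < 7 or not tail[:7].isdigit():
        raise ValueError("expiry/service code missing or non-numeric")
    return tail[:4], tail[4:7], tail[7:]


def parse_track1(raw: str) -> Track:
    if not (raw.startswith("%B") and raw.endswith("?")):
        raise ValueError("track 1: bad start sentinel, format code or end sentinel")
    fields = raw[2:-1].split("^")
    if len(fields) != 3:
        raise ValueError("track 1: expected exactly two '^' field separators")
    pan, name, tail = fields
    _check_pan(pan)
    if not (2 <= len(name) <= 26):
        raise ValueError("track 1: name must be 2-26 characters")
    expiry, service, disc = _split_tail(tail)
    return Track(pan, expiry, service, disc, name)


def parse_track2(raw: str) -> Track:
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("track 2: bad sentinels")
    pan, sep, tail = raw[1:-1].partition("=")
    if sep != "=":
        raise ValueError("track 2: missing '=' separator")
    _check_pan(pan)
    expiry, service, disc = _split_tail(tail)
    return Track(pan, expiry, service, disc)


def decode_service_code(code: str) -> Dict[str, str]:
    if len(code) != 3 or not code.isdigit():
        raise ValueError("service code must be three digits")
    return {"interchange": SERVICE_CODE_DIGIT1.get(code[0], "reserved/unknown"),
            "authorisation": SERVICE_CODE_DIGIT2.get(code[1], "reserved/unknown"),
            "services": SERVICE_CODE_DIGIT3.get(code[2], "reserved/unknown")}


def lrc_char(raw: str, track: int) -> str:
    """XOR of the data bits of every character from start through end sentinel.
    Track 1: 6 data bits, characters 0x20-0x5F. Track 2: 4 data bits, 0x30-0x3F.
    Assumes `raw` is the track text without the LRC, as most readers return it;
    the parity bit has no representation in that text and is omitted."""
    base, nbits = (0x20, 6) if track == 1 else (0x30, 4)
    acc = 0
    for ch in raw:
        value = ord(ch) - base
        if not 0 <= value < (1 << nbits):
            raise ValueError(f"character {ch!r} is not valid on track {track}")
        acc ^= value
    return chr(base + acc)


def split_discretionary(disc: str) -> Dict[str, str]:
    """Assumed PVKI(1)/PVV(4)/CVV(3) layout; the field is issuer-defined."""
    if len(disc) < 8:
        raise ValueError("discretionary data too short for PVKI/PVV/CVV layout")
    return {"pvki": disc[0], "pvv": disc[1:5], "cvv": disc[5:8], "rest": disc[8:]}


if __name__ == "__main__":
    t2 = parse_track2(SAMPLE_TRACK2)
    print(parse_track1(SAMPLE_TRACK1))
    print(t2, decode_service_code(t2.service_code))
    print("track 2 LRC:", lrc_char(SAMPLE_TRACK2, 2), split_discretionary(t2.discretionary))
```

Run it as a script to see both tracks decoded. The point relevant to the thread is visible in the output: everything a terminal needs to authorise a card-present transaction (PAN, expiry, service code, issuer data) sits in plain text on the stripe, which is why a copy of the track is enough to counterfeit a card.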

It's not just the inconvenience of waiting for a new card. First, anyone foolish enough to use a debit card has the funds removed from their checking account and then has to wait for them to be restored. Second, it's a real PITA to have to fix every automatic payment account every time your card is compromised.

Reply to
sms

The stolen numbers come with the zip code of the card owner.

My debit card got canceled; the bank is sending me a new card. Then I must change all the automatic card withdrawals, like my EZ Pass.

I read this mess might cost Target over 2 billion in fines for running a not secure system. 90 bucks per card adds up.

Reply to
bob haller

While I agree that one should be very careful how one uses debit cards, I don't agree with your reasons. Yes, you will be out money from your account until it's reported but other than that, there really is no difference as long as the PIN isn't compromised. In our case the bank (CU) restored the money to our account while we were on the phone reporting the fraud. My wife watches accounts like a hawk so it was only one charge. We don't operate the account near zero, either, so that wasn't a problem. If you do run zero bank balances and don't watch your accounts, yes, you could be in trouble. You're in trouble anyway, IMO.

That's not needed if you're debiting the account directly. The number on the card is not your bank account number. If you're doing automatic payment using the card as a credit card, the same issue exists as a CC. They are treated exactly the same, in that case.

That said, I never use a debit card when I have to give the numbers to someone (phone or Internet) or where I have to give the card to another person (restaurant). I could have been in the Target mess, if I ever shopped at Target, though. I do use it frequently for purchases and to get money from ATMs.

Reply to
krw

A few years ago my roommate and I were installing new Cisco high security wireless access points in Marshalls & T.J.Maxx stores because someone got into their systems through the old wireless APs for the wireless bar code scanners used for inventory control. I could pick up the signal from the parking lot and that's where miscreants accessed the network. We were installing the high security APs in a number of different retail stores and pharmacies. We've never done any work in Target stores so I don't know what they're using; in fact, I've never been inside a Target store. ^_^

TDD

Reply to
The Daring Dufas

That's true. I limit the automatic payments to insurance and a storage unit I rent.

Reply to
G. Morgan

I have never had to "fix" an automatic payment for a compromised debit card, because I've never had a debit card compromised. Expiration date, yes, but the same thing happens with credit cards, so that's a wash. In fact, it's all a wash since compromised credit cards need to be "fixed" also.

Other than the time to restore funds, credit cards and debits have the same compromised and expiration dates issues.

Reply to
DerbyDad03

Well, the debit cards also screw up your checking account and can lead to overdrafts, etc. If I have a screwed up credit card it doesn't directly (or indirectly for that matter) mess up my every day banking whilst it gets sorted out.

Reply to
Kurt Ullman

Your bank should be offering for you to opt out of overdraft coverage. The charge would be refused rather than pay it and sock you for about $30 for a screw up.

Reply to
Ed Pawlowski

But the money would still be out of the main account so you wouldn't be able to pay electrical bills, groceries, etc., until it got sorted out. With a credit card, it doesn't matter since you have at the very least 30 days or so to sort things out and you'd still be able to buy stuff using your checking or savings accounts.

Reply to
Kurt Ullman

That's really the only difference between a CC and debit card (unless the PIN is compromised). If you're in the habit of running your checking account to zero, this is only one of the many problems that you're setting yourself up for (and it's reversible).

Reply to
krw

But even if you aren't one who keeps it near zero, if someone gets the PIN and loots the account, then you have no cash (essentially) to pay anything until the fix is made.

Reply to
Kurt Ullman

True, but the damage cannot go below $0 if they don't pay overdrafts and it can be sorted out in about 24 hours at a good bank. Not a perfect scenario, but not doomsday either.

On line transactions, I do use a CC rather than a DC for the reason you mention.

Reply to
Ed Pawlowski

It can be much less than this. When it happened to me, the charges were reversed while my wife was on the phone with them. Technically, she shouldn't have been able to do it but...

Ditto. I never let the DC, or its number, leave my hands. I don't give it to waitresses at restaurants, for instance.

Reply to
krw

I only use the DC at ATMs, and then only at banks, and then only after I take the place where you insert the card and give it a good shake to make sure it isn't a skimmer. Not that I am paranoid or anything....(grin)

Reply to
Kurt Ullman
