Comments on: Point of Sale skimmer that prints out real-seeming receipts

By: Antinous / Moderator

Antinous / Moderator — Tue, 18 Dec 2012 23:01:00 +0000

Is a false negative less suspicious than a false positive?

Yes. Frequently, when I have a potassium level drawn, it comes back life-threateningly high, presumably due to hemolysis. I go back for a redraw and it comes back normal. The doctor accepts the normal value and rejects the abnormal value. Think about it.

By: ZikZak

ZikZak — Tue, 18 Dec 2012 19:03:00 +0000

Have it always reject the first PIN entered, or maybe just randomly.

Is a false negative less suspicious than a false positive? You can be sure you entered the wrong PIN, but how sure are you really that you entered the right PIN? This tendency has been exploited by phishers for a while, where they have you enter all your info on a fake site, then when you submit the page, they give you an authentication error and bounce you to the real site to “try again”.

Also, why is being connected to ethernet a reassurance?

By: Chris

Chris — Tue, 18 Dec 2012 19:02:00 +0000

I imagine this is something that would be implemented at a non-permanent location. A farmer’s market, street fair, art show type event where they are mobile and can disappear easily afterwards.

By: semiotix

semiotix — Tue, 18 Dec 2012 18:43:00 +0000

Debit cards may not have precisely the same built-in legal protections as credit cards (I don’t know), but as a practical matter, I know from repeated experience that banks and/or their affiliated finance companies treat them the same way. You report the fraudulent charges, they do a cursory investigation, the money reappears in your account. At least that’s the case in the American context.

I’m not one to give banks a lot of credit in this or any other regard, but debit card numbers get stolen all the time, just like credit card numbers. Nobody would use debit cards at all if there were no recourse.

By: Marios P.

Marios P. — Tue, 18 Dec 2012 17:53:00 +0000

couldn’t someone replace one of those without the owner noticing and reaping the “profits” ?

on a side note I remember hearing in the UK that there was some guys sticking an mp3 player-recorder on the phone line of an ATM and recording pins and card numbers by sound…

By: Terry Fairbrother

Terry Fairbrother — Tue, 18 Dec 2012 16:52:00 +0000

Not really, its possible you could have a device switched by a member of staff, or even someone brazen enough to pass themselves off as a member of staff. I imagine its best situation is outdoor cafes etc. watch the waiter/ess deliver the receipt then the fraudster walks over with the pad and does the transaction before the staff member comes back.

The weakness on this device is its portability, so in my mind the easy test is a fake pin, if it accepts it its a phoney since a real pinpad checks the pin thats held on the card – you get 3 attempts so you can afford one test.

Counter / fixed pinpads at least are connected to Ethernet / phoneline so there’s some reassurance that its genuine.

By: xzzy

xzzy — Tue, 18 Dec 2012 16:11:00 +0000

Makes a decent argument for ditching debit cards. Either pay cash, or use a credit card. Credit card info can still be stolen but at least there’s a process in place to have fraudulent charges reversed. If they get your debit card and clean out your bank account, there’s no recourse available.

By: SamSam

SamSam — Tue, 18 Dec 2012 15:27:00 +0000

It seems to me to be fairly unlikely to encounter one of these. The store owner would have to be the one trying to steal your card information, they would have to be losing out on every store purchase (since this thing doesn’t actually send anything to VISA etc), and they’d have to be hoping that none of the people that whose accounts they clear out will look at their transactions and notice one missing, or remember the last few places in which they used their card.

A more worrying situation would be a firmware hack on a real POS device (or a router that simply stores the info and some good decryption) that allowed transactions to still go through but recorded the details, allowing the owner to sell the occasional card number at a much later date. My guess is that the encryption on POS devices makes this second senario much less likely, however.

By: nowimnothing

nowimnothing — Tue, 18 Dec 2012 15:27:00 +0000

You must be in one of the more enlightened countries. Over here in the technological backwaters of the U.S. magnetic strip is still king. Sure some of the fancier stores may have the tap to pay option, but it is always alongside a mag stripe reader.

By: pebird

pebird — Tue, 18 Dec 2012 15:09:00 +0000

Martijn:

The US doesn’t have Chip and PIN implemented yet – everything still on the swipe (except PIN). Good idea to enter an erroneous PIN.

By: revdj

revdj — Tue, 18 Dec 2012 15:05:00 +0000

So, exactly where and how would this be used? Wouldn’t the merchant have to be in on the scam?

By: Martijn Vos

Martijn Vos — Tue, 18 Dec 2012 14:44:00 +0000

I’ve always wanted to know: how do you copy the chip on the card? I don’t know any place where they still use the magnetic strip, so you might as well wipe that.

Also: if you’re suspicious, type the wrong pin first. If the payment is approved, you’ll be glad you didn’t type the correct pin.

By: oasisob1

oasisob1 — Tue, 18 Dec 2012 14:31:00 +0000

Next gen will include a cellphone to send data directly home, no worries about getting snarfed up by the police when you access the device for downloading data. Yay, progress!