It's been a while since I've posted anything; so here's some recent expierences I've had.
Recently I recieved a call from my bank, they had an automated attendant a recording advising me that my PIN had been comprimized; and I should visit my branch and have it changed as soon as possible. This plague had struck my significant other not even a month previsoulsy so I half expected it to hit me sooner or later.
I've noticed a trend lately; within the realm of security, espcially where merchants are concernd. PIN Skimming is defined as making a copy of the IDE card (your debit or credit card is called an IDE card, not to be confused with Integrated Drive Electronics; which are inside most old computers as a hard drive interface bus!).
Debit card fraud is on the rise; as are credit card fraud and various other forms; however this second version of fraud is interesteing in it's methods.
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1105142446966_16/?hub=WFive
The core issue to consider here is that plastic money is designed to be cheap; the security on a debit card is limited to a 4 digit pin that is usually never changed. As any novice LAN administrator will repeat; 4 digits does not a password make.
Now the equipment in question is also very cheap; pin pad's and readers are a cost sensitive industry; in that merchants will not implment a digital system if the cost is too high and banks will not sell systems if they cannot turn a profit on them so the unit manufactering cost must be low. The newer systems include two standards instead of a magnetic stripe but for the most part most systems remain the same.
Magnetic Stripe Cards are old
http://en.wikipedia.org/wiki/Magnetic_stripe_card
Smart Cards can be duplicated
http://en.wikipedia.org/wiki/Smart_cards
And Even RFID has been comprimised:
http://en.wikipedia.org/wiki/RFID#Exploits
In fact anyone with a university degree in eletrical engineering and working knoledge of comptuers and radio systems can setup a system to skim data; but my most recent expierence when speakign to my banking representative I asked them how they became aware of the breach? They replied; well certian merchant providers have firmware that is comprimized, so even the merchant is unaware of the skimming.
I thought to myself "That's pure ciminal genius!"; Don't bother to comprimise the bank, it's individuals or even the merchants but instead exploit the cheap equipment responsible for the client transaction by placing a keylogger in the firmware and duplicating the cards; most systems require network connections to process the Electronic Data Interchange transactions; therefore if your trojan firmware can skim data and send it off to a zombie network for processing you have an active database ripe for duplication withonout even the merchants bieng aware of the comprimized device. I bet the sales of the databases are the motivator for the crime in the first place.
I mean how much money will 7/11, Quickie and the like spend on security audits of their own merchant processing hardware? It's all leased from banks or 3rd parties whom simply wish to maintain cheap transaction costs as to remain competative. So it's the softest target; and therefore the most likely to be exploited.
It seems we now have a new exploit to contend with the soft pin pad merchant firmware exploit; I could only imagine of a few organizations that are capable of this kind of clout and money since you'd have to hire a developer that has worked on this machinerey previously; and developers are never cheap.
So the question enters the ring; as the security arms race continues when will biometrics be incroproated into our transactions?
Currently the authentication mechanisam is purely based on numbers and data in the case of credit (I mean you can challenge any charge that you have not signed; depending on the retailer), In the case of debit you have somthing you know and somthing you have; both of which can be taken via comprimized firmware within the device used, with no need for a camera, since you punch your pin into the device, there may be minor issues but even 3rd parties have demonstrated kayboard based exploits so I assume a pin pad may also be subject to the same type.
As this evolution continues the banks are borne to bear the weight and responbility; the merchants remain unaware and we the people get screwed.
No comments:
Post a Comment