I am the ghost of groovymother.com. Woooooo!

This is an old page from Rod Begbie's blog.

It only exists in an attempt to prevent linkrot. No new content will be added to this site, and links and images are liable to be broken. Check out begbie.com to find where I'm posting stuff these days.

Just Fancy That

March 9, 2011

We believe it is not in the best interest of the consumers, merchants and overall payment industry to publish the details of product designs describing potential attacks however remote those might be. Even if these attacks are difficult to be accomplished it gives the bad guys a leg up on research they would not have to do and encourages bad behavior.

Verifone in 2007 in response to security research showing their UK “Chip & PIN” credit card readers were insecure.

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

[…]

Don’t take our word for it. See for yourself by downloading the sample skimming application and viewing a video of this type of fraud in action.

Verifone in 2011, after Square reduced their fees for credit card processing to well below Verifone’s rates.


Comments

On Wednesday, March 9, 2011, Gary Fonseca commented:

But... Isn't this post the same? It was just posted by comex, who has many, many followers... And probably retweeted by many of them... You are giving the idea to the bad guys that missed the news!

On Wednesday, March 9, 2011, Sergio Villarreal commented:

Gary: Not the same. The "vulnerability" in question is bullshit (the info you can capture is no more than what you can see when you hold the credit card), and pointing out that Verifone is doing a 180 on their own stated policy is different from publicizing an exploit (which is what they claim they did, even though they're lying through their teeth).

On Wednesday, March 9, 2011, pwb commented:

Not quite true: the mag stripe includes some critical information not found on the card.

On Wednesday, March 9, 2011, Bert JW Regeer commented:

VeriFone is being disingenuous in that the problem is inherent in mag stripe cards. I can get the tapehead of a 3.5mm->cassette convertor and use it to read data off the three different tracks on a Credit Card.

The data is not encrypted on the credit card, not only that but getting credit card readers is extremely simple, making it look like a legitimate scanner is even simpler, not like the consumer really pays much attention.

It is very much a competitor quacking in their boots because someone else has come up with something and done it better at a lower cost.

On Wednesday, March 9, 2011, Christophe Pettus commented:

You can buy mag stripe readers from any number of places, including Amazon. None of them encrypt the data as it comes off the card, any more than Square's does; most of them just emulate a USB keyboard.

On Wednesday, March 9, 2011, Divebus commented:

HA! They're definitely quacking!

On Wednesday, March 9, 2011, Frank commented:

As per the least expensive magnetic stripe reader on Amazon: "Simply plug reader into USB port of your computer and you good to go! No software to install! When connected to the host computer as a keyboard wedge, the reader is completely compatible with the host's software. The decoded data appears to the host as if it were entered manually by the operator through the keyboard."

