RFID Flap Silences Security Researchers

But they've had far more experience at tapping phone and data networks than at catching and outing spies (our own excluded).

There was a credit card processing company (in LA, IIRC) that was hacked a week or two before the Egghead incident.


Reply to
Dave Houston

Touche. (-:

I'm not buying into the whole sub-contractor mindset that's a craze in the business world. If I gave my card to Egghead and they hired Psycho Schlomo's Cheapest Credit Card Transactors to consummate the deal, I'm still blaming Egghead. They had the most to lose if things went wrong from outsourcing credit processing. I'll look into the final outcome when I get a chance. I do recall that there was a big breach at a middleman outfit.

The subs that Comcrass sends have names like "Nonstop Cable" and "Cable A Go Go" - no kidding - that's what shows up on the caller ID or the embossed plastic sign taped to the side of the beat up old station wagon. Eventually, the subs will arrive dressed in their prison uniforms on work-release. There's been a steady downturn in quality of all the repair techs. The Bell repairman used to be a guy in his 30's or 40's with years of experience, who cleaned up after himself and who didn't lay cable across lawns for some other guy to bury.

-- Bobby G.

Reply to
Robert Green

...snip

I was under the impression that CVV2 was never supposed to be stored. Does anyone know if that's a law, a regulation of the credit card companies, or what?

Reply to
Larry

| I was under the impression that CVV2 was never supposed to be stored.
| Does anyone know if that's a law, a regulation of the credit card
| companies, or what?

I don't know about law or regulation, but any online order site that requires the CVV2 and that does not validate the transaction in real time must store it at least for a while. I have used such sites, though I always use a one-time number that gives me a one-time CVV2 as well.

Something that bothers me about the CVV2 is that the credit card companies and their proponents make a big point that the owner of the credit card is the only person who can possibly know the number. I often explain that anyone to whom I've handed my card, along with anyone who explicitly requests the CVV2 for a transaction, may know it as well. I get the feeling that the CVV2--as with many "security" measures--may be more about non-repudiability than authentication, i.e., it is intended to work against the customer in the event of a dispute.

Given that the CVV2 is not (as yet) used for card-present transactions, has anyone considered obscuring or obliterating it on the physical card?

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani

They didn't have a choice. No online store can directly process credit cards. Credit card companies, banks and processors (those intermediaries some rail against) have a lock on how it's done.

It's the same way with DISH Network and (I think) DirecTV. They hire sub contractors to do installations and/or service calls. With DISH if you're not happy with the work a sub does you can ask to have a regular DISH employee come out. Just be prepared to wait a lot longer.

Be happy. At least yours had uniforms. :^)

Reply to
Robert L Bass

The real purpose of CVV2 is to make "flimsies" (carbon copies of old style in-person transactions) useless. Thieves used to dumpster dive behind stores to get the credit card slips.

It's obviously not 100% but it's one more brick in the wall. Card companies and merchants who accept credit cards need to do everything they can to prevent fraudulent purchases.

Since the merchant is the one who takes the loss it is in our interest to insist on the CVV2. I do. Without it, no sale. One regular CHAer who buys from us occasionally used to decline to give out his CVV2 number. At first we had an option to check "Number not readable" but I've since taken that option down.

Customers often worry about using cards online but the reality is that the risk is borne almost entirely by the merchant. We lose on average ~$20,000 a year to online fraud and we are but one small online vendor. Imagine what companies like Amazon are paying out in chargebacks.

If you swipe the card enough times it will wear off. That's Visa & MC. AmEx prints it on the front of the card.

However, more and more online merchants are beginning to insist on it so if you like to shop online you might want to reconsider. The reality is that giving it to the merchant does you no harm as long as you check your statements when they come in.

Reply to
Robert L Bass

| > Given that the CVV2 is not (as yet) used
| > for card-present transactions, has anyone
| > considered obscuring or obliterating it on
| > the physical card?
|
| If you swipe the card enough times it will wear
| off. That's Visa & MC. AmEx prints it on the
| front of the card.
|
| However, more and more online merchants
| are beginning to insist on it so if you like to
| shop online you might want to reconsider.

Reconsider what?

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani

I haven't obscured mine, but I did notice, while inspecting for RFID chips in my new card, that the rough-surfaced paper signature block on the reverse is now colored and banded and has the last four digits of the card number stamped in front of the CVV2. It's thick enough that the strip might be the RFID chip but the cards I've seen that have it are quite obviously RFID chipped. I assume the RFID chip has to be located outside the stamping area so it's likely not in the strip. But how will card holders really know if they are chipped without a scanner if they managed to sandwich it into the card unnoticeably?

I don't believe my newest card has RFID. But I am also a low volume card user. My suspicion is that RFID cards are going to people that use them frequently for in-person transactions. I haven't handed my card to someone who would take it out of my sight in 20 years, at least. That's when I *first* learned about skimming while doing IT for local restaurants. And liquor watering. And triple bookkeeping. And so much more. There's a reason mobsters like restaurants. They are awash in liquor, credit card numbers, cash and transient workers as well as needing frequent garbage pickups.

As for CVV2's, in a recent series by Brian Krebs of the Washington Post on card theft rings, the lists of stolen numbers that command the highest premium are the ones that advertise as "all CVV2s and billing addresses included." Apparently knowing the billing address helps them fly under the automatic fraud detection software VISA and MC use.

As for the back of the card, one of the TV news shows had a blonde female tester using the unsigned PHOTO card of a dark haired, oriental male producer for the show. Never a problem, although one clerk volunteered "you have to sign the card" but took it, unsigned, anyway. Look at it from the clerk's POV - who's to prove it wasn't signed a month from now when someone gets the bill? Also, if the woman DID sign the card that wasn't hers at the store, it would pretty obviously be a perfect match for the receipt that she just signed!

Bringing this back around to HA, wouldn't an RFID reader scanning a wallet generate a pretty unique "key" - if you have 5 different cards, the scanner should be reading the equivalent of an 80 digit security code? Part of the beauty and curse of RFID is that it can read a lot of tags in a single swipe. I wouldn't mind putting a reader at butt height that scanned my wallet to let me in the house.

-- Bobby G. (feeling better about using cash more and more!)

Reply to
Robert Green

I'd say "or what!" (-: My guess is that it's smoke blown by the card companies to make people feel more secure but it's not terribly effective. I have merchants ask me for the 800 telephone number on the back of the card as well as the CVV2. Why would they ask for those if they weren't going to store them?

-- Bobby G.

Reply to
Robert Green

Reconsider obscuring it. Of course, if you have it in memory no problem. My problem is almost anything not written down I forget. :^)

Reply to
Robert L Bass

In article , no-sales-spam@bassburglaralarms (Robert L Bass) writes:
| > Reconsider what?
|
| Reconsider obscuring it. Of course, if you
| have it in memory no problem. My problem is
| almost anything not written down I forget. :^)

Writing it down is fine as long as it isn't on the card. If it is on the card then anyone to whom you hand the card can read it along with the card number. Since the CVV2 is not required for card-present transactions I'm not sure what the benefit is of having it visible on the card. N.B. I'm still not convinced that the CVV2 is in any way intended to benefit the card holder in the first place. I'd be interested to know if anyone has had additional trouble disputing a fraudulent charge where the correct CVV2 was provided.

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani

IMO it's primarily there to benefit the merchant.

We've had numerous fraudulent purchases (presumably the thieves went phishing). We don't take any orders without the CVV2. Still, if the CC holder disputes the purchase the merchant loses.

This is one of the reasons we never allow UPS to "leave it on the porch," even if the customer asks us to. I need a signature for proof of delivery.

Reply to
Robert L Bass

}>> Given that the CVV2 is not (as yet) used
}>> for card-present transactions, has anyone
}>> considered obscuring or obliterating it on
}>> the physical card?

}> If you swipe the card enough times it will wear
}> off. That's Visa & MC. AmEx prints it on the
}> front of the card.

If someone wants to "wear" it off the card, it would be easy to keep it available at home to use when calling in an order or doing an online order. Keeping the two parts of the key (credit card number and CVV2) in different locations would prevent a waitress from copying the number while out of your sight.

Reply to
B Fuhrmann
