Unknown amounts of Irish ATM cards skimmed

trellheim

from RTE

he Irish Payment Services Organisation has confirmed that the bank details of a number of customers have been stolen in retail outlets. Fraudsters fitted devices to sales terminals while pretending to carry out maintenance work on behalf of banks.

One of the banks affected, Bank of Ireland, has put restrictions on some of its debit card withdrawals as a result.

This scam was uncovered over the weekend and, according to the IPSO, involves a small number of the 55,000 retail outlets in Ireland.
Advertisement

The individuals involved entered the outlets posing as terminal operatives which allowed them to fit devices into point of sale terminals. This enabled them to gather the details of cards used at the shops.

IPSO says an investigation is taking place, but consumers should not be too concerned as people affected by the fraud will be refunded by their bank.

Retailers are being advised to check the identity of anyone claiming to be carrying out work on behalf of their bank, while those travelling abroad in the next week should make sure restrictions have not been put on their bank cards.

Bank of Ireland says it has restricted the daily withdrawal limit on several thousand of its debit cards for ATM transactions in certain countries as a temporary anti-fraud measure. This will remain in place until the customers concerned can be contacted and reissued with new cards.

All other Bank of Ireland debit cardholders will have a maximum daily ATM withdrawal limit of €250, for transactions outside of Ireland only, until further notice. The bank says most of its credit card customers are not affected.

You would think they would put us out of our misery and tell us which retailers were scammed.

Alun

trellheim wrote: »

You would think they would put us out of our misery and tell us which retailers were scammed.

Well, presumably if they know which retailers are affected, and the time frame during which these devices were active, then they'll also have records of who exactly used their cards in those retailers during this period, so can contact them all individually.

dub45

Alun wrote: »

Well, presumably if they know which retailers are affected, and the time frame during which these devices were active, then they'll also have records of who exactly used their cards in those retailers during this period, so can contact them all individually.

And in the meantime how about people who might have their accounts cleaned out? Are we not entitled to know exactly what has happened and who is responsible for such lousy security arrangements?

Bluetonic

trellheim wrote: »

You would think they would put us out of our misery and tell us which retailers were scammed.

A few branches Penneys were done.

Steve

I don't get this.
If the scammers were lifting information from the POS readers at the till, how come only BOI cards are affected?
Surely whatever they put in could read *any* card.

robindch

dub45 wrote: »

Are we not entitled to know exactly what has happened

Nope, you're not, though it would be nice to know. If it's of any interest, the attack is pretty much the same as one that was uncovered last week in the UK -- see here.

dub45 wrote: »

and who is responsible for such lousy security arrangements?

From the news at nine this evening, the criminals went into merchant stores posing as IT security people and swapped out the good terminals for the compromised ones -- this kind of social attack is extremely difficult to defend against, since it relies upon the ignorance and/or trust of the merchant to succeed. The merchant has his own domain-specific knowledge; he's no good at telling an honest computer technician from a corrupt one, and in all honesty, he shouldn't really need to.

In general, the compromised card data is only usable in countries which don't use chip and PIN which is why BOI has temporarily lowered the ATM cash withdrawal limit for withdrawals outside of Ireland. See here for BOI's announcement.

Sponge Bob

I heard about this in the middle of last week and it was in the west not the 'north and east' and obviously not at the weekend.

Proof !!!!

http://www.boards.ie/vbulletin/showthread.php?t=2055356168

dub45

I am amazed at how sanguine people are about this type of thing. We are constantly being pushed towards a cashless society and yet it seems that the security arrangements are not there to justify this push.

Its ok for IPSO to say that people that people should not be too worried -

IPSO says an investigation is taking place,but consumers should not be too concerned, as people affected by the fraud will be refunded by their bank.

They dont say when any refunds will take place nor what might happen in the case of an account being cleared out and direct debits being bouced and so on. (So far I know they are claiming that no money has actually being taken) but on the other hand people are being seriously inconvenienced who are abroad and whose access to funds is being restricted and people may not know why.

I would remind people to remember that 45 million names were obtained due to poor security arrangments at TK Maxx - http://news.bbc.co.uk/1/hi/business/6508983.stm while it is difficult to believe that the position outlined in this article is any different in Ireland -

http://technology.timesonline.co.uk/tol/news/tech_and_web/article4473266.ece

The Sunday Business Post reported last week that wep security was being used on wireless terminals here:rolleyes: http://archives.tcm.ie/businesspost/2008/08/10/story35087.asp

Up to a third of shops and restaurants on Ireland’s two busiest shopping streets are using wireless internet systems that are vulnerable to credit card thieves.
.............................................


The security system in question is known as Wired Equivalent Privacy (WEP). Conor Flynn, a security expert with IT firm Rits Information Security, said that getting by a shops’s internet security system does not guarantee access to customer records, but makes it significantly easier for cyber thieves seeking to steal credit card details.

You might say why all the fuss? You might recall the much publicised swoop sometime ago on people puported to have paid for access to paedophile websites with their credit cards? However you might have missed the follow up discussions around the net where it was revealed that many of those who appeared on the list had had their credit card details stolen and used on these sites?

Did you read in the Guardian last year how Police wrongly charged a woman who had her debit card skimmed for making a false claim? And how long it took her to get the case dropped?

In the meantime things can only get worse!!!

http://www.kirotv.com/news/16644505/detail.html

robindch

dub45 wrote: »

it seems that the security arrangements are not there to justify this push.

The principal issue is that not all the world has switched to chipcards yet. Chipcard security has not been compromised and isn't likely to be for some time.

At the moment, the issuer banks and the international networks to which they're connected, must carry out a risk-assessment leading to a business decision about whether (a) to permit non-chip transactions to take place on chip cards (ie, a chipcard holder in Moldova) or (b) to permit low-security mail-order transactions to take place. Generally, banks lean in the direction of facilitating the cardholder rather than blocking all avenues to fraud.

When chip is rolled out worldwide, the attack here won't work for type (a) transactions, while there will still be a security hole for mail-order transactions. There are schemes in place for dealing with certain classes of mail-order fraud but they are not widely implemented and card issuers are consequently generally ok with having the low levels of mail order fraud take place.

BaconZombie

Ahhh, It was cracks along time ago....

https://www.youtube.com/watch?v=L7QzOcZAwbg

https://www.youtube.com/watch?v=pHdX3ZYEvXw

Now three researchers from the University of Cambridge in the UK have cracked the Chip & Pin system in alarmingly easy fashion.

Check out this video from BBC’s Newsnight detailing Sarr Drimer, Stephen Rimmer and Ross Andersons physical attack on the Chip And Pin system. As you can see, for some unknown reasons, the manufacturers thought it would be a good idea to transfer the data from the PED (Pin Entry Device) to the terminal unencrypted. Allowing an attatcker to obtain the complete card details.

http://www.cl.cam.ac.uk/research/security/banking/ped/

robindch wrote: »

Chipcard security has not been compromised and isn't likely to be for some time.

robindch

BOFH_139 wrote: »

Ahhh, It was cracks along time ago....

No, it wasn't.

Despite the misleading text, you cannot clone a chipcard by knowing the PIN. The PIN's only useful if you show up at a magstripe-only ATM with a cloned magstripe card and your card issuer has specifically enabled magstripe fallback transactions on your card product.

Yes, the conversation between the PED and the terminal is unencrypted in the UK and Ireland, while in many other countries, it's encrypted, thereby preventing this attack. The EMV standards support both encrypted (expensive terminals and cards) and cleartext (cheaper terminals and cards) PIN's and which one is picked comes down to a simple economic choice. The security standards are available in Book 2 from here -- see Chapter 7 for the full details.

I've had it out with the Cambridge lads a few times about posting intentionally alarmist text on their website. And while they've updated it slightly in the past, they still spreading FUD far more than they're letting on.

BTW, off-the-shelf hardware which will carry out this attack is on sale in central Dublin:

http://www.acquirer.com/ph_scim

(disclaimer -- I wrote the software ).

.

dub45

robindch wrote: »

The principal issue is that not all the world has switched to chipcards yet. Chipcard security has not been compromised and isn't likely to be for some time.

At the moment, the issuer banks and the international networks to which they're connected, must carry out a risk-assessment leading to a business decision about whether (a) to permit non-chip transactions to take place on chip cards (ie, a chipcard holder in Moldova) or (b) to permit low-security mail-order transactions to take place. Generally, banks lean in the direction of facilitating the cardholder rather than blocking all avenues to fraud.

When chip is rolled out worldwide, the attack here won't work for type (a) transactions, while there will still be a security hole for mail-order transactions. There are schemes in place for dealing with certain classes of mail-order fraud but they are not widely implemented and card issuers are consequently generally ok with having the low levels of mail order fraud take place.

And what about wep being used on wireless terminals? That's appalling neglect.

One of the worrying things about the lack of security is that its not just money that's stolen its peoples identities and I have made points about this in my previous post.

robindch

dub45 wrote: »

And what about wep being used on wireless terminals? That's appalling neglect.

The whole point of EMV (chip and pin, aka chipcards) is that the card issuer needs to trust himself only in order to guarantee the security of his customers' cards. The terminals and acquirers and networks between the card and the issuing bank's mainframe can all be entirely compromised and with full EMV in place, the security of the transaction will not be reduced.

Unfortunately, as I said above, not all countries use EMV, and banks have taken a pragmatic decision to live with a small amount of fraud in order to facilitate the far greater amount of legit transaction traffic without incurring an even greater expenditure than they already have in implementing EMV.

Also, under new merchant agreements which require merchants to adhere to the PCI Security Standards, anybody who leaks confidential data is responsible for any fraud that takes place on the leaked data. This is what's happening with TKMAXX who are already liable for hundreds of millions of dollars, with more on the way.

Finally, the card and the magstripe will shortly contain different data (the "iCVV" change), so that what's transmitted from wireless terminal to a base station will no longer be sufficient to clone a magstripe card. It is possible, under certain conditions, to get around this security update, but these conditions are difficult to engineer, and less reliable in retrieving good data.

So, with iCVV in place, the recent attack is much more difficult to carry out. I believe that the Irish banks will be issuing iCVV-compatible cards from early next year, if they've not already started (I believe that AIB might have, and BOI may not have -- I'm subject to correction here).

craichoe

There are other Security features on your card for this very reason, any card can be cloned, no matter how secure they claim the system to be. They had the same claims with teh OV-Chipkaart and Oystercard systems.

Closed source systems are insecure, period.

Normal procedures for checking fraudulent cards should apply.
http://www.visa.ca/en/merchant/fraudprevention/cardfeatures.cfm

Besides, Man in the Middle attack is the oldest trick in the book

johnnyboy4711

So let me get this right!
anyone can just walk on into a store say they are from ABC and skim the machine.
nice work if you can get it!
Anyone check ID's or CCTV?
john