Unveiling shoulder skimming

So now countries like the UK have converted most of their POS terminals to Chip and PIN. The idea is that if somone skimmed your magnetic stripe, they won't be able to make a purchase without your PIN. Of course, in reality most of the skimmed magstripes are simply being shipped to countries where Chip-and-PIN-like systems haven't been rolled out yet, which means that criminals will be able to make purchases without knowing your PIN. Another problem with entering your PIN every time you buy something (i.e.: at a restaurant or supermarket) is shoulder-surfing your PIN. However, this problem is beyond the scope of this post.

Another current issue to deal with is the so called fallback mechanism which applies to both POS terminals and ATM. Even if most ATMs and POS terminals have been upgraded to support PIN and Chip bypassing such restriction is trivial due to the fallback mechanism. By simply removing the chip (or damaging it) will cause the ATM/POS terminal to read the magstripe. So who cares if the chip cannot be cloned when criminals can still use the magstripe?

However, one problem I haven't seen discussed is what I like to call shoulder skimming. What if I told you that a dishonest employee can commit credit card fraud without using skimmers or any electronic device whatsoever! Are you familiar with merchant receipts? Unlike customer receipts which usually contain masked CC numbers, merchant receipts contain the customer's full credit card number, issued date and expiry date.

So here is the scenario: you're at your favorite restaurant and are about to to pay the bill using your credit card. The waiter then brings the fancy bluetooth handheld terminal. In this case, the malicious waiter can commit CNP fraud by simply shoulder-surfing your credit card security code (3 digits is easy to memorize) and then making a copy of the merchant receipt and writing down the security code. By having your full credit card number, issued date, expiry date and security code the criminal would be able to make online purchases on most online retailer sites. After that, the items can be shipped to a PO box registered using a fake ID and finally the items are sold in the black market.

Yes, initiatives based on Visa's 3-D Secure protocol (i.e.: Verified by Visa and MasterCard SecureCode) are now being introduced on some retailer websites to protect against CNP fraud. Problem is, there are still many sites out there that don't implement such measures.

Archived Comments

vindic

Adrian, 3-D secure is shit. first problem of most countrys is, that they have avaible lookuping service for user data (uk - dob, usa - dob, ssn, mmn) then 3-D can't protect you. Second prob is that this service have many bugs, maybe you know how attackers use VBV bypass via wu (which use firstadata online checking service [achex.com]) Chip and Pin is nice security, but nothing amazing, because 90% of skimmed dumps (skimmed credit card) are with PIN. many are from destinations like thaywan, moscow from hotels and restaurants where Chip and PIN working long time. Sorry for my english, if you want talk about it contact me via email

Makken Skeyes

What about organic systems? Like finger-print or eye-scanners? Aren't those much more secure?

vindic

yea i think so, but again. if you will put them somewhere, someone else will be able somehow get them and use. i saw in london on one conference company which working on this, but i am not much happy, it's not much good accessibile for ppl.

shining whit

Aren't online retailers only supposed to deliver to the registered card holders address? The goal of banks etc is not to make it 100% secure as this becomes an unfeasibly expensive pipe dream, the goal is to make it secure enough that the losses are negligble in the banks eyes, the banks do not care how much time or effort it costs you to get your money back. Regardless of the method used people will find a way round it, money is a great incentive. I often wonder how many blackhats are 'paid' for their work as opposed to doing it just because they can, and how many there are versus the number of white(maybe slightly grubby) hats.

NIX

@ap, you are right with the scenarios .. but does this make u to pay at a restaurant or supermarket with cash?

Adrian Pastor

@vindic - I'm not really in touch with the credit card fraud "scene" as part of my job, except for PCI DSS scans and knowledge of CC DB break-ins. As suppose you're talking about querying online resources in order to attempt to obtain personal information and 3-D secure is trying to verify? I'd be very happy if you posted more details on the attacks you're mentioning such as "VBV bypass via wu". @NIX - no, it *doesn't* make me pay with cash instead, but it DOES make me insert my CC in the POS terminal on my own, as opposed to letting the waiter do it for me ;-D shining - remember the common "deliver to address different to billing address" option. Think of how many shitty online retailers there are out there where many of the basic security mechanisms (ie.: AVS) do not apply. If I remember correctly the _minimum_ data required to perform a CC transaction is the CC number and the expiry date. This doesn't only apply to online transactions, but also to MOTO (mail order telephone order).

Adrian Pastor

Meant to say "*that* 3-D secure is trying to verify"

Shoaib Yousuf

Hi Adrian, Method you just mention is way too old. Its been happening for years now. I have also seen cases where you can buy pack of 100 credit card numbers along with expiry and credit verification number for $5. Visa and Master card has 100% dispute policy. In which merchant is held liable for not verifiying the owner and providing the service. I have also seen cases where camera is fixed on the top of the roof which is recording your pin while you punching it on POS terminal. Cheers Shoaib

Adrian Pastor

Hi Shoaib. I'm not claiming this is new. My point is that in places like in the UK, TV shows such as the Real Hustle have made skimming techniques used by - for example dishonest waiters - known to most people. However, I feel that low-tech and primitive methods such as the one described here are being overlooked. In this attack the criminal doesn't need a magstripe skimmer. All he/she needs is the merchant receipt and have a look at the 3 digit security code on the victims CC. Even worse, some websites don't even ask for the security code when purchasing items. I just bought flowers for my mom on a site of a company from Spain and I only had to enter the CC# and expiry date! question: does the 100% dispute policy also apply to e-commerce sites, or only physical merchants?

Fareed

Chip cards have mag stripes as well. If the mag stripe of such a card is read thru a card reader, a clone card with the same data can be produced. so how does the CHIP ensure 'better' security than a mag stripe card in this case?