Massive Credit Card Breach

Post » Tue May 15, 2012 2:53 am



I think all the card providers in the UK use this ridiculous 3D secure system, unfortunately (variously known as "Verified By Visa", I forget Mastercard's name for it) and they make it mandatory: a typical rollout is that you're invited to opt in, and the third time you use your card after the invitation you're forced to opt in. It reminds me of the "chip & pin" system where signing for stuff was replaced by entering a PIN instead; the card issuers claimed it was infallible, which was quickly demonstrated to be as ludicrous a claim as it sounded. The obvious intent of the banks was to shift the liability from themselves to their customers, but in a rare case of legislation being passed to protect the general public they were essentially forbidden from doing just that. It does seem that banking security is more about pointing the finger of blame at someone else rather than actually being secure, though.



Yeah, I noticed that. Growing up in the '70s, things were still exciting, the view of the future still optimistic, but by about the mid '80s everything had become cynical and money-obsessed and the hopes and dreams I remembered from my youth largely snuffed out.
IIRC most of the problems with chip and PIN are due to the bank's implementation of it. The cards have a bunch of flags that they send to figure out what authentication method is used. The attack abuses the fact that no verification is done to make sure all devices (chip, POS, and bank) agree on the method. The attack uses a dummy chip that tells the real one that signature authentication is used so please gimme money. The same dummy chip is set to accept any PIN and tells the POS PIN authentication is accepted and so send this blob (the one from the real card) to the bank for payment. The bank have all the checks needed to verify the POS and chip are on the same page, but most don't.

Last I heard one UK bank did verify, but most banks worldwide that use chip and PIN don't.

IIRC Cambridge University did a lot of research on this attack method including which banks are good and bad about verifying the info, but last I checked they haven't released the name of the good bank.

I also probably screwed up somewhere in my recalling of the attack method. I'd recheck with the news on Cambridge's research and their Chaos Communication Congress panels done on the chip and PIN attack rather than trust my recollection to be accurate and not missing any major point. :P

Here's the CCC panel video: www.youtube.com/watch?v=PWnH_yblgTc
butterfly
 
Posts: 3467
Joined: Wed Aug 16, 2006 8:20 pm
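
The issuer-side agreement check the post above says most banks skip, as an added example (not part of the original thread, and not any bank's code). It compares the terminal's CVM Results (EMV tag 9F34) with the card's own account of PIN verification; the `AuthRequest` type, the `card_saw_offline_pin` field (assumed already decoded from the issuer-specific Issuer Application Data) and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

# Low six bits of byte 1 of CVM Results (EMV tag 9F34) name the method used.
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the chip itself
CVM_SUCCESSFUL = 0x02                         # byte 3: result reported by terminal


@dataclass
class AuthRequest:
    """Hypothetical, already-parsed view of an authorisation request."""
    txn_id: str
    cvm_results: bytes          # terminal's view, 3 bytes
    card_saw_offline_pin: bool  # card's view (assumed decoded from its IAD)


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True if the terminal reports a successful PIN check done by the chip."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F
    return method in OFFLINE_PIN_CVMS and cvm_results[2] == CVM_SUCCESSFUL


def check_cvm_agreement(req: AuthRequest) -> str:
    """Return a decision string based on whether terminal and card agree."""
    try:
        terminal_view = terminal_claims_offline_pin(req.cvm_results)
    except ValueError:
        return "decline: malformed CVM Results"
    if terminal_view and not req.card_saw_offline_pin:
        # The mismatch described in the post: terminal believes a PIN was
        # verified, while the genuine card never saw a PIN check.
        return "decline: terminal reports offline PIN, card did not verify one"
    if req.card_saw_offline_pin and not terminal_view:
        return "review: card verified a PIN the terminal did not report"
    return "ok"


# Constructed sample requests (not real transaction data).
SAMPLES = [
    AuthRequest("t1", bytes.fromhex("410302"), True),   # both agree on PIN
    AuthRequest("t2", bytes.fromhex("410302"), False),  # views disagree
    AuthRequest("t3", bytes.fromhex("1E0300"), False),  # signature, consistent
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.txn_id, check_cvm_agreement(sample))
```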

Post » Tue May 15, 2012 11:20 am

Though I'm not UK, the way so much of our global world is tied into mandatory use of a credit card. I'd like to own a house one day, but the fact I NEED a credit score is just silly. If someone manages life well without a credit card, it should show they're much better at finances than with one. I know a lot of people have one on a 'just in case' basis, but I'm pretty much king of paranoid. For me, when a company offers 'Our security is infallible', it tells me they're too secure in themselves and are more vulnerable than the obscure guy with the great protection.
I don't think credit scores are necessary here in Aus (after all, not having one kinda indicates a certain ability to handle finances). But I haven't had to take out any loans from banking institutions, so I may be wrong.

In other words, move to Australia :P.
Kanaoka
 
Posts: 3416
Joined: Fri Jun 16, 2006 2:24 pm

Post » Tue May 15, 2012 3:06 am

never needed credit.. :shrug:
Blaine
 
Posts: 3456
Joined: Wed May 16, 2007 4:24 pm

Post » Mon May 14, 2012 10:41 pm

Just another planned step towards implanting identification and financial transaction chips in people.
It seems every event that occurs is another step toward [insert conspiracy here].

Since the issue is non-secured data shared amongst companies, not people dropping their cards everywhere losing them, the suggestion of implantation has no realistic merit to it, but don't mind me..
lexy
 
Posts: 3439
Joined: Tue Jul 11, 2006 6:37 pm

Post » Mon May 14, 2012 10:58 pm

And this is why I deal with cash in hand and over the counter :)
Mandi Norton
 
Posts: 3451
Joined: Tue Jan 30, 2007 2:43 pm

Post » Tue May 15, 2012 6:15 am

That's unfortunate, but I'm not terribly worried. In every situation I've ever heard of someone's credit card being compromised from friends and family, the company has taken care of it and reimbursed the charges.

I also don't get the irrational fear of credit cards. I understand that people are cautious about situations like this, but companies usually have decent enough policies and reputations to take care of the damages. Any other problems are usually on the fault of the consumer (late payments, overdrawing issues etc.). Yes, the fees in these situations are exorbitant, but at the end of the day the consumer should always keep up with their accounts and know when to not spend if they don't have the money available.
Lizzie
 
Posts: 3476
Joined: Sun Nov 19, 2006 5:51 am
