
An article relating to this blog post on Finextra:

Toys R Us shoppers hit by Eftpos skimmers

Police in Sweden are warning shoppers who bought goods in two Toys R Us stores in the last few weeks to cancel their bank cards after skimming equipment used to steal data was found on Eftpos terminal...


Toys R Us' Communications

Toys R Us' comments made me laugh. If the police found that the skimming device was used to capture PINs and card numbers (meaning that Toys R Us accepts PIN-authenticated card transactions), then why would Toys R Us comment that it wants to see chip and PIN introduced in Sweden? So that there will be more standalone terminals requiring a PIN, delivering more 'cherry trees' to fraudsters?

Besides, that has nothing to do with the breach in their systems.

Or are they simply paying the same homage to chip and PIN that TJX had to deliver as part of its settlement with Visa? Oh my...


Comments: (5)

A Finextra member, 17 December 2008, 10:54

A skimming device that collects magstripe data and PINs is a crim's dream. Got the stripe, got the PIN, go get the cash - easy! Write a white card and off you go ...

A chip and PIN terminal would have provided the crims with nothing more than the PIN and track 2 image from the chip, which (as I have said many times before) would be useless to the crims if the issuers had taken notice of the iCVV advice provided by MasterCard and Visa.  Ultimately, it is all very simple: if the cards are personalised properly, there are no "cherry trees".

Even so, Toys R Us haven't suffered, except for looking a bit stupid; and it's not like TK Maxx, where the database was hacked and the clever crims got away with loads of data that TK Maxx should not have been storing.

A Finextra member, 17 December 2008, 11:24

Concerning TJ Maxx:

"A wireless network that employed less protection than many people use on their home systems appears to be the weak link that led TJX Companies, the US-based retailing empire, to preside over the world's biggest known theft of credit-card numbers.

Despite a market capitalization of almost $13bn, it appears the company couldn't afford to secure its Wi-Fi network with anything more robust than the woefully inadequate Wired Equivalent Privacy protocol. (The much more secure Wi-Fi Protected Access has come standard on most routers for four years now.) It also failed to use firewalls or install software patches and disregarded requirements imposed by Visa and MasterCard concerning how card information is stored and transmitted.

"According to a front-page article in today's Wall Street Journal, the nonfeasance allowed hackers to use a simple telescope-shaped antenna and a laptop to intercept data flowing through a Wi-Fi network used at a Marshalls discount clothing store near St. Paul, Minnesota."

A Finextra member, 17 December 2008, 18:41

David, you are correct. As long as non-DDA cards are issued, proliferation of standalone terminals will compromise cards. As it is, standalone terminals even in countries where only DDA cards are issued will still have to accept non-DDA cards. Also, Fallback will have to be prohibited to make DDA (ICVV) work.


A Finextra member, 04 February 2009, 17:25

I know ... :o)

but you also have to consider the following:

DDA prevents the creation of cloned (chip) cards, as unlike SDA cards they have their own public/private key pair, which protects them from being copied. However, a crim can still harvest the track 2 from the chip (which is what they are doing now) and create a magstripe card using the data, and assuming the crim has also been able to capture the PIN, whoopee!

So ... only issuing DDA cards does not prevent data harvesting from POS terminals. It only prevents the chips from being copied.

And ... iCVV has nothing to do with DDA, or SDA for that matter. The iCVV allows the card issuer to spot where a magstripe-originated transaction has been initiated (in a foreign ATM or, maybe, a POS fallback) using a magstripe that has been constructed from data originating from a chip. The problem is that the card issuers never bothered with iCVV, and so when a magstripe transaction comes in from a non-chip ATM, they can't tell if it's a duffer. And no amount of SDA, DDA rhetorical security claptrap will alter that fact.

If you can read the card, you can extract the magstripe data. If you can then write it to a magstripe and use it in a non-chip ATM, job done!

The problem, as is often the case, is in the implementation. There is no point in trying to solve these issues with technology, as the cause (certainly in this case) can be tracked down to stupidity.
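The iCVV point the thread keeps returning to is easiest to see in code, so here is a worked example of the issuer-side check. This is an added illustration, not code from the blog, from any commenter, or from a card scheme. What it keeps from the real mechanism is the data layout and the two derivations: the stripe's CVV is computed over PAN, expiry and the card's actual service code, while the chip's track 2 equivalent carries a CVV computed with the service code replaced by 999 (the iCVV). What it swaps out is the cryptography: the schemes derive these values with a pair of single-length DES keys and a decimalisation step, and this example uses HMAC-SHA256 as a stand-in for the DES computation so it runs with the Python standard library alone. The key, the PAN, the expiry date, the position of the CVV inside the discretionary data and the `personalise`/`issuer_accepts_magstripe`/`skimmer_clone` function names are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed issuer key. Real schemes use a pair of single-length DES keys
# (CVK A / CVK B); HMAC-SHA256 stands in for that DES computation here.
CVK = bytes.fromhex("0123456789abcdeffedcba9876543210")

# The chip's track 2 equivalent carries a CVV computed with the service code
# replaced by "999" (the iCVV); the stripe's CVV uses the real service code.
ICVV_SERVICE_CODE = "999"


def decimalise(hexdigits: str, n: int = 3) -> str:
    """Scheme-style decimalisation: decimal digits left to right first, then
    hex letters A-F mapped to 0-5, until n digits have been collected."""
    picked = [c for c in hexdigits if c.isdigit()]
    picked += [str(int(c, 16) - 10) for c in hexdigits if c in "abcdefABCDEF"]
    return "".join(picked[:n])


def cvv(pan: str, expiry_yymm: str, service_code: str, key: bytes = CVK) -> str:
    """CVV over PAN || expiry || service code (the scheme's input layout)."""
    data = (pan + expiry_yymm + service_code).encode("ascii")
    return decimalise(hmac.new(key, data, hashlib.sha256).hexdigest())


def icvv(pan: str, expiry_yymm: str, key: bytes = CVK) -> str:
    """Same computation with the service code forced to 999."""
    return cvv(pan, expiry_yymm, ICVV_SERVICE_CODE, key)


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # e.g. 201 = chip present, international use
    cvv: str

    @classmethod
    def parse(cls, raw: str) -> "Track2":
        # ;PAN=YYMMSSS<discretionary data>? with the CVV as the last three
        # digits of the discretionary data (assumed layout for this example).
        pan, rest = raw.strip(";?").split("=")
        if not (pan.isdigit() and rest.isdigit() and len(rest) >= 10):
            raise ValueError("malformed track 2")
        return cls(pan=pan, expiry=rest[:4], service_code=rest[4:7], cvv=rest[-3:])

    def encode(self) -> str:
        return f";{self.pan}={self.expiry}{self.service_code}00000{self.cvv}?"


def personalise(pan, expiry, service_code, with_icvv: bool, key=CVK):
    """Return (magstripe track 2, chip track 2 equivalent) for one card.
    with_icvv=False models an issuer that copied the stripe CVV onto the chip."""
    stripe = Track2(pan, expiry, service_code, cvv(pan, expiry, service_code, key))
    chip_cvv = icvv(pan, expiry, key) if with_icvv else stripe.cvv
    chip = Track2(pan, expiry, service_code, chip_cvv)
    return stripe.encode(), chip.encode()


def issuer_accepts_magstripe(raw_track2: str, key: bytes = CVK) -> bool:
    """Authorisation of a magstripe-read (or fallback) transaction: the CVV on
    the stripe must equal the one derived with the stripe's own service code."""
    t = Track2.parse(raw_track2)
    expected = cvv(t.pan, t.expiry, t.service_code, key)
    return hmac.compare_digest(expected, t.cvv)


def skimmer_clone(chip_track2_equivalent: str) -> str:
    """What the skimmer does: write the chip's track 2 equivalent, byte for
    byte, onto the stripe of a white card."""
    return chip_track2_equivalent


def demo():
    """Map with_icvv -> (genuine stripe accepted, chip-derived clone accepted)."""
    pan, expiry, sc = "4000123412341234", "1012", "201"   # constructed test card
    results = {}
    for with_icvv in (True, False):
        stripe, chip = personalise(pan, expiry, sc, with_icvv)
        results[with_icvv] = (issuer_accepts_magstripe(stripe),
                              issuer_accepts_magstripe(skimmer_clone(chip)))
    return results


if __name__ == "__main__":
    for with_icvv, (genuine, clone) in demo().items():
        print(f"iCVV personalised={with_icvv}: genuine stripe accepted={genuine}, "
              f"chip-derived clone accepted={clone}")
```

Run as a script it shows the two outcomes side by side: with iCVV personalisation the genuine stripe authorises and the cloned stripe built from chip data fails the CVV check, because the issuer recomputes with service code 201 and the chip's value was computed with 999; without iCVV the two track 2 images are identical and the issuer has no way to tell the clone from the real card, which is exactly the gap described above. Note that this check only protects the magstripe channel: it does nothing about a skimmer that also captured the PIN and about the chip data itself, and it only works if fallback and non-chip acceptors actually route through an issuer that performs the comparison.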


This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of transaction fraud systems and analytical techniques for bank card and financial services organisations.
