Visa card compromized

[Senegoid]

Some information about how those card reader / pin-pad devices work, that you see connected to cash registers in retail outlets:

The relevant sensitive information is communicated between the pin-pad itself, and the credit card processor company at the other end of the internet. The cash register itself, at least in modern ones, is just a passive messenger, passing blocks of encrypted data between the end-points at the pin-pad itself and the processor company.

When the software is installed and configured at the store, the processor sends some kind of encryption data (a public key, I suppose) to the store. The cash register gets this, and simply passes it on to the pin-pad. Thereafter, customers’ card data is encrypted there in the pin-pad itself, and the encrypted data is passed to the register, which then passes it on to the card processing company. The processor can then decrypt the data. At no point does the cash register have any access to any unencrypted sensitive data.

I think the card number itself is NOT sensitive encrypted data. For debit cards, the PIN is sensitive and encrypted. I don’t know that credit cards (lacking a PIN number) have any such protection. I can’t understand why credit cards haven’t always used PIN numbers just like debit cards, and I can’t understand why they aren’t all converting to use PIN numbers like debit cards.

The cash register itself could build a data file of all the card numbers (NOT including those extra 3 or 4 digits printed on the card), and this used to be a common thing for them to do. There are now some security standards that, among other things, forbid the cash register to collect or retain any such information. Modern cash register either do (or ought to) NOT keep this data.

[Chefguy]

Hari_Seldon:

In Canada, the merchant no longer ever sees the card. He gives you the machine (mobile if it is waiter), you stick it in, agree to the amount the merchant or waiter has entered, you may be given the chance to add a tip, you enter the pin and, when the machine tells you to, you remove the card. No skimming is possible. On the the other hand, if a cracker breaks into the CC site…

I noticed that on our recent trip to Victoria. Also, the machine gives an alert that you’re using a swipe card, not a chip, and do you want to proceed.

[Joey_P]

IceQube:

Wouldn’t the cameras on ATM machines deter the installation of skimmers?

As others mentioned, put on a ski mask and install it, put it on to take it back off the next night. Or a hoodie/hat/sunglasses. Besides, no one is actively monitoring this.

md2000:

yea, in the pic note the camera as a chunk on the top left.
In Canada, some ATMs have a row of blinking LEDs around the feed slot. This makes it a bit more obvious if something is covering the slot.

Two things about the blinking lights…
1)If you look online (do a GIS for ATM skimmer blinking lights) you can get a skimmer with blinking lights, or grey plastic or black plastic or whatever you want to make sure it matches. I saw one that was translucent so the ‘blinking’ will just match whatever blinking is going on underneath it.
2)Would you ever drive up to your ATM and say “Hey, it’s not blinking, something’s wrong” Probably not.

If skimming became a bigger problem, they’d find a way around it. Say, put something on the screen that says “Look at the lights around the card slot and enter the number of times they blink” Of course, that wouldn’t work for very long before the skimmers have a sensor so they can repeat the blinks.

As of right now, it’s just not that big of an issue. The banks eat the charges, hand out new cards and try to educate people here and there.