OT: warning about using Debit cards at stores

I don't have a TV, so not sure if this has been in the media, but a check out person at Lowe's said the following to me today:

Don't use card as "Debit" in retail or public places. Instead, run your card as credit card.

The way the Target and other security break-ins have happened is a perp parks in lot and decodes your debit signal. Then empties your bank account. Credit card is better security.

Evidently a young Russian hacker has been selling these machines for 2000 apiece.

I can't verify the veracity of this, but it sounds believable to me.

jb

haiticare2011

Whether or not that's true, most card-holder agreements have more protections for signature-based transaction fraud over pin-based transaction fraud. Anecdotally, most of my cards have a fee, and many businesses charge a fee, for using Debit, where only some Gas Stations charge more for credit. My cash-back rewards usually offset the gas-station case.

Read your contract with your bank, see what legal and contractual protections you have. Those will protect you more than any other anti-fraud practice.

Daniel Pitts

They hacked credit cards at Target, NM, Harbor Freight, etc. [Yeah, big spenders at Harbor Freight.] You should only use a debit card if you can't get credit.

Assume you are credit worthy, get a credit card at a bank where you don't bank. Then your credit card and bank are disconnected.

My brokerage house issues one card for everything: ATM, credit, debit. I had the credit and debit limits set to zero.

Most credit card companies have alerts that you can set up if you create an account online. Most of the time when I get hacked, the bastards are in east Europe or North Africa. I set up my card to email an alert to any foreign purchase.

For the most part, Amex seems to have the least amount of hacking. I've tracked how many times I've had a Visa card hacked. Probably 5 times in the last decade. My Amex has only been hacked once. And it actually wasn't hacked, but rather some bastard in North Africa was able to get into my Paypal account and got the card number.

One thing to note is in the last few months, all of these hacks have been done when you use the card in person. It used to be internet fraud, i.e. "card not present", was how you got hacked.

Far more lucrative are bit locker scams. The credit card hackers tend to get caught, but the bit locker hackers have been at it for some time without being apprehended. About $40 million has been lost to bit locker, and that is just the people who actually paid the ransom. Far more people were infected.

miso

That won't necessarily make any difference although the rules for unwinding transactions may vary with your method of payment. It is hard to tell from the garbled story you have got which card attack you are talking about but this one is a verified researcher attack on EMV.

AKA "Chip and PIN" verification that bypasses the need to know the PIN. Cloning cards on modified terminals has also been done.

One major city computer shop I know has a similarly garbled version of this vulnerability and were refusing to accept Chip&PIN entirely.

--
Regards, 
Martin Brown
Martin Brown

The main security difference between "chip and pin" vs "stripe and pin" is that the banks conned the customers into accepting responsibility for fraudulent use of chip and pin.

--
Ten seconds on "high" will secure your near-field card. 
It's the only way to be sure. 

Jasen Betts

Nonsense. If a system gets hacked you get your money back. Credit cards are just as sensitive to fraud. The only difference between a debit card and a credit card is that you can't spend more than you have with a debit card.

--
Failure does not prove something is impossible, failure simply 
indicates you are not using the right tools... 
nico@nctdevpuntnl (punt=.) 
--------------------------------------------------------------
Nico Coesel

Although if it is "Chip & PIN" and the bank's system says PIN verified OK you may need to employ expensive top quality expert witnesses and use massive publicity to get your money back. The bank will maintain it is all your fault and the PIN must have been written on the card.

Yes you can. It will spend right down to the limit of your authorised overdraft before refusing any further transactions. It will go even deeper if the bank ATMs are working offline due to a computer glitch (as in fact happened yesterday for one major UK network).

The local PIN is OK check is all the ATM machine can do on its own. Only when it forwards the transaction for clearing will the problem show. They limit the amount you can take out in cash per day.

Martin Brown

There was a cute scam pulled whereby the crooks somehow hacked the bank system to increase daily limits.

They then conducted coordinated withdrawals at many ATMs in many countries virtually simultaneously, making off with something like $10million, with very little personal risk.

Best regards, Spehro Pefhany

--
"it's the network..."                          "The Journey is the reward" 
speff@interlog.com             Info for manufacturers: http://www.trexon.com 
Embedded software/hardware/analog  Info for designers:  http://www.speff.com
Spehro Pefhany

Not true even if you have to give up your pin code: Many years ago one of my family members got mugged and had to tell her pin code. She got all her money back. Besides that the amount that can be withdrawn is usually limited on a debit card so the damage is small.

Nico Coesel

The protections offered to credit-card and debit-card are similar, but they are not identical. The financial impact of a debit-card hack can be significantly greater... your liability is greater and the "when you must report in order to be protected" deadlines are a lot tighter.

In practice, the biggest difference may be this: if your debit card is hacked/lost/stolen and is used fraudulently, the money's gone from your account immediately.

Even if you do get all of the money back (and that's not guaranteed by any means... any delay in reporting the loss increases your liability), you won't have the use of the money during the investigation.

If you, like many people, were counting on having that money available in order to pay important bills, you may find yourself missing bill-payments... and being penalized by your creditors for late or absent payments. Your bank isn't liable by law for these penalty payments and probably won't cover them.

David Platt

There was quite a ruckus in the U.K. a year or two ago. Some of the banks there *had* been taking the position that electronic fraud for "Chip & PIN" cards was impossible without the card-owner voluntarily disclosing the PIN.

As a result, the banks would summarily deny "my card was stolen" claims involving any transaction which the records showed had been "verified by PIN" at the merchant. They'd claim that the cardholder *must* have disclosed the PIN (either voluntarily, or accidentally by writing it down) and were thus responsible for the loss.

It was then shown that the card-to-terminal protocol has a security flaw, and that it's possible to pull off a "man in the middle" attack in which a stolen card could be used. The card itself "believed" that it was being asked to simply verify its identity, while the terminal "believed" that the card had reported "Yes, that's the right PIN". This trick allows a stolen card to be used without a PIN, but the transaction reports "Successfully verified by PIN" to the bank.

I haven't heard whether the UK banks have addressed this vulnerability (either by fixing the protocol, or changing their denial policy).

David Platt
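
The mismatch described in the post above (the card never checks a PIN, yet the record says "verified by PIN") is visible to anyone who compares the terminal's claim with the card's own authenticated view. This is an added example, not part of the original thread: a simplified Python model of that issuer-side cross-check. The record layout, field names, key and the HMAC standing in for the card's cryptogram are assumptions for illustration, not real EMV data formats.

```python
import hashlib
import hmac
from dataclasses import dataclass

CARD_KEY = b"constructed-demo-key"  # constructed; shared by card and issuer in this model


@dataclass
class Card:
    pin: str
    pin_verified: bool = False  # set only when the card itself checked a PIN

    def verify(self, pin: str) -> bool:
        self.pin_verified = (pin == self.pin)
        return self.pin_verified

    def cryptogram(self, amount: int):
        # The card authenticates ITS view of the transaction for the issuer.
        state = f"amount={amount}|pin_verified={int(self.pin_verified)}".encode()
        return state, hmac.new(CARD_KEY, state, hashlib.sha256).digest()


def run_transaction(card, amount, pin_entered, verify_reaches_card=True):
    """Build the authorization request the terminal sends to the issuer.

    verify_reaches_card=False models the condition in the post: the terminal
    is told "PIN OK" although the card was never asked to check a PIN.
    """
    ok = card.verify(pin_entered) if verify_reaches_card else True
    state, mac = card.cryptogram(amount)
    return {"terminal_cvm": "pin" if ok else "failed",
            "card_state": state, "card_mac": mac}


def issuer_check(req) -> str:
    """Trust the card's authenticated state, not the terminal's unauthenticated claim."""
    expected = hmac.new(CARD_KEY, req["card_state"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, req["card_mac"]):
        return "reject: card data not authentic"
    if req["terminal_cvm"] != "pin":
        return "decline: PIN failed"
    if not req["card_state"].endswith(b"pin_verified=1"):
        return "reject: terminal claims PIN, card did not verify one"
    return "approve: PIN verified by card"
```

An issuer that logs only the terminal's field would record the second kind of transaction as "verified by PIN"; comparing it against the card's authenticated state is what exposes the disagreement.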

That is pretty short sighted. Using cameras or modified equipment is quite common over here. Actually so common that they upgraded all the equipment in the shops to no longer use the magnetic stripe and put anti-tampering stickers onto the equipment. UK banks not knowing is a complete joke... The thing is that the bank is responsible for handing out the money to the right person. If they mess up it is their mess to fix.

Nico Coesel

That is why I have three bank accounts: one for incoming, one for outgoing and one for savings. There is never much on outgoing so in case of an incident I still have money on hand. Besides that companies have no problem if you pay later as long as you have a good explanation. A police report helps a lot.

Nico Coesel

which is also why I don't think getting your money back in case of fraud is going to be a big issue anytime soon, the banks can't afford there to be any doubt about the safety of using a card, handling cash is too expensive so they are willing to take a loss if needed

Afaik the rules here are now that a merchant isn't guaranteed any money unless the transaction was done with a chip and pin

Once, a long time ago, someone got hold of my card numbers; the bank closed the card automatically after it was used, I think, five or six times to withdraw $1000 at a gambling site in a different country

I got my money back the next day, had to fill out a form and that was it

Since then I put a sticker over the three digit "security code"

-Lasse

Lasse Langwadt Christensen

That is a good idea. If it's run as "credit" (PIN not used) the transaction goes through the VISA or MasterCard networks, so is treated as a "credit" transaction and VISA/MC are responsible. They have the leverage to charge it back to the merchant who allowed the fraudulent transaction (or not). If you use the card as a debit card (PIN used), the transaction is up to your bank only. You have to work out the details with your bank. Some are better than others.

You have *far* more leverage with VISA/MC than with banks, even the best.

Nope. Target, and the other big ones, were insider attacks on the card processing centers. They had nothing to do with the guy with the black hat in the parking lot.

Nope. It was an inside job with malware inside the CC transaction processing department.

The last part is not true.

krw

The amount withdrawn is limited but the amount purchased isn't (given your balance and perhaps some huge number).

krw

It is not, so your "if" is false. Chip and Pin is rare in the US.

If it's a signature transaction (with or without a signature) the processing goes through either VISA or MasterCard. They take responsibility (charging back to the merchant, more often than not). If it's a PIN transaction it's between you and your bank to figure out.

Not true, all ways 'round.

You're assuming overdraft protection. If you're paranoid, you don't have OD.

Our bank is online. The ATMs show our current balance, even though our bank is 800mi from here. There is a limit but that's to protect them, not you.

krw

Handling cash is the small part. If people used cash, they couldn't get their 2.5%-4% vig on every sale.

I had my debit card ripped off a few months ago. I can only guess, but it must have been in the Harbor Freight break-in.

I had the money ($50) returned in an hour, basically as soon as SWMBO reported it to the bank. They weren't supposed to take her word for it but I was on business out-of-state when someone used my card here.

??

krw

On Tuesday, 28 January 2014 at 02:04:58 UTC+1, snipped-for-privacy@attt.bizz wrote:

In Denmark everyone uses "Dankort", a card in a cooperation between all the banks. It is debit, and by law they cannot charge for using a debit card; it is equivalent to cash. It is normally a combo with Visa so it can be used outside Denmark too

I believe with something like Mastercard credit the shop can charge you what Mastercard charges them.

So it is only if you like paying extra you use a credit card

If you buy stuff online you have to put in a three digit code that is only written on the back of the card; I assume they assume that means you have the card in hand

Put a sticker over the numbers and it will take more than a quick look at your card before someone can use it online

-Lasse

Lasse Langwadt Christensen

There *was* one break-in a few years ago which was of the "RF sniffing from the parking lot" variety.

That was quite a while ago. You'd think that the big chains (and even the small ones) would have learned a lesson about keeping the POS systems on separate, firewalled networks, but from what I've been reading this isn't the case.

The Target attack seems to have been a malware-based exploit (and I've heard an insider connection alleged but not proven, I think). Dunno about the recently-announced possible attack on the Michaels arts-and-crafts chain.

David Platt
