
"FU^%ING" Credit-Cards!!!


Brumby:

--- Quote from: Halcyon on June 27, 2020, 12:31:26 am ---.... and I can't recall any time where someone else has physically taken hold of my card. Restaurants and retailers don't want to deal with that kind of liability. Either you use the terminal yourself on your way out or some places even bring a wireless terminal to your table. I can't think of any reason why someone else should be handling your credit or bank card, let alone taking it somewhere out of your sight. In fact, it would be in breach of most (if not all) credit card contracts to give your card to someone else (I don't have a credit card so I can't check the fine print).

--- End quote ---

I spoke to a retailer once and their attitude was: if I don't touch the card, then I can't be held responsible for anything that requires holding the card. This approach has made dealing with the COVID-19 situation a non-challenge.

Brumby:

--- Quote from: gnif on June 27, 2020, 01:27:45 am ---
--- Quote from: greenpossum on June 26, 2020, 04:27:50 pm ---
--- Quote from: gnif on June 26, 2020, 03:56:04 pm ---No, it is not. The cards still have a mag strip on them, but only for backwards compatibility with foreign countries. You cannot use the strip in Australia.

--- End quote ---

Of course you still can. Lots of card terminals still have the magstripe reader. It's the second fall back after NFC and chip.

--- End quote ---

A colleague of mine works for a company that configures and services these units. Unless it has been specifically requested, there is a valid reason for the request AND the bank authorizes it, by default the mag strip is no longer usable in Aus. Many countries have also completely blocked the use of the mag strip specifically due to fraud, and many POS machines today do not even have the ability to read the mag strip.

--- End quote ---

I was in a retailer yesterday and there was a customer that tried to pay via NFC, but there was no response, so they tried the chip reader, which gave a "chip error", and the terminal told them to swipe - which worked.

I didn't know anything about the configuration policies until this ^^^.

Today, I have learned something.   :-+

free_electron:
Use one-time numbers. Certain banks offer that. No chance of stealing that. Your real card stays at home in the RF-protected safe.

gnif:
I have often wondered if NFC has been exploited like they did to break into cars, with a wireless link between two PCs and an SDR. That way NFC could be used internationally.

All that said, at the end of the day it could be an exploit against the actual bank. About 2 years ago I was contracted to work on a large deployment for a certain international financial institution where we were building a system to report lost & stolen credit cards (I was on infrastructure). What I saw while working there was abysmal: if it wasn't bad security practices, it was very poorly written software. This system allows the various banks around the world to log in and report and/or check details on credit cards, and here is what one of the outsourced "developers" allowed to hit production.

Pseudo code

--- Code: ---// Pseudo code of the handler as deployed: the identity of whoever
// authenticated first lives in a static and is reused by every later request
static Integer userID = null;   // `int` cannot hold null in Java; Integer can

void onLoad()
{
  if (userID == null)   // true only for the very first request after startup
    doAuth();           // sets userID for the whole JVM, not just this caller

  // do stuff... as userID, whoever that turned out to be
}

--- End code ---

Code review and testing didn't catch the fact that once a user logged into the system, they could access and use the details of the first user that logged in until the JBoss service was restarted. This is bad, but even worse than one would think, as this is a central system for the banks around the globe, so if a user at one bank logged in, the users at any other competing bank could access and use the system as the other bank.

When I explained to the developer the issue (which wasn't my job BTW) and that it feels like he had used a `static` to store the auth token/id, etc... he blamed it on infrastructure and tried to have me and my colleague fired (he was already blaming us actually which is why I investigated). When he provided an updated fixed binary (jar file) he claimed his company spent 10s of hours writing workarounds for our infrastructure and charged accordingly. I decompiled the old and new versions and identified a single change... literally removed `static` from the declaration.

This company is still in use by the largest carrier of bank data on the planet to develop credit card applications even after exposing them, and this is one of MANY issues we had with this "development company". They didn't even know what Git or Subversion was, source control for them was a samba share over a VPN to developers in India and they insisted that they have direct access to the production servers and couldn't understand why we wouldn't let them.

And add to that, that many ATMs still run Windows NT 4... One company I know of when I was still working there had machines running Windows 98 still!

The banks work to make us think they protect our cards/cash, but looking out from the inside I can tell you that their security is abysmal.
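The shared-`static` bug described in the post above, as an added example that is not the thread's or the bank's code: a constructed Java simulation in which `authenticate()` is a hypothetical stand-in for the real login check and the bank names are constructed labels. It shows the second caller inheriting the first caller's identity, next to the non-static field the fixed jar used, and the condition under which dropping `static` actually holds.

```java
// Constructed simulation of the shared-static bug described above. No JBoss
// or servlet API is used; authenticate() is a hypothetical stand-in for the
// real login check, and the bank names are constructed labels.
public class StaticAuthDemo {

    // Vulnerable pattern: one JVM-wide field holds "the" logged-in user.
    // Every request runs onLoad(), but only the first one ever authenticates;
    // every later caller, from any bank, is handed that first identity.
    static final class VulnerableHandler {
        static String userID = null;   // shared by all requests until the JVM restarts

        String onLoad(String bank) {
            if (userID == null) {
                userID = authenticate(bank);
            }
            return userID;
        }
    }

    // Fixed pattern: drop `static` so the field belongs to one handler instance.
    // This only helps when the container builds a fresh instance per request or
    // session; a single shared instance would leak in exactly the same way.
    static final class FixedHandler {
        String userID = null;

        String onLoad(String bank) {
            if (userID == null) {
                userID = authenticate(bank);
            }
            return userID;
        }
    }

    // Hypothetical login check; the real system's authentication is not shown.
    static String authenticate(String bank) {
        return "user@" + bank;
    }

    public static void main(String[] args) {
        VulnerableHandler shared = new VulnerableHandler();  // container keeps one
        for (String bank : new String[] {"bank-A", "bank-B"}) {
            FixedHandler perRequest = new FixedHandler();    // one per request
            System.out.printf("%s -> vulnerable: %s, fixed: %s%n",
                    bank, shared.onLoad(bank), perRequest.onLoad(bank));
        }
    }
}
```

Running it shows the vulnerable handler answering the bank-B request with bank-A's identity, which is the cross-bank exposure the post describes; a detection-side check for this class of bug is a grep for `static` fields that are assigned from authentication or session code.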

free_electron:

--- Quote from: dr.diesel on June 27, 2020, 12:56:50 am ---And yeah checks are HORRIBLE, I always get stuck behind somebody slowly writing a check, especially at the farm/utility/hardware stores.

--- End quote ---
And those are the kind of people that invariably wait until they see the total to write in the other information, like the date, who the check is for, etc...
I have to work very hard not to kick them so hard they bounce off the ceiling and, when coming down, bounce once more off the floor... I hate check writers.
