I work for a bank, but am not an expert on ATM systems.
That being said, I think Wedge is overblowing the risk a bit. The kind of hack described here appears to require extended physical access to the "PED" (box you swipe your card on). If one has that kind of access, they could also do what most USA ATM thieves do: put a fake reader over a real one and have the fake reader record EVERYTHING that slides thru it or is pressed upon it. This is much simpler and more reliable for the thief.
Overall, banking should always look to make transactions more and more secure, if it can be done without putting more barriers to legitimate business. Sometimes the balance point does not allow for absolute security in all circumstances.
The one thing that still concerns me is that apparently the reader is what decrypts the card, not the system itself. Of course, if the thieves have their own reader, sounds like they can already decrypt the card.
"You see, what you do is, you give them all your credit card numbers. And if one of them is lucky, then they send you a prize."
Wedge, unfortunately, banks cannot (as far as I know) enforce the specs for the readers their users make use of. They give out the specs for connecting to the system, and it is up to the store chains and/or the makers to make them secure. And, as with anything, the cheaper the product, the less secure it is bound to be.
I know that sounds like a cop-out, but it is reality. Banks' top priority in the 90s was to make debit and ATM cards ubiquitous to drive down costs. At the time, identity theft was rare and the hardware required to hack a reader was cost-prohibitive. (Why spend $10K to hack a reader, when you might only get $7000 out of it before you got caught?) Now, of course, Moore's Law has caught up and it is easier and cheaper, and identity theft is everywhere.
Even that being said, I'd worry less about CC scanners and more about the touchless/pinless cards being offered by everyone. Those pinless transactions can only be up to a certain amount, but can theoretically be read from across the room. So instead of hacking a single swiper, you can have a guy stand in the middle of Stop and Shop and harvest numbers by the hundreds.