Markus points us to a story on card fraud by German TV reporter Sabine Wolf, who reported some of our recent work on how cards get cloned.She reports a number of cases in which German holidaymakers had cards cloned in Italy. In one case, a sniffer in a chip and PIN terminal at a skilift in Livigno sent holidaymakers’ card and PIN details by SMS to Romania. These devices, which apparently first appeared in Hungary in 2003, are now becoming widespread in Europe; one model sits between a card reader and the retail terminal. (I have always refused to use my chip card at stores such as Tesco and B&Q where they want to swipe your card at the checkout terminal and have you enter your PIN at a separate PIN pad – this is particularly vulnerable to such sniffing attacks.)
According to Hungarian police, the crooks bribe the terminal maintenance technicians, or send people round stores pretending to be technicians; the Bavarian police currently have a case in which 150 German cardholders lost 600,000 Euro; the Guardia di Finanza in Genoa have a case in which they’ve recovered thousands of SMSs from phone company computers containing card data; a prosecutor in Bolzano believes that crooks hide in supermarkets overnight and wire up the terminals; and there are also cases from Sweden, France, and Britain. Customers tend to get blamed unless there’s such a large batch of similar frauds that the bank can’t fail to observe the pattern. (This liability algorithm gives the bankers every incentive not to look too hard.)
In Hungary, banks now routinely confirm all card transactions to their customers by SMS. Maybe that’s what banks here will be doing in a year or two (Barclays will already SMS you if you make an online payment to a new payee). It’s not ideal though as it keeps pushing liability to the customer. I suspect it might take an EU directive to push the liability firmly back on the banks, along the lines of the US Federal Reserve’s Regulation E.
@Ross
“In Hungary, banks now routinely confirm all card transactions to their customers by SMS.”
There is a problem with SMS which is why you have to be carefull how you use it for Two Factor or any other security system.
Basically as far as the Mobile Phone Operators (MPOs) are concerned it is a secondary service (at best). They most certainly do not offer any gaurenty of delivery let alone timelyness of delivery.
There are two main reasons for this,
1, The MPO network does not know (or care) where your phone is at any one time (only that it is on or off).
2, The MPO network is very very expensive to impliment therefore they are as economical as possible with it’s usage.
When you send an SMS it only gets delivered there and then if,
A, your phone is where it was last registered on the network (ie turned it on or made a phone call or other primary service action).
B, The network is not congested with other (primary) trafic.
So if you send an SMS from Waterloo station (London) at rush hour to say you are “on your way home” there is quite a good chance you will get home before the message does on some MPO networks if you live within the Greater London Area.
Back in 2000 I ran up against this problem when designing a Two Factor Authentication scheam. After some cursing and subsiquent investigation I had sufficiently quantified the problem to work out a couple of solutions.
The first, Ignore the problem and send the next OTP to the phone when the user logs in with the previous OTP. Therfore as they are unlikley to log on / log off / log on again in a short period of time the chances are it will work most of the time.
Unfortunatly this system failed due to “lost” SMS’s and the fact that users (managment types) did have a habit of logon / logoff / logon. Investigation showed that they often loged on to get one bit of info logged off and then loged on again to get a second piece of info (it was likened to the Boss-Secretary Intercom issue which is well known to P.A.s etc).
The first scheam also had the very major disadvantage that the OTP sat on the users phone without any kind of security, therfore it was not to difficult to steal / delete without getting caught if you had access to the users phone.
The Second solution proved to be a good deal more reliable as it also provided feed back to the system of the state of the users phone (not the MPO’s network). Basically you sent the SMS waited a short period of time then phoned the mobile. If the phone rang after a short period the system new that the phone was on. If you got voice mail or unobtainable then you where fairly confident the phone was not likley to get the SMS.
This had the advantage that the system could send the SMS when the user tried to log on and could give a status message after a few moments if the SMS was unlikley to have been delivered.
The reason for phoning after the SMS is to get around the issue of busy MPO networks, for some reason due to their design if your mobile is in primary use (ie a call is in progress) the network will deliver any backed up secondary traffic (which is why you often here SMS’s comming in in the back ground when you take a call in your car).
It also gave rise to an idea for a third method of doing Two Factor that did not use SMS. Assume you have access to a local area exchange code (all to yourself) so you have +4420 7123 XXXX as your phone number range. When a user logs in you ring the users mobile phone randomly from one of the XXXX lines the user then types the last four digits of the displayed number in as the OTP at the prompt.
This might work well for a large organisation such as a bank but would be prohibitivly costly for small organisations.
Interesting that both the banks and the thieves use SMS.
Because SMS messages use telephone numbers for addressing, people tend to assume these addresses are as reliable as calling line ID for phone calls. This is not so: faking the sender is quite easy.
If you discover a sniffer using SMS, the destination phone number will probably be insufficient to catch them – it will be an anonymous prepaid (or stolen). But you could copy the originating phone number and send fake data which will set the alarm off when they try to pick up the money.
The thieves can also exploit this by faking the messages from banks to their customers. At the very least, this would lead to call centre overload.
Note on the previous comment: after the 7 July bombs in London, network overload made mobile phone calls almost impossible, but SMS text messages were still getting through. So in practice it can be a very good service too!
After the tube bombings, the situation with the mobile networks was complex. This Mayor of London blog entry gives the details.
The bottom line is that there was a distinct increase in calls (250% on Vodaphone) and also in texts (doubled) and a lot more mobile-to-mobile calls than usual. However, very significant was that the City of London police (without consultation) got O2 to implement an emergency blocking system (ACCOLC) which may have caused over a million call attempts by the public to fail.
Hence I don’t think the conclusions about SMSs and calls are valid. In particular at overload times (New Year) SMSs can be delayed for several hours. This was widely reported (eg here in the Sally Geeson murder case where a Cambridge student was abducted and killed on 31 Dec 2004.
Ross
We certainly seem to be having an epidemic in this part of south-east London in recent weeks. Each week dozens of people are reporting to one local forum attempts at card fraud (destination mainly Canada) after using certain local shops and two local ATMs belonging to one bank. Three reports in the last couple of hours (the last for £1,800).
Even the ‘better’ banks don’t seem to be particularly informed. My own bank was unaware that an ATM belonging to the same bank group is compromised (although the staff in a competitor bank across the road report being well aware of it). Some are notifying frauds by snail mail(!). And some do not seem keen on helping the customer: my own cannot put a block on all foreign transactions, for example (according to their own fraud department).
The level of local concern has pushed one supermarket chain which is suspected of involvement to put a statement on the interweb, along the lines of ‘your bank will pay you back’. We are not amused.
I don’t see retailers or banks being particularly concerned about what appears to be becoming a pandemic, which is starting to seriously affect people’s daily lives. We do need to change the balance between the customers and the banks on this one. Or perhaps we could rebel and return to drawing cash at teller and paying with cash only, and see how banks and retailers like that?