PICList Thread
'[AD]: Project offer any one interested? ATM scams'
2005\02\20@235047 by Robert Rolf

Dave VanHorn wrote:

>> Well, the quality of his web pages, and the short leap from
>> task description to possible application as a credit card skimmer
>> didn't make me feel good either.
>
> You know of course, that your pin does not live on any of the three
> tracks, right?

Of course.
But micro cameras have made it pretty easy to get a PIN
from careless users. When was the last time you checked
your ATM machine valance for unusual or non-standard
coverings? Our national newsmagazine just ran a 1 hour show
dedicated entirely to the tricks of the trade, to teach
consumers what to be aware of. They showed how a group
of well organized crooks outfitted an ATM in a busy
Calgary location with a camera and faceplate card
skimmer, in LESS THAN 30 seconds.

http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1105142446966_16/?hub=WFive

"In just two hours time, the gang got away with 35
customers' card information. In just a few days they
had collected enough information to steal nearly $650,000."

What really peeves me is that much more secure systems
than mag stripe technology exist (e.g. smartcards),
but the banking industry isn't YET losing enough money
to justify the upgrade. Maybe we need to refuse to use their
systems until they upgrade them. And TELL THEM THIS!

"Banking experts estimate it would cost the banking system in
Canada approximately $500-million to produce the chip
technology (smart cards) for the debit card system while
debit card fraud costs a mere $44-million in 2003 in comparison.
One might think the banks have concluded it's cheaper to pay
off the bad guys than it is to help the good guys."

It's only a matter of time before your area sees the same
criminal activity, so please be aware of anything 'unusual'
about your ATM.

Robert

2005\02\21@071706 by Martin Tedjawardhana

With a clever concealment like this, who would've thought...

http://www.tolee.com/html/ATM_fraud.htm



2005\02\21@075548 by Alan B. Pearce

>With a clever concealment like this, who would've thought...
>
>http://www.tolee.com/html/ATM_fraud.htm

One exactly like that was used as part of a CSI (the original LA version)
broadcast here in the UK a few weeks ago. Not sure how far behind the US
broadcasts we are, but I suspect not much, a season at most.

It happens here in the UK as well, but I suspect mostly in the larger
tourist areas, or around the large shopping centres and cities. I tend to
use only one ATM in a small town, and it has a pretty battered front, so
something like this would be fairly obvious.

However with the move to chip in card, this will become less of a problem
anyway.

2005\02\21@081726 by Russell McMahon

>> http://www.tolee.com/html/ATM_fraud.htm

If you allowed the card to feed through the dummy reader and into the
machine proper the system could function completely normally, allowing
prolonged use, as long as nobody noticed the changed machine.
Wireless output makes detection less likely. Batteries could be
changed during a night time ATM visit if pamphlet holder had a quick
change battery system.

:-)


       RM



2005\02\22@091222 by Howard Winter

Robert,

On Sun, 20 Feb 2005 21:50:54 -0700, Robert Rolf wrote:

>...<
> What really peeves me is that much more secure systems
> than mag stripe technology exist (e.g. smartcards),
> but the banking industry isn't YET losing enough money
> to justify the upgrade.

UK banks obviously think it's worth it - credit/debit cards have had chips in them (as well as the magstripe)
for a number of years.  Both systems are running in parallel at the moment, with a lot of retailers still only
having a swipe-reader, but dual-format readers will refuse to accept the swipe for a card that has a chip, and
the card has to be plugged in to read the chip.  Until recently this was still confirmed with a signature,
and they almost always do check it (it still amazes me that US shops hand the card back before you sign the
slip, so checking the signature is obviously not common!).  UK banks are now introducing "Chip & PIN" whereby
at retail tills you plug your card into the reader and enter a PIN - I believe they didn't think it was safe
to use a PIN on the swipe of the magstripe, for the reasons being discussed.  Interestingly the PIN used by
"Chip & PIN" isn't the same as the one used in ATMs (my current debit card has a chip, and I use it with a PIN
in ATMs, including abroad, but it doesn't work as Chip & PIN in retailers - the next replacement will,
though).

Cheers,


Howard Winter
St.Albans, England


2005\02\22@091827 by Michael Rigby-Jones


Personally I feel the PIN is less secure than a signature in many ways.
Once someone has seen you type it in (and let's face it, it's not
difficult), they then just have to relieve you of the card via
pickpocketing or mugging and they have no problems at all using it. No
tricky signature to come under the scrutiny of a shop assistant and as
a big bonus they can get cash directly from an ATM machine.

Mike


2005\02\22@102404 by Herbert Graf

On Tue, 2005-02-22 at 14:18 +0000, Michael Rigby-Jones wrote:
> Personally I feel the PIN is less secure than a signature in many ways.
> Once someone has seen you type it in (and let's face it, it's not
> difficult), they then just have to relieve you of the card via
> pickpocketing or mugging and they have no problems at all using it. No
> tricky signature to come under the scrutiny of a shop assistant and as
> a big bonus they can get cash directly from an ATM machine.

Actually, for anybody who has practised, forging a signature is
extremely easy. Especially considering most shop keepers don't check it
(in North America). OTOH smart cards are no secure solution either IMHO.
Sure, at the moment they are pretty secure, but ask the satellite
industry how great smart cards are, it's only a matter of time...

-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/

2005\02\22@112650 by James Newtons Massmind

Herb is on our side, however, so rest assured.

...just figured I should mention that.

P.S. Herb, when you going to mail those checks back? Did you put my wife's
signature on them yet?

---
James.




2005\02\22@114120 by Herbert Graf

On Tue, 2005-02-22 at 08:26 -0800, James Newtons Massmind wrote:
> Herb is on our side, however, so rest assured.
>
> ...just figured I should mention that.
>
> P.S. Herb, when you going to mail those checks back? Did you put my wife's
> signature on them yet?

Hehe, I never said I was the expert! :) But I must say, I knew a couple
of people in grade school that were VERY good at forging signatures (they
practised their parents' signatures for obvious reasons...). If a 10 year
old can forge a signature...


-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/

2005\02\22@123217 by SavanaPics

I do ATM repair for one of the US's largest resellers and repair services.
There is a lot more to converting the system over to smart cards than a
lot of people think. Not only is there a huge cost in software modifications
and hardware changes, you now have to deal with the triple DES encryption.
This goes into effect within a few months and all new installs as of this year
had to have Triple DES compatibility in the ATM machines.

And to be honest, I feel the smart cards are less secure than the mag
stripe cards. Smart card programmers are very inexpensive to buy these days. The
mag stripe writers are still out of the reach of most people who are just
looking to play with the cards. I have a box of 500 blank cards that I never
bought a writer for. Thanks to the satellite industry, smart card writers are
available for less than 60.00 in some cases. And forget about the coding, it
would probably be broken in a matter of months, thereby making the swap to
them useless.


About the only really sure way I can think of is either by fingerprint
recognition (which you would never be able to keep clean) or retina recognition.
(I have no knowledge of this one)

oh well. off to fix another one.....

73's, Eddie

2005\02\22@125804 by Kyrre Aalerud

I just wanted to mention...

Without modifying the ATM with a video camera one can see the pin used by
the last person.
Method: Thermal imaging.
A picture of the pad would reveal both which digits are used and even the
sequence.
Scary, huh?

These thermal imaging systems are sensitive enough to see the tracks from a
tank on snow long after it is gone.
Fingers on buttons are a lot easier.

Kyrre



2005\02\22@135349 by Robert Rolf

Eddie is probably correct. Banks are TOO CHEAP to
pay for truly effective security technology.

Even the supposedly 'secure' CASH card (Mondex) was
cracked years ago, yet it is STILL on the market.
http://www.efc.ca/pages/media/guardian.24sep97.html

"The U.K. Guardian
Wednesday, September 24, 1997

Plastic treasure ... not so smart after all
by Duncan Campbell

Chips used in the Mondex electronic cash card system can
be cracked, a leaked bank report reveals. Technical
weaknesses in the Japanese-made chip have privately
been known to participants in the Mondex system for
more than a year, and can allow secret data on the card
to be read. This could give dishonest merchants or users
a licence to print electronic money. "

Mondex then sued the person who had 'disclosed' the
proprietary information. DUH??
It was the CARD that was at fault, not the person who
did them the favour of pointing it out to them.

It would seem that the only 'secure' method is biometrics,
except that someone mugging you for the card would also
have to whack off your finger or take your eye as well.
In that context a PIN isn't such a bad idea.

There are now USB memory sticks with fingerprint readers
built in. Only $20 more than non secured versions.
In the kinds of volumes that bank cards are used, the
incremental costs would be much less, but still an order
of magnitude higher than the 5 cents a card costs.

Robert


2005\02\23@045250 by Hulatt, Jon



> -----Original Message-----
> From: .....piclist-bouncesKILLspamspam.....mit.edu
> [EraseMEpiclist-bouncesspam_OUTspamTakeThisOuTmit.edu] On Behalf Of Michael Rigby-Jones
> Sent: 22 February 2005 14:18
> To: Microcontroller discussion list - Public.
> Subject: RE: [AD]: Project offer any one interested? ATM scams
>
>
>
> Personally I feel the PIN is less secure than a signature in many ways.
> Once someone has seen you type it in (and let's face it, it's
> not difficult), they then just have to relieve you of the card
> via pickpocketing or mugging and they have no problems at all
> using it. No tricky signature to come under the scrutiny of
> a shop assistant and as a big bonus they can get cash
> directly from an ATM machine.
>

The big security bonus for the PIN is when someone loses their card...
The "finder" (read Thief) won't have the PIN. But if they lose a signed
stripe card, then the thief has a copy of the signature to practise.

The next security bonus is avoiding the incompetence of a shopkeeper.
How often does the shopkeeper not bother checking the signature against
the card? When the user is forced to use a PIN- if they get it wrong,
they don't pay. It's checked by default.

Yes, the chip & pin system is flawed- if someone sees you enter your pin
in the POS terminal, then they can mug you for your card outside the
store, and use it. But I don't care. If someone wants my card; they can
have it- I'm not getting beaten up for a piece of plastic. UK law does
not regard handing over your card (and even your PIN!) under a threat of
violence as negligent- therefore my losses are the bank's problem.

IMO the best security would be biometrics- and forget crazy stuff like
fingerprint recognition and retina scanning. Why not just print a photo
on the card? The human brain is *very* good at facial recognition, and
this single measure would probably do more to protect against POS fraud
than anything else (assuming the shopkeeper is not part of the scam
too). A bank in the UK did this a few years ago, but it didn't catch on.

The thing that I dislike most about "chip&pin" is that it's sooooo
s.l.o.w. - often you stand there waiting for the little unit to even ask
you for your PIN... then you whack the PIN in in a couple of seconds,
and stand waiting while it is "processing".

2005\02\23@052340 by SavanaPics

The reason they are usually so slow is the processor speed. There are some
ATM machines here in the US running a whopping 25 MHz chip... yep, and the
new fandangled super duper whopper chopper versions slide in at a cool 800
MHz... Then add in that some are RS232/485 linked to a server 500 feet away,
which by the way is operating the whole bank. Ohhh, and let's not forget
the ones in the grocery/convenience stores on the good ole dialup at 9600 baud
(maybe)

2005\02\23@052624 by Jinx

> The next security bonus is avoiding the incompetence of a shopkeeper.
> How often does the shopkeeper not bother checking the signature against
> the card? When the user is forced to use a PIN- if they get it wrong,
> they don't pay. It's checked by default.

I remember a piece that 60 Minutes did. They sent stooges in to many
stores, from garages to jewellers, all with phoney credit cards. Like the
Japanese woman with a Mexican man's name on the card. No one was
challenged for name or signature. The staff of those stores were not told
of the sting but were given extra instruction on card checking. A week
later 60 Minutes went back in to the same stores, and once again no one
was challenged. And someone's paying for that inattention. Guess who

2005\02\23@055142 by Hulatt, Jon

Too true. A few years back, my father had his wallet stolen. The bank &
the police (for various reasons) thought it was an organised crime gang,
and decided to keep the cards active for a while, instantly replacing
the money in his account as it was withdrawn.

One of the withdrawals was made over-the-counter at a cashier in
Barclays Bank, in the town where I live. The culprit was filmed on
security camera. It was a woman. The cashier gave them money anyway,
even though the name on the card said "MR HULATT". I'd expect that the
cashier got a good kicking from the bank.

Jon  


2005\02\23@122141 by Mike Hord

An interesting side story about this theft of cards...

A few weeks ago, my mother-in-law was on line at the
supermarket, and after paying she scooped up her
receipt and debit card, dumped them in her purse and
left.  Later that day, she bought gas (pay at the pump).
After filling and paying, she went to return her debit card
to her wallet and realized that it wasn't her debit card.

She returned the card to the bank (the cardholder's
account was with her bank) and asked that it be returned,
and that her account have the price of the gas she
bought transferred to the other account with her apologies.

The bank thanked her and deducted the money.

The next day, the police interrogated her for two hours
before finally charging her with identity theft.  Her court
date is next week.  Attorney costs are now at $1500.

Over $27 worth of gas, which they only know she spent
because she returned the card and requested her account
be debited.

Mike H.

2005\02\23@131318 by Bob Axtell

I had my identity stolen right after the first Gulf War. I had
been on a contract design assignment  in Texas. I had almost
NO credit cards; I'm not a big user of them. I then returned
to Georgia and forgot about credit things.

Somehow, somebody got hold of a LOT of personal information,
and could successfully identify himself as me. Unknown to me, he
racked up $20,000 worth of accounts, which didn't show up for
almost 5 years. I paid off a few, negotiated some down to where
I could pay them. I filed a police report in Texas, tried to work
with these banks. I thought that was it. Now, 14 years after the fact,
I found that I "owed" another $15,000 worth of accounts that had
somehow been hidden for 14 years, never appearing in any of the
three credit-reporting agencies over all those years (and still don't
appear, I might add).

This time I hired a lawyer, who told me that there is a limit to how long
things can  be a potential threat; that a creditor who waits 14 years to
chase down ANY debt is a fool, that nobody needs to be paid back from
those days.

Police never caught the person who pulled this off.

What's odd is that during those Gulf War years, I thought my credit
wasn't good enough to bother applying, yet this guy gets $25,000+
with a minimum of ID, and fake addresses... What a country...

---Bob


--
Note: To protect our network,
attachments must be sent to
attachspamspam_OUTengineer.cotse.net .
1-866-263-5745 USA/Canada
http://beam.to/azengineer

2005\02\23@161608 by Russell McMahon

> The next day, the police interrogated her for two hours
> before finally charging her with identity theft.  Her court
> date is next week.  Attorney costs are now at $1500.
>
> Over $27 worth of gas, which they only know she spent
> because she returned the card and requested her account
> be debited.

IANAL,T and presumably the attorney is up with the play, but the
questions I would ask would include:

What happened to her card?
Did someone else get it?
Did the supermarket still have it?
Can they confirm the above?


       RM

2005\02\23@174949 by Mike Hord

> IANAL,T and presumably the attorney is up with the play, but the
> questions I would ask would include:
>
>  What happened to her card?

Presumably, it went into her wallet.  The "found" card was lying on
the counter by the till, and got scooped up by habit.

> Did someone else get it?
> Did the supermarket still have it?
> Can they confirm the above?

After the bank got the "stolen"/"found" card back, no one but the
teller knows what happened.  It's possible that the teller used it
a bunch, then is allowing my mother-in-law to take the rap for
those charges.  I find that unlikely, but one never knows.

Mike H.

2005\02\23@180620 by Howard Winter

Eddie,

On Tue, 22 Feb 2005 12:32:13 EST, @spam@SavanaPicsKILLspamspamaol.com wrote:

>...<
> About the only really sure way I can think of is either by fingerprint
> recognition (which you would never be able to keep clean) or retina recognition.
> (I have no knowledge of this one)

Actually Iris recognition is a lot easier to do than retina, and is reckoned to be very secure.

Cheers,



Howard Winter
St.Albans, England


2005\02\23@180935 by Howard Winter

Kyrre,

On Tue, 22 Feb 2005 19:00:00 +0100, Kyrre Aalerud wrote:

> I just wanted to mention...
>
> Without modifying the ATM with a video camera one can see the pin used by
> the last person.
> Method: Thermal imaging.
> A picture of the pad would reveal both which digits are used and even the
> sequence.
> Scary, huh?

I'm not sure if the relative heat of the fingers would be different enough to tell the sequence, especially if
you do it quickly, use your fingernails, or have repeated digits.

> These thermal imaging systems are sensitive enough to see the tracks from a
> tank on snow long after it is gone.
> Fingers on buttons are a lot easier.

A friend used to demonstrate them by opening a telephone book at the centre, placing his hand on the middle
page for 5 seconds, then closing it and holding it up to a thermal imaging camera - the handprint is clearly
visible!

Cheers,


Howard Winter
St.Albans, England


2005\02\23@181527 by Howard Winter

On Wed, 23 Feb 2005 05:23:34 EST, KILLspamSavanaPicsKILLspamspamaol.com
wrote:

> Ohhh, and let's not forget the ones in the grocery/
> convenience stores on the good ole dialup at 9600 baud

Actually they use ISDN here (64k), unless they have a
permanent internet connection.  And they aren't sending
much data - a few dozen bytes should do it, even with
error correction and encryption.

Cheers,


Howard Winter
St.Albans, England


2005\02\23@182730 by Padu

From: "Howard Winter" <RemoveMEHDRWTakeThisOuTspamh2org.demon.co.uk>
>
> Actually Iris recognition is a lot easier to do than retina, and is
> reckoned to be very secure.
>

Some banks are already using iris recognition in lieu of magnetic cards.
Airports too... Panasonic and Iridia (don't remember if that's the correct
company name, but do a search on John Daugman, he's the iris man) have a
hardware/software solution that seems to work very well with excellent
reliability.

Padu

2005\02\23@184622 by Alex Harford

On Wed, 23 Feb 2005 11:21:38 -0600, Mike Hord <spamBeGonemike.hordspamBeGonespamgmail.com> wrote:
>
> A few weeks ago, my mother-in-law was on line at the
> supermarket, and after paying she scooped up her
> receipt and debit card, dumped them in her purse and
> left.  Later that day, she bought gas (pay at the pump).
> After filling and paying, she went to return her debit card
> to her wallet and realized that it wasn't her debit card.

Maybe the terminology is different in Canada, but don't you need to
enter a pin number for debit cards (Interac?)

Alex

2005\02\23@185412 by Russell McMahon

> Some banks are already using iris recognition in lieu of magnetic cards.
> Airports too... Panasonic and Iridia (don't remember if that's the correct
> company name, but do a search on John Daugman, he's the iris man) have a
> hardware/software solution that seems to work very well with excellent
> reliability.

Does it beat the contact lens solution?
A James Bond film long ago used an iris system that was defeated by
such a solution.
Gave them a Victor  (Vulcan?) (afair) bomber and several nukes.


       RM


2005\02\23@194612 by Roy J. Gromlich

I am very curious about this as well.  I have an ATM card which has direct
access to my bank account - I have to key in a PIN to use it.  I also have
several gasoline company Credit Cards, which are simply pushed into the
gasoline pump slot. Those do not have a PIN - but the card is ONLY good for
buying gas (petrol) at a given company's pumps.

So I don't see how the confusion could happen - how she was able to buy gas
on someone else's card without using a PIN.

RJG


2005\02\23@203016 by Robert Rolf
Roy J. Gromlich wrote:

> I am very curious about this as well.  I have an ATM card which has direct
> access to my bank account - I have to key in a PIN to use it.  I also have
> several gasoline company Credit Cards, which are simply pushed into the
> gasoline pump slot. Those do not have a PIN - but the card is ONLY good for
> buying gas (petrol) at a given company's pumps.
>
> So I don't see how the confusion could happen - how she was able to buy gas
> on someone else's card without using a PIN.

It must have been a CREDIT card, since no PIN is required for use.
Just a signature (which is rarely checked) which the pump
would not be able to verify.

Beware of North American Esso "Speed pay" RFID dongles.
It's a widely used TI RFID module.
Apparently they have just been cracked by some university
researchers who say that only a few tens of dollars in parts
was required to pull the keys after eavesdropping on a few transactions.
Geeze guys, can't ANYONE get it right?

Robert

2005\02\23@210659 by Spehro Pefhany

At 07:46 PM 2/23/2005 -0500, you wrote:
>I am very curious about this as well.  I have an ATM card which has direct
>access to my bank account - I have to key in a PIN to use it.  I also have
>several gasoline company Credit Cards, which are simply pushed into the
>gasoline pump slot. Those do not have a PIN - but the card is ONLY good for
>buying gas (petrol) at a given company's pumps.
>
>So I don't see how the confusion could happen - how she was able to buy gas
>on someone else's card without using a PIN.
>
>RJG

Some of us have combined credit and debit(Interac)/ATM cards, as well
as credit-only and ATM/debit-only cards. In gas pumps, in credit mode,
no PIN is required (up to some fairly low limit, I think C$75). Sometimes
(Shell, for example) they don't seem to like cards from way outside their
normal trading area. The banks are trying to discourage the combined cards,
AFAIUI.

For some reason, in the US, debit cards seem to have a bad rep (like they
are only for people with terrible credit who can't get a real credit card).
I have one that is disguised as a credit card with the Mastercard logo.
But in Canada they are widely accepted at all kinds of places, you can even
get cash back (like visiting an ATM) at the liquor store, Sam's Club etc.
without the service fee you'd run into using an ATM from a non-bank network.
I tend to use the credit where there  is no penalty and where it's
accepted since they give me a nice kickback (adds up over time to enough to
take the family to Asia for free!)

Best regards,

Spehro Pefhany --"it's the network..."            "The Journey is the reward"
TakeThisOuTspeffEraseMEspamspam_OUTinterlog.com             Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog  Info for designers:  http://www.speff.com




2005\02\23@235819 by William Chops Westfield

On Feb 23, 2005, at 3:15 PM, Howard Winter wrote:
>
>> Ohhh, and let's not forget the ones in the grocery/
>> convenience stores on the good ole dialup at 9600 baud

I don't think the CPU is likely to be the bottleneck...

Communications (in the US) is normally 1200bps dialup using one of the
oldish protocols, at least for  the typical visa/etc verification.  
We've had numerous requests to implement assorted 'fast connect'
strategies on dial-in internet modems: the modem negotiation time for a
typical modern 9600bps modem is awful, and it usually does that BEFORE
it tries the lower speed protocols :-(  The credit card machines
usually use standard Hayes command-set modems these days; one of our
hacks involved making our internet terminal server act like a Hayes
modem, so that 'modern' stores with (ie) DSL internet connections could
avoid paying for the extra phone lines by doing their credit
verification over internet instead (without changing the (eg) gas pump
that expected to be talking to a modem...)
(faster, too!)

The details of the protocols tend to be annoyingly proprietary, so as
an async comm vendor, you pretty much have to settle for tunneling at
the async byte level.  Sigh.


BillW

2005\02\24@000835 by William Chops Westfield


On Feb 23, 2005, at 4:46 PM, Roy J. Gromlich wrote:

> So I don't see how the confusion could happen - how she was able
> to buy gas on someone else's card without using a PIN.
>
You have your specific vendor credit cards, and you have your general
purpose credit cards.  The average "Shell" gas station will accept
either a shell credit card OR a visa card, but ONLY the gas stations
will accept the shell card, while the visa is good nearly everywhere.
(There are also general purpose credit cards issued by gas companies.
I believe I have a "shell" mastercard that is issued by shell, supported
by mastercard, and good anywhere mastercard is accepted, but with
special benefits at shell stations.)

It's all silliness caused by the fact that it is so profitable to lend
people money...

BillW

2005\02\24@044345 by Peter L. Peres



On Tue, 22 Feb 2005 RemoveMESavanaPicsspamTakeThisOuTaol.com wrote:

> About the only really sure way I can think of is either by fingerprint
> recognition (which you would never be able to keep clean) or retina recognition.
> (I have no knowledge of this one)

So far only wallets and codes were stolen. Now it's time for eyes and
fingers.

Peter

2005\02\24@052454 by Jinx


> So far only wallets and codes were stolen. Now it's time for eyes and
> fingers.

People have done it with relative's thumbs to collect pensions after the
legitimate owner of the thumb has gone to a better place

2005\02\24@054221 by Alan B. Pearce

>So I don't see how the confusion could happen - how she
>was able to buy gas on someone else's card without using a PIN.

It could happen quite easily here in the UK, before chip & pin came in. Card
gets swiped, docket signed as in any normal CC transaction, signature
assumed to be for that card, and not checked by person behind counter.

2005\02\24@054657 by Alan B. Pearce

>> So far only wallets and codes were stolen. Now it's time for eyes and
>> fingers.
>
>People have done it with relative's thumbs to collect pensions after the
>legitimate owner of the thumb has gone to a better place

I'm thinking more along the line demonstrated in TV programs like CSI, to
get the fingerprint from a corpse, when the inner flesh is too far gone to
be stable enough to hold the skin. Scalp the skin off the finger, and use it
as a glove.

2005\02\24@055927 by Jan-Erik Soderholm

Jinx wrote :

> > So far only wallets and codes were stolen. Now it's time
> > for eyes and  fingers.
>
> People have done it with relative's thumbs to collect
> pensions after the legitimate owner of the thumb
> has gone to a better place

Actually, you don't have to steal the whole finger, it's enough
to collect an ordinary fingerprint.

A Swedish student showed how this can be done at
the CeBit electronics fair in Hannover/Germany last year.
Here is an article (in Swedish, but with a lot of pictures) :

http://nyteknik.se/art/37392

In short :

- Collect a fingerprint from someone.
- Use traditional techniques to save it.
- Etch a copy of it on standard PCB laminate material.
- Pour some rubber/plastic mould over the etched PCB.
- You will get a thin, transparent, faked "skin" that can be put
 on your own finger. It's hard to see the extra "skin" layer.

She was able to break most equipment for reading fingerprints
at CeBit.

Her work was based on a work done by someone from Japan,
here :

http://www.rootsecure.net/content/downloads/pdf_downloads/fingerprint_scanners.pdf

Interesting reading...

Enjoy !
Jan-Erik.



2005\02\24@060921 by Jinx

> I'm thinking more along the line demonstrated in TV programs like
> CSI, to get the fingerprint from a corpse, when the inner flesh is too
> far gone to be stable enough to hold the skin. Scalp the skin off the
> finger, and use it as a glove

Boy, there've been some really great tips out of the list this week ;-)

2005\02\24@070109 by Russell McMahon

>> I'm thinking more along the line demonstrated in TV programs like
>> CSI, to get the fingerprint from a corpse, when the inner flesh is
>> too far gone to be stable enough to hold the skin. Scalp the skin
>> off the finger, and use it as a glove

> Boy, there've been some really great tips out of the list this week
> ;-)

This one is a finger tip


       RM


2005\02\24@072229 by Hulatt, Jon


>
> > Boy, there've been some really great tips out of the list this week
> > ;-)
>
> This one is a finger tip
>
>
>         RM
>


Russell, that was painfully bad.

2005\02\24@080636 by Tony Smith


Photo ID on the card has been tried, it doesn't work either.  Years ago a
newspaper or TV show in the USA tested this idea using cards with pictures of
dogs, flowers, girl's photo on man's card etc.  No-one noticed or cared.  Now
that I think about it, it could be a real promo idea for a bank - get a
photo of your dog on your credit card.  Beats football team logos on some
I've seen.

No-one ever checks my signature, my card is usually back in my pocket before
I get the slip to sign.  I've demonstrated this by using other people's
(girlfriend etc) cards to buy stuff with.

The last person to even make an effort (boss probably watching on CCTV -
they trust the staff less than the customers) held the card upside down when
'comparing' signatures.

Occasionally banks will track spending habits and call you if there is an
'irregularity' to get confirmation.  Old idea too, been around since the
'80s.  Some telcos were going to do this for mobile telephones as well, back
when people were 'sniffing' the codes and making cloned 'phones.  Hmm, we
noticed you were in New York, Sydney & Paris on the same day...

Most security ideas fail because you have a bunch of people on one side that
don't care, and a bunch of rather inventive people on the other who'll find
a way around your security.  Often they don't have to - they just take
advantage of the don't care bunch.

Unrelated but funny true story: Working at a telco, one day I was asked "Why
are we sending top secret brewery construction plans to people all over
Asia?".  How interesting, I thought.  We had a fax-back service that people
could ring and have a satellite TV guide sent to them.  The TV company was
responsible for keeping it up to date; they simply faxed the new schedule to
a certain fax number we gave them.  Before they could send the fax, they had
to key in a 4-digit password; so ring, enter password, hit start.  Standard
service.  They complained about the password step (It's toooooo hard...), so
it was eventually removed.  All went well until the brewery faxed plans from
one state to another, forgot to enter the area code, and got our number
instead.  Hilarity happened, as one website puts it.

Tony

2005\02\24@120405 by Mike Hord

> > I am very curious about this as well.  I have an ATM card which has direct
> > access to my bank account - I have to key in a PIN to use it.  I also have
> > several gasoline company Credit Cards, which are simply pushed into the
> > gasoline pump slot.  Those do not have a PIN - but the card is ONLY good for
> > buying gas (petrol) at a given company's pumps.
> >
> > So I don't see how the confusion could happen - how she was able to buy gas
> > on someone else's card without using a PIN.
>
> It must have been a CREDIT card, since no PIN is required for use.
> Just a signature (which is rarely checked) which the pump
> would not be able to verify.

I guess my one-ended world view caused some confusion here.  I apologize.

In general, at least where I live, the most common debit card type also has
a Visa (usually, but sometimes Mastercard) logo on it.  Those cards can
be used anywhere a regular credit card can be used, by providing a signature,
or can be used anywhere a regular debit card can be used, by providing a
PIN.

I usually use mine in PIN mode; it alleviates the need to sign anything.
Even when I use it in signature required mode, the clerks only check it
about 50% of the time.  Less, if I swipe it myself.  In this case, she paid
outside the gas station by inserting the card into a reader on the pump
itself.  No verification is necessary in those cases; many readers won't
even allow you to use the card in PIN mode.  So double trouble: not only
was she not required to take any action that might have revealed the
mix-up (i.e., having her PIN refused), no other person looked at the card
to notice that the signatures didn't match.

In the end, she only noticed it because she tried to put the card back
into her wallet and discovered her card already there.  Since they were
issued by the same bank, they were identical except for the names.

I read of a study not long ago where someone signed a number of receipts
for their own credit card as "Big Bird", "James Bond", "Barbara
Streisand", etc., and was never called out on it.

Mike H.

2005\02\24@123746 by Brooke Clarke

Hi:


A little over a year ago a company started offering a fingerprint reader
that used an optical line scanner to read the visible print as the
finger was manually (or should I say digitally) scanned past its
window. After reading about it the obvious way to defeat it was to do
something similar to the process in the link below. An email to the
manufacturer asking about this was not answered.

In the Jan 2005 issue of Sensors magazine the article "A Multispectral
Sensor for Fingerprint Spoof Detection" shows a new sensor where IR is
added to the visible light so not only does the visible image need to
match but also the heat below the skin's surface.  See:
http://www.sensorsmag.com/articles/0105/25/

Some of the packages delivered by the USPS, Fedex, UPS, etc require a
signature.  Sometimes that's provided on an electronic touch pad rather
than with pen and ink.  Years ago there were articles that pointed out
that the dynamics of the signature were harder to forge than the
appearance of the signature.  By dynamics I mean the velocity,
acceleration and jerk in the X and Y axes.  A PIC could be connected to
one of these electronic signature input devices and extract some key
dynamics values whose vector distance to a standard would be computed by
a larger computer somewhere else.

Either of the methods above, and/or others, will eventually be more
common since identity theft is a hot topic now.  In the U.S. many
congressmen/congresswomen have it as one of their legislative agendas.  
The internet, eBay, PayPal etc. are making identity theft more visible
than it used to be.

Have Fun,

Brooke Clarke, N6GCE

--
w/Java http://www.PRC68.com
w/o Java www.pacificsites.com/~brooke/PRC68COM.shtml
http://www.precisionclock.com
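
The signature-dynamics comparison described in the post above, as an added example that is not part of the original message: it takes pad samples at a fixed rate, reduces each axis to mean absolute velocity, acceleration and jerk, and compares the squared vector distance to an enrolled signature. The feature set, the threshold of 1.0, all names and the sample data are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_SAMPLES 64
#define N_FEAT 6                 /* mean |v|, |a|, |jerk| for X, then for Y */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

typedef struct { int x, y; } pen_sample;   /* one pad reading per fixed tick */

/* Constructed sample data (not real signatures), in pad units per tick. */
const pen_sample ENROLLED[] = {{0,0},{1,2},{4,3},{9,3},{16,2},{21,0},{24,-1},{25,-1}};
const pen_sample GENUINE[]  = {{0,0},{1,2},{4,3},{9,3},{15,2},{21,0},{24,-1},{25,-1}};
/* Roughly the same visible shape, traced slowly at constant speed. */
const pen_sample TRACED[]   = {{0,0},{2,2},{4,3},{6,3},{8,3},{10,3},{12,3},{14,2},
                               {16,2},{18,1},{20,0},{22,-1},{24,-1}};

/* Mean absolute k-th finite difference: k=1 velocity, 2 acceleration, 3 jerk. */
static double mean_abs_diff(const double *p, size_t n, int k)
{
    double d[MAX_SAMPLES], sum = 0.0;
    size_t i, len = n;
    for (i = 0; i < n; i++) d[i] = p[i];
    while (k-- > 0)
        for (len--, i = 0; i < len; i++) d[i] = d[i + 1] - d[i];
    for (i = 0; i < len; i++) sum += d[i] < 0 ? -d[i] : d[i];
    return sum / (double)len;
}

/* Returns 0 and fills f[], or -1 when jerk cannot be computed (n < 4). */
int extract_features(const pen_sample *s, size_t n, double f[N_FEAT])
{
    double xs[MAX_SAMPLES], ys[MAX_SAMPLES];
    if (n < 4 || n > MAX_SAMPLES) return -1;
    for (size_t i = 0; i < n; i++) { xs[i] = s[i].x; ys[i] = s[i].y; }
    for (int k = 1; k <= 3; k++) {
        f[k - 1] = mean_abs_diff(xs, n, k);
        f[k + 2] = mean_abs_diff(ys, n, k);
    }
    return 0;
}

/* Squared Euclidean distance between the two feature vectors; -1 on bad input.
   Unscaled features are an assumed simplification for this example. */
double sq_distance(const pen_sample *a, size_t na, const pen_sample *b, size_t nb)
{
    double fa[N_FEAT], fb[N_FEAT], sq = 0.0;
    if (extract_features(a, na, fa) || extract_features(b, nb, fb)) return -1.0;
    for (int i = 0; i < N_FEAT; i++) sq += (fa[i] - fb[i]) * (fa[i] - fb[i]);
    return sq;
}

int signature_accepted(const pen_sample *ref, size_t nr,
                       const pen_sample *attempt, size_t nt, double max_sq)
{
    double d = sq_distance(ref, nr, attempt, nt);
    return d >= 0.0 && d <= max_sq;   /* unusable input is rejected, not passed */
}

int main(void)
{
    printf("genuine: %.3f  traced: %.3f\n",
           sq_distance(ENROLLED, COUNT(ENROLLED), GENUINE, COUNT(GENUINE)),
           sq_distance(ENROLLED, COUNT(ENROLLED), TRACED, COUNT(TRACED)));
    return 0;
}
```

The traced sample covers about the same path as the enrolled one, yet its constant pen speed leaves acceleration and jerk near zero on the X axis, which is what pushes it past the threshold.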




2005\02\24@130304 by Peter L. Peres



On Wed, 23 Feb 2005, Howard Winter wrote:


I have an eye simulator (used for calibrating optometrical equipment).
Add a rubber mask, a slide with an iris shot of yours and a bag of warm
water to make the heat sensors happy and we'll go wherever you go after
fixing some details, such as the timing on the servo that will twitch
the 'eye' so it does not appear dead. I am not even sure all this is
needed, the slide alone and a warmed empty coffee mug to hold
behind it may be enough.

Peter

2005\02\24@133238 by Hulatt, Jon


> Some of the packages delivered by the USPS, Fedex, UPS, etc
> require a signature.  Sometimes that's provided on an
> electronic touch pad rather than with pen and ink.


But I can't sign those worth a damn; it's impossible to draw anything
that looks like my own signature, let alone anyone else's!

2005\02\24@140152 by Peter Johansson

Alan B. Pearce writes:

> I'm thinking more along the line demonstrated in TV programs like CSI, to
> get the fingerprint from a corpse, when the inner flesh is too far gone to
> be stable enough to hold the skin. Scalp the skin off the finger, and use it
> as a glove.

Unfortunately a lot of the science on CSI isn't real.  Google for "CSI
effects jury verdict" for some interesting stories...

However, there was a graduate student who used common methods and
readily available chemicals to make fake fingerprints from *lifted*
prints that were good enough to fool many biometric devices:

  http://www.schneier.com/crypto-gram-0205.html


-p.

2005\02\24@150429 by Howard Winter

Peter,

On Thu, 24 Feb 2005 14:01:51 -0500, Peter Johansson wrote:

> > I'm thinking more along the line demonstrated in TV programs like CSI, to
> > get the fingerprint from a corpse, when the inner flesh is too far gone to
> > be stable enough to hold the skin. Scalp the skin off the finger, and use it
> > as a glove.
>
> Unfortunately a lot of the science on CSI isn't real.  

But fortunately this one is!  I've seen it done on a TV programme in Britain about a real forensic scientist,
where he demonstrated getting a fingerprint from a corpse in not-too-good condition using precisely this
method.  Gruesome though - I couldn't have done it!

Cheers,


Howard Winter
St.Albans, England


2005\02\24@150715 by Herbert Graf

On Thu, 2005-02-24 at 18:32 +0000, Hulatt, Jon wrote:
> > Some of the packages delivered by the USPS, Fedex, UPS, etc
> > require a signature.  Sometimes that's provided on an
> > electronic touch pad rather than with pen and ink.
>
>
> But I can't sign those worth a damn; it's impossible to draw anything
> that looks like my own signature, let alone anyone else's!

Hehe, very true. The local grocery store in my area has just started
installing "self checkout" lanes. I use my credit card for almost all
purchases. When it comes to "writing" my signature on the pad I simply
draw a line. No one has ever questioned it. Scary really...

-----------------------------
Herbert's PIC Stuff:
http://repatch.dyndns.org:8383/pic_stuff/

2005\02\24@161452 by Aaron

Herbert Graf wrote:

>When it comes to "writing" my signature on the pad I simply
>draw a line. No one has ever questioned it. Scary really...

I do the line trick, too.  I've never been questioned, but I do get a
reprimand from my wife when she's along. :)

Aaron

2005\02\25@041444 by Alan B. Pearce

>In this case, she paid outside the gas station by inserting
>the card into a reader on the pump itself.  No verification
>is necessary in those cases; many readers won't even allow
>you to use the card in PIN mode.

Hmm, good point, you can do this in the UK with the Pay-at-Pump that some of
the supermarkets use. You are limited to how much gas you can pump (IIRC it
is about GBP60 worth) but no pin is entered.

Now let's see, whose credit card can I pinch ...

2005\02\25@073912 by Gerhard Fiedler

Aaron wrote:

>>When it comes to "writing" my signature on the pad I simply
>>draw a line. No one has ever questioned it. Scary really...
>
> I do the line trick, too.  I've never been questioned, but I do get a
> reprimand from my wife when she's along. :)

I guess this means that you could dispute the charge. But if you do, you
probably won't be able to shop at that store again -- at least not with
that card.

Gerhard

2005\02\25@074243 by Gerhard Fiedler

>> Why not just print a photo on the card? The human brain is *very* good
>> at facial recognition, and this single measure would probably do more
>> to protect against POS fraud than anything else (assuming the
>> shopkeeper is not part of the scam too). A bank in the UK did this a
>> few years ago, but it didn't catch on.
>
> Photo ID on the card has been tried, it doesn't work either.  ...

I think one of the reasons it doesn't work is because it's so rare. If
every card had a picture of the holder on it, people would get used to seeing
the "right" picture on the card and IMO would get more attentive when the
picture is wrong. But too few banks offer this, and none requires it.

Gerhard

2005\02\25@084042 by Russell McMahon

>> Photo ID on the card has been tried, it doesn't work either.  ...

> I think one of the reasons it doesn't work is because it's so rare.
> If every card had a picture of the holder on it, people would get
> used to seeing the "right" picture on the card and IMO would get more
> attentive when the picture is wrong. But too few banks offer this,
> and none requires it.

When the NZ photo licence was introduced the powers that be said that
it was NOT intended to be a universal national photo ID.  Yeah, Right.
I'm not a conspiracy theorist, the government is out to get you etc
type BUT I do like to be told the truth and the pervasiveness of such
an ID system introduced in a dishonest manner displeased me. So I
ensured that my photo was essentially unrecognisable as me. Quite by
mistake the signature also turned out to be nothing like my real one -
that was their fault due to the open loop nature of the signature
acceptance system and the use of electronic signature pads.

So far, in the 4 years or so since it was issued,  I have not been
asked for my license by a traffic officer. But every now and then I am
asked to show it as ID. Great hilarity ensues. But they ALL accept it
despite the fact that the person in the photo looks like a gang
member, bouncer and / or a tow truck driver and, unlike me, has a
shaved head, long sideburns and a large and bushy beard. And the
signature doesn't match. I had ONE young lady who wouldn't accept it,
but her boss did. Great fun. And proves something, but I'm not quite
sure what.


       RM

2005\02\25@105515 by Bob Ammerman

Put the photo in a smart card digitally and have it display nice and big on
a monitor at the point-of-sale. Makes it really difficult to tamper with the
image and maybe somebody standing in line behind the crook will catch an
attempt at fraud, even if the clerk is oblivious.

Bob Ammerman
RAm Systems


2005\02\25@154831 by Peter L. Peres


On Fri, 25 Feb 2005, Bob Ammerman wrote:

> Put the photo in a smart card digitally and have it display nice and big on a
> monitor at the point-of-sale. Makes it really difficult to tamper with the
> image and maybe somebody standing in line behind the crook will catch an
> attempt at fraud, even if the clerk is oblivious.

I don't think they'd be looking. Most people look very unlike their
passport photos. Recognition after a months-old photo is not a natural
skill imho. It is taught for police officers and such afaik. Also, most
any witness would hesitate to interfere on the spot and probably avoid
to be cited as a witness in court later if he can.

What would work would be to store a digital photo of the card user until
the first transaction clears (can be a month + 15days for the cardholder
not to challenge the transaction). That would require a large data
storage system in the pos computer (100GB would be a little too small
according to my figuring, assuming 40k 480x320 jpg files and a busy
pos).

Alternatively, record the pos using time lapse video triggered by the
sale (recording the face of the user), and keep (rotate) the tapes over
a month. That would probably be 15 tapes per pos to store and rotate
(change tapes every 2 days).

Then, assuming some crook is caught on tape or digital pic, the shop
that operates the pos would be responsible for taking the card without
sufficient testing of the credentials. Would they want it ? I don't
think so. The owners may face questions or even refusal to pay the
transaction from the card company and the employees would risk their
jobs.

I think that it's a system cost thing. Fraud costs x % of revenues.
Until that x becomes bothersome nothing will be done about it. And the
people who determine the threshold are in the insurance business and
probably know much better than everyone else what works and what does
not.

Peter

2005\02\26@055844 by Gerhard Fiedler

Peter L. Peres wrote:

> I think that it's a system cost thing. Fraud costs x % of revenues.
> Until that x becomes bothersome nothing will be done about it.

Yes, exactly. And as long as the costs of the system are transparently (or
is that "intransparently"? :) embedded in the prices as a mix of all
different systems, there won't be much pressure to go to better/more
efficient/cheaper systems.

> And the people who determine the threshold are in the insurance business
> and probably know much better than everyone else what works and what
> does not.

But they may have a different angle. And they don't care whether cash is
cheaper or credit card or debit card... the shop says "we need all three"
and the insurance says "ok". The CC company says "CCs cost 3%" and the shop
says "ok". And both the CC customer and the cash customer pay a mix of the
cost, and we have no clue, because of course the CC companies don't say how
much of their "cost of doing business" is fraud. And this, in a way,
prevents you from knowing how high your "risk of doing business" with them
is.

Gerhard
