Keyboard loggers and credit cards

probe

A friend of mine used a hotel foyer internet terminal (regular windows XP PC setup) to reserve a room in another hotel for the following night, and during the SSL/TLS https reservation transaction gave a credit card number to guarantee the reservation. When the party mentioned that they had used a public internet facility with their credit card I suggested that they watch their card account every day (they have online banking*). Fraudulent transactions began to appear on the credit card statement within a few days. About 2000 € worth so far. (Under EU law the retailer is liable). It seems to me that there was a keyboard logger running in the hotel’s public internet terminal(s). This is a ***** establishment where one would expect them to take guest security seriously and run software to check for keyboard loggers and prevent the installation of unauthorized software.

The card in question is an EMV (chip) card issued by a British bank (the person lives in England). The brain dead bank immediately stopped all transactions on the card account – leaving the cardholder without a method of paying for hotels and meals for the rest of the trip, virtually penniless!

If your card details are compromised on the internet, the bank can stop all CNP (customer not present – ie internet type transactions). And still leave the card working for PIN authenticated transactions at ATMs and retail establishments where the cardholder can enter their PIN, until the cardholder gets home and can pick up their new card with a different card number.

There is no connection in terms of security risk between your card number getting into the wild on the internet (risk type A) and the cardholder’s card and PIN being stolen (risk type . Every transaction presenting itself across the Visa and MasterCard system can be segregated accordingly. One wonders if the Irish banks are as dumb as the British banks and don’t really understand the benefits of issuing payment cards with chips!?

.probe


*PS Don’t dream of using a public internet access terminal to access your bank account unless you have a user login that changes every time you access your account details. Ideally don’t use online banking at all unless the bank provides a continuously changing user login system to you. The PC you are using this minute could have a keyboard logger! Obviously the same applies to corporate e-mail access and your company’s remote desktop access, etc. etc.

biko

probe wrote:

When the party mentioned that they had used a public internet facility with their credit card I suggested that they watch their card account every day (they have online banking*).

Sound advice. It's very easy to install keyloggers on public computers in hotels, hostels and internet cafees unfortunately.

Random

They should all adapt the reboot system where each time a user goes to it they're presented with a fresh install of windows. Can't remember what it's called, live CDs I guess ..