66 cloned payment cards recovered in Dublin. How did they get 'cloned'?

  • 16-02-2020 7:43pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    The article* does not say if the cloned cards had chips or otherwise. Cloning should/would not work if:

    a) All contactless cards worked in contactless mode only (and using contactless + PIN > EUR 30).

    b) EMV chip cards without contactless should only work in EMV mode (ie chip only – the magnetic stripe should not be accepted by the terminal – POS or ATM). Chip cards should only work if they were DDA compatible. SDA cards should require retailer/bank to ask for photo ID. Reason being the SDA card sends the same number each time, which can be cloned. DDA card ‘number’ varies ‘randomly’.

    c) The liability shift would make the retailer or bank liable for transactions involving magnetic stripe only (ie cards issued in some third world countries, which includes some US banks, and retailers – which are high risk anyway). It would be up to the acceptor of a mag stripe payment to check the ID of the cardholder, or bear the loss for fraud.

    Irish point of sale systems are largely rubbish. They refuse to take high security payment cards (eg those with high purchasing power). And they need to be updated to take contactless + PIN for all transaction amounts, because it is more secure than contact chip + PIN, using random encrypted tokens instead of transmitting the card number to the merchant device or ATM. It is probably just a firmware update on many devices. Much of the rest of Europe has changed to contactless + PIN. It is much faster for the retailer and customer to use. Chip technology has been in use since 1995 – and is past its sell-by date. In France it is illegal for a shop assistant to take possession of a customer's card. Aside from payment security, it provides added health safety in a world full of virus/viruses/virii/vira. There is no reason to hand over your card in a contactless transaction, irrespective of the amount involved.

    There is also the matter of cards using deprecated encryption technologies – RSA, SHA1 and 3DES. Which is an industry wide issue. Unfortunately, the payment card industry has allowed itself to be dominated by dumb Anglo-Saxon countries, who couldn’t care less about YOUR security, and are more concerned with spying and anything to prevent real democracy, as one has in Switzerland.

    It is no different to browser security, and all the websites that allow deprecated security protocols. I have come across a bank website that allowed crap security protocols in their online banking system (a small bank), and they were hacked for 13 million EUR, remotely from Northern Ireland and other places. Presumably the negligent banks did this to facilitate the dumbest, cheapest client who had a 10 year old PC which was not being updated for patches to bank online. Avoid support calls etc at all costs. No website should be using less than TLS 1.3 today, with AES 256, GCM, SHA 384 etc, especially where value transfer or PII is involved, and no server should allow connections with lower security. Else breach of GDPR and other risks.

    Card payment systems (and derivatives – eg mobile phone payment) need to subscribe to the Concrete Security model.

    A certain Irish public servant recently questioned the need for encryption! How dumb is that? Perhaps he and his friends would prefer MI5 & co take the country over? And they appear to have been doing this using stuff from crypto.ch (which gov.ie dumbly appear to have bought) allowing GB and US to snoop on government diplomatic/secret communications, and perhaps other stuff.

    With ‘friends’ like that, who needs enemies? It seems to me that this ‘public servant’ has his own agenda, and is trying to turn Ireland into an Anglo Saxon Trump/Johnson style police state....

    The Munich Security Conference was on this weekend. Was anybody senior from gov.ie there? As far as I can see there wasn’t. President Macron and Angela Merkel took the time to be there along with 100 global foreign and security ministers. As well as representatives of about 900 companies in the security industry. Zuck was there (Facebook). Nancy Pelosi, China’s Wang Yi, etc. Ireland has Facebook, Microsoft, Amazon, Google etc regional operations. And clueless politicians?

    Munich Security Report 2020:

    https://securityconference.org/en/msc-2020/agenda/#c1553


    Card scam in Dublin:


    https://www.irishtimes.com/news/crime-and-law/two-men-arrested-and-66-cloned-bank-cards-recovered-in-dublin-1.4175248 *


    Swiss newspaper reports on the fake 'encryption' software sold to Ireland and others by the CIA


    https://www.nzz.ch/schweiz/cryptoleaks-antworten-zu-spionageaffaere-um-zuger-firma-ld.1540009 [DE]

    https://www.nzz.ch/schweiz/der-it-spezialist-bruce-schneier-zur-crypto-affaere-ld.1540118 [DE]

    https://www.nzz.ch/schweiz/bespitzelung-von-freund-und-feind-niemand-war-sicher-vor-den-geraeten-der-crypto-ag-ld.1540103?reduced=true [DE]
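
The SDA/DDA distinction raised in point (b) of the post above, shown from the terminal's side as an added example that is not part of the original post. It assumes a toy textbook-RSA scheme with fixed primes, constructed card data and hypothetical function names; real EMV uses certificate chains and its own data formats.

```python
import hashlib
import secrets

def keypair(p, q, e=65537):
    """Textbook RSA from two primes (toy sizes, no padding: illustration only)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_h(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

# Constructed keys: fixed Mersenne primes so the example is reproducible.
ISSUER_PUB, ISSUER_PRIV = keypair(2**107 - 1, 2**127 - 1)
CARD_PUB, CARD_PRIV = keypair(2**61 - 1, 2**89 - 1)

STATIC = b"PAN=CONSTRUCTED-0001;EXP=12/99"   # constructed card data
PUBLIC_RECORD = {                             # everything a reader can copy
    "static": STATIC,
    "ssad": sign(ISSUER_PRIV, STATIC),        # issuer signature over static data
    "card_pub": CARD_PUB,
    "cert": sign(ISSUER_PRIV, STATIC + repr(CARD_PUB).encode()),
}

def genuine_card(challenge):
    """Chip signs the terminal's challenge with a key that never leaves it."""
    return sign(CARD_PRIV, challenge)

def copied_card(_challenge, _old=genuine_card(b"earlier-challenge")):
    """A copy holds no private key; it can only replay a response seen earlier."""
    return _old

def terminal_sda(record):
    """Static check: the same signed bytes pass every time, copy or original."""
    return verify(ISSUER_PUB, record["static"], record["ssad"])

def terminal_dda(record, respond):
    """Dynamic check: the certified card key must sign a fresh random challenge."""
    bound = record["static"] + repr(record["card_pub"]).encode()
    if not verify(ISSUER_PUB, bound, record["cert"]):
        return False
    challenge = secrets.token_bytes(8)
    return verify(record["card_pub"], challenge, respond(challenge))
```

`terminal_sda(PUBLIC_RECORD)` accepts any holder of the public record, while `terminal_dda` accepts `genuine_card` and rejects `copied_card`, because the replayed response does not match the new challenge.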


Comments

  • Closed Accounts Posts: 1,862 ✭✭✭un5byh7sqpd2x0


    Impetus wrote: »
    There is also the matter of cards using deprecated encryption technologies – RSA, SHA1 and 3DES.

    :eek: SHA1 is not an encryption technology!

