How could people smart enough to pull of this hack be so stupid as to keep using it at the same place? Smart nerds, stupid criminals.
-
Recommend Recommended 2
-
Discussion Recommended!
Recommending means this is a discussion worth sharing. It gets shared to your followers' Disqus feeds, and gives the creator kudos!
Find More Discussions
-
- Share
- Sort by Best
-
-
Doingitwronf IceTrey • 7 days ago see moreThat's the separation of Intelligence and Wisdom for you.
Just because you know how to make fire, doesn't mean you'll use it correctly. -
DarkLinkXXXX IceTrey • 15 days ago see moreI was thinking the same thing. Also, considering "other protections have been added to the system at the network level, which they decline to detail for fear of tipping off criminals", I doubt they put much thought into the fix.
-
-
Josh Walker • 15 days ago see moreSo they invent a revolutionary way of stealing money and then spend the stolen money on lottery tickets. That's deep.
-
phuzz Josh Walker • 14 days ago see moreBuying lots of lottery tickets is a bad idea if it's your money, but if it's someone else's cash then it's a good way to launder money.
-
Robert Walther phuzz • 13 days ago see moreLaundering money is intended to leave you with cash, not generate donations to government gambling. Laundering $680K would be a waste of time, energy, money and secrecy. It's not enough to bother with.
-
WestInEast Robert Walther • 10 days ago see moreWin money = clean money (if they don't track where the ticket was bought (or by whom)).
-
Robert Walther WestInEast • 10 days ago see moreYou do not 'win' playing the lottery - ever! I play, but not as an investment strategy. That is the definition of insanity.
-
WestInEast Robert Walther • 9 days ago see moreIt's not for investments. It's for laundering money. When you launder money you always lose a bit. You know 'someone' changes the money for you but it will cost you say 15-50% depending on the sum and who you are. With lottery tickets, if you do it right, you could probably a) get the same 'loss' b) nobody else is involved so it's safer.
Now if you pick a lottery where they keep more than say 20% profit, then don't use that of course. In Europe, where this took place, there are types of lottery where they pay out roughly 90% of what you put in. Here is some info about Iowa's lotteries ; http://www.ialottery.com/Games... . Roughly you can get up to 66% back. Not bad. Just buy enough tickets and the chance will be close to that 66%. Don't bet a large amount of a single (expensive) ticket of course.
-
Robert Walther WestInEast • 9 days ago see moreAll first world lottery outlets have digital cameras monitoring lottery terminals. This is to guard against outlet owner chicanery and protect winners in case of many potential misadventures. Any one who uses a credit/debit card scam to acquire anything other than cash is just plain nuts.
-
-
-
-
-
-
-
John Josh Walker • 15 days ago see moreEasiest way to get 50+ cents on the euro if you buy enough of them. Buying stuff to resell would probably give a little more but it would also create a lot of work and more chances of getting caught.
-
-
MarkG54321 • 13 days ago see moreCalling fake on this. The description of how the authentication works is totally incorrect. A man in the middle attck is FAR more complex than simply replying "yes".
Either wired have reported this wrong,, or the paper is wrong (don't assume that just because its cone from Cambridge, its not horseshit)
-
Abram Clark MarkG54321 • 10 days ago see moreAgreed and +1. This is very much not a man-in-the-middle, as one end of the authentication IS COMPLETELY DIFFERENT, and there is nothing in the middle of any communications. This is actually a "removing the security through obscurity" attack.
-
-
Ingq20001 • 6 days ago see moreEnter a PIN for a credit card with a chip? What PIN? From what I have seen these chip-enabled cards work the same way as a regular card except they go into the bottom of a reader instead of getting swiped. Plus, they get used by fraudsters...in France and rated as a physical transaction.
What is the difference between the chip cards and the old one? Nothing as far as I can tell.
-
-
pmshah • 13 days ago see moreSomething most certainly isn't right. Here in India I have an option to go on line and change my pin number. How can the new pin get recorded on my credit card? Secondly we have auto SMS system. As soon as any transaction takes place the card holder gets a message detailing the transaction on his registered mobile phone. So the cards would at most be good for one or 2 transactions until the owner blocks it. How do you get away with more than half a million Euros?
-
ken weiss • 14 days ago see moreNice job, but you forgot to tell our friends in Nigeria, Russia, China where to buy the hardware...imagine how annoyed they must be for you to explain how to defraud most of the civilized world without revealing where they can buy the stuff...come on Wired...give the crooks a break...oh, wait a minute...you just did...
-
Robert Walther ken weiss • 13 days ago see moreAny successful crime reported on this site happened a while ago, generally quite a while ago if it was really successful. The interesting thing about locks, whether digital or traditional, is that those making them know how to subvert them, and they always tell somebody. With digital security the hackers know there is always a way to hack and a contact to enable the hack. Russia, China, North Korea already make the equipment or steal it. Someone will always take the chance, even the legitimate manufacturers only need one tech with too much gambling debt or too much greed and the secret is out. None of these major thieves are learning organized computer crime from Wired articles.
I know you're white.
-
Abram Clark Robert Walther • 10 days ago see moreThe best current practices for authentication and encryption do not have known exploits, hence why they're the best practices. You're incorrect. However, it's extremely common for best practices to be ignored.
-
-
-
CarlPheneger • 15 days ago see moreWhy is the pin number kept on the card in the first place. The agency that verifies the account number should also verify the pin number. So the chip on the card only carries the account number. The person entering the pin and the computer verifying the pin are the only ones that know the pin. This way the thief has to steal the card and coerce the card holder to get the pin.
-
Freddie Ligertwood CarlPheneger • 14 days ago see moreNetwork connectivity is not always available, hence why the pin is stored and verified 'on card.' I also think transmitting the pin over a public network is probably a significantly higher security risk than storing it on the card - this attack doesn't extract the pin from the card, it attacks communication between the card and the terminal.
In theory this method *should* flag up transactions as high fraud risk because the response code from the chip would say that the pin was not verified; it also shouldn't work on cards which don't permit non-pin transactions. In practise, it isn't as simple as that!
EDIT: Just looked through the paper, I didn't realise that the contents of the response code were mostly set on the terminal rather than the card, so my second paragraph is complete bull for the EMV protocol, although additional proprietary extensions can fix this to some extent. There is also an option for online PIN verification which means this attack fails.
-
CarlPheneger Freddie Ligertwood • 14 days ago see moreThis is still worse than what I have proposed. Because if you steal the card you have all the information you need you just have to figure out how to read the card. If the pin is stored some where else you have to go to two places to get the information you need. Either hack the network and steal the card. Or steal the card and coerce the victim to give it up.
-
Freddie Ligertwood CarlPheneger • 12 days ago see moreRight, but extracting the pin from the card is, to all intents and purposes, impossible (give it a few years and I'll be proven wrong, I'm sure). Also your system requires transactions be performed online - which isn't always possible.
-
Will CarlPheneger • 14 days ago see moreStealing the card is not enough, did you even read the article? You need to add an extra chip in it to simulate the Pin verification. It's incredibly hard and therefore rare.
Significantly harder than hacking a network with who knows how many weak points.
I'm pretty sure you're just being a contrarian here, with no real evidence.
-
Freddie Ligertwood Will • 12 days ago see moreIt's not really any more difficult than hacking a network (assuming you have already stolen the card) - however, the pin verification takes place on card for good reason (namely, offline transactions). Hacking the network might also give you access to the pin number as opposed to just being able to force verification.
-
Will Freddie Ligertwood • 12 days ago see moreIt's not really any more difficult than hacking a network
Blatantly not true.
Hacking the network might also give you access to the pin number
Hacking the network does not let you steal the PIN, as it is stored on the card.
-
Freddie Ligertwood Will • 8 days ago see moreAssuming that one can buy simple stick on shims to implement this attack - which if you can't already, I'm sure will be possible soon - it is significantly easier than hacking the network.
Mr. Pheneger was arguing for verification of the pin over the network (which is already done when possible and enabled by the card issuer, although I don't know what protocol they use). Not sure why I thought you were saying the same thing. Sorry! ☹️
-
-
-
-
-
-
-
darryl • 15 days ago see moreJust goes to show, companies absolutely need to patch their security holes even if it seems remotely possible that anything will happen - especially if money is involved.
Sort of reminds me of some video poker machines from back in the 90's The programmers knew there were only a few billion possible card combinations possible with their system and reasoned that no one would bother going through them all to exploit it and it wouldn't be possible. Well it did happen, based on the a few hands of the cards being dealt, the criminals could then determine when the next big hand would be dealt and they exploited it.
-d
-
Robert Walther • 13 days ago see moreThe US will have about $8 Billion dollars in credit card fraud this year. The only way this is possible is that bankers are directly involved in the largest thefts.
