Skimmers

The gypsy problem is being overlooked due to the ""other"" problem

I use the ATM like once a year. The bank is close enough that I can walk and do anything I need with the teller. I pretty much never use cash anyway.

RFID/NFC in modern cards/phones prevents cloning fraud, but if a company still takes magswipes, those are easy to capture and clone.

How do they even cash them out?

Isn't it incredibly sketchy to get use them? Or do they just sell them online to drug addicts and other retards who aren't valuable so they can just get caught

stohlen credit caad

Doing the smallest thing at a large company requires 100 layers of management to sign off and give their rubber stamps.

Smaller companies are more nimble.

People usually sell magswipe data online because it's lower risk. They get as cheap as $1 per card

But how is it used after?

Seems incredibly sketchy and risky. What's even the point if it's so cheap... Seems really high risk low reward in general

This. At least in my realm of the payment processing world. I'm at a medium sized business, and EMV compliance for us means coordinating our POS software with a compatible payment gateway and merchant processor. It's taking the software company forever to implement a solution for EMV, because it's a pretty specialized market and nobody is going to drop them if they don't get it done. They are just rolling out their compliance update next month.

We could have pulled the trigger on EMV last year, but it would have been a total work around, much like described at the porn shop. Then we would have thrown all that hardware out and got a proper solution this year.

The problem in my industry is that nobody's stepping up to make an easy to use, highly compatible system for taking chip cards. I'm sure a lot of businesses were in the same boat as we are, thinking we'll just eat any fees so we don't end up wasting money on hardware that will be useless to us in a year

>Unfortunately many merchants in the US still process on the basis of the magswipe

The only places around me that still do magswipe are fast food places. Everywhere else I shop at requires me to use the chip.

>life in austria
>shop across the street got the third credit card machine in the last 8 years
>never had a problem with credit card fraud

you amerifats are brightening my day once again

well?

This shit is pretty confusing

>like for instance my girlfriend works at a porn shop
People still buy porn?

she sells a little bit more than porn in the backroom...

Where else do you swipe besides gas stations and ATMs? Everything else is mandatory chip now.

Australia does not havethis problem. Why dont banks just issue cards eith chips permanently?

>Everything else is mandatory chip now.
lolno

>Only about 17 percent of Visa's merchants have adopted the new technology, Visa CEO Charles Scharf said in early February during a call with investors, and getting 50 percent of merchants on board will likely take until the end of the year.

any place that's not a major chain usually doesn't have chip enabled

and even the major chains, it's a gamble if they have chip enabled

Are you a 3rd world country?

I just touch the register with my card and Im done. No dirty bra cash, no waiting for change. Anything over 20€ I just enter pin.

If you're actually curious about this, find an eBook copy of Darkmarket(How Hackers Became The New Mafia)

Basically,
Skimmer skims.
Skimmer sells card data online in a large batch.
Carders buy lists.
Carders use drug addicts, homeless and bottom rung of society to cash out from shitty alleyway ATMs and they get compensation, usually a percentage of the money.
Rinse and repeat until the cards no longer work.

It's actually pretty much that simple, but yeah. I'd read DarkMarket if I was you, quite a lot of insight into how everything works.

I'll check it out.

But I still don't get your explanation of it, I mean I understand it in theory but it seems simply way too sketchy with cameras at ATMs and such.

Why would the drug addict or whatever take a percentage of the money when he can take all the money? How would you even persuade him to do it?
>psst hey faggot wanna make $100?

you tell them if they do what you want they get drugs/money, if they try and steal they die

It's consistent work, basically.
>hey phaggot draw out 1k and ill give you 100 of it
>why the fuk would i wanna do that?
>because ill give you a 10% cut for every job we do over a year?

Or conversely
>hey phaggot draw out 1k and ill give you 100 of it
>yeah sure
Jew steals the money
>lucky we're in Eastern Europe and i can just find you and cut your head off out the back of a slav techno bar

The guys who do this are actually organised crime, that do this on the side. A smart man wouldn't promise to sell product for a drug dealer and then skip out on him. That's how you end up shot in a ditch. Considering the guys that do this are so poor already, I doubt they could hide from people like this.

Oh, I know a little about that side of the world.
Someone stole my credit card in 2011, and the person who used it was clearly not a criminal mastermind.
>cable bill
>two cell phone bills
>electric bill
>catering
>hair braiding shop

Then a couple years later some stranger calls me and tells me my card number is on the internet. I google recent results for my name and my credit card is on pastebin along with 499 others as a "taster" for a guy selling them.

>Then a couple years later some stranger calls me and tells me my card number is on the internet

How is that possible? Wouldn't it have been cancelled and you have gotten a new one?

Credit card companies don't really allow you to get all that shit without verifying it.

>Hmmmm this guy started billing this credit card from an entirely different state even though what seems to be the legitimate owner has just used it a local store in his city

Jesus. Is that recent news?

In the past several months I haven't swiped anywhere except at gas stations. The grocery stores, CVS, etc. that I go to are all mandatory chip readers. I guess it must vary a lot depending on what part of the country you're in.

>How is that possible? Wouldn't it have been cancelled and you have gotten a new one?
It was cancelled when I saw the fraud in 2011 (two years prior to the pastebin) but my name, address, full card number (that had previously been cancelled), expiration, phone number and CVV2 (three digits on the back) were part of the dump.

>Credit card companies don't really allow you to get all that shit without verifying it.
Yeah Wells Fargo didn't shine in the fraud prevention department that day.

>how bad are these getting in your local area?
literally never known anybody who has had their credit card skimmed except for like 6 people who all had it happen in LAX at random times over the past 10 years. sort your life out burgers

Still seems kinda retarded.

I can't imagine anyone would agree to taking on that much risk for only 10% rather than just reporting you to the police after telling you to fuck off

>HE THINKS NFC CCS ARE SAFE
PFFFFFFFFFFFFAHHAHAHAHAHAHAHAHAHHAHA

NIGGA I CAN READ YOUR DATA FROM 3 METERS AWAY

here
Here's the fraud affidavit that I had to fill out when it happened

You're showing the picture of the inside of the atm machine, the only people who could have possibly installed a skimmer on the inside are either other techs like you or the bank tellers.

here
geniuses kept trying for a couple days until they had realized that the card number no longer worked

Why do I feel like poor niggers are the ones who do this shit?

Makes me kinda sick desu, I can understand if it's a normal guy earning money for the sake of earning money but a Shaniqua saying to her children "Ay kids mommas gonna be able to pay da bills and buy us some dem groceries" seems kinda unsettling

Isn't the range of NEAR FIELD communication like in the millimeter range?

there are multiple presentations on this topic.
Look into defcon and blackhat,just google.
ex.
youtube.com/watch?v=x2rF3dD1Ns0

>swipe cucks BTFO

It takes a special kind of retard to pay utility bills with a stolen credit card

I don't know, but somebody had to go out of their way and buy my credit card number online to use purchases that were easily tied to them.

I signed the fraud form, the charges were reversed and I owed nothing. I don't know if my information was ever charged to prosecute the person who used my card or who sold my information.

i don't have it set up on my phone but using a visa/mastercard if you don't have it pretty much flush against the sensor it doesn't read correctly half the time. i'd say 1cm would be max

>It takes a special kind of retard to pay utility bills with a stolen credit card

Not him but let's look at the clues.

1. Detroit
2. Braids
3. Retarded enough to pay utility bills and cell phone bills(LMAO)
4. Retarded enough to KEEP using it(ok one charge might go unnoticed... but fucking 6? and then keep trying even when it's declined???)

This is without a doubt a nigger. Only question is how did a nigger figure out how to navigate to forums to buy this?

Retarded as fucking hell.

I don't get why they didn't just use it to order like 2 iPhones and then sell them. Would've been *A LITTLE* smarter than fucking paying utility bills, you'd think.

how do the new chip things stop credit card fraud?
cant someone just make a copy of your chip?

They check IDs at the apple store nowadays for a match against the name listed against the card. In any event that wouldn't have worked as by all indicators some store I shopped at online was compromised, they didn't have the magswipe track data to make a physical card.

I meant order it online.

No, that's the whole reason the chip exists. When the chip is manufactured it is made with a secret, a secret the chip will not reveal. This secret is given to the bank who keeps it on file.

With EMV a challenge is given to the card (say 123). This is processed with the secret. The terminal doesn't know and can't get the secret. In combination with a set number of things (the challenge, the time of the charge, and the secret itself) the output will always be the same. If a charge with challenge 123 at 12:52 PM should have a result of x1Z, then it always will. But only the card issuing bank can validate that.

The whole point of the chips is they're not cloneable. At least, theoretically. There are attacks on poor EMV implementations.

en.wikipedia.org/wiki/Address_Verification_System
wouldn't have passed AVS unless they shipped it to my house, Apple wouldn't have shipped it.

Maybe they could've used it to buy WoW gold or something and then exchange that for BTC?

say you have someones chip
what if you challenge it multiple times can you figure out what its 'secret' is?

Could have worked if they had done it quickly enough, possibly. I haven't played WoW in a while but they would ban accounts by association with farmers when I played, so people were very hesitant as to who they would buy gold from.

You can't derive the secret (at least not with currently known attacks) but if the terminal uses poor implementation of the unpredictable number in the challenge then criminals can harvest attempts and make fake transactions that look cryptographically sound to the bank from the chip. There's a good paper on it:
cl.cam.ac.uk/~rja14/Papers/unattack.pdf

I don't see how ordering an iPhone wouldn't work past address verification while paying utility bills for an address not even associated with the credit card and buying catering is fine.

It's common for people to have a vacation or second home and pay utility bills with a credit card under another address, unfortunately.

For shipping goods worth hundreds of dollars, Apple doesn't ship to addresses that the bank doesn't have on file.

Newegg is crazy about this too (they made a mistake and banned me for fraud because I had billto: myname, shipto: Brother's name for the same exact address because they got an AVS name mismatch code; they claimed that my card issuer told them it was fraud, but I called my bank's merchant services and they verified Newegg never called them. I called Newegg back and flipped shit and they un-suspended me and gave me a $25 gift card).

What if you do it as a "gift"?

Smart white guy sold it to him.

I did. Newegg's fraud department went full retard anyways. A mismatch on name for AVS is normal if the shipto recipient is different.

Desperate drug addicts and homeless aren't known for their decision making abilities. Nice to hear that you can high road these people, user

If you want to use a credit card to buy expensive goods, the way to do it is by buying gift cards to whatever store. Gift cards are sold in drug stores, convenience, etc. These places typically don't have proper ID verification procedures. You could then resell those cards for cash too.

her ass?

>Gift cards are sold in drug stores, convenience, etc. These places typically don't have proper ID verification procedures. You could then resell those cards for cash too.

>It gets reported
>Gift card number is flagged
>Go to buy something with it and police are called

Fucking Burgerland…

When I was there last year, everything used the fuckin ancient magstripe.

And sometimes I even wasnt asked for a signature. That's not supposed to work like this.

Next time I am there, I keep track of my spendings, and whenever I pay something with card, and do not enter my pin or sign something, I'll tell my bank that I did not make this payment and see what happens.

Or probably I should use the wording "authorize" instead of pay. I'm pretty sure it should not be possible to get money out of my CC without my signature, so my bank does have to assume fraud.

Or am I overseeing something?

you just don't understand freedom

>Land of the free
>People go to jail for possessing a plant

Pics of gf?

If you were American, your credit score would go down if you report it for fraud. That can fuck you over in a thousand different ways for the rest of your life so trying to get a few dollars back from all those over priced coffees you drank would not be in your interest. That includes if the fraud was real.

>When I was there last year, everything used the fuckin ancient magstripe.
The EMV migration started late last year

>And sometimes I even wasnt asked for a signature. That's not supposed to work like this.
Merchants figure convenience is more worth it to you than the fraud from small charge amounts... they pay if the cardholder claims the charge isn't legitimate (of course they have security cam footage if you're lying, then your bank will consider you to have comitted fraud).

>Land of the free
>People go to jail for having certain 1's and 0's in their hard drive

>it should not be possible to get money out of my CC without my signature, so my bank does have to assume fraud.
It is rather possible. Ever notice amazon doesn't use CVV? And with some card issuers, only a small portion of the info has to line up.

>RFID/NFC in modern cards/phones prevents cloning fraud

In competent scenarios, yes. Ignoring the inflammatory defcon videos HORRY SHIT IT SHOWS YOUR NAME AND A CARD NUMBER AND SOME SHIT!!!!

Basically, in modern NFC implementations:
1) The cardholder name may or may not be different.
2) The credit card number on the RFID/NFC is different than the number printed on the physical card. This usually involves a cap in value. Even if the number is captured, it can't be used for non-wireless transactions.
3) The expiration date is not included on most RFID chips nowadays.
4) The CVV1 and CVV2 values are not included on modern NFC/RFID chips. Even if you eavesdrop, you cannot use the captured data for a magswipe or card not present transaction.
5) In modern RFID chips (& NFC implementations), the CVV3 value is dynamic, it varies based on the terminal ID, the challenge from the issuer, and then it is transformed by the secret on the NFC secure element/RFID chip to a unique response. Basically, replay attacks are impossible, while main-in-the-middle attacks would require you to hold up a card to an NFC enabled device while it is networked to a second NFC enabled device that is being held against the antenna at a point of sale. It's not trivial. NFC on cell phones becomes even harder as you have to have the person's phone unlocked and in their wallet application.
6) NFC transactions in the US are usually subject to a $25 or $50 ceiling, although it depends on the store, reducing the incentive for fraud to occur.

This is really interesting. Where I live you give your card to the cashier, he swipes it and enters the security code and then the machine spews a little ticket, which you have to sign and also write your id number.

It's really painless for the user, although a little bit dated cause you get the ticket from the credit card machine thingy AND the ticket from the register AND the cashier gets a copy of both, a fucking waste of paper.

And you also would have to give it to the cashier.

>life in austria

>Amerifats still don't get how chip and pin works in 2016
>'Developed Country'
>'Technology Leader'

kek