A reliable credit-card skimmer detector: a card that detects multiple read heads

Originally published at: https://boingboing.net/2018/09/04/fuzz-buster-buster-buster-2.html


I guess we are safe, for the moment, at least until they come up with credit card skimmer detector detectors.


In lieu of using credit cards I guess I’ll go back to using cash, which I’ll withdraw from the ATM using my…aw crap.


I think you meant credit card skimmer detector skimmer detectors? :wink:

1 Like

It would have been nice if the authors of the paper had provided PCB files and schematics so people could download copies and make/order their own. I’d love to search for these things.


The design might not be ready for public use. Or the researchers have a reasonable concern that doing so would hand the tool directly to skimmer-makers, the better to develop countermeasures.


Or we could just, you know, finally do away with magstripes and require chip or NFC like the rest of the civilized world.


which will be broken in 3,2,1…[if they haven’t already been]


Please not NFC, that’s even easier to skim/eavesdrop than a magstrip.


NFC is plenty safe when it uses Dynamic Data Authentication (DDA) instead of Static Data Authentication (SDA). Skimming the data may get you the account number, but not a valid CVV needed to use it.

What they have to stop doing is accepting cards with SDA (mag stripes, CVV2 printed on the back, etc.)

1 Like

Australia has had NFC chips on cards for quite a few years now (10?); but despite this, I’m yet to see a credit card issued without the magnetic stripe, or an ATM that doesn’t involve me putting the card in the machine like they always have.

Presumably banks still want their machines to work with cards from overseas and their cards to work in other countries…


Chip cards and EMV (Chip and PIN) protocols have been broken several times in the past, and those protocols have been strengthened and re-strengthened as a result. The current protocols have been solid for several years now.

It’s not for lack of trying. There is a lot of incentive for crooks and researchers to defeat these protections.

The only avenue of exploitation open to chip card skimmers these days is to steal account numbers (which are not encrypted) and use them for Card Not Present (CNP) fraud.


Hm. I’m not convinced. Wireless devices with ‘baked in’ security and no way to update the firmware (which is what an NFC card is). That’s just waiting for someone to find a vulnerability.

I’d much prefer a need for physical contacts.


I’m all for doing away with 1928 tech from my money card but NFC is even worse. Chip and PIN seem the safe way to go these days. Still hack-able but not as easily.


Please world, stop using magstripe credentials - signed - someone who works with 'em and other credential types.


At least in the USA, NFC payments are almost exclusively done through mobile devices, which receive regular firmware updates (at least, Apple’s and some of the better Android phones do).

How is NFC worse? It’s easier to eavesdrop on the communications channel, but that’s only an issue if the protocol is broken. Assuming a broken protocol, NFC might be slightly easier to attack than chip (easier to put an antenna within range than to shim the contacts in the chip slot).

1 Like

It’s detectors all the way down.

1 Like

Hahahahahahahahahaha. Oof, Let me catch my breath. That’s a good one. :grinning:

But ok. On a phone it’s slightly less bad than on a card, which is still the main way NFC gets used here in the EU.

The transmission technology (wires, NFC) doesn’t matter. The account number not being encrypted shouldn’t matter.* What does matter, and the root of the problem, is unchanging (static) authorization data.

On a mag stripe card, the authorization to use the card comes from knowing the CVV value (not your account number, which is your identity). The mag stripe never changes, so every time you use it, the reader gets the same authorization number; this same number is used over and over again by you, and by anyone who copies it.

With an NFC card, mobile phone with NFC, or any chip card, this number is dynamically generated anew every time you use the card. A thief who skims it gets your authorization number for this one transaction, but you’ve already used it; and the bank won’t allow the same authorization value to be reused on another transaction.

Note that it doesn’t matter how the data is transferred as long as the card (phone, or payment device) has a secure chip that generates a dynamic authorization value, and the bank properly rejects duplicates.

  • Many things have to line up to assure the security of the system, of course, and an incorrectly issued card or misconfigured bank system can still be exploited. But most banks are getting better, because the penalties for incompetence are higher than ever.