yahoogroups in vidatra99
Do You read the news? 2 Weeks ago, happen hundreds mysterious fund withdrawal case from various ATM in all the world. Banks at Canada, UK, Rusia indicate that is their Debit Card product. Stolen? Maybe if Credit Card case we are all know better. But if Debit Card?
People says, sopping with Debit Card (or we know with ATM ) it’s more secure because (not like Credit Card ) it has one level security addition : password a.k.a. PIN Number.
Credit Card is more easier to counterfeit, but the execution need arrangement that rather complicated because it involve many sides. On the contrary, Debit Card, with existed that PIN, it’s more harder to fraud. But if we got the PIN, yeah it’s where the money is.
But, if we see the case, the bandits apparently can estimate to getting around with this PIN obstacle. If the case only two that’s no problem, consider accidental, for example someone behind you try to peep you. But this is hundreds, even thousands ? Where they get account data number so much, and I was wondering : from where they know all of the PIN?
Okay, now we try to think how do they do that? Try to think if this possible to happen in here, in Indonesia. Again, this is about Debit Card, not Credit Card.
Unfortunately, all of the criminal ware is same.
Those pic is Skimmer, or in formal that is a Card Reader/Writer. That thing can read the data on magnetic-stripe card, then write the data again in a new plastic. Yes, for the thief, the function of this thing is : duplicate the card. It can save so many big data, then can be downloaded on PC via serial. The price is around $600, and the size is handful hand only. (Huh, if I remember this tool, I worried if I pay the transaction in Restaurant with Credit Card.)
So, they can duplicate the card. And in the night, after they work all day along on cashier, they can dump all of the data to the Notebook/Laptop, write the magnetic-stripe to the new card, run to the closest pavilion, put the fake card to the ATM Machine, then wait, they need to change the PIN.
Now, what is the data in that magnetic-stripe?
For the people who don’t know what is the data inside the magnetic-stripe. Magnetic-stripe is like a stereo cassette, material ferromagnetic than can be use to save the data (voice, picture, or bit-bit biner ). For the card it has 3 data track. (Why 3? Because of the standard from ANSI/ISO). Track 1 and Track 2 usually use. Track 3 formerly allocated for extended service, but the service is not show up so people not use this track.
It can work only on Credit Card and ATM Machine. (Can be different on Absent Card in Office) for example : if we extract the data, for example we use that skimmer, we can see the information like this on the VISA Card :
Is it appear for you? For example : % in the beginning and ? in the end of track 1, it shows Start Code and End Code. Font “B” show the Format Code, that is the “Bank Card”. 1111222233334444 is the card number. LASTNAME/FIRSTNAME explained itself. 9912 is the expiration date, 12/99. And 101 and so on is a special data. So, for this Credit Card, with skimmer in the amount of Handphone Nokia 9 Series,the thief can shopping in the Internet.
But not such as a ATM card :
Similar with Credit Card right? The different is instead of 101, we have 1201 for a special data of our Bank. And the 4 digit ”xxxx”, it’s diferrent in every cards. On encrypted PIN?
But likely may simply, the PIN will not be save plainly on the card. ( Except the Bank is very stupid ). We are ever read on the formerly, the IBM Machines that our Banking Costumers using DES (or 3DES ) to determine PIN. Either way, to crack the DES it can’t be straight-forward and need a long time.
Then the question remains, where they get the PIN ?
- A week ago, VISA gives warning that the third party software that use in POS ( Point Of Sales ) the property of merchant that can be use to save the information of the card. If they can store the information of the card, they should can logging the Customer PIN too, right? This may be possible. The question : Is the software logging us?
- The second alternative, MITM (Man In The Middle )attack? If you familiar with master session scheme or DUPKT that many use in Card Machine Processor like Hypercom in Supermarket, I think it’s difficult. That can’t be direct to wiretap or like hear person talk on the phone. But there is person thatcan make the prototype device that can be use to Man In The Middle between the card and the terminal.
The device is sitting on that, it can listening the PIN, don’t care about what type of the smartcard that use chip ( like a new rule from Indonesian Bank that make a new sensation for another bank )
Okay friends, now you know how it works. Maybe we must keep a distance if we want to sopping use Debit Card.