Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Security The Almighty Buck Technology

Russian POS Pickpocket Generates New Interest In RFID-Blocking Wallets (thestack.com) 109

An anonymous reader writes: A Facebook post depicting a man apparently stealing from commuters by tapping a POS reader against them unobserved on public transport caused a sensation on Facebook before being removed earlier today. The provenance of the photo is uncertain, but unnamed authorities have said that it was taken in Russia. Since this type of opportunistic street theft requires a merchant business account through which any transactions would be easily traceable, the question arises as to how such acts of fraud are being made profitable. Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security.
This discussion has been archived. No new comments can be posted.

Russian POS Pickpocket Generates New Interest In RFID-Blocking Wallets

Comments Filter:
  • Russian POS? (Score:4, Insightful)

    by Anonymous Coward on Thursday February 18, 2016 @08:48AM (#51534011)

    A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.

    • by Bob_Who ( 926234 )

      A Russian piece of shit pickpocket? No need for attacking other countries today.... all pickpockets are pieces of shit.

      Point of Sale.... piece of shit, that is.

      • What a great idea! Invent a technology that makes theft easier. We've got DHS saying it's to protect children, and hinder the terrorists. Mean while, on the other side of the ponds, we hear the excuse of it's just the way we do commerce over here. What's amazing is that this weakness has been known for over 20 years. I remember when this shit came out in the early 1990's, others could remote read these chips then. What next? There's a App for that?
    • Forget RFID blocking wallets I want RFID blocking trousers to go with my tin foil hat!
    • Every time I see POS I think the same thing. Then again, most software systems are really a piece of shit.
      • by Punko ( 784684 )
        Every time I see POS and wonder how player owned stations from Eve Online have anything to do with the matter at hand
  • RFID (Score:5, Insightful)

    by NotInHere ( 3654617 ) on Thursday February 18, 2016 @08:54AM (#51534031)

    who said this is a good idea the first place?

    Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.

    • by mwvdlee ( 775178 )

      Banks, store owners, governments... pretty much anybody who isn't on the paying end of RFID.

      Count of hands... who here did NOT see this coming?

      • Can one *pop* the RFID chips in ones cards with a quick trip in the microwave...10-15 seconds to blow the chip, but not harm the plastic card?
        • by bhv ( 178640 )

          The local Walmart's card slide reader won't even read the strip on chipped cards. They only work in the chip slot. I don't know if the teller has some sort of override available, maybe.

          If it's at Wally World it will be everywhere eventually.

      • Banks, store owners, governments... pretty much anybody who isn't on the paying end of RFID.

        Count of hands... who here did NOT see this coming?

        The bank / store owners eat the payment errors, not the user. If they think it's a good idea and will take the risk then presumably they think it is secure enough.

        • by mwvdlee ( 775178 )

          As a user you have to spot the error and report it. If the amount of money stolen is small enough, you likely won't notice.

          They eat the error only AFTER damage has been done.
          It's little consolation if you get your money back after a few months, meanwhile being unable to make purchases.
          Lots of people life on a budget that fluctuates around zero.
          Correcting a mistake afterwards is not the same as now allowing mistakes in the first place.

          It's like being the victim of burglary; the insurance company will "eat th

          • 1. One (or maybe two) person needs to notice this type of crime to reverse all the charges. Once they;ve identified a dodgy actor the whole account is stopped.
            2. If the amount is so small that you dont notice chances are you're not on the edge
            3. It takes one phone call and the charge is immediately reversed.
            4. The amount you can take contactless is limited to relatively small, I think it's less than £20.
            5. (most importantly) This system is already in widespread use. You're not critiquing a probable fu

            • by DarenN ( 411219 )

              The odder thing about this is kind of attempted fraud is the question - where does the money go?
              It can't go to an arbitrary account because the POS device is tied to a merchant. You need a merchant account at the bank (you can't just use your retail account for this). So the first time this is noticed, everyone involved should be trivially identifiable. The money HAS to go through the merchant's account.

              • Yeah, this is why it's the stupidest fraud possible. It *will* get noticed and the person is easy to track down.

                • Depending on how hard it is to set up that merchant account they can do the same thing that is done with other similar crimes. Hire some person in need of money to set up the merchant account, funnel the money through that account and then leave that person holding the proverbial bag while the real criminals are far away by the time law enforcement tracks down the merchant account owner.
    • Re: RFID (Score:2, Insightful)

      by Anonymous Coward

      That is the new standard coming to the us. All other countries that have it, say it is more secure. The change in law, made the business eat any other false charges. Not the credit card company. I expect to see fewer cards accepted by businesses as the false positives aggregate. After all, pay five ormore percent per transaction, and nothing for it? Or cash, check, with a 1% surcharge? Interesting. Or maybe a business could go back to a customer loyalty card, and start rewarding their customers instead of t

    • Actually this kind of protection (confirmation, fingerprint swipe, lock pattern, etc) are already used with NFC payments.

      My Galaxy Note requires it for contactless purchases.

    • Re:RFID (Score:4, Insightful)

      by AmiMoJo ( 196126 ) on Thursday February 18, 2016 @09:22AM (#51534173) Homepage Journal

      The story is bullshit.

      Look at the photo in TFA. The item in the guys hand is clearly not what they think it is. It's a phone. The button colours and shape don't match the POS terminal depicted.

      In any case, even if it was real, it would be a really, really dumb way to steal money. For the POS terminal to work, you have to have an account set up. That means vetting (okay, might be weak in Russia) and a paper trail. The money has to go into an account somewhere. That's why you don't see many "fallen off a lorry" scammers using POS terminals.

      • Re:RFID (Score:4, Informative)

        by rjforster ( 2130 ) on Thursday February 18, 2016 @10:36AM (#51534705) Journal

        Nope. The object in his hand looks just like the contactless payment (combined with chip and pin) devices that are all over the place (in the UK anyway). Granted it doesn't look like the telepower device on the right side of the picture but certainly DOES look like a contactless payment device.

        This doesn't rule out the story being BS for all the other reasons you give like needing to be tied to a traceable account...

        • by mjwx ( 966435 )

          Nope. The object in his hand looks just like the contactless payment (combined with chip and pin) devices that are all over the place (in the UK anyway). Granted it doesn't look like the telepower device on the right side of the picture but certainly DOES look like a contactless payment device.

          This doesn't rule out the story being BS for all the other reasons you give like needing to be tied to a traceable account...

          You dont need a card reader, you just need any NFC enabled device. Here's an app for any NFC enabled Android phone that reads card information [google.com], its censored because it's a demonstration, but the source code is available, or you could just follow the spec's available on Visa and Mastercards websites.

          The problem is that the information sent wirelessly isn't unique to contactless payment schemes. In fact it's everything on the front of your card (name, exp date and card number) which is all you need to make

          • by DarenN ( 411219 )

            The problem is that the information sent wirelessly isn't unique to contactless payment schemes. In fact it's everything on the front of your card (name, exp date and card number) which is all you need to make online transactions. So walking around a shopping centre with an antenna is an ideal way to anonymously collect card numbers.

            This, while true, is also mostly irrelevant The NFC card will still generate an ARQC that uniquely validates the transaction based on a key present on the chip which the attacker cannot gain without gaining the card.
            The data can only be used online if the attacker has the CVV2 from the back of the card, which is never transmitted.
            That card could be cloned and used via magnetic stripe but again you don't have the CVV1 (which is on the magnetic stripe and won't be transmitted via NFC because it uses another v

      • Please google "Pine Labs' iWL220", and compare to the picture from the subway. It's a GPRS-enabled POS-device.
        Look familiar? Being a Daily Mail story should put up a red flag, "may contain shitty editing and journalism".

        But yeah, getting such a setup probably isn't hard in Russia, using a fake identity and then shifting money around accounts.

        • by AmiMoJo ( 196126 )

          It's not an iWL220, the body colour and buttons below the screen are different. The buttons below the screen are the standard up/down scroll buttons on Nokia-clone brick phones.

          Well, okay, to be fair the photo is crap so we can't be 100% sure either way.

      • The item in the guys hand is clearly not what they think it is. It's a phone.

        Right, one of those phones with red, yellow, and green buttons on the bottom that I see everyone carrying.

    • Re:RFID (Score:4, Interesting)

      by wvmarle ( 1070040 ) on Thursday February 18, 2016 @09:38AM (#51534289)

      I've been using contactless payments for well over a decade now, and I love it. All buses, minibuses, trams, trains, ferries in Hong Kong take the contactless Octopus card for payment. No fuss with exact change (buses don't give change) or buying single ride tickets. Just swipe and move on, payment done in a fraction of a second. Use them for small payments in convenience stores and supermarkets, vending machines, etc. Many car parks are Octopus-only even.

      I have also never heard about any (large scale) fraud with these cards. I really don't know the ins and outs on how fraud is prevented, but obviously it works well. These cards were introduced some 20 years ago and pretty much everyone has one. There have been several technology upgrades which all have been seamless from the user pov.

      So I really can't say they're dumb. They're awesome. Wouldn't want it otherwise, it's just too big a big PITA to have to deal with all those small payments in cash.

      • Um, almost every city with mass transit has something like the Octopus. That isn't what this article is about. They are talking about credit cards.
        • OP was talking about "contactless payments" in general. That's what I responded to - just to show that it can work, and can work really well and securely.

      • by AmiMoJo ( 196126 )

        The reason there isn't much fraud is that to receive the money you have to have a merchant account. Getting a merchant account means going through various security checks. There is a big paper trail so the risk of being caught if very high. Much easier to just steal cash or card details to be used online.

        It's worth noting that there are two separate systems in use here. You have stored value cards that you load up and they store the current balance. They are commonly used on public transport systems (Suica/

        • Octopus is stored value - which may be linked to a credit card for automatic recharges.

          Other possible forms of fraud would be to change the balance on the card (and travel for free) or to create fake cards altogether. None seems to happen.

      • by unrtst ( 777550 )

        I really don't know the ins and outs on how fraud is prevented, ...

        Awesome.

        So I really can't say they're dumb.

        Nor can you say they're smart, since you (admittedly) have no idea what you're talking about.

        it's just too big a big PITA to have to deal with all those small payments in cash.

        This has NOTHING to do with the questions at hand. Contactless versus something-that-requires-contact-or-verification. Mag stripes would fulfill your requirements.

        Skimming a contactless card via RFID can (more-or-less**) obtain all the same information they would get from swiping the mag stripe, but they don't need to touch your card. That is one of the larger problems with that setup.

        Please note, this has l

        • You obviously don't know what you're talking about, at all. At least I admit I don't know HOW fraud is prevented, but I do know THAT IT IS prevented.

          Magnetic strips (as indeed used before the contactless) is too slow and cumbersome. Way too slow. Now I walk through the gate without stopping, instead of having to stop and fiddle with the card. Instead I just leave it in my wallet and swipe the whole thing (or what others do is swiping a hand bag, or mobile phone pouch, or a watch with built-in Octopus chip,

      • by mjwx ( 966435 )

        I have also never heard about any (large scale) fraud with these cards.

        Thats because a single standard has never been widely deployed. Nor has it had direct access to credit card numbers.

        Paypaas/wave are the same the world over. Unlike Oyster/Octopus and other schemes that use a GUID as an identifier, Paypass/wave use the card number, name and expiry date... So basically everything you need to make transactions on the internet. Theives are not interested in making $30 transactions in person (that's a

    • But.... but... the convenience! My freedom for CONVENIENCE!

    • Hate to break it to you but this system has been in wide use for years now without any real issues - the bank takes the risk because they know that anyone taking payments has to have a merchant account and are tracable if they start acting up. It's a very stupid criminal that tries to steal this way, it's doomed to end in trouble for them.

    • "Contact-less payments are dumb, and lead to precisely this kind of abuse. "

      Obligatory Fanboy Neener: If you're going to carry around a contactless payment device, make sure it's one that requires a fingerprint for authorization and that not even the FBI and the NSA can hack.

    • by mjwx ( 966435 )

      who said this is a good idea the first place?

      Contact-less payments are dumb, and lead to precisely this kind of abuse. I mean it could be a simple confirmation, a single swipe on the screen or something (when talking about smartphone based payments). And contact-less keys can simply have a button you have to press before unlocking.

      If contactless payments were using a unique GUID just for contactless then it would merely be dumb.

      However it actually sends your card number, expiry date and name (everything on the front of the card and all you need to start making transactions online) so it's actually the heir to the throne of the kingdom of stupid.

      In a few years, contactless will be a thing of the past because the cost of fraud will be so high they'll be forced to replace everyone's card.

      The whole contactless thing originated w

  • Contactless cards: how to avoid paying twice
    "Credit cards that you simply wave at a reader save time and are a boon for visitors to London. But they can also raid your bank account invisibly" (11 Nov 2014)
    http://www.telegraph.co.uk/fin... [telegraph.co.uk]
    or from slashdot back in 2012 "Android App Lets You Steal Contactless Credit Card Data" (June 21, 2012 )
    http://it.slashdot.org/story/1... [slashdot.org]
    Whats the new news AC? The risks of some of the newer cards and bank services have been in the tech media for years and been rep
    • Re:Whats the news? (Score:4, Insightful)

      by Anonymous Coward on Thursday February 18, 2016 @09:22AM (#51534175)

      You brought up something that's been troubling me: this increasing desire by business to make all too easy for paying without thought. They want people impulse buy. Apple is the biggest offender. In order to create an Apple ID on an IOS device you must give a payment method - you have to use a desktop system via the web to create an ID without a payment option. Why? They want people to impulse buy songs and apps.

      Roku does the same thing "for your convenience". I had their customer no-service people waive that requirement after having to listen to their bullshit how it's for "my convenience". It's idiotic that I even have to create an account with them to use the fucking thing since the streaming goes direct to the content provider.

      And of course, if there's a mistaken billing or fraudulent (many channels on Roku's service say they're free by when you click on them, a message pops up saying that they are charging me - it's a great thing I did not give them my payment information!!), good luck getting the money back.

      And unlike cash when you lose it, you just lost that, these electronic payment systems allow for thieves to clear you out and it takes weeks to get your money back or in the case of a credit card, you will find yourself SOL in case you're traveling.

      Until the financial services industry cleans up it's act, these types of payment systems shouldn't be allowed or forced on us.

    • Comment removed based on user account deletion
  • by EmperorOfCanada ( 1332175 ) on Thursday February 18, 2016 @09:10AM (#51534109)
    This attack is actually quite easy. The "Pickpocket" has one end of a transmitter not a POS system. The other end of the transmitter is waiting at cashier to make a payment. Effectively the system is fantastically dumb, just relaying the transaction requests back and fourth between the the checkout and the person's card.

    The "getaway" is that they are leaving with the goods. If the store doesn't get paid, it doesn't matter.

    This completely end runs the entire smart card encryption and every other security measure on the card. It is just a pair of repeaters that are extending the range of the card from 3cm to potentially miles.

    I suspect that there are timeouts on the cards but if the repeaters don't induce much lag the speed of light should not add much. Still, depending on how generous these timeouts have been set, it may be possible to fire these signals through an LTE pair of phones giving the pickpockets an international range.

    In theory a pickpocket could be having the signals relayed in a nice message queue fashion to a series of people waiting at automated checkouts. So the pickpocket could walk down a train while a small group of purchasers ring transaction after transaction through. Assuming a $100 limit per purchase not only could the pickpocket feed an easy 20 cards from a single train, but he could wait a few minutes before returning for a second pass down the train making it appear that the users were making a second purchase, and then a third and a fourth.

    Doing the math that could net $2,000 per pass with maybe 3 possible passes before the pinless swipe limit were hit.

    Then step out and do the next train car. Now we are looking at no less than $10,000 in goods per hour during rush hour.

    This is assuming that it isn't one long train. If it is a train where you can walk the length of a crowded train it could potentially be 100 cards in a single run if the queuing system is properly organized.

    When I first saw someone swipe a card without a pin this scheme popped into my head. I have just been waiting the years since for it to become public.

    I suspect the fix won't be that easy because merely being less generous with the timeouts will probably exceed the capabilities of many cards and many machines, causing them to become unreliable.
    • by Gr8Apes ( 679165 )
      The solution is even easier - require a PIN.
    • by AmiMoJo ( 196126 )

      This has been demonstrated with mobile phones that have NFC, reading cards in the US and making transactions in the UK.

    • by Anonymous Coward

      It's actually really difficult to run relay attacks over any kind of distance due to latency. There's a few papers on it, I found one with a brief google: https://eprint.iacr.org/2010/228.pdf [iacr.org]. The technology they used was Bluetooth, they considered and discarded SMS and GPRS/3G as having too high a latency to meet the NFC spec.

      Australian banks rolled out contactless payments years ago, there's been concern on and off since, but no major incidents reported. The kind of attack pictured in the photoshopped art

      • They will make money if they are making actual purchases. Holding my bag against someone's pocket for 2-3 seconds wouldn't be hard in a crowded train. Also my entire bag could be one huge pickup or set up pickups. The multiple card issue would certainly be a problem except that I could see some really good hackers actually doing a better job of reading cards than then original designers; plus the thief could have his hardware give him a red light and he would move on. Also bluetooth sucks when it comes to l
  • by OzPeter ( 195038 ) on Thursday February 18, 2016 @09:17AM (#51534143)

    I was in Australia over Christmas with my brand spanking new USA based credit cards (from major bank and CC companies) .. which have barely have chips in them. I was buying some stuff in a shop one day and handed over my credit card and the assistant took my card, looked at it, paused for a second and then finally said with an incredulous tone .. "Oh .. I have to swipe this, don't I".

    Talk about an abject lesson in how backwards my CC was.

  • It must be good because it saves Joe Dumbfuck from having to remember his PIN and spending 5 secs entering it!

    Seriously , if the banks and stores had suddenly suggested bring out a system whereby you just shove your card in the slot but don't need to bother to enter your PIN any more for the shop syphons off your cash there would have been an outcry. But because its contactless - Oooo! Magic! - no one seems to Get It.

  • Those tap transactions are insane, I disabled that functionality on all my cards the moment I found out that it became possible to tap my debit cars and have money taken from my debit account. Had to call the banks for that.

    As to how this guy does it, I don't know for sure, if I was doing it I suppose I would use stolen merchant accounts to run purchase transactions that would end up buying bitcoins or something, cannot come up with anything better on the spot, I have to deal with merchant accounts and pay

    • An idea from a few posts above:

      His co-conspirator is in a store about to pay for something. Their phones are linked to relay the RFID communications from the POS terminal between them. The terminal thinks it's communicating with the phone (or a modified card, linked to a phone) in the shopper's hand, but it's actually communicating with a card at a remote location.

      I have no idea if this would actually work. I would hope that the terminals at least enforce a minimum communication time delay but there probabl

  • by mykepredko ( 40154 ) on Thursday February 18, 2016 @09:31AM (#51534235) Homepage

    When I first read the headline it was "Russian Piece of Shit Pickpocket Generates Interest in RFID-Blocking Wallets"

    I know it's "Point of Sale", but too many years of experience with the other version of the acronym has conditioned me to read it a certain way with often, as in this case, coming up with a different interpretation of a statement.

    • by Anonymous Coward

      If you've ever worked on "Point of Sale" software you'll know that there really is no difference.

    • When I started working in the head office of a supermarket chain the first few meetings were quite confusing with the bullet point presentation mentioning POS transactions etc. :D

    • Sure, why not, how about Payment Integration Terminal Apparatus?

  • Swiping a little piece of plastic to get my big gulp and bag of funyums is just too difficult and time-consuming for me. Thank god these benevolent companies have given me a way I can save 0.8 seconds in my important, busy day. Because you know, all those little 0.8 seconds whenever I want to buy something in my day add up and drain my life away. Why, if you add up all the time I waste by having to swipe my card, it could add up to as much as maybe three or four seconds a day.

    Now excuse me while I go che

  • I'm here to help you.

  • Correlation (Score:4, Informative)

    by Thanshin ( 1188877 ) on Thursday February 18, 2016 @09:38AM (#51534287)

    "the question arises as to how such acts of fraud are being made profitable."
    "Comments on the matter have brought up anew the topic of RFID-blocking wallets as necessary everyday security."

    Seriously? You weren't able to see that relation?

    Read your own text slowly. This time, try to think while you read.

    Ok. I'm not sure you'll manage it. Let's try a simpler with the key words in bold:
    "OMG! How will anyone make a profit out of this?!" followed by "It's time to buy an RFID-blocking wallet!"

  • Saw these a lot since around 2009 in Japan.

  • easy. set up a company and a merchant account with the passport data of some homeless guy or from a stolen passport (takes only a few days), grab as much money as you can and disappear.

    this is how most russian scams are operated.

  • I never understood the "need" for contactless payments....is it so hard to buy stuff without pressing a confirmation button? Do you buy so much stuff that the time saved not pressing a button or whatever would really benefit you?

    Seriously, I never understood this...yes, I know that at its heart it's meant to make it easier to buy something in the hopes that you'll buy more useless shit, but do people really see this as some truly beneficial feature?

    • The credit card companies are pushing this. The easier you make credit card transactions, the more of them will be made, and the more money the credit card companies will make. It is worth the increase in fraud as the increase in transactions outwiegh the increase in fraudulent refunds.
    • Sure, it is a benefit, (clearly, arguable how big it is but it's obviously easier) and since the risk isn't on your end, it's with the banks why should you care?

      The payment-taker has to have a merchant account so as soon as they are caught, all the payments are reversed, and then boys are sent around his house to sort-'im-out. There is minimal risk and this has been running quite successfully in EU countries for *years* now.

  • Why aren't standard wallets RFID blocking now? I got snagged on an out of state trip around 3 or 4 years ago. I don't know exactly how, but I assume it was someone with a scanner in the TSA line at the airport. Ever since I used one of those hard plastic RFID blocking wallets when I travel or go somewhere with long security lines. A few months ago I switched to an everyday leather RFID blocking wallet. I got one from Hammer Anvil on Amazon, but there's other brands out there too. The thing is smaller

  • Look, I know pickpockets are not the nicest of people--they are petty criminals, after all--but to call them a POS is a bit harsh, isn't it?

  • For phones, at least they require some kind of authentication first. Don't chip & PIN cards require at least the PIN?

  • My Global Entry card came in a foil-lined envelope (like this [quoracdn.net]) that says on the outside, "Protect your card's sensitive electronics -- and your privacy. Keep the card in this sleeve when not in use." If the US Gov't thinks a Global Entry card could potentially be sniffed from a similar vector, why think this would be much different?
  • It's a bit naive to think "but there is an obstacle so it wouldn't work" this scam https://fakeletters.org/job-of... [fakeletters.org] has been used to get victims to sign up for an easily traceable merchant account in the past. Why would it not be used by a piece of shit with a POS?
  • The last wallet I bought claims to block RFID. I tested it at work and found that it blocked the POS reader in the coffee bar, but not the entry card reader on the door, which doesn't exactly inspire confidence. Perhaps the sort of low-powered device 'pickpockets' are likely to use would also be blocked, but there's no way to be sure. Do the manufacturers actually test these things?

  • I tried a few of those RFID blocking wallets, and although they block the signals and are cheap, they're still poorly made. The one I settled on has been tested by a few independent labs, and is every bit as high quality leather as my old wallet - yet has a faraday cage built into it. From the few basic tests I've been able to do on my own, it seems to do what it's marketed to do. http://silent-pocket.com/colle... [silent-pocket.com]
  • TFA claims that "one in three payments made in London are contact-less" ; I can only think that they get that number by counting every use of the "Oyster" card on the underground and buses. (I don't live in London and avoid the place if at all possible, but I don't think that there is any other use for this card.

    One of my banks sent me a contactless card last year. But that's OK, because that account I only ever use for online purchases, and the card never leaves the living room. I'm not even sure how you

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...