A very interesting story about finding and hacking an ATM skimmer

CrimsonNagus

Hall of Fame
Jun 6, 2007
Montgomery, Alabama, United States
Scary stuff.

I can see it being even easier to capture a transaction from a phone pay app.

One thing I have gotten in the habit of doing is changing my PIN every month. Having a rotation of them based on something I can remember instead of just one makes me feel a little safer.
If you are talking about something like Apple Pay, then you are wrong. In fact, Apple Pay is probably more secure than actually using your card because the store never sees your actual cc number when using Apple Pay.

Here is a great article from Engadget describing the security in Apple Pay: http://www.engadget.com/2014/10/02/apple-pay-an-in-depth-look-at-whats-behind-the-secure-payment/

Here is Apple's security overview for Apple Pay: https://support.apple.com/en-us/HT203027

Engadget's Summary said:
While it remains to be seen if Apple Pay catches on with consumers, there should be no doubt that Apple Pay is an extremely safe way to make a credit card payment. In fact, it's likely much safer than how most users are currently making credit card payments today.

Remember that merchants in an Apple Pay transaction never have access to user credit card information and, as a result, users never have to worry about their information being compromised in a security breach. Further, security at the device level is effectively impenetrable as tokens, along with the encrypted keys responsible for the cryptogram, are all securely stored in the Secure Element.

And as an extra security precaution, iPhone owners will have the ability to unlink or temporarily suspend a token connected to a stolen device, thereby rendering Apple Pay inoperable until the device is retrieved.

So while the Apple Pay user experience has been set up to be impressively simple, there are a myriad of complex safety measures at work behind the scenes to help ensure that sensitive user data remains free from prying eyes. The use of token-based payments is something the banks have been pushing for and something the credit card networks are similarly excited for.

The only variable, really, is how consumers take to it. Safety, though, shouldn't be a concern.
This article and other documents published by Apple convinced me that Apple Pay was safe, safer than swiping a card, and I use it everywhere I can. I love knowing that the stores never see my card numbers or personal data, so if they are ever hacked I don't have to panic.

Here is another article, but it is a little more technical. It also mentions how Android Pay/Google Wallet are not as secure as Apple Pay (at least not when it was written; things may have changed): http://lifars.com/2015/01/what-sets-apple-pay-apart-other-mobile-wallets/

mittman

All-American
Jun 19, 2009
CrimsonNagus said:
If you are talking about something like Apple Pay, then you are wrong. In fact, Apple Pay is probably more secure than actually using your card because the store never sees your actual cc number when using Apple Pay.

...
I am very familiar with the technology and protections in place. I also have enough of a rudimentary understanding of the security, encryption and current authentication mechanisms. I don't doubt the security of the authentication and the storage. I also agree that it can be more secure than cards and PINs.

Bottom line is that you do not have to have the device to mimic a device. Capturing session data is half the problem. The other half does require a great deal of processing power, but someone will do it.

TIDE-HSV

Senior Administrator
Staff member
Oct 13, 1999
Huntsville, AL,USA
CrimsonNagus said:
If you are talking about something like Apple Pay, then you are wrong. In fact, Apple Pay is probably more secure than actually using your card because the store never sees your actual cc number when using Apple Pay.
The problem is that I don't have an iPhone and never will...

CrimsonNagus

mittman said:
Bottom line is that you do not have to have the device to mimic a device. Capturing session data is half the problem. The other half does require a great deal of processing power, but someone will do it.
Apple Pay would not work with a mimicked device. Apple Pay uses a secure element, which is a physical chip in the iPhone that does all the processing of a payment. The operating system doesn't even have access to the data stored on this chip. The only data passed between this chip and the OS is encrypted with AES-256 and includes a unique ID that changes each time you use Apple Pay. Any session data captured would be useless as far as Apple Pay is concerned, unless they get a hold of the secure element in your iPhone as well. The articles I linked to go over some of this.

In fact, your cc number is not even stored on the device. When you add a card to Apple Pay, it contacts the bank and a unique number is created to represent your card and linked to that secure element in the phone. A mimicked device wouldn't be able to process a transaction because the authentication keys wouldn't match without that chip. AES has been around since 2001 and hasn't been cracked, so a thief is not going to crack those keys. AES-256, according to security experts, would take a billion years to brute force.

Look, I get passionate about this because I think Apple Pay, or a similar system, is the way we will pay for stuff in the future. It is much more secure to use Apple Pay at Best Buy than swiping your card. Could someone find a way to compromise it in the future? Possibly, but credit cards have been compromised for decades and folks are still okay with using them. Folks with iPhones should also feel safe using Apple Pay.

I don't know anything about Android Pay security, so that could be a whole different ballgame.
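The post above (and the Engadget summary quoted earlier) describes three mechanisms: the merchant only ever sees a token standing in for the card number, the secure element holds a key the OS cannot read, and each payment carries a one-time cryptogram. The following is an added illustration written for this page, not code from the thread, from Apple, or from any payment network. It is a deliberately simplified model: the issuer is an in-memory dict, the device key is handed over directly instead of being derived through a key hierarchy, HMAC-SHA256 stands in for the EMV-style cryptogram, and all names (provision_token, SecureElement, issuer_authorize) and the test card number are constructed. It shows why a captured session is useless on replay and why a cloned "device" that knows the token but not the chip's key is declined.

```python
"""Tokenised payment with a per-transaction cryptogram (simplified model).

Constructed example for illustration. Keys are shared directly, HMAC-SHA256
stands in for the EMV-style cryptogram, and the issuer is an in-memory dict.
Real token service providers derive keys hierarchically and use different
MAC constructions; the structure of the checks is what matters here.
"""
import hashlib
import hmac
import secrets

# Issuer-side token vault: Device Account Number (DAN) -> record
ISSUER_TOKENS = {}


def _tx_bytes(dan: str, atc: int, amount: int, merchant: str, nonce: bytes) -> bytes:
    """Canonical byte string the cryptogram is computed over."""
    return f"{dan}|{atc}|{amount}|{merchant}|".encode() + nonce


def provision_token(pan: str) -> tuple[str, bytes]:
    """Issuer side of 'adding a card': mint a DAN that represents the real PAN
    and a device-specific key. Only the DAN and key go to the secure element;
    the PAN stays with the issuer."""
    dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
    key = secrets.token_bytes(32)
    ISSUER_TOKENS[dan] = {"pan": pan, "key": key, "last_atc": 0}
    return dan, key


class SecureElement:
    """Models the tamper-resistant chip: it holds the key, never exports it,
    and only returns a cryptogram bound to the transaction it was asked to sign."""

    def __init__(self, dan: str, key: bytes):
        self._dan = dan
        self._key = key
        self._atc = 0  # Application Transaction Counter, strictly increasing

    def make_cryptogram(self, amount_cents: int, merchant_id: str, terminal_nonce: bytes) -> dict:
        self._atc += 1
        msg = _tx_bytes(self._dan, self._atc, amount_cents, merchant_id, terminal_nonce)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        # This is everything the merchant/terminal ever sees: no PAN, no key.
        return {"dan": self._dan, "atc": self._atc, "amount": amount_cents,
                "merchant": merchant_id, "nonce": terminal_nonce, "cryptogram": mac}


def issuer_authorize(tx: dict, expected_nonce: bytes) -> str:
    """Issuer verification: the DAN must be provisioned, the terminal nonce must
    match, the cryptogram must verify over the exact fields, and the ATC must
    be fresh so a captured message cannot be replayed."""
    rec = ISSUER_TOKENS.get(tx["dan"])
    if rec is None:
        return "DECLINED: unknown token"
    if tx["nonce"] != expected_nonce:
        return "DECLINED: nonce mismatch"
    msg = _tx_bytes(tx["dan"], tx["atc"], tx["amount"], tx["merchant"], tx["nonce"])
    expected = hmac.new(rec["key"], msg, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tx["cryptogram"]):
        return "DECLINED: bad cryptogram"
    if tx["atc"] <= rec["last_atc"]:
        return "DECLINED: replayed ATC"
    rec["last_atc"] = tx["atc"]
    return "APPROVED"


def run_scenarios() -> dict:
    """Constructed walk-through: genuine tap, verbatim replay of the captured
    session, tampered amount, a clone that knows the DAN but not the key,
    and a second genuine tap."""
    pan = "4111111111111111"  # constructed test PAN
    dan, key = provision_token(pan)
    phone = SecureElement(dan, key)
    results = {}

    nonce = secrets.token_bytes(4)  # terminal's unpredictable number
    tx = phone.make_cryptogram(1999, "BESTBUY-0042", nonce)
    results["merchant_sees_pan"] = pan in str(tx)  # only the DAN travels
    results["genuine"] = issuer_authorize(tx, nonce)

    # Attacker captured the whole session and re-submits it unchanged
    results["replay"] = issuer_authorize(dict(tx), nonce)

    # Attacker edits the amount in the captured message
    results["tampered"] = issuer_authorize(dict(tx, amount=1), nonce)

    # "Mimicked device": right DAN and message format, but no access to the SE key
    clone = SecureElement(dan, secrets.token_bytes(32))
    nonce2 = secrets.token_bytes(4)
    results["clone"] = issuer_authorize(clone.make_cryptogram(500, "SHOP-7", nonce2), nonce2)

    # The real phone keeps working because its ATC has advanced
    nonce3 = secrets.token_bytes(4)
    results["second_genuine"] = issuer_authorize(phone.make_cryptogram(500, "SHOP-7", nonce3), nonce3)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

The order of the checks is deliberate: the cryptogram is verified before the counter is consulted, so a forged message never advances the issuer's view of the ATC, and the terminal nonce is bound into the MAC so a cryptogram harvested at one terminal cannot be presented at another. What the model does not cover is the point mittman raises next: none of these checks help if an attacker can extract the key from the chip itself.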

mittman

CrimsonNagus said:
Apple Pay would not work with a mimicked device. Apple Pay uses a secure element, which is a physical chip in the iPhone that does all the processing of a payment. The operating system doesn't even have access to the data stored on this chip. The only data passed between this chip and the OS is encrypted with AES-256 and includes a unique ID that changes each time you use Apple Pay. Any session data captured would be useless as far as Apple Pay is concerned, unless they get a hold of the secure element in your iPhone as well. The articles I linked to go over some of this.

In fact, your cc number is not even stored on the device. When you add a card to Apple Pay, it contacts the bank and a unique number is created to represent your card and linked to that secure element in the phone. A mimicked device wouldn't be able to process a transaction because the authentication keys wouldn't match without that chip. AES has been around since 2001 and hasn't been cracked, so a thief is not going to crack those keys. AES-256, according to security experts, would take a billion years to brute force.

Look, I get passionate about this because I think Apple Pay, or a similar system, is the way we will pay for stuff in the future. It is much more secure to use Apple Pay at Best Buy than swiping your card. Could someone find a way to compromise it in the future? Possibly, but credit cards have been compromised for decades and folks are still okay with using them. Folks with iPhones should also feel safe using Apple Pay.

I don't know anything about Android Pay security, so that could be a whole different ballgame.
Again, I get all of that and am familiar with everything you are saying. Yes, under current MPS, brute-force cracking AES-256 is infeasible. That does not give me ANY comfort. I know and have seen enough to NEVER accept that a physical chip could not be duplicated, and that a device could NEVER be mimicked. Being familiar with the lengths people (and nation states, for that matter) take makes me more cautious than not.

That said, I do not have a problem with people using that mode if they are comfortable with it. I am no technophobe (I can't stand 'phobe' words, btw). You will not see me shouting from the rooftops that Apple Pay is dangerous, or that you are dumb to use it. However, I will not be using it. I rarely use Apple products anyway. Where I do have a problem is when those that believe in it push for policies where we do away with other modes, ESPECIALLY cash. This is a different topic altogether, but we need to preserve a ready means of making anonymous and offline transactions.