Hard News by Russell Brown

Read Post

Hard News: A bigger breach?

112 Responses

First ←Older Page 1 2 3 4 5 Newer→ Last

  • Tracey,

    I'm guessing that in addition to your security number they will have changed your expiry date, which you do need to use your card on most sites.

    Westside • Since Nov 2009 • 3 posts Report

  • slarty,

    Personally for small-value transactions I'd prefer no PIN... less chance of disclosure. It's mainly there for contract, not security purposes!

    NZ has pretty much the lowest CC fraud rate in the world (it's 1/3 of that in Australia - but my info is a couple of years old). It's because we are quite unusual in a) only having 2 EFT switch networks and b) we've been real-time for a long time (many countries "batch" their CC transactions and process them overnight).

    Like I say, I have no qualms using my card in NZ. But when I go overseas I order a new card in advance, use that while I'm travelling and destroy it when I get back. My bank does this for nothing. A good alternative is the stored value cards (but they can be expensive...)

    And yes, a bit of common sense online is good! Visa, MC or the PCI site all have good, simple tutorials on what to look for...

    [H-T RB!]

    Since Nov 2006 • 290 posts Report

  • Idiot Savant,

    Isn't just assumed that John Key is personally responsible for everything even slightly crappy that has ever happened in the whole wide 'verse since just before the extinction of the dinosaurs?

    Government is a blame sink. By being in power, you get to be responsible for everything. And that shoe goes on both feet.

    Palmerston North • Since Nov 2006 • 1717 posts Report

  • Andre Alessi,

    Slightly off track.
    The appropriately named 'Your Telecom' service from Telecom has been offline for a week.
    Security breaches ?

    I'd be highly surprised if it was anything like that, from what I understand it's heavily integrated with other services which are still up and running, and there's no way to get "free money" (or free services for that matter) from it.

    Much more likely to be an issue with an upgrade or change to the backend of the service that had to be rolled back, resulting in the shutdown until they could get things fixed. It wouldn't be a priority at this time of year, unfortunately.

    Devonport, New Zealand • Since Nov 2006 • 864 posts Report

  • Rowsell,

    I'm guessing that in addition to your security number they will have changed your expiry date, which you do need to use your card on most sites.

    Ahh very true. I knew there was some detail I was missing.

    Auckland • Since Nov 2009 • 4 posts Report

  • Tom Isaacson,

    I'm still not entirely sure why the parking machines needed to retain credit card numbers, but if there is a need then why aren't they stored in an encrypted format?

    I can see the need for legislation that forces any device that stores credit card details to encrypt the data to prevent this kind of theft in the future.

    Auckland • Since Nov 2009 • 3 posts Report

  • Rachel Prosser,

    To buy tickets just insert your credit card in this handy machine

    Same goes for baggage trollies at airports - $1US at I think LAX or JFK

    Christchurch • Since Mar 2008 • 228 posts Report

  • Gareth Ward,

    Teh wife and I share a credit card account, but strangely only hers has been replaced so far.
    Did a bit of a scan of the account this morning after I saw the story, charges all seem legit. Unfortunately. Although there was an ACCOUNT FEE of $100 - at first I thought that seemed dodge, then considered it's probably just Westpac thieving legitimately from me, rather than Serge the Nasty Belarussian.

    Auckland, NZ • Since Mar 2007 • 1727 posts Report

  • Steve Parks,

    I hear BNZ is phasing in card with a chip, hopefully that might reduce fraud. We seem to be late bringing in the chip cards here though.

    Yep. I'm pretty sure all banks will have to switch to chip cards, as the card schemes (VISA, MasterCard... not sure about Amex) are insisting on it.

    Wellington • Since May 2007 • 1165 posts Report

  • Thomas Johnson,

    I have been travelling in the USA for the last three weeks. I used the BART train system in SF and the Amtrak routes in and out of SF too. To buy tickets just insert your credit card in this handy machine. No authentication required. None. I think I remember doing this in Europe too.

    This is fairly common in the USA, including Subway stores and gas stations.

    I was dealing with my bank on the phone a couple of weeks ago, and they suggested getting a second credit card with a low limit to use for internet transactions and similar.

    Wellington • Since Oct 2007 • 98 posts Report

  • slarty,

    I'm still not entirely sure why the parking machines needed to retain credit card numbers, but if there is a need then why aren't they stored in an encrypted format?

    Like I say, the most insidious form of attack...

    All devices connected to the EFT network must comply with PCI DSS... so this is almost certainly an aggressive attack, not just someone picking up a few numbers...

    Since Nov 2006 • 290 posts Report

  • Matthew Poole,

    Most credit card companies proactively monitor for this sort of thing and suspend your card until you say it's OK to proceed.

    I had the experience a few months ago of making a very substantial purchase from the US, over the phone, and before the phone call to place the order had even been completed I already had my bank's security team calling my cellphone to confirm that the transaction was legit. Their systems are very quick at flagging abnormal transactions.

    Auckland • Since Mar 2007 • 4097 posts Report

  • Russell Brown,

    Something I haven't got around to sorting out: an email yesterday from Xbox Live flagging a problem with the credit card it's automatically billed to.

    The URL clicked through to billing.microsoft.com -- which, amazingly, came up with an invalid certificate and a warning that this might not be the real billing.microsoft.com.

    As far as I could see, it looked real, but I figured I'd sleep on it.

    Auckland • Since Nov 2006 • 22850 posts Report

  • Rik,

    Russell - for me billing.microsoft.com re-directs to login.live.com and has a VeriSign certificate issued to Microsoft valid from 16/6/9 to 17/6/10. Looks OK?

    Since Jun 2007 • 130 posts Report

  • Alastair Jamieson,

    It's not credit card fraud that bothers me so much as extortion - how can Westpac Visa justify a 1/2% interest rate increase - just in time for Christmas?

    Auckland • Since Jan 2007 • 99 posts Report

  • Steve Barnes,

    Isn't just assumed that John Key is personally responsible for everything even slightly crappy that has ever happened in the whole wide 'verse since just before the extinction of the dinosaurs?

    Nah. he's done nothing, nothing I tell you.

    The URL clicked through to billing.microsoft.com -- which, amazingly, came up with an invalid certificate and a warning that this might not be the real billing.microsoft.com.

    That sounds suspiciously like Phishing to me. The golden rule is never use the link in an eMail purporting to come from anything to do with Banking or any financial deals, if you do DON'T fill in any request for passwords, account numbers or, in fact, anything. Always go to the Banking site proper.

    Peria • Since Dec 2006 • 5521 posts Report

  • James Harton,

    Regarding storing CC numbers: Don't do it!
    It's pretty interesting really, OWASP has been saying it for 10 years, but people seem to think that devices that aren't connected to the internet are somehow safer or exempt from exploit.
    A lot of people seem to forget that these devices are actually in a hostile environment at all times, just like on the internet, but different from the internet these devices aren't as well monitored or maintained.
    From what I can tell the attack is much more likely to be a skimming attack as there's a lower barrier to entry. If, against all odds, it actually is a penetration and the device stores CC numbers in the clear then one would think the operator may be opening themselves to criminal negligence.

    Auckland • Since Nov 2007 • 51 posts Report

  • Paul Campbell,

    It may be that there was a machine or machines at a car park that were fitted with a fake stripe reader - we had reports of someone doing this to ATMs in NZ a few years back.

    Of course while the cards with chips are 'completely safe' - they can still be read by a fake stripe readers since they still have mag stripes.

    On a slightly different topic US credit card companies are currently canceling cards or raising interest rates through the roof - not because of a fraud scare but because of a change in the federal credit laws coming up in Feb that basically means they will not be allowed to increase the cost of credit card interest retroactively - for example if you got a low interest card at say 6% and you put $10,000 on it if they increase the rate to 10% that can only apply to new debt you build up after the rate change.

    Dunedin • Since Nov 2006 • 2623 posts Report

  • Rich of Observationz,

    I had to use Paypal the other day. Now I have a USD card with an NZ address, which their retarded system can't cope with. I didn't want to pay exchange fees, so I tried entering my NZ address - wouldn't work.

    Then I entered a random US address (in New York with the correct 10001 zip code). That worked! So clearly Paypal isn't doing billing address matching.

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • Rich of Observationz,

    For "standard" EFTPOS gear as used in stores, the system is fairly robust. The pinpad has to be sealed and tamperproof/evident, the EFTPOS unit musn't pass card numbers to the shop computers (which stops them cookieing card numbers as an alternative to loyalty cards, for instance).

    But it's possible that isn't the case on car park machines. I'm thinking that like most such units, these are credit card only and don't check PINs, which makes them one step lower in security requirements than a machine with PIN checking. If they are PIN-based true EFTPOS machines, then they have the potential to collect card details and PINs, which is a lot more serious as a miscreant could easily withdraw thousands through cash machines before the card is blocked.

    Back in Wellington • Since Nov 2006 • 5550 posts Report

  • Russell Brown,

    That sounds suspiciously like Phishing to me.

    That's what I wondered -- and why I'll come back and go through the front door of the MS site to the billing section.

    Auckland • Since Nov 2006 • 22850 posts Report

  • Lyndon Hood,

    I'm remind of a story from the UK where it looked like somebody had put malicious hardware into the card readers at the factory.

    Wellington • Since Nov 2006 • 1115 posts Report

  • Glenn Pearce,

    Anyone near Downtown know what brand the Parking machines are down there ?

    This mob DPS are the gold standard in NZ for CC payment integration with websites, devices and internal corporate systems.

    http://www.paymentexpress.com/partners/parking_vending.html

    I see they list Auckland City Council among their corporate clients as well as various parking machine vendors.

    God help us if the problem is someone getting into their database. I would hope it's some sort of skimming issue instead.

    Auckland • Since Feb 2007 • 504 posts Report

  • Glenn Pearce,

    Those parking machines probably use wireless connection to the internet. They'll will likely have GPRS card in them.

    Possibly a breach in there ?

    Auckland • Since Feb 2007 • 504 posts Report

  • Gareth Ward,

    So here's a little something that amazed me the other day - if you want to run a merchant account for online payments from overseas (edited to add) in this country, you HAVE to do it with BNZ, you have no choice. Anyone understand different to that?
    Because it gives BNZ a pretty damn significant advantage in the "new economy" when anyone doing business online has to bank with them?

    Auckland, NZ • Since Mar 2007 • 1727 posts Report

First ←Older Page 1 2 3 4 5 Newer→ Last

Post your response…

This topic is closed.