Coin - copying credit cards for dummies


pmbug



https://onlycoin.com/

I'm never paying with my credit card again in a restaurant or similar venue where someone walks away (out of sight) with my card. Paying at the register only.
 
Well, security via obscurity strikes again (and again). A virtually identical device was shown in the movie Fast 5, FWIW - to clone a door lock card just as easily and quickly. It's only a bit of magtape, readers/writers are common (you can buy dev kits cheap at the electronics houses). Whether intentional or not, the format of the tracks on the mag stripe is public knowledge and has been for a while.

At least this makes the ridiculous attack surface of a card more obvious, but the flaw was always there.

What scares me just as much...they can do this with the mag ink on checks as well, and essentially use them as debit cards. A few places I deal with have check readers. Pretty much the same attack surface, too - perhaps a little more diddling is required via an inkjet if you really want to clean someone out. A cashier could simply increment the check number...

And with either debit or check e-transfer - you can just ding them over and over till one bounces, so you don't have to know the accnt balance. And there is no buyer protection or challenge process for either debit cards or checks, unless you're real tight with your local bank. Forget the big banks, of course.

Really, the only thing that has saved us so far, is that guys like me who can do stuff like that (and have been able to for a very long time), have morals. It's what I call the martial arts effect. By the time you're really good, you don't go around starting fights anymore because you know you have nothing to prove.

And you realize, this is a lot of work. To steal via this mechanism, you have to either buy stuff and fence it - work, and possibly getting caught on one side or the other if someone reports the card stolen before you find out - or xfer the money.

And now we know, CIA is monitoring all monetary transfers of any size...so they'll know who stole it, but will probably have national security reasons not to tell the cops (we don't want to reveal we know etc etc, ad nauseam).

Edit:
Bruce Schneier has talked about this in another light, which is relevant. See, the card co's have no incentive to be secure as long as they can externalize the fraud cost via transaction fees, chargebacks, and so on. They are incentivised to not care, instead - they still get their transaction fees, interest, and so on no matter what. Till we change that, you won't see anything like a secure system. Why should they?
 
...
Really, the only thing that has saved us so far, is that guys like me who can do stuff like that ...

The problem with a device like Coin is that it makes it easy for the masses. In any large pool of relatively low income earning people, there are bound to be a few opportunists with loose morals/scruples.
 
The problem with a device like Coin is that it makes it easy for the masses. In any large pool of relatively low income earning people, there are bound to be a few opportunists with loose morals/scruples.

I have found that even in a small pool of high income earning people, there are often several opportunists with loose morals/scruples. :flail:

I really don't like just about everything being reduced to zeros and ones and readable. :paperbag:
 
Or writeable. If you can't write, you can't make a copy...work from there.

The trouble with bits (my specialty) is when dumb humans give them too much respect.
Like back in the day, when computer billing first began, and was error-ridden (largely due to data entry errors, but also other things).
Then you'd dispute said bill, because it was wrong, and the monkey on the other end would say "well the computer says...whatever" - and that's that. Customer service access was read-only.

I would simply then mention my hourly rates for dealing with computer problems, and offer them a small discount to fix theirs, seeing as how they were already into me for an hour or more...

That usually got me escalated up to a level where a human could actually do something. You know, like reason, read, write, stuff humans do. And that usually got the problem solved.

It's the same trouble with all bank transactions now - and it's harder to claim the computer, its programming, or data entry is at fault, because it usually isn't. Of course, now we have hackers, but it's pretty common to deny that's possible for a bank, even after a major data loss you can prove.

This device gives some form of plausible deniability - to all parties. It will be interesting how it all shakes out. It *might* (not terribly likely) work for the consumer, but chances are, the usual "he with the gold makes the rules" golden rule will apply. We know who usually skims the slack in any situation - the big bad financial "engineers", right? Gawd, as if they had even a tiny fraction of the sophistication a real engineer needs to be good at his job...but they have "authority"...which trumps skill AND truth, till the rope or guillotines come out.

Note, I don't use "scare quotes" - that's not what I mean. When I use them, I generally am pointing to a word I feel is misused vs its true meaning.
 
I have to admit this "coin" concept has some appeal because multiple plastic cards in your wallet can be a hassle. You add to that all the membership and discount club cards you need to carry to get "points" discounts, etc. and it can be maddening to sort, so somebody trying to figure out a way to manage it is probably going to get rich, if it works. I'll probably give it a try myself because I am a sucker for new toys.

However, I live in a mild state of anxiety with all transaction records being electronic and still prefer paper statements now and again (old school) so there is some kind of record you can show to the occasional human teller. "Hey, there used to be money in my account, where did it all go???"

Plausible deniability is a growing trend. It appears to be one of the key strategies of the President. If it's good enough for him, it's good enough for the rest of us, I guess…..but jeez….what a terrible way to run a society. :paperbag:
 
Heck, it's almost as good as living in a small town, this coin thing.
I don't even have to bring payment to the store, myself. If I should forget, I just tell them I'll catch them next time, they just write it down. Yeah, there are still places like that.
They use a human being, and biometric ID - they know me, duh.
(Mr and Mrs Cognitive Dissonance from ZH are new neighbors here! We have yet to meet in person, but that'll be pretty soon. Some people walk their talk.)

A whole lot of things change right around the boundary where you know pretty much everyone in your immediate area. I'm originally from DC. Listen, there are no real Kojaks or other TV detectives in real life. Cops know no one, so they do random stops in the hopes of finding a car full of some obvious loot. Or now, with NSA's help, "parallel construction".

Where I live, we all know one another, and in the rare case of a crime, they know who did it kinda automatically - which is why crime is quite rare here. And if they know you're a good guy (I seem to be on that list) it's like you almost can't do wrong. Just don't mess up the other taxpayers, and then do whatever else you want, that's fine.

Too many humans....none of the major problems we're now facing would be here without all this company that apparently loves misery. It was obvious back when I had a decision about having kids, some 40 or so years back. And I decided not to. Because I'd have loved them. And this world is not a place to force someone I love to live in. I wasn't asked, so here I am, like it or not.

As I'm sure ancona would say - some days are better than others.
 
I got rid of all my credit cards right after I graduated college over 15 years ago. Since then, all I've had is one debit card, which only has access to a little spending money.

In yir face :D
 
Here's what the sec industry is saying about the coin.
http://www.theregister.co.uk/2013/11/18/coin_scorned/

Interestingly, there's an unsupported statement in that article that says you can only scan in cards you own. Really? How would it know who is holding it? Would it match names from what's printed on the card to what's set into the device? Could not the waiter set whatever he wanted into *his*?

The danger is your waiter owns one himself, and scans your coin into his, then uses it somewhere else, I think, as if he ripped you off from the restaurant, you'd know where it came from.

Edit:
Mike, same here, I use an identical plan. Debit-only, small balances (I have a few so I can get the bank to effectively keep my business and personal etc separate and do all the paperwork for taxes).
I had to make them turn off that stupid overdraft protection they keep wanting to turn back on, so an overdraft can't hit one of my large accounts via that path. They turn it back on periodically, and I have to keep track of that - they really have a policy of wanting those fees should I bounce one (never have, but...the entire point is to have one bounce if stolen and used). I even have a "special one" to use online or for "services" that like to auto-renew at the highest rates (shortest term) when you'd just as soon have them run out and turn off - Sirius, On-Star, most dating sites are among the worst offenders there (that I use, I don't use a cell phone co for example).
Once they have your CC number, they can be a right PITA to get stopped, even with a call, and never do they stop if you tell them to at the onset (eg tell them not to auto-renew), even though they promise to. Their little "wizard's apprentice" software evidently does not respond to what you tell their service reps.

This is especially annoying with services like Sirius (which I long ago got rid of after the free trial in some new cars I own) - they suck in lots of ways (fidelity, selection, price). Their prices are all over the map. Effectively ~$200/year if they auto-renew (for one month at a time at top rate) down to about $60/year I've had them tell me when they wanted me back - if you hold out, the price just goes lower and lower for a year, but they auto-renew at their highest price possible in one month chunks if you don't put a stop to them. Having the card bounce is one way...gets their attention, followed by an angry call asking for them to pay the bounce fees or face fraud charges for using a card without permission. They are a fundamentally dishonest outfit - if they can afford to sell me service for $60 - that should be the price, period, not this little game where they try for suckers first, then negotiate if they find someone who objects to being ripped off.
 
Mr and Mrs Cognitive Dissonance from ZH are new neighbors here! We have yet to meet in person, but that'll be pretty soon. Some people walk their talk

Wow Fusor

that's one cool dude for a neighbour

I have links from him for most of his essays ...........

He is a bit like FOFOA, rather wordy but good for stretching the grey cells

I would love a ringside seat if ever the two of you disagree on something fundamental :cheers:
 
...
Interestingly, there's an unsupported statement in that article that says you can only scan in cards you own. Really? How would it know who is holding it? Would it match names from what's printed on the card to what's set into the device? Could not the waiter set whatever he wanted into *his*?
...

Yes, that's mentioned in the FAQ page - I mentioned it previously. The coin device has some check against the name on the card. It's a software security feature. As I also mentioned before - it won't be long before some hacker figures a way to replace the COIN firmware/software with a skimmer's toolkit that lets the device copy any card without restriction.
 
The card *reader* plugs into your cell phone (eg this is useless if you don't have one) and gets the ID check from that. So you could hack it on either end, since you know the name on the card etc.
It does some sort of short-range bluetooth pairing with that phone, and won't work without the phone near. Which means nada if you pair it with the bad guy's phone.

Or you just take the parts and the idea and make your own. It's not really hard, and a dozen electronics distributors will even sell you the reader/writer parts cheap. Maybe more, that's just the ones I know of.

Good security is HARD. Good security that's still usable is even harder. The info-sec guys don't get enough credit for what they know and how hard it is to learn, and they are largely ignored in the C suites of the planet, as most of what they want to have you do is more work and it costs money. The whole game is about the tradeoffs required. Obviously you can make a computer secure - unplug it from all wires (internet) and wireless, or turn it off. But it's a bit difficult to find a use for that. So here we are, stuck in the middle trying to have both things - and in truth, perfect security cannot occur with perfect usability, at least not so far. We can maybe increase the "dynamic range" of the trade-off, but that's about it with what we think we know now.

RB, I'll keep you in the loop. I've been corresponding with Mrs Cog regularly via email, and looking at her blog, which is a buncha different stuff - mostly homesteading/prepping. I plan to help them learn how to get the most out of living around here, if they let me (as well as get them into the good ol' boys club with a boost up). Surely we'll find something to disagree about, smart people almost always do. But I kind of doubt it will be something truly fundamental, though we might not agree about the definition of "truly fundamental" - I've not talked to Cog in quite awhile. We plan to get together in person once they are a little more settled in.
 
Yes, that's mentioned in the FAQ page - I mentioned it previously. The coin device has some check against the name on the card. It's a software security feature. As I also mentioned before - it won't be long before some hacker figures a way to replace the COIN firmware/software with a skimmer's toolkit that lets the device copy any card without restriction.
Wouldn't it be easier to get a card reader/writer and make your own cards?
 
DCFusor

In a related note, none of my precautions prevented someone from stealing my identity in the US and getting 3 credit cards in my name. That was a pain to fix from here.
 
Wouldn't it be easier to get a card reader/writer and make your own cards?

Once a software hack is available, it will spread. The pool of people who might utilize a hacked COIN is likely much larger than the group with the smarts and inclination to cobble one together from scratch/parts.

Sure, the technically inclined can likely make something right now, but it's not likely to be small and discreet like the COIN. A hacked COIN would look like a legitimate COIN and thus the opportunity for any service person (like a waiter/waitress) to use one (for skimming) without drawing much attention.

@DCF - I'd think replacing the software (firmware) on the COIN device itself would be a more elegant solution - no smart phone id checking (& no picture taking requirement?) = easy skimming.
 
There are two parts of the thing. If they have the slightest clue (yet to be determined) the software on the fake-card part is in some odd uP like a PIC (from microchip), which has a feature that lets you scramble the code on read-out - so you can't easily reverse engineer it - that would make the battery last a heck of a lot longer since those are easily programmed to "sleep" and draw no power when not actively in use. It may not even be in flash, it might be in a real rom (but that'd be a surprise, since it costs more) for making rewriting impossible - you'd have to change out the chip.

I did product in PIC's for years for that reason - they were darned hard to copy or read anything but garbage out of (very little is actually impossible - but some things are so hard and expensive they're not worth it), so hard it was easier to look at what the thing did and then engineer your own. My product-dev customers loved that. Quite a few embedded-class uP's have that feature in some form, as well as a checksum that's hidden elsewhere and hard to change without some fairly expensive tools (and signing your name here and there, kinda leaves a paper trail). If they used house-numbered chips, you can't tell which uP they used and then might have to buy a whole bunch of dev kits (~ a few hundred bucks each with compiler and dongle for burning) before hitting on even the right processor.

It's true their hardware (at least the proto) is small and slick - they might not be showing what it's really going to take to make a product - time will tell. The scanner side might mostly use the phone CPU to do the heavy lifting, can't tell yet, but it's a fairly common practice, one my firm used a lot. In any multi cpu system (eg the product plus a PC in our case) we'd use the PC for all the real work we could, and the little guy as kind of a smart peripheral at most - just do the real time stuff as simple as possible, dump the data raw, and let the PC do the heavy lifting numerically and storage wise (which would map to the phone for this case). The reader need not be that small and slick though, at least not to be useful. Just portable enough to fit in a coat pocket (easy). If they can buy a tiny one, so can I. All it really is is a tape head with a few tracks, it's way not rocket science, and the margins for signal to noise are huge so the "real" readers almost always work, even when full of dirt and so on (think the readers in the stores). Anyone remember the old mag-tape days? A CC has a lot fewer bits/inch and is more primitive than even the oldest tape drives were. This is to allow for big mechanical clearances between the card and read-head, and dirt and what not, so the result can work for not-real-skilled customers.

In other words, the card reader part may be nothing more than a multitrack tape head with some comparators to get to TTL level signals, and simply send the raw data to something more capable (the phone) to figure out what this bit pattern means, and to normalize it for the speed of the swipe.
It's what I would do if I had zero worries about security. Which seems fairly close to them - they don't seem to understand the implications here (or don't want to make that public).

The writer (eg the card itself) need be no more than an electromagnet (one per track, but full length) that pulses at a rate (with the bit level/timing format you'd see in a swipe), simulating a swipe over a tape head that is reading what it thinks is one point at a time. It need not be fancy or an array of little electromagnets, since it's not actually writing a magstripe, just pretending to *be* one during reading. In fact, that's probably the basis of their "invention" - figuring out that's all you need there.

And they have that software security feature of bluetooth tethering, which is a total add-on over the basic function. Depending on how they did that, it might be no more than a cut trace or pullup resistor to defeat it - the devil there is in the details. To get to proto stage they probably grabbed a bunch of already working small chipsets "off the shelf" since that's less NRE cost than a custom SOC, and lashed them up, which means wires you can intercept between the chips. But that's a guess.

Or it could be possible to pair the thing with more than one phone. That would be a pain for the hacker, as I'd guess even a brain-dead "security via obscurity" coder would at least make sure the owners names match, but then again, you never know. Imagine a use-case for a whole household, they'd probably want to handle that, and all the cards might not be in the same name, and who knows how they would implement that one? Not me, not yet. I'm sure the gory details will come out in something like pwn2own or some 'con soon enough.

FWIW, the tech-inclined have been able to do this for a few decades if my memory serves, in fact, the junk you need is now more or less obsolete as a developer sales item - all the readers we need are already in place, not many are designing new ones. It's a bit harder if you have to write an actual magstripe so you hand the merchant something that looks like a real card (and is, just with fake data). In fact, there are reports of that happening, just not to any large scale. The real danger here is they are encouraging merchants to take these fake-looking cards, so if they do, then anyone can make something look-alike and expect to get it accepted. That would hugely embiggen the market for all those stolen CC numbers (all of them?) Seems long lists are cheap to buy and with all the leaks, they cover most of the CC numbers out there. They've been going cheap in cracker-land since it's hard to capitalize on those as things sat.

We now live in a society originally described by Harry Harrison, in the Stainless Steel Rat series (no it's not that great as writing, but fun). His point was, with surveillance, digital money xfer tracking and so forth, that it's a lot harder to get away with being a big-time crook now. To "win" the money has to come to you. Electronic payment means there's a trail unless you are very fast in getting it back to something physical and skipping town (or buying merchandise, then fencing it), which is why the aforementioned capability to make fake cards - long existing - rarely makes the bigtime news - it's just too hard to get away with very much, so all the crimes are relatively petty, and fairly rare - the perps tend to get off the street (and often into the greybar hotel) pretty quick unless they are very smart and very nimble.

Remember, you have to set up an account somewhere to accept the money, and that your picture is definitely taken every time you go into a bank to do that. Since you have to do that a lot to be nimble, that means you leave a trail of your pix everywhere you do it. Sooner or later you get recognized as this guy who starts a lot of accounts, gets money into them, then closes them. A fairly easy to detect pattern for law enforcement, and one the banks report on as is (so my banker told me when filling me in on the secret parts of the patriot act, at her risk - nice to live in a small town).
I've seen reports of ignorant mules hired to do that, so they are the ones who get taken down, then they spill that they were just working for someone who hired them over the 'net to do it for a small cut of the take. So the law enforcement types have to trace back to the boss, which can make things a lot more difficult for them, since they tend not to be real good at digital forensics, outside the intelligence community.

Most all reasonably smart people make more money without (outright) theft - for example, these guys, "selling shovels in a gold rush" might qualify as indirect criminals or alternatively, as enablers of crime without having to do crime themselves.

Of course, in the proto they almost certainly re-used some off the shelf overpowered CPU for which things like a USB and bluetooth software stack are already around, easy to prototype with and so on without having to know how to write a protocol stack. I've been seeing a trend of using microprocessors that are insanely overpowered, run things like linux or android or even win CE, to do really simple jobs - just because they save on NRE costs - you don't need a great set of programmers when the job is 9/10th done for you. Not only does that cost the customer a bit more, the resulting code is crummier, since the manuf never hired the real top of the class, just some code monkey - A little drag here, a little drop there and you have a running thing that takes 100x the cpu to run, but almost no cost for the programming.

I have some examples around here of that design philosophy. I have a mass spectrometer head that runs windows CE to create the other side of a DCOM active-x control, but which does exactly nothing else - the PC it's hooked to does all the math and sends the device every single parameter setting for this or that mass, tells it to read a current off the detector, and send it back to the PC.
So you have this big attack surface (DCOM is bad enough by itself) and an expensive and large board in the device when a tiny uP would have easily done the job and more - but would have required someone to know how to do tiny uP opsys, invent their own comm protocol and so on.
The manufacturer of this $40,000 thing didn't care about the customer's cost or attack surface, just the NRE it cost them on a fairly low volume (as you might imagine for that price) product.

My bet is all the smarts are on the phone itself, the rest is just interface parts for the phone. And we know phones are secure (not). So a hack on the phone side might be the main vector for someone, and those are not that hard to pull the guts out of in readable (for reverse engineering) form.

From 30k feet, that looks like the vector of choice here, for the coder-only sort of cracker, which includes nearly all of 'em.

Edit:
Note, I also have another mass spec that I bought surplus on the cheap. It only really took a z80 at 4 mhz to both drive a CRT display and output the results in ascii over a serial port. And even that Z80 is loafing to do the job, but the days where a low level expert is hired to do this kind of thing seem to be over, perhaps due to a shortage or the high price of such talent. Even a $2 (in ones!) PIC would be several times more CPU than that has - and it's a mass spectrometer, not a tape-stripe emulator which is a whole lot easier - the mass spec has to be real time, control a bunch of analog stuff (filament, voltages both DC and RF on the electrodes and input the current signal for each ion e/m ratio in a sweep).

And yes, ID theft is still pretty easy to do. Usually just a little social engineering after some web searching. But it's still hard to fix once it happens, as you almost certainly know.
 