More and more people use plastic bank cards, but only a few know how one card differs from another (Visa from MasterCard, a chip card from a regular magnetic stripe card). Many people keep their money on a plastic card because they believe it is better protected from theft there. Until recently that was my view too. A simple shopping trip, and 0 rubles on the account, while the card itself was never used. Is that possible? It turns out it quite is. This post is mostly for those who still believe in the security of a piece of plastic with a magnetic stripe and trust it with all their savings.
Technical side
Today the most common cards in use are magnetic stripe cards and chip cards. The second option in its pure form is almost never used in Russia; instead, the hybrid version (chip + magnetic stripe) serves as its alternative.
Magnetic stripe card
On this type of card the information is recorded on a magnetic strip. Magnetic stripe cards come in three formats: ID-1, ID-2 and ID-3 (ID-1 is the most common). The magnetic strip contains 3 tracks (most often only 2 are used), on which the card number, its expiry date, the cardholder's surname and similar data are recorded in encoded form. Magnetic stripe cards are described most completely and accurately in the following standards:
- ISO-7810 "Identification Cards - Physical Characteristics";
- ISO-7811 "ID Cards - Recording Techniques";
- ISO-7812 "Identification Cards - Numbering System and Registration Procedure for Issuer Identifiers" (5 parts);
- ISO-7813 "ID Cards - Cards for Financial Transactions";
- ISO-4909 "Bank Cards - Content of the Third Track of the Magnetic Strip";
- ISO-7816 "ID Cards - IC Chip with Contacts" (6 parts).
Most types of plastic cards are defined by ISO 7810 ID-1. What means of protection (besides the magnetic strip, which contains information about the holder) allow this card to be distinguished among many others? Similar information is also recorded in the barcode; with Svyaznoy Bank, for example, it is enough to know the barcode to transfer money to an account. The holder can also be identified by the sample of his personal signature on the reverse side. In addition, all cards carry an identification number, an expiry date and a special CVV2 or CVC2 code on the back; this data is enough to make payments over the Internet. Many banks also put holographic marks on their cards.
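To show concretely what the two commonly used tracks hold, here is an added example (mine, not from the original post): a decoder for the public ISO 7813 Track 1 and Track 2 layouts. The track strings are constructed test data using the well-known 4111 1111 1111 1111 test number and a made-up holder; the field names and the `mask_pan` helper are my own. The point for a defender is that everything on the stripe is static and readable, so there is nothing in it to keep a copy from working; the only things a terminal can do are the Luhn check, a cross-check between the two tracks, and honouring the service code, whose first digit (2 or 6) tells it that the card has a chip and should be read through the chip where possible.

```python
import re
from typing import Dict, Optional

# Constructed sample tracks: the standard 4111 1111 1111 1111 test PAN,
# a made-up holder, expiry 12/2025 and service code 201 (chip present).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512201000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=2512201000000000000?"

# ISO 7813 layouts: start sentinel, PAN, separator, (name,) YYMM expiry,
# 3-digit service code, issuer discretionary data, end sentinel.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Check-digit test every terminal applies; it catches typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _describe(m: "re.Match") -> Dict[str, object]:
    g = m.groupdict()
    exp, svc = g["exp"], g["svc"]
    return {
        "pan": g["pan"],
        "pan_valid": luhn_ok(g["pan"]),
        "expires": f"20{exp[:2]}-{exp[2:]}",  # YYMM -> YYYY-MM
        "service_code": svc,
        # First service-code digit 2 or 6: IC chip present, use it where
        # feasible. 1 or 5: magnetic stripe only.
        "chip_capable": svc[0] in "26",
        "discretionary": g["disc"],
    }


def parse_track1(track: str) -> Optional[Dict[str, object]]:
    """Track 1 additionally carries the holder name as SURNAME/GIVEN."""
    m = TRACK1_RE.match(track)
    if not m:
        return None
    info = _describe(m)
    surname, _, given = m.group("name").partition("/")
    info["surname"], info["given"] = surname.strip(), given.strip()
    return info


def parse_track2(track: str) -> Optional[Dict[str, object]]:
    m = TRACK2_RE.match(track)
    return _describe(m) if m else None


def mask_pan(pan: str) -> str:
    """How a PAN should appear in any log or receipt: first 6 and last 4 only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tracks_consistent(t1: Dict[str, object], t2: Dict[str, object]) -> bool:
    """Issuer-side sanity check: a mismatch between the two tracks is one
    signal that the stripe was re-encoded rather than issued."""
    return all(t1[k] == t2[k] for k in ("pan", "expires", "service_code"))


if __name__ == "__main__":
    t1, t2 = parse_track1(SAMPLE_TRACK1), parse_track2(SAMPLE_TRACK2)
    print(mask_pan(t1["pan"]), t1["surname"], t1["given"], t1["expires"],
          "chip" if t1["chip_capable"] else "stripe-only")
    print("tracks consistent:", tracks_consistent(t1, t2))
```

Note that nothing in either track is a secret: the PIN is not on the stripe, which is exactly why the attacks described later in the post need a second step (camera, overlay, phishing) to get it.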
Hybrid card with chip

Unlike magnetic stripe cards, it is the information from the chip that is used when making transactions. The chip has a large amount of memory, and the information on it is protected by a more complex form of encryption. A magnetic stripe card always transmits the same card-identifying data to the bank, so that data can be copied and a fake card made. A microprocessor card works differently: each transaction is confirmed by a code generated specifically for it, and every subsequent operation requires a new code, so making a duplicate is practically impossible. The hybrid variant took root because card-accepting equipment was slow to migrate to the new data format. Now almost all devices that accept plastic cards can read chips. If an ATM performed a transaction using only data from the magnetic strip, that transaction can be disputed and the bank (the owner of the obsolete ATM) is obliged to compensate the damage caused to the cardholder.
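The difference described above, as an added example that is not part of the original post: a deliberately simplified model (not the real EMV protocol) of the two authorization styles. The stripe issuer checks only a static record, so an exact copy of that record is as good as the card. The chip issuer verifies a per-transaction cryptogram, modelled here as an HMAC over the card number, a transaction counter, the amount and a terminal nonce, under a key that never leaves the card. The class and field names, the key sizes and the sample amounts are my own assumptions; the PAN is the constructed 4111 1111 1111 1111 test number.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# ---- magnetic stripe model: the same static record every time ----
STRIPE_RECORD = {"pan": "4111111111111111", "expires": "2512"}  # constructed test data


class StripeIssuer:
    """Authorizes on static data alone; a copy of the stripe is indistinguishable."""

    def __init__(self, records):
        self.records = {r["pan"]: r["expires"] for r in records}

    def verify(self, request: Dict) -> Tuple[bool, str]:
        if self.records.get(request["pan"]) != request["expires"]:
            return False, "unknown card or wrong expiry"
        return True, "approved"


# ---- chip model: a fresh cryptogram for every transaction ----
class ChipCard:
    """Holds a key that never leaves the card and a transaction counter (ATC)."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def authorize(self, amount_kopecks: int, terminal_nonce: bytes) -> Dict:
        self.atc += 1  # counter advances on every use, never repeats
        msg = f"{self.pan}|{self.atc}|{amount_kopecks}|{terminal_nonce.hex()}".encode()
        return {
            "pan": self.pan, "atc": self.atc, "amount": amount_kopecks,
            "nonce": terminal_nonce,
            "cryptogram": hmac.new(self._key, msg, hashlib.sha256).hexdigest(),
        }


class ChipIssuer:
    """Knows each card's key and the last counter value it accepted."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._last_atc: Dict[str, int] = {}

    def issue(self, pan: str, key: bytes = None) -> ChipCard:
        key = key or os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def verify(self, request: Dict) -> Tuple[bool, str]:
        key = self._keys.get(request["pan"])
        if key is None:
            return False, "unknown card"
        msg = (f"{request['pan']}|{request['atc']}|{request['amount']}|"
               f"{request['nonce'].hex()}").encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["cryptogram"]):
            return False, "cryptogram does not verify"
        if request["atc"] <= self._last_atc[request["pan"]]:
            return False, "counter not fresh (replay)"
        self._last_atc[request["pan"]] = request["atc"]
        return True, "approved"


def demo() -> Dict[str, bool]:
    """Run the same scenarios against both models and report what is approved."""
    results = {}
    stripe = StripeIssuer([STRIPE_RECORD])
    results["stripe_original"] = stripe.verify(STRIPE_RECORD)[0]
    results["stripe_copy"] = stripe.verify(dict(STRIPE_RECORD))[0]  # identical copy passes

    issuer = ChipIssuer()
    card = issuer.issue("4111111111111111")
    nonce = bytes.fromhex("00112233")
    req = card.authorize(150000, nonce)
    results["chip_genuine"] = issuer.verify(req)[0]
    results["chip_replay"] = issuer.verify(req)[0]  # same message again: stale counter
    # Someone who recorded everything on the wire still lacks the key, so a
    # message for a new counter/amount cannot carry a valid cryptogram.
    forged = dict(req, atc=req["atc"] + 1, amount=999999)
    results["chip_copy_new_amount"] = issuer.verify(forged)[0]
    results["chip_next_genuine"] = issuer.verify(card.authorize(20000, nonce))[0]
    return results


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:22s} {'approved' if approved else 'rejected'}")
```

The counter check is what makes the liability rule at the end of the paragraph enforceable in practice: an issuer that saw a valid cryptogram knows the real chip was present, while a stripe-only authorization carries no such evidence.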
Harsh reality
Let us return to how it happened that all the savings were removed from a card that never left its owner. I can only guess, because all I have is an education in IT and the Internet (which knows everything). The ill-fated card was one of the cheapest card types to maintain: an ordinary magnetic stripe card (not even a personalized one). The security measures present on the card were:
- Magnetic stripe with information about the holder
- Signature on the back of the card
- Bank logo hologram
- SMS transaction notifications
- PIN
- Barcode
How does this work?
The magnetic strip is copied by a special device, a skimmer. After that a duplicate card is made, and all that remains is to learn the card's PIN code. For this a hidden video camera is usually used together with the skimmer, or, if the intruder is a waiter or a seller, he tries to peek at the PIN code. An even more technological option is a reading device attached to the PIN entry device.
Phishing sites and mailings, where cardholders are asked to enter their secret information (card number, CVV2 or CVC2, etc.), are also used to obtain data from the holders.
Quite common are cases where intruders tamper with the card reader so that the card gets stuck in it. When the owner leaves, the intruder appears and takes the card.
Another method is carding. Here the attacker seizes the database of an online store or some online bank and withdraws money from the cards found in it.
Now a more complex version of skimming is gaining momentum: shimming (from the English "shim", a thin strip). Unlike skimmers, these devices are not visible: a thin flexible board about 1 mm thick is inserted through the slot of the card reader and reads the data of the inserted cards, allowing the card number and its PIN code to be stolen. Experts reassure us that this kind of fraud has not yet reached Russia, since it is quite expensive and difficult to implement. (In my opinion, this is exactly what I ran into, so the experts can take note.)
Signature on the back. This type of protection is generally absurd if the card, as in my case, is not personalized, because anyone who puts a signature there can be the owner. In the case of a duplicate, nothing prevents the attacker from putting his own signature, name and surname on the produced copy. From my own experience: I went half a year with a card whose signature on the back had worn off, and only then was it pointed out to me and I was forced to leave an autograph (which is even more absurd).
Hologram with the bank's logo. As a way to confirm that you do not have a fake card in your hands it may well do, but no more.
Barcode. A snapshot of the card is enough, and the barcode is easily duplicated.
And my favorite part, SMS informing. A very useful thing: you will always see your money flowing away. Mine leaked in 2 minutes. It took about 1.5 minutes to wait for a response from the bank's operator after a series of answering machines and redirects. It should be noted that the phone can be left at home altogether, or it may be discharged or have no network access, and so on. So as a means of protection it is very dubious. Moreover, as users MyHabrahabr and SpiritOfVox suggested, there is a way to block the victim's phone altogether at the time of the "gutting" of his card.
Results
Sad as it may be, there is still no legislative basis in Russia regulating the responsibility of banks when fraudulent actions are carried out with plastic cards. Each bank considers every case separately. They conduct their own investigation and, as a rule, if you have violated at least one clause of the card usage rules (handed the card to third parties, kept the PIN code in a place accessible to others, disclosed the expiry date, card number or cv1/cv2 codes to third persons), the refund will be denied. In order to have grounds to write an application to the bank, you need to wait for the transaction to be confirmed (about 3 days). Up to that point the money is formally still in your account, and there are no grounds for disputing the transaction.
If an attacker manages to get a copy of your chipless card together with the PIN code, then most likely such operations cannot be distinguished from your own, and here too a refusal follows.
Some tips:
1) If you still have a regular magnetic stripe card, change it to a card with a chip (it is not that much more expensive, and the money will be safer).
2) Set a limit on daily withdrawals. With SMS notifications enabled, this will allow you to block the card with smaller losses.
3) Block the card as soon as a suspicious transaction appears; many banks allow you to lock and unlock the card by phone.
4) Look carefully at the devices into which you insert the card, and do not hand it to third parties.
5) If the card gets stuck in an ATM, block it first; then you can abandon it if there is no time or it is impossible to find someone authorized to remove the card from the ATM.
6) The most important thing is to remain human and not steal other people's money. Everyone has dreams, but someone works half a lifetime for their sake, and someone in just 2 minutes takes away the incentive to keep believing in a dream.
Useful resources
- Safe use of plastic cards
- How else do they steal money from plastic cards
- Read more about the data storage mechanism on a plastic card
UPD1: This is a kind of carding (online carding). Using dumps for shopping in physical stores and dump + PIN combinations for cashing out at ATMs is also carding.
UPD2: There is a legal basis after all, though the practice of applying it is still questionable (thanks to scarab).
Article 854. Grounds for debiting funds from an account
1. Funds are debited from the account by the bank on the basis of the client's order.
2. Without the client's order, debiting of funds from the account is permitted by a court decision, as well as in cases established by law or provided for by the agreement between the bank and the client.
UPD3: Svyaznoy Bank did not disappoint. Yesterday they finished their investigation (it took about 2 weeks) and returned all the money. The new card was issued personalized and chipped straight away. Which, admittedly, cannot but please.
Thanks to MyHabrahabr and SpiritOfVox for the constructive comments.