I hope you’ve heard about the new EMV chipped credit/debit cards. On the one hand, they’re a definite security improvement over the older style. The original chipped cards were straight RFID-style, which simply copied the mag stripe info to the RFID, which could then be read in your pocket with a home-made near-field reader. The newer EMV is an active computing device. During a transaction, it actively communicates with the card system to create what amounts to a new, temporary ‘credit card number’ for each purchase. A crook might scan your new card, but it’ll only be good for one use… if he manages to use it before you do. If you get there first with your real card, the crook’s copied transaction number will expire.
That’s something. I still recommend an RF-blocking wallet for your chipped cards, because one hacked transaction can ruin you while you straighten it out with your oh-so-cooperative credit card company or bank.
But there’s another little problem with those new cards. You have to enter a PIN for every transaction. No PIN, no good. So if someone physically steals your card, he can’t use it.
Wrong. Turns out you can hack the card so it will accept any random string as a valid PIN. As near as I can tell, this works because the system relies on the individual card to approve PINs instead of comparing the PIN entered to the PIN in the company’s database.
OK, that’s so a processing company doesn’t have to go back to the card issuer for every transaction, because that’s complicated and would slow down the purchase process even more. But if they intend to field a card billed as secure, they better get off their butts and do it.
But believe it or not, all that wasn’t the main point. In the first article about the hack, they caught the bad guys.
By their cell phones.
The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.
Yep, they sifted through the sort of data the NSA has been collecting and matched it to otherwise unrelated activities. They didn’t just get the IMSIs of dumbasses talking on the phone while they ran hacked transactions; they got the IMSI of every phone turned on in the area.
That’s your tactical reminder for the day: Turn your frickin’ personalized tracking device off when you don’t need it.
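To make the correlation described above concrete, here is an added sketch (not code from the article or from any police tool) of how records of phones seen near each fraudulent transaction can be intersected to single out a few subscribers. The record layout, cell names, time window and IMSI values are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: (imsi, cell_id, time the phone was seen by that cell).
# IMSIs use the 001/01 test network prefix; none are real subscribers.
TOWER_RECORDS = [
    ("001010000000001", "cell-A", "2015-01-05T10:02"),
    ("001010000000001", "cell-B", "2015-01-07T15:25"),
    ("001010000000001", "cell-C", "2015-01-09T18:50"),
    ("001010000000002", "cell-A", "2015-01-05T09:55"),
    ("001010000000002", "cell-B", "2015-01-07T17:10"),  # same cell, too late
    ("001010000000003", "cell-A", "2015-01-05T10:10"),
    ("001010000000004", "cell-B", "2015-01-07T15:31"),
    ("001010000000004", "cell-C", "2015-01-09T18:40"),
    ("001010000000005", "cell-A", "2015-01-06T10:00"),  # right cell, wrong day
    ("001010000000005", "cell-A", "2015-01-09T18:45"),  # right time, wrong cell
]

# Constructed fraud events: (cell covering the point of sale, transaction time).
EVENTS = [
    ("cell-A", "2015-01-05T10:00"),
    ("cell-B", "2015-01-07T15:30"),
    ("cell-C", "2015-01-09T18:45"),
]


def imsis_near(event, records, window):
    """Every IMSI seen by the event's cell within +/- window of the event."""
    cell, when = event
    t = datetime.fromisoformat(when)
    return {
        imsi
        for imsi, seen_cell, seen_at in records
        if seen_cell == cell and abs(datetime.fromisoformat(seen_at) - t) <= window
    }


def correlate(events, records, window=timedelta(minutes=15), min_hits=2):
    """Count, per IMSI, how many distinct events it was near; keep repeat hits."""
    hits = Counter()
    for event in events:
        # A set per event, so a chatty phone counts once per event.
        hits.update(imsis_near(event, records, window))
    return {imsi: n for imsi, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for imsi, n in sorted(correlate(EVENTS, TOWER_RECORDS).items()):
        print(f"{imsi} present at {n} of {len(EVENTS)} events")
```

Every phone near the first event lands in the candidate set, bystanders included; only the repeat appearances across events separate the suspects from everyone else whose location was recorded.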