What makes this bitcoin ATM experience special is that a user is greeted by a person, ready to answer any questions. Additionally, the ATM uses “biometric authentication”, allowing for extra security. Users will need their government-issued IDs, a personal verification number, and will have their face scanned and palm printed before having access to the bitcoin hardware.
The Bitcoin ATM was installed by Coinage, LLC in Mountain View, CA at Hacker Dojo community center.
There are Android (malware) apps with crypto-currency mining capabilities.
This malware is involved in the mining for various digital currencies, including Bitcoin, Litecoin, and Dogecoin.
The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app; this code is based on the well-known cpuminer software.
The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside the Google Play store. These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals.
My article in VentureBeat:
Lawsuit against Target and Trustwave gets the security standard all wrong.
This lawsuit could set a precedent, where the PCI security auditor is responsible for card data breaches even when the company they are auditing is fully in compliance with the PCI DSS.
Interesting view on U.S. EMV migration.
1. EMV solves the wrong problem – and an old one at that.
I agree with #1, #2, and #4.
As a technical guy, I don't care who pays for it (#3): eventually, it's us - consumers - who pay for everything.
I disagree with #5: ACH and bank transfer threats (and solutions) are completely different from merchants' payments security problems.
I would agree with #6, but I don't see a "real opportunity": there is no mature payment technology available today that could become a real alternative to EMV. Crypto-payments (Bitcoin & Co.) are a very promising trend, but based on the recent series of failures they are still at the early proof-of-concept stage. And there is no single mobile payments technology that is secure enough to be accepted by mainstream consumers.
Bitcoin exchange Vircurex stops withdrawals due to "two incidents last year that led to a loss of a significant number of BTC, LTC, FTC, TRC".
Possible credit card data breach at California Department of Motor Vehicles.
Consumer Alert: Credit Card Information
Bitcoin developers released the new version of client software which includes the fixes for transaction malleability bug. This bug enabled attacks on Bitcoin exchanges.
Transaction malleability-related fixes
These new mobile wallet apps will make it easier, not harder, for hackers to hijack your payment card
This essay was previously published by VentureBeat on March 13, 2014
As a payment security expert, I get a lot of questions from people about new payment technologies. Are merchants likely to accept them? How secure are they? A couple of recent startups in this space, Loop and Coin, have been generating quite a few of those questions, and my review of them shows some concerning vulnerabilities.
Loop and Coin are just two examples of mobile payments startups that try to bring an invention to market by marrying their new technology to an existing payment card system. The reason is simple: Their tech is more likely to be accepted by the mainstream if merchants can reuse their existing payment hardware and software.
Both Loop and Coin are trying to keep alive the dying magnetic stripe payment system. However, they have another important “feature” in common: By replacing the original plastic cards with digital ersatz, they unintentionally simplify the flow of the stolen credit card data.
The core know-how of Loop is transforming the traditional magnetic stripe reader device (MSR), which merchants use to accept the magnetic credit and debit cards, into the contactless reader. The powerful magnetic field is generated by the mobile payment device (instead of the payment card’s magnetic stripe), so the card data can be transmitted wirelessly to the same reader.
Although this technique is very interesting from a technical point of view, there are several potential issues with accepting Loop as a mainstream method of payment. First, there is no real innovation here. It’s just a combination of old technologies. Second, from a security point of view, it’s the same nightmare as existing credit cards. It can be even worse because all my cards are now stored in one place. And the card data is not protected when it is transmitted from the mobile device and throughout the system, just like with traditional plastic cards.
Finally, Loop is less convenient than plastic cards, especially with the fob required for the iPhone. Instead of just swiping the card, I need to: hold both the fob and the phone, unlock the phone, find and start the app, select the card, then press the button on the phone and at the same time “swipe” the fob. Not to mention the fact that many card readers are deeply “hidden” inside the customer-facing hardware, such as a bank ATM or gas station’s fuel pump, and therefore cannot be reached by the Loop device.
But most importantly, this system is dangerous to merchants, issuers, and acquirers because it simplifies the credit card fraud process. Hackers don’t need to make the physical plastics anymore – they just load the dump of stolen card data into the single device, and voilà!
Loop’s developers say the app identifies the cardholder before the new card is added to the wallet, so it is impossible to add someone else’s card into your wallet. This “security control” is very weak, and anyone familiar with the design of magnetic payment cards can find a workaround. This protection measure is implemented by comparing the cardholder name, which is encoded on magnetic Track 1 of the credit or debit card, with the name on the Loop app account. A hacker who wants to enter and use the stolen track data can easily fake the name on the card and match it with the name on the Loop account because the cardholder name on the magnetic track is not protected by encryption or digital signature and can be changed to any combination of letters without affecting the payment approval process.
The idea of Coin is similar but more elegant: replacing several payment cards with a single card-like sophisticated device. The technology behind Coin is pretty impressive, but it raises exactly the same security concern as the Loop device. Normally, when carders want to use the stolen card data to make a purchase in a brick-and-mortar store, they need to produce the fake plastic card, which must look like a real credit card, and encode it with the stolen magnetic tracks. But with Coin, there is no need to produce a good looking physical plastic anymore. The stolen data can be encoded directly into the Coin device.
Carders would have to overcome one obstacle: taking a picture of the real card so they can enter the new card information into Coin through the iPhone or Android app. But I think generating a realistic virtual image of a credit card (so it can be photographed instead of the real card) is cheaper than creating a physical counterfeited card, which requires special equipment such as a PVC printer, an embosser, a tipper, etc.
I am sure that hackers, carders, and cashers will be among the first beta testers (and subsequently the most appreciative users) of such “innovative” technologies. More effective security controls — if they are feasible at all — must be designed for the mobile wallet apps that reuse the existing magnetic stripe technology.
Interesting facts about Target attack which confirm my theory that PCI compliance alone is unable to protect merchants from card data breaches.
Target was certified as meeting the standard for the payment card industry (PCI) in September 2013.
Company officials say its information security staff now numbers more than 300 people.
A three-year study by Verizon Enterprise Solutions (VZ) found that companies discover breaches through their own monitoring in only 31 percent of cases. For retailers, it’s 5 percent.
Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network.
Even the company’s antivirus system, Symantec Endpoint Protection (SYMC), identified suspicious behavior over several days around Thanksgiving—pointing to the same server identified by the FireEye alerts.
the intruders had gained access to the system by using stolen credentials from a third-party vendor.
Sally Beauty confirmed this morning that 25,000 records of Track 2 have been stolen from their systems.
As we previously stated on March 5th, our systems detected an unauthorized attempted intrusion into our Sally Beauty Supply LLC network. At the time of this discovery, we immediately engaged a top-tier forensics firm (Verizon) to investigate this security incident. As a result of this ongoing investigation, we have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed.
Track 2 is one of two tracks of information encoded on the magnetic stripe of payment cards (either credit or debit). Track 2 contains information which is sufficient for hackers to create a fake duplicate card and use it for purchases in brick-and-mortar stores without any limitations. There are plenty of ways to steal Track 2 data from point-of-sale systems, even if they are PCI-compliant.
Track 2 sample:
Track 2 key elements:
4005554444444403 - Cardholder's PAN (Primary Account Number)
1512 - Card's expiration date (December 2015)
123 - CVV (Card Verification Value)