How was my debit card cloned ?

Cube3

Expert Member
Joined
Jun 3, 2008
Messages
1,341
Maybe they're using one of the store cameras to view your pin code entry ???
 

spiff

Executive Member
Joined
Oct 17, 2007
Messages
5,828
That's probably the likeliest method. If it is you have to question how store managers don't pick this up.

In the UK it looks impossible for cashiers in supermarkets (at least at Sainsbury's, ASDA and Tesco) to do this because the devices, firstly, aren't portable and secondly they seem pretty hard wired to the till. There is no obvious connector visible. This makes it all but impossible for a cashier to plug any device. In fact the way it works you don't even hand your card to the cashier. You place your own card in the device and type your pin.

Consumers should refuse to shop where they use portable devices


that's the first thing I noticed when I was in the UK. NO ONE touches your card except you! why don't they implement this in SA.

I get so pissed off with some of these arrogant MF tellers when they GRAB my card out my hand and thrust it into the card reader like it's a forking vibrator!! my "new" chip card is already split in half because of this! and when I tell them " HEY watch it" they just ignore me like I'm a piece of trash.
 

Alton Turner Blackwood

Honorary Master
Joined
Apr 30, 2010
Messages
27,486
that's the first thing I noticed when I was in the UK. NO ONE touches your card except you! why don't they implement this in SA.

I get so pissed off with some of these arrogant MF tellers when they GRAB my card out my hand and thrust it into the card reader like it's a forking vibrator!! my "new" chip card is already split in half because of this! and when I tell them " HEY watch it" they just ignore me like I'm a piece of trash.
My cheque card is only expiring in 2016 and it's looking like schitt already because of this. Doesn't help it if you try and look after your card
 

Malasius

Senior Member
Joined
Jul 25, 2007
Messages
644
Also had a standard bank cheque card "cloned" with various store swipes and had strange debit orders added to all the accounts on my profile (including never used savings accounts etc.). This all happened within a few hours of installing the official Standard Bank Android app, although that might just be a complete coincidence. Not sure how they had access to my profile all details etc?
 

R13...

Honorary Master
Joined
Aug 4, 2008
Messages
46,618
that's the first thing I noticed when I was in the UK. NO ONE touches your card except you! why don't they implement this in SA.

I get so pissed off with some of these arrogant MF tellers when they GRAB my card out my hand and thrust it into the card reader like it's a forking vibrator!! my "new" chip card is already split in half because of this! and when I tell them " HEY watch it" they just ignore me like I'm a piece of trash.
I was at a filling station the other day after filling up I show the lady attendant that I'm going to be using a card and she makes to take it with her to the window. I said no, you bring the machine here. She got all sulky and refused to touch my card when she brought the machine so I swiped and did the transaction myself :p

Yeah I know this thread is old but it's revived.
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
12,494
that's the first thing I noticed when I was in the UK. NO ONE touches your card except you! why don't they implement this in SA.

I get so pissed off with some of these arrogant MF tellers when they GRAB my card out my hand and thrust it into the card reader like it's a forking vibrator!! my "new" chip card is already split in half because of this! and when I tell them " HEY watch it" they just ignore me like I'm a piece of trash.
You can do that mostly here in SA too. Whenever I go to pick n pay I never hand over the card, I show them I pay with card and then insert it myself into the card reader and enter pin. Tellers don't like it, but then I don't give them a choice.

The only places I found I don't have a choice, is Nandos who uses this backwards system where the card first needs to be swiped on the ordering till then inserted into the credit card machine, for some reason they use it to link the payment to the order from what I have figured out. Then there is most restaurants etc., but this is not a regular occurrence so that is ok.
 

zippy

Honorary Master
Joined
May 31, 2005
Messages
10,321
Maybe they're using one of the store cameras to view your pin code entry ???

they need to match the pin entry to the card number as well as the security no on the back of the card. The pin is only worth something if they get the card in their possession.
 

AstroTurf

Lucky Shot
Joined
May 13, 2010
Messages
30,552
I would imagine at a till the operator swipes and clones while the packer watches you enter the pin.
 

spiff

Executive Member
Joined
Oct 17, 2007
Messages
5,828
I was at a filling station the other day after filling up I show the lady attendant that I'm going to be using a card and she makes to take it with her to the window. I said no, you bring the machine here. She got all sulky and refused to touch my card when she brought the machine so I swiped and did the transaction myself :p

Yeah I know this thread is old but it's revived.

facepalm - that FU attitude gets me!!
 

spiff

Executive Member
Joined
Oct 17, 2007
Messages
5,828
You can do that mostly here in SA too. Whenever I go to pick n pay I never hand over the card, I show them I pay with card and then insert it myself into the card reader and enter pin. Tellers don't like it, but then I don't give them a choice.

Think I'm going to do this from now on. ;)
 

Sonic2k

Executive Member
Joined
Feb 7, 2011
Messages
7,637
As for how cards are getting cloned....

The terminals, in many cases, have the default passwords on, which then allows criminals to view the previous transactions.
The default passwords are in a list that can be had online.

I have discussed this at a previous infosec and obtained a sample terminal via my employer. It took me 4 minutes to break into the system and see the PAN of the card I swiped. The PAN, and a standard card writer are all you need.

The terminal's manuals explicitly say the passwords must be changed when deployment takes place. As this is South Africa, and idiots are used to do field installations, this rarely happens!

As for my interest in them- I write apps for them, as a side function of my job as a programmer/pentester!
 

Chicken Boo

Senior Member
Joined
Mar 8, 2009
Messages
991
As for how cards are getting cloned....

The terminals, in many cases, have the default passwords on, which then allows criminals to view the previous transactions.
The default passwords are in a list that can be had online.

I have discussed this at a previous infosec and obtained a sample terminal via my employer. It took me 4 minutes to break into the system and see the PAN of the card I swiped. The PAN, and a standard card writer are all you need.

The terminal's manuals explicitly say the passwords must be changed when deployment takes place. As this is South Africa, and idiots are used to do field installations, this rarely happens!

As for my interest in them- I write apps for them, as a side function of my job as a programmer/pentester!

What can you do with a PAN and no PIN? (or no cvv if online)
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
31,217
You can do that mostly here in SA too. Whenever I go to pick n pay I never hand over the card, I show them I pay with card and then insert it myself into the card reader and enter pin. Tellers don't like it, but then I don't give them a choice.
Doesn't make much difference unless the person is a magician that can swop it in front of you. The biggest issue is they have access to the machine itself so can make mods to log pins and card details. Security is only as strong as its weakest link.

As for how cards are getting cloned....

The terminals, in many cases, have the default passwords on, which then allows criminals to view the previous transactions.
The default passwords are in a list that can be had online.

I have discussed this at a previous infosec and obtained a sample terminal via my employer. It took me 4 minutes to break into the system and see the PAN of the card I swiped. The PAN, and a standard card writer are all you need.

The terminal's manuals explicitly say the passwords must be changed when deployment takes place. As this is South Africa, and idiots are used to do field installations, this rarely happens!

As for my interest in them- I write apps for them, as a side function of my job as a programmer/pentester!
Well idiots should have their hands held. Terminals must only allow transactions once they have been changed to non-default.
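
The control suggested in the post above (no transactions until the default password has been changed), sketched as an added example that is not from the thread or from any vendor's firmware. The `Terminal` class, the placeholder default list and the test card number are constructed for illustration; masking the card number in the transaction history goes beyond what the post proposes and addresses the earlier point that history views expose the PAN.

```python
import hashlib
import hmac
import os

# Constructed placeholder values standing in for a vendor's factory defaults.
FACTORY_DEFAULTS = {"0000", "1234", "admin"}


class TerminalLocked(Exception):
    """Raised when the terminal is asked to work before it is provisioned."""


class Terminal:
    def __init__(self, factory_password="0000"):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(factory_password)
        self._provisioned = False   # stays False until a non-default password is set
        self.journal = []           # transaction history an admin can view

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def change_password(self, old, new):
        # Constant-time comparison of the stored and supplied password hashes.
        if not hmac.compare_digest(self._hash(old), self._pw_hash):
            return False
        # Refuse factory defaults and trivially short values as the new password.
        if new in FACTORY_DEFAULTS or len(new) < 8:
            return False
        self._pw_hash = self._hash(new)
        self._provisioned = True
        return True

    def authorize(self, pan, amount_cents):
        if not self._provisioned:
            raise TerminalLocked("change the factory password before first use")
        # Journal only first 6 / last 4 digits, so history never holds the full PAN.
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        self.journal.append((masked, amount_cents))
        return masked
```
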
 