Seems like a lot of TLDR; :)
The article says exactly how it works.
> The usage is very simple: Insert the tool into the payment terminal’s chip card slot. If it can insert fully, the terminal is safe. If it gets stopped, there might be a skimmer!
If they find a skimmer, they will probably go back over the video until they find who put it there. Former Target security guard: "All cameras are functional and can look in any direction. Many are 4K and can zoom."
[1] https://www.paypath.com/Small-Business/why-target-is-the-wor...
Imagine that the misdemeanor — a fine and a few months in prison — would sufficiently deter an individual from ever stealing again, or at least from Target. Target's theft problem is resolved, and the individual goes on with a more abiding life.
In the actual case, Target allows this person to believe the theft is easy and rewarding. When Target preps the legal case, this person serves years in prison.
Target has lost additional inventory meanwhile, Target has paid for the case-building, the individual serves a long sentence, and the individual loses future job candidacy.
Society also pays for the prison time and must support an individual with a difficult-to-employ problem. Everybody is worse off.
I didn't read OP's paragraph and think that they intended to make Target sound bad, but I was able to make the case myself, I think.
The skimmer binds to the payment slot, some payment slots change shape to prevent skimmer binding, and now the tester-block binds to check that nothing is already bound...
(1) Terminal has a scale built into its feet/mount. It periodically weighs itself, and if (ignoring fluctuations) it weighs too much, it shuts down. It's hard to build a skimmer that weighs 0 grams.
(2) Proximity sensors in key locations on the housing. My smartphone can disable its touchscreen when I hold it against my face, so a payment terminal should be able to detect when something is covering a part that isn't supposed to be covered.
(3) Light sensors. Put some in an area where skimmers need to cover (near card slot) and other where skimmers probably can't cover (the display), and detect whether they get roughly the same amount of light.
(4) Microphones. Same idea as light sensors but with sound.
It is still not 100% impossible, but the "overlay" type of skimmer this protects against has been eliminated for a few years now.
But then it would cost more than their competitors. With much more maintenance for false positives, etc. And the vendor doesn't really pay the price for skimmer fraud..
1) Contactless merchant fees are lower than dip or swipe 2) Payment terminals are cheaper 3) Less fraud/shrink
This hunk of plastic from Target is a solution looking for a problem.
“Just use contactless” doesn’t work in the US.
Just yesterday a friend was commenting that he got a new credit card (old card expired) and the new one still doesn’t have contactless. Seems his bank decided it wasn’t worth it.
But that’s not all. Target gift cards don’t have contactless. Don’t think Visa/MC/AmEx gift cards do either. I bet EBT cards don’t, I think a rule requiring them to have chips was just passed.
I know other countries are ahead of us, and that major banks have been issuing chip cards for a while. But there are still a lot of people that leaves out.
And target wants to sell to them.
When you're dealing with tens of thousands of terminals that you want to check on a regular basis across thousands of stores, having a device that verifies things quickly is a solution to a real problem.
It's nice that someone got this through the default corporate deny policies.
They probably cannot make card-not-present (online) purchases since I don't think they can get the CVV.
https://krebsonsecurity.com/2021/02/checkout-skimmers-powere...
https://security.stackexchange.com/questions/151081/shimmers...
> In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards.
https://en.wikipedia.org/wiki/EMV#Opportunities_to_harvest_P...
> A payment can still be successful even if the CVC or postal code check fails. This is because card issuers take many signals into account when making a decision about whether to approve or decline a payment. In some cases, a card issuer may still approve a payment they consider legitimate, even if the CVC or postal code verification check fails.
The old mag stripe emulation mode of contactless did, but that’s legacy and many places won’t accept it and cards won’t do it.
However the good old “break the slot or chip reader so they have to use mag stripe and scan the card things the old fashioned way” technique still works great.
The actual user of the stolen card dump will cause the terminal to allow a magstripe fallback (typically with a bad chip on a fake card that won't read) -- "aw jeez my stupid chip isn't reading" is still every much a valid excuse to a cashier to go to magstripe.
I can’t remember having to fall back from the chip to a swipe in ages, and I have a couple of cards, so I could keep one as a backup with a working stripe just in case (long ago I found myself far from home and low on gas, with no cash, a dead cell phone and a “suspicious transaction” blocked credit card, and I’d rather not repeat that experience).
My understanding is: They don’t. If you stick to contactless payments, you’re not at risk.
They seem to have the sensor on the pumps, but they never work.
Why I still can't register a public key with my bank and say "do not under any circumstance honor a transaction unless it's signed with my private key" is beyond me.
I'm assuming you are thinking about an attack where a compromised terminal processes an attacker-issued transaction (relayed from elsewhere) instead of the genuine one.
It seems like a solution to this would be for the card to issue a challenge to the reader and only provide a very short timeframe to answer, so that relaying it elsewhere is impossible due to speed of light and all that.
At minimum, EMV would need to be verifiable. Ideally rotatable. Best case: chooseable.
- an on-card UI. Yubikey-style one-button-tap is not enough, you actually need to verify the transaction details.
- integration with backend systems to support rotation and recovery because otherwise folks will screw this up and lock themselves out
There's a reason webauthn passkey has obfuscated PKI to oblivion, because they simply can't figure out how to entrust end users with keys.
To be clear, I'm a PKI fan and want all of these things to exist, but we're very far from it. In the interim, a bank-managed PKI is a welcome improvement.
Like, I understand what you are talking about, most of the readers here understand what you are talking about, but I also understand that almost everyone else doesn't.
What you are describing is Bitcoin.
Though it could just be cost given that Target could just pay for a plastic injection mold overseas and then pay peanuts yearly to make a 60k batch for their yearly renewal they mention, compared to $20*60k each time
I think the most obvious circumvention would be for the criminal enterprise to focus on altering the length of the verification devices, since an EasySweep does not appear to have a formal method to verify its own correctness. A shortened card tab on EasySweep would provide feedback that the terminal was ok since the keypad finger support presses against the terminal.
impressive.
I need a solution that lets me, the card holder, check these. This ain't it.
Hell, some of the internal skimmers just solder jumper wires to pcb pins/testpoints don't they? There's nothing mechanical for a card to touch. Target's got so many telescreen cameras in the store, they could likely get the pin numbers straight from that, no need to intercept that.
it allows any Target team member to easily
sweep a store for skimmers
A second guy distracting the clerk helps, too.