Walking through subway cars with a POS terminal and withdrawing money: is it possible?

You can walk; withdrawing the money, I think, is impossible. This is my first publication; I was prompted to write it by particularly confident comments claiming that “you can withdraw money” under articles on the development of PayPass and PayWave contactless payments and NFC technology in general. My reasoning relies on my own observations of how banking systems work, on conversations with bank employees, and on general materials available on the Web. Let us first describe the scenario in as much detail as possible, and then break it down into the stages of post-processing inside the banking system.

So, assume that a certain “bad” person somehow obtains a mobile POS terminal with PayPass technology that is capable of accepting payments. This person rides public transport, probably at rush hour, walks through the car and holds the terminal up to passengers' bags and pockets, debiting no more than 1000 rubles from each owner's bank card so as not to trigger a PIN request. Soon he should receive this money in his current account and withdraw it. I don't seem to have forgotten anything.

Let's go in order. The person needs a valid legal entity. Then he has to open an account at one of the banks that provide payment terminals. Judging by what I see in shops, all terminals are provided by banks in the TOP30 banks of Russia, and these banks probably have a substantial security service. In other words, forging documents will be difficult. Next, when the account is opened, the director of the company must appear at the bank in person and leave a specimen signature. My point is that the company could be registered in the name of a homeless person, but a real, living director is still needed. Plus, someone will have to show their face at the bank in person at least to collect the terminal. Moving on.

Next, the terminal will certainly need deep modification. After all, it has to be made to perform some operations and skip others:

1. Automatically enter the payment amount, wait for the payment, then enter the amount again, and so on in a loop. Or perhaps enter a different amount each time.
2. IMPORTANT!!! Do not beep or make any sound at all under any circumstances!!!
3. Do not print the slip (receipt) in duplicate.
4. The NFC antenna will surely need modification; it could be moved outside the device and attached to a jacket sleeve so that scanning is convenient and unnoticeable.

In addition, there must be some way to get feedback from the terminal without arousing passengers' suspicion, to know that the payment has gone through and it is time to move on. We will assume that the terminal tolerates all these alterations and works normally and without errors.

I will not describe the stage of walking through the cars, the careful hand-waving while waiting for “signals”, and the person's other tricks to keep his actions from arousing suspicion. I just want to point out that most cardholders have the SMS alert service enabled by default, and this is the first serious obstacle for our “hero”. It is possible to distract one person, but it is almost impossible to distract a whole car from the sounds of incoming SMS messages. Moreover, the messages will have rather unwelcome content, and people will start looking around for the cause. But suppose luck smiles on our “hero”: he works only in tunnels, where there is no signal, and leaves the car before the notifications start arriving. But without a connection, the terminal cannot process the payment. I will add one more thought: since the terminal is mobile and works over a cellular network, I would not be surprised if it records its location somewhere in its logs and transmits it to the right place. And it may well be that the security service takes an interest in this data very quickly.
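The pattern described above (one terminal, many different cards, no-PIN amounts at or under the limit, all within minutes) is simple to look for on the acquirer side. This is an added example, not code from the article or from any bank's system: a sliding-window check over constructed transaction records, where the record layout, the terminal names, the 10-minute window and the five-card threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NO_PIN_LIMIT_RUB = 1000         # no-PIN ceiling quoted in the article
WINDOW = timedelta(minutes=10)  # assumed review window
MAX_DISTINCT_CARDS = 5          # assumed alert threshold

# Constructed records: (terminal id, time, card token, amount in RUB, PIN entered)
SAMPLE = [
    ("T-SHOP", "2016-05-10T08:00:00", "c01", 350, False),
    ("T-SHOP", "2016-05-10T08:04:00", "c02", 2400, True),
    ("T-SHOP", "2016-05-10T08:09:00", "c03", 120, False),
] + [
    # Seven different cards, one per minute, each just under the limit
    ("T-MOBILE", f"2016-05-10T08:3{i}:00", f"c1{i}", 990, False)
    for i in range(7)
]

def flag_terminals(records, window=WINDOW, max_cards=MAX_DISTINCT_CARDS):
    """Return {terminal: peak distinct cards} for terminals whose no-PIN
    payments touch more than max_cards distinct cards inside one window."""
    per_terminal = defaultdict(list)
    for term, ts, card, amount, pin in records:
        # Only payments that bypass the PIN are relevant to this pattern
        if not pin and amount <= NO_PIN_LIMIT_RUB:
            per_terminal[term].append((datetime.fromisoformat(ts), card))
    flagged = {}
    for term, events in per_terminal.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({c for _, c in events[start:end + 1]}))
        if peak > max_cards:
            flagged[term] = peak
    return flagged

if __name__ == "__main__":
    print(flag_terminals(SAMPLE))
```

Counting distinct cards rather than transactions keeps a busy shop with repeat customers from being flagged for the same reason as a terminal that sees a new card every minute.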

And now we come to the most interesting part: post-processing of payments. As we all know, a card operation goes through several stages. At the time of the transaction, the acquiring bank (the one that gave us the terminal) sends a request through the NPCS (we are in Russia) to the issuing bank (the one that issued the card), asking whether the card balance is sufficient for the payment. After a positive response, our terminal (under normal conditions) prints a slip (2 receipts) for the successful payment, and the issuing bank blocks the amount (places it on hold) until the transaction is fully confirmed. One of these confirmations is usually the second copy of the slip, which the seller keeps. Previously, before chip cards and PIN requests, we were asked to sign it. Only when all the formalities are met is the cherished amount debited from the account at the issuing bank and sent to the company's bank account. But our terminal is special and does not print slips, so questions may arise. In addition, the amount stays on hold for 2-3 days on average before it is finally debited, and that time, it seems to me, is enough for our subway passengers to call their bank and ask angrily about strange debits. In that case the issuing bank extends the hold until the acquiring bank and our “hero” prove that the payment was made in a fair fight! (just kidding). According to my observations, payments without a PIN (the ones made via PayPass) can stay on hold for a week or more. And such payments are disputed much more easily than those confirmed with a PIN. It is assumed that only the cardholder can know the PIN, so PIN-confirmed operations are much harder to dispute.

I think I have described all the main aspects of this issue. I hope that in the comments we will see the other side of the coin, and then the article will become more complete.

The world of finance is very sensitive about money, and everything that concerns security and reputational risk is monitored very closely. I am sure that when the contactless payment system was introduced, all the fraud scenarios for it were thought through. For some reason, I have not yet heard a single news story about hackers stealing a lot of money from bank cards using PayPass. And the new Apple Pay, Samsung Pay and Google Pay leave no chance of using this scheme in the future. It is easier to take money from people walking away from an ATM)))

UPD. In a comment, @Anynet describes his own attempts with a working terminal.
I, in turn, forgot to describe the easiest way to protect against any attempt to remotely scan your cards: just keep NFC cards next to each other. A Troika travel card, or even a subway ticket, will do. Interference between the signals of the different cards will make it impossible to read the targeted card. Although they say this does not always help.

UPD2. Two Habr users supplied information that was missing from the article:
enalco clarified the question of hacking the terminal, and dr_begemot described well the timing of reading several cards at once.
