- Jun 24, 2001
For the last 10 years I assumed that these kinds of things didn't broadcast your actual info, especially when the news came out that older systems in other countries (I think India was one of them) were the only ones "hacked" so that cards and info could be cloned/stolen.
Firstly, I figured that it would work more like the CVV system, where your info is only associated by a remote database (CVV is not in the mag stripe and cannot be generated by the card number, for example. The only way to associate it is to have both and have it remotely verified by the card company). So I expected it to be a completely different set of info than your card number, name, and expiration date.
Secondly, it just seemed logical to me that it would work kind of like an HID/Prox card where the field generates enough inductive current to power a small chip which then responds to a randomized inquiry to make a calculation and return a result BASED on the info, but not return the actual info; thus, results could be compared based on the same inquiry at the remote end to verify the same data set and a sniffed session would do no good because the random seed would be different.
Then, my mother started freaking out because of something she saw on Fox News:
http://www.idstronghold.com/
Are these guys for real? They certainly seem it. Also, they say that it is enough info to make a mag stripe on a clone card, which I always thought had a lot more than just your card number and expiration date and required an ACTUAL skim to copy?
If it only transmitted the first and last four and then their readout fooled people with random numbers in between (or using that formula for valid card numbers), then they are liars who deserve to go to jail (I can imagine first and last 4 being acceptable to transmit). If they could really make a functional mag swipe for the copied info without skimming, I'd also be surprised. I don't think they are lying, considering the high-profile reports they are working with, but they are a company that sells products that profit off of scaring people, so I wouldn't put it past them. They obviously do stretch the truth (if he could really get 2,000+ numbers at an event he would need to tap the wallets of 8,000 men who happen to keep their wallets there... and catch them all among a lot more women and such who don't), all without being noticed at the gate tapping everyone in the ass. Obviously, they will stretch the truth if they make that claim.
That said, if it's all true, why DON'T these technologies work the way I always thought they did? Who was stupid enough to make them transmit this info directly? Even without a random-seeded challenge/response based on a unique number, a unique number that can only be associated to the account by the credit provider is the only way I would have ever considered transmitting fixed info.
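The challenge/response idea described in the post, contrasted with a card that sends fixed data, as an added example that is not part of the original post. It uses a generic HMAC construction with hypothetical names (`StaticCard`, `ChallengeResponseCard`, `replay_outcomes`) and constructed sample values; it is not a model of any real payment protocol.

```python
import hashlib
import hmac
import secrets


class StaticCard:
    """Hypothetical card that answers every reader with the same fixed bytes."""
    def __init__(self, record: bytes):
        self.record = record

    def respond(self, challenge: bytes) -> bytes:
        return self.record  # the reader's challenge is ignored


class ChallengeResponseCard:
    """Hypothetical card that keeps a key on-chip and returns only a MAC."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key = card_id, key

    def respond(self, challenge: bytes) -> bytes:
        msg = self.card_id + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


def verify_cr(key: bytes, card_id: bytes, challenge: bytes, response: bytes) -> bool:
    """Remote end: recompute the MAC for *this* session's challenge."""
    expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def replay_outcomes() -> dict:
    """Record one session per card, then present the recording in a new session."""
    record = b"CONSTRUCTED-SAMPLE-RECORD-0001"   # constructed, not real card data
    card_id, key = b"card-0001", secrets.token_bytes(32)
    static_card = StaticCard(record)
    cr_card = ChallengeResponseCard(card_id, key)

    first = secrets.token_bytes(16)              # session 1 challenge
    seen_static = static_card.respond(first)     # bytes that crossed the air
    seen_cr = cr_card.respond(first)

    second = secrets.token_bytes(16)             # session 2: fresh challenge
    return {
        # Fixed data is valid forever, so the recording still matches.
        "static_replay_accepted": hmac.compare_digest(record, seen_static),
        # The old MAC was computed over `first`, so it fails against `second`.
        "cr_replay_accepted": verify_cr(key, card_id, second, seen_cr),
        "cr_genuine_accepted": verify_cr(key, card_id, second, cr_card.respond(second)),
    }
```
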