Skimming using a mobile phone
Feb 11th, 2009 by Jesper Kråkhede
A rather interesting phenomenon has surfaced recently: skimming using a mobile phone. It is very simple to do. Just take a picture of the front and back of the card and you're done. The information printed on the card is enough to make purchases on, for example, poker sites and the like, where money can easily be moved and laundered.
This is a perfect example of security architecture failing to take a holistic view of the risks that arise when different types of information are grouped together. In this case, all the information needed to make an online purchase is printed on a single card. This is of course very convenient for the customer, who only needs to produce the card. But since there are, sadly, situations where you have to hand the card to a merchant in order to pay, a large risk opens up for the customer, because photographing the card takes only seconds.
What would be the correct way to handle this? First, I would question the CVV code. It is printed on the card to validate the card's presence during a transaction. This is flawed from the start: nothing prevents me from writing down all the information, locking the card in a drawer and using my piece of paper instead. The CVV code therefore does not prove that the card is present during a transaction. Secondly, the CVV code is a step down in transaction security compared with other ways to pay. Entering your PIN code is valid for making transactions, as is writing your signature; both are forms of two-factor authentication. The CVV code is not, since it is printed on the card. The PCI DSS requirements clearly state that the CVV must not be stored. From that perspective, the PIN code could actually be used instead of the CVV. Of course there are other risks attached to using the PIN code, such as creating a forged card and withdrawing money directly. But nothing prevents sending the CVV code the same way as the PIN code: in an envelope, to be used when making purchases on the internet.
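As an added example (not from the original post), here is a pre-storage check in the spirit of the PCI DSS rule cited above: a record about to be persisted is rejected if it carries sensitive authentication data (CVV, PIN, track data) or an unmasked PAN, using a Luhn check to tell a real card number from other digit strings. The field names and the test card number are assumptions constructed for the example.

```python
"""Reject records that would store sensitive authentication data or a full PAN.

Added example, not from the original post. Field names, the forbidden-field
list and the sample record are assumptions constructed for illustration.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not adjacent to further digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that PCI DSS treats as sensitive authentication data (assumed names).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for most random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit sequences found in free text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS masking allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def check_record(record: dict) -> list[str]:
    """Return findings for a record; an empty list means it is safe to persist."""
    findings = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            findings.append(f"field '{key}' is sensitive authentication data and must not be stored")
        elif isinstance(value, str):
            for pan in find_pans(value):
                findings.append(f"field '{key}' contains an unmasked PAN ending {pan[-4:]}")
    return findings


# Constructed sample: a record that groups everything needed for an online purchase.
SAMPLE_RECORD = {"order_id": "A-1001", "pan": "4111 1111 1111 1111", "cvv": "123", "note": "customer called"}
```

Running `check_record(SAMPLE_RECORD)` yields two findings (the unmasked PAN and the CVV field); storing `mask_pan(...)` and no CVV yields none.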
All in all, this is a good example of when segregation of information has not been implemented correctly.