Plastc Swiped $9 Million From Backers, Now It Plans To File For Bankruptcy and Shut Down (theverge.com)
Plastc announced today that it is planning to file for bankruptcy and will shut down on April 20, 2017, after raising more than $9 million through preorders and shipping to no backers. "Plastc launched in 2014 with the promise of shipping a single card that could digitally hold 20 credit or debit cards that a user could switch between," reports The Verge. From the report: With that, all backers' money is lost, and no Plastc cards will ship. Plastc announced the news on its website today along with the fact that all its employees have been laid off. Its customer care and social media channels have also been shut down. The company explains that it thought it would close $3.5 million in funding in February this year, but that fell through. Another possible investment deal of $6.75 million fell through, too. What's not clear is how more than $9 million wasn't sufficient to get backers their orders. Backers will likely have questions and want their money back, but with no one to turn to from Plastc, they'll likely be out the cash.
will shut down on April 20, 2017 (Score:2, Informative)
Uh, guys? You check the calendar? You're a little late with this story, don't you think?
Re: (Score:1)
That's how language of news actually works - not everyone will be reading the story the same day.
The announcement is they will cease operations on the 20th, so that's what should be reported.
Re:will shut down on April 20, 2017 (Score:4, Insightful)
To be fair, /. got the story up within 24 hours, which is actually faster than average for them.
The company didn't announce their shutdown in advance, so nobody could have reported it before yesterday afternoon when the message went up on the site and all their social media shut down.
Re: (Score:2)
It's also 420...duuuude... Coincidence? Totally!
Re: (Score:2)
So basically, you're saying that backers' money went up in smoke?
Re: (Score:2)
Yes, it was a pipe dream.
Re: (Score:2)
You could say their plastc cards hit their credit limit.
No chip and no near field transactions - why carry this around when you already carry around a smartphone that can mimic a credit or debit card?
Re: (Score:2)
True, in other news:
"Plastic executive staff now being used for sniper practice"
Details at 11:00
Gret (Score:1)
Bettr thn gret, fantastc!
This is why we can't have nice things (Score:4, Insightful)
If one were to look at the long term history of the financial industry (going back to before wall street was wall street), you'd find bankers, stock brokers et al were inherently distrusted. Financial fraud is/was easy so they did it... Over and over and over.
This is why there has historically been heavy regulation and oversight.
Re: (Score:2)
Re: (Score:2)
As much as I understood crowdfunding, you are not ORDERING anything but INVESTING. If your investment is doing well, you'll get a product as profit.
Re: (Score:2)
You don't understand crowd funding. Every single crowd funding site that doesn't want to get smacked down by the SEC will explicitly tell you, in no uncertain terms, that contributing to a crowd funded project is not an investment. You are making a non-tax-deductible donation to a private corporation in the form of the crowd funding administrator. This company will transfer most of your gift (minus their vig) to the project you donated to. The project may, at their discretion, offer thank you gifts at va
Re: (Score:2)
A lot of this is reputation. I contribute to Kickstarter campaigns when either I generally trust the people and/or company involved or I'm willing to gamble the money on the chance of getting the product.
Re: (Score:2)
They're possible for the same reason Android Pay is possible.
Re: (Score:3)
Re: (Score:2)
Some stores do still have carbon-copy card copiers which will work on real cards with raised numbers.
When was the last time you used one? I recall using one at some sort of sale when I was in college, 20 years ago. I don't recall what the event was, but I do remember the card roller as, even twenty years ago, it was an archaic device and I hadn't seen one in years. Since then I can't think of a single time I've used one. When the power was out or the network was down, they've always stopped accepting CC transactions.
Re: (Score:2)
I used one in a mountain hut in Taiwan in 2016.
Re: (Score:2)
Well PF Changs did it recently after they were hacked! I can see that situation being relatively common going forward.
Re: (Score:2)
There are two cards I use. One is completely flat, with a printed account number, and one has very slightly raised digits for the account number, but on the back of the chip. I don't know how that would do with one of those carbon paper thingies, since my name and the account number are on opposite sides of the card.
Re: (Score:2)
Last time I used one of these was two years ago, when the power went out in my local bar and I had to pay with a card before it came back. Ancient
Re: (Score:1)
You're going to shoot someone over losing $155
How else do you propose we keep people from stealing $155 from others?
Chip work too (Score:2)
Actually, they're one of the copy-cat companies which jumped on the idea when the originating company published their idea. That company is still alive, though struggling. The biggest setback was chips. You're supposed to pay using your chip now, swiping is reserved for the restroom. These multi-card cards don't have chips.
Some do [swisspass.ch].
The idea is that you're not trying to *copy* the data from the source card's chip to the multicard's chip.
The multicard's chip has its own private credential on the chip.
What you do is you register said credential as yet another acceptable ID at the other company.
(So the company isn't accepting only info of Card A - that also got copied on card B. But the company is accepting any of the private key on the chips of either card A or card B).
I can open a shared car with my train pass, because the cars
Re: (Score:2)
I'm saying I don't like getting ripped off. It brings out the very worst in me. Watching the rich bastards walk away from a scam like this with their golden parachutes leaves me in a rage. If the sons of bitches ended up living in the street living out of a garbage pail it would be different.
It happens (Score:2)
Re: (Score:1)
Re: (Score:3)
Of all the problems that needed $9 million... (Score:2)
...having too many credit cards in your wallet was not one of them. Can't say I'm surprised it turned out to be a scam. The latest crowdfunded crap I've seen being promoted on Facebook: some shysters trying to convince investors that a Samsung Tablet with VNC installed on it is a novel invention.
These days, crowdfunding seems to be less garage/backyard tinkerers, and more already wealthy con artists using it as an easy source of income. Can't say I blame them - if I had the means to promote and profit fr
Re: (Score:3)
Re: (Score:2)
Arguably I'd be better off with fewer cards in my wallet, but only three of those deal directly with money. I've got a car insurance card, health insurance cards, a card good for a discount at Holiday gas stations....
Normal practice in Corporate America (Score:5, Insightful)
The three types of suckers are investors, clients and workers. The most profitable form is to steal from all three and keep the fraud rolling along indefinitely. That is the fundamental model for the financial industry. All the top banks, investment houses, hedge funds, etc skim the wealth generated in the country and put it in their own pockets. That, along with regressive taxes, underlies the ever increasing wealth disparity between rich and poor.
So what do you think will happen to the scam artists who pulled this off? Will they suffer any economic or reputational damage? No way. They all got out fat and happy, and their business reputation will be enhanced because of their successful raid on a gullible public. I expect they will get better positions with larger companies because of their proven track record of theft.
I expect no change, although it might get worse. I just wish they would stop calling it capitalism.
Re:Normal practice in Corporate America (Score:5, Interesting)
1. I am not sure about US banks, but in my country banks earn money by transforming the maturities and amounts of deposits and spreading around risks to give loans, as well as providing other services such as card payments. Competition forces them to work relatively efficiently.
2. In my country, people who do not display "due care" when acting as officers of a limited liability company can be sued.
3. I very much doubt that being publicly dragged through the dirt for wasting $9m of customers' money will look good on their CVs, let alone help them get better jobs.
I do admit that sometimes scams and fraud happen but I do not share your conviction that the whole environment we live in is built on it alone.
Re: (Score:3)
3. I very much doubt that being publicly dragged through the dirt for wasting $9m of customers' money will look good on their CVs, let alone help them get better jobs.
Depends on how they spin the story and how well their alternative facts get accepted.
I'd wager that failure is very common in entrepreneurial circles and some kinds and amounts of failure may be seen as merely good experience or even some kind of requirement.
So unless this was a particularly notorious example of fraud, once the details are forgotten this is one more didn't-quite-take-off entrepreneurial story to tell.
Re: (Score:2)
1. I am not sure about US banks, but in my country banks earn money by transforming the maturities and amounts of deposits and spreading around risks to give loans, as well as providing other services such as card payments. Competition forces them to work relatively efficiently.
That was the case in the US from the Great Depression until the 1990s. Then we repealed the law that required banks to be so boring.
Now banks can invest in derivatives and all sorts of interesting and exciting things. When those exciting investment vehicles turn out to be garbage, we get the 2008 recession
(The 2008 recession in the US was primarily caused by bundled mortgages. Banks and bank-like entities would make a mortgage loan to any vaguely human-like entity that could demonstrate they were alive.
Re: (Score:2)
Re: (Score:2)
I was working in the industry at the time it started to go down. I was a contractor implementing predictive models. I learned that bundles of mortgages were sold in "tranches", where the first of four tranches got all the money collected up to a fourth of the bundle, and the second, third, and fourth got what was left.
The model dealt reasonably well with rising property values. The possibility that property values could fall seems to have never occurred to the modelers (nor did they have the data to b
Re: (Score:2)
The idea that the companies were selling people who don't do this finance thing very well was that they'd get the house, live in it for a while, and even if they defaulted on the mortgage the house would be worth more than the value of the mortgage, so they would at least be able to walk away without debt or even with some profit.
The secret was refinancing.
You take out your NINJA loan (also known as a Liar's Loan) because you can't qualify under normal conditions. After 3 years or so you refinance. And you keep that pattern up until the loan-to-value on the property is low enough that you can qualify for a normal loan.
It worked great until property values stopped shooting up, and thus you couldn't pull off your next refinance.
Re: (Score:2)
The Wells Fargo workaround is to insinuate to their workers that they can make fake accounts, and then put enough quota pressure on to make sure they have to. Then, when this is found out, the poor saps on the front line get thrown to the wolves, while the management that forced them to break the law or lose their jobs gets to claim innocence.
Re: (Score:3)
Annoying for small projects (Score:5, Interesting)
Three years ago I did a small crowdfund for a solid state laser cutter; we got 300% funded, delivered our backers' orders in 120 days, and everyone was happy. Small problem: I tell people this now, and nobody takes me seriously because "oh, crowdfunding? must have been a scam of some kind".
I'm ready to go with my next product and since my last one was "too small scale" investors won't talk to me.
As usual, a cool new ecosystem was ruined by parasitoids and saprophytes.
Re:Annoying for small projects (Score:5, Interesting)
I think you got one thing wrong. The "cool new ecosystem" was not ruined by 'parasitoids' it was ruined by a lack of accountability.
Look at the Skully-AR1 funding on Kickstarter. This was a product with genuine potential, had working prototypes etc.
It's not that the founders were running out of ideas or their project was jeopardised by scope creep or the like. They were blatantly using the money they got from backers for buying cars, last minute flight tickets to vegas, hotels, strip clubs and when the product did not arrive and there were delays they eventually filed for bankruptcy and made excuses.
Look at the shit they bought on campaign backers' money:
Rent for the brothers' personal apartments in the Marina
Security deposits for an apartment in Dogpatch used by the Wellers
Weekly apartment cleanings
Personal grocery bills for the Wellers
All restaurant meals for the brothers
Mitchell Weller's Dodge Viper, which was claimed for insurance following an accident, as well as the new Viper purchased by the company to replace it
Check here -> https://www.buzzfeed.com/nitas... [buzzfeed.com]
On the back of that, at the time, I pulled out of a major Indiegogo funding campaign because I no longer had faith in the model. When I signed up to it, it had a large "back out at any time" message on the page. After considering the matter of Skully I decided to back out and was confused as to how this is done from my backers page. I read the FAQ and it simply said that I go to my backers page and hit the "Refund order" button. So simple except THERE WAS NO REFUND button.
I asked and I was told that SOMETIMES there is no refund button and that funds have gone to the campaign owner. So I cannot get a refund from Indiegogo because they do not have the money. I emailed the campaign owner and got no response for two months. As I had no other information to go on I researched the campaign, backer and related company and sent them letters threatening to sue as they are subject to EU law (Luckily because US law is really shit on these sort of things). After some haggling I got my funds -12% for various fees, 2% were to Indiegogo...and you know what I was lucky to get anything at all.
They have since clarified their refund policy further -> https://support.indiegogo.com/... [indiegogo.com]
Simply do not believe ANYTHING a campaign page says. It might very well say "hassle free refund." but really should say "limited refund options occasionally available, terms and conditions apply. If you believed this was honest and bought based on that assumption you're a sucker hahahaha"
Now ask Skully-AR1 backers if they got anything yet? Helmet? Refund? An apology? - There is ZERO accountability.
We MUST convince Indiegogo and Kickstarter - basically crowd funding in general to do more.
Firstly I would like FULL DISCLOSURE expense reports of backers' money. There is NO excuse not to let backers of your project know how you spent their money.
Secondly I want the crowd funding site to review sufficiently large projects, say over $1 million with a third party registered accountant to check this is not all BS.
Lastly, for blatant misuse of funds amounting to fraud I would like for Kickstarter/Indiegogo to sue these people to the ends of the Earth on backers' behalf. I will pay good money, more than my original investment to make sure fraudsters are dealt with as harshly as possible.
Without any safety checks and so on I tell you now I will never ever back any product that has not been released and reviewed or has a money back guarantee I can trust.
Re: (Score:2)
Thing is quite a lot of failures aren't scams either. Turning something into a physical product is much, much harder than most people realise, especially if you're aiming for mass manufacture. It's not even easy to hire people to do it: if you don't know enough about it then even figuring out if the engineer in front of you is good or not is incredibly difficult.
There are some successes like yours (and a few I've backed), some fail due to legit business reasons (one I backed), some fail due to wild optimism
But what do you do? (Score:3)
So what is the alternative though? Middle men who evaluate prospective investments and allocate your savings accordingly? That is basically how the financial world outside crowdfunding works, and the result has been that central banks have to keep bailing out the bad investments to the point where almost every asset class is detached from any fundamental valuation, and people are paying governments to borrow money from them.
I actually think we are closer to a working system in crowdfunding. Yes there are a
Re: (Score:2)
What I did for my indiegogo was update the page with how far along I was ("Today the heat sinks came in! Today we finished machining holes in them! Today the PCBs came in! Today I bought a toaster
Re: (Score:2)
Another pair of American cowboys (Score:1)
takes off with the loot. This is just one more in a long string of heists that Americans have pulled off using crowdfunding websites. It's the American business model I guess, find someone who is willing to pay or invest, then just make off with the money, knowing very well there was a clause in the contracts or agreements that allowed you to.
If you're an American, you may have some chances to recover your money or investment. Which also gives the signal to Asians, Russians, and Europeans: if the business i
Job killing regulations (Score:2)
It is quite easy to steal small amounts of money from a large number of people. Most people will not pursue any serious legal action.
This is a limited liability company. All profits and assets will flow one way to the owners, all liability will stop with the entity that goes bankrupt. But corporations a
Re: (Score:2)
If you can prove fraud, you might be able to claw back unspent money from the assholes behind the corporation. In the US, it isn't going to be easy, and if the fraudsters have already spent the money you're SOL.
Sucker born every minute (Score:2)
Because Lord knows I want to trust my financial transactions to a start up with no proven record of performance or trustworthiness, and pay for the privilege!
Not a preorder!!!! (Score:2)
Re: (Score:1)
I had a Coin (basically the same idea), it worked OK for about two months, then chips became a thing.
I assume that's what actually killed these guys too. Not that it was a scam, but that they couldn't deliver.
Not copy authorized (Score:2)
The way actually successful [swisspass.ch] implementations [swatch.com] of this idea work, is that the card is yet another chip with its own identity and keys, and you can register it as an authorized id at the other companies.
i.e.: you do not *copy* 20 different credit cards on it, you ask your 20 credit companies to accept also the key inside this card as ID proof.
that works nicely because wireless NFC / RFID (and contact smartcards for the LUDDITES! still using that ;-) ) is standardized, meaning that in practice it really all boils
Re: How to copy? (Score:5, Insightful)
Welcome to America. We don't have chip and pin, we have chip and sign, but actually, fuck signing most of the time.
The chip does NOTHING in the USA except make the whole process take longer. Cloners have been available in the US for these cards for years. And you can still run them as mag swipe (or even phone-in/ "offline" transactions) at a whole bunch of exempted places that don't have to get their act together anytime soon.
Re: (Score:1)
Fun fact, call ins and internet orders happen everywhere.
I'm also not convinced the chips are clonable.
Re: (Score:2)
my recently cloned card was *only* used at swipe terminals, they did not use the chip feature.
Re: How to copy? (Score:5, Informative)
The chip does NOTHING in the USA except make the whole process take longer.
I agree with you, but just to clarify.
It's not the chip that makes the process take longer, it's the US regulation that comes with the US chip that makes the process take longer. And the American regulation requires that the chipped card checks the bank balance and does all the handshakes between multiple networks in real time before it allows the transaction to take place, hence the extra delay.
As opposed to Europe, where the European chipped card could work in a place with no phone reception and no network access, the balance would be kept on the card, and the balance would later be reconciled in a central ledger at the end of the day, or at the end of the week (I'm not sure which). But this of course made the card super fast to use.
In other words, let's say you have one thousand dollars in your checking account. In the US, a cloned card could effectively steal that $1,000 from you. But in Europe, let's say you have 1,000 Euros in your bank account, you make 1,000 clones, and you ask 1,000 criminals to all use the card at the same time by sending them the pin via text messages all at once, then it would mean that the bank could potentially lose 1,000,000 Euros by the time it adds up all the transactions of 1,000 Euros when it finally reconciles everything.
Of course, I'm skipping over some technical details, but that's basically the gist of it. Also, I should mention that it's much easier to crack one card in a couple of weeks and clone it 1,000 times than having to crack 1,000 separate cards to clone them once. And also, some chipped cards are allowed to be used without the pin, because not everything on a chipped card is encrypted, and that's ok for some businesses because they'll limit the amount of the transaction when the pin is not used, and also they can take other security measures, like video recording the person, or video recording the car of the person who used it, or something else entirely. And in the end, no system is perfect, and that's ok. A security system just needs to be difficult enough for criminals to crack and low reward enough to make the risk too high for most criminals to want to take.
Re: How to copy? (Score:2, Insightful)
AFAIK In Europe connection generally IS made to the banks (on occasion this can be slow, or fail and need to be retried, which have both happened to me), but provision is made for disconnected terminals. For your hypothetical attack people would need to find unconnected POS terminals, which are pretty uncommon now. Contactless is another matter, but there is a low transaction limit.
Re: (Score:2)
Or they would need to do a DDoS attack on the relevant phone lines or networks, or cut an underwater fiber cable to a bunch of islands, or blow something up, or wait for a semi-predictable natural disaster to occur, or even find ways to affect the power grid because many handheld POS systems in Europe are portable and battery powered.
Re: (Score:3, Interesting)
I do think that below a certain threshold amount, making the connection isn't mandatory. That's usually when it goes quickly and it do
Re: (Score:3)
Well, I was at a restaurant at a ski station really high in the mountains, the prices were really expensive, and the handheld POS device didn't have a connection.
And yes, I do realize that many ski resorts in Europe have ok cell phone coverage, I remember seeing the billboards of cell phone companies advertising that fact on top of the mountain itself, but I don't remember seeing those billboards at all the ski resorts I've visited and like I said, at least one restaurant at the top of a telepherique didn't
Re: (Score:1)
Besides, all it needs is a phone line: classic POTS for the terminal base to be connected (the handsets can be wirelessly connected to it), and if those people
Re: (Score:1)
Re: (Score:2)
While Val Thorens is not the most expensive ski resort in Europe, it still ranks pretty high up there because of its altitude. If you're going to have the benefit of not needing artificial snow when other ski resorts do, then many of your customers during the late season are going to be top government officials and CEOs, and cell phone networks (not to mention the NSA and the Russian FSB) will do everything in their power to make sure those types of people have the illusion of perfect coverage and perfect s
Re: (Score:2)
In all seriousness though, removing the part about the CIA and the FSB, the top ski resorts in France do have giant advertisement billboards on top of mountains in the middle of nowhere (reminding that a particular cell phone network still works there).
And this is in no small part due to the fact that some CEOs will see some of these billboards and that some of those CEOs control companies with 10,000+ employees (all possibly requiring a company cell phone).
Re: (Score:2)
Re: (Score:1)
From my understanding, in Europe, the chip and pin does make a connection. Terminals generally do have a connection.
Normally, they have a connection, yes. Real-time banking is not instantaneous, but usually faster than counting out change for cash. If the connection is down, they usually fall back to printing receipts that you have to sign to validate use of the card.
If anything, I do not think that it's the card that stores the transaction. It would not make any sense at all. Imagine I do a 1000€ purchase, and it would be store-on-card. At that point, I destroy the card or never use it again. My card never gets the chance to "synchronize" with anything.
Doesn't work that way. Of course any offline transaction is stored in the seller's terminal - at some point the seller goes online & synchronizes with the bank, and then the money is pulled out of your debit card account. (Or charged to some credit card you
Re: (Score:1)
*of course* it doesn't... That was the whole point of the thought experiment.
That would be a reasonable assumption. I wouldn't count on it... Overdraft fees are the bread and butter of banks ;-)
Re: (Score:2)
That would be a reasonable assumption. I wouldn't count on it... Overdraft fees are the bread and butter of banks ;-)
Yes, but in some European countries, like in France for instance, those kinds of fees are heavily regulated by the government.
1000 terminal attack (Score:2)
Granted, it doesn't change anything in your scenario, but given European chip 'n pin do connect, I doubt your attack would be feasible (ignoring the fact you need a 1000 unconnected terminals, which is going to be very hard to find).
That attack would definitely be feasible.
*BUT* the unconnected terminals would be limited to a small amount only.
So at the end of the day, the bank only loses a couple of thousands of EUR, (Well within something they can live with)
or bounces the transaction back and a thousand shops are a few dozen bucks back. (Again, well within something they'll survive with)
Contactless payments are basically the same but even lower (only a few bucks are accepted without asking for a PIN)
Re: (Score:1)
Technically feasible... Practically, though... much less.
Re: (Score:2)
How your comment currently sits at a number 3, considering you have very little truthful information in your statement, is quite interesting.
First, the "speed" has nothing to do with the US regulations. The initial speed has everything to do with the conversation that happens between the card and the terminal (ATM and POS). This is what unlocks the card to allow the transaction selection process to continue. In Europe, the PIN of the card is entered to actually unlock the card, in the US, the card is just "unl
Having worked with Verifone (POINT - US) and Ocius (Score:1)
You need to do more research. Nearly all vendors allow for offline transactions. They merely shift the liability for failed transactions back to the merchant and provide a floor mechanism to be specified by the merchant.
If the merchant wants to accept $5 sales and is willing to take the liability (most do), no problem. If the merchant doesn't want to accept liability....also no probl
Re: (Score:2)
Why does the balance need to be sent to the card at all? POS terminal sends "I need to authorize a $30.47 charge", bank sends back "Approved" or "Denied" along with a transaction ID. Why would the POS terminal ever need to know a balance associated with a card?
Re: (Score:2, Informative)
As opposed to Europe, where the European chipped card could work in a place with no phone reception and no network access, the balance would be kept on the card, and the balance would later be reconciled in a central ledger at the end of the day, or at the end of the week (I'm not sure which). But this of course made the card super fast to use.
I haven't seen any chip and pin device in Europe that DOESN'T require an authentication / authorization step. If it's allowed at all it would only be on small transactions - train tickets, snacks etc. The same is true for contactless transactions which don't require authentication on small payments but will still authorise payment usually by asking a server.
It also doesn't make the process any slower in my experience than paying by swipe. If chip and pin is slow in the US it's probably more to do with peo
Re: (Score:2)
If chip and pin is slow in the US it's probably more to do with people being unfamiliar with the process, inconsistencies between different stores / banks, or people forgetting their pin etc.
Yes, it's some of that, but not only that.
I have experience using both kinds of cards, both in the US and in Europe, and in the US, the process of using a chipped US card with a pin is definitely a lot slower than using a US magnetic-only debit card with a pin. For one thing, the system won't even let you enter your pin for a chipped card in the US until the connection has already been made, so there is no kind of caching that is even allowed.
And I guarantee you that if you ever come to the US and tried an
Irony of ironies (Score:2)
Of course, I'm skipping over some technical details, but that's basically the gist of it. Also, I should mention that it's much easier to crack one card in a couple of weeks and clone it 1,000 times than having to crack 1,000 separate cards to clone them once. And also, some chipped cards are allowed to be used without the pin, because not everything on a chipped card is encrypted, and that's ok for some businesses because they'll limit the amount of the transaction when the pin is not used, and also they can take other security measures, like video recording the person, or video recording the car of the person who used it, or something else entirely.
Not your fault as your points are sound, but I find your statements to be a bit ironic. You see, you started your post because somebody bitched about how the chip does nothing in the USA except delay the whole process. I guess you don't know because you're not like this, but the people who say stuff like "The chip does NOTHING in the USA except make the whole process take longer." are also the super paranoid people who find everything to be an invasion of their rights, so they'd also never agree to your s
Re: (Score:2)
The chip doesn't do that much, really. Most attacks on credit cards for the past decade have been attacks on the payment terminals themselves, and there's nothing fundamentally preventing someone who has already compromised a bunch of payment terminals from setting up a C&C server, and using it to let them make purchases for free by making the payment terminals recognize their chip in some way and relay the request through a different payment terminal to somebody else's card.
The only thing that would t
Re: (Score:2)
I was under the impression that the chip signed the transaction with a challenge response.
transaction log:
-terminal sends transaction request to bank with card ID, trans amt
=bank responds with challenge OR declines if no funds (end of trans)
-card chip signs challenge
=bank validates signature and sends auth code to terminal OR bank fails signature and sends denial
(end of trans)
-nB
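The challenge-response flow sketched in the comment above, as an added example that is not part of the original thread: it shows why a signature captured from one transaction, or a copy of the card ID alone, does not get a second transaction approved. The `Card` and `Bank` classes and their method names are hypothetical, and HMAC-SHA256 stands in for whatever cryptogram algorithm a real chip uses.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    # Assumption: HMAC-SHA256 is a stand-in for the chip's real cryptogram algorithm.
    return hmac.new(key, challenge + amount_cents.to_bytes(8, "big"), hashlib.sha256).digest()


class Card:
    """Chip model: holds a secret key and only ever returns signatures."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def sign(self, challenge: bytes, amount_cents: int) -> bytes:
        return _mac(self._key, challenge, amount_cents)


class Bank:
    def __init__(self):
        self._keys, self._balances, self._pending = {}, {}, {}

    def issue_card(self, card_id: str, balance_cents: int) -> Card:
        self._keys[card_id] = secrets.token_bytes(32)
        self._balances[card_id] = balance_cents
        return Card(card_id, self._keys[card_id])

    def request(self, card_id: str, amount_cents: int):
        """Return a fresh challenge, or None to decline (bad amount or no funds)."""
        if amount_cents <= 0 or self._balances.get(card_id, 0) < amount_cents:
            return None
        challenge = secrets.token_bytes(16)
        self._pending[card_id] = (challenge, amount_cents)
        return challenge

    def validate(self, card_id: str, signature: bytes) -> str:
        """Each challenge is consumed once, so an old signature is useless."""
        pending = self._pending.pop(card_id, None)
        if pending is None:
            return "DENIED"
        challenge, amount = pending
        if not hmac.compare_digest(_mac(self._keys[card_id], challenge, amount), signature):
            return "DENIED"
        self._balances[card_id] -= amount
        return "AUTH"
```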
Re: (Score:2)
Which is worthless if the payment terminal is compromised, because the card can't know if the payment terminal is sending out messages on its own behalf or on behalf of another hacked payment terminal on the other side of the country.
Transaction log:
Re: (Score:2)
Re: How to copy? (Score:4, Informative)
And the American regulation requires that the chipped card checks the bank balance and do all the handshakes between multiple networks in real time before it allows the transaction to take place, hence the extra delay.
That is not typically the reason for the delay. The fact of the matter is that the US region required online processing for EMV because at least 90% of the transactions in the US were already online only. There are some significant attacks against offline EMV that are entirely mitigated by online processing. There are no known attacks on Online EMV with card present. Even without a PIN, you cannot duplicate someone's card or skim it. You can steal someone's card and use it, but you cannot create a cloned copy of the card and use it.
The problem in the US is entirely with poor implementations. The most inexpensive terminals manually check a list of supported brands against the card's brand(s) one at a time. The brands have IDs that can be incredibly specific. A lot of the processors I've worked with want to manually add each and every ID to their configuration basically saying "I support North American MasterCard. I support Australian MasterCard. I support European MasterCard..." for basically every region in the world when they could just say "I support MasterCards of all types." So the card terminal sits there for a solid 10-20 seconds just going through its list asking the card "Are you this brand?" Literally. Regulations in the US require you to support "US Common Debit" if you're going to allow debit transactions. There is literally one additional ID that is required to be supported in the US versus other regions. Furthermore, you'll find that transactions go online and receive approval in Europe somewhere on the order of 70+% of the time and are still faster than US transactions. I'm working on a project right now for a company halfway across the world from me and, when I have control of the terminal flow, I can run through the entire process from the US, 8000 miles, back to the US for issuer authorization, then back that 8000 miles to the processor and back to me in about 300-400ms. With a processor who lives in the same city, I can complete a transaction in 100-200ms on a slow day.
When I say that, I'm obviously excluding transactions that require prompts, but one where I have the terminal flow set to run the transaction from end to end the instant the card is inserted into the terminal with no further human interaction required.
As opposed to Europe, where the European chipped card could work in a place with no phone reception and no network access, the balance would be kept on the card, and the balance would later be reconciled in a central ledger at the end of the day, or at the end of the week (I'm not sure which). But this of course made the card super fast to use.
They have not done this in Europe or anywhere else in a long time. I think the last card issued that behaved in this way was around 2007. Some of them haven't expired in their countries of origin and you still have to support this capability in some regions, but it's being phased out. You cannot trust a balance from an offline transaction. The terminals all have a transaction ceiling which, when hit, a transaction is forced to be processed online. In the US that limit, from a liability standpoint, is $0. For most European merchants, they use somewhere on the order of 20-40 pounds/euros/whatever. Basically a high enough limit that you can recharge your metro card. That limit is also based on the type of merchant as well. The majority of card fraud occurs at gas stations and the industry has completely different rules for unattended gas pumps.
And also, some chipped cards are allowed to be used without the pin, because not everything on a chipped card is encrypted, and that's ok for some businesses because they'll limit the amount of the transaction when the pin is not used
Re: (Score:2)
Ahhh, I suspect that is why my "tap" functionality has a limit (found that out a couple weeks ago). Makes sense, as I think the cap is like 100$, so sure someone might run around with a bunch of cloned or stolen cards, however at 100$ per tap, they would have to use it a LOT to actually steal any amount of money (in a relative sense from a bank). Using it so much, probably means they get caught also.
That said, the whole business plan for the service seems to be flawed in so many ways.
1st of all, most people
Re: (Score:2)
Actually, they haven't. You can clone the mag strip, but most cards now register that they have a chip. The bank won't authorize it by mag strip if a smart card is present; you can still copy the mag strip and use it for offline attacks (e.g. use it to buy crap through Paypal).
A smart chip--the type of tool embedded in an EMV card--is a miniaturized computer with an I/O protocol. When attached to the reader, it's powered up and accepts commands. It doesn't release the key, and only performs digital s
Re: (Score:2)
I've used chip&pin at Target, and it works well. Everywhere else that I've had to use the chip, my experience agrees with yours.
Re: (Score:2)
> Cloners have been available in the US for these cards for years
Prove this statement because it smells like bullshit to me.
Point me towards a cloner (or even an article that describes how to) for chip & pin cards or stfu with your hyperbolic bullshit. HINT: incorrect implementations of emv. (ie: using non-random UN's) aren't clones.
Again, we don't have chip and pin in the USA. We have chip and LOL. It's a farce. Cloners have been available for years.
Re: (Score:2)
> Cloners have been available in the US for these cards for years
Prove this statement because it smells like bullshit to me.
Point me towards a cloner (or even an article that describes how to) for chip & pin cards or stfu with your hyperbolic bullshit. HINT: incorrect implementations of emv. (ie: using non-random UN's) aren't clones.
Again, we don't have chip and pin in the USA. We have chip and LOL. It's a farce. Cloners have been available for years.
Can you point us to a resource that shows that you can clone a chip for online processing? To my knowledge, you cannot. Since the US has a floor limit of $0, all transactions go online and you cannot use a cloned card. Not to mention that Chip + PIN is completely possible in the US, and is expected to roll out in the next year or two. In my experience, it's actually the US based credit card processors that don't want to support PIN right now, and not the issuing banks.
Re: How to copy? (Score:1)
Why is it a farce exactly? Works fine in europe and asia.
Re: (Score:1)
Possibly because you're a fucking moron who can't comprehend the written word.
Re: (Score:2)
Why is it a farce exactly? Works fine in europe and asia.
Because Europe and Asia don't use chip and sign. Chip and sign is for Americans getting odd looks from retail personnel when we present a credit card in those areas.
Re: (Score:2)
Depends on whether there's fraud or not. I've heard of a case where the bank insisted that a guy who spent time in South Africa must have snuck into the UK again to use his chip&pin to withdraw money.
Re: (Score:2)
Why is it a farce exactly? Works fine in europe and asia.
Because Europe and Asia don't use chip and sign. Chip and sign is for Americans getting odd looks from retail personnel when we present a credit card in those areas.
Canada has chip-and-pin and has for a long while. I don't know what's wrong with the US banks and why they want to do their own, less secure option. Perhaps they plan on going to chip and pin once a certain percentage of card readers have been upgraded to support chip. There are still about 40% of the vendors (restaurants, etc.) that I deal with that have the chip part blocked off because their system doesn't support it.
Re: (Score:2)
In the US we have about the same percentage of new chip readers masked off because the software to run them is not installed yet. The difference between our systems is that when the US readers are all working, they will support the same crappy chip-and-sign that does nothing to add security. You will have real chip-and-PIN.
Re: (Score:2)
It's not clear, but speculated that with chip and sign, it is entirely possible:
https://www.wired.com/2015/09/... [wired.com]
However, what has actually happened is that most fraudsters, who are as technically capable as your average script kiddie, have just found other ways of defrauding you rather than try to solve a hard technical problem. The most popular method now, and which I personally know many people have been facing, is opening a credit card in your name and using your potentially great credit score against y
Re: (Score:2)
Technically, you're actually both wrong. The chip has both an encrypted part and a public part.
Not copying (Score:2)
That's why 'plastic' could never mimic a chip card; because to mimic the behaviour and 'signing capabilities' of such a card would require knowing that secret information along with associated algorithms
Or, inversely, it could hold its own sets of secret information, and the plastc company would register these as an acceptable form of ID / as alternate accepted signing to the other companies.
(I.e.: when you "copy" a credit card or an access card to it, what actually goes behind the curtain, is that in the DB of the bank or some other company the plastc is added as yet another accepted form of ID for you next to whatever contactless card / RFID fob you were already using).
At least that's how it is actually [swisspass.ch] i [swatch.com]
Re: (Score:2)
Dumb ass millennials say "oh I am investing in this glorious business"
except it's just some idiot making promises that can't be met and then the idiot runs off with whatever money was pledged
Yeah but how the fuck are you gonna say no to Waffles the Memory Foam Corgi?
https://www.kickstarter.com/pr... [kickstarter.com]
Re: (Score:2)
You think he'll stop at 8?
Re: (Score:2)
Re: (Score:2)
There was a time when I only bothered with one card. Then I woke up and realized that this was a bad idea as all your eggs are in one basket. Mostly because I had my wallet stolen and it was a right pain and that was 20 years ago. It would be worse today.
Now I have one debit card, and two credit cards. I hardly use the debit card other than to withdraw cash from an ATM. Almost every card purchase is done with a credit card and I *NEVER* use the debit card on the internet. I only carry one of the credit card
Re: (Score:2)
Lose your wallet all the cards and IDs in it are at risk.
Sad that so many backers thought this was something. NFC can do this job. I just don't see a viable future for a separate digital card.
But then, if you lose your phone you've lost a lot.