Security flaw?


#1

I’m not sure if this is a bug, an unfortunate property of the Mastercard system or a potential future increased security feature for Revolut.

I had “Location based security”, “Disable magstripe payments” and “Disable e-commerce transactions” turned on for my card. I then took a taxi, and asked if I could pay by Mastercard, the driver said yes. But when I reached my destination, he pulled out one of those ancient old school zip zap machines where they stick your card in and take an impression of it, then get you to sign for the amount.

Later, I realised this wouldn’t work due to my security settings and had been trying to get hold of the driver (hard as the only contact I had for him was a phone number which he never answered). But fast forward two weeks, and the payment magically disappeared from my card.

My impression from the Revolut security settings was that I could just flap the card around in public like a crazy man, and no one could withdraw money from it without connecting via NFC or using the chip directly, along with my PIN. I thought that “e-commerce transactions” was just a reference to the card number being usable directly.

If an impression of the card can be used for doing transactions, then this could be used without our knowledge, much like any other “credit” card. So long as someone has your name, number, etc., they can make their own fake impression of the card and start doing illegal transactions with it, making the “e-commerce transactions” block somewhat moot for stopping people using your card illegally (which is mostly what I had thought its purpose was for).


#2

Obviously I don’t mind the guy withdrawing money from my account. It was actually useful as it saved me the hassle of finding him. But it’d be nice to block this sort of thing in future, as I certainly hadn’t intended for my card to be able to be used in that way.


#3

A thief also has to fake your signature. The merchant is supposed to check the signature and, in case there is doubt, the identity of the card holder. If he fails to do that, he risks losing the money if the card owner reports a transaction as fraudulent.

But of course, chip + PIN is safer than mag stripe + signature is safer than imprinter + signature. It’s not just safer for the card holder, it is also safer for merchants.


#4

But of course, it might be possible to block this kind of cheque-like, old-school transaction. Maybe Revolut or its payment provider could refuse to settle them?


#5

Which is really quite meaningless as it’s trivial to forge a signature. Plus Revolut does not even have my signature, so they couldn’t authenticate with that anyway.

The taxi driver even commented on the fact that I had no signature on the back of my card for him to check. He processed it anyway.


#6

It isn’t Revolut that needs to check the signature. The merchant has to. It is about who covers the risk of the transaction. In case you would report this transaction as fraud, the merchant would have to present a valid and signed proof of authentication. Otherwise, he would have to cover for the assumed fraud. Different rules might apply in some cases, see this link:

http://www.transfirst.com/blog/when-does-credit-card-processing-require-a-signature

A merchant should always refuse to accept an unsigned card.

https://www.mastercard.com/us/merchant/pdf/Unsigned_Credit_Cards-(Global).pdf


#7

I don’t see how it’s possible to disable this type of transaction, since the card is embossed, meaning it can be run through the zip-zap machine. Only way to avoid it would be if the card were unembossed and marked “electronic use only”, but that would then limit its broader acceptability, which I would be against. Bottom line: sign the card and look after it as if it were a credit card, don’t let it out of your sight for transactions, etc. If it’s stolen, disable it immediately in the app. If both card and phone are stolen, you’re f#cked. Not really, but it’s a huge hassle (I know, my son’s Revolut card and phone were stolen), which is why REVOLUT NEEDS A WEB PORTAL. Do we have to keep screaming this till we’re blue in the face?


#8

But it could be run through a zip-zap machine but be rejected.


#9

As I said, if you want that kind of card, it needs to be unembossed (i.e. the lettering and numbers have to be flat, so that the machine can’t take an imprint). That’s just the way these cards work: embossed = acceptable in a zip-zap machine if the merchant follows the correct procedure, verifies the signature, and possibly asks for corroborating ID. The merchant may also be required to phone a number to check the card has not been stolen (though I guess that’s a risk the merchant takes, if they choose not to phone).

If the merchant follows correct procedure, the card company is effectively guaranteeing the payment, and can’t just reject it subsequently.

It seems that what you want is actually a version of the Revolut card that is unembossed and marked as “electronic use only”.

PS It’s quite common in hotels for them to take an imprint of the card with a Zip-Zap machine as a way of opening a tab. Once you’ve paid up at the end, possibly with a different card, or even electronically with the same card, they then tear up the imprint slip.


#10

You didn’t actually say that.

Thanks. That fits my description of “an unfortunate property of the Mastercard system”.

Then yeah, I’d like an unembossed card. I had been walking around with this thing in my pocket thinking that it was relatively safe from being skimmed, but it seems I was quite wrong :confused:


#11

Sure, there is always a chance for fraud. But with the switch to chip + PIN in a lot of countries and credit card companies changing their guarantee regulations, more and more merchants have an interest in using safe authorisation methods.

Banks and credit card issuers are confident enough that there will not be much fraud with credit card imprinters, otherwise they would not emboss debit prepaid cards like the Revolut card. Since offline PIN authorisation does not work, the imprinter cheque might be the only way to spend more than is available on the prepaid account. It might be a pain in the ass to get money back in case of fraud (paperwork) but the consumer is relatively well protected against fraud, when he follows the guidelines of the credit card companies. That means: sign the card, don’t let someone walk away with it and report/block it as soon as it is missing.

And maybe, sometime in the near future, credit card companies might allow issuers to not accept imprinter slips.

So yes, the Revolut card is “relatively” safe, in relation to cards where one can’t block wireless payments, e-payments, ATM use and the magstripe separately. Could it be more secure? Well, yes. But even unembossed cards have risks. POS terminals sometimes allow entering credit card numbers manually in case a mag stripe does not work.


#12

I would have expected that to be detected as an “ecommerce transaction” and be blocked by Revolut automatically (when ecommerce transactions are turned off in the app).

Although I also expected that to happen with the zip-zap machines, so apparently my opinion isn’t worth much on this issue :confused:


#13

E-commerce transactions are typically transactions that are authorized with cardholder name, card number, date and security code. Usually it is an online transaction, the payment provider checks online in real time if the payee has sufficient funds. Such a transaction could be blocked in real time on the card issuer’s system.

POS transactions on the other hand are usually authorized with chip + PIN or signature, in online or offline modes. But only online authorizations can be blocked reliably within an app; the app is “just” an extension to the card issuer’s server system, it does not communicate with the card.

And a merchant can decide to take the higher risk of an offline payment. In that case, a POS terminal just collects data (like an imprinter “collects” name and numbers). As far as I know, a card issuer can of course block online transactions that are initiated via the mag stripe, but they can’t prevent a terminal from reading the data on the mag stripe that contains all the same information that is printed on the card itself.

So, as long as any form of offline transaction in Mastercard / Visa networks is supported, blocking payments is limited. I would say mag stripes are far riskier than embossed letters.

I believe a payment processor could, in principle, decline all offline payments once they come in, sometimes days or weeks after the payment was made. Since one never knows when exactly offline payments are settled, it would be difficult to allow or block specific payments.
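The distinction drawn in the two posts above (app toggles act only on online authorisation requests; an imprint slip or other offline item never generates one and is first seen at settlement) as an added, simplified model of the issuer's decision points. This is illustrative code written for this thread, not Revolut's or Mastercard's logic; the channel names, the `reject_unauthorised` settlement switch and the country-based location rule are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Channel(Enum):
    ECOMMERCE = "ecommerce"   # card-not-present: name, number, expiry, code; authorised online
    CHIP_PIN = "chip_pin"     # EMV contact chip with PIN at a terminal
    MAGSTRIPE = "magstripe"   # swipe of the stripe at a terminal
    IMPRINT = "imprint"       # zip-zap slip: embossed data copied to paper, signed, no message sent

@dataclass
class CardControls:
    block_ecommerce: bool = False
    block_magstripe: bool = False
    home_country: Optional[str] = None   # simplified stand-in for "location based security"

@dataclass
class Transaction:
    channel: Channel
    amount: float
    country: str
    online: bool   # True when the terminal sends the issuer an authorisation request

def authorise(controls: CardControls, txn: Transaction) -> Tuple[str, str]:
    """Issuer's real-time decision: 'approve', 'decline' or 'unseen'.
    The app toggles are rules evaluated only at this server-side step."""
    if not txn.online:
        # No authorisation message ever reaches the issuer, so no rule can run.
        return "unseen", "offline transaction: no authorisation request"
    if txn.channel is Channel.ECOMMERCE and controls.block_ecommerce:
        return "decline", "e-commerce transactions disabled"
    if txn.channel is Channel.MAGSTRIPE and controls.block_magstripe:
        return "decline", "magstripe payments disabled"
    if controls.home_country and txn.country != controls.home_country:
        return "decline", "location-based security"
    return "approve", "authorised online"

def settle(auth: str, reject_unauthorised: bool = False) -> str:
    """Clearing, days or weeks later. An offline item shows up here for the
    first time; the only lever left is the blunt one discussed in the thread,
    refusing every item that was never authorised (assumed switch)."""
    if auth == "approve":
        return "posted"
    if auth == "decline":
        return "not_presented"   # a declined item should never reach clearing
    return "refused" if reject_unauthorised else "posted"
```

With all three controls on, an online e-commerce or magstripe attempt is declined, a chip + PIN purchase at home is approved, and the imprint slip is "unseen" and still posts unless the issuer refuses all unauthorised items wholesale.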


#14

Does the magnetic stripe contain the card number itself? Or is it just a hash of some sort? If the actual number is stored directly, then perhaps we should wipe the stripe physically off of the card to prevent it being accessed.

I wasn’t aware that the chip/pin setup could be used offline.

I’ve considered chiselling the embossed part of the card off, but then it probably wouldn’t work in an ATM machine :confused:


#15

I have no numbers, but I would assume that imprinter fraud is relatively rare. It takes days or weeks to settle the money transfer and fraudsters usually try to use a stolen card (or stolen numbers) in that small window of the owner not aware of the theft.

I would assume that magstripe skimming (reading the data and then copying it to a white label magstripe card) is the most common attack. And hacking websites for customer accounts with card numbers, of course.

And yes, the magstripe contains all data necessary to make a payment: account number, card holder name, expiration date. And some more. It is relatively easy to copy them. But since chip + PIN POS terminal adoption is slow in some countries (US), it is going to take some time until we can expect cards without magstripes.


#16

That’s not really a problem though since you can just re-magnetise the strip.


#17

Sure, you can do that. But then the card won’t work in a lot of places. I don’t have recent statistics, but chip + PIN was definitely the exception on my last trip to the US a little over a year ago.

http://www.theverge.com/2015/10/1/9432115/us-stores-chip-and-pin-credit-cards-deadline-today-not-ready


#18

I have two Revolut cards; one for online and one for the real world. I can just switch to the other one when travelling to places where magnetic stripes may still be necessary.


#19

There is a balance to be had between absolute security and flexibility of payment methods. I know that in a pinch, if I have no money and a retailer is offering me to use a card imprinter with my Revolut card, I’d take that method and I’d be grateful that the retailer was able to accept my card. Heck, I’m old enough to remember when all credit/debit-card transactions were done this way, and I’ve never had a payment go astray. Personally I want that flexibility.

It is possible for Revolut to issue the card as “electronic use only” and unembossed, in which case the card would only be usable in connected, online terminals that can check the balance in real time. This is a different kind of card. I’ve had such cards, and they are rubbish. They are limited in where they can be used and in which situations. Personally, I appreciate the fact that the Revolut card is a proper grown-up card which can be used as a flexible payment method.


#20

One of my main reasons for using Revolut is for increased security. If flexibility was my main requirement, then I probably wouldn’t have started using Revolut.