[AmericanChopper]

I used to work with those payment gateways, and I always wondered about that attack vector. The terminal config (where you’d put your merchant ID, etc…) is protected by a PIN code, but suppliers typically just use the same PIN for their entire fleet. It’s not really a secret PIN either, because the terminal tech support will usually end up getting merchants to type it in if there‘s some remote support/debugging needed.

You could reprogram a terminal in a bar in a few seconds on a Friday night. Wait for the weekends takings to clear into your merchant account, and then take off with the money. The way that it falls down though, is that you need a merchant account, and there’s a lot of KYC and due diligence to get through if you want to set one of those up (there are a lot of merchant initiated scams, and your bank doesn’t want to be on the hook for them).

[PeterisP]

> Wait for the weekends takings to clear into your merchant account, and then take off with the money.

That's the difficult part - since the acquiring bank is fully financially responsible if you do so (they'll compensate everyone else involved for the fraud chargebacks, no matter if they can recover it from you), they generally take quite stringent steps to fight merchant-initiated scams, and the simplest step is simply freezing the money for some time; 30 days is not uncommon but I have even seen 90 days if the merchant's profile is risky or if the incoming payment volume suddenly increases significantly - the bank is effectively treating any payments to the merchant as a line of credit or letter of guarantee until it's clear that those payments won't be fraudulent or charged back. So a merchant can quite realistically do some shenanigans with a reprogrammed terminal, but they won't be permitted to take off with a large amount of money from the merchant account until a sufficient amount of time will have passed for the first chargebacks or complaints of fraud to show up.

[AmericanChopper]

I don’t know about every jurisdiction, but every place that I’ve ever been involved with payment terminals, the money clears to the merchant account in a couple of business days. So your weekend’s takings would usually be cleared by Tuesday. I can’t imagine any retail or hospitality business would be able to extend a 90 day line of credit to their payment processor on all payment card revenue.

I think the main reason this never happens is because there’s a lot of easier and more profitable scams you can operate as a fraud-oriented merchant.

[hnaccount_rng]

I would expect there to be a difference between a first time and a repeat thing. If you do out-of-normal-operation things, the bank will treat you more suspiciously, if you do your normal business, it can release your money immediately

[AmericanChopper]

Payments settle at whatever the interbank settlement timeframes are. Any type of payment escrow would be incredibly out of the ordinary.

[gregmac]

I built the first online payment system for my university' frosh week in the early 2000's (before that they only accepted cash). This is pre-shopify/etc, and if you were doing any moderate volume it was worthwhile to use a gateway that went direct to your own merchant account.

They started accepting signups a couple weeks before school started, and on the second day it was running, after several hundred signups (of ~$200 each iirc), apparently some security people from the bank showed up at the orientation office at the school basically just to confirm it was legit. (I don't remember if they suspended the account first or not)

I had built a few online store sites using merchant accounts by then, but nothing that went from zero to that volume so quickly; it was fascinating to see that check in action.

I wonder what volume it would take to trigger such scrutiny today, and what it would look like..

[AmericanChopper]

Different merchant underwriters have different processes. Visiting merchant locations was pretty common, usually just to check if it looks like a real operating business though.

[krisoft]

> they'll compensate everyone else involved for the fraud chargebacks,

But in this hypothetical would there be chargebacks? People went to a bar. They consumed, and paid for it. As far as the costumers know it went all good.

The one who is harmed would be the pub. And presumably they would complain and soon.

I don’t doubt that the whole scheme would come to light quick, i’m just questioning the exact mechanism.

[AmericanChopper]

Presuming the attack wasn’t initially detected, which is entirely plausible imo, it would be noticed by the merchant when the funds didn’t settle into their account. So if you do it on Friday, the merchant should notice by Tuesday at the latest. If they don’t pay close attention to their accounts, it might take a little longer.

[makeitdouble]

Don’t payment gateway request an initialization procedure that registers the POS with the remote gateway ?

During that procedure the terminal unique ID is sent, and depending on your environment, if you have a stable outgoing IP the connection might be filtered on that as well (assuming you do that on site, not at a POS provider). Jumping through a bunch of hoops you might still be able to hook a POS on another merchant account, but once the issue is detected there would be enough info to reverse the transactions (doing that after capture could cost fees, but it’s still better than nothing).

Looking at the delays between the transactions being cleared and the money appearing in your bank account, even with the best timing you might not see a penny of all of that.