by js2 1069 days ago
Even with EMV transactions, they are apparently able to get the card # which is transmitted in clear text by the chip. And the PIN from the keyboard overlay for debit transactions. Later they can clone the card # onto a fake mag stripe card and use the fake card for card-present purchases.

They probably cannot make card-not-present (online) purchases since I don't think they can get the CVV.

https://krebsonsecurity.com/2021/02/checkout-skimmers-powere...

https://security.stackexchange.com/questions/151081/shimmers...

> In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards.

https://en.wikipedia.org/wiki/EMV#Opportunities_to_harvest_P...
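
The magstripe-fallback risk in the passage quoted above, seen from the issuer's side: an added example, not part of the thread, that flags authorizations where a chip-capable card was read by magnetic stripe. The record layout, the POS entry mode values (as commonly used in ISO 8583 field 22) and the sample data are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# POS entry mode prefixes as commonly used in ISO 8583 field 22 (assumed here).
MAGSTRIPE_MODES = {
    "90": "magstripe swipe",
    "80": "chip-to-magstripe fallback",
    "91": "contactless magstripe mode",
}
# Track 2 layout: PAN '=' YYMM expiry, 3-digit service code, discretionary data.
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})")

@dataclass
class Finding:
    txn_id: str
    pan_masked: str
    reason: str

def mask(pan):
    # Keep first six and last four digits only, so findings are safe to log.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def chip_capable(service_code):
    # ISO/IEC 7813: a first service-code digit of 2 or 6 means the card has a chip.
    return service_code[0] in "26"

def review(auths):
    """Return findings for magstripe-read transactions on chip-capable cards."""
    findings = []
    for a in auths:
        m = TRACK2.match(a["track2"])
        if not m:
            findings.append(Finding(a["id"], "?", "unparseable track 2"))
            continue
        mode = a["pos_entry_mode"][:2]
        if mode in MAGSTRIPE_MODES and chip_capable(m["svc"]):
            reason = MAGSTRIPE_MODES[mode] + " on chip card"
            findings.append(Finding(a["id"], mask(m["pan"]), reason))
    return findings

# Constructed sample authorizations (test PAN, not real card data).
SAMPLE = [
    {"id": "T1", "pos_entry_mode": "051", "track2": "4111111111111111=30122011234"},
    {"id": "T2", "pos_entry_mode": "901", "track2": "4111111111111111=30122011234"},
    {"id": "T3", "pos_entry_mode": "801", "track2": "4111111111111111=30122011234"},
    {"id": "T4", "pos_entry_mode": "901", "track2": "4111111111111111=30121011234"},
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f.txn_id, f.pan_masked, f.reason)
```

T1 is a normal chip read and T4 is a magstripe-only card (service code 101), so only T2 and T3 are flagged.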

3 comments

They might not need CVV, if the transaction looks “good” otherwise:

> A payment can still be successful even if the CVC or postal code check fails. This is because card issuers take many signals into account when making a decision about whether to approve or decline a payment. In some cases, a card issuer may still approve a payment they consider legitimate, even if the CVC or postal code verification check fails.

source: https://stripe.com/docs/radar/rules#built-in-rules

:-(

I recently went through the opposite of this. A purchase at denon.com was declined, got a "please verify" email from my issuer which I approved and re-did the purchase. My issuer authorized the payment the second time, but then it got held up by NoFraud who sent me their own "please verify" email which I did. I had used an iCloud Hide My Email address for the purchase so a day later I get another email from NoFraud:

> Thank you for confirming your recent order. We are the fraud solution for the merchants website. We flagged the order for additional review before we notify the merchant to process it. To complete the verification for approval, we require an alternate email address for the cardholder. Please respond with an alternate email address.

At that point I tracked down NoFraud's phone # and called them to finally get the transaction approved.

> I had used an iCloud Hide My Email address for the purchase so a day later I get another email from NoFraud

I got hit by a merchant using "NoFraud" as well. After making an order from the merchant's site, using Apple Pay on the web (which is, allegedly, rather hard to fake), I received an email saying my order was canceled as it "appears that a merchant-specific email address was used" and to "please resubmit the order using your personal contact details".

They were right, because I always use [merchantname]@subdomain.mydomain.com. Whatever it was couldn't have been that important because I didn't bother redoing it if they're going to be that picky.

(I can't find the purchase confirmation and subsequent email in my email, probably because I deleted it out of annoyance, so I'm not naming who I think I remember it being just in case I'm wrong)

As if email is some sort of durable identifier in the first place.

This is the thing that got me. Where the heck is NoFraud getting its training data[1] and why is an email address even considered relevant to the safety of the transaction? The item was shipping to my home address which matches my CC billing address.

[1] "NoFraud’s multi-layered solution analyzes thousands of data points fusing machine learning."

EMV doesn’t transmit the full card number in the clear. I don’t know how they’d get it. IIRC the track data is sanitized, but maybe it wasn’t always. I’m not even sure all cards give it in a modern EMV transaction.

The old mag stripe emulation mode of contactless did, but that’s legacy and many places won’t accept it and cards won’t do it.

However, the good old “break the slot or chip reader so they have to use mag stripe and scan the card the old-fashioned way” technique still works great.

Googling "EMV sniffer" returns a bunch of sketchy sites that claim they get the card number from the chip, not the mag stripe. That's also what seems to be implied by the submitted link. Here's another post claiming the card # is readable from the chip:

https://security.stackexchange.com/questions/161493/what-inf...

I believe it’s at least stored on the EMV chip: if you tap a credit card to a Flipper Zero you’re able to read the full card number and expiration date, and contactless is just over-the-air EMV as I understand it.

Oh yeah, it must be in there. If you were to etch down to the chip with acid I’m sure you could see it.

Contactless has two forms. The old one is mag-stripe emulation. It would literally just respond with the information from the mag-stripes. It was exactly as secure as mag-stripe. Probably worse because you didn’t need to physically move the card over a read head.

That’s no longer supported in many (most?) modern cards. I know Apple Pay refuses to do it. I think card brands have said to stop using it but I’m not positive.

The other mode (absolutely dominant in contactless) works through encrypted EMV tags the same as you get when using a physical slot. The order of things is a little different but it’s just as secure.

Some skimmers have a camera to capture an image of the card's CVV as well as another copy of the name/number/date.

Here I was thinking that my near-illegibly worn-away CVV was a reason to get a replacement card... but instead it's a surprise security bonus! :p

Actually, I spoke too soon... the signature-strip has been worn away too and now that I really look at it, I can make out the word "Void" underneath.

Good thing that the back of my phone has neither of those.

Seems like a good idea to wrap the card in something opaque.