Re post #6 Rob, yeah my wife used to be a cash only person.

Then I got her to use a Com Bank DEBIT card (mastercard).
NOT a f.....g CREDIT card!!!!!!!
Needs a trip to the bank to set up and can be activated at the bank or by computer.
Linked to her combank account so you can check it on line and monitor usage in real time
Three years later she wondered why she did not have it 10 years ago.

No more purse chokko with coins.
No more stuffing about with notes and pennies and getting change back loaded with monkey virus after the till operator has coughed on it and wiped their nose on the coins.
Worried about keypad virus, WEAR GLOVES.
We do.
Most small purchases are by wave or tap on reader I think its a $100 maximum tap only thing any more required to touch in a PIN.

I do a lot of purchases by Bpay and Paypal on line, so simple no more writing checks, no more doing what ever the hell I used to do just click or wave the card.
Security, no problem, find a person who had first person experianced their account being milked.
Does not happen unless you hand the card to a friend and tell them the pin number as well.

Embrace the technology!
No valves used, but so much easier!
Fred.

Yeah Fred,
I normally like to carry cash ,op shops ,garage sales etc ,but I have completely stopped using cash now because,I feel it's probably carrying too many bugs .It's easier to just use my card and then I can clean it.im trying everything to avoid that bug.

Pete

Tap & Go without a PIN number is being upped to $200. Supermarkets will get the upgrade first - let's face it, what family weekly shop is below $100 these days? Other businesses will get upgraded following this. It is a trial for three months but I think it should be made permanent. People who are forgetful or lose their cards all the time need to be more responsible with their possessions.

One day about 2 years ago I got a phone call from the Commonwealth Bank checking if I was in Australia.
Apparently someone in the UK had gone out to dinner ,then they went clothes shopping all on my card !
I had not lost my bank card but apparently the details had been stolen from when I used it at the shops etc, The bank told me that places like petrol station can be where this often occurs.
At that time I was going to a servo where I did not feel they were honest types.
Anyway about 3000 was spent in the UK on a spending spree.
The bank covered it and In the end I was not out of pocket.

It is easy enough to clone a card with some guesswork. All they really need is the number. Most cards have an expiry date of either two or three years after the date of issue, so it is a matter of guessing the month and year. It only needs doing a maximum of 36 times.

NOTE: Not all websites require the card holder to enter the CVV number either.

Not all websites require the card holder to enter the CVV number either.

They would be way behind the times. Sounds like they are creating the payment transactions manually, behind the scenes. Most financial institutions now demand the CVV when validating incoming transactions in real time.

They are supposed to but not all EFT gateway providers enforce it. Australian providers generally do but if the company is based offshore then it's a different story.

The Woolworths website only says that using a card is preferable to cash. It does not say that cash is banned. I visited both Coles and Woolworths this week and both were happy to accept my cash, as well as every other place I shopped at.

Further, I did not wear a mask or gloves, and nobody complained or looked aghast. Business as usual in my book.

Currently in circulation there are a number of data capture software programs that are very well written and are aimed at Point of Sale systems running on Win 7. They hide in the keyboard RAM and monitor for card details and PIN codes which are then transmitted to scammers elsewhere. These software bugs are not ready detected by standard anti-virus programs. I got caught when I used my Mastercard to pay for hotel accommodation in Adelaide (I had the card in my sight all the time) and then drove to Melbourne. When I tried to pay for meals at a restaurant eight hours later that evening I found that the card was locked. On checking with the bank I was told that apparently I had detoured via South America and bought furniture to the value of $6000 USD. Fortunately the bank realised that my old Ford was not quite that fast so my account was reimbursed. I made a point of speaking to the hotel manager to check on their POS system and was told I was one of many who had complained. The following year my wife and I were on a tour in Central Europe and in a jewelry shop I saw they had the same POS running on Win 7. I insisted that my wife pay with cash but some others in the group used credit cards. I was not surprised that the next day those who used cards found that their accounts had been emptied or locked.

You really have to work hard to proof Windows from this kind of thing. Now Linux on the other hand....
I know of someone who had this happen in Canberra. Fortunately she could track it down to a petrol station.

I would have thought that by now most POS systems would be Linux hosted. Apparently not.

As one who is intimately involved in eftpos/atm systems in Australia let me assure everyone that your PIN never goes anywhere near the POS system. Certainly some older POS systems may capture the PAN (primary account number or card number) for loyalty programs but this is also increasingly unlikely.

PINs are encrypted immediately upon entry in a secure cryptographic device, a hardware device that is highly resistant to penetration and modification and remains in that encrypted state until it arrives at the Acquirer's system (usually, but not always a bank). At the acquirer's site the PIN is decrypted (using a key that is known to only the terminal and the acquirer) and re-encrypted (using a key known only to the acquirer and the card issuer) again using a tamper proof hardware device resistant to tampering, before forwarding to the card issuer where the PIN is tested and the transaction approved. At no time does the PIN ever appear in the clear anywhere, not even in the card issuer's systems

There are no EFTPOS terminals in Australia running Windows 7 but there are many running versions of cut-down Linux, there are some ATMs that run old versions of Windows but no consumer grade versions. However even in these you don't enter the PIN into the Window's system/keyboard but rather the PIN gets entered into another secure hardware device commonly called an encrypting PIN pad or EPP, in which the PIN is encrypted immediately upon entry. The EPP is a tamper-resistant, tamper-evident module that contains all the cryptographic keys and processing that is required to keep the PIN secure between the ATM and the acquirer.

Sorry for the long winded response but having spent the last thirty odd years keeping Australia's ATM/Eftpos systems secure I feel it is important that we don't let misinformation proliferate. (note that PANs and on-line purchases are another matter - but your PIN is secure, provided you don't enter it into your PC)

Joe

Most of these windows hacks occur because the machines haven't been kept up to date with the latest windows updates. That big ransomware thing a few years back only happened because people hadn't added a patch that Microsoft had released 3 months earlier.

Also, Linux isn't as foolproof as you think. Hackers have been working overtime recently (last few years) and have uncovered plenty of holes in unix-based systems. Owners of those systems generally think they are safe and so never update.

Up until around fifteen years ago, most ATMs were still running OS2 - the precursor to Windows NT3.5. Why? Because it worked. These were replaced with machines running late versions of Windows and these are still in service. They are reasonably safe as they are not directly connected to the public Internet. Banks are recipients of huge daily attacks of various types. I doubt they'd be risking hundreds of billions of dollars if Windows wasn't up to the task they require of it. As for EFT terminals, they generally run Windows because they interface with accounting software, which is more often made for Windows than other operating systems.

At work we had a paging system which ran Windows 2012. It was as solid as a rock until the disc died late last year. It never missed a beat before that. It was replaced with a system running Linux. It's also good but it took a long time to programme and set up both at an OS level and application level. Paging systems communicate with nurse call systems in TAP. Diagnostics on Linux is a pain in the arse and this is coming from the programmer who knows just about every Unix command by heart.

Windows NT and Linux can both go the distance if things are done properly and both also have their quibbles. Windows 9X on the other hand - Bill Gates did the world a big favour by cremating that line of products.

The EPP is a tamper-resistant, tamper-evident module

Well, my faith in tamper-proof hardware was shaken when the McDonald's card skimming scam emerged about 10 years ago, where compromised (IIRC) Ingenico PX318 and/or PX328 PIN pads were somehow substituted in the stores by criminals. The fact that they managed to insert skimming components without the PIN pad deciding it had been tampered with made a mockery of PIN encryption, as the crims skimmed all of that data 'in the clear' before any encryption took place.

As for skimming generally, for many years crooked restaurant and hotel staff manged to skim hundreds of credit cards by taking the card out of sight of the owner and double-dipping it: once through the POS system and again through a pocket sized skimmer they kept on their person. Putting PINs on credit cards was supposed to stop that practice, but well placed video cameras can catch PINs.

I'm not sure of how that happened either. Skimming on an ATM is done by blue-tacking the skimmer in front of the card slot and they are easy to make look like they are part of the machine by being made of similar plastics. That isn't so easy with an EFTPOS terminal. I just assumed that they swapped the terminals so that:-

1. Cards would be skimmed using the new terminal's hardware to record the card details, and;
2. Redirect the funds to a different account.

The finer details of how it all worked didn't seem to appear in the news bulletins though and there was a time when this happened at several popular shops, McDonalds being but one of them.

EFTPOS machines are an Australian invention, so it is interesting that these scams manage to happen here.