NFC Payment – Video of Chase ATM

By | August 18, 2023

Credit Card Security for EV (or a Bank)

The following video illustrates a typical hack for sniffing credentials from an ATM. Pretty easy stuff.

We added some additional information on the relative “ineffectiveness” of this attack below. See Q&A. Sometimes hackers seem to hack just for hacking's sake.

 

Now for Question and Answer

EV Charging Stations and their arguments that only tap to pay (Contactless) should be the only form of payment terminal. It is so wrong on so many levels. Nor is it (the most secure way of payment). The hacks on tap and cellphone-sucking tech have really advanced.

I just read a 2019 TechCrunch article punching the pay on tap thing and while it seems rational, it is not a solution, it is just another trendy way to pay.

Petro stations have to use card and keypad readers and so should EV charging (thank NEVI for requiring them). So if anyone can enlighten me as to how tap to pay is the safest way for EV charging stations is the answer, watch the video and tell me why fraudsters would not do the very same thing.

Further, Tactile PIN is still a thing and I assure you blind people who hire their drivers would appreciate it if using debit which too is a requirement.

The Access Board is putting their NPRM on EV Charging rules for ADA adoption this Sept. 2023. It would be good for EV charging MFG to step up and get the ADA right from the start. To this day, I have not seen any EV charging enter thought into accessibility.

Answer

The private key/certificate used by the card to sign the transaction is never transmitted during the transaction and cannot be accessed. The private key/certificate is protected and encrypted on the card itself and the merchant does not receive sensitive data. Instead, a hash/encrypted number is passed to the reader. It’s never in the clear like it is on a mag strip so contactless skimming attacks are largely unfruitful. A rogue contactless reader like the one in the video would need to be attached to a legitimate merchant account that is doing fraudulent transactions for a fraudster to get any money. This is one of the reasons that there are many steps and security checks to get through to open a merchant account. If a fraudster was successful at opening a merchant account it wouldn’t be very long before it was flagged for fraud and closed and the cardholder would be insured for any losses. There are also limits on the value of contactless transactions set by the card issuer which can also be further curtailed from there by the processor based on risk.

I do agree though that EV charging should be fully equipped for chip and contactless capability, and PIN entry for when it is required.

Question: Given the hacker probably doesn’t have a merchant account, what’s the point? Maybe to get the info and sell to someone who does have a merchant account they are willing to abuse?

Answer (from Rob C.)

With traditional skimmers fraudsters harvested account data in clear text from the mag stripe. They would then use that account data to make fake mag stripe cards and buy merchandise they can fence for cash. Alternatively they would post the card numbers on the dark web and other people would make fake cards and try to buy merchandise they can fence for cash. With contactless EMV cards they can’t do that anymore as the rogue device would only be getting hashed account data from the card, and since as you said they likely don’t have a merchant account, that is why I said “contactless skimming attacks are largely unfruitful.”
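The following is an added illustration, not code from the original post or its contributors, of the contrast drawn in the answers above: magstripe data is static and validates again when copied, while a chip card returns a per-transaction cryptogram computed with a key that never leaves the card. HMAC-SHA256, the message layout, the class names and all values are simplifying assumptions standing in for the real EMV cryptogram and issuer host.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; nothing here is real card data.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # held only by chip and issuer
STATIC_TRACK = "4000000000000002=30121010000000000000"         # magstripe-style static data

def _mac(key, atc, amount, un_hex):
    """Stand-in cryptogram: keyed MAC over counter, amount and terminal nonce."""
    msg = f"{atc}|{amount}|{un_hex}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Simplified contactless card: signs each tap, never exports its key."""
    def __init__(self, key):
        self._key, self._atc = key, 0      # ATC = application transaction counter

    def tap(self, amount, unpredictable_number):
        self._atc += 1
        un_hex = unpredictable_number.hex()
        return {"atc": self._atc, "amount": amount, "un": un_hex,
                "cryptogram": _mac(self._key, self._atc, amount, un_hex)}

class Issuer:
    """Simplified issuer host: recomputes the cryptogram, remembers the last counter."""
    def __init__(self, key, track):
        self._key, self._track, self._last_atc = key, track, 0

    def authorize_magstripe(self, track):
        return track == self._track        # an exact copy is indistinguishable

    def authorize_chip(self, m):
        expected = _mac(self._key, m["atc"], m["amount"], m["un"])
        if not hmac.compare_digest(expected, m["cryptogram"]):
            return False                   # altered fields or wrong key
        if m["atc"] <= self._last_atc:
            return False                   # counter already seen: replay
        self._last_atc = m["atc"]
        return True

def demo():
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY, STATIC_TRACK)
    seen = card.tap(2500, secrets.token_bytes(4))   # what any reader observes
    first = issuer.authorize_chip(seen)             # genuine transaction
    replay = issuer.authorize_chip(seen)            # same bytes submitted again
    altered = issuer.authorize_chip({**seen, "atc": seen["atc"] + 1, "amount": 99900})
    copied_stripe = issuer.authorize_magstripe(STATIC_TRACK)
    return first, replay, altered, copied_stripe
```

Calling `demo()` shows the issuer accepting the genuine tap, rejecting both the replayed and the altered message, and accepting the copied stripe data.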

Author: Staff Writer

Craig Keefner -- With over 40 years in the industry and technology, Craig is widely considered to be an expert in the field. Major early career kiosk projects include Verizon Bill Pay kiosk and hundreds of others. Craig helped start kioskmarketplace and formed the KMA. Note the point of view here is not necessarily the stance of the Kiosk Association or kma.global