Chip and pin fraud.

My experience is exactly the reverse. I have not yet seen *any* retail PIN terminal that is not easy to overlook. Whereas all bank ATMs are very hard to overlook.

I find it hard to understand how your experience can be so different.

PeteM

"Mike Scott" wrote

I haven't seen/heard any "card authority" suggesting that you have "chip security" at an ATM. Can you point to a case?

Tim

"Mike Scott" wrote

Then the experts would have a job giving their evidence in court for the case in hand, if they couldn't "disclose or discuss any details of the system"!

Tim

Bitstring , from the wonderful person Tim said

The point is that it's hard to clone the chip. That's the secure part of chip & . Cloning where it's a number is trivial. 1234 .. there you go, now you have it too.

Except the going rate for turning dodgy goods into cash is way poor - 10 or 20% maybe. And the goods are traceable. Were bought in a shop with people present, usually. And cards have credit limits .. £500 cash is much the best bet.

ATMs and cash tell no tales. Now if all ATMs had CCTV looking at the drawer, maybe security would be reasonable. No face, no cash. But then they could just use fingerprints, and I'd stop objecting.

Which is easy - just stand behind someone at 10% of the chip-enabled shops. Which is what I object to. Which is where we came in.

GSV Three Minds in a Can

In article , Alex Heney writes

Yes, that much is true, but could this be done when a UK card is used outside the UK on a non-UK machine?

If that were the case, then I agree that that vulnerability would be removed.

Mr X

Bitstring , from the wonderful person Mike Scott said

Hmm, were you at Churchill by any chance? 8>.

GSV Three Minds in a Can

If the foreign ATM or swipe terminal does not support the chip then the cloner could make a direct copy, which would only be usable abroad, which would claim that there should be a chip but the foreign system would not be able to verify the presence/validity of the (non-existent) chip.

Graham Murray

Do you mean those exact words "chip security", or do you mean that you don't believe they claim that the mag stripe can't be usefully copied (because there won't be a chip in the copy)?

Tumbleweed

...and since the experts are usually called by the customer to prove the banks' systems are insecure, perhaps the problem becomes obvious?

Tumbleweed

"Graham Murray" wrote

... and so the foreign bank/retailer would then be liable for any fraud (not the UK bank or the account holder) ... ?

Tim

Unfortunately not; apparently there is data in the magstripe which says if this is a chip card or not. The data in the stripe can be altered to say it isn't a chip card. So no check would be made.

The only reliable way of combatting it would be a realtime check back to the originating bank to see if it should have a chip.

Tumbleweed

I find it absolutely trivial to shield what I am entering in both cases, though shielding the POS terminal is usually slightly easier than an ATM because I can turn the keypad to any angle so that it is facing away from any nearby person. The buttons are closer together meaning that I can cover several buttons with my fingers, and make it difficult to see which finger actually presses a button even if someone were able to overlook the keypad.

Of course, there are some people who enter their PIN by reaching out with a forefinger to the keypad at arm's length, and in that case it's difficult *not* to see what numbers are being entered.

Then, if someone *were* to see what PIN I entered, they'd still have to get hold of my card to use or clone.

Cynic

I don't know, but I see no reason why not, provided you are in a country that does use the C&P system (and the same one).

And IME, most foreign ATMs do already validate with the issuer - I have come across occasions where for several hours none of the ATMs in an area would give out cash to UK cards because the links were down.

There is no way you are going to completely eliminate the vulnerability so long as there are countries without C&P readers, because they will not be able to validate the fact that the card has a chip.

Alex Heney

Because very few bank ATMs have side walls close enough to the pad (which is quite large anyhow) to prevent viewing it past the person using it, unless they *really* hunch over.

While most (not all, but most) PIN terminals in shops have side "wings" that extend up at least as far as the back of your hand when using it, plus the fact that they are so much smaller makes it easier to hide them with your body even when the wings are not good enough.

Alex Heney

"Alex Heney" wrote

That's easy to combat: If those countries want to make transactions with UK cards, then they'll have to (ie the foreign banks/retailers can) bear the responsibility for any fraud due to them not using C&P. Simple!

Tim

"Tumbleweed" wrote

Those are the exact words that Mike used, so yes - I do mean it!

"Tumbleweed" wrote

Nope. Mike said: "the card authorities ... thus pretend you have "chip security" at an atm". I haven't ever seen/heard them pretend that, at all. Have you?

Tim

"Tumbleweed" wrote

Then who is being called by the bank to prove that they are secure, then? They can't just say "we reckon it is secure" without proving it. In court.

If the bank doesn't prove that in court, then the court won't *assume* it is true...

Tim

In article , Alex Heney writes

Yes, my experience in France also, and not just at ATMs.

However, these validations IME are not always reliable. I find in order to save potential embarrassment it is a good idea to have a number of plastic ways of paying.

And no doubt they do the online validations on UK cards being used overseas for good reason. I expect fraud levels on those cards are quite high.

Mr X

I wish I could remember the details. I had a copy of a fax somewhere sent in connection with the case, plus another document at least, obtained off the net; I've filed them "somewhere" though (quite possibly the wpb, as I know that PC has been replaced since :-( ).

Does anyone have any references readily available?

Mike Scott

Tumbleweed wrote: ...

Which makes the flag on the card itself redundant then. You either check with the bank (flag not needed), or you rely on the card info (which could have been tampered with, so the flag is pointless).

Now if the magstripe info were signed by the bank's private key instead of having a simple CRC or whatever ... would you even need the chip?

Mike Scott
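
Added example, not part of any post in the thread: a Python sketch of the two checks discussed above, the real-time check back to the issuing bank and a stripe whose fields are authenticated by the issuer. The key, the issuer record table, the track string and all function names are constructed for illustration, and an HMAC stands in for the bank signature; the reading of the service code (first digit 2 or 6 means the card carries a chip) follows ISO/IEC 7813.

```python
import hashlib
import hmac

# Constructed sample data; the PAN is made up and the key is hypothetical.
ISSUER_KEY = b"constructed-demo-key"
ISSUER_RECORDS = {"4000000000000002": True}  # PAN -> card was issued with a chip

def stripe_mac(pan, expiry, service_code):
    """Issuer MAC over the stripe fields, as 8 decimal digits (stand-in for a signature)."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big") % 10**8
    return f"{number:08d}"

def build_track2(pan, expiry, service_code):
    """Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?"""
    return f";{pan}={expiry}{service_code}{stripe_mac(pan, expiry, service_code)}?"

def parse_track2(track2):
    body = track2.strip().lstrip(";").rstrip("?")
    pan, rest = body.split("=", 1)
    return pan, rest[:4], rest[4:7], rest[7:]

def stripe_claims_chip(service_code):
    # First service-code digit 2 or 6 marks a card that carries a chip.
    return service_code[0] in "26"

def mac_ok(track2):
    pan, expiry, service_code, mac = parse_track2(track2)
    return hmac.compare_digest(stripe_mac(pan, expiry, service_code), mac)

def issuer_decision(track2, chip_was_read):
    """Real-time check at the issuer, which knows whether it issued a chip."""
    pan, _, service_code, _ = parse_track2(track2)
    if pan not in ISSUER_RECORDS:
        return "decline: unknown card"
    issued_with_chip = ISSUER_RECORDS[pan]
    if issued_with_chip and not stripe_claims_chip(service_code):
        return "decline: stripe flag contradicts issuer record"
    if issued_with_chip and not chip_was_read:
        return "refer: magstripe fallback on a chip card"
    return "approve"

GENUINE = build_track2("4000000000000002", "3012", "201")
ALTERED = GENUINE.replace("=3012201", "=3012101")  # chip flag cleared, MAC left as it was
# A byte-for-byte copy of GENUINE still passes mac_ok: the MAC covers the data, not the card.
```
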
