Chip and pin fraud.

In article , Jim Ley writes

Indeed, got my nice shinny C&P card last month, tried to use it on Tuesday to pay a new car deposit and it wouldn't work, he had to swipe it, so much for technology.

Mike

In message , Tim writes

Tim - please email me privately and I will tell you more.

They don't have to. All *you* have to do is prove to the issuing bank it's not your signature and that's a lot easier if the forger doesn't have a sample.

two seperate things being discussed.

1 can fraud be prevented,and 2 does the owner of the account have to bear the cost. This thread started out about (2) and in this case the answer is no since it can be clearly shown that the signature doesnt match the REAL card.

You are now arguing about point 1, preventing the fraud taking place (though IIRC you started out arguing about 2, who would have to take the loss). I dont believe anyone else is talking about point 1 in this sub sub sub thread.

In message , Chris Street writes

This point is not in question though.

Where? Suspiciously, the wording for ATMs ('cash machines') is very vague, and nowhere does it boldly state the sort of statistics it does for other terminals 'X out of Y cash machines were upgraded by the end of 2004' for example. Near me there are several ATMs that havent changed for 2 or 3 years. So unless they were very early examples, they wont be C&P. Next time I'm there I'll have a look. I presume there should be a PIN change option on them if they are C&P enabled?

I've recently met a chap whose card was skimmed in Dubai. The skimmers (probably hotel staff) must have taken a photocopy of the signature and for some reason duplicated that as well as everything else. When he got to see the sales slips the fraudsters had signed, not even *he* could tell that they were not his signature!

The skimmers knew he had arrived from the UK on the same day they skimmed his card, and probably thought they were looking forward to several days of purchasing whilst he was on holiday. He is an airline pilot however, and the scam was picked up when he used his card the next day in Heathrow a few minutes after it had been used in a Dubai shop.

However the discussion was about who bears the coat and in the situation above it's easy for the cardholder to ensure it won't be him!

I think you have crossed threads. I am glad you agree with me.

In message , Tumbleweed writes

I dont follow that at all.

You dont need a new ATM for it to be C&P enabled.

Pardon,. Are you saying that if they aren't old (i.e. they are newish) then they wont be C&P?

I dont see why that should be the case. The link I posted makes it clear that an ATM's ability to change a PIN isnt necessarily the same as its ability to act as a C&P ATM for the withdrawal of cash.

I know from my own experience that HSBC & RBS say that I can change my PIN at any ATM from a list of banks that I cant remember because I only looked at those banks who maintained a branch close to where I needed one. The main point being that it wasnt a list of ATM locations or bank branches, it was a list of banks of which all their ATMs would do the job. On memory, it seemed to be all the clearing banks. I also know from personal experience that the local ATMs havent all been changed. I also know that ti doesnt need an ATM change for C&P to be implemented.

I dont think that the ability to change a PIN can not be relied on as an indicator that the ATM is C&P enabled.

I think the problem is with the 'privateer' ATMs in pubs etc.,

It doesn't. But is does definitely appear to say it has all been done. The other things are still only partly there, so they are stating the targets, and actuals.

How do you know?

They don't *look* any different, and there is no need to change the fascia, just the guts behind to install the new reader.

There should be. Although I'm not certain that all machines will allow all C&P cards to have their PIN changed. Some may only allow their "own" cards to be changed.

I may be wrong on this.

For all other machines, they gives quite precise statistics about how many were upgraded. They dont do this for ATMs.

ARe you sure? Dont you need a chip reader?

No, I was saying that I understood ATMs had to be relatively new to be C&P enabled. And since these ones haven't changed for 2 or 3 years, then unless they were amongst the very first C&P ATMs , they wont be C&P.

Dont you need new technology (ega chip reader) to let the PIN be changed, since its in the chip?

If it cant read the pin from the chip, it effectively isnta C&P ATM< its no different to any other ATM since it will have to read the mag stripe.

I think it must be, since if I'm right and the ATM has to 'talk' to the chip to change the PIN, you must have new equipment installed.

Where does it acually explicitly state that they have all been done? Or do you think its just sloppy wording and they meant to say that?

Good point.

In message , Tumbleweed writes

Yes, but tht doesnt necessarily mean a new machine.

Ahh! I misunderstood what you meant by 'early examples'.

See above

No, AIUI the ability to change PIN and its ability to handle C&P arent necessarily related.

Im not sure that you can make that deduction. Dont forget, about a year or so ago there were many people in this group who were insisting that with mag stripes AND C&P the pin must be held on the main computer and the pin was 'sent down the line' as it were. This was because the posters who couldnt see how it worked. But everybody now accepts that the PIN is checked by the chip.

"Tumbleweed" wrote

It's not a minute difference, it's the whole crux of the question. Mike said that card authorities "...pretend you have 'chip security' at an atm..." The article produced didn't show the card authority saying that at all.

"Tumbleweed" wrote

Well there you go! Ever heard of the Unfair Contract Terms Act & Unfair Terms in Consumer Contracts Regulations? Those terms would be held as invalid... [Or if they were found to be fair by a court, then there's no reason for you to be complaining about them!]

"Tumbleweed" wrote

That's the wording of the 'Unfair Terms in Consumer Contracts Regulations'. So, if that is true, the terms will be found invalid.

What was your point?

"Tumbleweed" wrote

This post is directly under John Boyle's post of 11/08/05 00:19, where he said: "If you have cloned any card, C&P or otherwise, once you have the blank cloned card in your possession you can write any old signature you like on it, and you will get away with it just so long as you can reproduce it. So you could write your own sig on it and it would be OK to the retailer because the sig on the sales slip would match the one on the card."

That sounds much more like your option 1, rather than your option 2.

The first one is definitely sloppy wording on page 6

------------------------------------------------------------------------- It involved upgrading more than 860,000 shop terminals and 40,000 cash machines, issuing 140 million credit and debit cards to 42 million customers and training three million retail staff.

-------------------------------------------------------------------------

That is sloppy because it gives the impression that all have been completed, before going on to talk about the proportion of the 860,000 and 42 million.

The second appears more clear, on page 18

---------------------------------------------------------------------- At the end of 2004, there were 55,000 cash machines in the UK. The upgrade to chip and PIN has required two types of technology enhancement. Firstly, all cash machines had to allow customers to change their PIN at any machine. Secondly, cash machines have now got the technology to read the chip rather than the magnetic stripe.

--------------------------------------------------------------------

This appears to say that they *have* all got the technology.

Alex Heney wrote: Come on Alex, last time you run away, lets see what you can do now

I presume that sandpapering the stripe off a C&P card would make it equally secure (that's what I was planning to do when my local Waitrose, where I get my cash from, moves to C&P in a couple of weeks)?

I'll still need a credit card with a stripe for US trips but I was planning to ask the issuer to randomise the PIN and not reveal it to me.

All attempts to get a Chip and Signature card at the three or four banks that I've asked (including my own) have been met with blank refusal.