Chip and pin fraud.

Bitstring , from the wonderful person Alex said

Indeed. But now they have the option of doing the same thing with ALL the C&PIN credit cards. So tell me how Chip & PIN has made credit cards more secure?

No, rather the contrary, on principle. But consider the court in its impartiality would know neither you, nor the bank. The bank will produce lots of "expert" testimony saying they're secure. They don't have to tell you the details of their system so you can pick holes in it. You can't possibly provide any proof whatsoever that you kept your PIN totally secure. Call me a pessimist, but I can see which way the water moves......

The court *should* decide the facts of the case. Absent hard undisputed facts, they have to go with the probabilities. Bear in mind the banks stand to lose a lot of money if they lose cases like this - and they can probably afford correspondingly more and better legal beagles than you or I.

"Mike Scott" wrote

That's good, then :-

Customer: "M'lud, I have a *zero* past record of fraudulent transactions on my credit cards." [Probability of this transaction being down to the customer, based on past experience, = Nil.]

Judge: "So, what's the bank's past experience of fraud?"

Bank: "Oh ... um ... err ... yes, so what if we've had many thousands of fraudulent transactions on our cards?" !! [Probability of this transaction being down to the bank, based on past experience, = Greater than nil.]

Hmmm, let's see : ' "Greater than nil" > "Nil" ' -- so, on balance of probabilities, it is more likely to have been a problem with the bank!

In message , Tim writes

No it hasnt. Its been stolen from the account holder.

You know what, I really can't be bothered to argue with you, and it's not very often I can say that. Even when faced with such obvious facts, you still want to question the security of a random and copyable squiggle of name, as opposed to a 9999 combination number. Amazing!

Mike Hibbert wrote: ...

I think you may have missed the point. Indeed, a signature can be copied - but the 'owner' can readily deny it is his (maybe show he was somewhere else at the time of the transaction), and the problem is then the bank's (or maybe retailer's these days). The PIN number may or may not be more secure - but you try denying you have been negligent with it if there is any problem, and see how far you get. I refer you to the even that started this thread.

For most of mine I keep the original PIN notification letters stored safely away - with the tamper proof tag in place. If that is not proof that I have not been negligent with it, then that would by definition prove that the bank had been.

How depressingly naive .........or stoopid.

I think you are amazing .... in a 'how can this guy have the intelligence to breathe' ? way...

In many cases of fraud the signature nears no relationship to the correct one at all. Even when it does, there may well be fingerprints on the slip that show it wasnt the bank account holder. A PIN could have been entered by anyone and there is no documentary evidence to show by whom. Therefore, the onus tends to fall nto the account holder to prove they didnt disclose their PIN (tough to prove a negative).

"john boyle" wrote

How can it be? The money was passed, **by the bank**, to the fraudster

*without* proper authority from the account holder. It was the bank that gave the money, not the account holder. Therefore, the bank should not have deducted the amount from the account holder's balance (they didn't have the account holder's authority to do this).

That's fine - I've even done the same. But it does of course prevent the card-holder's use of the PIN, which would make the issue moot. If you know the PIN, you *cannot* prove you've kept it secure.

I bet you believe in the tooth fairy as well.

In message , Tim writes

The bank were conned into it. The loser is the account holder. The bank's negligence is another matter.

And even when you do, you apparently don't mean it ..

Fine, you copy my signature in a way that a handwriting expert can't demonstrate differs from my own (you get one chance with the sales clerk present) meantime I'll type your 4 digit PIN number, and we'll see whether that is demonstrably different from you entering the same thing, and how anyone can tell whether you told me it, or whether I shoulder surfed it, or just got lucky on my 2000th stolen card.

You'll have noticed there =are= handwriting experts. They even get called to court occasionally. There are no 'pin number entererer' experts. Guess why.

Yes, I'd cheerfully agree that biometrics or photographs or whatever could be more secure than a signature. A random 4 digit number is not a member of the set of 'whatever' though. In fact all it has to recommend it at all is that it's cheap to encode, change, enter, and verify (compared to retina print or fingerprint for instance). I was there when the French came up with the first 'smart cards' (Schlumberger), and 4 digit PINs were not, I assure you, selected on the basis of security.

When IBM make laptop PCs with 4 digit passwords, or when banks start accepting them as passwords for online transactions, I'll maybe reconsider - until then, I'll avoid the PINs, thanks.

You pay the first £50 if it's been taken via your credit card, don't you?

It only works for cards that I don't use in the shops*. And those that are not C&P. The likely hood of any of those being used in some sort of PIN fraud is probably miniscule - but since it takes very little to store the letters I've kept them as a safety measure.

As a side comment: Marbles issued a PIN automatically with the first card even though the card is not C&P. I assume they want to encourage people to get ATM cash advances as these pay them more in interest.

*i.e.. Balance transfer, online, telephone etc.

"Tumbleweed" wrote

Hold on, are we talking about the same thing here? A thief walks up to an ATM with a cloned card, and steals some cash?

I presume that the ATM, and the cash inside it, is owned by a bank (not the customer!).

Thus, the cash stolen was owned by the bank - not owned by the customer. The cash was obtained ("stolen") *from* the bank, not *from* the customer. The customer didn't ask/tell the bank to give the cash to the thief. The customer didn't even know about the transaction (at the time). None of the customer's property was left lying around at the ATM so it could be stolen.

So, which aspect of "it's been stolen from the bank rather than from you" was naive or "stoopid"?

The aspect that doesnt consider the fact that you have to persuade the bank to return the money to you? And that ist the banks perception that matters, not what actually happened?

Your statements of this happened/that happened are one persons perception. The banks perception is that you or an agent of yours removed the money. Its irrelevant what really happened, its banks perception that matters (or the courts if you have to sue).

It occurs to me we can try a simple thought experiment.

Someone, without your knowledge, clones your card and gets a copy of your PIN.

They then withdraw an amount equal to all the money in your account including overdraft.

You will then try to spend some more money.

If you can, indeed the money the cloner withdrew came from 'the banks money'. If you cannot, it came from your money.

If the latter, then according to you what will happen is that all you have to do is walk into the bank, say 'I didnt make that withdrawal', and you will find they immediately replace the money in your account as they realise they mistakenly took the money from your account and not their sepearet 'banks money' account.

Which do you think will happen?