Someone posted a reference recently which appeared to show that the stripe can easily be cloned. IIRC because many banks don't check all the stripe, just some of it. Was US though so may only apply there and not to C&P...though I don't see why you wouldn't be able to clone the stripe, what would stop you?
Bitstring , from the wonderful person john boyle said
That's what the Chip part of C&P does (or would do, if retailers/ATM insisted on the presence of the chip). The PIN part doesn't help with cloning .. actually if no cards had PINS (and there were therefore no ATMs for cash withdrawal) many criminals wouldn't bother ..
Apparently the US is delaying a switch to C&P cards. For some obscure reason, they expect their cards to work in any ATM in the world. Therefore, every ATM in the world must accept stripe-only cards.
The procedure is extremely quick. I saw the London ITV program a few months back - it took an old laptop, a card writer, some software (nice gui!) apparently freely available on the net and about 30 seconds of the demonstrator's time to scan a C&P card's stripe, edit, and write a new stripe-only card, which the presenter of the program took to an ATM and used successfully.
The EMVCO rep said in the same program it couldn't be done.
Who do you think suggested it would be immediate, straight away, no questions asked? No, I think they would ask further questions. I'd then expect them to look at the video footage from the ATM camera, etc etc.
"Tumbleweed" wrote
OK, seeing as you asked so many times(!) ...
The article referred to, points out that the bank said :- "We apologise that Ms Tomalin felt the letter sent regarding the fraud on her account accused her of forgetting about the transactions. This was certainly not our intention and, as you will be aware, we have already refunded the money to her." "We were merely trying to highlight that there were a number of possible explanations for the transactions. While this included the possibility of the customer not recalling transactions she made, we did not wish to imply that this definitely was the case."
So, it would appear that she simply received a 'standard' letter that attempted to point out a number of different possibilities, just to try to jog her memory. As it turned out that none of these applied, the money was refunded.
What's wrong with that story? It's what I would expect!
I take that section to simply require a written (signed) disclaimer from the customer, saying that they didn't perform the transaction - which could then be produced in court as "evidence".
Then, when the bank later manages to prove that the customer *did* perform it, the customer will be in even deeper doo-doo at court! [Would show an attempt to deceive...]
Now let's look at sections 12.11 & 12.12 (those relating to liability for losses) :-
******** "Liability for losses
"12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply if you do not follow section 12.5 or you do not keep to your account's terms and conditions.)
"12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for the misuse of your card will be limited as follows.
- If someone else uses your card, before you tell us it has been lost or stolen or that someone else knows your PIN, the most you will have to pay is
- If someone else uses your card details without your permission, and your card has not been lost or stolen, you will not have to pay anything.
- If someone else uses your card details without your permission for a transaction where the cardholder does not need to be present, you will not have to pay anything.
- If your card is used before you have received it, you will not have to pay anything."
********
The scenario that we've been considering is the second bullet-point under 12.12, "If someone else uses your card details without your permission, and your card has not been lost or stolen". In that case, it goes on to say quite categorically that "you will not have to pay anything."
"Tumbleweed" wrote
I'd like to see you point out a single place where I have suggested that the money would be refunded *immediately*. You won't be able to - that's because I didn't. Also, if I *had* suggested that, I wouldn't be talking about taking the case to the FOS or the courts, now would I?
"Tumbleweed" wrote
Don't be silly. The ultimate jurisdiction in this country is the courts - anything that needs to be proven, would need to be proven there.
The point is that it could only be "resolved before that stage" if the bank accepts responsibility and refunds the money - otherwise, it has *not* been resolved to the satisfaction of the account holder. So, **even if the customer was wrong**, they could still then go to FOS.
"john boyle" wrote
Was there a reason to use the word "revealed" above, then? Which ways of obtaining the PIN were you not referring to?
So C&P cards do nothing to reduce the clonability of a card, and instead have massively increased the ease of spotting a PIN number. Of course one day, they might do, but it would've made much more sense to offer separate C&P and mag-stripe cards during the transition period.
John, in that case were there any dealings between the investor & the IFA - such as the IFA stealing a policy document, or ever acting as agent with that investor?
If so, then I wouldn't count it as comparable to a situation where a thief (totally unrelated to an account holder, for instance never having stolen a card from them & never having even met them) walks up to an ATM with a cloned card & steals cash.
If a thief cloned a Chip&Sig card (when they are able to clone the Chip), then all they do is write a signature on the back, in their own handwriting, and happily go shopping with it. Don't forget, that you can "steal" more than 500 per day (for instance) by shopping - say by buying a plasma screen, etc - than you can get cash out of an ATM.
On the other hand, if a thief cloned a C&P card, then they'd need to know the PIN...
because it appears (see message upthread of here from Mike Scott) that ATMs will work with a card created just from the mag strip (no need for a chip), as long as the PIN is OK.
Unfortunately, the paragraph starts with the words "Unless we can show that you have acted fraudulently or without reasonable care,"
I believe the bank would argue that their systems are secure, therefore mere use of the PIN by a 3rd party is of itself proof of fraud or lack of reasonable care by the cardholder.
Not so, it was several letters and other contacts which culminated in them saying they wouldn't give her the money back.
"The new card arrived, but Ms Tomalin heard nothing more. Further visits to the branch and phone calls failed to elicit any more information.
Then in April, she received a letter from the bank saying that the debit card fraud unit had investigated and found that "the pattern of the withdrawals does not follow that of a typical fraudster..." It implied she had "acted without reasonable care in retaining a written note of the Pin".
After >>more letters and phone calls
What's wrong with that story? It's what I would expect!
You would expect them to spend several months looking and then say they wouldn't be refunding the money?
No, the reason they have C&Sig is their own paranoia!
"Tumbleweed" wrote
The "little old lady" wasn't accused of being a thief (according to the article) - and she got the money back.
"Tumbleweed" wrote
You don't have to. Check the Banking Code again - "Unless **we can show** that you have acted fraudulently or without reasonable care, your liability for the misuse of your card **will be limited** as follows:- If ..[A].. the most you will have to pay is 50; If ..[B].. you will not have to pay anything; If ..[C].. you will not have to pay anything; If ..[D].. you will not have to pay anything."
Seems a lot of "you will not have to pay anything"!! Note the only time you might lose out (when the bank can't **actually show** fraud or negligence), is [A] - where the thief uses your actual *card*, and you haven't yet reported it lost or stolen. Even then, you're only liable for up to 50, and no more.
"Tumbleweed" wrote
The bank's attitude is irrelevant. Ultimately, it's the court's attitude that matters.