Someone posted a reference recently which appeared to show that the stripe can easily be cloned. IIRC because many banks dont check all the strip, just some of it. Was US though so may only apply there and not to C&P...though I dont see why you wouldnt be able to clone the strip, what would stop you?
here we are
Bitstring , from the wonderful person john boyle said
That's what the Chip part of C&P does (or would do, if retailers/ATM insisted on the presence of the chip). The PIN part doesn't help with cloning .. actually if no cards had PINS (and there were therefore no ATMs for cash withdrawal) many criminals wouldn't bother ..
john boyle wrote: ...
There's no problem with a card. It's the banks' apology for a security system that's the problem.
"I may be paranoid; it doesn't mean they're not out to get me"
Tumbleweed wrote: ...
Apparently the US is delaying a switch to C&P cards. For some obscure reason, they expect their cards to work in any ATM in the world. Therefore, every ATM in the world must accept stripe-only cards.
The procedure is extremely quick. I saw the London ITV program a few months back - it took an old laptop, a card writer, some software (nice gui!) apparently freely available on the net and about 30 seconds of the demonstrator's time to scan a C&P card's stripe, edit, and write a new stripe-only card, which the presenter of the program took to an ATM and used successfully.
The EMVCO rep said in the same program it couldn't be done.
In message , GSV Three Minds in a Can writes
Ah Yes! We could eliminate cheque fraud by banning cheques as well!
Oh, and street robbery would be reduced if we banned cash,
and......
In message , Tumbleweed writes
But if we are talking about reducing card fraud, how does comparing them later prevent this?
In message , Tumbleweed writes
I dont think anybody disagrees with that. That is one of the man reasons C&P is with us.
I dont see how the cloning of the strip is relevant to C&P.
"Tumbleweed" wrote
Who do you think suggested it would be immediate, straight away, no questions asked? No, I think they would ask further questions. I'd then expect them to look at the video footage from the ATM camera, etc etc.
"Tumbleweed" wrote
"Tumbleweed" wrote
"Tumbleweed" wrote
"Tumbleweed" wrote
OK, seeing as you asked so many times(!) ...
The article referred to, points out that the bank said :- "We apologise that Ms Tomalin felt the letter sent regarding the fraud on her account accused her of forgetting about the transactions. This was certainly not our intention and, as you will be aware, we have already refunded the money to her." "We were merely trying to highlight that there were a number of possible explanations for the transactions. While this included the possibility of the customer not recalling transactions she made, we did not wish to imply that this definitely was the case."
So, it would appear that she simply received a 'standard' letter that attempted to point out a number of different possibilities, just to try to jog her memory. As it turned out that none of these applied, the money was refunded.
What's wrong with that story? It's what I would expect!
"Tumbleweed" wrote
I take that section to simply require a written (signed) disclaimer from the customer, saying that they didn't perform the transaction - which could then be produced in court as "evidence".
Then, when the bank later manages to prove that the customer *did* perform it, the customer will be in even deeper doo-doo at court! [Would show an attempt to deceive...]
Now let's look at sections 12.11 & 12.12 (those relating to liability for losses) :-
******** "Liability for losses"12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply if you do not follow section 12.5 or you do not keep to your account's terms and conditions.)
"12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for the misuse of your card will be limited as follows. - If someone else uses your card, before you tell us it has been lost or stolen or that someone else knows your PIN, the most you will have to pay is
The scenario that we've been considering is the second bullet-point under
12.12, "If someone else uses your card details without your permission, and your card has not been lost or stolen". In that case, it goes on to say quite categorically that "you will not have to pay anything.""Tumbleweed" wrote
I'd like to see you point out a single place where I have suggested that the money would be refunded *immediately*. You won't be able to - that's because I didn't. Also, if I *had* suggested that, I wouldn't be talking about taking the case to the FOS or the courts, now would I?
"Tumbleweed" wrote
Don't be silly. The ultimate jurisdiction in this country is the courts - anything that needs to be proven, would need to be proven there.
"john boyle" wrote
The point is that it could only be "resolved before that stage" if the bank accepts responsibility and refunds the money - otherwise, it has *not* been resolved to the satisfaction of the account holder. So, **even if the customer was wrong**, they could still then go to FOS.
"john boyle" wrote
Was there a reason to use the word "revealed" above, then? Which ways of obtaining the PIN were you not referring to?
So C&P cards do nothing to reduce the clonability of a card, and instead have massively increased the ease of spotting a pin number. Of course one day, they might do, but it would've made much more sense to offer seperate C&P and mag-stripe cards during the transition period.
because C&P cards all still have a strip.
Jim.
"john boyle" wrote
John, in that case was there any dealings between the investor & the IFA - such as the IFA stealing a policy document, or ever acting as agent with that investor?
If so, then I wouldn't count it as comparable to a situation where a thief (totally unrelated to an account holder, for instance never having stolen a card from them & never having even met them) walks up to an ATM with a cloned card & steals cash.
"john boyle" wrote
That's good news!
"GSV Three Minds in a Can" wrote
Of course it does.
If a thief cloned a Chip&Sig card (when they are able to clone the Chip), then all they do is write a signature on the back, in their own handwriting, and happily go shopping with it. Don't forget, that you can "steal" more than 500 per day (for instance) by shopping - say by buying a plasma screen, etc - than you can get cash out of an ATM.
On the other hand, if a thief cloned a C&P card, then they'd need to know the PIN...
Or they just say they have forgotten the PIN and sign instead.
Anyone know when they will stop accepting signatures on C&P cards?
EMVCO?
Did he say why the mag stripe 'couldnt' be duplicated when its obvious it can?
fair point it doesnt! But it does let the 'victim' prove it wasnt them what did it. M'Lud.
because it appears (see message upthread of here from Mike Scott) that ATMs will work with a card created just from the mag strip (no need for a chip), as long as the PIN is OK.
Hence the 'chip' bit of C&P is bypassed.
Tim wrote: ...
Unfortunately, the paragraph starts with the words "Unless we can show that you have acted fraudulently or without reasonable care,"
I believe the bank would argue that their systems are secure, therefore mere use of the PIN by a 3rd party is of itself proof of fraud or lack of reasonable care by the cardholder.
So I don't think that helps at all.
Not so, it was several letters and other contacts which culminated in them saying they wouldnt give her the money back.
"The new card arrived, but Ms Tomalin heard nothing more. Further visits to the branch and phone calls failed to elicit any more information.
Then in April, she received a letter from the bank saying that the debit card fraud unit had investigated and found that "the pattern of the withdrawals does not follow that of a typical fraudster..." It implied she had "acted without reasonable care in retaining a written note of the Pin".
After >>more letters and phone calls What's wrong with that story? It's what I would expect!
You would expect them to spend several months looking and then say they wouldnt be refunding the money?
"Tumbleweed" wrote
No, the reason they have C&Sig is their own paranoia!
"Tumbleweed" wrote
The "little old lady" wasn't accused of being a thief (according to the article) - and she got the money back.
"Tumbleweed" wrote
You don't have to. Check the Banking Code again - "Unless **we can show** that you have acted fraudulently or without reasonable care, your liability for the misuse of your card **will be limited** as follows:- If ..[A].. the most you will have to pay is 50; If ..[B].. you will not have to pay anything; If ..[C].. you will not have to pay anything; If ..[D].. you will not have to pay anything."
Seems a lot of "you will not have to pay anything"!! Note the only time you might lose out (when the bank can't **actually show** fraud or negligence), is [A] - where the thief uses your actual *card*, and you haven't yet reported it lost or stolen. Even then, you're only liable for upto 50, and no more.
"Tumbleweed" wrote
The bank's attitude is irrelevant. Ultimately, it's the court's attitude that matters.
BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.