The C&P company. [Something,] Mastercard and Visa company IIRC.
"She" as it happens. A case of proof by blatant assertion, I'm afraid. I felt the program made her look a bit of a chump: not that making one person look a chump changes a single thing.
When I was at college, there was an impressively impassable main gate closed at midnight if I recall, in the traditional way. The idea was to encourage undergrads to be back by then. Being a modern college though, there weren't actually any walls either side of the gate - you just had to scale a 3 foot concrete step if I recall, and you were in. I feel C&P is rather the same - a marvellous technological edifice to prevent misuse, and an easy way of avoiding the edifice altogether.
*You* can take it that way... but it's the way the *banks* take it that counts. Let's use what we know, which is when people write to banks and state that they didn't make withdrawals, banks certainly do not seem to regard this as 'evidence', eg Clair T but many other documented cases.
I would take 'evidence' to mean something such as 'the withdrawal was from an ATM in Manchester but I can prove I was in Malaga at that time' (and even in such cases banks have refused, alleging collusion). But the point is, each of us has our own interpretation of 'evidence'... and they are irrelevant because it's the banks' interpretation that counts.
IF the bank manages that. Usually it comes down to the customer's word 'I didn't do it' vs the bank's 'our systems can't be cracked' or 'you are a liar'. Plus, there is also the danger (as in the case of the policeman vs Halifax maybe 10 years ago) that you will be accused of fraud and prosecuted and convicted even though you are innocent.
... but a few messages ago it seemed a simple case from you of 'well it's the bank that was defrauded not you so you'll get your money back', now it's having to go to FOS or Law... where of course you might still lose and might even be convicted of fraud. Bit of a change there?
How many people have got the resources (or the knowledge) to take it that far? Most would give up before that. One might cynically think that a good strategy for the banks, in all cases, is to refuse the customer up to the point they go to law, or perhaps publicity if they are a Nobel Prize-winning author, because that will net them the biggest return (just the cost of a few letters and most people giving up).
That merely *suggests* that it *may* have been the cardholder, it doesn't actually "*show* that the customer *has* acted fraudulently or without reasonable care".
To go as far as "showing" that the cardholder *had* acted fraudulently / without reasonable care (not merely suggesting that they had), they'd need to give evidence of that particular cardholder performing the act.
But again, use of a secret password may well be taken as prima facie evidence that the proper user and supposed sole 'knower' of said password has divulged it somehow.
Look at this another way. I have published the public half of my gpg key (it's on my website). The private half is stashed away here, in an inaccessible place (I hope!), password protected and never divulged to anyone else (of course). The idea, among other things, is that I can use my private key to sign a document, which can be checked using the public key. If a document pops up signed with my private key, you're quite entitled to assume that I, personally, signed it. It's the whole point. Either that, or I gave the key to someone who then used it. If I should want to disavow any such signature, I'd better have pretty strong proof it wasn't me or someone given the private key by me -- because only I have access to the private key.
Now it's a similar situation with a card. There's a secret (the PIN) supposedly known only to the proper user. Ergo, use of the PIN implies connivance of the cardholder in use of the card - whether in person or through divulging the PIN. It's the whole point of the PIN. I really can't understand why this seems so hard to grasp.
Of course, in practice, the PIN can be discovered by 3rd parties by various covert means as has been discussed over and over. But the cardholder would be hard-pressed to prove this has happened, which leaves the bank on the legal high ground, as it were.
I thought it was obvious - the cloning doesn't produce a C&P card, it produces a magstripe card. Even before C&P was introduced, this fraud was performed. It isn't new to C&P!
As soon as magstripe-only cards can no longer be used (because of the introduction of Chips), this fraud is eliminated.
NO, absolutely NOT. It's the way the *courts* take it that counts.
"Tumbleweed" wrote
No, again it's the court that counts. The banks aren't "a law unto themselves", you know!
"Tumbleweed" wrote
They'd need to prove that "beyond reasonable doubt". That's unlikely, if you are innocent (although I'll grant you it *might* happen).
"Tumbleweed" wrote
No change at all. I never said it would be *immediate*. As regards going to FOS/court, I'd actually expect (as in the case of Ms Tomalin) that the bank would refund the money *before* it got that far.
"Tumbleweed" wrote
Most of the frauds (according to the articles that have been cited) have been for less than 5,000. That would put it in the small claims court. Do it online!
"Tumbleweed" wrote
If they want to give up on their rights, that's up to them.
But the availability of PINs is dramatically increased, instead of using them just in an ATM where it's quite difficult to overlook with 3 sides blocked and the 4th where the person is, they're used in shops, where there's no sides blocked at all, and it's easy to spot.
The point is C&P has done nothing to prevent cloned cards - you can still clone the stripe which is on all C&P cards, so all it's currently achieved is an increase in opportunities for obtaining the PIN. One day C&P may reduce cloning, but whilst it's still got a trivially clonable magstripe, it's not doing it. It's just increased risk.
Yet that's years away, especially as even in the shops with C&P units they seem to be broken down 25% of the time. It was a poor choice to go for the C&P&Magstripe, either a big bang approach to C&P or separate C&P and Magstripe cards would've done a lot to reduce clonability, as it is, it hasn't.
But they *did* refund the money! As I wouldn't expect it to be done immediately, a 'few months' seems "not un-reasonable" for a comprehensive investigation (even though I might *hope* it could take less time).
The point is though, that "the way of avoiding the edifice" will be removed in future - no-one is trying to suggest that the current "transition-phase" is any more secure, just that the "end-result" will be.
But that "prima facie evidence" doesn't actually *show* that they did, it's only a *possibility*.
"Mike Scott" wrote
Are there only 3,333 different possibilities for that key? I think not!
"Mike Scott" wrote
On one in every 3,333 "goes" at cracking a card's PIN, the thief will guess correctly (don't forget that they have three attempts before the card is locked). Is that "similar" odds to your gpg key?? I doubt it!
How small would the "secret" have to be, before you accepted that guessing it was not "impossible"?
This is even before we get onto the problem of shoulder-surfing...
"Mike Scott" wrote
No, the point of such a simple security feature as a PIN, is to try to *reduce* the incidence of fraud. There is no way that a 4-digit PIN can totally *eliminate* fraud. If you think that 4-digits are "fool-proof", then why do you use something as strong as a gpg key?
"Mike Scott" wrote
Only if you believe that the bank can reduce the balance on your a/c (and have that accepted both by FOS and the courts), without having any proof or evidence that *you* authorised the transaction.
At present, there are still some ATMs that cannot read the chip. Once they all can, any cards claiming to be "stripe only" will be verified by the machines.
It won't be possible to use a stripe only card against an account that is supposed to have a chipped card.
How long it will be before this is effective, I don't know.
Which will not happen until every country introduces chips. Even, once all UK cards have chips, if all the UK card terminals and ATMs were programmed to only accept cards from UK issuers if the card has a chip then there would still be the possibility of a 'mag strip only' clone being used abroad.