Chip & pin

But the scenario is this - the professor made a purchase with the card - it got nicked and was used in a couple of nearby ATM's within minutes. So it has the makings of a low tech fraud - other explanations seem implausible. So look for the simplest possible esplanation - someone in the shop saw him enter the PIN, nicked the card then used it in ATM's before it could be reported.
Banks will bear some such losses depending on circumstances. Assuming he was not in the habit of losing cards or going into overdraft, the bank IMO was being excessively mean in this instance - especially as he took immediate steps to report the loss.
A bank in such cases need to balance the cost of 'reimbursing' customers in such cases with the benefit of retaining loyal and valuable customers.
Reply to
peterwn

customer:
formatting link
>>
The card wasn't cloned, in this case. It was the actual, stolen card. But that's not relevant to this particular form of attack.
If you read the article, that is not the scenario at all. The professor had made no purchases with his card prior to it being stolen:
The fact that he did not use either card in Paris prior to the theft, rules out the possibility he had been "shoulder surfed" ? and had the pin read prior to the snatch.
Mark
Reply to
Mark Goodge
On Oct 7, 8:42 am, Mark Goodge wrote:
I was referring to the instance in the BBC article which rabbited on about high tech frauds then gave an instance which had all the appearances of a low tech fraud. Things are a bit confusing since both victims were professors. There is no apparent explanation about the case cited in the Guardian it would seem farfetched that someone observed his PIN in the UK then passed it to an accomplice in Paris or took a quick Eurostar ride. But if he was victim of a high tech fraud one would expect that there would be a wave of instances.
I think the Norwich professor should bid Barclays farewelkl and look for another bank - but then as far as I can see all the high street banks are crummy.
Reply to
peterwn
I have seen no mention of a low-tech explanation: someone got lucky with a guess at the pin.
The odds may mean that professional gangs don't usually bother trying. But it'd be nice if the banks were to reveal how often (and where) case withdrawals are attempted with lost/stolen cards and the wrong pin.
Reply to
Robin
peterwn posted
That's really the problem. There was a rather similar story told on yesterday's Moneybox programme, but about NatWest. The customer had discovered multiple withdrawals of £50 or £100 had been made from his account, adding up to quite a lot.
He reported them as fraudulent, and the bank said they had been made over the counter at various branches without a PIN, under the bank's system of "emergency withdrawals".
It was obvious that it wasn't him that did it, but they refused to reimburse him, all the way up to the moment when they found it was going to be the top story on Moneybox. One wonders how many times they refuse to reimburse, but it *isn't* the top story on Moneybox or Money Mail.
Reply to
Big Les Wade
But how would such information be valid and what use could it be to the user if he had it?
Who hasn't at some time in the past has had to enter their PIN a second time ? The vast majority of errors of this type will be inadvertant. I would assume that an ATM will only allow a certain number of attempts in entering the PIN and any errors will be noted whether cash is successfully withdrawn or not.
There is another aspect. Given the number of transactions that are undertaken every day the number of frauds is relatively very small. Whether somewhere a way has been found round chip and PIN one can never know, bear in mind, succesful attempts have only been claimed by highly competetent IT specialists usully working within the facility of an IT department in a university.
However, assume that such a vulnerability is found and that is finds its way into the criminal domain. It's my bet that the methodology would spread like wildfire to the expent that the system would collapse have have to be suspended. Bearing in mind the interoperationability of the systems this would provoke a crisis in the banking industry that would make the recent difficulties at Nat West seem a slight glitch.
It hasn't happened. Instances of fraud would seem to be being contained.There is and never has been any crisis. However, criminals are not noted for keeping their own counsel. A good scam is handed on. Aren't prisons supposed to be universites of crime. Further it is more charateristic of criminal behaviour to plunder rather then clip a source of income.
There will always be fraud within these systems just was ther will always be pick pockets so long as we have wallets and purses. A small minoriy of card users will always see fraud and misrepresentation as a means of relieving financial embarrassment. There will alwys be those of a criminal disposition working in banks call centres and retail outlets. There will always be those who are untrustworthy yet are nonetheless trusted. Bearing in mind the immense number of people with some access to the system even if peripherally then the wonder is that we have so little fraud.
These are surely the greatest vulnerabilites within the system
Reply to
Mel Rowing
The information is directly relevant to the probability that the pin was guessed. Eg if lost/stolen credit cards are commonly used to try to draw cash with the wrong pin then it is more probable the user suffered that than if they are very rarely used to draw cash. The laws of probability would allow the user (or the ombudsman) to quantify the risk. Indeed, I suppose one might expect the ombudsman has already investigated this.
I was not referrring to the incidence of such errors. I was referring to the incidence of errors entering the pin for a lost or stolen card.
Reply to
Robin
Many banks use a 6 digit PIN for online banking. Select any 3 or 4 for access.
For some reason, I can remember 6 digit numbers easier than 4 digit. [Possibly - 4 digit numbers begin to blend into each other].
It should be possible for ATMs to use the same principle. So that even seeing someone entering their partial PIN would not help.
But would it be worth it? A more onerous system to reduce a relatively small problem.
Flop
Reply to
Flop

If I wanted to deceive my bank into believing that someone else had been using my card, I would go round a town creating a series of fake errors. Finally I would draw the maximum amount allowable on the card over a 24 hour period.
The reason I can't do that is because I do not know how many errors the system will allow me before my account is locked out or over what time period this allowance will be assessed. and any block maintained. Neither do I know what would happen if my account was locked out. Would I be told that there was an error on my card and to contact my bank or would I be allowed to attempt access ad infinitum each attempt extending the lock out period.
What about the CCTV cameras incorporated in ATMs and indeed retail outlets?
These systems were not designed by idiots.
Reply to
Mel Rowing
Where does it say that he made a purchase? The article states the opposite: "... Black says he couldn't possibly have passed on his Barclaycard's pin to the thieves, as Barclays has alleged, because he doesn't know it, or ever use it. He says he only uses the card to make holiday bookings over the phone, which doesn't require the use of a pin. Barclays has confirmed that he has not made any chip and pin purchases using the card."
Reply to
S
No, they were designed to shift the liability to the customer whenever possible.
Reply to
S
Barclays say the same, see
formatting link
I have been warned by a ticket machine at the railway station that I have one more attempt and then the card will be locked. That particular machine seems to have a duff chip reader so I go to another ticket machine and very carefully enter the pin for the lat attempt. It always works on that machine.
Reply to
brightside S9

Then if that's what you think then there is no reason why you should have one. They are not compulsory.
The fact is that everything is not always as it seems to be and certainly not how people say it is. I would suggest that more customers have attempted to defraud a bank than banks have attempted to defraud customers.
It really isn't good for a bank's business to deraud its customers becuase as sure as night follows day that customer will not only be lost but he'll tella all a sundry about his experience.
Nonetheless there are some ciustomers and a business does not want.
In any case, any customer who feels ill used in this respect has resort to the Financial Ombudsman ( a service I have personanly found excellent) and, as a final resort, the civil courts.
Reply to
Mel Rowing
I have a distant memory of a policeman being jailed when he insisted somebody had taken money out of his account:-(
I also have a distant memory of a QC eventually being able to disclose something he had kept secret as he feared it would bring the banking system crashing down. He disclosed that at one major bank at least there were only 3 sets in PIN numbers in use.
pete
Reply to
Peter Turtill
In message , Peter Turtill writes
Are you thinking of John Munden?
"John Munden, as you may recall, was one of our local police constables, who complained about six phantom withdrawals on his account with the Halifax Building Society when he returned from holiday in Greece. Their response was to have him prosecuted and convicted for attempting to obtain money by deception."
Discussed here:-
Reply to
Bill
Time has come when PIN's should be five digit (Decades ago Post Office engineers figured that 5 digit numbers were as much as people can handle - hence letters on dials in the large cities - so people should be able to handle 5 digit PIN's).
And customers should be able to change PIN's or disable cards via internet banking, and disable cards via telephine banking.
Reply to
peterwn

BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.