Credit Cards/Chip and Pin/ATM withdrawals

What on earth are you on about?

The PIN is always a 4 digit number.

And he isn't saying anything at all about any other "secret key".

Reply to
Alex Heney

Our trans-pond friends could well have their cards cloned after the ATM upgrade. But you couldn't. Because at present, fraudsters can only clone the mag stripe of your card. If they put that into an ATM, the bank will inform the ATM that it should be a C&P card, and the ATM will only accept a transaction via the chip - which the cloned card doesn't have so it gets gobbled by the ATM.

Eventually, *maybe* fraudsters will be able to clone the chip - but it is several magnitudes more difficult than cloning a mag stripe, and may well prove to be practically impossible given that parts of the chip are inaccessible except with *very* sophisticated equipment.

Reply to
Cynic

I am not saying that, but even if it were, so long as the PIN is in an area of memory that it is impossible to read via the normal interface, and effectively impossible to get at even by disassembling the card, why should that make it insecure?

Reply to
Cynic

Nobody has said that it is 100% safe. Very few things (if any) are.

What I am saying is that it is a *lot* safer than chip & sig (so long as you are reasonably careful not to let the World see your PIN), and an order of magnitude safer than mag stripe & signature, which can be cloned & used without you even knowing that you have been robbed until you get your next statement.

Reply to
Cynic

Plus, if the forgery is good, you may have to get a handwriting expert - who may or may not be prepared to make a positive statement that it is definitely not your signature.

Reply to
Cynic

Safer for who?

Reply to
nospam

Equally though, he would not say it definitely /is/ your signature either.

Unlike a PIN, which most assuredly would be yours.

By the way, I've just been queueing in two shops (Christmas rush, and all that). The people in front didn't even /try/ to hide their PINs when they entered them. I casually mentioned the issue to the cashier - not interested, unsurprisingly.

Reply to
Mike Scott

I have to confess I'm unclear as to who exactly has what info, and who talks to who and when.

I've seen a demo of someone cloning the stripe of a chipped card and clearing a bit /on the stripe/ that says in effect "look for chip". The result worked in one ATM. Obviously in that particular case, the bank wasn't consulted by the ATM, or presumably the cloned card would have been declined by the ATM. So have the banks changed their systems to always check with the bank? And (if so) what happens when for any reason that can't be done? -- does the ATM revert to an offline mode (potential heyday for a fraudster), or just refuse to do anything?

Maybe; not that you clone the chip itself, just the contacts and some wires to a portable PC. But anyway, the "experts" thought WEP was secure :-). I'm afraid I take the view that if someone wants to break something badly enough, it /will/ happen. Paranoid perhaps, but safe(r).

Reply to
Mike Scott

In message , Mike Scott writes

AIUI C&P cards will rely on the C&P bit in the ATM and magstripe bit that carries the account data etc., is redundant.

Reply to
john boyle

At the moment the majority of ATMs do not have the capability to read the chip. So they cannot determine whether the card has a chip or not, so it is pointless taking any notice of whether the card *should* have a chip. The only ATMs that I have so far come across that read the chip are private ATMs rather than bank ATMs. I have no idea what those machines look for in order to decide to use the chip. I know that there is indeed a bit on the mag. stripe that indicates that the card has a chip.

*Any* security measure can be broken or circumvented. The question is (1) the cost of doing so and (2) the probability of the fraudster being detected. The more difficult to commit fraud, the fewer people will do it. As technology advances, cloning the chip will become easier, and more people will do it. Sky cards use smartcard technology and AFAIK they have not been cloned for over 5 years - and there is negligible risk in using a cloned Sky card. So I really believe the C&P cards are safe from that sort of attack for many years yet.

As one technology becomes easy to forge, it is replaced by a better technology. Just think what the situation would be like if we still had banknotes from the 1920's in circulation. Any kid with a scanner & printer could make counterfeits that would be accepted at any retail outlet.

Reply to
Cynic

No, the fact that the correct PIN has been entered says *nothing* whatsoever about who entered it. A good forged signature OTOH is evidence that it was *you* holding the pen.

That fact does not compromise *your* security. The greatest danger from shoulder-surfing is not from the stranger behind you - who unless s/he can steal your card PDQ is probably never going to see you again. It is from your friend/neighbour who accompanies you on your shopping trip. They can remember your PIN for a time in the future when they get an opportunity to "borrow" your card. Perhaps draw out a few hundred pounds from a cash machine in the pub when you go to the loo? Women are more vulnerable IMO, because they often leave handbags with friends, whilst men seldom feel the need to give their wallet to someone for safekeeping when they go for a pee.

Reply to
Cynic

For both the cardholder *and* the bank.

Reply to
Cynic

At 10:57:27 on 20/12/2005, Mark delighted uk.finance by announcing:

They may not want to do it, but it certainly can be done.

Reply to
Alex

At 10:16:52 on 20/12/2005, Mike Scott delighted uk.finance by announcing:

Yes.

No. If they do a direct clone of the mag stripe, the data itself will tell the ATM that there is a chip on the card. Even if they alter the data (and the ATMs haven't been upgraded to perform the CVM check) the transaction still has to go online to the issuer.

Reply to
Alex

At 20:16:05 on 20/12/2005, Cynic delighted uk.finance by announcing:

The three digit service code will indicate that it has a chip.

Reply to
Alex
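Added example, not part of the thread: a sketch of the issuer-side check the posts above describe, where the service code on the stripe is compared with what the bank issued and a chip card arriving as a mag-stripe read is refused. The Track 2 layout and the chip-indicating first digits (2 and 6) follow ISO/IEC 7813; the function names, the issuer record store and the sample card data are assumptions constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# First service-code digit 2 or 6 means "use the IC (chip) where feasible".
CHIP_DIGITS = {"2", "6"}

# Constructed sample data (hypothetical issuer store: PAN -> issued service code).
ISSUER_RECORDS = {
    "4000001234567899": "201",  # issued as a chip card
    "4000009876543210": "101",  # issued as mag-stripe only
}
GENUINE_STRIPE = ";4000001234567899=0812201000000000?"
ALTERED_STRIPE = ";4000001234567899=0812101000000000?"  # service code changed
STRIPE_ONLY_CARD = ";4000009876543210=0812101000000000?"


def parse_track2(raw):
    """Split raw Track 2 data into PAN, expiry, service code, discretionary."""
    m = TRACK2.match(raw)
    if m is None:
        raise ValueError("not well-formed Track 2 data")
    return m.groupdict()


def issuer_decision(raw_track2, entry_mode, records=ISSUER_RECORDS):
    """Online check at the issuer. entry_mode is 'chip' or 'magstripe'."""
    try:
        track = parse_track2(raw_track2)
    except ValueError:
        return "DECLINE: malformed track data"
    issued_svc = records.get(track["pan"])
    if issued_svc is None:
        return "DECLINE: unknown card"
    # The stripe must agree with what the bank issued, so an edited
    # service code is caught even if the terminal believed it.
    if track["svc"] != issued_svc:
        return "DECLINE: service code differs from issued card"
    # A verbatim copy of a chip card's stripe still arrives without the chip.
    if issued_svc[0] in CHIP_DIGITS and entry_mode != "chip":
        return "DECLINE: chip card presented as magstripe"
    return "CONTINUE: proceed to PIN and balance checks"
```

The check only helps when the transaction goes online to the issuer; a terminal that authorises offline never consults the issuer record.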

At 09:19:35 on 20/12/2005, Tumbleweed delighted uk.finance by announcing:

Since when?

Reply to
Alex

At 11:18:15 on 20/12/2005, Mark delighted uk.finance by announcing:

No. The secret key is an n-bit number, where n is currently recommended to be 1152.

Reply to
Alex

Very simple to do. Get a sail cringle/tarpaulin eye reinforcement ring and clench it in place in the end of the card (NOT the chip end and near the edge away from the magstrip). It can then be used in chip readers, or in edge swipe machines - but will not go into the slot of an ATM.

It also allows you to tie it to your bikini bottoms when swimming, by threading one of the side ties through the hole.

It also gets very careful scrutiny - as does the bearer.

Of course, the cringle can be removed - but it needs tools and the card is never quite the same again.

Reply to
Palindr☻me

At 20:45:39 on 20/12/2005, Palindr☻me delighted uk.finance by announcing:

Or some PINpads...

Reply to
Alex

Bitstring , from the wonderful person Cynic said

But 100% refutable if you can prove you were elsewhere. 'You gave your signature to a friend' doesn't actually fly very well, unless you have unusual friends.

Reply to
GSV Three Minds in a Can
