PIN fraud

In message , Tumbleweed writes

Hitherto, PINs have been held on the cards as ATMs and tills are not online to the issuing institution all the time.

I'm not sure that PINs on C&P are NOT on cards. If they weren't then transactions could not be performed with a permanent link to the provider, as opposed to a link to an 'authoriser'.

Reply to
john boyle

That's true enough, but it simply means the thief can fool the shopkeeper. When later on the nickee denies knowledge of the transaction, the nicker's forgery can be confirmed by a handwriting expert. With PINs it is impossible to tell who entered it.

It's not a question of preventing fraud, but of being able to prove after the event that it has occurred.

Not if you consider the possibility that the nicker is actually well known to the nickee and so has ample opportunity to nick the card, probably even at a well-separated time from when he observed the PIN being typed. And worst of all, he can nick the card and then put it back before the nickee notices it's missing. Then the poor old nickee will really be toiling to try to prove that it wasn't him who stole the £300 from the cash machine because he actually used the card as normal thereafter, and wasn't alerted to the problem until weeks later when he got his card bill.

Reply to
Ronald Raygun

Alison,

Having a PIN with your credit card is not compulsory nor a legal requirement. I've already arranged to have a Chip and Signature card by sheer persistence. Your card supplier has no right to ask you why you can't handle a PIN - tell them this. If you've not got a PIN with your credit card neither you NOR a crook can get money at an ATM. If fraud occurs at any other place then the most you can be liable for is £50. However if you have a PIN, and your card issuer considers you've been negligent with it - you could get clobbered for the whole cost of the fraud. Another way to look at having a PIN with a credit card is their value to crooks - access to instant cash or they can use them in Chip and PIN compliant shops and walk away with expensive goods without ever being challenged.

James

Reply to
James

No no no NO, PINs are _definitely_ not held on cards at present!! Usually an ATM won't authorise if there is no connection, it's up to a retailer whether or not to if there is no connection, or if the cost of the connection is more than the perceived risk, this is why they have floor limits.

Of course transactions can be performed without being on line, it's just that the retailer takes the risk if they aren't.

Reply to
Tumbleweed

Just wait until someone works out how to enter a transaction using your card, when you definitely did not give out the PIN, and try and convince the banks you either didn't give your PIN out through stupidity, or aren't just plain lying. THEN you'll see the problem!

Reply to
Tumbleweed

There was a thread somewhere or other discussing this, where a chap who claimed to work for a bank says the PIN is stored on the card, and that he was able to change people's PINs on the fly. I didn't believe it, but I've no way of confirming it.

To me it doesn't seem likely that it's on the card, as you can have your PIN changed just by making a phonecall; a few days later you'll have the new PIN in the post.

Reply to
Chesney Christ

"Ronald Raygun" wrote

Where does this concept of the victim being "guilty until proven innocent" come from?

You say that the cardholder needs to prove that they *didn't* use the card on any "dodgy transaction"; why can't the card company prove that they *did* use it??
Reply to
Tim

In the old days the cash card PINs were stored on the swipe stripe, no doubt in encrypted form, together with a record of recent withdrawals and balances, so they could enforce at least daily limits even when the machine was off line. Now, the PIN will be in the chip, but more securely, not only encrypted but unreadable too. What happens is that the machine into which you type the PIN will ask the chip whether this PIN is correct and will simply get a yes/no answer, instead of asking the chip to tell it the encrypted PIN so that it can do the comparison itself.

Even the PIN sent by the machine to the chip will be encrypted, in case someone slips a "man in the middle" device into the machine that could sit undetected between the machine and the card's chip to "harvest" data.

Reply to
Ronald Raygun

"James" wrote

Hmmm. Surely it cannot simply come down to what the *card issuer* "considers". There must be recourse to the courts - and then it would be up to the *court* to decide - not the card issuer!

Reply to
Tim

Very good point.

Reply to
Tumbleweed

That's incorrect, and provably so. Firstly, why do you need to be online to tell if the PIN is correct, if the PIN was in the card there would be no need for that? Secondly, how do PINs get changed by banks without your card being involved? Oh, and thirdly, if the card is doing the authorisation, all I need do is make my own cards and have them always say 'yes this transaction is valid'. That's how they are able to crack some mobile phones, because they alter the software inside the phone that then ignores the check against the SIM card.

It's much simpler than that, the PIN is sent to a central system which checks to see if it's the same. It will be encrypted as it's sent of course.

The encryption is between the ATM/store terminal and the authorising system. The reason for the chip in the new cards is to check that the card itself is not a forgery, since it's now easy to fake the magnetic strip on the old style cards.

Reply to
Tumbleweed

That is what they are saying, they are saying "only you know the PIN, it's impossible to read the PIN from the card, therefore I have proved it was you that used it" (Or that you carelessly gave the PIN away, thereby also making it your fault)

Reply to
Tumbleweed

Because the bank can claim 'negligence' on the part of the card-holder to avoid having to keep to their part of the contract. The card-holder is then in the very difficult position of having to prove that they didn't do anything unreasonable to compromise their PIN, they never have to do this with a sig, cos everybody recognises that it is possible to forge a signature without any help from the card-owner.

tim

Reply to
tim

Of course there is.

This is not an open and shut case, the consumer may lose. If the bank loses they will likely appeal and appeal.

Scenario: The bank refuse to refund the 300 pounds that has been stolen from my account.

Oh look, I just happen to have this spare 300,000 with which to take the matter to court

Or not

tim

Reply to
tim

That's life, innit. - No, actually, that's not what I meant to imply at all. I meant that at least there exists a means to establish to a high level of confidence whether the signature was genuine or forged. I did not intend to say anything about on whom the onus of proof falls, and agree that it should not fall upon the victim.

Trouble is, the card company *can* prove that the cardholder did use the card. "Well, Sir, here's the chit and that's your signature." - "No it bloody well isn't."

It's just prima facie evidence, though, and the next stage is initially up to the cardholder. He has to deny that he signed it, and only after that will it be up to the CCo to call in a signaturologist if they wish to try to prove the cardholder is trying to defraud them.

This is no worse than if you stand accused of a burglary on the flimsiest of circumstantial evidence. There is an initial informal burden of proof of innocence upon you by, say, offering a credible alibi to eliminate you from their enquiries. It's not entirely fair, but a reasonable compromise to ensure the system can work.

Reply to
Ronald Raygun

But if it's plain for all to see that the PIN-entering keypads are in full view of every crook and his parrot (and it's a dead parrot, stuffed, with a mini camcorder peering out through the eyes), any such claim should be easily capable of being laughed out of court.

Reply to
Ronald Raygun

Do you? I'm not convinced. It's desirable to be online, but not, I would have thought, mandatory. Big shops are capable of being on line full-time, but surely the chip technology is intended to be capable of being used in, say, small B&Bs, where there's no way they will dial up each time. You could say one falls back to signatures in such circumstances, but I expect the intention is that they will be phased out completely in due course.

The card can be updated next time it goes on line.

I think you'll find "saying yes" is not as easy as simply pulsing a wire one way or the other. The chip will send a verifiably secure packet to the machine, which will contain the yes/no somewhere in it, but loads of proof of "I am genuine" in there as well.

Fair enough, that makes sense, but they could do so much more with it.

Reply to
Ronald Raygun
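The point argued above, that a bare yes/no from the card would be forgeable while an authenticated reply is not, shown as an added example (not from the thread and not the real card protocol). It is a simplified model: the shared key, the HMAC packet layout, the three-try limit and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed secret, assumed to be shared by the genuine chip and the verifier.
CARD_KEY = secrets.token_bytes(32)

def make_packet(key, nonce, amount_pence, pin_ok):
    """Bind the yes/no to this transaction: fresh nonce + amount + result."""
    msg = nonce + amount_pence.to_bytes(8, "big") + (b"\x01" if pin_ok else b"\x00")
    return {"pin_ok": pin_ok, "tag": hmac.new(key, msg, hashlib.sha256).digest()}

class GenuineChip:
    """Holds the PIN and key internally; only ever answers with a tagged yes/no."""
    def __init__(self, key, pin):
        self._key, self._pin, self._tries_left = key, pin.encode(), 3

    def verify_pin(self, nonce, amount_pence, pin):
        ok = self._tries_left > 0 and hmac.compare_digest(pin.encode(), self._pin)
        # Wrong guesses burn a try; the chip stays locked once tries reach zero.
        self._tries_left = 3 if ok else max(0, self._tries_left - 1)
        return make_packet(self._key, nonce, amount_pence, ok)

class AlwaysYesCard:
    """Home-made card from the thread: says yes, but has no key to tag it with."""
    def verify_pin(self, nonce, amount_pence, pin):
        return {"pin_ok": True, "tag": bytes(32)}

def accept(key, card, amount_pence, pin, tamper=None):
    """Verifier side: accept only a 'yes' whose tag matches this nonce and amount."""
    nonce = secrets.token_bytes(16)
    packet = card.verify_pin(nonce, amount_pence, pin)
    if tamper is not None:  # models a device sitting between card and reader
        packet = tamper(packet)
    expected = make_packet(key, nonce, amount_pence, packet["pin_ok"])
    return packet["pin_ok"] and hmac.compare_digest(packet["tag"], expected["tag"])

def flip_to_yes(packet):
    """Changes the flag in transit; the tag no longer covers the new value."""
    return {**packet, "pin_ok": True}

if __name__ == "__main__":
    print("genuine, right PIN:", accept(CARD_KEY, GenuineChip(CARD_KEY, "2580"), 30000, "2580"))
    print("genuine, wrong PIN:", accept(CARD_KEY, GenuineChip(CARD_KEY, "2580"), 30000, "0000"))
    print("always-yes card:   ", accept(CARD_KEY, AlwaysYesCard(), 30000, "0000"))
    print("flag flipped:      ", accept(CARD_KEY, GenuineChip(CARD_KEY, "2580"), 30000, "0000", flip_to_yes))
```

The check only helps if whoever decides to pay out is the party verifying the tag; a reader that looks at the flag and skips the tag is back to trusting a bare yes/no.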

"tim" wrote

In the case of a credit card, you just refuse to pay the bill. You don't need to take the matter to court yourself - that's up to the credit card issuer.

Reply to
Tim

In message , Tumbleweed writes

When did this change?

Not in every case. The larger outfits have an arrangement whereby all their transactions are authorised by an 'authoriser' who may or may not be on line to the banks, but once so authorised the amount is paid to the retailer. The retailer carries no risk for an offline transaction.

Smaller retailers with those small readers that dial up whilst you wait operate in the way that you describe.

Reply to
john boyle

Sadly RR you are wrong here. They DO dial up every time. The chip just carries more complicated encryption than that which can be carried on a swipe strip. I reckon the PIN is held on the chip though.

I reckon this is right, having recently changed the PIN on my EGG card I was told that my old PIN may be required for a while until I get a 'PIN wrong try again' message at which point I should use my new PIN but to be aware that I had one chance at getting it right.

Reply to
john boyle
