PIN fraud

In message , Tim writes

It is.

Everybody has recourse to the courts about anything.

Reply to
john boyle

"Ronald Raygun" wrote

I was thinking more of the case with PINs rather than signatures, & the victim purportedly needing to prove that he *didn't* make the dodgy transaction ...

"Ronald Raygun" wrote

... (s)he denies making the transaction with the PIN ...

"Ronald Raygun" wrote

signaturologist

So here's the main point :- how do the CCo people *prove* that it was the "victim" entering the PIN, and not the thief??

Reply to
Tim

"Ronald Raygun" wrote

That is my point entirely!

But also - with 4-digit PINs, for every 10,000 cards stolen the thief will (on average) hit upon the correct PIN *at random* on the *first try* !! Bearing in mind that you usually get 3 attempts before it is "locked-out", then simply *on average* around 1 in 3,333 cards stolen can have their PINs *guessed* by the thief.

Then for every 333,000-odd cards stolen, on average you'd expect around a *HUNDRED* thieves to simply guess the PIN. How can the CCo *prove* that you are not one of those hundred??
Reply to
Tim

The card may get reused at a retailer before it is next used at a bank, so the opportunity to update the PIN wouldn't exist unless all the retailers had the capability to perform the updates. If that's the case then the retailers may conceivably have access to the PIN while it gets programmed onto the card - possible security risk.

Reply to
Chesney Christ

"tim" wrote

... but the cardholder can also claim negligence on the part of the banks/retailers, due to lack of proper shielding on Chip-n-PIN entry pads(!) ...

"tim" wrote

Again we're back to the "burden of proof" argument. You obviously think that the victim is guilty until proven innocent...

Reply to
Tim

So was I, but by comparing it with the old signature system. I was simply underlining the point that with signatures it is *possible* to make reasonably sure whether a signature was forged (it's surprisingly difficult, I gather, to "forge" your own signature, i.e. make it look to an expert as though it had been forged, while at the same time looking genuine enough to an ordinary checkout chick -- unless you use an accomplice to do the forging for you). With a PIN this is not possible.

They can't. At best they can allege that the cardholder negligently let their PIN become known. Given that in general a PIN would be difficult to guess, that argument has some merit. However, the present design of keypads gives insufficient protection against the "bandit looking over your shoulder", and this, in my view, is enough to break down such an allegation of negligence.

The keypads are inherently insecure. They must either be open, as they are now, in which case prying eyes can watch, or they have to be totally enclosed (say with a rubber drawstring style curtain so nobody can peer along the customer's arm, and a restricted field of view adjustable visor so that only the customer can see his fingers and the buttons), in which case the enclosed box can have a camera planted inside it by a bandit posing as a normal customer, who subsequently returns to remove it after it's harvested a few hundred potential victims' PINs.

Reply to
Ronald Raygun

Not a very good return on the thief's investment in time. How long would it take one thief to steal 3333 cards unnoticed? Best part of a year, I should think. And all for a few goes at £300 a day? I don't think so.

It has a list of the hundred and you're not on it. In fact, it has a list of all 333000 cardholders who *all* claim to be one of the hundred. This means that they can be 99.97% certain that any (and therefore all) of the cardholders is/are lying. That's well beyond the "balance of probability" level of proof required in civil court cases.

:-)

Reply to
Ronald Raygun

I don't follow the logic here. I suspect there isn't any. The setup I'm positing is that there are two ways to update the PIN. One by the customer at a machine, the other by the customer on the phone. If the PIN is in the card, which I posit, then clearly a customer who has actioned a phone update must use the old PIN when shopping at off-line merchants until such time as the card next goes online to have the new PIN stored in it. If a customer updates the PIN directly, this would typically be done at an on-line bank machine. It would be possible, but not always desirable, for on line merchants to offer this facility as well, and it would likewise be feasible, though again not necessarily desirable, for off-line merchants to let a customer update the in-card PIN in situ, and the bank won't know about it until the card next goes on line.

True, but any retailer's equipment is in principle capable of being camera-monitored by an in-house thief, giving the opportunity to harvest PINs through normal use, never mind through update attempts.

Reply to
Ronald Raygun

That's true.

Well with ATMs, PINs have always been the only method of using the card. The scenario you describe has occurred on numerous occasions in my personal experience. Users are notorious for claiming that their PIN is secure even when a senior accountant of the bank in question was behind the client's boyfriend when he used his girlfriend's (the client) ATM card and saw him enter a PIN and saw the card come out of the machine with the name 'Miss A Smith' on it.

For Tumbleweed's info, the ATM was offline at the time. I know 'cos it was me who had switched it to 'offline' mode so that I could perform the daily balance. The data was stored in memory, also on a small cassette tape, and also printed on a tally roll. At numerous times during the day the ATM would go on line to send data. It would also go on line if the customer requested a balance or mini statement.

Reply to
john boyle

Agreed, the first court case is going to make chip and pin* look very silly

Reply to
Tumbleweed

In that case, major money making opportunity here..... If the PIN is in the chip, and therefore the transaction as to whether the PIN is correct, is between the card and the terminal, all you have to do is steal a terminal (or even just buy one) and then in the comfort of your own home you can offer a PIN decryption capability. On average it will take 5,000 attempts per PIN, which is a few hours, but you can pay some kid to do that (or just connect a PC to the terminal and automate the process, plus speed it up big time) and then as long as the theft hasn't been noticed you can go shopping crazy. Harrods, here I come!

Plus, should you have a fraudulent withdrawal on your card, all you need do is point out this simple flaw that the banks never thought of ("MLord, I wish to point out that at least one C&P terminal has gone missing, and that many are left unattended at night"), and with one fell swoop C&P is destroyed....

...no, I don't think so.

Reply to
Tumbleweed

I believe that the earliest ATM cards did hold the PIN. This might have been 1970's. But I installed a high security PIN decryption system on a mainframe computer (to be used for the purposes of checking PINS centrally) in, hmmm.....1986 or 7 maybe? And that was for a company that was just starting to do its own authorisations, so it was some years behind the curve.

FWIW, and AFAICR the reason for the high security machine (let's call it HSM) was that the PIN isn't sent down the line, but is mathematically combined with the account code or similar, sent down the line, into the mainframe and then into the HSM, which then does the reverse operation using the account code and the PIN. The reason it's done in the HSM is so that you can't just use ordinary 'snooping' tools (debuggers or similar) to see what the PINS were in the mainframe, where they would need to be 'in the clear' at some point.

Plus this also made it more difficult for a programmer to stick a little bit of code in that read the PIN as it passed through, since the machine just says yes or no to the mainframe so even if you dumped the memory contents, all you'd see is encrypted strings of digits.

The HSM was ultra-secure, down to the level that if it was opened incorrectly it would wipe its entire memory of the encryption algorithms! Not something you'd want to happen of course. And AFAICR the algorithms / PINS were loaded into it by two different people, who each were sent 1/2 the data on tape, scrambled in some way and recombined only in the machine, so again they were never in the clear even when transmitted to the system.

Reply to
Tumbleweed
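
The account-code combination, yes/no answer and two-person loading described in the post above, as an added example that is not part of the original thread. It assumes ISO 9564-1 "format 0" for the PIN/account combination and XOR key components for the two custodians (the post names neither); `ToyHSM`, its HMAC reference value and the PAN in the test are constructed for illustration, and the encryption of the block in transit is omitted.

```python
# Added illustration, not from the thread. Assumes ISO 9564-1 format 0 and
# XOR key components; transport encryption of the PIN block is omitted.
import hmac
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pan_field(pan: str) -> bytes:
    # 0000 followed by the rightmost 12 PAN digits, excluding the check digit
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])

def make_pin_block(pin: str, pan: str) -> bytes:
    # PIN field: 0 | length | PIN digits | F padding, then XOR with the PAN field
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return xor_bytes(pin_field, pan_field(pan))

def recover_pin(block: bytes, pan: str) -> str:
    # Reverse operation; a malformed result means a wrong PAN or a damaged block
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = xor_bytes(block, pan_field(pan)).hex().upper()
    n = int(field[1], 16)
    pin, pad = field[2:2 + n], field[2 + n:]
    if field[0] != "0" or not 4 <= n <= 12 or not pin.isdigit() or pad.strip("F"):
        raise ValueError("malformed PIN block")
    return pin

def split_key(key: bytes) -> tuple[bytes, bytes]:
    # Two custodian components; either one alone is just random bytes
    c1 = secrets.token_bytes(len(key))
    return c1, xor_bytes(key, c1)

class ToyHSM:
    # Hypothetical stand-in: the key and clear PIN exist only inside this object
    def __init__(self, comp1: bytes, comp2: bytes):
        self._key = xor_bytes(comp1, comp2)  # components recombined only here
    def reference(self, pin: str, pan: str) -> bytes:
        # Keyed value the host may store instead of the PIN (HMAC as a stand-in)
        return hmac.new(self._key, f"{pan}:{pin}".encode(), "sha256").digest()
    def verify(self, block: bytes, pan: str, ref: bytes) -> bool:
        try:
            pin = recover_pin(block, pan)
        except ValueError:
            return False
        return hmac.compare_digest(self.reference(pin, pan), ref)
```

The host only ever handles the block, the reference value and a boolean, which is why a memory dump of the mainframe shows no clear PIN.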

"locked-out",

People will break into your car, cause a great deal of noise and damage, plus the chance of being caught and going to prison, just to get a car radio that will be sold down the pub for a tenner. A card is worth much more.

Reply to
Tumbleweed

I think that's what the banks are claiming!

Reply to
Tumbleweed

I've declined to have a PIN with the New Type Chip and PIN credit cards. I've opted for a Chip and Signature Card, therefore I can't be held liable for being negligent with a PIN. I won't be able to draw money at cash machines but neither will crooks.

James

Reply to
James

My point was that although the card is worth more, maybe 100 times more, if it takes a whole year to get one, it only gives a measly income of £1k per year. But it doesn't take 3 days to break into a car for a radio. He could probably do 6 a day. That's £20k a year, which is not bad given that the job tends to come with a new "company" car every week or two, tax free.

It's all about efficiency. Thieves go to business school these days.

Reply to
Ronald Raygun

The chip will lock up when it notices it's being bombarded with false PINs.

Reply to
Ronald Raygun

Source?

Reply to
Tumbleweed

It doesn't take a year to get one, it may just take a few seconds. A few weeks ago, someone ran into a pub, grabbed a friend of mine's handbag and jumped into a waiting car which sped off, like something out of "the bill" (except AFAIK they didn't get caught). Obviously they did that for the money and cards in the purse. Very high risk for an unknown amount of money, and cards which would be cancelled within minutes. But even cancelled cards are worth money, they can be sold on, used for low value transactions, used abroad, and so forth.

Perhaps you should go to thieves school if you think it takes a year to nick a card! Your calculation was based on faulty logic re guessing PINS. Even cards without PINS are worth money and traded (for about a tenner a time so I'm told).

BTW, if PINS are on cards, how come guessing wrong twice and then right once resets the counter? That must be done at a central site, otherwise one could simply write back to the mag stripe a count of zero after each failed attempt, and crack the PIN that way. Plus, it's not just ATMS, we are also talking about low powered shop terminals that don't have enough smarts for doing PIN encryption, it's pretty obvious that all they can do is send the PIN back to HQ for verification. Finally, different banks use different algorithms, look up tables etc. It's not practical to encode all that knowledge in one terminal (nor would the banks let it out anyway). So it's back to the central server. You don't really believe that if you put your card in a machine in say, China, that it knows how to talk to your card, what algorithms have been instituted by say, Egg, and does the transaction locally?

Reply to
Tumbleweed

The problem you will have in future (???4 or 5 years, that's how long I guess it will take for the vast majority of people to switch over and use PINS routinely) is that shops will decline your card if you don't put the PIN in. Sure they'll lose your business, but they will also believe the chances of it being fraudulent are high, so they won't mind that.

Reply to
Tumbleweed
