PIN fraud

Wow that is scary! And I stand corrected. Would be nice to read the docs but the site won't let me at the mo!

Reply to
Tumbleweed

In message , Tumbleweed writes

The HSM was offline.

Yes

Unlikely

No.

It was the card.

Yes.

No.

Reply to
john boyle

In message , Tumbleweed writes

Not so. Chip & Pin specifically moves the risk to the issuer.

NNNNOOOOOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Reply to
john boyle

In message , Tumbleweed writes

I don't think so.

You are a gentleman sir!

It was OK for me earlier, I can assure you I didn't knacker it to destroy evidence!

Reply to
john boyle

I can see from the c&p site etc. that the liability is moved from merchant to issuer - i.e. the merchant no longer has to check the signature - but the card holder must still have a liability regarding use of the PIN?

Do Chip and Pin cards have a modified set of Terms and Conditions?

The French claim that C&P has reduced CC Fraud by 80%, I would assume that this statistic should include PIN theft. Just because someone else is liable don't change the nature of the crime.

There could be a money making opportunity here though - for insurance salesmen ...

Reply to
Rob

"James" wrote

Do you think that the local "Sharon" on the till will be trained well enough to accept this? Call her "supervisor"? ... who then says "must be a mistake, it's PINs now not signatures"... :-(

Reply to
Tim

"Ronald Raygun" wrote

It doesn't take a whole day for a thief to "try out" ten cards in an ATM. Bearing in mind that the thieves will continue to steal cards, once they have them they then just need to decide whether to take a minute per card to try it in an ATM.

3,333 cards per year will take around 55 hours in total to try out. If they get 500 from just *one* of these, then they've earned 9 per hour - tax free - equivalent to 15 per hour if they do enough other "jobs" (I can't see a thief declaring their ill-gotten gains to the I.R.!).

Reply to
Tim

No. The chips are designed by people with some security expertise. The pads are designed by artists.

Reply to
Ronald Raygun

Well, you've since conceded the last bit is not the case, but it is worth focusing on the other issue you note above. The cloning aspect. It seems reasonable that the drive towards chipped cards is a direct response to cloning being perceived to be a major problem.

If you clone a card, by copying its mag strip onto a fresh card which you are somehow able to manufacture, or steal (from the post, before its recipient has signed it), then you have a nice blank signature field you can write on yourself. This means you don't have to spend ages practicing a forged signature. Just sign "Betty Smith" or whatever in your normal handwriting and anyone comparing the card sig with the sig on the sales chit will find them a perfect match.

So the chips are a good thing if they prevent cloning. It's just a pity they're bringing in the inherently insecure PINs at the same time.

Reply to
Ronald Raygun

In message , Rob writes

I had an unfortunate experience in France in 2000. After a lunch stop at a service area on a French auto route, we were returning to our car when I noticed, quite by chance, that our rear near side (for France) tyre looked slightly soft. ZR low profile boots so not immediately obvious. I reinflated it, all seemed okay, and we continued our journey to the ferry without mishap. The tyre seemed fine.

On arrival at Portsmouth we had the embarrassment of a flat tyre on the ferry and there was no room to jack the car up to replace the tyre. A P&O engineer was equipped with a solution: a compressed-air bottle which blew the tyre up in a couple of seconds. He said that the tyre had most-likely been 'spiked' by Algerians who hang about French motorway service areas on the look-out for British-registered saloon cars.

A garage later confirmed that this was indeed the case: a small hole had been punched in the tyre's wall. The technique used by the Algerian gangs is simple. They punch their hole and trail the victim along the motorway until the motorist is forced to pull onto the shoulder with a flat tyre. They stop in front of the victim and offer to help, saying how dangerous it is to be stopped. While the trunk lid is open and everyone is busy unloading, an accomplice, who had been hidden in the robber's car, does a quick rummage in the back of the car on the floor -- the usual place for bags containing valuables. Their object is credit cards because British cards don't require a PIN.

Couples without kids driving British-registered saloons are prime targets. Usually they're glad of help because they have a ferry to catch. We fulfilled all the requirements but our car's half-a-yard wide tyres don't deflate that easily. Nevertheless, a new tyre cost GBP160!

A friend later sent me a photocopy of an article in, IIR, 'Drive', detailing this operation.

PS: Had we been forced to stop, I would've lost a bag containing binoculars and camera, which would've been a pain, but that was all. When travelling in garlic-munching countries I always carry cards and cash in an armpit pit body belt.

Reply to
JF

Tumbleweed said on 18.04.04:

According to the Chip and Pin website, they do.

I don't quite follow you? Does the ATM erase the PIN from my brain by means of a hypnotic on-screen pattern or how can it steal my PIN?

Chris

Reply to
Christian Bartsch

I wasn't suggesting that. I was suggesting it might take a day to *obtain* ten cards.

Sure, I was counting the trying out as virtually a zero-cost activity, paling into insignificance beside the hunting and gathering aspect. Cards don't grow on trees.

Nah. A card may take a minute to try, but also a minute to steal, plus ten minutes to lie in wait for the right moment. That's us down to about 75p an hour I think.

I can hear their union reps muttering NMW as we speak.

Neither would I put them in the 40% bracket if they did.

Reply to
Ronald Raygun

"Tumbleweed" wrote in message news:4082fd0d$0$28318$ snipped-for-privacy@news.easynet.co.uk...

I visited France last year and many people there pay using their national Chip&PIN cards. Some still use cheques (which are no longer accepted in Germany) and few pay in cash. In Germany the national debit card still works with signature, is well protected against fraud (chargebacks possible without reason) and is issued to anyone. Though most people here pay in cash. That makes me think the French people are satisfied with their system :)

I don't know about the British system, but here in Germany they are implementing something similar on our national debit cards. The PIN is stored on the cards and the card can authorize smaller transactions without connecting to the bank server. When the card limit is used up the card forces the terminal to dial in order to check if there are still enough funds on the account. Unfortunately most banks don't issue chip cards for cost reasons and therefore the shops don't invest in chip terminals.

Reply to
Count Zero

"Rob" wrote in message news: snipped-for-privacy@brightview.com...

There is a simple trick used by Eastern Europe gangs: They manipulate ATMs so that the card is copied during insertion and there is a tiny camera to catch the pin.

This is impossible with chip cards. Therefore you may lock your card immediately when it's gone. If it is copied, however, you will only notice on your next statement.

Reply to
Count Zero

Count Zero said on 19.04.04:

If I may jump in here? The German national debit card supports several ways of paying, some "official", some just direct debits created by reading of the magstripe. That can be either by PIN (electronic cash) or by signature (POZ or ELV).

Payments with PIN can not be charged back (unless cases of double billing or too much time elapsed between transaction and posting to account).

More information is available on

formatting link
(still in its infancy, but that part happens to be online already).

Chris

Reply to
Christian Bartsch

"Count Zero" wrote

Where's the protection for the poor merchants?

If all thieves (eg "anyone") can get hold of the cards, and make transactions, then ("without reason") have a chargeback - aren't the merchants paranoid of fraud??

Reply to
Tim

"Ronald Raygun" wrote

Yes, but the point is that they are doing that *anyway*. It's only the extra time necessary to try them in an ATM that matters when considering guessing the PIN.

[They can still use them online, or over the 'phone, even without the PIN - so the cards are still worth nicking even if they don't guess the PIN ...]

"Ronald Raygun" wrote

In that case, the reward-per-hour from guessing the PIN at an ATM increases towards infinity!!

"Ronald Raygun" wrote

The payment for their 11 minutes waiting (10 mins) and stealing (1 min) will be found by using *every* card online and/or over the 'phone.

It's only the *extra* time necessary to guess the PIN at an ATM (etc) that matters when considering the ill-gotten gains from the "1 card per 3,333" on which they guess the correct PIN...

Reply to
Tim

Without a hint of irony, "Tumbleweed" astounded uk.finance on 18 Apr 2004 by announcing:

It will block when 3 consecutive incorrect PIN attempts have been made. Source is the EMV specs, probably.

Reply to
Alex
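
An added example, not part of any post in this thread: a simplified model of the "block after 3 consecutive incorrect PIN attempts" rule described above, which also reproduces the "1 card per 3,333" figure used earlier in the thread. The class and function names are hypothetical, this is not EMV or card vendor code, and PINs are assumed to be 4 digits and uniformly random.

```python
import hmac
from fractions import Fraction

PIN_TRY_LIMIT = 3  # from the post above: block after 3 consecutive wrong PINs


class PinTryCounter:
    """Card-side PIN check with a retry counter (simplified, assumed model)."""

    def __init__(self, pin: str, limit: int = PIN_TRY_LIMIT):
        self._pin = pin
        self._limit = limit
        self.tries_left = limit

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    def verify(self, candidate: str) -> str:
        if self.blocked:
            return "BLOCKED"  # even the correct PIN is refused from now on
        # Spend the attempt before comparing, so an interrupted check still counts.
        self.tries_left -= 1
        if hmac.compare_digest(candidate, self._pin):
            self.tries_left = self._limit  # only *consecutive* failures count
            return "OK"
        return "BLOCKED" if self.blocked else "WRONG"


def guess_success_rate(guesses, digits: int = 4) -> Fraction:
    """Share of all possible PINs that a fixed list of guesses gets accepted."""
    space = 10 ** digits
    hits = 0
    for n in range(space):
        card = PinTryCounter(f"{n:0{digits}d}")  # fresh card for every PIN
        results = [card.verify(g) for g in guesses]
        hits += "OK" in results
    return Fraction(hits, space)


if __name__ == "__main__":
    # Constructed guess list: five distinct guesses, but only three can count.
    rate = guess_success_rate(["0000", "1234", "1111", "2222", "9999"])
    print(f"success rate {rate} = about 1 card in {int(1 / rate)}")
```

Guesses beyond the third never reach the comparison, so under these assumptions the rate stays at 3 in 10,000 however long the guess list is.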

Without a hint of irony, "Tumbleweed" astounded uk.finance on 15 Apr 2004 by announcing:

It is not stored on the magnetic strip, but it is stored encrypted on the chip and never leaves the chip.

Reply to
Alex

Without a hint of irony, john boyle astounded uk.finance on 16 Apr 2004 by announcing:

Only on chip cards, and then not even on all chip cards.

ATMs are online all the time, barring network problems. If the link is lost, they become "out of order".

They are on the chip.

Reply to
Alex
