Times: Fraud victims left in the lurch by banks

john boyle wrote: ...

You said "with C&P (as far as I can see) it doesnt matter how many people know you pin, its whether they have your card that matters." Which appears to be an assertion that provided the card is kept safe, public knowledge of the PIN is immaterial. In other words, if you can keep the card safe, you don't really need any PIN to protect it - logically true perhaps but decidedly unsafe in practice.

john boyle wrote: ...

No mistake. Until all machines worldwide are C&P a stripe will work somewhere; probably abroad, where problems can I suspect be even messier to sort out. Now, what progress has been made in the US about moving to C&P, and do our cards work there? [Genuine question btw - I don't know the answer, but can extrapolate from what I've read]

john boyle wrote: ...

I may have misunderstood, but I understood the assertion to be that /cloning/ of cards was a major source of fraud. Therefore making a card clone-proof would significantly reduce fraud. The second assertion is that the chip is impossible to clone.

Given those assertions, it follows that merely testing for a valid chip would reduce fraud a lot, as it would validate the card itself.

Requiring a PIN to validate the /user/ is where the problems (and my own & others' objections) really start.

I don't think that's right. Our ATMs still have to accept US cards.

Not necessarily - crime can be moved from one area to another; even though there may be an overall reduction in the process, the new victims may well feel aggrieved.

Inflatable Mars bars? Whatever next!

Because the magstripe is clonable and the chip isn't. Therefore a chip card, as you've said, can't be cloned, and any card reader which relies on the chip instead of the magstripe can establish to its satisfaction that the card is genuine and not a clone.

AIUI there are a number of information exchanges which take place between the machine and the card, and the genuineness of the card can be established before a PIN, if any, is even entered. After all, one of the replies by the card to the machine is "I don't want a PIN but a signature".

No it isn't. There are many timid folk out there who will take the word of a wrong bank clerk as gospel. Even those who won't, have at least initially been victims of what I suppose you can call abuse by the bank.

Quit clowning around.

why not, if the information is on the chip it is presumably cloneable?

Because you can write said stripe information on a 50p card available over the counter using a £300 (??) stripe writer, likewise obtainable, and using software freely (or so I'm told) available over the 'net.

Apart from requiring a chip-manufacturing plant, said chip contains assorted secret keys programmed in, and reverse engineering would be expensive (albeit not totally impossible).

"tim (moved to sweden)" wrote

If they back down that easily, then they shouldn't complain about it!

wrote

So is fraud on a C&Sig card, or any bank a/c for that matter, etc etc.

So can we take it that you don't have any bank or cc accounts?

"Jim Ley" wrote

That's not within his remit, is it?

"Tumbleweed" wrote

But "works" for what, exactly?

You obviously don't mean a full "copy" that can be used in

*all* circumstances the same as the original card - because your cloned magstripe wouldn't work at a C+P terminal.

So you count a "copy" that only performs a *subset* of the original cards' functions.

Hmmmm. All my C+P cards work very well as ice-scrapers for the car windscreen. So, according to your definition of "clone", if I can make a card that will scrape ice off my car windscreen, then it is a "clone" of my C+P cards!!!

So he's required to just sit there and waste money?

If it's not it should be...

Jim.

At 23:59:27 on 16/01/2006, Ronald Raygun delighted uk.finance by announcing:

The checkout chick doesn't give a shit if you sign as Mickey Mouse.

As above.

At 23:52:11 on 16/01/2006, Ronald Raygun delighted uk.finance by announcing:

What's that got to do with it? French EMV is the same as British EMV. There is no 'ours' and 'theirs' except for the implementation. You may as well say "Their chips are better than theirs."

At 07:43:13 on 17/01/2006, davidof delighted uk.finance by announcing:

Exactly what it says.

The PIN verification system the French have been using was for debit cards only (not credit cards) and used the magnetic strip (not a chip). This is why all transactions went online (inability to securely store a PIN on a magnetic strip).

At 10:09:46 on 17/01/2006, Mike Scott delighted uk.finance by announcing:

They will. But they will reject UK cards which claim they have no chip.