Times: Fraud victims left in the lurch by banks

At 22:57:05 on 18/01/2006, Ronald Raygun delighted uk.finance by announcing:

Absolutely! Well, in the specific case above things such as file authentication will prevent unauthorised firmware/applications being executed.

Not true, the track 2 data contains discretionary data which doesn't appear on the front of the card. A track 2 constructed from the data on the front of the card would not work in most ATM's/PDQ machines without this discretionary data.

Peter

So, I'll take that as no evidence at any fraud at all then, just another example of the hysteria and neurosis to which I have previously referred.

Hey Hey Hey hey! Stop there!

Have you seen the stats ?

Hey Hey Hey hey! Stop there!

Have you seen the stats ?

Well this has been the system hitherto, and there have been so many campaigns for cashier training that I couldnt number them. You obviously have no knowledge of what is actually happening here RR. Sig comparison is so easily compromised it just isnt an option for the future. Are you saying that the card issuers have failed to try the most elementary of options after all these years?

Yes good thinking. Also the card could sample the users DNA by use of a minute pin which pricked their finger as the card was inserted into the reader, whilst at the same time pointing a laser at their eyes to measure whatever it is eyes are measured in all of which could be relayed back to a satellite geostationarilary located above every card reader with a link to every computer server in the world including patriot missile launchers which would be pointed at the pets of every card holder and the dogs would be forced to learn every combination of dates of birth and marriages and divorce which are used by cardholders to memorise their pins..................................................................... .......................................................... Finally, as the Doctor steps in the TARDIS..... Director shouts "CUT!. Bollocks lads, lets try it again form the top".

wow

In message , Ronald Raygun writes

But you said it should be solved by merely testing for a valid chip. This would be satisfied by somebody who held a stolen card. The chip would be valid. Are you suggesting that the holder of the stolen card should then be allowed to withdraw dosh? Or will you accept your logic was faulty?

Cashier Chick cant be trusted to check sigs.

Eh? Balderdash! sig check has proven to be frightfully useless

A separate line of fraud has developed through cloning, yes, but that is an additional cause of fraud.

Rubbish. Give one example of C&P accusations of fraud. ALL that have been used so far as examples of such fraud have really been examples of the old system, which is why it needs to be replaced.

You are confusing Credit card costs with debit card costs here.

I dont think you are a trader because the figures you quote dont seem to be consistent with such knowledge but I could be wrong. Therefore I dont think you really understand the 'risk' you feel you are taking.

In message , Ronald Raygun writes

Rubbish, but acceptable due to your lack of experience. The victim is the customer, not the bank. The customer must supply the information, not the bank The bank will gladly supply evidence as required if authorised by the customer, or by court order. I have never ever ever ever ever ever ever ever known a 'customer' charged with fraud in the circs of card misuse, but I have known a number of customers 'try it on' ( see posts passim).

Sense check? Suggest the word 'failed' is inserted between the words 'tested' and 'signature'.

No, sig copying technology is now pretty good and all attempts to defeat have failed due to cashier stupidity.

You are about ten years behind the criminals I think.

The only way to do this is to eradicate the chicks. Unless you have a new way of trying to train them? Your suggestion is so elementary. It was struggling to be effective as far back as 1973 (as far as I can remember)

No, it is still magstripe, just like my amex.

I note you start with the word 'no' which therefore means you agree with my assertion that the goal of reducing crime is acceptable, albeit not perfect.

I feel this means you agree that 'reduction in crime' is a sufficient justification for C&P even if 'eradication' is not possible.

Thank you.

Your not getting any were near my bottom matey!

At 23:12:33 on 18/01/2006, Peter King delighted uk.finance by announcing:

And isn't used in most transactions.

Perhaps not ATMs. Regular transactions don't make use of this data though.

If you sandpaper the numbers off the front and fill in the back with polyfilla, then you could refute cardholder-not-present fraud ;->

rgds, Alan

At 10:36:36 on 19/01/2006, Alan Frame delighted uk.finance by announcing:

But then, by rights, you wouldn't be able to use your card at all since the checkout chick wouldn't be able to check the card number matches that on the receipt.

No, that's not possible - the PIN number is not stored on the magnetic strip. The fraudsters must have got the PIN number from somewhere else.

You seem to be having a comprehension difficulty, old timer.

Card fraud falls into a number of categories, to wit:

(A) Cases involving copied cards (B) Cases involving stolen cards (C) Cases involving fraudulent use by the cardholder ("pretended" theft) (D) Other cases

You have indicated that (A) has to date been the most prevalent. (I'm avoiding the word "cloned" lest it introduce further misunderstanding)

Since chips make copying impossible, or so it is claimed, then when there is blanket introduction of chip readers which refuse to use magstripes for cards which have chips, or for cards they "know" ought to have a chip even though they can't sense it because the contacts have been lacquered over, the possibility of type (A) fraud occurring at all is completely eliminated, except of course for non-chip cards.

And that's all I've claimed. It is the existence of the chip which achieves this, irrespective of whether a signature or a PIN is needed at point of use, since the chip is what prevents copying. Given your claim that type (A) fraud is by far the most widespread, we have reduced the incidence of card fraud by a lot, namely to the other three types.

Now, prior to the introduction of chip cards, we've been using PINs only in cash machines, whereas we've been using signatures for all checkout-type transactions.

For cash machines we need PINs anyway, so I'll exclude cash machines from further discussion, and will consider only checkout transactions.

If we were to continue using signatures at checkouts as hithertofore, even with chip cards, I put it to you that there would be no change to the level of fraud from categories (B), (C), and (D), since fraud with signatures has already been possible and would continue to be possible. That is to say that refraining from requiring PINs to be used in future will not significantly boost the incidence of these other kinds of fraud, apart from a slight increase from criminals who formerly specialised in type (A) fraud, and are making the career move of re-training in one or more of the other types.

However, convincingly faking a signature is not *that* easy, and is, I believe, not a technique to date employed to excess, and in that belief I am supported by the very fact that cloning has been so popular. Assuming a supply of blank cards is available, all the crim needed to do was sign a blank signature strip with any old signature in his own handwriting, which thus would be easy to reproduce at point of use and would pass the scrutiny even of a handwriting expert.

Yes she can. Unless you mean the chick is in on the fraud, she can be forced to be more vigilant under threat of the sack for failing to observe her conditions of employment. Spot checks can be made by managers posing as customers and supplying obviously bogus signatures, to make sure she's diligent in her vigilance, and if in the slightest doubt would pass the buck to her supervisor.

That's a training issue which can easily be rectified.

Not really. I gather that Debit cards involve a flat charge of about 60p rather than a percentage, but if typical checkout transactions are for £30-£60, that's still 1% to 2%, which is only a little less than the 2% to 3% of credit cards. Which of credit and debit cards account for a greater proportion of traders' payment card turnover?

I'm not speaking as as a trader, nor indeed am I one. I speak as a customer of traders, and in that capacity I pay whatever overheads the traders are having to pay their card processing suppliers.

Well, of course it *has* a magstripe, but it does have a chip, and the card works in Asda's non-magstripe-reading chip readers, and it asks fro a signature and not a PIN (nor have I been issued with a PIN).

In my book, that makes it a C&S card.

No, what you say is what would happen in the case where a third party is the fraudster, and the bank believes this. Then the customer together with the bank would involve the police in an attempt to identify, apprehend, and charge the culprit.

What I was writing about is what would happen if the bank did not believe this, and suspected the customer of trying to defraud, erm, well, initially himself I suppose, but subsequently the customer would seek compensation from the bank and would therefore be defrauding the bank.

Not a reasonable comment. No-one needs to know of /existing/ fraud instances to point out the possibility of /future/ fraud. There's no point at all in touting new security systems unless they address /all/ relevant issues. PIN cards evidentally don't; the banks claim they do; there seems to be evidence around of banks' bad faith already in existing security issues. I just draw obvious conclusions.

john boyle wrote: ...

The goal of crime reduction seems to me reasonable. The problem is how to measure it.

Not at all. It may or may not be justified - I'm just pointing out that a possibility is that (a) fraud overall will be reduced and (b) the burden of future fraud will tend to fall on the customer not the bank.

Depending on which side of the counter you are, the perceived benefits will differ. As I said, what metric do you use to quantify "crime"?

You're welcome.

here's an example where a reduction in crime may not be thought to be desirable by customers, but would be thought desirable by banks (which is why I asked 'desirable for who?';

Pre C&P situation 150M in fraud annually, of which banks pick up 90% and customers 10%. (Such a high ratio because there is a signature strip that can be reviewed for forensic evidence ..handwriting, fingerprints, etc)

Post C&P situation, 50M in fraud annually, of which banks pick up 50% and customers 50%, because customers find it much harder to prove they didnt sign the slip.

These figures arent meant to be 'correct', they could be way out, but show that it is **possible** that a reduction in crime isnt necessarily a good thing for all concerned.