Chip & pin


peterwn

Now, let's look at this logically. If indeed it is possible to 'clone'
chip and pin cards then use them in ATMs, this would now be a very
serious problem. The crook would still need the PIN, and theoretically
this could be extracted in the 'cloning' exercise.

But the scenario is this - the professor made a purchase with the card
- it got nicked and was used in a couple of nearby ATMs within
minutes. So it has the makings of a low tech fraud - other
explanations seem implausible. So look for the simplest possible
explanation - someone in the shop saw him enter the PIN, nicked the
card then used it in ATMs before it could be reported.

Banks will bear some such losses depending on circumstances. Assuming
he was not in the habit of losing cards or going into overdraft, the
bank IMO was being excessively mean in this instance - especially as
he took immediate steps to report the loss.

A bank in such cases needs to balance the cost of 'reimbursing'
customers with the benefit of retaining loyal and valuable customers.
 
Mark Goodge

> Now, let's look at this logically. If indeed it is possible to 'clone'
> chip and pin cards then use them in ATMs, this would now be a very
> serious problem. The crook would still need the PIN, and theoretically
> this could be extracted in the 'cloning' exercise.

The card wasn't cloned, in this case. It was the actual, stolen card. But
that's not relevant to this particular form of attack.

> But the scenario is this - the professor made a purchase with the card
> - it got nicked and was used in a couple of nearby ATMs within
> minutes. So it has the makings of a low tech fraud - other
> explanations seem implausible. So look for the simplest possible
> explanation - someone in the shop saw him enter the PIN, nicked the
> card then used it in ATMs before it could be reported.

If you read the article, that is not the scenario at all. The professor had
made no purchases with his card prior to it being stolen:

  The fact that he did not use either card in Paris prior to the theft,
  rules out the possibility he had been "shoulder surfed" – and had the pin
  read prior to the snatch.

Mark
 
peterwn

> The card wasn't cloned, in this case. It was the actual, stolen card. But
> that's not relevant to this particular form of attack.
>
> If you read the article, that is not the scenario at all. The professor had
> made no purchases with his card prior to it being stolen:
>
>   The fact that he did not use either card in Paris prior to the theft,
>   rules out the possibility he had been "shoulder surfed" – and had the pin
>   read prior to the snatch.

I was referring to the instance in the BBC article which rabbited on
about high tech frauds then gave an instance which had all the
appearances of a low tech fraud. Things are a bit confusing since both
victims were professors. There is no apparent explanation about the
case cited in the Guardian; it would seem far-fetched that someone
observed his PIN in the UK then passed it to an accomplice in Paris or
took a quick Eurostar ride. But if he was victim of a high tech fraud
one would expect that there would be a wave of instances.

I think the Norwich professor should bid Barclays farewell and look
for another bank - but then as far as I can see all the high street
banks are crummy.
 
Robin

I have seen no mention of a low-tech explanation: someone got lucky with
a guess at the pin.

The odds may mean that professional gangs don't usually bother trying.
But it'd be nice if the banks were to reveal how often (and where) case
withdrawals are attempted with lost/stolen cards and the wrong PIN.
 
Big Les Wade

> peterwn said:
> I think the Norwich professor should bid Barclays farewell and look
> for another bank - but then as far as I can see all the high street
> banks are crummy.

That's really the problem. There was a rather similar story told on
yesterday's Moneybox programme, but about NatWest. The customer had
discovered multiple withdrawals of £50 or £100 had been made from his
account, adding up to quite a lot.

He reported them as fraudulent, and the bank said they had been made
over the counter at various branches without a PIN, under the bank's
system of "emergency withdrawals".

It was obvious that it wasn't him that did it, but they refused to
reimburse him, all the way up to the moment when they found it was going
to be the top story on Moneybox. One wonders how many times they refuse
to reimburse, but it *isn't* the top story on Moneybox or Money Mail.
 
Mel Rowing

> I have seen no mention of a low-tech explanation: someone got lucky with
> a guess at the pin.
>
> The odds may mean that professional gangs don't usually bother trying.
> But it'd be nice if the banks were to reveal how often (and where) cash
> withdrawals are attempted with lost/stolen cards and the wrong PIN.

But how would such information be valid and what use could it be to
the user if he had it?

Who hasn't at some time in the past had to enter their PIN a
second time? The vast majority of errors of this type will be
inadvertent. I would assume that an ATM will only allow a certain
number of attempts in entering the PIN and any errors will be noted
whether cash is successfully withdrawn or not.

There is another aspect. Given the number of transactions that are
undertaken every day the number of frauds is relatively very small.
Whether somewhere a way has been found round chip and PIN one can
never know; bear in mind, successful attempts have only been claimed by
highly competent IT specialists, usually working within the facilities
of an IT department in a university.

However, assume that such a vulnerability is found and that it finds
its way into the criminal domain. It's my bet that the methodology
would spread like wildfire to the extent that the system would
collapse or have to be suspended. Bearing in mind the
interoperability of the systems this would provoke a crisis in
the banking industry that would make the recent difficulties at
NatWest seem a slight glitch.

It hasn't happened. Instances of fraud would seem to be being
contained. There is and never has been any crisis. However, criminals
are not noted for keeping their own counsel. A good scam is handed on.
Aren't prisons supposed to be universities of crime? Further, it is more
characteristic of criminal behaviour to plunder rather than clip a
source of income.

There will always be fraud within these systems just as there will
always be pickpockets so long as we have wallets and purses. A small
minority of card users will always see fraud and misrepresentation as a
means of relieving financial embarrassment. There will always be those
of a criminal disposition working in banks, call centres and retail
outlets. There will always be those who are untrustworthy yet are
nonetheless trusted. Bearing in mind the immense number of people with
some access to the system, even if peripherally, then the wonder is that
we have so little fraud.

These are surely the greatest vulnerabilities within the system.
 
therustyone

> Now, let's look at this logically. If indeed it is possible to 'clone'
> chip and pin cards then use them in ATMs, this would now be a very
> serious problem. The crook would still need the PIN, and theoretically
> this could be extracted in the 'cloning' exercise.
>
> But the scenario is this - the professor made a purchase with the card
> - it got nicked and was used in a couple of nearby ATMs within
> minutes. So it has the makings of a low tech fraud - other
> explanations seem implausible. So look for the simplest possible
> explanation - someone in the shop saw him enter the PIN, nicked the
> card then used it in ATMs before it could be reported.
>
> Banks will bear some such losses depending on circumstances. Assuming
> he was not in the habit of losing cards or going into overdraft, the
> bank IMO was being excessively mean in this instance - especially as
> he took immediate steps to report the loss.
>
> A bank in such cases needs to balance the cost of 'reimbursing'
> customers with the benefit of retaining loyal and valuable customers.

"Retired professor" - aren't they sometimes a bit absent-minded?
 
Robin

> > I have seen no mention of a low-tech explanation: someone got lucky
>
> But how would such information be valid and what use could it be to
> the user if he had it?

The information is directly relevant to the probability that the PIN was
guessed. E.g. if lost/stolen credit cards are commonly used to try to
draw cash with the wrong PIN then it is more probable the user suffered
that than if they are very rarely used to draw cash. The laws of
probability would allow the user (or the ombudsman) to quantify the
risk. Indeed, I suppose one might expect the ombudsman has already
investigated this.

> Who hasn't at some time in the past had to enter their PIN a
> second time? The vast majority of errors of this type will be
> inadvertent.

I was not referring to the incidence of such errors. I was referring
to the incidence of errors entering the PIN for a lost or stolen card.
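The calculation Robin is describing, as an added example that is not part of the thread: how likely a thief holding a stolen card but not the PIN is to get cash within the retry limit, and how that figure, combined with a prior for "the thief already knew the PIN", gives the posterior a customer or the ombudsman would actually want. Every number in the block (the retry limit, the popularity of a few weak PINs, the 50/50 prior) is a constructed assumption for illustration, not a statistic from any bank; the skewed-distribution function is the generalisation of the uniform case, for an attacker who tries the most common PINs first.

```python
"""PIN-guessing odds for a lost or stolen card (added example, not from the thread).

Assumptions (all constructed for illustration):
  * the issuer or ATM allows `attempts` wrong PINs before the card is blocked;
  * a wrong guess is remembered by the attacker, so guesses never repeat;
  * `TOP_PINS` is a made-up popularity table for a handful of weak PINs,
    not a measurement from any real card base.
"""
from fractions import Fraction

# Constructed popularity table: PIN -> fraction of cardholders using it.
TOP_PINS = {
    "1234": Fraction(10, 100),
    "1111": Fraction(6, 100),
    "0000": Fraction(2, 100),
    "1212": Fraction(1, 100),
}


def uniform_guess_probability(pin_length: int, attempts: int) -> Fraction:
    """Chance of hitting a uniformly random PIN within `attempts` distinct tries."""
    space = 10 ** pin_length
    return Fraction(min(attempts, space), space)


def skewed_guess_probability(top_pins: dict, pin_length: int, attempts: int) -> Fraction:
    """Chance of success when the attacker tries the most popular PINs first.

    The probability mass not covered by `top_pins` is assumed to be spread
    uniformly over the remaining PIN space.
    """
    ordered = sorted(top_pins.items(), key=lambda kv: kv[1], reverse=True)
    covered = sum((p for _, p in ordered[:attempts]), Fraction(0))
    leftover_attempts = max(0, attempts - len(ordered))
    remaining_mass = 1 - sum((p for _, p in ordered), Fraction(0))
    remaining_space = 10 ** pin_length - len(ordered)
    if leftover_attempts and remaining_space:
        covered += remaining_mass * Fraction(min(leftover_attempts, remaining_space),
                                             remaining_space)
    return covered


def posterior_guessed(p_guess: Fraction, prior_guess: Fraction) -> Fraction:
    """Bayes' rule: given that a disputed withdrawal went through with the
    right PIN, how probable is it that the PIN was guessed rather than known?

    prior_guess: prior that the thief started without the PIN. The rival
    hypothesis (shoulder-surfed, written down, insider) succeeds with
    probability 1 once the card is in hand.
    """
    p_known = 1 - prior_guess
    return (prior_guess * p_guess) / (prior_guess * p_guess + p_known)


if __name__ == "__main__":
    for length in (4, 5, 6):
        print(f"{length}-digit PIN, 3 tries, uniform: "
              f"{float(uniform_guess_probability(length, 3)):.6f}")
    skewed = skewed_guess_probability(TOP_PINS, 4, 3)
    print(f"4-digit PIN, 3 tries, weak-PIN table: {float(skewed):.4f}")
    half = Fraction(1, 2)
    print("P(guessed | cash obtained), uniform PIN, 50/50 prior:",
          float(posterior_guessed(uniform_guess_probability(4, 3), half)))
    print("P(guessed | cash obtained), weak PIN, 50/50 prior:",
          float(posterior_guessed(skewed, half)))
```

The point the numbers make is the one Robin raises: with a uniformly chosen 4-digit PIN and three tries a lucky guess is a 3-in-10,000 event, so a successful withdrawal is overwhelming evidence that the PIN was known; with a PIN drawn from a skewed table the same evidence is far weaker. Only an issuer can say which regime a given card base is in, which is why the attempt statistics Robin asks for matter to the ombudsman's reasoning.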
 
Flop

> The information is directly relevant to the probability that the PIN was
> guessed. E.g. if lost/stolen credit cards are commonly used to try to
> draw cash with the wrong PIN then it is more probable the user suffered
> that than if they are very rarely used to draw cash. The laws of
> probability would allow the user (or the ombudsman) to quantify the
> risk. Indeed, I suppose one might expect the ombudsman has already
> investigated this.
>
> I was not referring to the incidence of such errors. I was referring
> to the incidence of errors entering the PIN for a lost or stolen card.

Many banks use a 6 digit PIN for online banking. Select any 3 or 4 for
access.

For some reason, I can remember 6 digit numbers easier than 4 digit.
[Possibly - 4 digit numbers begin to blend into each other].

It should be possible for ATMs to use the same principle. So that even
seeing someone entering their partial PIN would not help.

But would it be worth it? A more onerous system to reduce a relatively
small problem.

Flop
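The partial-PIN scheme Flop describes, as an added example that is not part of the thread: the bank holds a 6-digit PIN and each time challenges 3 of the 6 positions. The simulation below quantifies the caveat a practitioner would raise: one observation still leaks 3 digits, a shoulder surfer who can watch several entries soon knows them all, and in between they can simply wait for a challenge that only asks positions they have already seen. The 6-digit PIN, the RNG seed and the 3-of-6 challenge are constructed assumptions; no bank's actual challenge selection is modelled.

```python
"""Shoulder-surfing resistance of a partial-PIN challenge (added example,
not from the thread).

Assumptions (constructed for illustration):
  * the PIN has PIN_LENGTH digits and each challenge asks for ASKED of them;
  * the bank picks the challenged positions uniformly at random each time;
  * the attacker sees both the positions asked and the digits typed.
"""
import random
from fractions import Fraction
from itertools import combinations
from math import comb

PIN_LENGTH = 6
ASKED = 3
SAMPLE_PIN = "493027"  # constructed, arbitrary


def challenge(rng: random.Random, pin_length: int = PIN_LENGTH,
              asked: int = ASKED) -> tuple:
    """Bank side: choose `asked` distinct positions at random, in ascending order."""
    return tuple(sorted(rng.sample(range(pin_length), asked)))


def observe(known: dict, positions: tuple, pin: str) -> dict:
    """Attacker side: record the digit typed at each challenged position."""
    for pos in positions:
        known[pos] = pin[pos]
    return known


def candidates_after(known: dict, pin_length: int = PIN_LENGTH) -> int:
    """Number of full PINs still consistent with the digits seen so far."""
    return 10 ** (pin_length - len(known))


def attack_success_probability(known_positions, pin_length: int = PIN_LENGTH,
                               asked: int = ASKED) -> Fraction:
    """Chance that the next challenge asks only positions the attacker already
    knows, i.e. they can answer it without guessing.  Equals the share of all
    C(pin_length, asked) challenges that are subsets of the known positions.
    """
    known = set(known_positions)
    answerable = sum(1 for c in combinations(range(pin_length), asked)
                     if set(c) <= known)
    assert answerable == comb(len(known), asked) if len(known) >= asked else answerable == 0
    return Fraction(answerable, comb(pin_length, asked))


def observations_until_full_recovery(pin: str, rng: random.Random,
                                     asked: int = ASKED) -> int:
    """Simulate a shoulder surfer watching successive entries until every
    position of the PIN has been exposed at least once."""
    known = {}
    n = 0
    while len(known) < len(pin):
        n += 1
        observe(known, challenge(rng, len(pin), asked), pin)
    return n


def mean_observations(trials: int, seed: int, pin: str = SAMPLE_PIN) -> float:
    """Average number of observed entries needed for full recovery."""
    rng = random.Random(seed)
    total = sum(observations_until_full_recovery(pin, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    known = observe({}, (0, 2, 5), SAMPLE_PIN)
    print("after one observation:", known, "candidates left:", candidates_after(known))
    for k in range(ASKED, PIN_LENGTH + 1):
        print(f"{k} positions known -> next challenge answerable with p="
              f"{attack_success_probability(range(k))}")
    print("mean observations for full recovery:", round(mean_observations(2000, 1), 2))
```

For a 3-of-6 challenge the exact expectation (inclusion-exclusion over positions never asked) is 1 + 6 - 15/4 + 20/19, about 4.3 observations, which the simulation reproduces. So the scheme does defeat a single over-the-shoulder glance, which is the case Flop has in mind, but not a camera or a colleague who sees a handful of entries; that is the trade-off behind the "would it be worth it?" question.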
 
Mel Rowing

> The information is directly relevant to the probability that the PIN was
> guessed. E.g. if lost/stolen credit cards are commonly used to try to
> draw cash with the wrong PIN then it is more probable the user suffered
> that than if they are very rarely used to draw cash. The laws of
> probability would allow the user (or the ombudsman) to quantify the
> risk. Indeed, I suppose one might expect the ombudsman has already
> investigated this.

If I wanted to deceive my bank into believing that someone else had
been using my card, I would go round a town creating a series of fake
errors. Finally I would draw the maximum amount allowable on the card
over a 24 hour period.

The reason I can't do that is because I do not know how many errors
the system will allow me before my account is locked out, or over what
time period this allowance will be assessed and any block maintained.
Neither do I know what would happen if my account was locked out.
Would I be told that there was an error on my card and to contact my
bank, or would I be allowed to attempt access ad infinitum, each attempt
extending the lock out period?

What about the CCTV cameras incorporated in ATMs and indeed retail
outlets?

These systems were not designed by idiots.
 
S

> Now, let's look at this logically. If indeed it is possible to 'clone'
> chip and pin cards then use them in ATMs, this would now be a very
> serious problem. The crook would still need the PIN, and theoretically
> this could be extracted in the 'cloning' exercise.
>
> But the scenario is this - the professor made a purchase with the card
> - it got nicked and was used in a couple of nearby ATMs within
> minutes.

Where does it say that he made a purchase? The article states the
opposite: "... Black says he couldn't possibly have passed on his
Barclaycard's pin to the thieves, as Barclays has alleged, because he
doesn't know it, or ever use it. He says he only uses the card to make
holiday bookings over the phone, which doesn't require the use of a
pin. Barclays has confirmed that he has not made any chip and pin
purchases using the card."
 
S

> If I wanted to deceive my bank into believing that someone else had
> been using my card, I would go round a town creating a series of fake
> errors. Finally I would draw the maximum amount allowable on the card
> over a 24 hour period.
>
> The reason I can't do that is because I do not know how many errors
> the system will allow me before my account is locked out, or over what
> time period this allowance will be assessed and any block maintained.
> Neither do I know what would happen if my account was locked out.
> Would I be told that there was an error on my card and to contact my
> bank, or would I be allowed to attempt access ad infinitum, each attempt
> extending the lock out period?
>
> What about the CCTV cameras incorporated in ATMs and indeed retail
> outlets?
>
> These systems were not designed by idiots.

No, they were designed to shift the liability to the customer whenever
possible.
 
®i©ardo

> No, they were designed to shift the liability to the customer whenever
> possible.

But only where the card has been removed from that customer's care by a
third party, due to theft, carelessness and so on, exacerbated in many
cases by the PIN being kept with the card.
 
®i©ardo

> But how would such information be valid and what use could it be to
> the user if he had it?
>
> Who hasn't at some time in the past had to enter their PIN a
> second time? The vast majority of errors of this type will be
> inadvertent. I would assume that an ATM will only allow a certain
> number of attempts in entering the PIN and any errors will be noted
> whether cash is successfully withdrawn or not.

Three attempts are allowed with First Direct, who are part of HSBC, and
I assume that the other banks do the same.
 
brightside S9

> Three attempts are allowed with First Direct, who are part of HSBC, and
> I assume that the other banks do the same.

Barclays say the same, see
http://ask.barclaycard.co.uk/help/brochure/1_security/incorrect_pin

I have been warned by a ticket machine at the railway station that I
have one more attempt and then the card will be locked. That
particular machine seems to have a duff chip reader so I go to another
ticket machine and very carefully enter the PIN for the last attempt.
It always works on that machine.
 
Mel Rowing

> No, they were designed to shift the liability to the customer whenever
> possible.

If that's what you think then there is no reason why you should
have one. They are not compulsory.

The fact is that everything is not always as it seems to be and
certainly not how people say it is. I would suggest that more
customers have attempted to defraud a bank than banks have attempted
to defraud customers.

It really isn't good for a bank's business to defraud its customers
because, as sure as night follows day, that customer will not only be
lost but he'll tell all and sundry about his experience.

Nonetheless there are some customers that a business does not want.

In any case, any customer who feels ill used in this respect has
resort to the Financial Ombudsman (a service I have personally found
excellent) and, as a final resort, the civil courts.
 
Peter Turtill

> I have seen no mention of a low-tech explanation: someone got lucky with
> a guess at the pin.
>
> The odds may mean that professional gangs don't usually bother trying.
> But it'd be nice if the banks were to reveal how often (and where) cash
> withdrawals are attempted with lost/stolen cards and the wrong PIN.

I have a distant memory of a policeman being jailed when he insisted
somebody had taken money out of his account :-(

I also have a distant memory of a QC eventually being able to disclose
something he had kept secret as he feared it would bring the banking
system crashing down. He disclosed that at one major bank at least
there were only 3 sets of PIN numbers in use.

pete
 
Bill

> Peter Turtill said:
> I have a distant memory of a policeman being jailed when he insisted
> somebody had taken money out of his account :-(

Are you thinking of John Munden?

"John Munden, as you may recall, was one of our local police constables,
who complained about six phantom withdrawals on his account with the
Halifax Building Society when he returned from holiday in Greece. Their
response was to have him prosecuted and convicted for attempting to
obtain money by deception."

Discussed here:

<http://www.doc.ic.ac.uk/~ids/dotdot/misc/titbits/phantom_ATM_withdrawals.html>
 
peterwn

> I have seen no mention of a low-tech explanation: someone got lucky with
> a guess at the pin.
>
> The odds may mean that professional gangs don't usually bother trying.
> But it'd be nice if the banks were to reveal how often (and where) cash
> withdrawals are attempted with lost/stolen cards and the wrong PIN.

Time has come when PINs should be five digit (decades ago Post Office
engineers figured that 5 digit numbers were as much as people can
handle - hence letters on dials in the large cities - so people should
be able to handle 5 digit PINs).

And customers should be able to change PINs or disable cards via
internet banking, and disable cards via telephone banking.
 
