
Chip and PIN Fraud - Keep it secret!

Last month I spent another weekend in Scotland, mountain-biking about the Glentress trails (Domino site!).

In our digs on one of the nights I was stood next to the guy who organised the weekend — a policeman who works undercover in Nottingham's homicide department — as he paid for a round by card at the bar. He put his wallet over the card reader even though I was the only person about. I said something to the effect of "Don't worry, you can trust me", to which he replied "It's a force of habit".

On Friday this came to mind when I went to my bank to get £1,600 cash out to pay the decorators who've just finished our hallway. Wanting to be prepared for every eventuality I took my passport, driving licence and a utility bill. However the girl behind the counter wasn't interested. "We don't need any of that" as apparently "Since we went chip-n-pin you can withdraw up to five thousand in cash if you have the card and know the PIN, without any ID". A conversation ensued with the two girls behind the plate glass and the lady at the counter next to me. She and I agreed this was pretty scary, while the girls on the other side remained noncommittal but I could tell they agreed.

By coincidence, the day after, the very same policeman was here with his wife (Karen's colleague) for dinner. I recalled the above and reminded him of the time at the bar the month before. "If you knew what I knew you'd do it every time too" was his response and he went on to list a variety of scams involving cash machines and shop-based card readers. Apparently the master criminals now fix whole new fronts to ATMs, complete with video camera trained on the keypad — hence the wallet over the fingers.

The more I learn about this new Chip and PIN system the more wary I am of it. I don't like it at all. As I understand it, the banks are no longer at fault if you are defrauded of your money via this system. It's now our responsibility to keep these four digits secret. From now on I plan on forcing myself into the habit of hiding my fingers...

Comments

    • Scam
    • Mon 19 Nov 2007 05:37 AM

    I believe, though, that the banks will still repay any monies lost to ATM fraud, as a gesture of goodwill towards their customers.

    It will be interesting to see if they move away from that position in the future though.

  1. Out of interest, does anyone know if it is possible to use more than 4 digits? Compared to the hoops that I need to jump through to access internet banking, 4 digits for the pin code on the chip/pin seems inadequate.

    • Jake Howlett
    • Mon 19 Nov 2007 05:51 AM

    Interesting thought. I assume it's only 4 digits, but more would make sense.

    One of the banks I use has a ridiculously OTT login process. So much so that 9/10 times I visit I have to call the helpline to get them to reset the password. Resetting the password is as easy as knowing the sortcode/account# (easy to get) and then knowing the two numbers they ask for from my four digit security code (not the PIN though). Getting this right by guessing has odds of 100/1. No matter how complex they make online login there's always an easier way in!

    • PaulG
    • Mon 19 Nov 2007 06:17 AM

    The other party chip and pin removes responsibility from is a retailer.

    Previously the retailer had to check your signature matched that on the back of your card. No more, as long as the pin matches the retailer is happy.

    It's one of the reasons retailers are quite strict about enforcing chip and pin - it's very much in their favour to do so.

    • Lee
    • Mon 19 Nov 2007 07:53 AM

    That's not the only fraud being perpetrated - £1600 to decorate your hall ????!!!!!!

    • Jake Howlett
    • Mon 19 Nov 2007 07:56 AM

    On the contrary Lee, it was a bargain.

  2. Pay with a Chip & Pin credit card and you will always be covered for fraud - use a debit card at your peril.

    Just clear the balance at the end of the month aka charge card.

    • staggered
    • Mon 19 Nov 2007 08:47 AM

    £1600 to decorate your hall. Seems fair to me - as long as you mean the Albert Hall.

    • Martijn Mulder
    • Mon 19 Nov 2007 08:50 AM

    If the criminals really fit whole new fronts to the ATMs, isn't it kind of useless to hide your hand typing in the PIN code? I guess they will also just read out the keypad?

    • Jake Howlett
    • Mon 19 Nov 2007 08:53 AM

    Half of the 1600 was on wallpaper (20 rolls of it). If anybody is guilty of robbery it's the paper manufacturers. That'll teach us to pick the one we like without looking at prices!

    Dunno Martijn. I guess so.

    • PaulG
    • Mon 19 Nov 2007 09:01 AM

    From what I've seen of these ATM attachments, it's a two part process.

    The first is a reader that goes over the card slot and reads the mag strip for info, so that the card can be cloned. At this point (even as a cloned card) the pin is still encrypted, so the second part is a crude webcam affair, that allows the person to see the pin as you type it in.

    So then they have a clone of your card and your pin, and away they go.

  3. Coupla tips for the very paranoid.

    Get your credit card company to give you a card that'll set off alarm bells. Never ever use it, leave it in your wallet. A nice surprise.

    Using a thick marker pen, write a pin number on the back of your card.

    Not YOUR pin number, of course. That'll get at least two attempts.

    ---* Bill

  4. I always do my best to cover the keypad myself, but sometimes that's not enough. Last Thursday my wife left her computer bag unattended in what she believed was a pretty secure area (you need a key to get in) for an entire 5 minutes. Apparently someone got in, found her wallet, and took about $30 USD and 2 credit cards (not all of them, or the whole wallet - so it wasn't obvious!!!) They then proceeded on a shopping spree for the rest of the afternoon (~$2,500 USD). We probably wouldn't have noticed anything until our next statement arrived, except one card was a business credit card. Citibank decided the purchases were probably not business related and fortunately gave us a call.

    We're still sorting out this big mess, but unfortunately this time of the year is when many purchases are made in a short period of time and checking signatures, while still the retailer's responsibility, doesn't always get done properly. So PIN or no PIN, keep an eye on your statements and balances, and keep a photocopy of the front and back of any cards you carry with you, so you know what's missing and have the numbers handy to call to cancel them.

    I have no problems giving to charities I believe in, but you can bet this wasn't one of them....

    • Nick
    • Mon 19 Nov 2007 01:16 PM

    I had something interesting happen a few years back. About 10 years, but I have a 'backup' credit card that I use when places don't use Discover. Well, I got a call from the credit card company saying that there were about $500 in charges in a different state, etc.

    I informed them I had never been there, and that I was currently well south of there. I would have never known, because my credit card was still in my wallet.

  5. The easiest thing to do is to have a low credit limit on your card. Minimise any exposure to fraud.

    • andy
    • Tue 20 Nov 2007 05:46 AM

    The Wife had her Credit card stolen last month....

    ..I haven't reported yet - ( The thief spends less than the wife.)

    ; )

    ( ahh the old ones are always the best )

    • Robert Lozano
    • Tue 20 Nov 2007 01:37 PM

    Well, this movie has something to do with the subject. You may visit {Link} when you have time. Banks will allow frauds to continue until people get fed up with it and accept the RFID...

    • Mark C.
    • Tue 20 Nov 2007 02:09 PM

    I read about this kind of stuff last year, it's a cause for concern, no doubt.

    Check out Bruce Schneier's security blog : {Link}

    He's got lots of stories of what people do with ATMs.

    The

    • Robert Lozano
    • Wed 21 Nov 2007 09:17 AM

    People, we need to look a little beyond. Everything is being laid out for the RFID. I've seen a lot of useful information on these websites. Yet I don't feel there's a compelling reason to panic. I've had three credit card frauds in my life. I've never ever had to pay 1 cent. It's just a matter of checking often, at least every 3 days, notifying the credit card company and moving on. These panics the frauds are causing are nothing to be scared of. We are being injected with fear every day by people who want to gain control of your lives. We can't let the RFID in or we'll lose our freedom. Watch the link I posted up there. Part one, you might consider offensive... but parts II, III, and IV to me are excellent.

    • Robert Lozano
    • Wed 21 Nov 2007 09:27 AM

    Credit card fraud could be eradicated using text messages and web services. You text back at the text message and the charge proceeds. Everyone nowadays has a cell phone.

  6. ATM fraud I read about. Only works on older machines: Use your own card, take out a few hundred bucks from an ATM, but leave the top and bottom bill still in the machine, and wait. After a few seconds, the machine will think no one took the money, suck it back in, and reverse the charge.

    Never tried it, but it sounds plausible.

  7. It is possible to use more than 4 digits depending on the bank. I know as one of my credit cards has 5 digits. However I cannot set any other card to the same PIN, as the bank allows just 4 digits.

    Hope all banks make their enhancements for more digits.

    • Clarkey
    • Tue 27 Nov 2007 08:55 AM

    After being bombarded with offers for the new Barclays Paywave card I thought I would take a look at the risks. Whilst googling EMV, which is what the new technology for this card is called, I found this site: {Link}

    Worrying, isn't it?

About This Page

Written by Jake Howlett on Mon 19 Nov 2007

About This Website

CodeStore is all about web development. Concentrating on Lotus Domino, ASP.NET, Flex, SharePoint and all things internet.

Your host is Jake Howlett who runs his own web development company called Rockall Design and is always on the lookout for new and interesting work to do.
