Chip & PIN Security goes on Trial

James
James Posts: 2,059 Forumite
A trial that could prove to be a test case for the security of chip-and-PIN card technology starts today.

Alain Job is suing Halifax, claiming that a fraudster withdrew £2,100 from his account at cash machines despite the fact he did not lose his card and changed his PIN as soon as he received it. The bank refused to refund the money, claiming that its chip-and-PIN system is secure.

Article click here:

Comments

  • Paul_Herring
    Paul_Herring Posts: 7,482 Forumite
    http://www.pcworld.com/businesscenter/article/164159/phantom_withdrawal_case_concludes_in_uk_court.html
    Job admitted at one point during testimony to putting his cash card in his garden outside one night for some inexplicable reason, according to Alistair Kelman, an attorney who watched the proceedings in Nottingham County Court.

    :rolleyes:

    Case concluded today - decision expected in a month.
    Conjugating the verb 'to be":
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • Alex_LS
    Alex_LS Posts: 197 Forumite
    What the...?

    That counters his previous claim that his card remained in his possession.

    "The PIN must also be used for credit- and debit-card transactions, rather than in the U.S., where a signature completes the transaction."

    But the US doesn't use EMV, and we're talking about ATMs in any case. I've never used an ATM (even in the US) that's asked me for a signature :p

    "Studies done by researchers at the University of Cambridge have looked in depth at the chip-and-PIN system and highlighted weaknesses."

    Looks like they just dropped that in there for good measure. No explanation; no detail. :rolleyes:

    Whatever the verdict, it will be interesting to see what actual evidence was presented - if we get to see it.
  • Alex_LS
    Alex_LS Posts: 197 Forumite
    And the court rules in favour of the bank.

    No absolute evidence though:

    The judge based his ruling on printouts from log files to show that Job's real card had been used for the transactions.

    The suit was filed after two critical pieces of evidence once held by Halifax were destroyed, including the original ATM card and the Authorisation Request Cryptogram that could have proven that the card's chip had been read and authenticated by the machine.

    http://www.finextra.com/fullstory.asp?id=20102
  • Paul_Herring
    Paul_Herring Posts: 7,482 Forumite
    Scanned copy of the judgement: http://www.alikelman.com/jobhbos.pdf
  • Alex_LS
    Alex_LS Posts: 197 Forumite
    Well, reading through that it seems clear that the balance of probabilities is firmly in favour of the bank. His 'previous' and the account usage around the disputed period is quite 'interesting.'
  • Paul_Herring
    Paul_Herring Posts: 7,482 Forumite
    Mr Job plans to appeal, and is asking for volunteers in a similar position to himself:

    http://www.getreading.co.uk/news/s/2052591_credit_card_fraud_victim_appeals_for_help_to_fight_high_street_bank

    Given the judgment (#5 above) I can't help but think he's onto a loser, even if others have been in a similar position and come forward.
  • td_007
    td_007 Posts: 1,212 Forumite
    The Chip and Pin technology is not as secure as the banks would like us to believe. I have had £300 withdrawn twice on my debit card somewhere in Romania - no, I have never been there! This card was in my possession at all times and the PIN is in my head :confused: Again, how come the fraudsters managed to withdraw £600 in a single day when the max that can be withdrawn is £250? There is a big black hole that the banks are trying to cover up and make customers liable because the banks do not want to update their technologies.
  • Paul_Herring
    Paul_Herring Posts: 7,482 Forumite
    td_007 wrote: »
    "The Chip and Pin technology is not as secure as the banks would like us to believe."
    When actually used, it probably is.
    "I have had £300 withdrawn twice on my debit card somewhere in Romania - no, I have never been there! This card was in my possession at all times and the PIN is in my head :confused:"
    Mr Job's case does not relate to your experience, since C'n'P (I suspect) isn't an issue in your case - since I highly doubt Romania have C'n'P enabled devices/networks, thus a PIN could not have been used in this instance.
    "Again, how come the fraudsters managed to withdraw £600 in a single day when the max that can be withdrawn is £250?"
    Assuming no PIN, and just the cloned mag-stripe, then there was probably no on-line check of whether the money could be withdrawn, and all withdrawals were subsequently booked against the card later on.
    "There is a big black hole that the banks are trying to cover up and make customers liable because the banks do not want to update their technologies."
    Yours sounds like a simple case of cloning the mag-stripe on the back of your card, and has nothing to do with C'n'P.

    Unless your bank has told you otherwise?
  • Viper_7
    Viper_7 Posts: 1,220 Forumite
    One can derive the PIN and PIN OFFSET from the MAG-STRIPE if you have the know-how. Every card has a natural PIN.
    Hence the move to CHIP and PIN.
    The MAG STRIPE is still on the card as many countries can't support CHIP and PIN yet.
    Even with CHIP and PIN, the raft of security features available with it are not yet in use - again, as most Acquirers can't support it.
    One can withdraw more than the daily amount if you know when the counters are reset.
    Most fraud occurs around midnight. Max out the card at 23:55, max it out again at 00:00. Surprising how many banks reset the daily withdrawal totals at midnight.

    The problem is the Mag-Stripe; the sooner devices are updated out there to accept CHIP the better.
    Many issuers now, though, don't allow fall back to magstripe read as it is less secure.
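
The midnight-reset weakness described in the post above, seen from the issuer's side: an added example (not part of the thread, and not any bank's actual code) comparing a calendar-day withdrawal counter with a rolling 24-hour limit. The £250 limit is the figure quoted in the thread; the timestamps and function names are constructed for illustration, and the check only helps for withdrawals that are authorised online.

```python
from datetime import datetime, timedelta

DAILY_LIMIT = 250  # GBP, the daily maximum quoted in the thread

# Constructed sample: two withdrawals five minutes apart across midnight,
# then an unrelated one more than a day later.
SAMPLE = [
    (datetime(2009, 6, 1, 23, 55), 250),
    (datetime(2009, 6, 2, 0, 0), 250),
    (datetime(2009, 6, 3, 9, 30), 100),
]

def calendar_day_check(withdrawals, limit=DAILY_LIMIT):
    """Counter that resets at midnight. Returns (time, amount, approved) tuples."""
    totals, decisions = {}, []
    for when, amount in sorted(withdrawals):
        day = when.date()
        approved = totals.get(day, 0) + amount <= limit
        if approved:
            totals[day] = totals.get(day, 0) + amount
        decisions.append((when, amount, approved))
    return decisions

def rolling_window_check(withdrawals, limit=DAILY_LIMIT,
                         window=timedelta(hours=24)):
    """Limit applied to the trailing 24 hours, so there is no reset moment."""
    history, decisions = [], []
    for when, amount in sorted(withdrawals):
        # Keep only approved withdrawals still inside the trailing window.
        history = [(t, a) for t, a in history if when - t < window]
        spent = sum(a for _, a in history)
        approved = spent + amount <= limit
        if approved:
            history.append((when, amount))
        decisions.append((when, amount, approved))
    return decisions

def total_approved(decisions):
    """Sum of the amounts that were approved."""
    return sum(amount for _, amount, ok in decisions if ok)

if __name__ == "__main__":
    for name, check in (("calendar-day", calendar_day_check),
                        ("rolling-24h", rolling_window_check)):
        print(name, total_approved(check(SAMPLE)))
```
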
  • Alex_LS
    Alex_LS Posts: 197 Forumite
    Viper_7 wrote: »
    "One can derive the PIN and PIN OFFSET from the MAG-STRIPE if you have the know-how. Every card has a natural PIN."

    This has not been the case for many years (ever since you've been able to change your PIN, in fact). Then, prior to the introduction of the chip, the PIN was stored only on the issuing bank's system and transmitted - encrypted - online to the issuing bank for verification. This is still the case for ATM transactions, but now there is the addition of an offline PIN which is stored in the chip.
This discussion has been closed.