Credit Card Scams

Cabby77

Hi,

this is some advise on things to look out for to stop your card details falling into the wrong hands.. I recently had my supposedly secure chip & pin card scammed - and it wasn't from a cash machine. was from a shop. and its easily done..!!

best tip ever - NEVER let your card out of your sight... in a restaurant or shop, never let them take your card, and come back with the chip and pin reader. retailers don't even need to touch your card...

and here is why...

on your receipt, you will see your card number all starred out, apart from teh last 4 digits - this is for "security" ***********1234 you will also see your expiry date..

the retailer copy has your entire card number, not starred out, along with the card expiry date, so all they need is the 3 digit CCV code off the back of your card, which they look at and write down / memorise when they take your card away to get the machine.!!!!!

they have all they need to spend freely..!!! can pay for things over the net, or over the phone using the "cardholder not present" facility...

its scarily easy, and can cause, what turned out for me, months of pain!

Eydon

To try to combat this both Visa and Mastercard are implementing additional measures for online purchases. Verified by Visa and Mastercard SecureCode both allow you to set up a password for your card. Once set up you will then need to enter this password as part of the purchase procedure (provided the merchant has signed up for it) in addition to all the usual stuff.

It's still being rolled out, but it's getting there.

As you say though, best not to let the retailer even touch your card.

oldagetraveller

Sensible advice but surely they would also need the cardholder's registered address to purchase online and by 'phone, that's my experience anyway.

willid

I see the BBC is reporting multiple cases of card cloning in Balsall Common, Warwickshire. The local Shell filling station is suspected of being connected. Over the last 2 years my local Shell station and its ATM machine has been suspected of being involved in several card scams. On the web, I see similar problems in Luton and Weybridge - all apparently connected with Shell stations. Should we be asking some direct questions to the Shell company about their security procedures? Maybe its time to take business elsewhere to make the point?

aramo

Eydon wrote: »

To try to combat this both Visa and Mastercard are implementing additional measures for online purchases.

Verified by VISA must be one of the most ill conceived schemes going, personally I hate it. At the critical step where you give your secret passphrase you are looking at a webpage which is clearly on the sellers website and yet you must accept that a certain part of that page is invisible to the seller. Added to that there have been many cases reported of XSS abuse.

My pet theory is that V-by-V exists simply so VISA can blame the card holder in the event that the card is used fraudulently, how do you explain the claim that the bad guys knew your top secret passphrase?

zfrl

oldagetraveller wrote: »

Sensible advice but surely they would also need the cardholder's registered address to purchase online and by 'phone, that's my experience anyway.

Not true. There are loads of websites who will deliver to any address. Been there! Had my details stolen - also in a shop. Fortunately I check all my transactions & spotted the dodgy one.

Chunkywannabun

willid wrote: »

I see the BBC is reporting multiple cases of card cloning in Balsall Common, Warwickshire. The local Shell filling station is suspected of being connected. Over the last 2 years my local Shell station and its ATM machine has been suspected of being involved in several card scams. On the web, I see similar problems in Luton and Weybridge - all apparently connected with Shell stations. Should we be asking some direct questions to the Shell company about their security procedures? Maybe its time to take business elsewhere to make the point?

Petrol stations seem to be renowned for card scamming, thats why when ever I fill up with fuel I always pay cash

Eydon

aramo wrote: »

Verified by VISA must be one of the most ill conceived schemes going, personally I hate it. At the critical step where you give your secret passphrase you are looking at a webpage which is clearing on the sellers website and yet you must accept that a certain part of that page is invisible to the seller. Added to that there have been many cases reported of XSS abuse.

My pet theory is that V-by-V exists simply so VISA can blame the card holder in the event that the card is used fraudulently, how do you explain the claim that the bad guys knew your top secret passphrase?

Actually, I'm no longer convinced about this additional "security". I was making a purchase a couple of weeks ago, and sure enough up popped the Verified by Visa screen. Horror of horrors I couldn't rememeber my password. I had two attempts and then it said that my account was now locked. Oh well I thought, I'll have to use another card.

But wait, unbelievably it gives you the option to reset your password there and then. All you need is your card number (well you've already got that to have got this far), the expiry date (ditto), the cvv (ditto) and your date of birth (ok you haven't had to enter that so far, but come on) and hey presto, your password is reset, your account is unlocked, and the payment is authorised.

simongregson

Having worked in a shop myself, I am a little suspicious of the 'not touching the card' idea. Although it stops the card user from having their 3 digit card copied off the back of the card, you also need the numbers from the cardholder address to make this number useful, for example if my address is 10 _____ street, SW1 1AA, the merchant uses these numbers AND the 3 digit code. The card contains other security features, for example a hologram, UV print, embossed characters, on the signature strip, microprint. When I worked in a shop before chip and pin it was actually quite easy to spot copied cards if you checked these features, which we did as we sold electronics. The problem then was more stolen cards. In a customer operated terminal these feature are not checked.

bert&ernie

The CVV2 is a very weak form of protection and 3D secure (the generic name for Verified by Visa and MC Secure) is half baked at best. The only realistic way of providing security for CNP transactions is to move towards multi-factor authentication methods. One way of doing this is issuing customers with security tokens - preferably with PIN entry devices built in. This will allow generation of one-time passwords. Better still, why not build it all into the card...
http://www.emue.com/devices001.html

Other ideas I've heard of are real-time telephone challenge - where the bank automatically dials out to you mobile when a transaction is attempted. Don't think this would work for card payments as the authorisation process is subject to strict time limits. Would work for transactions that are not as time sensitive such as balance transfers and online banking transfers. Also usefully for non-monetary transactions like name/address changes - this would help to spot account takeover/ID theft.

Richard019

Cabby77 wrote: »

Hi,

this is some advise on things to look out for to stop your card details falling into the wrong hands.. I recently had my supposedly secure chip & pin card scammed - and it wasn't from a cash machine. was from a shop. and its easily done..!!

best tip ever - NEVER let your card out of your sight... in a restaurant or shop, never let them take your card, and come back with the chip and pin reader. retailers don't even need to touch your card...

and here is why...

on your receipt, you will see your card number all starred out, apart from teh last 4 digits - this is for "security" ***********1234 you will also see your expiry date..

the retailer copy has your entire card number, not starred out, along with the card expiry date, so all they need is the 3 digit CCV code off the back of your card, which they look at and write down / memorise when they take your card away to get the machine.!!!!!

they have all they need to spend freely..!!! can pay for things over the net, or over the phone using the "cardholder not present" facility...

its scarily easy, and can cause, what turned out for me, months of pain!

EDIT Don't they also need the cardholders name? (largely a moot point as you'll see) /EDIT

If you think they need to take the card out of your sight to make a note of that then you're kidding yourself.

At work we're expected to take every precaution available to reduce the possibility of card fraud. Despite being sat at a till in a shop with the card reader fixed on top of a pole I can check the name, signature strip, and card type in less than a second when I put the card in, and by and large customers don't even realise I've done it.

NB: There's nothing sinister in that check. I don't want to be accused of anything if I accept payment from a woman using Mr Smith's card. The signature strip check is more for their benefit than mine, I'm only ever asked for a signature when I go into the bank and the amount of people that don't sign it because it's a C&P card is surprising and a discreet mention to them is usually received well (particularly where they've got a new card and forgotten). Card type I'm just checking to see if it's credit or debit (to offer cashback or not).