MSE News: Chip and Pin fraud danger uncovered
philandstuff wrote: » So, given that cards get issued for three years, people will have SDA cards with this vulnerability until the end of 2013? It's simply not good enough.
If it worries you that much, you could always 'lose' your card and get a nice shiny new DDA one.
The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.0 -
Re duplicate Chipped Cards they were used within 30 minutes of each other - Chip Verified, and witnessed. I've no reason whatsoever to fib.
Anyway I've given you A solution see posting #6 above. Any comments?
Just to confirm, we are talking about the same two cards we were discussing in August 2008?
I really don't want to have to go over that again - that's why I posted the link to that thread. If you insist on resurrecting this point then I will challenge it - if for no reason other than to prevent you misinforming others.
Incidentally, I don't think you are fibbing. I've tried to explain why I think you have jumped to the wrong conclusion about those two cards. I don't know why you find this so hard to accept, but I might speculate that it has something to do with your frankly obsessive, if not indeed paranoid, perception of payment card security.
The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.0 -
Sigh, did they not learn anything from sky?
After all it is the same chip, or a hybrid of it, and if you like, pin
It is also vulnerable in other ways too, has been since it was launched
That's it, I am done, Blind-as-a-Bat has left the forum, for good this time, there is no way I can recover this account, as the password was random, and not recorded, and the email used no longer exists, nor can be recovered to recover the account, goodbye all ………….0 -
Sky as in Sky TV and their viewing card? It's not the same chip at all. It's not even necessarily the same silicon manufacturer, and it's certainly not the same OS or application.0
-
Re duplicate Chipped Cards they were used within 30 minutes of each other - Chip Verified, and witnessed. I've no reason whatsoever to fib.
Anyway I've given you A solution see posting #6 above. Any comments?
Er, yeah. If I'm a fraudster and have 'cloned' or 'copied' your card, why on earth would I keep information to say your fingerprint should be used when there are much easier and better methods of countering this?
Your duplicates were obviously just that; duplicates. And it would only have been possible to do that at the personalisation bureau, where an audit trail would show who was responsible for the duplicate. This is in no way the same as a fraudster being able to steal your card and clone it.
BTW - specific to the attack being discussed in this thread, the MasterCard specifications already make provision for this attack to be defeated. They have a "Terminal Erroneously Considers Offline PIN OK" flag. Whilst Visa specs don't currently (v1.4) have this, the spec is being revised and due for release by the summer. There may be some similar provision in that. Even if not, individual card OS providers could provide some proprietary mechanism to accomplish this.
Meanwhile, the issuer systems could be upgraded to detect this attack when the transaction is sent online, and the cards' offline limits reduced to force them online. This can be done for cards currently out in the field. It all depends on how likely the banks and/or schemes and/or other mandating bodies believe this attack is to happen.0 -
Er, yeah. If I'm a fraudster and have 'cloned' or 'copied' your card, why on earth would I keep information to say your fingerprint should be used when there are much easier and better methods of countering this?
Your duplicates were obviously just that; duplicates. And it would only .
The whole point is that if you use the 'Thumbprint' system it's the CROOK who, if they wish to complete a transaction has to submit their PRINT.
Does the system work? A similar system has been used by shops, car hire companies, petrol stations etc. The big difference is that these users requested a customer's print. The system I use/propose puts you in the driving seat by sending a message to crooks. If you want to use my card - you'll need to give YOUR Dab. Surprisingly very few do.
Main Topic:
Questions:
Could the 'flawed' method of entering any PIN with any valid Chipped Card be used at an ATM?
What incentive is there for retailers to try and spot and stop this sort of fraud, when, as long as a transaction is PIN verified, the retailer gets their money?
Thoughts:
When Chip & PIN cards were being rolled-out, theft on cards lost in transit went through the roof. Therefore apart from stealing cards from the individual, you'd expect fraud on cards lost in transit to increase too.
Back to the old nugget, your card is nicked, someone uses the method described in the News and we're back where we started (Liability Shift) - "You must have been careless with your PIN?"0 -
1. Unless the fingerprint is stored on the card, it's of very limited help. Then, are you proposing to ink everyone's thumb or provide biometric readers? Who pays? If no reader, why wouldn't a crook just file their print down?
2. This only works with offline PIN and therefore is useless at ATMs which use online PIN.
3. Transaction is not PIN verified. It's signature verified. The problem at the moment appears to be that the issuer isn't checking the CVMR against the CVR.
4. Most issuers now require the card to be activated before it can be used, coupled with a requirement for online authorisation on first use. Both these methods reduce (and potentially eliminate) card-not-received fraud - especially if the issuer does check CVMR.0 -
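The issuer-side check that the two posts above refer to (comparing the terminal's CVM Results with the card's CVR when a transaction goes online), as an added example that is not part of the original thread. The CVM Results layout follows EMV Book 4; the CVR bit positions are hypothetical, since CVR layouts are scheme-specific, and the sample values are constructed.

```python
# Added example: issuer-host check that the terminal's CVM Results (tag 9F34)
# agree with what the card itself recorded in its CVR.

# Low 6 bits of CVM Results byte 1 (EMV Book 4): methods where the card checks the PIN.
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}
CVM_SUCCESSFUL = 0x02  # CVM Results byte 3

# ASSUMPTION: CVR layouts are scheme-specific; these bit positions are hypothetical.
CVR_PIN_PERFORMED = (0, 0x04)  # (byte index, mask)
CVR_PIN_FAILED = (0, 0x02)


def _bit(data: bytes, pos: tuple) -> bool:
    index, mask = pos
    return bool(data[index] & mask)


def terminal_claims_offline_pin(cvmr: bytes) -> bool:
    """True if the terminal reports a successful card-verified PIN."""
    if len(cvmr) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    return (cvmr[0] & 0x3F) in OFFLINE_PIN_CVMS and cvmr[2] == CVM_SUCCESSFUL


def card_confirms_offline_pin(cvr: bytes) -> bool:
    """True if the card says it verified a PIN and the check passed."""
    if len(cvr) < 1:
        raise ValueError("CVR is empty")
    return _bit(cvr, CVR_PIN_PERFORMED) and not _bit(cvr, CVR_PIN_FAILED)


def check_transaction(cvmr_hex: str, cvr_hex: str) -> str:
    """Return 'consistent' or 'mismatch' for one online authorisation."""
    cvmr, cvr = bytes.fromhex(cvmr_hex), bytes.fromhex(cvr_hex)
    if terminal_claims_offline_pin(cvmr) and not card_confirms_offline_pin(cvr):
        return "mismatch"  # terminal says PIN OK, card never saw a good PIN
    return "consistent"


# Constructed sample authorisations: (label, CVM Results, CVR).
SAMPLES = [
    ("offline PIN, card agrees", "410302", "04000000"),
    ("offline PIN, card saw no PIN", "410302", "00000000"),
    ("signature", "1E0302", "00000000"),
]

if __name__ == "__main__":
    for label, cvmr, cvr in SAMPLES:
        print(f"{label}: {check_transaction(cvmr, cvr)}")
```

A "mismatch" result is the signal an issuer host would decline or refer on; it only fires for transactions that are sent online, which is why the post pairs it with reduced offline limits.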
"The problem is that it doesn't cost the industry anything if they can just say "the receipt says it was verified by PIN so it's your fault". It costs the consumers money, not the industry, because the industry can deny a fraud has taken place and blame the consumer instead. Therefore, the banks are under no incentive to change because they don't stand to lose much under the current system."
Then that is also a failure of the regulators, nothing new there.
I thought banks couldn't just transfer the blame like that but I've not experienced it personally. I know in the example I gave all payments were re-imbursed, but that could be because they were abroad and the customers were clearly in the UK.
Come to think of it if what you say IS happening then the FSA, OFT, FOS and Parliament need to get their act together and get it sorted out.
Mixed Martial Arts is the greatest sport known to mankind and anyone who says it is 'a bar room brawl' has never trained in it and has no idea what they are talking about.0 -
At the rate crooks overcome the security, we will all have chips in our arms like demolition man movie.
No system is ever 100% secure, you just need to make it so difficult/complex to overcome that a majority of criminals are unable to use a stolen card.
Although no trees were harmed during the creation of this post, a large number of electrons were greatly inconvenienced.
There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies0
This discussion has been closed.