We'd like to remind Forumites to please avoid political debate on the Forum. This is to keep it a safe and useful space for MoneySaving discussions. Threads that are - or become - political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.

MSE News: Chip and Pin fraud danger uncovered

Options
13»

Comments

  • James
    James Posts: 2,059 Forumite
    First Post First Anniversary Combo Breaker
    Options
    [FONT=Verdana][COLOR=black][COLOR=black][FONT=Verdana]1. Unless the fingerprint is stored on the card, it's of very limited help. Then, are you proposing to ink everyone's thumb or provide biometric readers? Who pays? If no reader, why wouldn't a crook just file their print down?[/FONT][/COLOR]
    [/COLOR][/FONT]
    



    There is no need to store biometric print details on the Chip or to use biometric readers. All that is required is the information stored on the Chip & Magstrip that the credit card shows that the cardholder authenticates their transactions with their Thumbprint.

    Retailers would retain Transaction slips, complete with print just as they used to do, and still do with Chip & Signature Cards.

    Re crooks filing their Print down. First and foremost this system is Consumers Choice. Those embracing this system would need to be capable of providing a good print.

    Prints would be checked by the Retailer to make sure a ‘good print’ is submitted. If a retailer had any doubt they could then ask for a print from a different digit. A genuine cardholder would have no hesitation doing this. The second is for the Retailer to carry out a Code 10 Check. This is where the individual using the card speaks to the Card Issuer at point of sale and is taken through a serious of security questions. (Used to be common practice).

    Re method & cost: Inkless Thumbprint pads are used. These leave no mess on the Thumb yet provide a durable perfect print. (The U.S have been using these pads for cashing Cheques for many years now). The cost per transaction is less the ½ Pence. I carry my own.

    2. This only works with offline PIN and therefore is useless at ATMs which use online PIN.


    Yes you are right you can’t use such a Card at an ATM. But up until the early 2001 you weren’t issued a PIN with your Credit Card – you had to request one. (This obviously would be the Cardholders Choice.

    3. Transaction is not PIN verified. Its signature verified. The problem at the moment appears to be that the issuer isn't checking the CVMR against the CVR.


    The essence of Thumbprint system is it provides an auditable trail of the person who actually carried out a transaction. This means that if the transaction is genuine, the print or transaction slip would never be questioed. If however the genuine cardholder questions a transaction, they immediately have the means of proving it wasn’t them (no cardholder liability) who carried out that particular transaction and the transaction slip can then be supplied to the Police as forensic evidence.


    4. Most issuers now require the card to be activated before it can be used, coupled with a requirement for online authorisation on first use. Both these methods reduce (and potentially eliminate) card-not-received fraud - especially if the issuer does check CVMR.


    Once again if the Chip & Magstrip carried the details that the Genuine Cardholder – Thumbprinted. Then there would be little need to activate a card, although this would be a welcomed and additional security feature.

    Additional benefits are:

    You could quite easily adapt the Thumbprint method to deter fraud when purchasing goods via the Internet, by Mail Order, Phone or Fax. But this is another topic.

    Because the Thumbprint message to Retailers is contained covertly in the Chip or Magstrip, crooks would be very reluctant to use a stolen card anywhere in the world.

    If you have any doubts about the effectiveness of this system, check out the links in my previous posting. Crime’s reduced, Criminals are Identified and Caught, and Genuine Cardholders are never accused of First Party fraud or being Careless with their PIN.
  • Alex_LS
    Alex_LS Posts: 197 Forumite
    Options
    James wrote: »
    Because the Thumbprint message to Retailers is contained covertly in the Chip or Magstrip, crooks would be very reluctant to use a stolen card anywhere in the world.

    Covertly? Any indication that a print is required will be apparent to anybody who cares to check the card. Any merchant not using a reader will also be apparent. This will not significantly reduce fraud and has the added drawback that the cardholder is not authenticated. It may be fine from the cardholder's point of view (although there are privacy/security issues and other objections), but everyone else in the chain (merchant, acquirer, issuer) will not be satisfied that a fraudulent transaction can be authorised just because someone has a thumb. The actual print would have to be stored somewhere (on the chip for offline, at the issuer for online) and verified during the transaction.

    Biometrics sound fine in theory but, as has been said, criminals will tend to find a way around most (if not all) security measures given enough time and if this involves biometrics, you're stuffed. You can replace a card/PIN but you cannot currently replace your fingers, eyes or DNA.
  • INT1
    INT1 Posts: 1,257 Forumite
    First Anniversary Combo Breaker
    Options
    Oooh this Professor Anderson is so Anti Chip+PIN.

    Lets remember here that the guy is a "Professor" and has access to lots of electronic gadgets or whatever else is needed to do this.

    Do we really think firstly that a typical fraudster will go to so much effort to get the know how and money to get this going?

    Interesting read about using Biometrics, I would think financial institiutions would be warned of doing this in case a thief cuts off someones fingers for the sake of a ATM withdrawal etc...
  • catflea
    catflea Posts: 6,620 Forumite
    Options
    This is all very interesting reading guys. Thanky you.

    This wedge, are we talking a slim wedge that gets jammed down the back of the card? I cant see any easy way to do this covertly....
    Proud of who, and what, I am. :female::male:
    :cool:
  • James
    James Posts: 2,059 Forumite
    First Post First Anniversary Combo Breaker
    Options
    Alex_LS wrote: »
    This will not significantly reduce fraud and has the added drawback that the cardholder is not authenticated. It may be fine from the cardholder's point of view (although there are privacy/security issues and other objections), but everyone else in the chain (merchant, acquirer, issuer) will not be satisfied that a fraudulent transaction can be authorised just because someone has a thumb. The actual print would have to be stored somewhere (on the chip for offline, at the issuer for online) and verified during the transaction.

    .

    But it has dramatically reduced fraud & theft. See links in my previous postings.

    Just how do you authenticate a cardholder??? By a PIN which could be stolen, or in these postings - circumvented. By a signature which can be forged? May I suggest that the most trustworthy means at prestent of making sure it's the genuine cardholder presenting a card is for the retailer to obtain and hold a transaction slip complete with Print for X amount of months. Nothing changes from the pre PIN days when people signed apart from the Transaction Slip having the customers print.

    Believe me it works a treat.
  • Jemma-T
    Jemma-T Posts: 1,546 Forumite
    Options
    Nothing really new here. Those people doing the thinking at that university are just using well known methods that have been talked about before.

    Chip & PIN -as much as I like the convenience- is poor as it's ill-thought out tech used by banks keen to blam other people for fraud and/or error.

    And mind it was thought up by the bankrupt banks who love a bit of marketing.
  • Stickan
    Options
    I think this is exactly what might have happened to me.
    I had an Amex replacement card sent in the post to me, and it got stolen, and the person who took it had my pin.

    They purchased £8K of goods on a day when I was even outside of the country. American Express is saying it's me because the correct pin was used.

    Is there anything I can do?
    Thanks!
  • dealer_wins
    dealer_wins Posts: 7,334 Forumite
    Options
    Stickan wrote: »
    I think this is exactly what might have happened to me.
    I had an Amex replacement card sent in the post to me, and it got stolen, and the person who took it had my pin.

    They purchased £8K of goods on a day when I was even outside of the country. American Express is saying it's me because the correct pin was used.

    Is there anything I can do?
    Thanks!

    You could start by sending them your airline ticket, stamp in passport etc to prove you were out of the UK.
  • meer53
    meer53 Posts: 10,217 Forumite
    First Post First Anniversary Combo Breaker
    Options
    How did the person who took it have your PIN ? Did they steal that too ? If you can prove you weren't in the country can't see you having any problems in getting a refund.
  • INT1
    INT1 Posts: 1,257 Forumite
    First Anniversary Combo Breaker
    Options
    I can, who's to say that the person didn't give another person the card & PIN number to use whilst he or she was out of the country!
This discussion has been closed.
Meet your Ambassadors

Categories

  • All Categories
  • 12 Election 2024: The MSE Leaders' Debate
  • 344.2K Banking & Borrowing
  • 250.4K Reduce Debt & Boost Income
  • 450.1K Spending & Discounts
  • 236.3K Work, Benefits & Business
  • 609.7K Mortgages, Homes & Bills
  • 173.6K Life & Family
  • 248.9K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 15.9K Discuss & Feedback
  • 15.1K Coronavirus Support Boards