Are portable PIN code machines safe to use in banks?
The Sign and Response modes I think are only used for online banking to verify certain transactions (after having already logged in using Identify), so would it not be odd if asked to use Sign or Response in the bank?
I tried the 00000000 thing with mine:
Entering a reference of 00000000 in Response mode does indeed yield what looks like a valid 8 digit code (is it correct to call that code the 'cryptogram'?) on my device.
But entering a reference of 00000000 in Sign mode followed by an amount of £0.00 at first seems to be invalid because nothing happens on pressing Enter. I thought for a moment that Gemalto or the card issuers perhaps had recently patched that particular hole via the latest card reissues but apparently not ... just pressing what looks like an unnecessary 0 when the default amount £0.00 appears, and then pressing Enter, does indeed generate what looks like a valid 8 digit code.
Now, it is all very well saying don't trust anyone that asks you to do this, but when someone asks you to put your PIN in their machine, only very few of us up until now would be alerted to what mode the machine was in and why, and whether the third party was entering further numbers e.g. 00000000 followed by 0 and Enter. So there we seem to have a big vulnerability if a valid Sign response code is actually useful to a fraudster.
So again, in plain language, if a fraudster actually obtains one of these rogue Sign Response codes by tricking us, how easy is it then for them to use it? As I said earlier, I thought the Sign and Response routines were only used for internet banking, not by staff on the tills?
VictimOfImpersonation wrote: »So again, in plain language, if a fraudster actually obtains one of these rogue Sign Response codes by tricking us, how easy is it then for them to use it? As I said earlier, I thought the Sign and Response routines were only used for internet banking, not by staff on the tills?
The only real avenue for fraud is by a fraudster capturing your login details; from there they need to add their account as a payee. Typically this requires using the Respond function, but again, it varies by bank.
A fraudster who has your login could then phone you up, posing as someone from the bank ready to add their account as a payee... they tell you they're from your bank and that there is an issue with your card, they inform you that they want you to do a test transaction by using Sign with a reference of <whatever> and an amount of £0.00 - most will be duped into thinking this is fine because it's a zero amount, but unfortunately the <whatever> part is the fraudster's account and you are unwittingly giving them the response value they need to get their account added as a payee.
As I said in my previous post, this will only work on customers with a Barclays PINSentry device; no other readers will permit £0.00.
VictimOfImpersonation wrote: »In plain language, what do we look out for and how do we protect ourselves from that one?
If a Pin Entry Device has been tampered with there's no way you'd ever know. (There's been numerous cases of this since C&P was introduced).
How can you protect yourself? - simple, get yourself a Chip & Signature Card
Hi James
I vaguely recall you have long been an advocate of avoiding CHIP & PIN by insisting on something with a more traditional backstop ... which banks will still agree to a request/demand for CHIP & Signature?
Can you also remind us how that works for those of us that might be interested in changing?
If a Pin Entry Device has been tampered with there's no way you'd ever know. (There's been numerous cases of this since C&P was introduced).
How can you protect yourself? - simple, get yourself a Chip & Signature Card
and if the machine is tampered with, assuming that your magstripe is never swiped and assuming your card doesn't get stolen from your pocket after purchase, it doesn't matter.
Chip & Signature is a double-edged sword; if someone steals your card, they can use it fairly easily, but on the flip side, if they get the magstripe, they won't know your PIN. This is precisely why almost all merchants have terminals set up so that you insert the card yourself since it prevents this.
A better all-around solution would be to offer customers the option of having more than one PIN; one for retail purchases and one for use at the ATM... on a side note I'm also in favour of offering people a "panic" PIN which they can give to an assailant that would cause an ATM to present a false balance of a random nominal amount so that the most a mugger would get out of you is a tenner.
VictimOfImpersonation wrote: »Hi James
I vaguely recall you have long been an advocate of avoiding CHIP & PIN by insisting on something with a more traditional backstop ... which banks will still agree to a request/demand for CHIP & Signature?
Can you also remind us how that works for those of us that might be interested in changing?
Just TELL your card issuer you require a Chip & Signature Card. Beware though, it's a matter of speaking or writing to the correct person. Even now quite a lot of staff (through no fault of their own) aren't aware Chip & Signature Cards exist. So stick to your guns and insist on one.
How do they work?
Obviously not in ATMs.
For face-to-face transactions you put your Chip & Signature Card into the machine (as normal). Rather than asking you to enter your PIN, a transaction slip is produced for you to sign. At the same time the person serving you is prompted to check the signature against the card.
So if you can live without ATMs (you can always get cashback in certain stores), then go for a Chip & Signature Debit Card.
Why anyone would want to use a Chip & PIN Credit Card beats me.
The bottom line is it's personal choice.
As far as I was aware, Chip & Signature could only be requested if you had a disability which stopped you using a terminal. I'm going to look at Barclays' rules again...
iblametheparents wrote: »As far as I was aware, Chip & Signature could only be requested if you had a disability which stopped you using a terminal. I'm going to look at Barclays' rules again...
This is what Card Issuers would have you believe.
All you have to say is you can't manage a PIN. If they ask if you have a disability, the correct reply is - this is personal and you have no right to ask.
There are many genuine reasons why people can't PIN. They could be numerically dyslexic. Have blank or senior moments when faced with an ATM or C&P device they simply can't remember. They just might not be able to remember more than one set of numbers. The list goes on.
Of course it is worth stating that if you do get them to issue you with a Chip & Signature card, you will most probably be unable to use ATMs.
This discussion has been closed.