Dads bank card cloned

matttye

JuicyJesus wrote: »

They are very secure. The unencrypted magnetic strip on the back of every single one however is not. In fact it's the opposite of secure, and it's the target of every skimming device going.

OP's dad's card was most likely cloned using a device on the front of an ATM reading the magstripe, which can be used to create a functionally identical magstripe-only card using inexpensive hardware and software. Nothing to do with Chip and PIN. Were the magstripe not present, cloned card fraud would more or less die out overnight.

What purpose does the magstripe serve, and can cards do without it?

JuicyJesus

Uxb wrote: »

Link to the case and subsequent appeal court overturning of the lower court's decision?

That does sound like complete b*llocks.

EDIT: Retracted, it isn't, stunningly, but is irrelevant to this discussion for reasons provided below.

grumbler

JuicyJesus wrote: »

OP's dad's card was most likely cloned using a device on the front of an ATM reading the magstripe, which can be used to create a functionally identical magstripe-only card using inexpensive hardware and software.

AFAIK there are no ATM in UK will accept such card. Are we not talking about an ATM withdrawal?

JuicyJesus

matttye wrote: »

What purpose does the magstripe serve, and can cards do without it?

Overseas, most/some countries don't use Chip and PIN, especially outside Europe. Also some UK ATMs don't support Chip and PIN (although most of the ones operated by major banks do, for fairly obvious fraud loss avoidance reasons).

Most people would find that if the magnetic strip on their card didn't work they'd never have a single issue. Personally I'm in favour of them being removed or being an opt-in feature, with Chip and PIN as standard. While it's certainly possible for CAP to be cloned, I've never seen any evidence that it's widespread enough to be a concern in the same way that magstripe fraud is.

grumbler wrote: »

AFAIK there are no ATM in UK will accept such card. Are we not talking about an ATM withdrawal?

Magstripes are accepted at ATMs as a fallback and also to support foreign withdrawals, as many foreign banks do not issue or use Chip and PIN cards.

ChumpusRex

matttye wrote: »

What purpose does the magstripe serve, and can cards do without it?

It allows the card to work in old equipment which has not been upgraded to chip & PIN.

Essentially all equipment in the UK is chip & PIN, but chip cards are not used in some countries like the USA; so cards need to have the insecure magstripe so they can be used abroad.

Link to the case and subsequent appeal court overturning of the lower court's decision?

I don't have a link to the court cases, and don't know how to search for them.

But, if you excuse my poor memory in the initial post, the victim was a police constable in Cambridgeshire called John Munden. He was convicted in 1994 (before chip & PIN, and therefore based upon a cloned magstripe card) and fired from his job.

His appeal succeeded in 1996.

If you know how to search court records, you should be able to find the case. If you have a link, I'd like to see this, as I only have some brief notes relating to this case.

JuicyJesus

ChumpusRex wrote: »

I don't have a link to the court cases, and don't know how to search for them.

But, if you excuse my poor memory in the initial post, the victim was a police constable in Cambridgeshire called John Munden. He was convicted in 1994 (before chip & PIN, and therefore based upon a cloned magstripe card) and fired from his job.

His appeal succeeded in 1996.

If you know how to search court records, you should be able to find the case. If you have a link, I'd like to see this, as I only have some brief notes relating to this case.

I don't even need to search for it (although, incidentally, I did). While that is wrong, and terrible, 1994 is a long time ago, and regulation is much, much more strict than it is now. Banks are required, not least by the Payment Service Regulations, to investigate and refund disputed/unauthorised transactions properly, with the Financial Ombudsman Service as a last port of call. None of this existed in 1994.

Moreover, this concerns magstripe, which as stated is so inherently broken and fraud-ridden (and certainly would have been 20 years ago) that it should be dropped like a hot potato as soon as is practicable, not Chip and PIN - which again, is not 100.000% infallible but which is so close to such as to make the chances of a cloned chip being used negligible. I would invite you, for a start, to have a look for the price of magstripe writers for the PC and blank cards, in relation to how much a fraudster can clear out of accounts using the resulting cloned cards.

grumbler

ChumpusRex wrote: »

...experts proved that the banks were wrong and that cloning was very possible. The bank eventually ended up paying £50 compensation.

ChumpusRex wrote: »

....(before chip & PIN, and therefore based upon a cloned magstripe card) ....

What does this case have to do with this thread topic then? Chip&Pin was introduced to prevent cloning and AFAIK nobody proved yet that cloning is possible.

ChumpusRex

grumbler wrote: »

What does this case have to do with this thread topic then? Chip&Pin was introduced to prevent cloning and AFAIK nobody proved yet that cloning is possible.

It was a mistake made by confusing 2 cases. It was a more recent case I was thinking of, but got confused with the details of the old case.

There was a more recent case in 2008, involving a chip & PIN card and a Mrs Jane Badger.

In this case, there were mysterious withdrawals from ATMs. The bank pressed charges of fraud after their transaction logs showed that the card was a chip & PIN card. Again, bank experts stated in court that the system was secure and Chip & PIN cards could not be cloned and that the transaction logs clearly showed that the original card was used.

However, in a chip & PIN transaction, the card's chip generates a secure, unforgeable digital signature at the time of the transaction, this is transmitted to the bank and is kept as proof that a specific chip was used to initiate a transaction. The defence asked for a copy of the digital signature for the transactions in question but the bank had no records of the signautres. In this case, the person was aquitted, but not without having been suspended from work.

What the technical reason for not having the signatures was never found. However, the defence successfully argued that the banks logs mistakenly recorded a magstripe read as a chip read (a cloned card with a fake chip), which would explain why no chip signatures could be found.

matttye

JuicyJesus wrote: »

Overseas, most/some countries don't use Chip and PIN, especially outside Europe. Also some UK ATMs don't support Chip and PIN (although most of the ones operated by major banks do, for fairly obvious fraud loss avoidance reasons).

Most people would find that if the magnetic strip on their card didn't work they'd never have a single issue. Personally I'm in favour of them being removed or being an opt-in feature, with Chip and PIN as standard. While it's certainly possible for CAP to be cloned, I've never seen any evidence that it's widespread enough to be a concern in the same way that magstripe fraud is.

ChumpusRex wrote: »

It allows the card to work in old equipment which has not been upgraded to chip & PIN.

Essentially all equipment in the UK is chip & PIN, but chip cards are not used in some countries like the USA; so cards need to have the insecure magstripe so they can be used abroad.

Definitely sounds like it should be an opt-in feature then. Not everybody travels abroad, so would benefit more from a more secure card!

Wywth

brutus1983 wrote: »

My dad went to draw soe money out earlier on and was unable to with it saying it reached his limits for withdrawals for the day which he hadn't used a cash machine that day

He went in the bank which they told him it was used at 11 am to draw out 250 which he hadn't as he was with me sitting in a jam on the m6 at that time they can't say where it was withdrawn yet


He's changed the pin and canceled the card and ordered a new 1 but the main question is will he get his money back or will he be out of pocket

Depends. Normally he'll get the money back, but if the bank discover he was involved in the fraud and/or negiligent in protecting his details, they may not.

How does your dad think his card could have been cloned?
More importantly, how does he think anyone else could have obtained his PIN.
Why doesn't he register here and ask himself?