Bank Fraud! Santander!!!

JuicyJesus

TurnUpForTheBooks wrote: »

AFAIK ALL ATMs use ONLY the magnetic stripe.

You are completely and totally wrong.

Hominu

TurnUpForTheBooks wrote: »

AFAIK ALL ATMs use ONLY the magnetic stripe. Why else does the card need to go into the machine

Think of this situation:

You use your card in a PIN Sentry and enter the PIN wrong 3 times in a row. Your card is then locked.

You then remember the right PIN, visit an ATM and press the "Unblock PIN" function.

The card then magically starts working again in the PIN Sentry.

ATMs can read either the mag stripe, chip, or both.

henm2

http://www.theukcardsassociation.org.uk/individual/standard-features-payment-cards.asp

The above site confirms that the PIN is not on the card which is why fraudsters need hidden cameras to record you tapping your pin number in or need to shoulder surf you.

"The four digits of your PIN (personal identification number) are not held as a set of numbers on the chip.

Magnetic Stripe: The magnetic stripe holds some of the same information as the chip. As practically all UK cards have a chip on them, the magnetic stripe now holds a small flag to specify that the card has a chip on it to assist in fraud prevention. The magnetic stripe is remaining on cards so that you can still use your card abroad in countries that have yet to implement chip & PIN"

As others have said this case sounds like it is a close member of the family/friend doing the cash withdrawals

Uxb

The encrypted version of pin is on the card in the chip
That is why the above linked website was so careful to say it is not stored as a set of numbers....which left out quite a bit of how it might be stored
As ever its not what they say that matters - its what they don't say.

PS I sadly agree with other posters as to the likely person(s) doing the withdrawals

TurnUpForTheBooks_2

reclusive46 wrote: »

Err...No. How did you think you change your PIN at an ATM?

Well I do take the point that if the PIN was stored in the CHIP then you might assume that to change it at an ATM the ATM would have to read/write to the CHIP.

The PIN is stored on the card, would be difficult if the ATM couldn't read the chip. Most read the chip (And can read the magnetic stripe)

But I am not entirely convinced by that piece of presumed logic - in fact the only thing that attracts me to your view is that a stand alone CHIP reader as issued by many banks for Internet login security purposes would I think be able to verify a changed PIN immediately after it had been changed at an ATM. I don't think it can also read the first 20 mm of the magnetic strip but it is possible I suppose - I've never taken one apart to have a look!

Magnetic stripe ATMs don't even usually retain the card. You insert and swipe it back out again. Then select your options.

I've been using ATMs almost since they were first introduced i.e. way before CHIP & PIN. I don't recall that I ever removed my card and then selected my options afterwards but you might be right.

However, all this is a side-show the problem highlighted in the original post, isn't it? How dare Santander stitch up a customer so easily when it is plain to see that the banking industry's investment in card security is no more than lip service with a growing trend towards leaning on innocent customers since CHIP & PIN turned the tables with regard to risk?

In any event, customers have always paid collectively for card fraud, not banks. Card fraud is just additional turnover for a bank, plus a modicom of inconvenience and unpleasantness to manage when a customer notices. Police have no interest whatsoever in card fraud as I understand it is outside their jurisdiction by cosy agreement. It has to be, or police would be doing nothing else all day but investigating card fraud because they have thousands of hours of CCTV of fraudsters at work (as mentioned by earlier posters). Funny how they ignore it all, eh?

As for whether new cards and new PINs (or PIN reminders) can be requested simultaneously well I know they could be with credit cards at one time. Can anyone say if the debit card replacement system is any different?

I see no evidence to suggest that the fraud is being executed by any associate of the cardholder. This is merely the opening gambit used by banks and employees of banks and frankly it stinks - same as it always has, but instances where they have tried to make it stick in the past were not so blatant a try-on as is the only conclusion we can make of the experience reported by the OP.

Hazzanet

The PIN is stored on the the chip in an encrypted form. When you tap the PIN into an ATM or a PIN pad in a shop, that encrypts it and sends it to the chip.

The chip compares the two, and if they match, it says that the PIN was correct, if not it says that it is not correct and increases its internal "wrong PIN" counter by one.

If you're *really* bored, the technical specification and all the gubbins about encryption and how it works is here:

http://www.emvco.com/specifications.aspx?id=223

TurnUpForTheBooks_2

Yeah yeah, but how do you get cash from the machine if your card has no CHIP (I have an Electron card like that). And how do you get cash from a machine if your card has a chip but the ATM has no CHIP reader? Or if the CHIP is damaged and the CHIP reader can't read it? Has anyone ever heard of an ATM machine saying "Can't read the CHIP" or some such? ... I've seen "This machine is temporarily unable to dispense cash" and I have seen "Card retained - Contact your branch" but never "Come again? Can't seem to read your card, old boy!"

My understanding on changing the PIN is that it used only to be possible at your own bank for some reason. Is that perhaps because that's the only secure way that an encrypted PIN can be changed simultaneously on CHIP and magnetic stripe and your bank's servers (that's at least three locations if you hadn't realised)?

reclusive46

TurnUpForTheBooks wrote: »

Yeah yeah, but how do you get cash from the machine if your card has no CHIP (I have an Electron card like that). And how do you get cash from a machine if your card has a chip but the ATM has no CHIP reader? Or if the CHIP is damaged and the CHIP reader can't read it? Has anyone ever heard of an ATM machine saying "Can't read the CHIP" or some such? ... I've seen "This machine is temporarily unable to dispense cash" and I have seen "Card retained - Contact your branch" but never "Come again? Can't seem to read your card, old boy!"

My understanding on changing the PIN is that it used only to be possible at your own bank for some reason. Is that perhaps because that's the only secure way that an encrypted PIN can be changed simultaneously on CHIP and magnetic stripe and your bank's servers (that's at least three locations if you hadn't realised)?

Unless the electron card is not UK issued it should have a chip. The only issuers in the UK that does not have chip cards is Diners Club and emergency replacement cards.

ATMs still have magnetic strip reader and will read it if they can't read the chip but many issuers (Not all) will decline the transaction (especially after more than one withdrawal). They still have the reader for two reasons, one being international acceptance, they can take non-chip cards (Mainly Americans) and for the reason above if the chip is damaged or dirty.

Visa and American Express (I'm sure MasterCard do, but never seen it) have a system in place where it detects if an ATM or POS is falling back to the magnetic stripe a lot (Thinking there is something wrong with it), it will then tell issuers (Or itself and issuers in Amex's case) to allow the fallback transactions.

There are a few ATMs in the UK that don't have a chip reader, you can find these on Visa or MasterCards atm locator as you can select to view ATMs that have chip readers (For Europeans with VPAY or Maestro cards that don't have magnetic stripes).

JuicyJesus

TurnUpForTheBooks wrote: »

Well I do take the point that if the PIN was stored in the CHIP then you might assume that to change it at an ATM the ATM would have to read/write to the CHIP.

That's because it does.

But I am not entirely convinced by that piece of presumed logic - in fact the only thing that attracts me to your view is that a stand alone CHIP reader as issued by many banks for Internet login security purposes would I think be able to verify a changed PIN immediately after it had been changed at an ATM.

That's because they are right and you are wrong.

I've been using ATMs almost since they were first introduced i.e. way before CHIP & PIN. I don't recall that I ever removed my card and then selected my options afterwards but you might be right.

Some ATMs do work that way. A tiny minority. Typically the fee-paying sort you'd find in the corner of corner shops and petrol stations.

However, all this is a side-show the problem highlighted in the original post, isn't it? How dare Santander stitch up a customer so easily when it is plain to see that the banking industry's investment in card security is no more than lip service with a growing trend towards leaning on innocent customers since CHIP & PIN turned the tables with regard to risk?

Where someone's genuine original Chip and PIN card has been used with the correct PIN on the first try then it's fair to assume that the person a) had the original card and b) knew the PIN, meaning either they're the customer or the customer gave the card and/or PIN to someone else. That's basic logic.

Couple that with the fact that five transactions over five days is not normal fraudulent activity and it looks odd.

(This does not mean it's impossible, but virtually everything to do with these cases has to be decided on balance of probabilities. There are lots of unknowns, and the technological evidence is quite compelling in most cases.)

In any event, customers have always paid collectively for card fraud, not banks.

Oddly enough banks do pay for it, quite handsomely actually.

Police have no interest whatsoever in card fraud as I understand it is outside their jurisdiction by cosy agreement.

If the bank has refunded then they are the ones who have had the money taken and so they would have to be the ones reporting it. You are more than welcome to report non-refunded card fraud to the police. Indeed banks can insist on a customer doing so. There is very little the police can reasonably do about it though, since there are usually no leads whatsoever.

It has to be, or police would be doing nothing else all day but investigating card fraud because they have thousands of hours of CCTV of fraudsters at work (as mentioned by earlier posters). Funny how they ignore it all, eh?

You have a severely over-optimistic view of how many CCTV cameras there are, how many are pointed at ATMs and how many can conclusively identify a person who is otherwise anonymous.

As for whether new cards and new PINs (or PIN reminders) can be requested simultaneously well I know they could be with credit cards at one time. Can anyone say if the debit card replacement system is any different?

Depends on the bank's systems but there's no reason why not in principle.

I see no evidence to suggest that the fraud is being executed by any associate of the cardholder. This is merely the opening gambit used by banks and employees of banks and frankly it stinks - same as it always has, but instances where they have tried to make it stick in the past were not so blatant a try-on as is the only conclusion we can make of the experience reported by the OP.

The bank's position, as noted above, seems to have merit; the typical activity of a fraudster would be to whack the card for as much as possible before it gets cancelled. But if the OP really genuinely isn't involved they can follow the appeals process and hopefully it will get resolved.

TurnUpForTheBooks_2

So how can Santander abdicate responsibility with a system as flakey as one still commandable using cloneable magnetic stripes if that's what you are confirming reclusive46?

Banks suffer nothing from card fraud. As I have said they gain additional turnover from it and a bag full of excuses for freezing accounts when they feel like it. We pay via the various bank charges and rip off interest rates

As we are all too aware, banks have laundered money big time for profit so you can take any suggestion that they pay handsomely for anything with a pinch of salt.

Police will only give you a crime reference for card fraud losses if you insist upon it. They will not investigate. As I said, a cosy agreement exists that saves them the trouble.

If their CCTV is not up to standard then my assertion that they are not investing in security is correct, isn't it? If a bank sponsored football club can provide police with at least 90 minutes of HD coverage of the face of the occupant of every seat in a tens of thousand seat stadium for every game they play, then why can't banks have a decent camera on every ATM?

The truth is they do, but they aren't sharing the data they collect - it's bad for business and their business is turnover and nothing but.


And so we now hear that the OP apparently has no option but to enter into some kind of appeals process - one invented by the banks in recent years no doubt. So it seems a time has come to a position where some banks feel confident that they can safely introduce another level of obstruction between a customer and their own money - one where the bank can decide it will separate the two more often and more quickly now than it ever dared do in the past perhaps?

Reputational damage is no longer a worry is it, so what is to stop them? As I discovered in another thread today, a defining national characteristic seems to be that there are plenty of supposedly gainfully employed citizens who actually believe it is fair game to kick a person when they are down.

There's a moral in this thread I think - give Santander a miss, but do ask the others what they are doing in similar circumstances to see if you might also give one or two of them a miss too.

Meantime I'll stick with my CHIP-less VISA Electron and keep them on their toes