Debit fraud investigation.

reclusive46

grumbler wrote: »

This doesn't make any sense to me as if you put 3 wrong PINs in ATM your card gets locked similarly and can't be used for any PIN transactions.

Two different PINs technically though (They are just the same number). The offline PIN is used at card terminal (The PIN is psychically stored on the chip and checked) and this can be locked after 3 attempts. But when you put it in an ATM online PIN is used (The PIN is checked against the banks systems) and it doesn't look at the cards verification methods. The reason you can't use the card for 24 hours after entering 3 wrong PINs at an ATM is that the banks authorisation system basically puts a block on the entire card, so the PIN won't even be checked.

Also the transaction PIN block in theory shouldn't stop the card working as in places where it can contact the bank it will ask if the user can use a signature instead, which the majority of the time they will say no. This is done for a good reason though, if your abroad and can't unlock the PIN, some banks and credit card companies can arrange to enable signature verification until you get home.

Lets_get_sorted

meer53 wrote: »

You will only find out if your daughters bank tell you the chip has been read.

If the card and PIN have been used it doesn't really matter.

so they will always tell the truth ??

James

Just for Interest. Cards, such as Nationwide's CashBuilder Card are not chipped, they are magstrip only.


These cards can be used with a PIN to withdraw money at ATMs.

James

Lets_get_sorted wrote: »

so they will always tell the truth ??

I was issued two identical Chipped Cards several years ago. My card issuer acknowledged this. I would hope they've tightened up there manufacturing and issuing procedure since.


Who knows?

grumbler

James wrote: »

Just for Interest. Cards, such as Nationwide's CashBuilder Card are not chipped, they are magstrip only.


These cards can be used with a PIN to withdraw money at ATMs.

My understanding is that all ATMs are online and for every card they know if it has to have a chip. If the chip is missing or faulty, the card has to be rejected.
So a chipped card can't be cloned and used in ATM with a magnetic strip only.

VictimOfImpersonation

grumbler wrote: »

My understanding is that all ATMs are online and for every card they know if it has to have a chip. If the chip is missing or faulty, the card has to be rejected.
So a chipped card can't be cloned and used in ATM with a magnetic strip only.

It depends if your understanding is in any significant sense yet correct.

My understanding is that all UK debit cards still have a magnetic stripe. I think that UK VISA Electron cards ONLY had a magnetic stripe (no CHIP) up to a certain date and for withdrawals of cash could only be used in home bank ATMs.

I have a current magnetic stripe only Electron card which I can use in the home bank in Europe and in quite a few swipe type retail machines with PIN, but I cannot use it in the UK. It was manufactured by Gemalto.

There are so many different card manufacturers or even card manufacturer brands now. Just a few more are Oberthur, Gemal Tosgp, Gyd Iberica, Gemplus, Schlumberger, axalto, HiCo, ID Data, and I am sure there are a host of others. There are also a myriad of magnetic stripe cards used in other applications e.g. for Shell Petrol Pluspoints, Heathrow Rewards, some old door opening devices. We hear that when a card is "cloned" from stolen data (via secret camera to record a PIN being used and by skimming), the clone may not need to be an identical card to the original.

We have heard that there may be examples of cards being issued by mistake in duplicate (of course we would hope that even if a "duplicate" in all visible senses has been issued that every card nevertheless has an inbuilt serial number which makes it unique, but can every ATM record it?). We KNOW that if we report a damaged card that a new one will be sent out and that instantly means that two cards in two different places are viable at least until the new card is used when it then should become the only card. I think with some banks a replacement card will always now have a new 16 digit number, but perhaps not with all. I have at least one card that has been through several renewals which still has the same 16 digit number.

It is quite possible for a damaged card report to be made fraudulently and for the new card to be intercepted in the post at a vulnerable address e.g. those with post delivered to banks of shallow letterboxes at many blocks of flats.

The CHIPs out there are not so different to SIM chips but there are still many different designs in current use. Many are 5 row CHIPS but I have some that are current and may be valid another couple of years which are only 3 row CHIPS. I have no idea what differences in security they might represent, but I would guess for the moment that bigger was better. Clearly ATMs have to contend with both the old and the new and therein lies the greatest vulnerability I think.

The magnetic stripe they all carry as a secondary system seems to rely upon a fairly open standard that can be read by many legacy swipe machines. I think it has been established in this thread that most cards carry two independent systems (the stripe and the CHIP). Obviously there is some kind of rewriteable PIN algorithm in both the stripe and the CHIP which can be legitimately changed (rewritten) using a 'home' machine's "PIN SERVICES" routine. I am sure the PIN itself is not stored in any open sense, but clearly something stored in the magnetic stripe confirms whether one of the 9999 possibilities is the correct PIN and it also records incorrect tries if the stripe is read by a legitimate read/write device. I am no expert in this, but if an illegitimate stripe reader without a writer is used, then what prevents 9999 "tries" made made against whatever is stored on the magnetic stripe ? Only time I guess.

And if the mag stripe data can be skimmed off for leisurely brute force attack by some kind of computer program later, I feel sure it wouldn't take a rocket scientist to disassemble algorithms and come up with something designed to target certain types of cards coupled with certain types of machine loaded with different variants of software and protected by different types of physical security e.g. the type of 'jigger' mechanism.

I think it is totally dishonest for banks or bank apologists to say they are on top of it, or for them to deflect claims for immediate refunds by suggesting first person fraud or associate fraud. They are the ones who rushed to introduce and "support" so many diverse systems in the name of a free market, but it is this lack of strict standardisation which has in fact created the free-for-all which made us vulnerable. It's all their problem, so stick it back at them every which way you can.

The world's banks have managed quite well to standardise as cartels when it suits them. I wish they did so with card security systems. I think we can only guess that the reason they don't is because it does not suit them. Uncertainty of any kind breeds confusion. Banks love confusion as a smokescreen behind which they manipulate our simple ideas of money with their complicated ways of separating us from it.

grumbler

OK, OK....
I should have said "So a chipped card can't be cloned and used in UK ATM with a magnetic strip only."

But again, this is just my understanding.

VictimOfImpersonation

grumbler wrote: »

OK, OK....
I should have said "So a chipped card can't be cloned and used in UK ATM with a magnetic strip only."

But again, this is just my understanding.

But it isn't an understanding at all really, is it? It's surmise. We would all hope that as we have the most rife card dependant personal banking in the world excepting only USA that UK would in fact be standardised and safe. But I certainly don't believe it.

Why do you think some networks of ATMs have constantly updated software and physical protections (like the jigger)? It is because organised criminals have foot-sloggers out there "trying" various stuff sometimes electronic, sometimes physical (like a card on a thin string which at one time was something the criminals used to prevent the machine keeping the cloned card if it turned out to be an ATM which had been programmed well enough to try to snatch the clone).

Let's take the example of one main ATM manufacturer, Wincor. Wincor engineers are constantly on the road too, making modifications. But not on the basis that all their machines will be brought up to date on the same day or the same week or month, or even at all unless the particular bank has paid for it in the particular region to deter a particular problem as the bank may or may not have particularly interpreted it.

So with respect, grumbler, it isn't right to promote such broad sweep "understandings" as a general case. Surely you can see that from at least some of the pointers I have given. I am sure I have barked up a wrong tree or two also, but the general case is surely that it is a complete mish-mash out there. We customers surely didn't cause it so we should never be held to account for it by anyone other than a policeman on our doorstep.

grumbler

So, are you saying that not all UK ATMs are chip&pin enabled and/or that a magnetic strip is used as a fallback for the chipped cards?

Otherwise I don't see what serious 'modifications' and 'updates' are needed to implement what the common sense dictates and what I said above.
Also, I don't see any problem with stopping using the strip as a fallback if it is really the case.

jonesMUFCforever

grumbler wrote: »

This doesn't make any sense to me as if you put 3 wrong PINs in ATM your card gets locked similarly and can't be used for any PIN transactions.

I am trying to tell you that all ATM's are not chip and Pin enabled but read the magnetic strip.
You don't seem to believe me.

I did not say I put 3 wrong PINS in ATM but at a point of sale eg shop.