One-off fraudulent card transaction
vantablack
Posts: 8 Forumite
My partner has just spotted a transaction for just under £300 on her Nationwide current account debit card at the end of last month. It was at Boots in Barking - we've never been to Barking and live probably about 80 miles away. Coincidentally we were at the Olympic Park in Stratford, so not too far away, a few days prior to the event, however she only used her card once, in Caffe Nero, and that was a contactless payment.
I'm trying to work out how this is possible - £300 would mean chip & pin, but she still has her card, so it must have been done with a fake card. So far as I can tell the pin (or a hash of it) is stored in the chip on the card but surely that's protected by some pretty strong crypto. The only thing I can think of is if chip & pin wasn't used, just the mag stripe, in which case it could have been cloned but surely a £300 transaction with a card that doesn't have a working chip would raise questions at the checkout? I'm also surprised/relieved that someone who went to the trouble of being able to make a shifty £300 transaction would then stop there and not use it more than once.
Nationwide are of course investigating but I'm curious how this could be done...
Comments
-
Card not present transaction is certainly one possibility - all you need is card number, expiry date and CVV2 (and probably cardholder name).
https://en.wikipedia.org/wiki/Card_not_present_transaction
-
Indeed, that's possible but the fact that it's Boots in Barking suggests in-store...
-
On the subject of cloning magstripes on CHIP cards, the magstripe contains a Service Code which tells the POS device 'I am a CHIP Card'. If no CHIP is present, a retailer will probably think it is an old fashioned magstripe card and simply swipe it. The Service Code will be detected by the POS device and prompt the cashier to read the CHIP (which isn't present).
If a fake CHIP is printed on the card, the retailer will attempt a read, fail and possibly fall back to magstripe/signature.
All magstripe transactions on cards with a chip Service Code will go online for auth. The Issuer will see it is a fallback transaction and probably decline the sale - or take the risk and approve it.
If the counterfeiter has been resourceful enough to alter the Service Code in the magstripe of a UK CHIP card to say, 'I am a Magstripe card', I would expect any POS device in the UK to go online for auth whereupon the issuer will detect the wrong Service Code and ask for the card to be picked up.
The transaction in question here is probably a card-not-present transaction. It would be interesting to see though.
-
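Added example, not part of any post in this thread: a Python sketch of the issuer-side checks described in the comment above, reading the Service Code from Track 2 data (ISO/IEC 7813 layout) and flagging a magstripe read of a chip card or a Service Code that differs from the one issued. The entry-mode labels, decision names and the `issuer_decision` function are hypothetical, and the track data uses a test card number and is constructed.

```python
import re

# Track 2 layout: start sentinel ';', PAN, '=', expiry YYMM,
# 3-digit Service Code, discretionary data, end sentinel '?'.
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

# First Service Code digit 2 or 6 means the card carries a chip (IC)
# that should be used where the terminal can read it.
CHIP_FIRST_DIGITS = {"2", "6"}


def parse_track2(raw):
    """Split raw Track 2 data into PAN, expiry and Service Code."""
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("not Track 2 data")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code}


def says_chip(service_code):
    """True if the stripe announces 'I am a chip card'."""
    return service_code[0] in CHIP_FIRST_DIGITS


def issuer_decision(track2, entry_mode, issued_service_code):
    """Hypothetical issuer check for an online authorisation request.

    entry_mode is 'chip' or 'magstripe' (labels assumed for this example);
    issued_service_code is what the issuer encoded when the card was made.
    """
    service_code = parse_track2(track2)["service_code"]
    if service_code != issued_service_code:
        return "pickup"            # stripe altered: not the card we issued
    if entry_mode == "magstripe" and says_chip(service_code):
        return "review_fallback"   # chip card swiped: decline or accept risk
    return "continue"              # carry on with normal authorisation


# Constructed sample data (test PAN, not a real card).
GENUINE = ";4111111111111111=30122010000000000?"   # Service Code 201
ALTERED = ";4111111111111111=30121010000000000?"   # Service Code 101

if __name__ == "__main__":
    print(issuer_decision(GENUINE, "chip", "201"))
    print(issuer_decision(GENUINE, "magstripe", "201"))
    print(issuer_decision(ALTERED, "magstripe", "201"))
```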
Thanks, interesting. Will defo. report back when we hear more.
-
My cards knowledge is very out of date but there could be all sorts of explanations. Possibly a counterfeit with neither CHIP nor functioning magstripe was key entered. I don't know what Boots procedures are for staff keying transactions in a card-present environment but £300 does seem rather a lot to allow without management intervention. It also seems a lot for Nationwide to approve.
I'm not sure about the CHIP containing the PIN. I know the PIN can be verified by the CHIP but that's not necessarily the same as actually storing it as a numerical value in the CHIP
-
My initial thought was that this was an online order and Boots uses a Barking address for such things.
I made an online order from Boots in September 2018 and a Nottingham address shows on my credit card statement, so that's that theory dead.
Given the 'card' was only used once by a third party, and the details posted here about the risks and difficulties of cloning a card and using it in store, my guess is that the transaction is genuine.
But it has been applied to the wrong account.
Impossible? I've been hit by two banking oddities recently. I had to take one to the FOS. The upshot was that they were caused by a series of unusual events.
-
That's a possibility - she's also had an issue recently where she paid a deposit via bank transfer and when the deposit came to be repaid it went to the wrong bank account, which took some sorting out. I wonder if there's something a bit skew whiff with her current account.
-
Duplicating a card chip is not possible by any method commonly used by thieves. It's the kind of thing that might be possible if GCHQ poured resources into it, or something, but it's not being done to steal £300 of vitamins.
Extracting a PIN from a card is actually impossible because it isn't stored on the card.
-
That's bizarre!
-
Extracting a PIN from a card is actually impossible because it isn't stored on the card.
I thought it was as when you do a chip and pin transaction the pin correct message comes up on the screen almost instantly and then the rest of the transaction takes a time to be authorized.
I assumed the POS machine had verified the pin correct in a nanosecond having interrogated the chip and was now contacting the processing centre to get authorization
This discussion has been closed.
