Chip & Pin security (??)

bxcfilm
bxcfilm Posts: 13 Forumite
Part of the Furniture 10 Posts Combo Breaker

I’m not sure if this is in the right forum, but please re-direct me if necessary. It concerns credit card fraud and the security or otherwise of Chip & Pin.

Last month, I was in Mexico, and when I got back I saw two entries on my credit card account which were clearly fraudulent. They were for large amounts, both on the same day – and as the credit card company told me when I called, only 2 minutes apart. The merchant details, such as they were, were different for the two different payments. The company told me that their records showed the payments as having been made using Chip & Pin, so either I made them or I had carelessly given the pin number to someone, and therefore either way they did not accept liability. They have written me a final letter refusing the claim.

It did not take me long to discover that Chip & Pin is not in fact secure. See for example:

https://fastercapital.com/content/Terminal-tampering--Unveiling-the-Hidden-Dangers-of-Card-Present-Fraud.html

https://www.inetco.com/blog/tackling-rogue-payment-terminals/

https://www.thisismoney.co.uk/money/beatthescammers/article-12396705/How-fraudsters-stealing-BILLIONS-using-chip-pin-hack-banks-refuse-admit-scam-exists.html

Is this a subject that Martin Lewis has taken up? Is there a connection between this and the move to remove the payment limit for contactless payments?

 




Comments

  • jbrassy
    jbrassy Posts: 1,003 Forumite
    Seventh Anniversary 500 Posts Name Dropper
    I think chip and pin is secure, so long as you do not reveal your pin to other people. Having said that, scammers will always find ways to do this, e.g. install card skimmers and fake keyboards at ATMs. I fail to see the connection with chip and pin fraud and contactless payment limits.

    If you believe you have been scammed and are unhappy with the verdict of your credit card company, you could write to them with a formal complaint. If that complaint is ignored, you could then raise it with the Financial Ombudsman Service. 

    Finally, you said you were in Mexico at the time of the fraudulent transactions, but where did the fraudulent transactions take place? If chip and pin was used, the credit card company should be able to tell you the physical location of the transactions. If you were in Mexico and the transactions took place in the UK (or in another part of Mexico where you were not present at the time), this could be good evidence to show they were fraudulent. 
  • grumpy_codger
    grumpy_codger Posts: 703 Forumite
    500 Posts Name Dropper Photogenic
    edited 26 March at 4:29PM
    jbrassy said:
    I think chip and pin is secure, so long as you do not reveal your pin to other people. Having said that, scammers will always find ways to do this, e.g. install card skimmers and fake keyboards at ATMs. I fail to see the connection with chip and pin fraud and contactless payment limits.
    One of the linked articles says that this sort of fraud involves tampered chip&PIN terminals that show a smaller amount than the one being authorised by a PIN. That's why it's worth keeping the paper receipts and checking them against the actual transactions.

    If you believe you have been scammed and are unhappy with the verdict of your credit card company, you could write to them with a formal complaint. If that complaint is ignored, you could then raise it with the Financial Ombudsman Service. 

    Finally, you said you were in Mexico at the time of the fraudulent transactions, but where did the fraudulent transactions take place? If chip and pin was used, the credit card company should be able to tell you the physical location of the transactions. If you were in Mexico and the transactions took place in the UK (or in another part of Mexico where you were not present at the time), this could be good evidence to show they were fraudulent. 
    The same article says that typically the FOS denies the existence of the problem and sides with banks.
    And if it's a tampered terminal, without a receipt the location proves nothing.
  • sausage_time
    sausage_time Posts: 1,355 Ambassador
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    The articles in the first post are from 2023 and 2024.

    Disclosing the PIN was mentioned in the above posts - this would only be useful for a skimmed and cloned mag stripe on the original card.  But the OP @bxcfilm states that the credit card company asserted that the transactions were chip and PIN, and the chip cannot be cloned.

    As above - were the suspect transactions also in Mexico?  
    I’m a Forum Ambassador and I support the Forum Team on the Credit Cards and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • bxcfilm
    bxcfilm Posts: 13 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    Firstly, yes, the fraudulent transactions were apparently in Mexico.

    "If chip and pin was used, the credit card company should be able to tell you the physical location of the transactions."

    They did not offer that information.

    "I fail to see the connection with chip and pin fraud and contactless payment limits."

    What is becoming clearer is that:
     1. Banks are relying on insecure systems, because the terminals can be compromised. I think it's significant that, when I was on the phone with the complaints manager and raised the problem of compromised terminals, she didn't try to deny it, but instead stayed silent.
     2. The amount of money cardholders are losing is huge, so if the banks admitted the situation they would be on the hook for billions.
     3. Getting rid of the limit on contactless payments might be a route towards eliminating Chip & Pin altogether. Doing that would (might) allow the banks to slide sideways out of the problem.

    I think there's a huge story here, but it needs someone influential to pick it up and help join the dots.

  • sausage_time
    sausage_time Posts: 1,355 Ambassador
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    I wonder if @grumpy_codger is right and the amount shown on a compromised terminal is not what you were actually charged?  This way two genuine transactions could have been hijacked.  Can you match up all Chip and Pin transaction receipts with your statement?   Or are the suspect transactions over and above your actual payments?
  • bxcfilm
    bxcfilm Posts: 13 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    "Or are the suspect transactions over and above your actual payments? "
    I never made those transactions.

    "I wonder if @grumpy_codger is right and the amount shown on a compromised terminal is not what you were actually charged? "
    The function of a compromised terminal seems to be to capture the card details and pin number for use separately soon afterwards.


  • grumpy_codger
    grumpy_codger Posts: 703 Forumite
    500 Posts Name Dropper Photogenic
    edited 26 March at 1:11PM
    bxcfilm said:
    ....
    The function of a compromised terminal seems to be to capture the card details and pin number for use separately soon afterwards.


    You are missing the point. You can capture the details, but you cannot clone the chip and make a chip&PIN transaction.
  • bxcfilm
    bxcfilm Posts: 13 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    I don't know how they do it, but from reading the articles I cited in my original post, it seems they do.
  • born_again
    born_again Posts: 19,641 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    bxcfilm said:
    Firstly, yes, the fraudulent transactions were apparently in Mexico.

    "If chip and pin was used, the credit card company should be able to tell you the physical location of the transactions."

    They did not offer that information.

    "I fail to see the connection with chip and pin fraud and contactless payment limits."

    What is becoming clearer is that:
     1. Banks are relying on insecure systems, because the terminals can be compromised. I think it's significant that, when I was on the phone with the complaints manager and raised the problem of compromised terminals, she didn't try to deny it, but instead stayed silent.
     2. The amount of money cardholders are losing is huge, so if the banks admitted the situation they would be on the hook for billions.
     3. Getting rid of the limit on contactless payments might be a route towards eliminating Chip & Pin altogether. Doing that would (might) allow the banks to slide sideways out of the problem.

    I think there's a huge story here, but it needs someone influential to pick it up and help join the dots.

    The transaction details are provided by the retailer. CC has nothing further than that. 

    Remember that you are talking about Mexico here, so how they secure things is not the same as in the UK.

    Less than 10 years ago, the US was one of the biggest countries that ATM fraud was conducted in, due to the fact that they did not adhere to Chip & Pin on their systems. Americans could not cope with a 4-digit PIN.

    You think cardholders' loss is huge... Have a look at the figures banks pay out...
    Life in the slow lane
  • DullGreyGuy
    DullGreyGuy Posts: 17,474 Forumite
    10,000 Posts Second Anniversary Name Dropper
    bxcfilm said:

    I’m not sure if this is in the right forum, but please re-direct me if necessary. It concerns credit card fraud and the security or otherwise of Chip & Pin.

    Last month, I was in Mexico, and when I got back I saw two entries on my credit card account which were clearly fraudulent. They were for large amounts, both on the same day – and as the credit card company told me when I called, only 2 minutes apart. The merchant details, such as they were, were different for the two different payments. The company told me that their records showed the payments as having been made using Chip & Pin, so either I made them or I had carelessly given the pin number to someone, and therefore either way they did not accept liability. They have written me a final letter refusing the claim.

    It did not take me long to discover that Chip & Pin is not in fact secure. See for example:

    https://fastercapital.com/content/Terminal-tampering--Unveiling-the-Hidden-Dangers-of-Card-Present-Fraud.html

    https://www.inetco.com/blog/tackling-rogue-payment-terminals/

    https://www.thisismoney.co.uk/money/beatthescammers/article-12396705/How-fraudsters-stealing-BILLIONS-using-chip-pin-hack-banks-refuse-admit-scam-exists.html

    Is this a subject that Martin Lewis has taken up? Is there a connection between this and the move to remove the payment limit for contactless payments?

    The articles are sensationalist rubbish as usual; they are failing to mention that what they get from a tampered-with machine is the basic card details and the PIN number. That is insufficient to make a new card with a chip, a fact that the ThisIsMoney article's expert acknowledges.

    What it can allow them to do is create the magnetic strip on a card or use the card for online purchases. He then goes on about sex workers who steal your card whilst you are "distracted" and then return it before you leave... are you thinking that's what happened to you?

    Skimming is the same: data to do a magnetic strip but not to create a new chip.

    I will potentially accept his argument that there is a way to trick a Chip and Signature to be reported as Chip and PIN but that would mean they need your card to do it as he agrees the chip cannot be replicated. 