    • vantablack
    • By vantablack 16th Apr 19, 7:13 PM
    • 6 Posts
    • 2 Thanks
    vantablack
    One-off fraudulent card transaction
    • #1
    My partner has just spotted a transaction for just under 300 on her Nationwide current account debit card at the end of last month. It was at Boots in Barking - we've never been to Barking and live probably about 80 miles away. Coincidentally we were at the Olympic Park in Stratford, so not too far away, a few days prior to the event, however she only used her card once, in Caffe Nero, and that was a contactless payment.

    I'm trying to work out how this is possible - 300 would mean chip & pin, but she still has her card, so it must have been done with a fake card. So far as I can tell the pin (or a hash of it) is stored in the chip on the card but surely that's protected by some pretty strong crypto. The only thing I can think of is if chip & pin wasn't used, just the mag stripe, in which case it could have been cloned but surely a 300 transaction with a card that doesn't have a working chip would raise questions at the checkout? I'm also surprised/relieved that someone who went to the trouble of being able to make a shifty 300 transaction would then stop there and not use it more than once.

    Nationwide are of course investigating but I'm curious how this could be done...
    • agrinnall
    • By agrinnall 16th Apr 19, 7:52 PM
    • 22,409 Posts
    • 18,424 Thanks
    agrinnall
    • #2
    • 16th Apr 19, 7:52 PM
    Card not present transaction is certainly one possibility - all you need is card number, expiry date and CVV2 (and probably cardholder name).


    https://en.wikipedia.org/wiki/Card_not_present_transaction
    • vantablack
    • By vantablack 16th Apr 19, 7:53 PM
    • 6 Posts
    • 2 Thanks
    vantablack
    • #3
    • 16th Apr 19, 7:53 PM
    Indeed, that's possible but the fact that it's Boots in Barking suggests in-store...
    • Terry Towelling
    • By Terry Towelling 16th Apr 19, 8:10 PM
    • 1,201 Posts
    • 968 Thanks
    Terry Towelling
    • #4
    • 16th Apr 19, 8:10 PM
    On the subject of cloning magstripes on CHIP cards, the magstripe contains a Service Code which tells the POS device 'I am a CHIP Card'. If no CHIP is present, a retailer will probably think it is an old fashioned magstripe card and simply swipe it. The Service Code will be detected by the POS device and prompt the cashier to read the CHIP (which isn't present).

    If a fake CHIP is printed on the card, the retailer will attempt a read, fail and possibly fall back to magstripe/signature.

    All magstripe transactions on cards with a chip Service Code will go online for auth. The Issuer will see it is a fallback transaction and probably decline the sale - or take the risk and approve it.

    If the counterfeiter has been resourceful enough to alter the Service Code in the magstripe of a UK CHIP card to say, 'I am a Magstripe card', I would expect any POS device in the UK to go online for auth whereupon the issuer will detect the wrong Service Code and ask for the card to be picked up.

    The transaction in question here is probably a card-not-present transaction. It would be interesting to see though.
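
The issuer-side checks described in the post above, sketched as an added example (not part of the original post, and not any issuer's or scheme's actual code). The function names, the decision labels, the `issued_service_code` parameter and the sample Track 2 strings are assumptions constructed for illustration.

```python
import re

# Track 2 layout per ISO/IEC 7813: ;PAN=YYMM + 3-digit service code + discretionary data ?
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")

# First service-code digit 2 or 6 means the card carries a chip.
CHIP_DIGITS = {"2", "6"}


def parse_track2(track2):
    """Split a Track 2 string into PAN, expiry (YYMM), service code, discretionary data."""
    m = TRACK2.match(track2.strip())
    if m is None:
        raise ValueError("malformed Track 2 data")
    return m.groupdict()


def screen_swipe(track2, issued_service_code):
    """Issuer-side screening of a magstripe-read authorisation request.

    issued_service_code is what the issuer encoded on the genuine card
    (hypothetical parameter; a real host would look it up by PAN).
    Returns one of the hypothetical labels 'pickup', 'fallback_review', 'continue'.
    """
    svc = parse_track2(track2)["svc"]
    if svc != issued_service_code:
        # Stripe claims a different card type than the one issued: altered stripe.
        return "pickup"
    if svc[0] in CHIP_DIGITS:
        # Genuine service code, but a chip card was swiped: fallback, issuer's risk call.
        return "fallback_review"
    return "continue"


# Constructed sample data: the PAN is not a real account number.
CLONED_STRIPE = ";9999000011112222=2512201000000?"   # chip service code copied as-is
ALTERED_STRIPE = ";9999000011112222=2512101000000?"  # service code rewritten to 101

if __name__ == "__main__":
    for label, t2 in (("cloned", CLONED_STRIPE), ("altered", ALTERED_STRIPE)):
        print(label, parse_track2(t2)["svc"], screen_swipe(t2, "201"))
```
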
    • vantablack
    • By vantablack 16th Apr 19, 8:32 PM
    • 6 Posts
    • 2 Thanks
    vantablack
    • #5
    • 16th Apr 19, 8:32 PM
    Thanks, interesting. Will defo. report back when we hear more.
    • Terry Towelling
    • By Terry Towelling 16th Apr 19, 8:53 PM
    • 1,201 Posts
    • 968 Thanks
    Terry Towelling
    • #6
    • 16th Apr 19, 8:53 PM
    My cards knowledge is very out of date but there could be all sorts of explanations. Possibly a counterfeit with neither CHIP nor functioning magstripe was key entered. I don't know what Boots procedures are for staff keying transactions in a card-present environment but 300 does seem rather a lot to allow without management intervention. It also seems a lot for Nationwide to approve.

    I'm not sure about the CHIP containing the PIN. I know the PIN can be verified by the CHIP but that's not necessarily the same as actually storing it as a numerical value in the CHIP.
    • SnowTiger
    • By SnowTiger 16th Apr 19, 9:37 PM
    • 3,658 Posts
    • 2,655 Thanks
    SnowTiger
    • #7
    • 16th Apr 19, 9:37 PM
    My initial thought was that this was an online order and Boots uses a Barking address for such things.

    I made an online order from Boots in September 2018 and a Nottingham address shows on my credit card statement, so that's that theory dead.

    Given the 'card' was only used once by a third party, and the details posted here about the risks and difficulties of cloning a card and using it in store, my guess is that the transaction is genuine.

    But it has been applied to the wrong account.

    Impossible? I've been hit by two banking oddities recently. I had to take one to the FOS. The upshot was that they were caused by a series of unusual events.
    • vantablack
    • By vantablack 17th Apr 19, 6:22 AM
    • 6 Posts
    • 2 Thanks
    vantablack
    • #8
    • 17th Apr 19, 6:22 AM
    That's a possibility - she's also had an issue recently where she paid a deposit via bank transfer and when the deposit came to be repaid it went to the wrong bank account, which took some sorting out. I wonder if there's something a bit skew whiff with her current account.
    • jonnygee2
    • By jonnygee2 17th Apr 19, 8:40 AM
    • 1,153 Posts
    • 1,152 Thanks
    jonnygee2
    • #9
    • 17th Apr 19, 8:40 AM
    Duplicating a card chip is not possible by any method commonly used by thieves. It's the kind of thing that might be possible if GCHQ poured resources into it, or something, but it's not being done to steal 300 of vitamins.

    Extracting a PIN from a card is actually impossible because it isn't stored on the card.
    • Stephbaker
    • By Stephbaker 17th Apr 19, 8:44 AM
    • 11 Posts
    • 3 Thanks
    Stephbaker
    That's bizarre!
    • Uxb1
    • By Uxb1 17th Apr 19, 8:54 AM
    • 105 Posts
    • 124 Thanks
    Uxb1

    Extracting a PIN from a card is actually impossible because it isn't stored on the card.
    Originally posted by jonnygee2
    I thought it was as when you do a chip and pin transaction the pin correct message comes up on the screen almost instantly and then the rest of the transaction takes a time to be authorized.
    I assumed the POS machine had verified the pin correct in a nanosecond having interrogated the chip and was now contacting the processing centre to get authorization.
    • jonnygee2
    • By jonnygee2 17th Apr 19, 9:13 AM
    • 1,153 Posts
    • 1,152 Thanks
    jonnygee2
    I thought it was as when you do a chip and pin transaction the pin correct message comes up on the screen almost instantly
    The card stores the 'public key' and the pin is the 'private key' https://en.wikipedia.org/wiki/Public-key_cryptography . The two together create an authorisation. It's an ingenious system :-)

    Most terminals do authorise the PIN online though, but also cards can verify the PIN via the card.
    • Chino
    • By Chino 17th Apr 19, 9:35 PM
    • 838 Posts
    • 518 Thanks
    Chino
    It's an ingenious system :-)
    Originally posted by jonnygee2
    and one that you evidently completely misunderstand.
    • agrinnall
    • By agrinnall 18th Apr 19, 9:05 AM
    • 22,409 Posts
    • 18,424 Thanks
    agrinnall
    and one that you evidently completely misunderstand.
    Originally posted by Chino

    Do feel free to give us your explanation then, otherwise we must assume it's you that doesn't have a clue.
    • jonnygee2
    • By jonnygee2 18th Apr 19, 12:38 PM
    • 1,153 Posts
    • 1,152 Thanks
    jonnygee2
    and one that you evidently completely misunderstand.
    Most probably, I'm not a cryptography expert! I'm all ears for a better explanation.