Credit card fraud, for the Paranoid

Citizen Jake

I'm not sure if this is the right place, feel free to move it. I've used a credit card for several years now and while I've been conscious and aware of credit card fraud - to my knowledge - have never been a victim of it. However, two incidents (if you can call them that) recently raised my hackles and have made me wonder if there's a danger of being frauded or if I'm merely being paranoid about it?

1. I bought a suit in a store in Blanchardstown about a month ago (impulse purchase) and when I was paying for it with my credit card, despite the presence of chip & PIN machines, the sales assistant swiped it through the card reader. She seemed to be having some trouble with it and when it eventually worked she asked for my signature. Then she did an unusual thing, on the receipt that the store keeps she ran a pencil over my card, thereby etching the card number on the receipt and shrugged her shoulders saying that the reader asked her to do it for security purposes. This annoyed me and made me wary but I said nothing and left the store. I meant to ring the bank about it but just let it go. Anyone know if this practice is normal or am I being paranoid?

2. This afternoon, I was in a sports store and bought a pair of cheap enough sunglasses and paid for the purchase with my credit card. The shop assistant took my credit card and handed me out the PIN entry console from the desk and placed it sideways. After entering the PIN number I glanced up to my right and noticed that I entered my PIN directly under a CCTV camera. Could it be possible that someone can make a clone credit card from a store transaction and make it usable having spotted the PIN number from CCTV footage? Or am I being paranoid again and should take these questions to a sanity forum on boards.

I just keep the one credit card - if you can't manage one you shouldn't have more than one - and despite personally being more of a danger to my credit history than some scumbag fraudster, loathe the very thought of being a victim. What do you guys think?

nesf

Moved to Business/Economy/Finance.

More people who might have an opinion read that board mate. Personally I'm paranoid and usually check my online statement for my CC every couple of days in order to spot any illegit transactions. Better safe than sorry and all that.

ACC

Worked on Chip and Pin implementation for one of the banks. its impossible to clone a chip and Pin card due to the nature of the chip. Also if you have used your card in an offline machine(cinema or car park) over a certain limit then it will do a security check

RainyDay

Citizen Jake wrote:

1. I bought a suit in a store in Blanchardstown about a month ago (impulse purchase) and when I was paying for it with my credit card, despite the presence of chip & PIN machines, the sales assistant swiped it through the card reader. She seemed to be having some trouble with it and when it eventually worked she asked for my signature. Then she did an unusual thing, on the receipt that the store keeps she ran a pencil over my card, thereby etching the card number on the receipt and shrugged her shoulders saying that the reader asked her to do it for security purposes. This annoyed me and made me wary but I said nothing and left the store. I meant to ring the bank about it but just let it go. Anyone know if this practice is normal or am I being paranoid?

Seems very unusual. I'd certainly query this with the shop manager.

Citizen Jake wrote:

2. This afternoon, I was in a sports store and bought a pair of cheap enough sunglasses and paid for the purchase with my credit card. The shop assistant took my credit card and handed me out the PIN entry console from the desk and placed it sideways. After entering the PIN number I glanced up to my right and noticed that I entered my PIN directly under a CCTV camera. Could it be possible that someone can make a clone credit card from a store transaction and make it usable having spotted the PIN number from CCTV footage? Or am I being paranoid again and should take these questions to a sanity forum on boards.

When using any ATM, I make certain that anyone overlooking can't see the PIN I am entering. I avoid stabbing at numbers with a single finger. I hold my hand over the keypad and enter the numbers by moving my fingers only, not my hand. This would make it difficult for anyone to pick up my PIN number. If there was a high-resolution camera which could slow down my movement frame-by-frame, I guess they could possibly beat me at this. However, given the image quality of most CCTV footage that you see on Crimeline, the chances of picking up individual finger movements are quite slip.

dahamsta

Citizen Jake, the odds are that the two incidents were relatively innocuous, however if you're concerned about them you should follow up with both the store and the credit card company. In the first case in particular - which sounds odd but not very surprising, since some store owners have odd ideas anyway - I think you should query it with the manager/owner, and then follow up with the credit card issuer to see if it is in fact policy. If it's not, you should lodge a complaint.

As to the second, you should complain about the placement to the retail outlet, and if the camera isn't moved, you should complain about it to the CC issuer. IMHO, obviously.

ACC wrote:

Worked on Chip and Pin implementation for one of the banks. its impossible to clone a chip and Pin card due to the nature of the chip.

Can we get more detail on this please? Nearly everything with a physical presence can be counterfeited, I'd like to know why chip cards can't.

adam

ACC

It is due to a couple of things. While obviously I won't go into too much detail basically the encryption used to store the data on the chip along with other security measures make it impossiblle (and I mean impossible) to sucessfully replicate a Chip and PIN card. If you look at the French they have had it since 89 and no confirmed case of a successful CHIP counterfieting has ever been recorded there.

dahamsta

ACC wrote:

It is due to a couple of things. While obviously I won't go into too much detail basically the encryption used to store the data on the chip along with other security measures make it impossiblle (and I mean impossible) to sucessfully replicate a Chip and PIN card. If you look at the French they have had it since 89 and no confirmed case of a successful CHIP counterfieting has ever been recorded there.

They said it would be imposible to forge every single banknote design that's every been released, and all but the most recent have been forged (and they'll be forged in time). I'm willing to bet the crowd responsible for DeCSS - the encryption algorithm used on DVDs - swore blind that it was uncrackable, but it was cracked by a teenager who wanted to play DVDs on his Linux box. I'm also willing to bet the people responsible for the original swipe credit cards said they couldn't be forged.

If you have physical access to the device, it can be physically reverse-engineered; and the encryption can be cracked, in time, by monitoring the inputs and outputs -- the encryption can't be that strong on a device that size anyway. It may not be cracked for a few years, but it will be cracked. Everything is. That's if it hasn't been cracked already...

There's no such word as "impossible" when it comes to cryptology; with the possible exception of quantum.

adam

GerardKeating

Citizen Jake wrote:

and when I was paying for it with my credit card, despite the presence of chip & PIN machines, the sales assistant swiped it through the card reader. She seemed to be having some trouble with it and when it eventually worked she asked for my signature. Then she did an unusual thing, on the receipt that the store keeps she ran a pencil over my card, thereby etching the card number on the receipt and shrugged her shoulders saying that the reader asked her to do it for security purposes.

You mentioned she had trouble with your card, check the your copy of the receipt, does your name appear? If your name does not appear, this means she had to manually enter the creditcard number. If she has done this, Visa / Mastercard rules mandate that an "impression" of the card is recorded, as proof the card was present in the store when the transaction is made.

nesf

dahamsta wrote:

There's no such word as "impossible" when it comes to cryptology; with the possible exception of quantum.

No, but there are the words, "by the time someone cracked the encryption the information would be useless to them".

I agree that there is a lot of misleading information on cryptology available, but unless there is a mathematical backdoor built in, most modern cryptology methods require brute force to crack them. Brute force is not efficient or particularily fast.

De Rebel

ACC wrote:

......its impossible to clone a chip and Pin card due to ........

Great word that, impossible.......

De Rebel

Citizen Jake wrote:

What do you guys think?

I think that there are lots of possibile ways in which you can get caught, restauraunts where they whisk your card away, web, phone bookings, overseas use etc. I use my card a lot, and put a significant number of transactions through it. I eventually got caught. Not by a fraudster, but by a big name in the retail anti virus software industry that isn't mcafee. Bought antivirus software online (one off) for a friend, and ended up paying his annual subs for 3 subsequent years. Try sorting that one out - a complete waste of time. And don't expect any assistance from the CC company.

The best thing to do? Now I ask for a replacement account every 12 months. This results in the cards being cancelled and the account being closed, a new account being opened, new cards being issued and most importantly a new number. A crude mechanism, but it wipes the slate clean and gives you a fresh start. Free of charge.

ACC

Don't know much about the cryptology part of it. But the IT contractors all said that because of the keys that the card used and the way all keys had to be verified online that it was next or near to impossible. It hasn't been done since 89 so i reckon if they could have done it it would have been done by now.

a_ominous

I don't know which encryption technique is being used, but anything with over 1024 bit encryption would take hundreds of billions of years to break with using brute force task of every possible key even on a supercomputer or a cluster of hundreds of PCs running something like SETI. Your credit card won't be used for that long, hence it is effectively impossible.

Most fraud and security breaches aren't as a result of technical failures, they're the result of social engineering type attacks. If you want to understand this more, read Kevin Mitnick's book "The art of deception". He's infamous for hacking, was jailed for a few years and has been barred from using a computer for many years. Google for his 'credentials'.

So the OP is right to be a bit paranoid. CCTV near the tills, okay I accept the shop needs that. But they also should provide a better screen around the PIN machine. I could remember a 4 digit number more easily than I'd be able to copy someone's signature. Can't see any justification for running a pencil over the card. But all that gives you is a CC number, which is on the docket anyhoo.

sceptre

a_ominous wrote:

But all that gives you is a CC number, which is on the docket anyhoo.

Generally it's not apart from the last four digits.

Ste.phen

Where i work the whole number (and auth. code) appears on the Shop copy of the receipt, but the customer copy has most of the numbers X'd out.
Presumably because we might need to have the card number handy, but the customer is likely to toss the receipt?

mike65

Igy wrote:

Where i work the whole number (and auth. code) appears on the Shop copy of the receipt, but the customer copy has most of the numbers X'd out.
Presumably because we might need to have the card number handy, but the customer is likely to toss the receipt?

Where do you work? The print out XXXX XXXX XXXX 4637 is to avoid fraud after stupid customers drop the receipt.

Mike.

a_ominous

But the _shop_ has to have a record of the card number. Not all customer receipts have the CC number blanked out. Agreed, some do it for security reasons, but the shop also has to have a hardcopy of the transaction with full CC number and signature on it. I presume shops get a statement showing all CC transactions each week/month.
But the shop has to be able to trace the card number, no? They'll be the ones out of pocket, not the CC company or the 'customer' with a dodgy card, I believe.

NewFrockTuesday

I dont have a credit card in my own name, but I do have one from bf that ive been using for nearly a year now. i signed his name at least once a week for the last year and never once has anyone checked the sig. i was a bit surprised at first , even tho he would usually be in the shop with me, but now i dont even think twice.
Once or twice ive forgotten to put his name on and signed my own and still noone has ever even glanced at it.

dahamsta

I've seen - as in me personally, not my mate's auntie's granny - at least two customer receipts with both the full credit card number and the expiry date. It was a good while back, while ecommerce was in it's first major spurt of growth, however telesales was still big business around the time.

Purdee, a guy in the states started signing his own receipts with obviously-fraudulent names like Mickey Mouse a while ago, and no-on ever challenged him on it. I think after he got bored of that he started drawing little pictures instead, but I can't remember the outcome. A google will probably turn it up though.

On the subject of impossibility, there's no doubt about the definition of the word, and it's a bit much to flip from "impossible" to "near impossible" now. It's not impossible, period, and as time goes on it'll become easier. Such is the beauty of modern computing.

adam

GerardKeating

dahamsta wrote:

I've seen - as in me personally, not my mate's auntie's granny - at least two customer receipts with both the full credit card number and the expiry date. It was a good while back, while ecommerce was in it's first major spurt of growth, however telesales was still big business around the time.

The rule requiring the pan to be "xxxx"'ed is new, it has been phased in over the past year or so. I think Mastercard mandated for for all slips sincde April 1st 2005, not sure bout Visa.

gerard

dahamsta

GerardKeating wrote:

The rule requiring the pan to be "xxxx"'ed is new, it has been phased in over the past year or so. I think Mastercard mandated for for all slips sincde April 1st 2005, not sure bout Visa.

Ridiculous. Even back then it was the norm not to put the full number on the receipt - which is why I was surprised - because it was a stupid thing to do. If I can recognise the stupidity as a consumer, how come it took them five years to recognise it?

adam

RainyDay

dahamsta wrote:

I've seen - as in me personally, not my mate's auntie's granny - at least two customer receipts with both the full credit card number and the expiry date. It was a good while back, while ecommerce was in it's first major spurt of growth, however telesales was still big business around the time.

Every time I clear out my CC receipts, I come across 2 or 3 which don't have the card number blanked out. I keep meaning to check the receipts as I receive them, but somehow I never quite remember.

vector

>impossible to copy chip

If something can be made legally then it can be copied illegally. Granted, it is imposible for you and me to do it, but when there is money to be made someone, somewhere will figure out a way.

Hey almost anything is possible with money, lets say you wanted to cross the atlantic in a zepplin with a picture of bertie ahern on the side, given enough money you could make it happen.

dahamsta

Bah, if you'd said "hot air balloon" I could've done the "or you could have just brought Bertie along and saved on fuel" joke.

adam

vector

what about a life size picture of [obese_public_hate_figure]
it would just fit

MiniMetro

Where i work the full number is printed on both copies of the receipt. Its an AIB terminal.

shoegirl

dahamsta wrote:

Can we get more detail on this please? Nearly everything with a physical presence can be counterfeited, I'd like to know why chip cards can't.

adam

A company that used to be part of the company I work for manufacture some cards used in Ireland:
http://www.axalto.com/banking/egalleon.asp

As far as I know the 8/16/32k chip probably contains personalised data that can only be read by password. Third prty companies (not your bank) hold the symmetric key cryptography data, so only authentic cards can be identified. Apparently its already a legacy technology!

The old cards were identified only by a single piece of info (magnetic stripe), the chip and pin cards have now two unique pieces of data (stripe plus chip) so both would need to be duplicated in order to counterfeit the card. Additionally they would also need to know the pin, so 3 pieces of info are required instead of one.

Of course the entire problem is that PIN technology, like passwords, depends on the user not revealing it to make it secure. But if people (and there are many of them), write down their PIN then chip and pin is worth nothing.

parsi

dahamsta wrote:

Purdee, a guy in the states started signing his own receipts with obviously-fraudulent names like Mickey Mouse a while ago, and no-on ever challenged him on it. I think after he got bored of that he started drawing little pictures instead, but I can't remember the outcome. A google will probably turn it up though.

Last week in TEsco Mahon Point i paid by laser and entered my PIN. Yer man handed me my receipt and asked me to sign it. I told him I didn't have to sign it (it was the laser receipt and hadn't anywehere to sign because I had used my PIN). He said to sign it. So I did. A big black X. And then, what did he do ? He handed me the receipt to keep....sheesh...

vector

dahamsta wrote:

...
Purdee, a guy in the states started signing his own receipts with obviously-fraudulent names like Mickey Mouse...

http://www.thescreamonline.com/cartoons/cartoons3-3/

doriansmith

shoegirl wrote:

The old cards were identified only by a single piece of info (magnetic stripe), the chip and pin cards have now two unique pieces of data (stripe plus chip) so both would need to be duplicated in order to counterfeit the card. Additionally they would also need to know the pin, so 3 pieces of info are required instead of one.

Of course the entire problem is that PIN technology, like passwords, depends on the user not revealing it to make it secure. But if people (and there are many of them), write down their PIN then chip and pin is worth nothing.

It's been said a few times in this thread that it's impossible to clone a chip and pin credit card. Well it just happened to me.

Happened to check my online banking today and my credit card balance immediately set off alarm bells. I've only used the card once in the past couple of months and suddenly I owed a fortune. Rang the bank straight away and turns out my card was cloned. it was used several times in the past couple of days to withdraw money from atms in London(i'm in Dublin). The woman i spoke to told me that someone had copied the magnetic strip on my card and cloned it. They couldn't clone the actual chip part because this can't be done but they still managed to clone the magnetic strip and create a new card. I dont know exactly how all this works but apparently this meant that they couldnt use the cloned cards in shops but could still take money out of atm machines no problem.

How this was done without my pin number I have no idea. Before people start saying I probably had my pin written down somewhere I am 100% certain that I don't. And i certainly wouldnt be stupid enough to have it written down in my wallet or near my card even if i did. I destroyed the slip sent to be by the bank with my pin number straight away when i received it and have never once written it down anywhere. The only place it's stored is in my head. It's also a completely random number, unrelated to DOB or anything like that.

So my chip and pin credit card still managed to get cloned and I had over 500 euro stolen in the space of a day. It's definitely possible folks. Luckily the bank have said they'll refund me. It's still pretty scary that this can happen so easily though. If i hadn't happened to check my online banking today this could have gone on for the next month until i got my next statement and by then who knows how much would've been stolen. I'll be really worried anytime I use a credit card from now on

vector

your credit card currently has a chip AND a magstrip

the eventual idea is to have only a chip

however until all readers (merchant terminals AND ATMs) have chip readers the magstrip will remain

fortunately most merchant terminals in out region have been upgraded, and in the near future the forgot PIN option will be disabled meaning that if a card has a chip then only the chip can be used.

However... and this is a big however... the upgrading of ATMs is much slower
because their primary function is to read basic ATM cards, which are always magstrips they do not have chip readers

thus the classic shoulder surfing and magstip lebanese loop copier still works

ask your credit card provider if they can aetup your card account so that only "chip and PAN entry are allowed and magstip entry is never allowed even at ATMs"