Card cloning warning

[JJB]

I don't suppose anyone saw the front page of the Daily Express today? Highlighted the Chip and PIN 'epidemic'.

[danrees]

To be honest I am not sure why anybody shops at that supermarket on LL.

Overpriced, poor quality crap.

If you want crap food go to Iceland. If you want nicer food go to Sainsbury's.

Bring on the Co-op I say.

[MrBen]

Oh dear. Just been done myself. $1000 Candadian dollars taken from my Lloyds TSB debit card in Quebec yesterday. Was in Canada 6 weeks back but only used it a few times and never at an ATM. Now have to fill in a load of forms to get it back. But the banks must be getting stung. And someone doing this 5 times a day is getting very rich.

[Lizziedjango]

Darees, I like the Coop. Shame the one on Forest Hill Rd is so TINY.

I am too scared to use my card at the ATMs on LL after reading this thread!!!!

[Pandora]

As it happens, I'm off to Benin in a couple of days, where some of the cards on this thread have been used. I'm not planning to use my card while away (from past experience there's not going to be many places to actually use the card!) but I thought I should inform my banks.

One bank said that they can't make any note on my account but I should just go ahead and use it. Which doesn't fill me with confidence, because I would hope a transaction in Benin would be flagged up as unusual activity.. either I would be unable to use my card, or someone doing it illegally would be able to! However HSBC have put a note on my account and have given me international helpline numbers - they said it still may be flagged as unusual activity, but they would try to call me if they were concerned. Not sure what to make of their responses!

[Sharon_H]

My Hubby has had the dreaded phone call, used in India, it was used 3 times and but refused for the 3rd.

[mrs f]

Hi All, Just to let you know that I used the Barkelys bank ATM this morning (the one on the corner) and it had a thing over the card slot- then I checked all the other Barkleys ones and they did not have this thing. I cancelled my card straight away and I would suggest that you all avoid this ATM until the bank opens on Monday.

Hopefully it is nothing, but better to be safe than sorry!

[indiepanda]

I've not had my card cloned (yet!, *touches wood* etc)

However, my bank have been very good for checking when my card is used abroad. I recently tried to pay for a holiday in Italy and the Italian holiday company had the payment rejected and I had to phone the bank to authorize. And when I was in Dusseldorf last winter and the girl at the hotel didn't know how chip and pin worked (tried to put card in, type in payment, remove and then get me to enter pin), they called me on my mobile having put a block on further payments until confirmed if the payments were ok. And when I last went overseas I let them know in advance so they didn't block my payments and they didn't have a problem with noting that on my account, or mess up and block any payments.

So, if you want to bank with someone good, try First Direct - give pretty good service overall, not just in this matter. They don't have any of those annoying "press 1 to get lost in a chain of menu options, press 2 to get put through to the wrong department, press 3 to get put on hold for 10 minutes and cut off" menus on their phone line. I hate those things!

PS I don't work for First Direct/HSBC, just in case you are wondering.

[LibraCarr]

Hi,

As in my previous messages, you should alway's cover your busy hand, look to see if anyone is parked nearby that may be using a covert camera, and if you cannot do that use a bank that allows you access into the bank out of hours or a post office to withdraw cash. At the end of the day you do have a duty of care, the money provider could possibly refuse to reimburse you if you have been negligent.

Please refer to my ealier posting's which will advise you of the suspect shops and ATM's in East Dulwich.

Take care.

Libra Carr.

[louisiana]

I called First Direct yesterday, and spoke to - among others - their fraud department.

No, they cannot do a global block on all overseas payments on a card/acount, they told me (in response to my question). If effect, every transaction is treated individually

I do travel abroad regularly, but tend to use cash for small local payments, so would prefer all overseas activity to be blocked on this particular account (I have other accounts for business travel). But no can do.

Their fraud department says payments are analysed according to

1) 'we know where you are' (but they didn't know I was in The Hague and Nottingham over the last week, for example, so I'm not quite sure how that works. Presumably this can only come into action if there is a suggestion that you are in two places simultaneously)

and

2) a list of countries with known problems. They confirmed that Canada is on that list, but also said the do not reveal the last and 'even we don't have that list'. They did confirm that The Netherlands is not on their list, which might suggest that the Netherlands is chip and pin (ie in principle more secure). However, I made two card payments in Amsterdam and The Hague last week and only in one case was a pin required....

[ianr]

>Hi All, Just to let you know that I used the Barkelys bank ATM this

>morning (the one on the corner) and it had a thing over the card slot-

>then I checked all the other Barkleys ones and they did not have this thing.

For information, here are photographs I took at 12:28 today of the Barclays ATMs, on LL and the corner of LL/Ashbourne Grove, respectively. It's clear, BTW, from photos of the full fascia, that the machines are different models. I didn't see or feel anything that seemed obviously amiss or appended, and my amateur assumption is that they're both currently in their natural state.

But can anyone definitely confirm that the initial slot bit in the second is standard (probably an anti-tamper device?) and not a skimmer?

[monica]

Im away to the USA next monday with my trusty old nationwide card, I have been told that The Usa are hot on fraud, that is why they have not used the chip and pin service, so il see what happens when im there. After i posted last about the Dodgy Hsbc atm i was told it was ok, because our lovely PC mick bell had a look. Strange the Barclays Atm is going through the same thing. I now use cash in supermarkets. I say bring back signature, obviously chip and pin is not fraud proof, and why dont the americans use the same system. (?)

[Sue]

monica Wrote:

-------------------------------------------------------

> I say bring back signature,

> obviously chip and pin is not fraud proof, and why

> dont the americans use the same system. (?)

xxxxx

Anybody can forge a signature, it's easy - anyway, most people never checked them very thoroughly, just a quick glance, in my experience

[Asset]

In the States now they ask for a number to be entered which is the zip code connected to the card rather than a PIN. Not much good if you are not from the States! Had to use a signature instead.

Libra - you do mention covering the keypad but the card can be cloned without the PIN being taken.

[Loz]

One of the main security holes for cards is that the PIN for the chip is the same as the PIN for the mag stripe. This was raised in security circles before chip'n'pin was introduced, but they went ahead anyway on the (admittedly pragmatic) basis that people would never remember two PINs for one card and the vague hope that the mag stripe could be phased out at some stage. Magnetic stripes are trivial to reproduce; chips are much harder, but not impossible.

Given the explosion in the amount of fraud, I expect that the banks will solve this 'unsolvable' problem sometime soon as it the loss level becomes greater than the fix-it cost.

[candj]

monica Wrote:

-------------------------------------------------------

> Im away to the USA next monday with my trusty old

> nationwide card, I have been told that The Usa are

> hot on fraud, that is why they have not used the

> chip and pin service, so il see what happens when

> im there. After i posted last about the Dodgy Hsbc

> atm i was told it was ok, because our lovely PC

> mick bell had a look. Strange the Barclays Atm is

> going through the same thing. I now use cash in

> supermarkets. I say bring back signature,

> obviously chip and pin is not fraud proof, and why

> dont the americans use the same system. (?)

Monica, Just make sure you have your passport with you at all times because in the States they will ask you for ID (usually drivers license) and they may not recognise a UK one (assuming you don't have a US driver's license!). I don't know why we don't use chip and pin in the States. Too complicated perhaps?! :)

-C

[monica]

Thanks candj i will, it all seems surreal that this is happening, and nothing can be done about it

[arriety]

I've just discovered that Murco Service Station, the one near the Tesco Metro at the top of Goose Green, has been taking money from my card. No idea how they have done it. But be warned about that petrol station!

[SeanMacGabhann]

Beth

Are you sure the station itself is taking money from your card? Or do you suspect the card was cloned there and money is being taken from it elsewhere.

Many people seem to be assuming that the (high volume!) locations mentioned are "in" on this when that isn't nevessarily the case. They are more likely targeted because of the number of customers and then the criminals move on to somewhere else

[arriety]

That's a good point. I don't really know. Have discovered more fraud on the card, Somerfield in Mitcham and so on. So, you probably right, its the user not the service station that is at fault.

Nightmare.

[SeanMacGabhann]

Tis indeed Beth, a nightmare - I hope I wasn't sounding unsympathetic. At time of writing I haven't been affected (touch wood again) but it would definitely be a major hassle for me

[Loz]

Beth - that sounds like a cloning. Get in touch with your bank PDQ.

[arriety]

Just been in touch with the bank and cancelled my card. It's a cloning and they have my pin number, how i don't know!

[anna_ed]

My boyfriend had his card details stolen as well. They've taken ?1800!!! I'm not sure which ED cash points he's used but they have taken the money from Canada.

[AcedOut]

In the future, card companies will be able to locate you (at least technically). For extra security they could read the GPS info off your cell phone to ensure you're located at the same place the transaction is being made. Of course this will not work for telephone/internet transactions, so no system is infallible. The criminal would then have to steal your mobile or somehow fake the GPS location (not that hard actually, but replicating the GSM packets is tricky), although relatively simple algorithms could detect if you've suddely managed to travel at the speed of light to such places as Canada! In a decade or so, mobile phones will replace cards anyway and I'm sure this technique will be used. For internet transactions, 'Verified by VISA' will eliminated some of the online issues.

Someone else has already mentioned a password rather than PIN system where only 3 characters are requested. There is a cost issue associated with this though and also an issue of customer error/slowness. Remember, credit card companies make their $$$ on the vast number of transactions, so they don't want to slow this down!

As for ATM machines, I'd recommend to the banks digital image recognition. A camera/digitiser installed in the machine that can recognise if a device is attached. If this is the case - the machine would shut down and potentially activate a solenoid mechanism to eject given attached device! Pretty easy to implement, although prone to abuse. Other measures could be a photo of the card reader on the terminal screen to ensure the user knows what the reader 'should' look like. A simple redesign of the whole reader is required ideally, such that every machine is consistent and customers know what to look for.

There are dozens of ideas such of these, but the truth is, it's still cheaper for the banks to refund the customer from their insurance-backed fraud reserve accounts. VISA/Mastercard/AMEX/etc I think take the hit for non-ATM based fraud, although I may be wrong.

Other ATM security measures include: retinal scanners, finger-print readers, push-style card readers, random questions such as press 1,2 or 3 for correct address/DOB/phone number etc. The list is endless, but the banks can't be bothered. It's a small issue in comparison to their entire balance sheet!

For card readers, these are harder to make secure, since the retailer can manipulate/copy or do pretty much what they like. Why VISA/Matercard ever allowed non-secure wireless/BT readers is anyone's guess, but these must be removed from service! They would be transmitting the full card number, PIN, etc every time a card is inserted. Personally, I have always refused to use one and I'm currently (touch wood) one of the few that's never had a card cloned (I also ask my bank for a new card every month or every time I return from a holiday - just in case! They must think I'm very clumsy ;) )

We're of course talking about a global issues, so chip and pin and other such measures are pointless unless every country in the world adopts! You think VISA/Mastercard want to put up that capital?

Btw - does the aforementioned (less than)super market use wireless C&P terminals? I suspect the staff are using concealed cameras in their sleeves/shirts. This is the only way I can imaging they'd be able to clone in such quantities. I'd love to walk in that place with a radio/bug detector. Wouldn't be surprised if they're transmitting that data over to someone sitting in a dodgy LL bedsit or something. These criminal gangs are much more sophisticated than most people imaging and let's face it - how hard is it to get a job behind a supermarket checkout?

Chip and Pin was a complete waste of time in my mind. If anything it make it's worse, since the ATM pin is the same as the VISA pin, so cash can be taken from an ATM if someone gets a glimpse of you typing your pin at a retailer. Money would have been better spent on a random question process in my opinion.