Rory Cellan-Jones is discussing forums where people discuss credit card fraud.
In the last few days, I’ve entered a whole new web world. It’s a place where people speak of getting “dumps… sniffed from ATMs” or using “blinds to cash out” or getting data through “rj 45 taps.” The language belongs to a criminal community – the people who make a living out of credit card fraud.
I can’t say that I am over surprised by this. I’ve had credit cards for about twenty or so years. During that time, I’ve never had one stolen, yet in the past couple of months two have been compromised. Fortunately, the compromise was spotted and nothing was lost. However, both are Chip’n’PIN, which is interesting.
Don’t let anyone tell you that Chip’n’PIN is secure. It isn’t – that is probably the biggest example of credit card fraud yet let loose on an unsuspecting public.
As one commenter points out:
So what exactly was the point of chip-and-pin? Since its introduction I’ve had my card used fraudulently on three different occasions, and the card has never been out of my possession.
Quite. My experience, too.
So if these rat-bags are able to clone cards and bypass whatever security the chip-and-pin system was supposed to provide in the first place, why did the banks bother with it?
To protect themselves, I suspect.
In your travels on this topic, have you come across the Cambridge University thoughts on the topic? Have a look at their blog “Light Blue Touchpaper” and the Phantom Withdrawals web site that they run. They also ran the Chip & Spin website when the banks first proposed offloading their liabilities in this manner.
Oh yes, your guess about self protection by the banks was spot on.
I hadn’t. I’ll check ’em out tomorrow. Thanks.
“To protect themselves…”
It certainly seems that way. My mother recently got a call from her bank to ask her if she was at home, or in China. Apparently, she had used her card in the local Morrisons and one of the ‘back room’ boys had recently absconded with all the card details from their records (as we learnt from the local paper). Data security…?
At least it made a change for card-swiping at the till!
JuliaM’s last blog post: Another Day, Another Outrageous Extension Of Powers…
I think you’re slightly missing the point here.
C&P is currently secure (not ‘uncrackable’, but ‘current technology makes it unviable to crack and there’s no evidence of anyone having done so’).
The frauds that take place involve the use of cards, whether or not they’re C&P-enabled, in non-C&P readers – either fake magstripes or cardholder-not-present transactions. And when you’re the victim of a fraudulent non-C&P transaction, the bank will always rapidly refund you and debit the merchant (as it’s the merchant’s responsibility).
C&P was introduced partly so that banks could justify shifting this liability to the merchant – but also because it is, really really obviously, more secure than magstripes. I’ve got no particular electronics/forgery skills, but I could clone a magstripe card given a few hours and £50 worth of kit; whereas even Ross Anderson currently can’t clone a chip-and-pin card.
john b’s last blog post: Mental anti-pie
It’s unviable to crack the chips because there are softer targets, as the article suggests. Which, I suspect, is why I recently experienced inconvenience twice within a matter of days – the old cardholder not present fraud. I still don’t know where the security vulnerability occurred, so it is difficult to close the gap. To be fair to the banks concerned, they picked up the fraud quickly enough to stop any fraudulent transactions – all of those they questioned me about were legitimate. Something must have tipped them off, but they aren’t saying.
The other issue I notice cropped up in the discussion is the weakness inherent in keeping the magstripes. A webcam and reader at a cashpoint gives the fraudster all he needs – and the chip is irrelevant.
Chip ‘n’ PIN has been sold to the public by the banks as a means of reducing fraud. By directly copying chipped cards maybe, but is credit card fraud on the decrease? I wonder…
What it does appear to have done is allow them to shift the responsibility when things go wrong.
john b wrote: And when you’re the victim of a fraudulent non-C&P transaction, the bank will always rapidly refund you.
The track record is that they won’t. You can follow your link to Ross Anderson’s site and have a look at their Newsnight clip, or have a look at this one from Watchdog: Chip and PIN Fraud
Yay (?Watchdog ?Panorama) for dumbing-down-tacularity. The whole point about the Ross Anderson exploit is that it’s got no imaginable viability in real life, and absolutely couldn’t drive the frauds that the victims in the clip say they were done by.
It’s disappointing that the people in the video are too trusting to accept that people they trusted with their cards and PINs have nicked them and stolen their money; separately, it’s quite possible that a non-zero number of frontline call-centrists have given the wrong advice to people who’ve had their money stolen through magstripes or numbers.
But c’mon – unless you believe the Israelis did 9/11 and Henry Kissinger shot JFK, equating the convoluted stunt in the video to ‘chip and PIN fraud is a serious possibility given the current state of technology’ is a bridge too far…
john b’s last blog post: Mental anti-pie
Responding directly to the comment, rather than my slightly drunken digression – if you’re a victim of a non-C&P fraud, then they will quickly refund you and there is no evidence otherwise because that’s just the case.
If you appear to be the victim of a C&P fraud, then you’ve got troubles – but given my comprehension (having read all of Ross Anderson and his team’s work) of the likelihood of hacking the system, vs my comprehension of how fraud pans out in real life (given a healthy following of the crimes reported in the local paper when I was a kid), I’d be amazed if they weren’t accounted for by people with access to the card and PIN who’d never do such a thing because they’re good boys and girls…
john b’s last blog post: Mental anti-pie
Speaking to other people who have been affected, the speed of refund appears to be related to whether it’s a debit card or a credit card. Being really cynical here – it depends on whose money has been lost. In the case of the credit card, the retailer is left holding the baby and the bank loses nothing. If it’s a debit card, they seem a little more tardy with the refunds as the money has left the account and the bank will have to refund the money to the defrauded account holder.