debit card fraud

This is the place for posts that don't fit into any other category.

Moderator: RichardW

mark_sp
Posts: 230
Joined: 13 Apr 2003, 00:47
Location:
My Cars:

debit card fraud

Post by mark_sp » 16 May 2004, 04:15

Not sure if this one will get thru as it's not really cit related but here goes anyway.
Does anyone have any experience or knowledge of debit card fraud as I have recently been on the receiving end to the tune of £1150.
The investigation is ongoing by the Bank and Police but it is looking unlikely that I will get the money back due to the fact that the fraud does not fit the usual profile.
My wifes debit card was cloned (we have identified when and where - a 2.5 hr period when the card was left unattended in my wifes bag in a locked hotel room) but instead of buying goods and obtaining cash back (the norm) the money was taken from a series of ATM's.
That is the sticking point, in theory a PIN number is required. Now we know that the PIN number was not with the card, in fact the number has never been written down and during the period in question we did not use an ATM so no one could obtain the PIN that way.
So logically there are only two conclusions:
Either we are lying and the PIn was written down, in the bag with the card - the Banks probable opinion.
Or the Fraudsters know how to bypass the requirement for a PIN - our Opinion.
No one I have spoken to has experienced this including our own fraud dept, and I work for a large Retailer.
So anyone out there any experience of fraudulent ATM withdrawls without the possibility of the fraudsters obtaining the genuine PIN ?
Oh just realised I could have bought a nice 1998 1.8 Xantia for the amount of money I've just lost, or maybe fixed the 70k HDI clutch failure ?
Worse things happen at Sea.
Mark
0x

alan s
RIP 2010
Posts: 2542
Joined: 26 Jan 2001, 16:53
Location: Australia
My Cars:
x 4

Post by alan s » 16 May 2004, 05:12

There has been a thing happening out here that was started & devised in Asia where they have mini cameras set above ATMs & terminals and record your PIN number.
Common places are usually busy situations where there's a constant stream of people & as a result the users don't have time to notice something a bit different like a disguised camera. I think it's called "skimming."
Most people who have been stung were unaware of how or when they were got at just like you are.
Might be worth doing a search on our news services to find a bit more detail on it.
Even our Government Agencies websites could have more info.
Alan S
0x

Sl4yer
Posts: 853
Joined: 12 Apr 2003, 04:29
Location: United Kingdom
My Cars:

Post by Sl4yer » 16 May 2004, 05:16

I know its late at night, and I've read your post a couple of times...but how do you know when the card was cloned? Its becoming more common to hear of these cash machines fitted with a 'false throat' to get the card and PIN details. There was a case recently at a supermarket in Gloucester.
I can't believe there is a way to bypass the PIN entry. Stick to your guns (that the PIN was not with the card). Most ATMs have a camera - suggest the police take a look at that instead! As far as I would be concerned, if it isn't you or your wife making the withdrawls, you're not liable. Don't give in!
0x

mark_sp
Posts: 230
Joined: 13 Apr 2003, 00:47
Location:
My Cars:

Post by mark_sp » 17 May 2004, 02:49

Sorry chaps but you have misread my posting. The card was not used by my wife in a cash machine so the PIN was not obtained there. We have identified the only time that the card was not on my wife and that was a 2.5 hr period when the card was left unattended in her bag in a locked hotel room while we ate dinner. The following day we departed the hotel and the fraudulent transactions started. We have no doubt that the card was cloned during this period, probably by a member of the hotel staff. The first fraudulent transactions were at an ATM only down the road from the Hotel, but of course we were 260 miles away by then.
Mark
0x

rossd
Posts: 420
Joined: 16 Mar 2001, 21:18
Location: United Kingdom
My Cars:

Post by rossd » 17 May 2004, 13:19

This must have happened over a period of time, dont banks limit the amount that can be withdrawn to something like £250 a day? Sorry to hear about it though, the scum that do this should be locked up and the key thrown away.
0x

Homer
Posts: 1428
Joined: 26 Feb 2003, 11:52
Location: Yorkshire
My Cars:
x 5

Post by Homer » 18 May 2004, 01:45

<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote"><i>Originally posted by mark_sp</i>

Or the Fraudsters know how to bypass the requirement for a PIN - our Opinion.
<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
That may be your opinion but I assure you it is not possible. The way the systems work it cannot be done. The ATM sends your PIN (encrypted) to either your bank/BS or LINK. There is no way of getting money (or even a blanace) without it. If you have an idea how it can be done then I'll tell you why it won't work.
I'm afraid they have got hold of your PIN somehow.[:(] What did you do with the PIN advice slip after you recieved it?
How long was it between the time you think the card was cloned and the first transaction? What makes you think it was that period, it only takes seconds to clone a card, it could be missing and returned without you knowing.
Your one hope is that one or more of the ATMs did house a camera (there's more out there than you might think, I know 50% of our ATMs have a live camera) which will show you did not make the withdrawal. Even then the Bank may well take the attitude that you might have given someone else the card/PIN. But if they catch the culprit then you might find out how they got hold of the PIN, which could go in your favour.
0x

mark_sp
Posts: 230
Joined: 13 Apr 2003, 00:47
Location:
My Cars:

Post by mark_sp » 18 May 2004, 14:59

Homer
Your opinion is I'm afraid what I expect the Banks to be.
The PIN no was issued several years ago and was immediately changed to a more memorable number (for my wife) that was never, repeat never written down.
My assumption that the PIN was bypassed is based on the fact that during the period preceeding the fraud (the card was cloned while we were on holiday) my wife never used an ATM so there would be no way for the Fraudster to capture her PIN.
I did not realise some of the ATM's have a camera and as you say although it's only a slim chance it may be something in our favour.
Now with regard to encryption etc:
I work in the IT industry (although not in Finance) and it is my opinion that the old saying "what man can make, man can break" is still applicable.
I've done a little bit of research and discovered some interesting items (I won't call them facts) For example I have discovered that in the past there was a way to manufacture a card that when used allowed a PIN no to be selected, although this loophole was closed years ago.
Also there are only 10,000 possible combinations with a 4 digit PIN but there exists a formula to crack a PIN in only 15 attempts.
I have heard of one other case that is similar although I can't get hold of much detail but that person lost the lot.
Anyway took a quick poll at work and astonishingly (to me) approximately 1 in 3 people had been a victim but all had been the "card not present" type of fraud.
Mark
0x

Homer
Posts: 1428
Joined: 26 Feb 2003, 11:52
Location: Yorkshire
My Cars:
x 5

Post by Homer » 19 May 2004, 02:24

<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote"><i>Originally posted by mark_sp</i>

Now with regard to encryption etc:
I work in the IT industry (although not in Finance) and it is my opinion that the old saying "what man can make, man can break" is still applicable.<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
Hmmm... It would require a level of access not available to your common criminal. Almost certainly an inside job. There <i>should</i> be checks and procedures in place to prevent such abuses.
<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">I've done a little bit of research and discovered some interesting items (I won't call them facts) For example I have discovered that in the past there was a way to manufacture a card that when used allowed a PIN no to be selected, although this loophole was closed years ago.<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
The Midland Bank (as was) used to print everything required to clone a card on the ATM reciept, all that was missing was the PIN. It was a simple matter to watch someone typing in their pin then cause them to leave without taking the reciept. They closed that one too.
<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">Also there are only 10,000 possible combinations with a 4 digit PIN but there exists a formula to crack a PIN in only 15 attempts.<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
You only get 3 attempts. Cracking it in that would be pure luck. Cracking it in 15 would require more feedback than you get from the ATM network.
<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">Anyway took a quick poll at work and astonishingly (to me) approximately 1 in 3 people had been a victim but all had been the "card not present" type of fraud.<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
I got stung for £700 on my Visa card, that was a web based transaction and I got the money back very quickly. Still none the wiser as to how or when they got my details.
<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote">The PIN no was issued several years ago and was immediately changed to a more memorable number (for my wife) that was never, repeat never written down.
....
(the card was cloned while we were on holiday) <hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
Can you be sure the card was cloned while on holiday? I don't see how you can.
If there is really no way anyone could have found out or guessed the PIN then maybe the fraudsters just had a lucky guess (unless the PIN was 1234). It's not usually the way they go about things but it could happen. Usually they will take steps to get hold of the PIN, even ordering a new one and waiting for your postman.
I have heard a number of similar stories. Of those which were solved it turned out to be a friend or family member.
Stand your ground, the Bank may decide to take part of the loss.
Unfortunately the Bank can't simply accept your word because then they would have everyone claiming their cards had been used in the same way.
0x

PowerLee
Posts: 1256
Joined: 01 May 2004, 19:49
Location: United Kingdom
My Cars:

Post by PowerLee » 19 May 2004, 02:27

"Also there are only 10,000 possible combinations with a 4 digit PIN but there exists a formula to crack a PIN in only 15 attempts"
Ok then smarty
Try & crack the PIN to my Peugeots Keypad or my bank card in 15 attempts or less!
0x

Jon
x 48

Post by Jon » 19 May 2004, 03:28

Talking of all this, has anyone got a Chip and PIN card yet other than me??
What a shambles. My Credit card expired end of April and the new one issued is Chip & PIN. I read the letter with the new card, and a few days later the PIN number arrived too. No problem, I thought.
I went to use my new card last week to buy some diesel whereupon it was declined, which was pretty embarassing, luckily I had enough cash on me. (This was declined by ye olde traditional card machine). It seems that if the machine was a new chip and PIN type and I'd entered the correct PIN then it would have been OK.
I called the Card issuer and explained. Seems that theres very few chip & PIN machines about and my card must be "verified" by going to an ATM, keying in PIN then selecting the "Confirm PIN" option. So I did.
Then went to use card at Wickes 3 days later for a massive £15.92 and it came up as "Refer". Again I paid cash.
I should point out here that I pay my monthly bill by Direct Debit, I'm lots in "credit" and theres no reason to reject my card.
Security is all well and good, but if my experiences are anything to go by...... perhaps the banks hope that we'll all go to the Cashpoint instead and take out cash on our Credit cards thus making them a fortune? Forget paying for goods in a shop if my experiences are anything to go by.
Sorry about my rant and my sympathies to Mark and his partner anyway.
0x

Homer
Posts: 1428
Joined: 26 Feb 2003, 11:52
Location: Yorkshire
My Cars:
x 5

Post by Homer » 19 May 2004, 11:53

<blockquote id="quote"><font size="1" face="Verdana, Arial, Helvetica" id="quote">quote:<hr height="1" noshade id="quote"><i>Originally posted by Jon</i>

and it came up as "Refer". Again I paid cash.
<hr height="1" noshade id="quote"></blockquote id="quote"></font id="quote">
If it is coming up refer then that is not the same as being declined. It means the bank want the shop to ring and make a few more checks to make sure you are who you say you are. At least that's how I understand it but I don't deal with CCs (well only as a customer).
I would guess you'll get the same thing until you get a shop assistant who actually knows what they are doing and can be bothered with the extra hassle. By aborting the transaction and paying cash you are making the attempted transaction look suspicious.
I've got a chip and pin card but not had the pleasure of using it with the pin yet (It's working fine in the old style swipe machines). Personally I can't wait, my signature is rarely anything like that on the card and I always have a moment of dread expecting to be turned down. The fact that my dodgy signature is never questioned is even more worrying.
0x

Dave Burns
Posts: 1916
Joined: 14 May 2001, 05:30
Location: United Kingdom
My Cars:

Post by Dave Burns » 19 May 2004, 23:47

My debit card is chip and pin, used it the other day at a branch of machine mart no problems at all, no problems with it old style either, not impressed by the wappy little hooded keypad though, any prying eyes wouldn't have much trouble getting a gorp at your number if you used it in a nonchalant fashion.
Dave
0x

mark_sp
Posts: 230
Joined: 13 Apr 2003, 00:47
Location:
My Cars:

Post by mark_sp » 20 May 2004, 20:13

Jon
I was sent 2 Chip and PIN cards, presumably because one was in the pipeline anyway and the other because my original card was stopped due to the fraud. I took both to my local ATM and tried them both to determine which one worked. I felt uncomfortable trying both cards but no one in the crowd of onlookers (whatever happened to the privcy zones ?)even tutted.
One fact that is worth remembering is that with a credit card you are spending the credit card companies money (okay it has to be paid back)but with a debit card you are spending your own money. This is very significant if you find yourself in my position, and probably also explains the better security measures that the credit card companies have.
Mark
0x

Jon
x 48

Post by Jon » 21 May 2004, 13:29

Re my Chip and Pin card, turns out that it had not been activated! Should have read the letter that came with the PIN more carfully, for extra security my CC Company do not activate the new card until you phone up and answer some security questions.
0x

dnsey
Posts: 1531
Joined: 20 Oct 2004, 01:39
Location:
My Cars:
x 11

Post by dnsey » 24 Oct 2004, 01:34

I've only just discovered this thread, but thought you might be intersted in the following.
Until recently, when it was refurbished, the ATM at the local branch of my Bank had two keys which were clearly worn more than the rest. It happens that these keys corresponded with two of the digits of my PIN - and presumably of most (or all?) other customers'! Rather inceases the odds of an intelligent criminal guessing the number, doesn't it? Interestingly, I remember reading about a similar technique being used to crack a security code in a fictional thriller, so I guess the technique is well known.
0x