Thousands of credit cards recalled

dahamsta · 23-06-2003 5:57pm #1

Curious.

Thousands of credit cards recalled
23/06/2003 - 2:19:52 pm

Thousands of Visa and MasterCard customers are having their credit cards re-issued.

This follows an internal security scare in the US.

AIB, Bank of Ireland and Permanent TSB has written to up to 3,000 customers whose cards may have been compromised.

However, the exact nature of the problem has not yet been revealed. It is not known if clients attached to other banks may have been affected.

zz03 · 24-06-2003 9:37pm

Originally posted by dahamsta
Curious.

Glad I’m not one of these cardholders depending on a card branded by either VS or MC from an Irish bank left moneyless while on holiday or on a business trip.

While they haven’t disclosed what type of fraud is involved both companies have been grossly negligent in not converting all cards to the smart variety over the past 20 years or so as they did in France.

If everyone had to use a PIN at the point of sale and when shopping online the card number itself would be useless in a card scam. (The 3 digit security code printed on the signature band is a real useless dumb down and can be copied by any waiter when he goes for a walk with someone’s card while they are finishing coffee).

Anyone attempting to guess the PIN would only have three attempts to get it right. And the card wouldn't leave their sight because the card machine would have to be brought to the table for PIN authentication.

The Irish banks say don't let the card out of your sight - yet they refuse to install wireless PIN based card machines in establishments such as restaurants. Why? What is www.odca.ie doing about it? Nothing. What is www.centralbank.ie doing about it? Nothing.

One doesn’t perhaps mind card companies being negligent if one doesn’t have to pay or suffer inconvenience as a result (ie it comes out of their pocket), and they pay you €100 per hour between the time they stop your perfectly good card and deliver the replacement to you by messenger!

Unfortunately it is the cardholder or the innocent retailer that invariably suffers. I did a quick search and aside from the Netherlands there hasn’t been any mass stoppage of cards reported. In the NL case they were stopped on the 13th of June. A week before the Irish banks pulled the plug!

Doesn't pass the smell test.

zz..

sceptre · 24-06-2003 10:45pm

Excellent post/rant, zz03. Agree with all of it.

LumoColor · 25-06-2003 1:00pm

This is not the first time this has happened, a couple of years ago I got a credit card statement with loads of PC equipment ordered from a web-site in the US. After spending x-amount of time trying to sort it out with the card issuer, I finally got to the bottom of what had happened.

The whole batch of 2000-4000 cards had been comprimised and some nasty hacker types had the numbers, check digits and expiry dates, went on a massive spending spree on-line in the us, hitting all the cards to the limits.

Dumb really, they should have simply checked the delivery address against the card-holder address's.

Bottom line is that the e-tailers' involved took the hit. Just my card was hit for 4000 ukp. Id love to imagine what the total for the batch was.

dogs · 25-06-2003 2:33pm

Originally posted by zz03
While they haven’t disclosed what type of fraud is involved both companies have been grossly negligent in not converting all cards to the smart variety over the past 20 years or so as they did in France.

Good point but at the moment it would appear that credit card companies are happy to live with the cost of theft and fraud and see no real need to change it. It's a pretty insecure system riddled with large gaping security holes especially when it comes to physical security. How many times have you gotten a credit card receipt with your full card number on it ?

I dont think there will be any real change until the level of fraud or consumer fears gets so high that they simply have to.

theciscokid · 25-06-2003 2:41pm

Originally posted by LumoColor
Dumb really, they should have simply checked the delivery address against the card-holder address

Lots of people use their mates credit cards to get stuff which would be shipped elsewhere (abroad too!) or book things and get the goods/services delivered to an address which isnt the cardholders

theres so many transactions like this these days, its hard to tell what would be genuine and what would be fraud

Imposter · 25-06-2003 2:47pm

Originally posted by LumoColor
Dumb really, they should have simply checked the delivery address against the card-holder address's.

Eh NO..
What if these purchases were presents to be delivered direct to the recipient of the pressie?
What if (like me) you live abroad and want something delivered to your proper address and not some friend/family member in Ireland or wherever?
A lot of ECommerce sites do this and they lose a lot of business because of it. Also getting an answer from them as to why they have such policies in place (considering the CC company coughs up on the insurance in the event of a problem with the card) is impossible.

.. and other what if's I haven't thought of yet.

LumoColor · 25-06-2003 7:27pm

Most decent e-tailer's ask for 2 addresses, card holder address and delivery address. A good example of this is dabs.com or overclock.co.uk.

As for the insurance company coughing up, not in this life. The credit card companies line on this is "card-not-present transactions are retailers risk" hence the retailers are the ones losing out, whilst the credit card companies sit back and cash in on thier transaction fee's (typically 2-7%) of transaction value and provide a totally unsecure service.

zz03 · 25-06-2003 8:17pm

Originally posted by dogs
Good point but at the moment it would appear that credit card companies are happy to live with the cost of theft and fraud and see no real need to change it.

Because they pass the CNP fraud risk (cardholder not present) to the retailer. Other fraud costs are passed on in the form of the high interest charge imposed on suckers who borrow on their cards and fees paid by retailers. Or to the cardholder who doesn't spot the odd fraudulent entry on their bill.

It's a pretty insecure system riddled with large gaping security holes especially when it comes to physical security. How many times have you gotten a credit card receipt with your full card
number on it ?

Not only your full credit card number, but the card expiry date and the cardholder's name! All on the same slip of paper. This is happening particularly in shops who do their own card processing on their POS system.

I dont think there will be any real change until the level of fraud or consumer fears gets so high that they simply have to.

If the Irish banks don't PINize credit and debit card at the point of sale fraud rates in Ireland will go through the roof shortly. Britain has the largest card fraud in the EU at present. When British plastic card processing requires a PIN, the large body of criminals living off card fraud in GB will have to move to a neighbouring country. They would be wasting their time in France so where will most of them go? Me thinks IE. This will transplant a large sack of fraudsters into a much smaller economic pool. The impact on Ireland could therefore conceivably be much greater.

zz..

zz03 · 28-06-2003 9:47am

Articles in the IT yesterday and this morning state that Visa International knew about the stolen card numbers on April 30 and only alerted the Irish banks recently. "We were alerted probably on the Monday or Tuesday," (of last week) an AIB spokesman said.

The scam was discovered when security cameras picked up the license plates of a black Lexus leaving a shopping mall in "Montgomery Co" the driver having bought 3 x DVDs for $400 each using a skimmed card copy - which led investigators to their home, bla bla bla.

1) This fraud would be impossible in a smart card environment.

2) Why did it take Visa two months to alert the Irish banks? I have noticed in the past when one reports a stolen card to Visa international while travelling, they start sending "teletypes" (presumably basically old fashioned telex messages) to their European field office in London England and then a few days later the London England office sends another teletype to the cardholder's bank. Can take several days - meanwhile the crook who stole your card is probably using it to his/her hearts content.

In the Lexus they found 600 pages of credit card numbers (40,000 cardholders). Surely Visa should have immediately OCR'd those card numbers and at a very minimum have a mechanism in place to put a warning flag on the issuing bank's system against each affected cardholders' account - within hours? Why did it take two months?

Is it any wonder that card fraud is so prevalent when the main parties involved are so grossly negligent?

Is it not time that Europe had its own card clearing system like Japan? One that doesn't involve cost inflating conversion of transactions into dollars? Smart cards only. With the option of text message verification for abnormal transactions? (eg you buy a PC for EUR 3000 and the bank sends you a text message to your mobile requesting that you reply with a yes or no before they release an authorization code).

zz..

sceptre · 30-06-2003 10:27pm

BBC article

Now the Pin is mightier than the pen

Say goodbye to signing your credit card slip. As the pen makes way for the Pin in a new pilot scheme, beating high street fraud is now a hi-tech challenge.

Shoppers who pay for their goods by card rather than cash can forget about signing on the dotted line in future. Instead, we will be asked to tap out a Pin number to authenticate the card.

The change is part of a new drive to stamp out credit card fraud, a crime which accounted for losses of almost £½bn in the UK in 2001.

Shops and shoppers in Northampton are already trialling the new system, which, it is claimed, will almost wipe out the card counterfeiters overnight.

The scheme, which will be rolled out across the UK and the rest of the world, is known as Chip and Pin because it relies on the combination of a microchip embedded in the card and a Pin number.

In the more distant future, the technology could be adapted, say those who helped develop it, to use "biometric" testing such as iris and fingerprint scanning.

Its introduction will be welcomed by the likes of politician Ann Widdecombe, who became a high-profile victim of credit card fraud when her Barclaycard was cloned. The culprits went on a 10-day spending spree which culminated in them running up a £2,500 bar bill.

Every year, thousands of card users are shocked to find rogue transactions listed on their monthly statements - the result of card counterfeiting.

Much of this is down to so-called skimming - the copying of details held on a card's black magnetic strip. Counterfeiters simply write the copied information on to a bogus card and go out shopping. The receipts are charged back to the original cardholder.

However, cards with embedded chips are much harder to clone, and the growing number of these helped cut counterfeit losses last year from a 2001 peak. The latest step of adding a Pin number deals with the problem of criminals forging signatures on stolen cards.

The French introduced their own Chip and Pin system 10 years ago, and saw card fraud drop by 80%. Australia and New Zealand also use a similar scheme.

"At the time the French didn't have much card usage - only about 20-25,000 places accepted them," says Mike Hendry, Chip and Pin's technical and operations manager. "But they also had relatively much higher fraud than us. So the urgency was greater and it was easier to do something."

But the French security is not tight enough, says Mr Hendry, hence the need for new technology. The system being used in Northampton is based on a new international standard, developed with the world's two biggest credit card companies, Mastercard and Visa, and will be rolled out globally in the coming years.

A chip holds the same personal data as a magnetic stripe - cardholder name, number, expiry date - but can lock it in more effectively, using sophisticated encryption.

But while Chip and Pin tackles counterfeiting, a big growth area for fraudsters is "card-not-present" purchases, such as goods bought on the internet and over the phone.

Fraud in this sector grew by 15% last year, accounting for losses of £110m. Usually card details are taken from discarded receipts or copied down without the cardholder's knowledge. In the future, says Mr Hendry, mobile phones could be fitted with card slots, to verify these sorts of transactions.

So does this new system spell an end to card fraud? Probably not, admit the experts, who are locked in a cat-and-mouse game with criminals.

"Protecting a card transaction is like protecting any other asset. You build your walls based on how high is the highest ladder," says Mr Hendry.

But the in-built flexibility of the Chip and Pin system leaves room for improvement. One day biometric information unique to the individual, such as fingerprint details or iris patterns, could be stored in the card.

Other options are for signatures to disappear from the back of cards and be digitised in the memory of the chip instead, and for voice recognition. But such security additions are not cost effective at this stage and the technology is not up to the job.

Further in the future, says Mr Hendry, the credit card might shrink to the size of a thumbnail.

"After all, the chip in a card is all that's important and that's no bigger than a mobile Sim card. So you could have a contactless card, embedded in a keyring, that you just wave in front of a reader. It would be quicker and you would never need to hand it over to someone else."

zz03 · 01-07-2003 10:22am

Originally posted by sceptre
BBC article

Fascinating how they paint the smart card (invented in 1974 by Roland Moreno), which hundreds of millions of people across the world use on a daily basis in their mobile phone, payphones, workplace security system, movie rental machines, car parking access, debit and credit cards, etc (almost) as a new invention being foisted on the world from Northampton!

Not to mention the bit of de rigueur subtle anti-French propaganda.

At least most of the people who have posted comments to the BBC website aren’t fooled.

zz..

Capt'n Midnight · 06-07-2003 1:11am

I think it was in the UK where they used a simple thumbprint scanning device. Needless to say retail fraud rates dropped.

So as an intrim soultion let's use thumbprints -but not to validate the card - but just to record who had used it..

It could be implemented very quickly as it does not need to tie in with authentication systems - (POS serial input ?) all you need is to store the thumb print and the time. If there is fraud the thumb print goes to the Gardai.

There are no civil liberty implications - the credit card company & retailer already know it was you there at that time... and people without thumbs are very few - if you loose a thumb the SOP is to replace it with your big toe..

(just wondering could you get done for personation as well as fraud ?)

zz03 · 06-07-2003 10:14am

Originally posted by Capt'n Midnight
I think it was in the UK where they used a simple thumbprint scanning device. Needless to say retail fraud rates dropped.

So as an intrim soultion let's use thumbprints -but not to validate the card - but just to record who had used it..

Big deal! You've managed to buy 3 DVD players in the shop with a stolen card and they have your thumb print! Your gone and so are the DVD players.

It could be implemented very quickly as it does not need to tie in with authentication systems - (POS serial input ?) all you need is to store the thumb print and the time. If there is fraud the thumb print goes to the Gardai.

Do the Gardaí have your thumb print on file?

There are no civil liberty implications - the credit card company & retailer already know it was you there at that time...

There are civil liberty implications. The taking of fingerprints is associated with criminality. If anyone tried to fingerprint me while shopping I would leave them with the trolley of merchandise to put back on the shelf!

On a straight credit card purchase the retailer doesn't know who you are (in terms of identity) other than a "Jane Doe" name and a 16 digit card number.

There are two elements to stamping out fraud at the point of sale.

(a) Eliminating counterfeit cards. The chip card does this. It would cost a criminal zillions to replicate a chip card - ie it is uneconomic for them.

(b) Making sure that the card holder is a permitted cardholder. The PIN does this.

PINs are more secure when they have six digits and can be changed by the card holder.

The main reason for biometrics on ID card checking systems (as opposed to payment cards) is to prevent the ID holder giving their identity to someone else. People are unlikely to give their credit card and PIN to a total stranger.

You don't need anything more than a smart card and PIN to get POS card fraud down to miniscule amounts. If/when anyone compromises the authentication system used, the software in the chip cards can be updated at POS and ATM machines automatically the next time the card is used.

zz..

Capt'n Midnight · 06-07-2003 11:33am

Witness the recent events where people have been kidnapped and held whild another of the gang go to the banklink machine.

Also the main point is credit card companies could start rolling that out next week - while preparing for smart cards - and without needing to change their systems... that is if they felt a need for it..

And no the Guards might not already have finger prints - but if you are a repeat offender then if you are caught yo'll be caught rotten.

And there is no point asking the Govt for guidance - at this stage if you have credit/debit cards it's nearly cheaper to use a foreign bank .... - considering how much a credit card costs - Tax + X%
of all purchases - and how little smart cards cost ( less than 1c) there is no excuse.

zz03 · 06-07-2003 3:54pm

Originally posted by Capt'n Midnight
Witness the recent events where people have been kidnapped and held whild another of the gang go to the banklink machine.

I suspect there are a few delightful individuals out there who wouldn't hesitate to chop your thumb off if they thought they could use it to get their hands on your loot.

ATM transactions are typically limited to a thousand or so Euro to cap this risk. The world has been using PIN based ATM cash withdrawals for years without a big problem. The non-Continental European world has been using signature based credit and debit cards with billions of Euros of fraud being incurred. This fraud is being paid for by bank customers in ultra high interest charges, high credit card fees imposed on retailers and anywhere else they can extract money.

The key issue is that the specimen signature on the back of a credit or debit card is rubbish and the mag stripe card is easily replicated. It doesn't require an intrusive laser beam in one's eye or a finger print to remove this risk.

zz..

Jokah · 28-07-2003 2:15pm

Those curious about credit card fraud go to the sites

www.safecard.ie

www.chipandpin.ie

Opinions welcome.

Jokah · 28-07-2003 3:12pm

All I say is

a) Never leave your card out of your site when paying for a good or service. Even if you are trollyed drunk go to the register and hand your card if paying for a meal.

b) Chip cards being introduced in Ireland will help cut down on Lost/Stolen Cards and Counterfeit Cards.

c) Card fraud will never go away. Prevention is better than cure?

People are usually smart about their credit cards. Always check your statements. Always dispose of your credit card receipts when you have finished with them and no longer have a use for them...

Anything suspicious on your card statement report it.

It can happen to you any time.....

Chip and Pin is excellent for Ireland. www.chipandpin.ie

Learn more www.safecard.ie,

ecksor · 28-07-2003 4:56pm

Has anybody here actually lost money due to credit card fraud? As in, someone used your credit card and the losses weren't covered by your credit card company.

Jokah · 28-07-2003 5:07pm

The banks are very good at picking up things with regard to credit card fraud. If they see a dodgy transaction going through they will usually ring you and ask to see if you have just bought something.

If u can prove that u have been a victim of credit card fraud the banks will usually take your word for it. If YOU can prove it.

For example, if your card was compromised without your knowing it and the fraudster bought items in america using your details and you didnt know about it until a month later. You have this massive bill and you dont know anything about it.....

if you can prove that you in fact were not in america when the transactions were made your sorted.

also banks usually pick up errors on cards. E.g. You card is compromised you don't know anything about it. You card is used in say spain to buy stuff. Then that day you yourself say bought something in your local shop a couple of hours after the fraudulent purchase.

The banks will query these kind of things....banks want to keep their customers...usually its the banks that get hit for money unless they can catch the B******s....

I work in this whole area so its handy to know...

:cool:

ecksor · 28-07-2003 5:17pm

I think everyone knows you work in this area after posting links to your sites on two different threads.

And that's my point, if you are generally well covered then what's the problem? As long as I'm not going to get raped by fraud, then the cost/benefit analysis of rolling out a new infrastructure is the business of the credit card companies and I'm happy to leave it to them.

Jokah · 28-07-2003 5:18pm

Im associated with those sites dude.

And yes I agree with your point...thanks

Thousands of credit cards recalled

Comments