Visa/MC/EC/AX card fraud - been to Spain over the past few months?

probe

The German banks are in the process of replacing debit and charge cards of cardholders who have visited Spain over the past few months. A data theft incident in Spain appears to be the culprit. The story is still unfolding this evening.

Cardholders from all over the world who have used their cards in Spain recently are also likely to be affected. The stolen card numbers appear to be used for CNP transactions (online shopping, telephone or mail order).

The Spanish card industry is still living in the dark ages, and few retailers have EMV card terminals or seem to know the difference between an EMV PIN based card and an old fashioned card. One suspects that their banking system is in a similar slumber. No amount of checking "documentos" (showing your national ID card as well as your payment card, as is the norm in Spain) fixes this problem.

There are no real "credit cards" in Germany (as known in the US, GB and Ireland - ie revolving credit) - when you use a German Visa or MC card it hits your bank current account immediately or is charged in full to your bank account by the end of the month, matching when your salary gets credited. Sound money policy. The same applies in other continental countries.

People who see money fraudulently vanishing from their current account in real time are going to be screaming louder and faster to their bank and the police, compared with those living in the Anglo-Saxon dreamland of extended credit, who get a separate "credit card bill" in the post long after the reality hits the banking system.

If you have used a card in Spain recently, check your statement carefully and track it online regularly for unauthorised transactions - until it is replaced or expires. I suspect some fraudsters often hold off on using fresh card numbers for a few months in the hope that people forget about the news.

Capt'n Midnight

It doesn't matter how the frauds were commited , the point being that the public have been told things are more secure , whereas the reality is that the public have less comeback and the banks now have an opt out clause.



The problem with chip and pin is not technical.

The technical problems are
you can fall back to using magnetic stripe info
you can read the pin using a compromised reader, or with an uncompromised reader redirect the transaction with a man in the middle attack to one of a greater value
etc.


The problem the banks have transfered the risk to the customer, had the banks kept all the risk for credit card fraud then we could at least assume they would have a financial interest in making systems secure and we would not be out of pocket when the dust settles.


Instead it's us that loose out and the banks only need to spend as much on security as will stop customers leaving in droves as there is no direct cost to them :mad::mad::mad:


Personally I would like to have two credit cards. One with a chip and another with a magnetic stripe.

When using the stripe I would know that it's less secure but conversally I should be covered by the bank because I'm not using the supposedly secure chip and pin method.
If I use the chip and pin card then yes it's more secure, but I would also know that the bank won't cover any fraud committed with the card.

LookBehindYou

I have an aib credit card and viewed it today to see there was 1200 euro spent on ryanair tickets.
The tickets were bought on 12 th dec hit my account on 15 th dec.
the flights were used on 13th from poland.
i did not lose my credit card, and if i had no internet banking i would not realise it until i get a statement next month.
i got the card blocked.
the question is : will i get the refund of the 1200 euro.

probe

LookBehindYou wrote: »

I have an aib credit card and viewed it today to see there was 1200 euro spent on ryanair tickets.
The tickets were bought on 12 th dec hit my account on 15 th dec.
the flights were used on 13th from poland.
i did not lose my credit card, and if i had no internet banking i would not realise it until i get a statement next month.
i got the card blocked.
the question is : will i get the refund of the 1200 euro.

Yes if you pursue it. EU law transfers liability to the "merchant" (ie Ryanair) for CNP (customer not present) transactions. If the customer was present, s/he would have had to enter the correct PIN at the point of sale.

Pursue this case until you get a refund... Ryanair makes a big show about forcing passengers to show either a national ID card or passport for flights. The Italian government has threatened to sue Ryanair for enforcing passports/NID cards on passengers. Ryanair is trying to roll out Ryanair Irish/British/American style police state bureaucracy on the rest of Europe. With no benefits to the customer.

Instruct AIB to chargeback the fraudulent transactions in writing immediately, if you haven't done so (and received an acknowledgment in writing from the bank) - by registered post with a proof of delivery note going back to you (be sure to get the "accusé de réception" - they will know what that means in your local post office!). Technically it is an RC37 chargeback - no cardholder authorization.

Ryanair has to prove that the cardholder entered the correct PIN at a counter terminal, or they will have to refund the money in full. One would assume these tickets were bought online - which leaves Ryanair carrying the can for the fraud.

LookBehindYou

probe wrote: »

Yes if you pursue it. EU law transfers liability to the "merchant" (ie Ryanair) for CNP (customer not present) transactions. If the customer was present, s/he would have had to enter the correct PIN at the point of sale.

Pursue this case until you get a refund... Ryanair makes a big show about forcing passengers to show either a national ID card or passport for flights. The Italian government has threatened to sue Ryanair for enforcing passports/NID cards on passengers. Ryanair is trying to roll out Ryanair Irish/British/American style police state bureaucracy on the rest of Europe. With no benefits to the customer.

Instruct AIB to chargeback the fraudulent transactions in writing immediately, if you haven't done so (and received an acknowledgment in writing from the bank) - by registered post with a proof of delivery note going back to you (be sure to get the "accusé de réception" - they will know what that means in your local post office!). Technically it is an RC37 chargeback - no cardholder authorization.

Ryanair has to prove that the cardholder entered the correct PIN at a counter terminal, or they will have to refund the money in full. One would assume these tickets were bought online - which leaves Ryanair carrying the can for the fraud.

I got the refund from aib visa of the full amount.
It seems that the tickets were purchased on the internet, no pin number needed, just the 3 numbers on the back of the card.

What happens now ? do the card company follow up the fraud and prosicute the person who commited the fraud ?

probe

LookBehindYou wrote: »

I got the refund from aib visa of the full amount.
It seems that the tickets were purchased on the internet, no pin number needed, just the 3 numbers on the back of the card.

What happens now ? do the card company follow up the fraud and prosicute the person who commited the fraud ?

One wonders where they got the 3 digit CVV code from? My suspicion is that there might be a keystroke logger on your PC (or some PC you used when providing your card details on some other transaction - eg in an internet cafe or shared PC - eg in a hotel lobby or similar). If there is a keystroke logger on your PC (or a PC you use frequently) it might be worth re-formatting the drive(s), re-installing the operating system and application programs. It is a pain to do this - but your new card will be vulnerable to the same mob the next time you do a internet transaction (if this is the route that they got your card details). They might even have your new card details already!

Prosecution is a matter for the police. It didn't cost the card company anything. They simply did a chargeback on Ryanair or the merchant who sold the Ryanair tickets. Assuming "Ryanair" appeared on your card statement, Ryanair got the chargeback. In reality it probably didn't cost Ryanair anything either - (unless the flight(s) in question were full, and they had to forgo ticket sales to other passengers).

If you don't decide to re-format and re-install on your PC - watch your new card account online on a day by day basis. If you find another fraudulent airline transaction and report it immediately, if the criminals haven't yet taken the flight, they could be arrested when they check-in!

Be sure you backup the data files, your email, your browser bookmarks, etc and have a note of any stored browser passwords in your PC before doing a reformat. The other benefit you will get from doing this is that your PC will speed up.....

LookBehindYou

Thanks to PROBE for very helpful information.
In answer to the question about the tickets, the flights were taken before the transaction appeared on internet banking, but they know the names of the passengers because i was asked if i had known the name.
The tickets were booked on 12th, flights were 13 and 14 and only showed up on internet banking on 16th, thats when i saw the transaction and reported it immediately and got the card blocked.
I never use any internet cafe or anywhere public with my laptop for internet.
so it may seem that the merchant : Ryanair will lose out unless they follow up on the passenger name, whom i suppose had to produce passport or national id.
I would like to know that they do follow it up and get whoever was responsible for that fraud arrested and charged.

probe

LookBehindYou wrote: »

The tickets were booked on 12th, flights were 13 and 14 and only showed up on internet banking on 16th, thats when i saw the transaction and reported it immediately and got the card blocked.

Methinks they are a backstreet bank.... They should be showing authorizations (credit reservations) on your account in real-time on their internet banking service. Every bank has access to these details in milliseconds of anyone using a card, anywhere in the world for online transactions. They need these data to mange monthly spending limits (or credit limits in case of the anglo-saxon bubble economy world of credit cards).

Disclosing transactions in real-time to the cardholder would help reduce fraud because the cardholder would be screaming sooner to their bank. But most banks don't seem to care. Regulators don't seem to care either. Symptomatic of the financial mess.

They should also give cardholders the option of getting a text message when say EUR 1,000+ is authorized on a card either in one transaction or a series of transactions from the same merchant within a short period of time. The same applies to debit cards.

LookBehindYou

AIB Visa card

probe

You can't trust cards. Period. You might be travelling somewhere far from home and your card is switched off due to fraud arising from some hacker.

The tiny matter of getting a refund for fraudulent transactions pales into insignificance if you are stuck in some Asian city with a hotel bill to pay and your card has been stopped. Even worse if you need hospital services, and the nice hospital would like to see your means of payment before treating you. No to mention the risk of banks going out of business in the current climate.

It is time they brought back the travellers cheque!

You need backup and multiple alternatives.

PS: Never leave anything of value in a hotel room - even if just going for breakfast.

LoLth

sometimes its not fraud that causes a card to be blocked.

my wife paid for mass booklets for our wedding day on her visa card from an Irish printer about two weeks before the wedding date. two days after the wedding her card was declined when she went to buy something (I honestly dont know what) in a shop in italy.

turns out, the irish printer didnt process the payment until the day after our wedding at which time the bank saw that the card was being used in Italy. they took the decision that the transactions were simultaneous and that the card was compromised. It took *a lot* of phonecalls to get it unblocked. On the bright side, nice to see AIB not just ignoring the anomoly

probe

LoLth wrote: »

sometimes its not fraud that causes a card to be blocked.

my wife paid for mass booklets for our wedding day on her visa card from an Irish printer about two weeks before the wedding date. two days after the wedding her card was declined when she went to buy something (I honestly dont know what) in a shop in italy.

turns out, the irish printer didnt process the payment until the day after our wedding at which time the bank saw that the card was being used in Italy. they took the decision that the transactions were simultaneous and that the card was compromised. It took *a lot* of phonecalls to get it unblocked. On the bright side, nice to see AIB not just ignoring the anomoly

Really stupid bank behaviour. Your wife's transaction was a customer present transaction in Italy (ie she was presumably in a shop with her card). I'm assuming that the printer's transaction was customer not present - had to be because the card was in Italy.

The security issues of customer present and customer not present transactions are mutually exclusive. Any intelligent bank card security system separates them and only blocks one type of transaction. eg if my card number is being used for internet shopping fraud in Russia I have no problem if my bank stops my card for internet and mail order transactions. They have no justification for stopping me using my card in shops, hotels, at ATMs etc at the same time, anywhere in the world. I would sue my bank if they did this to me.

There are four types of blockage of a card, that should be recognised separately by security systems at banks:

1) Blocking a one-off customer not present transactions (eg internet shopping, mail order) where there was no previous history of a business relationship. This would catch the card number getting into the wild and being used for online stuff. The cardholder is still in possession of the card. If you had established card use with Amazon, you could continue to use it there for delivery of goods to your established address. Your card account would be blocked for Russian shopping websites that you never used your card with before.

2) Blocking a monthly payment direct debit to your card (eg to pay your ISP). (eg there is no reason for your bank to stop paying your ISP's monthly bill if some Russian has attempted to buy a Hermes handbag for his wife in a Ukrainian internet store).

3) Blocking magnetic stripe customer present transactions - (eg there is a suspicion that your card's magnetic stripe has been duplicated by some card skimmer). This does not justify blocking your card for EMV transactions (ie where you enter a PIN at the point of use and the chip is used to authenticate the transaction). Magnetic stripe and chip transactions are two separate animals with different mutually exclusive security risks.

4) Blocking EMV transactions - because they bank have reason to believe that someone has got your card and knows your PIN.

Obviously the bank issues the cardholder with a new card number in due course having confirmed the position with the cardholder - but they don't needlessly shut down all aspects of card use when only a limited risk exists.

In your case there was no fraud at all, and if the bank analysed the transactions intelligently they would wake up to the fact that if anything the printer should be refused payment until the issue had been confirmed with you.

Irish banking law needs to be brought up to date to give the cardholders' rights not to have their card blocked willy nilly where there is no basis for a total card number block. It is no different to a bank bouncing a cheque when you have enough money in your account and the cheque is properly completed and signed. It could affect your credit rating and potentially libelous. Not to mention extremely inconvenient when travelling.

conolan

Back to original issue.

There's a story in Guardian that's similar to the German CC issue above, but not fraud. Not sure if the stories are mixed up? Interesting reading.
http://www.guardian.co.uk/world/2010/jan/06/2010-bug-millions-germans

probe

conolan wrote: »

Back to original issue.

There's a story in Guardian that's similar to the German CC issue above, but not fraud. Not sure if the stories are mixed up? Interesting reading.
http://www.guardian.co.uk/world/2010/jan/06/2010-bug-millions-germans

They came to an interim solution by switching off the obligatory requirement to use the PIN with the cards at the point of sale - allowing the cardholder to sign instead.

They are working on a software update for the cards which could be applied to the card when it is used at an ATM - to save the cost of replacing the defective cards.

The cards affected are really debit (EC) http://de.wikipedia.org/wiki/Electronic_cash or charge cards, rather than credit cards.