Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Credit card fraud, for the Paranoid

  • 09-05-2005 12:50pm
    #1
    Closed Accounts Posts: 123 ✭✭


    I'm not sure if this is the right place, feel free to move it. I've used a credit card for several years now and while I've been conscious and aware of credit card fraud - to my knowledge - have never been a victim of it. However, two incidents (if you can call them that) recently raised my hackles and have made me wonder if there's a danger of being frauded or if I'm merely being paranoid about it?

    1. I bought a suit in a store in Blanchardstown about a month ago (impulse purchase) and when I was paying for it with my credit card, despite the presence of chip & PIN machines, the sales assistant swiped it through the card reader. She seemed to be having some trouble with it and when it eventually worked she asked for my signature. Then she did an unusual thing, on the receipt that the store keeps she ran a pencil over my card, thereby etching the card number on the receipt and shrugged her shoulders saying that the reader asked her to do it for security purposes. This annoyed me and made me wary but I said nothing and left the store. I meant to ring the bank about it but just let it go. Anyone know if this practice is normal or am I being paranoid?

    2. This afternoon, I was in a sports store and bought a pair of cheap enough sunglasses and paid for the purchase with my credit card. The shop assistant took my credit card and handed me out the PIN entry console from the desk and placed it sideways. After entering the PIN number I glanced up to my right and noticed that I entered my PIN directly under a CCTV camera. Could it be possible that someone can make a clone credit card from a store transaction and make it usable having spotted the PIN number from CCTV footage? Or am I being paranoid again and should take these questions to a sanity forum on boards.

    I just keep the one credit card - if you can't manage one you shouldn't have more than one - and despite personally being more of a danger to my credit history than some scumbag fraudster, loathe the very thought of being a victim. What do you guys think?


Comments

  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    Moved to Business/Economy/Finance.

    More people who might have an opinion read that board mate. Personally I'm paranoid and usually check my online statement for my CC every couple of days in order to spot any illegit transactions. Better safe than sorry and all that.


  • Registered Users, Registered Users 2 Posts: 9 ACC


    Worked on Chip and Pin implementation for one of the banks. its impossible to clone a chip and Pin card due to the nature of the chip. Also if you have used your card in an offline machine(cinema or car park) over a certain limit then it will do a security check


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    1. I bought a suit in a store in Blanchardstown about a month ago (impulse purchase) and when I was paying for it with my credit card, despite the presence of chip & PIN machines, the sales assistant swiped it through the card reader. She seemed to be having some trouble with it and when it eventually worked she asked for my signature. Then she did an unusual thing, on the receipt that the store keeps she ran a pencil over my card, thereby etching the card number on the receipt and shrugged her shoulders saying that the reader asked her to do it for security purposes. This annoyed me and made me wary but I said nothing and left the store. I meant to ring the bank about it but just let it go. Anyone know if this practice is normal or am I being paranoid?
    Seems very unusual. I'd certainly query this with the shop manager.
    2. This afternoon, I was in a sports store and bought a pair of cheap enough sunglasses and paid for the purchase with my credit card. The shop assistant took my credit card and handed me out the PIN entry console from the desk and placed it sideways. After entering the PIN number I glanced up to my right and noticed that I entered my PIN directly under a CCTV camera. Could it be possible that someone can make a clone credit card from a store transaction and make it usable having spotted the PIN number from CCTV footage? Or am I being paranoid again and should take these questions to a sanity forum on boards.
    When using any ATM, I make certain that anyone overlooking can't see the PIN I am entering. I avoid stabbing at numbers with a single finger. I hold my hand over the keypad and enter the numbers by moving my fingers only, not my hand. This would make it difficult for anyone to pick up my PIN number. If there was a high-resolution camera which could slow down my movement frame-by-frame, I guess they could possibly beat me at this. However, given the image quality of most CCTV footage that you see on Crimeline, the chances of picking up individual finger movements are quite slip.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Citizen Jake, the odds are that the two incidents were relatively innocuous, however if you're concerned about them you should follow up with both the store and the credit card company. In the first case in particular - which sounds odd but not very surprising, since some store owners have odd ideas anyway - I think you should query it with the manager/owner, and then follow up with the credit card issuer to see if it is in fact policy. If it's not, you should lodge a complaint.

    As to the second, you should complain about the placement to the retail outlet, and if the camera isn't moved, you should complain about it to the CC issuer. IMHO, obviously.
    ACC wrote:
    Worked on Chip and Pin implementation for one of the banks. its impossible to clone a chip and Pin card due to the nature of the chip.
    Can we get more detail on this please? Nearly everything with a physical presence can be counterfeited, I'd like to know why chip cards can't.

    adam


  • Registered Users, Registered Users 2 Posts: 9 ACC


    It is due to a couple of things. While obviously I won't go into too much detail basically the encryption used to store the data on the chip along with other security measures make it impossiblle (and I mean impossible) to sucessfully replicate a Chip and PIN card. If you look at the French they have had it since 89 and no confirmed case of a successful CHIP counterfieting has ever been recorded there.


  • Advertisement
  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    ACC wrote:
    It is due to a couple of things. While obviously I won't go into too much detail basically the encryption used to store the data on the chip along with other security measures make it impossiblle (and I mean impossible) to sucessfully replicate a Chip and PIN card. If you look at the French they have had it since 89 and no confirmed case of a successful CHIP counterfieting has ever been recorded there.
    They said it would be imposible to forge every single banknote design that's every been released, and all but the most recent have been forged (and they'll be forged in time). I'm willing to bet the crowd responsible for DeCSS - the encryption algorithm used on DVDs - swore blind that it was uncrackable, but it was cracked by a teenager who wanted to play DVDs on his Linux box. I'm also willing to bet the people responsible for the original swipe credit cards said they couldn't be forged.

    If you have physical access to the device, it can be physically reverse-engineered; and the encryption can be cracked, in time, by monitoring the inputs and outputs -- the encryption can't be that strong on a device that size anyway. It may not be cracked for a few years, but it will be cracked. Everything is. That's if it hasn't been cracked already...

    There's no such word as "impossible" when it comes to cryptology; with the possible exception of quantum.

    adam


  • Registered Users, Registered Users 2 Posts: 7,805 ✭✭✭GerardKeating


    and when I was paying for it with my credit card, despite the presence of chip & PIN machines, the sales assistant swiped it through the card reader. She seemed to be having some trouble with it and when it eventually worked she asked for my signature. Then she did an unusual thing, on the receipt that the store keeps she ran a pencil over my card, thereby etching the card number on the receipt and shrugged her shoulders saying that the reader asked her to do it for security purposes.

    You mentioned she had trouble with your card, check the your copy of the receipt, does your name appear? If your name does not appear, this means she had to manually enter the creditcard number. If she has done this, Visa / Mastercard rules mandate that an "impression" of the card is recorded, as proof the card was present in the store when the transaction is made.


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    dahamsta wrote:
    There's no such word as "impossible" when it comes to cryptology; with the possible exception of quantum.

    No, but there are the words, "by the time someone cracked the encryption the information would be useless to them".

    I agree that there is a lot of misleading information on cryptology available, but unless there is a mathematical backdoor built in, most modern cryptology methods require brute force to crack them. Brute force is not efficient or particularily fast.


  • Registered Users, Registered Users 2 Posts: 1,109 ✭✭✭De Rebel


    ACC wrote:
    ......its impossible to clone a chip and Pin card due to ........

    Great word that, impossible.......


  • Registered Users, Registered Users 2 Posts: 1,109 ✭✭✭De Rebel


    What do you guys think?

    I think that there are lots of possibile ways in which you can get caught, restauraunts where they whisk your card away, web, phone bookings, overseas use etc. I use my card a lot, and put a significant number of transactions through it. I eventually got caught. Not by a fraudster, but by a big name in the retail anti virus software industry that isn't mcafee. Bought antivirus software online (one off) for a friend, and ended up paying his annual subs for 3 subsequent years. Try sorting that one out - a complete waste of time. And don't expect any assistance from the CC company.

    The best thing to do? Now I ask for a replacement account every 12 months. This results in the cards being cancelled and the account being closed, a new account being opened, new cards being issued and most importantly a new number. A crude mechanism, but it wipes the slate clean and gives you a fresh start. Free of charge.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 9 ACC


    Don't know much about the cryptology part of it. But the IT contractors all said that because of the keys that the card used and the way all keys had to be verified online that it was next or near to impossible. It hasn't been done since 89 so i reckon if they could have done it it would have been done by now.


  • Registered Users, Registered Users 2 Posts: 795 ✭✭✭a_ominous


    I don't know which encryption technique is being used, but anything with over 1024 bit encryption would take hundreds of billions of years to break with using brute force task of every possible key even on a supercomputer or a cluster of hundreds of PCs running something like SETI. Your credit card won't be used for that long, hence it is effectively impossible.

    Most fraud and security breaches aren't as a result of technical failures, they're the result of social engineering type attacks. If you want to understand this more, read Kevin Mitnick's book "The art of deception". He's infamous for hacking, was jailed for a few years and has been barred from using a computer for many years. Google for his 'credentials'.

    So the OP is right to be a bit paranoid. CCTV near the tills, okay I accept the shop needs that. But they also should provide a better screen around the PIN machine. I could remember a 4 digit number more easily than I'd be able to copy someone's signature. Can't see any justification for running a pencil over the card. But all that gives you is a CC number, which is on the docket anyhoo.


  • Registered Users, Registered Users 2 Posts: 19,608 ✭✭✭✭sceptre


    a_ominous wrote:
    But all that gives you is a CC number, which is on the docket anyhoo.
    Generally it's not apart from the last four digits.


  • Registered Users, Registered Users 2 Posts: 2,808 ✭✭✭Ste.phen


    Where i work the whole number (and auth. code) appears on the Shop copy of the receipt, but the customer copy has most of the numbers X'd out.
    Presumably because we might need to have the card number handy, but the customer is likely to toss the receipt?


  • Closed Accounts Posts: 88,972 ✭✭✭✭mike65


    Igy wrote:
    Where i work the whole number (and auth. code) appears on the Shop copy of the receipt, but the customer copy has most of the numbers X'd out.
    Presumably because we might need to have the card number handy, but the customer is likely to toss the receipt?

    Where do you work? The print out XXXX XXXX XXXX 4637 is to avoid fraud after stupid customers drop the receipt.

    Mike.


  • Registered Users, Registered Users 2 Posts: 795 ✭✭✭a_ominous


    But the _shop_ has to have a record of the card number. Not all customer receipts have the CC number blanked out. Agreed, some do it for security reasons, but the shop also has to have a hardcopy of the transaction with full CC number and signature on it. I presume shops get a statement showing all CC transactions each week/month.
    But the shop has to be able to trace the card number, no? They'll be the ones out of pocket, not the CC company or the 'customer' with a dodgy card, I believe.


  • Banned (with Prison Access) Posts: 1,405 ✭✭✭NewFrockTuesday


    I dont have a credit card in my own name, but I do have one from bf that ive been using for nearly a year now. i signed his name at least once a week for the last year and never once has anyone checked the sig. i was a bit surprised at first , even tho he would usually be in the shop with me, but now i dont even think twice.
    Once or twice ive forgotten to put his name on and signed my own and still noone has ever even glanced at it.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    I've seen - as in me personally, not my mate's auntie's granny - at least two customer receipts with both the full credit card number and the expiry date. It was a good while back, while ecommerce was in it's first major spurt of growth, however telesales was still big business around the time.

    Purdee, a guy in the states started signing his own receipts with obviously-fraudulent names like Mickey Mouse a while ago, and no-on ever challenged him on it. I think after he got bored of that he started drawing little pictures instead, but I can't remember the outcome. A google will probably turn it up though.

    On the subject of impossibility, there's no doubt about the definition of the word, and it's a bit much to flip from "impossible" to "near impossible" now. It's not impossible, period, and as time goes on it'll become easier. Such is the beauty of modern computing.

    adam


  • Registered Users, Registered Users 2 Posts: 7,805 ✭✭✭GerardKeating


    dahamsta wrote:
    I've seen - as in me personally, not my mate's auntie's granny - at least two customer receipts with both the full credit card number and the expiry date. It was a good while back, while ecommerce was in it's first major spurt of growth, however telesales was still big business around the time.

    The rule requiring the pan to be "xxxx"'ed is new, it has been phased in over the past year or so. I think Mastercard mandated for for all slips sincde April 1st 2005, not sure bout Visa.

    gerard


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    The rule requiring the pan to be "xxxx"'ed is new, it has been phased in over the past year or so. I think Mastercard mandated for for all slips sincde April 1st 2005, not sure bout Visa.
    Ridiculous. Even back then it was the norm not to put the full number on the receipt - which is why I was surprised - because it was a stupid thing to do. If I can recognise the stupidity as a consumer, how come it took them five years to recognise it?

    adam


  • Advertisement
  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    dahamsta wrote:
    I've seen - as in me personally, not my mate's auntie's granny - at least two customer receipts with both the full credit card number and the expiry date. It was a good while back, while ecommerce was in it's first major spurt of growth, however telesales was still big business around the time.
    Every time I clear out my CC receipts, I come across 2 or 3 which don't have the card number blanked out. I keep meaning to check the receipts as I receive them, but somehow I never quite remember.


  • Registered Users, Registered Users 2 Posts: 1,756 ✭✭✭vector


    >impossible to copy chip

    If something can be made legally then it can be copied illegally. Granted, it is imposible for you and me to do it, but when there is money to be made someone, somewhere will figure out a way.

    Hey almost anything is possible with money, lets say you wanted to cross the atlantic in a zepplin with a picture of bertie ahern on the side, given enough money you could make it happen.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Bah, if you'd said "hot air balloon" I could've done the "or you could have just brought Bertie along and saved on fuel" joke.

    adam


  • Registered Users, Registered Users 2 Posts: 1,756 ✭✭✭vector


    what about a life size picture of [obese_public_hate_figure]
    it would just fit


  • Closed Accounts Posts: 193 ✭✭MiniMetro


    Where i work the full number is printed on both copies of the receipt. Its an AIB terminal.


  • Registered Users, Registered Users 2 Posts: 2,029 ✭✭✭shoegirl


    dahamsta wrote:
    Can we get more detail on this please? Nearly everything with a physical presence can be counterfeited, I'd like to know why chip cards can't.

    adam

    A company that used to be part of the company I work for manufacture some cards used in Ireland:
    http://www.axalto.com/banking/egalleon.asp

    As far as I know the 8/16/32k chip probably contains personalised data that can only be read by password. Third prty companies (not your bank) hold the symmetric key cryptography data, so only authentic cards can be identified. Apparently its already a legacy technology!

    The old cards were identified only by a single piece of info (magnetic stripe), the chip and pin cards have now two unique pieces of data (stripe plus chip) so both would need to be duplicated in order to counterfeit the card. Additionally they would also need to know the pin, so 3 pieces of info are required instead of one.

    Of course the entire problem is that PIN technology, like passwords, depends on the user not revealing it to make it secure. But if people (and there are many of them), write down their PIN then chip and pin is worth nothing.


  • Site Banned Posts: 5,904 ✭✭✭parsi


    dahamsta wrote:
    Purdee, a guy in the states started signing his own receipts with obviously-fraudulent names like Mickey Mouse a while ago, and no-on ever challenged him on it. I think after he got bored of that he started drawing little pictures instead, but I can't remember the outcome. A google will probably turn it up though.

    Last week in TEsco Mahon Point i paid by laser and entered my PIN. Yer man handed me my receipt and asked me to sign it. I told him I didn't have to sign it (it was the laser receipt and hadn't anywehere to sign because I had used my PIN). He said to sign it. So I did. A big black X. And then, what did he do ? He handed me the receipt to keep....sheesh...


  • Registered Users, Registered Users 2 Posts: 1,756 ✭✭✭vector


    dahamsta wrote:
    ...
    Purdee, a guy in the states started signing his own receipts with obviously-fraudulent names like Mickey Mouse...

    http://www.thescreamonline.com/cartoons/cartoons3-3/


  • Registered Users, Registered Users 2 Posts: 365 ✭✭doriansmith


    shoegirl wrote:
    The old cards were identified only by a single piece of info (magnetic stripe), the chip and pin cards have now two unique pieces of data (stripe plus chip) so both would need to be duplicated in order to counterfeit the card. Additionally they would also need to know the pin, so 3 pieces of info are required instead of one.

    Of course the entire problem is that PIN technology, like passwords, depends on the user not revealing it to make it secure. But if people (and there are many of them), write down their PIN then chip and pin is worth nothing.

    It's been said a few times in this thread that it's impossible to clone a chip and pin credit card. Well it just happened to me.

    Happened to check my online banking today and my credit card balance immediately set off alarm bells. I've only used the card once in the past couple of months and suddenly I owed a fortune. Rang the bank straight away and turns out my card was cloned. it was used several times in the past couple of days to withdraw money from atms in London(i'm in Dublin). The woman i spoke to told me that someone had copied the magnetic strip on my card and cloned it. They couldn't clone the actual chip part because this can't be done but they still managed to clone the magnetic strip and create a new card. I dont know exactly how all this works but apparently this meant that they couldnt use the cloned cards in shops but could still take money out of atm machines no problem.

    How this was done without my pin number I have no idea. Before people start saying I probably had my pin written down somewhere I am 100% certain that I don't. And i certainly wouldnt be stupid enough to have it written down in my wallet or near my card even if i did. I destroyed the slip sent to be by the bank with my pin number straight away when i received it and have never once written it down anywhere. The only place it's stored is in my head. It's also a completely random number, unrelated to DOB or anything like that.

    So my chip and pin credit card still managed to get cloned and I had over 500 euro stolen in the space of a day. It's definitely possible folks. Luckily the bank have said they'll refund me. It's still pretty scary that this can happen so easily though. If i hadn't happened to check my online banking today this could have gone on for the next month until i got my next statement and by then who knows how much would've been stolen. I'll be really worried anytime I use a credit card from now on


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,756 ✭✭✭vector


    your credit card currently has a chip AND a magstrip

    the eventual idea is to have only a chip

    however until all readers (merchant terminals AND ATMs) have chip readers the magstrip will remain

    fortunately most merchant terminals in out region have been upgraded, and in the near future the forgot PIN option will be disabled meaning that if a card has a chip then only the chip can be used.

    However... and this is a big however... the upgrading of ATMs is much slower
    because their primary function is to read basic ATM cards, which are always magstrips they do not have chip readers

    thus the classic shoulder surfing and magstip lebanese loop copier still works

    ask your credit card provider if they can aetup your card account so that only "chip and PAN entry are allowed and magstip entry is never allowed even at ATMs"


  • Registered Users, Registered Users 2 Posts: 365 ✭✭doriansmith


    I forgot to mention that I never use my credit card to withdraw money from atms, mainly because it's too expensive to do so as you get charged for it. So my card wasnt cloned whilst using an atm with someone watching/a hidden camera to see my pin as I only ever use it in shops and on the net.

    So it still baffles me how someone managed to get my pin and then withdraw money from atms. Is there some way that they can change the pin to whatever number they want on the cloned card?

    Anyway, I'll never let my card out of my sight when using it anywhere again. I was told it's highly unlikely to happen twice but I wont be taking any chances. I was on holiday interrailing around eastern Europe two months ago and have only used the card once since then so I reckon it's likely it happened over there as I used it a few times to pay for hostels and such. I hope it did happen there because if it was here then who's to say it won't happen again if I use my new credit card in the same shop


  • Registered Users, Registered Users 2 Posts: 1,756 ✭✭✭vector


    your magnetic strip was read at some point by a machine

    your pin number was noted at some point by a camera or human

    You must have used your card in a shop where you entered you PIN
    as you handed the card to the shopkeeper he swiped it through his magnetic strip reader firstly which then told him to use the PIN reader, which he did, and you entered your PIN in the usual way

    the fact that he seiped it though his magnetic card reader first is not unusual many people still do that when they are not thinking or the default card in their area is still a magnetic strip one, but it seems his reader was "dirty" and he had a human or a camera watch your PIN entry

    his reader, in the terminal has some tamper resistant features, but as the terminal is attached to the card reader by a wire it is likely he had it just under the counter, out of your site, and attached to it was a stand alone magstrip reader, probably also black

    once you left he had the magstip data and the PIN, he then found a blank card from his collection and wrote the magstip data onto it, and memorised the PIN, he then went to an ATM and simply withdrew whatever he wanted


  • Registered Users, Registered Users 2 Posts: 1,366 ✭✭✭whizzbang


    Is the PIN stored only on the card or in the bank as well? If it is in the bank there is a chance your information was sold by an insider.

    Dispatches did a piece on call center workers selling banking details for a tenner. I saw the show and some of them were Irish banks form what I remember.

    http://news.zdnet.com/2100-1009_22-6123067.html


    /edit if you used it to pay for hostels then that was probably it, people working behind the desk in hostels are often travellers looking to make a few bob, not permanent employees.

    That being said, it can happen anywhere, from the dodgiest petrol station to the fanciest boutique.


Advertisement