Visa Debit card - fraudulent transactions - finding source

rolion wrote: »

I guess they may have access to some sort of transactions logs or dashboards across whole industry and they can create patterns of transactions, with the source and some sort of common shared factors,pointing to "where" and "how" that card got compromissed !?

That would be an understatement. The banks, acquiring and issuing systems and card schemes have access to vast amounts of data and have decades of experience using that data to identify fraud. They also have process setup to deal with it.

For online fraud, the issuing banks generally don't have any liability so they have no reason to chase it. Even if they wanted to, they have no contact with the merchant or their acquiring bank so there's not much they can do. You dispute the transaction and get your money back. They inform the card schemes and let them deal with the merchant.

I've had my card details snaffled before while abroad and was pretty sure I knew where and when it happened because I only used that particular card once.

I believe it was in a restaurant where I paid with the card. The waiter was at the table with the card reader and I thought nothing of it until I got the call from the bank.

In hindsight I believe that the waiter sneaked a look at the CVV on the back of the card. Because they have access to the card details in the card reader, he now had all the info he needed to transact.

Now I sellotape a little piece of white paper over the CVV on each of my cards. I don't need the CVV for chip+PIN transactions. If I need it for online transactions, I usually remember it. I also have it in my password manager.

I put my day to day money on Revolut when I get paid every month. It has better options for restricting use and notifies instantly of any transactions. Scammers usually test card they've acquired details of with a small transaction. When this happens on a Revolut card you can block that card instantly via the app.

I'd only use a debit card at an ATM and in a shop - ideally contactless, so the employee doesn't get their hands on the card - ie as is required in France by law - ie for chip and contactless. For some reason Irish card processors don't allow contactless + PIN for transactions over EUR 30 - unlike those elsewhere in Europe. I put it down to the dozy nature of companies in Ireland generally.

A debit card leaves your 'current account' balance up for grabs by fraudsters.

I use an AmEx card everywhere else - eg online shopping. My maximum exposure with AmEx is EUR 50. AmEx provide real-time access to authorizations on their website - so one can see into the pipeline of charges due to hit the account over the next day or two.

Unlike Irish banks, Amex answer the phone within a few seconds. And the points one collects from card use can pay the annual fee.

eusap wrote: »

the contactless + Pin is not true contactless payment, the terminal is just reading the card number via contactless and then presents for the PIN. I really have no idea why more merchants dont enable the feature. I have managed to do it in a few shops in ireland while having the discussion with the person behind the counter "its more the 30 you can't use contactless" and then they are surprised it works.


PCI complience normally means a card terminal can not be plugged directly into a broadband modem but should be behind a firewall. I have seen very few shops with this security, normally its plugged to the eircom box

PCI doesn't cover payments made on physical terminals where the card is present. PTS is the relevant security standard for those.

Contactless transactions are vastly more complicated than reading a card number. The chip on the card verifies the keys presented by the terminal and signs the transaction. It also participates in deciding the level of cardholder verification applied to the transaction. Tokenised EMV is not subject to the €30 limit because it's device authenticated. It's not possible to override the limit on a Contactless EMV transaction.