PDA

View Full Version : Credit Card Fraud


Salusa
31st May 2008, 03:42
I just tried to use one of my CC's and it was refused.

On calling the issuer they advised me I was over the limit.

Thatís strange say I, first time I have used it since February.

Turns out some scrote has cloned or whatever the technical term is to withdraw nearly $10000 from ATM's in the past month.

Now what I want to know is how do they get the PIN?

Itís only in my head and the last several transactions I done with it were the old swipe and sign not PIN entry.

The fraud department of the issuer commented that there "are some very innovative people around" but would not go into any more detail.

Is it encoded on the card itself?

Any techies that can enlighten me so I can take precautions in future?

Avtrician
31st May 2008, 04:56
Your card may have been swiped thru a handheld reader at some earlier time. There have also been cases where a dummy face has been fitted infront of an ATM allowing the card to be read. The little black stripe on the back of you card holds your pin and other bits of info. After being swiped the reader is connected to a puter, and the info transfered to a blank card, also allowing the culprit to see the info on the stripe. The only way to prevent this happening, is to never let the card out of your hand, that way it cant be swiped in a reader.

Brian Abraham
31st May 2008, 05:07
Only trouble is some crooks attach the reader to the hole in the wall ATM.

Bushfiva
31st May 2008, 05:11
Well I wouldn't know about your specific case, but for example, some retailer software stores PINs after the transaction when it shouldn't, so retailers using that software can be targeted: the retailer may be using the software with the default password still in place, so there's an opportunity to, say, dump all the logs from a remote location. Of course, "retailer" includes some pretty large companies.

A local attack might be a parasitic card reader with camera placed over the slot of a real ATM: it reads the card and watches you type your PIN. It might be programmed to eject your card the first time, to give it two chances at seeing the PIN code. The camera might be separate from the reader, say in a pamphlet holder or a fake rear-looking mirror intended to stop people looking over your shoulder at your PIN.

Anyway, lots of ways of getting the PIN.

If the fraudelent transactions are from all over the place, that indicates that your PIN and card number have been resold probably over the internet.

Banks don't like talking about this sort of thing, as you can imagine.

Bushfiva
31st May 2008, 05:25
The little black stripe on the back of you card holds your pin and other bits of info

It would have to go on Track 3 of the stripe, and I'm not aware of any bank card issuers actually using that track now.

eagle 86
31st May 2008, 06:12
The really clever ones can stand some distance behind you in a queue and work out the pin from the movement of your arm!
GAGS
E86

Salusa
31st May 2008, 06:25
Thanks all,

I have never used my credit card to withdraw cash from an ATM and all me recent transactions have been Swipe and sign receipt.

I just cant get my head round how the PIN number could have been obtained?

In Jakarta if it makes any difference.

ABX
31st May 2008, 07:15
In true prune fashion there is an enormous amount of bul:mad:t in this ever so young thread.

The PIN is not stored on the card, the PIN is verified via the connection to the card issuer.

The thread starter asked about credit card fraud, not ATM fraud. In Australia and most other countries a PIN is only required to operate your card as an ATM card. Credit cards require an authority, most of the time a valid signature is the authority however verbal authority is also valid, ie. over the phone transactions.

In short, a crook would only need to know your credit card number and have access to an EFTPOS machine to start debiting your credit card account. The card holder (Salusa in this case) only needs to report the unauthorised transactions to his card issuer to begin the process of recovering the money.

The credit card system is no where near as secure at the general public perceives it to be.

ABX

Bushfiva
31st May 2008, 07:26
Australia and most other countries a PIN is only required to operate your card as an ATM card.

Where "most other countries" excludes the whole of europe and much of Asia :-) Chip'n PIN in many places since 2003-5, partly because of the sneaky small print: signature fraud on a card is at the bank's risk. PIN fraud is now the retailer's risk. If you can't use retailer PIN terminals for physical reasons, you apply for a special card.


Ooooooh. Earthquake.

Flap 5
31st May 2008, 08:01
Salusa,

Are you saying you have never used the pin? Or just not recently? Bear in mind that a fraudster will usually wait for a substantial period of time (around 3 months) before they use a cloned card to reduce the risk of tracing them.

Have you used chip and pin at a petrol station in the past? That is a common source of cloned cards in the UK. They would use their 'security' cameras to watch you enter your pin when you pay.

Salusa
31st May 2008, 08:11
The last time I used the card with PIN was in February when in Singapore checking out of a hotel.

Since then no use on card.

I am now back in Jakarta and apart from one swipe and sign in a restaurant early May (Jakarta) I have not used the card since.

I tried to use it this morning to check out of a hotel when the card was declined.

Made a call and found out:

Since early May $10k has been swiped from ATM's all in Jakarta and all at one branch of a major US Bank.

Incidentally the card is UK issued.

Flap 5
31st May 2008, 08:18
There you go then. It has to be the hotel in Singapore. February would be about right at around 3 months ago.

I have travelled a lot in the far east and this is not unusual with hotels out there. It is normally an individual member of staff committing the fraud, not the hotel itself.

Flap 5
31st May 2008, 08:57
By the way you should get the money back as it was not your fault. I say should because I can not predict the banks response or which bank the card is with. However it is normal to get reimbursed after a few weeks - as long as you report it.

stagger
31st May 2008, 10:21
In true prune fashion there is an enormous amount of bul:mad:t in this ever so young thread.

The PIN is not stored on the card, the PIN is verified via the connection to the card issuer.

The PIN is not stored on the magnetic stripe - however, in the UK at least, if you have a "Chip & PIN" card the PIN IS stored on the chip on the card (albeit in an encrypted form).

When you enter your PIN at a Chip & PIN terminal it is checked against the PIN on the card (not the card issuer via the network).

This is a key feature of the system. See....

http://www.tridentmicrosystems.co.uk/glossary/chip_pin.html

...the intelligence of the chip allows the card itself to check the cardholder's PIN (Personal Identification Number). In the magnetic stripe world, PINs can only be checked remotely by the banks and, in the UK, have traditionally only been used at cash dispensers. The chip allows PIN to be used everywhere...

SpringHeeledJack
31st May 2008, 12:47
A good friend had last months CC bill and found that he was £5,000 worse off. All of the purchases were in Sri Lanka for fuel (diesel/petrol/gas) and as he hadn't been out of Europe in the last year it was obvious that it was some miscreant at work.

He was informed by the fraud department of his large UK CC company that his card had been cloned at a petrol station in the UK approximately 3 months before and that 'they were on the case'. It transpires that the purchases were by the Tamil Tigers for fuel for their army vehicles and were made through sympathetic petrol stations in Sri Lanka where CC purchases were still done through the old swipe system with a carbon copy underneath so it took longer to go through the system and be noticed....

So next time you pay for petrol at such motorway stations be aware of what happens to your card, i.e that it stays above the counter, otherwise you might unknowingly be supporting freedom fighters/terrorists on foreign shores :uhoh:

Anyhow Salusa, i hope that your card will be re-instated quickly and that you are credited the money back asap AND that the miscreant that stole your card details feels the displeasure of the Singaporean authorities.


Regards


SHJ

fernytickles
31st May 2008, 16:26
Interesting that some of the posters cards have been misused in countries other than their home country. If I use any of my cards in a neighbouring country, they are halted immediatly, unless I've called the card issuer in advance & told them I'll be travelling. Really frustrating the first time it happened, but now I know, its a good safety catch.

Of course, using them in this country doesn't ring any alarm bells. But don't tell the baddies that... :oh:

Flap 5
31st May 2008, 16:54
ferny,

Correct. I have had my and my wifes Abbey card stopped when we were in Italy. Fortunately we were with relatives who could advance us some money. Of course when I got home I was given the usual stuff about security, etc..

However my card was later cloned and used in Sydney, Australia on the same day I used the card in Tescos, Stevenage! It would seem the security, such that there is, mostly inconveniences the genuine user rather than stopping the fraudster. They have the technical knowledge to find ways around the security.

I believe the card was cloned at a petrol station. I now only use cash to pay for fuel.

The cards are used abroad because of the lack of chip and pin there. It is not used in Australia - making it easier to use a cloned card. Although mine was used at an ATM in Australia and not at a shop. I believe the security cameras at the petrol station were used to observe me entering my pin - despite my covering the keypad when I did so. Several cameras are present at the petrol station so you can be observed from many angles.

kms901
31st May 2008, 18:15
The UK petrol station/Sri Lankan card fraud link is well known. Is has been reported that some criminal organsations have raised the funding to allow them to buy petrol station franchises specifically for this purpose.

Avman
31st May 2008, 20:28
Whereas it's not possible for large bills such as hotels, car hire, air fares etc., some years ago I went back to using cash at shops, petrol stations and restaurants especially when on vacation.

Aaaaaaaaaaaaaaaargh!
1st Jun 2008, 04:57
In the US, they won't let you rent a car wigthout presenting a credit card :ooh:

John Hill
1st Jun 2008, 05:45
All these problems with PINs could be easily solved but as yet apparently the problem is not big enough for the banks to invest in the few lines of computer code necessary to put a stop to it.

The easy solution is to require all cards to have more than one PIN, in the simple case it must have two pins and they must be used alternately. If someone sees you using your PIN and steals or clones your card that PIN is useless. For more security use a series of PINs. The software would disable any valid pin that is used 'out of turn' unless the alternate valid pin is used immediately afterwards from the same terminal. If you get a reject on a PIN you know is valid then use your other valid pin to set another so getting back to your minimum of two pins.

Meanwhile, how much trouble is it for you to change your PIN? You could change it every few days or at least immediately after you have used your card in location you do not feel confident about.

wiggy
1st Jun 2008, 08:35
This is vaguely the same subject so I'll tack it on. Has anybody here received an e-mail from EPPIcard querying their account? Since I don't ( to my knowledge) have any such thing I guess someone is on a phishing expedition.

Background Noise
1st Jun 2008, 09:17
You don't need to 'give away' your PIN. I used a single credit card in the US around Christmas - all transactions were swipe and sign. A month or so later there was a fraudulent transaction which I fortunately spotted quickly and, also fortunately, was only for less than £40. When I called to cancel the card etc the bank said that the transaction had been supported by PIN - strange because I never used a PIN and was also therefore surprised that anywhere in the US actually used a PIN system (the fraud was in a Pizza Hut). The bank said that the card could be 'cloned' and used with a PIN or their own, apparently.

Flap 5
1st Jun 2008, 10:08
John,

I would suggest that it is a lot of trouble for some people to change their PIN. Some people have a number of cards with different numbers. There are also many other numbers we have to remember on a daily basis. It becomes self defeating if we have to change those numbers continually. Eventually we forget a number and get locked out of our own account with the subsequent inconvenience of having to wait for a new card and not having access to your account if you are away from your bank.

Too much security just makes it very incovenient for the user. Its like having twenty locks on your house. It just becomes too incovenient to get in and out.

All that can be done is to have sufficient security to make it more inconvenient for the fraudster without it becoming too incovenient for the user.

However the banks could more. If your card is used in Australia on the same day as it is used in Britain that really should flag up an error!

The Real Slim Shady
1st Jun 2008, 10:58
I had my debit card cloned recently.

The bank declined a transaction of £3k in a London nightclub and called me to check; natch, it wasn't me.

The only place I had used it recently, out of my normal pattern the usual Tesco shop etc, was in an ATM in Spain.

The ATM worked and gave me dosh but must have had some scanner attached to it.

ArthurR
1st Jun 2008, 11:22
A friend of mine had his card cloned in Madrid, he drew money from an ATM, then left for the USA to renew his visa, came back discovered 6000Ä was missing, informed bank, police ect...police said it wascommon in Madrid...Scroates install card readers on the ATM and a small camera to read pin codes, then only use them where there are no security cameras installed.....He did get all his money returned with in a few days

El Grifo
1st Jun 2008, 14:25
Only time in 30 odd years my card has been comprimised, was after a short visit to the aforementioned Singapore. I used it for several purchases and my hotel stay.

The transactions that emerged were strange.

£6.50 equvalent pharmacy purchase and £20 lottery ticket type thing in Indonesia, along with £40 of online gambling in Australia.

Credid card company stopped the card at that point, contacted me and refunded the money.

chuks
1st Jun 2008, 19:45
I noticed this big anti-shoplifting mirror in a German filling station/mini-mart that was poised exactly right for the guy behind the register to watch me enter my PIN. Funny thing, that and of course I only noticed it after I had tipped the number in. I never had any trouble, though.

Any time you check in to a hotel, that card disappears below the counter while they swipe it and, anyway, the swipe itself gets all the info they need to clone the card, doesn't it?

I was stood there in front of a cash machine in the drizzle in Switzerland trying in vain to get some Swiss francs. It might have gone better if I had used the PIN for the card I put in the ATM instead of the PIN for another of the three different cards I have, EC card, Visa card and Maestro debit card. I cannot WAIT for someone to develop a cheap and reliable biometric security device!

G-CPTN
1st Jun 2008, 20:34
Over years mankind has evolved from using beads or barter to tokens issued by banks, then paper notes (cheques) - later supported by a plastic guarantee card. Then the plastic charge card, followed by the credit card and later the charge card.
Each stage has been accompanied by measures to combat fraud (silver wires in bank notes, holograms on plastic cards, PINs etc) none of which seem to have been definitively effective.
So, JBers, what's the answer? Who can invent a permanently foolproof countermeasure that will allow the public to trade without being defrauded of their rightful wealth?

Personally I receive a weekly pension which is available only from Post Offices using a plastic card supported by a PIN, and I withdraw 'sufficient' to cover my shopping (including fuel for the car when required). I can (physically) transfer cash to my bank from where I can make electronic payments to cover utility bills (I realise that I'm at risk during the walk from the Post Office to the bank, but there is no electronic transfer facility available for this). I also realise that there is a risk of my internet banking facility being interfered-with. I also appreciate that I'm at risk of street-robbery whilst carrying my weekly wad, and that, being 'retired' I probably don't have the turnover that many others will have.

I invite suggestions as to how others can use existing provisions without (or at least minimising) risk of robbery, theft or fraud (and that includes cash).

Gertrude the Wombat
1st Jun 2008, 22:05
I realise that I'm at risk during the walk from the Post Office to the bank
That's quite a serious risk, actually, being a blindingly obvious target for a mugging. Although the police do from time to time put up temporary CCTV cameras and stake out post offices in order to catch the low-lifes that beat up pensioners and steal their cash, you can't rely on this happening, particularly as they only do it after there have been a serious of attacks because it's insanely expensive.

I suggest you consider finding some other way of moving your money.