24 October 2017

A Single Customer View

Michael Fuller - None

6Posts 30,047Views 39Comments
A post relating to this item from Finextra:

Chip and PIN fraudsters jailed

29 October 2008  |  12128 views  |  0
2825.jpg
Two men who purloined the details of thousands of credit cards from Chip and PIN terminals and used them to make counterfeits before stealing over £1 million have been jailed at a London Court.

Convenience Store ATM Fraud

19 November 2008  |  5249 views  |  5

About eight weeks ago I got my wife and I Shell MasterCards from Citi to buy fuel with. This was prompted by the offer of 3% off our fuel purchases at Shell. (6% in the first 60 days from account opening).

This morning (17 November) I got a text from Citi telling me my account balance. It was £1600 more than I had expected so I tried to log on to see why. “Your account has been blocked” the screen said so I phoned instead.

“Press 1 to report your card lost or stolen” the menu said so I did. The voice which answered told me I was through to India. I gave them my card number and told them I was concerned that there were fraudulent transactions on my account since the balance was much higher than it should be. I expected them to help. “Sorry” the agent replied, I can’t deal with this, I’m not trained on Shell Cards!”.

After a while on hold I got transferred to another agent who was trained on Shell Cards but who wasn’t from the Security Department so could only confirm that there were fraudulent transactions on my account, which were cash withdrawals on my wife’s card. He took my details and promised to get someone to call me.

By then I had worked out what must have happened. My wife had only used her card at one filling station in Tooting. The card number and PIN must have been intercepted at the checkout there by Chip and PIN fraudsters and used to clone a cash card.

After no call-back and another call I finally got through to the Fraud Department who confirmed my suspicions that the card had been cloned and used to withdraw cash at an ATM. So despite jailing people the effects are still being felt and card data was still being captured by the criminals in October.

Now while it’s difficult to defeat a determined criminal intent on skimming cards and PINs the whole point of Chip and PIN is to stop fake cards from being used. Why then are ATMs allowed in the UK which don’t validate PINs? I remember this type of fraud from twenty years ago when I think we called it PAN7 the only difference is now the criminals target the non Bank ATMs in convenience stores.

On a lesser but not inconsequential note please would Banks which use touch tone call systems check that the routing makes sense and that their staff who handle lost and stolen calls are trained to handle them!

Finally you may think from my posts that I’m a particular victim of card fraud since I’ve had four or five incidents where my card details have been compromised in the last 12 months. What is really worrying however is that if this level of fraud is happening to me what is happening out there generally? With credit card profits being hit through write offs and the recession generally the Banks and Card Associations need to start closing the gaps to fraud and that means enforcing adoption of Chip and PIN in ATMs.

TagsCardsSecurity

Comments: (7)

Graham Mott
Graham Mott - LINK ATM Scheme - Harrogate | 20 November, 2008, 17:09

Michael

Really appreciate how inconvenient and frustrating it is to be a victim of this kind of fraud

Just one small comment on your post which I appreciate was more about point -of -sale than ATMs. 

All UK ATMs are EMV compliant using Chip and Pin technology and have been for some time.  This means that when a Chip card is used in them it will automatically be read and it prevents a fake Chip card being used to withdraw cash.  

EMV is rolling out across Europe but for the foreseeable future there will be countries where a fake card can be used as the ATM will read the copied mag-stripe.  

 Graham

 Graham Mott, LINK ATM Scheme

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Michael Fuller
Michael Fuller - None - London | 20 November, 2008, 21:45

Graham

These withdrawals took place in the UK so there seems to be a hole somewhere.

Mike

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 21 November, 2008, 09:18

 

""All UK ATMs are EMV compliant using Chip and Pin technology and have been for some time.  This means that when a Chip card is used in them it will automatically be read and it prevents a fake Chip card being used to withdraw cash."

EMV is rolling out across Europe but for the foreseeable future there will be countries where a fake card can be used as the ATM will read the copied mag-stripe.  

 Graham

 Graham Mott, LINK ATM Scheme

 20/11/2008 21:45:52 Michael Fuller added: 

Graham

These withdrawals took place in the UK so there seems to be a hole somewhere.

Mike"

 

------------------------------------------------

OOOUUUUCCCCHHHHH.

No wonder we couldn't convince Mr. Mott - LINK ATM to check out our CARD fraud solution. 

Mike said "banks need to start closing the gaps to fraud and that means enforcing adoption of Chip and PIN in ATMs."

Mike, banks at the moment are going through the "deer stuck in headlights" moment and most likely don't give a mouse's 'behind' about your last invoice and the money that was lost.  Prince Alwaleed Bin Talal's latest injection plus the bailout money will surely cover your citibank losses. Surely, they will remind you that at the end of the day, you will not have to pay for these fraudulent transactions.

The next time you use your new card, you'll probably get blocked by the bank's predictive risk management system. While the entire world have realized the fallacy of predictive risk management systems when it relates to investment and capital, most banks are still applying the same concept and employing these systems of predicting of how you might use your card. When this happens, try calling your bank to complain about getting blocked and you will be told that "Its also for your own safety that they are blocking you from using the card.".

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
David Birch
David Birch - Tomorrow's Transactions - London | 24 November, 2008, 11:41

"These withdrawals took place in the UK"

Were these withdrawals at bank ATMs or at "stand alone" ATMs in pubs or something like that?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Michael Fuller
Michael Fuller - None - London | 24 November, 2008, 21:03

The transactions were not at a Bank and all bear the name "RANC". There were transactions in "Hammersmith", "Shepherds Bush" and "London". I'm assuming they are an ATM because the amounts are all Cash Advances for either £100 or £250 with multiple withdrawals over three days. Since the card was cloned I can't see how these withdrawals would have been over the counter.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Joe Pitcher
Joe Pitcher - Irrelevant - Wirral | 28 November, 2008, 13:55

The loophole is possibly in a setting that states if the Chip is not able to be read, to allow the transaction to proceed. It is then up to the issuing bank to decide whether or not to honour that transaction.

In my (humble) opinion the banks should all be declining such transactions.

At the end of the day if the chip is not read/present the transaction relies on either terminal rules or the issuer to decision based on risk. The 'fault' seems to be a mag stripe transaction being approved on an EMV card.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 30 November, 2008, 17:57

Many people working for companies in the card (transactions) processing industry know that fraudsters have found a way to 'nuke' or 'break' the chip so as to force the fallback not only with the real card but also (of course) simulate an unreadable chip with the cloned card. If banks were to disallow the fallback, then they would most likely get MANY MORE irate calls from their cardholders. 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Michael

Who I am and not what's my limit?

26 September 2011  |  3779 views  |  0 comments | recomends Recommends 1 TagsSecurityRetail banking

3-D Insecure -possible heresy

28 January 2010  |  6369 views  |  12 comments | recomends Recommends 0 TagsCardsSecurity

Citi Cards UK direct debit failure

01 January 2010  |  5963 views  |  0 comments | recomends Recommends 1 TagsCards

Convenience Store ATM Fraud

19 November 2008  |  5249 views  |  5 comments | recomends Recommends 0 TagsCardsSecurity

3D, 2D or 1D Secure?

08 November 2008  |  5274 views  |  3 comments | recomends Recommends 0 TagsCardsSecurity

Michael's profile

job title Former Retail Banker
location London
member since 2008
Summary profile See full profile »
Since 1997 I have left the financial sector and am Company Secretary for a large national Housing Association with responsibilities which include regulatory reporting from our data warehouse.

Michael's expertise

Member since 2008
6 posts39 comments
What Michael reads
Michael writes about
CardsSecurityRetail banking
Michael's blog archive
2011 (1)2010 (2)2008 (3)

Who's commenting on Michael's posts