Hybrid_From_Hell Posted September 23, 2011

Credit Card Cloning

There is a new trick that a friend of mine was caught with.

Goes to petrol station, fills up, puts card into machine.
Petrol assistant asks for PIN number to be entered - he entered it.
Assistant then says "Oh sorry", there's an error - and asks you to rekey it.

What has happened is that he didn't put the amount in for the fuel; you then key in your PIN, which shows up on the screen as keyed info (should have been fuel amount).
He then wipes number (has now your PIN), asks for you to rekey, and it goes through.
He has the receipt with your card number on it AND now has the PIN.

BEWARE

Nige

Flame if you want - just thought this should be made aware, he has had his account emptied overnight.
But they have arrested fuel chap.

moose Posted September 23, 2011

That's why you should always read the screen, and look at what you're putting in. Also hardly any machines put your full card number on the receipt these days...

CwazyWabbit Posted September 23, 2011

Cheers Nige, always good to learn of different attacks happening. Helps you to be on your guard.

GBMUD Posted September 23, 2011

> Also hardly any machines put your full card number on the receipt these days...

I think they do on the retailer's copy.

Chris

CwazyWabbit Posted September 23, 2011

> I think they do on the retailer's copy. Chris

Regardless of whether they have the card number, once they have the pin they quite often nick the card one way or the other. There is also at least one technique where a stolen card can be used in a machine without knowing the correct pin.

Gazzar Posted September 23, 2011

The important question is whether the bank recompensed him for a weakness in their system.

G.

CwazyWabbit Posted September 23, 2011

> The important question is whether the bank recompensed him for a weakness in their system. G.

They could argue that you had been careless with your pin by not reading what was said on the terminal and refuse to pay out.

BogMonster Posted September 23, 2011

> I think they do on the retailer's copy. Chris

Correct. On the terminal at my old job, the cardholder's copy had the first twelve digits blanked out as most cardholders are too stupid not to lose their receipts, but the retailer copy has all the information on it.

So with the PIN and a copy of the retailer receipt you have the card number, expiry date and PIN which is probably enough to generate a new card. Didn't realise the number showed up on the screen from the PIN pad though - that's a big design flaw.

Having said that I think there is an assumption that anybody being issued with a terminal is not going to be a criminal, which is probably a bad assumption to make these days.

I was forced to use my card in a questionable petrol station while I was over there on holiday recently, and I watched my account like a hawk for about a week afterwards, though nothing happened.

CwazyWabbit Posted September 23, 2011

> ...... So with the PIN and a copy of the retailer receipt you have the card number, expiry date and PIN which is probably enough to generate a new card. Didn't realise the number showed up on the screen from the PIN pad though - that's a big design flaw ....

The pin is showing up because it is being entered by the customer at the point where the retailer should be entering the value of the sale; the 'attack' relies on the customer not reading what is on the hand held terminal from what I can tell. So it isn't really a design flaw, hence there could be problems with getting money back from the bank....

JMHO

Smego Posted September 23, 2011

If you are scammed that easy you deserve to lose the money IMHO!

The amount of people who do not cover their hand when putting the pin in is amazing
how many garages have cameras pointing directly at the terminal (to record attacks on staff they say)?

CwazyWabbit Posted September 23, 2011

If you get bored have a watch of this, no need for the pin as the system has a fairly big design hole.

GBMUD Posted September 23, 2011

> amazing how many garages have cameras pointing directly at the terminal

In Tesco the other day waiting for SWMBO at the till, I noticed that for every till there is a smoked dome type camera housing. Each one of these could be housing a camera pointing directly at the PIN pad. I am sure Tesco have many legal ways of separating us from our money, but still not good IMHO.

Chris

Sirocco Posted September 23, 2011

> If you are scammed that easy you deserve to lose the money IMHO! The amount of people who do not cover their hand when putting the pin in is amazing how many garages have cameras pointing directly at the terminal (to record attacks on staff they say)?

What you're basically saying then is 'fraud is fine', 'they were asking for it'?

My card has been done twice now and Lloyds have been very good about it, returning all funds to the rightful owner.

G

Diablo Posted September 23, 2011

> In Tesco the other day waiting for SWMBO at the till, I noticed that for every till there is a smoked dome type camera housing. Each one of these could be housing a camera pointing directly at the PIN pad. I am sure Tesco have many legal ways of separating us from our money, but still not good IMHO. Chris

Those cameras are pointed at the cash drawers to see what the employees are up to.

GBMUD Posted September 23, 2011

> Those cameras are pointed at the cash drawers to see what the employees are up to.

I assumed that is what Tesco will say. How do the public know that though? And do they really have such a narrow field of vision?

Chris

Diablo Posted September 23, 2011

I used to work for Sainsbury's and they covered the cash drawer and the scales of the till. Used to reduce till loss/catch those doing it.

pete3000 Posted September 23, 2011

To follow on from this one, with another way in which fraud is happening now chip and pin and delivery restrictions are enforced.

Mail/telephone order: you ring up, order your gizmos, give your card details, exp date, last 3 etc.

The Salesperson Fraudster then tags another expensive order on to your card to be delivered express delivery, to your house (card registered keeper address).

Hours later you get a phone call supposedly from the company (they have your contact details) saying there has been a mistake with the order, wrong much more expensive item has been dispatched. Not to worry, they have now dispatched the correct item (the one you ordered, probably on economy/standard post) and the wrong one will be collected by courier at their expense, and that your correct part will be with you in a day or so.

Wrong item is delivered to your house and you sign for it. Hours later courier turns up in a white van to collect wrong parcel. Your real parcel turns up a day or so later, all good?

Your credit card statement comes in at end of month, with both items invoiced and signed for by you. You ring up card company and shop and say I sent the expensive one back, the courier company collected it.

shop: We have no record of any collection, who did you give it to?
you: Bloke in a white van?

Penny drops.

simonr Posted September 23, 2011

One of the big problems, from a retailer's point of view anyway, is that after the Banks realised that Chip & Pin did very little to prevent fraud, they persuaded the Government to change the rules, making the Retailer fully liable for any card fraud. If you put through a fraudulent transaction, the amount will be debited from you plus a £28 charge-back fee.

I agree that the retailer has to take some responsibility for fraud prevention, but this move has removed ANY incentive for the banks to do anything about it as now it's not costing them a penny - and arguably they make more out of the chargeback than they would have out of the transaction. They also keep any fixed fee for the payment (any percentage fee, you get back).

This change was implemented when the government were pushing the banks to introduce photo or biometric cards - much better idea IMHO. I think the banks persuaded them that having the retailers police the system would be more effective (and cheaper for them).

I've only had a few of these and only at shows. Someone has used the correct Pin number - so how the hell are you supposed to tell they are a criminal? Now they have implemented address verification on most terminals, it's much better - but still not foolproof.

The full card number is printed on the retailer's copy of the receipt. I cannot see a good reason for this! If I were cynical, I would think it's so the banks can blame the retailer for leaking card numbers, should the receipts get lost / stolen.

Also, the most valuable part of the card number is the last four digits. If you have the expiry, pin and last four digits, you have the check digit which tells you if the rest of the number is correct. The first four digits tell you which bank and the next three or four, the branch. This dramatically limits the number of possible combinations you have to go through to find the rest of the number from 999999999999 to about 5000000.

A computer running a LUHN checker (the formula used to generate the check digit) can find all the valid card numbers with those last four digits in a couple of seconds. Worryingly, there is rarely more than one valid combo if you limit it to UK banks.

So, really, the card receipt should have a different combination of digits such as the first four and the last one.

Being that there is no incentive for the banks to do anything about it - only Governments can force a change - so get lobbying!

Si
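
Added example, not part of the thread or any poster's code: a defender-side check for the receipt problem discussed above. It scans receipt text for full card numbers, uses the Luhn check to skip other long digit runs, and masks what it finds; the sample receipt, the function names and the keep-last-four policy are assumptions of this example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces/hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed retailer-copy receipt; 4111... is a widely used test number.
SAMPLE = (
    "MID: 1234567890123\n"
    "CARD: 4111 1111 1111 1111\n"
    "EXP: 12/13  AMOUNT: 45.00\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    # Walk right to left; double every second digit, starting with the
    # digit immediately left of the check digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_receipt(text: str, keep_last: int = 4) -> tuple[str, int]:
    """Mask every Luhn-valid card number in text; return (masked_text, count)."""
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw  # long digit run that is not a card number (e.g. an ID)
        count += 1
        hidden = len(digits) - keep_last
        seen, out = 0, []
        for ch in raw:
            # Replace leading digits with '*', keep separators as printed.
            out.append("*" if ch.isdigit() and seen < hidden else ch)
            seen += ch.isdigit()
        return "".join(out)

    return PAN_CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    print(mask_receipt(SAMPLE)[0])
```
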

TobyMellin Posted September 23, 2011

I stopped using my card at any petrol station, especially the independent ones that have that card reader under the counter!

Bowie69 Posted September 23, 2011

No more 'customer not present' transaction for me with my debit card any more, credit card all the way online and over the phone, I find it much less hassle if something does happen.

Quagmire Posted September 23, 2011

Another Petrol Station trick is that the bad guys fill up a mahoosive car, usually next to a small thing like an Aygo then walk in and "accidentally" pay for the Aygo pump. They then drive off and if they are pulled up on it they say it was an honest mistake. They have in the meantime driven off with a not insignificant amount of fuel unpaid for...

Steve King Posted September 23, 2011

The other thing is ringing up your local takeaway and ordering a meal. They have your card No, expiry date, security code and your address. In fact everything needed to place an order on a website - just need to give an alternative address for delivery. Your card details could be written on a scrap of paper for all (including cleaners and mates of the staff) to see before the payment is processed.

Far fetched?? No - it happened to my wife!!!

At work we obscure card or bank details on insurance proposals once we have processed the transactions. Others may not be as diligent!!

Personally I think card transactions on the net and in person are safer than giving details over the phone, but stay sharp!!

rickdulas Posted September 24, 2011

I don't know how much more secure it is, but I always use a prepaid card for payments to websites etc that I haven't dealt with before, my thinking being that if anyone gets the details, then there won't be any money in there anyway.

Rick

Hybrid_From_Hell Posted September 26, 2011

Just to add to this

His bank are "Looking into this and considering his request for compensation"

So, he has financial probs as well now! Don't expect your bank just to pop all the money straight back in, it can take a while................

In the past I worked for a corporate Bank, when I saw frankly how poor the security really was - and the probs that then had on the poor customers, I made a decision then which has served me well ever since.

I have a "Main" bank account - this has NO cards attached to it, so the only way I can get to the money (or anyone else for that matter) is to "Transfer" to the "Second" account I have, which does have cards attached to it.

Therefore if I am ever "Cloned" then there are always limited funds in that account, no overdraft facility and I still have my "Main" account with funds in etc so I am not then in a financial problem. I use the main bank account to "feed" the 2nd account which I then use for day to day transactions.

All my paypal accounts are linked to the "Second" account, and if needed I transfer out to the "Main" account.

Means my main account is protected as there is no other link to it other than me transferring.

It may seem paranoid, but the voices in my head have always said it's a good idea.

HTH

Nige

TheRecklessEngineer Posted September 26, 2011

Jolly good idea Nige - something I do as well.