€1.5bn swiped from EU cards: Fraud mainly takes place in the US

Most of the credit and debit card fraud in Europe can be pinpointed to criminal transactions in the US, a police report has said. EU police service Europol said that the European Union had invested heavily in the 3-D secure protocol, offered by Visa as Verified by Visa and by MasterCard as Mastercard SecureCode, as well as on …

COMMENTS

This topic is closed for new posts.
  1. Mad Mike

    Of course, the change in terms and conditions to make it the customer's problem if the right PIN code is entered, hasn't biased the figures at all? I imagine there's still a substantial amount of fraud going on, it's just that the PIN is used and therefore it isn't counted. That doesn't mean it wasn't fraudulent. People's PINs are easy to get just by watching most people at tills etc. The number that cover the terminal or obscure vision is very small. I've heard of plenty of cases where a suitably placed camera can be used to get them en masse.

    1. Anonymous Coward

      Indeed...

      http://www.thisismoney.co.uk/money/saving/article-2215223/Victim-chip-pin-fraud-Its-YOUR-fault-insist-banks.html

    2. Joseph Lord

      The good news is that the chip can't be quickly or easily cloned so the PIN is only useful with the card OR the data from the magstripe.

      The bad news is shoulder surfing the PIN is the least of your worries. How do you verify the machine you are typing your PIN into is A) genuine and B) hasn't been tampered with to record the PIN.

      As far as I can tell there is no mechanism apart from whether you trust the shop and the staff member serving you. There aren't any holographic stickers or any proper security features like the device displaying a secret from your chip to you before you enter the PIN.

      1. Anonymous Coward

        Plenty of misconceptions on how chip+PIN works, apparently

        It does not matter whether the device records the PIN or not.

        In a nutshell, how it works is that the PIN unlocks the chip, and the chip authorizes the transaction on its end, and signs it. Without the chip, there is no chip+PIN, and so no customer liability.

        Yes, I imagine a device could be modified to display, e.g., a transaction of 10 when actually doing 1000. But what would be the benefit? It would be detected and stopped before the crook made any significant benefits.

      2. Anonymous Coward

        Terminal authentication *is* performed by the chip on your card, in much the same way that the terminal authenticates the card by a series of public/private key verifications. The chips that implement the EMV standard have their own processing power and support crypto algorithms like DES, SHA and RSA; they're not just there for storage.

        What is much more difficult to guard against, but luckily much more difficult to pull off for the bad guys, are man-in-the-middle attacks where the card and/or the terminal are genuine but someone listens in on the exchange and injects fraudulent data.

        1. Joseph Lord

          @AC 11:53

          How do YOU know the result of the terminal authentication BEFORE you enter your PIN? If they don't charge you they can get your PIN and magstripe (if you let them stripe it). You only get to find out it might not have been valid when you see fraud on your account OR notice that you weren't charged for something, and the not-charged thing is your only clue as to where it happened. The fact that your card knows it is in a non-authenticated terminal (or maybe isn't even connected to a terminal at all) doesn't protect your PIN. This is why after authenticating the terminal the chip should reveal a secret number or message (known to the user) to be displayed before the PIN is requested.

          The only way I can think you might be able to detect a fraudulent machine is if you enter an incorrect PIN and it doesn't reject it (therefore it isn't connecting to your card).

    3. Anonymous Coward

      PIN is different from Chip+PIN

      You're missing half the point: the article did say chip+PIN.

      Even if stealing the PIN is possible, you also need the *chip* to have the enhanced fraud protection. And chips are not so easy to clone as you seem to believe. Else, you need to steal the original card, which is one step further, and most people will notice it missing.

      PIN-only is done in the US, using only the magnetic strip. As pointed out by the article, that is why the US sucks at fighting fraud. Cloning a magnetic strip is easy. Cloning a chip, not so much.

      So, to answer your question, no, the numbers are probably not biased at all, because PIN-only entry on cloned cards in the US is indeed counted as fraud in the book of Europeans who use more secure chip+PIN technology.

      1. Joseph Lord

        Re: PIN is different from Chip+PIN

        Yes I should have said that if a crook has PIN plus magstripe they need to force a non chip transaction. This could be by technical measures but more likely just sending the data to a country where chips aren't used. During the transition to chip there were places here where it could be done (ATMs that hadn't been upgraded) but I doubt those options still exist.

    4. Anonymous Coward

      Ever thought to take a bit of personal responsibility - guess it's ok to write the PIN on the card itself as well?

      1. Dogsauce

        RE writing number on card

        ...the trick is to write the *wrong number* on your card (or on a bit of paper in your wallet - something like 'HSBC 1884'), slightly scruffily so maybe one of the digits isn't clear (is that an 8 or a 6?). That way any card thief will think they're in luck and probably have a shot at using it (with the unclear digit they'll maybe have a couple of guesses, assuming the first was wrong), and increase the chance that they get caught (or your card retained by a machine), or at worst waste a bit of their time, dash their hopes and piss them off.

    5. Mad Mike

      Simple Method Commonly Used

      In line with several of the other people responding, I do understand how chip and PIN works. However, the simplest (and I know common) method of fraud is actually missing. PIN entry is observed in say a supermarket. Said miscreant (often behind you in queue), along with maybe a mate or two, then proceeds to steal your card. Now, if in a supermarket, there is probably a decent window to use said card and PIN before you notice, get in touch with the bank, and finally, cancel the card etc. So, plenty of scope to make purchases with both the card and PIN. Liability for this is with the customer, not the bank, as the correct PIN was entered.

      Sometimes the simplest and easiest method is the best and avoids all the technical nasties. Course, this isn't the organised crime angle, so often gets ignored. I've known someone have their card stolen in Redhill and have it used in Leeds before they were aware it was gone. Don't think people realise their card is missing straight away. It is as often as not hours and even days in some circumstances.

    6. Anonymous Coward

      Liability for fraud

      It's been the case (written into law) since Nov 2009 that the banks are legally liable for C&P fraud. This includes if a PIN has been used.

      http://en.wikipedia.org/wiki/Chip_and_PIN

      1. Mad Mike

        Re: Liability for fraud

        That's as maybe AC, but that's once you've established fraud has occurred. The issue is doing so. If the bank can show the correct PIN has been entered, they simply invite you to prove it wasn't you. This is sometimes easy (different continent etc.), but often very hard. Hence, if the correct PIN has been entered, in a majority of cases, it isn't counted as fraud (as the customer can't prove it wasn't him) and therefore isn't covered. Banks constantly go on about you being the only person who knows the PIN and the system making it impossible for anyone else to get the PIN, hence it must have been you or someone else you gave the PIN to etc. As the bank simply has to 'show the transaction was made by you', they cite the correct PIN number as such proof or, if someone else, evidence that you've broken the T&Cs by revealing your PIN!!

        So, the 2009 law was rather pointless really. This is all becoming a rerun of the ATM issues where people insisted it wasn't them and the banks continued for years to insist they were foolproof etc.etc. A lot of people lost money that way.

        1. Anonymous Coward

          Re: Liability for fraud

          @Mad Mike - Like I said and the linked article says (IIRC) and is written into law: The burden of proof is on the bank. Even if a PIN is entered, they have to show it was you or you were negligent in allowing your PIN to be discovered (i.e. wrote it down).

  2. Joseph Lord

    Verified by VISA is horrible

    An online retailer redirects you to a third party domain unrelated to your card provider which asks you for personal details and asks you to set a password. Then liability for fraud is shifted to the customer.

    Even if it is actually secure the user education message of the process is horrific.

    Chip and Pin is kind of OK but never enter your PIN if the card has been out of your sight OR swiped rather than just the chip being inserted.

    1. This post has been deleted by its author

      1. This post has been deleted by its author

      2. This post has been deleted by its author

      3. This post has been deleted by its author

        1. Anonymous Coward

          Re: Verified by VISA is horrible

          The PIN is stored in *both* the chip and stripe. They have to put it in the stripe, for countries like the US which still depend on it. Well, it's not exactly cleartext in the stripe like I said previously. But unlike the chip, the stripe can be fully cloned by a single swipe.

          1. David Hicks

            Re: Verified by VISA is horrible

            The PIN is stored in the stripe?

            What unmitigated bullshit!

            It's not in the stripe at all. Anywhere, coded or otherwise. The stripe contains a very limited amount of data. If you're doing Stripe + PIN transactions the PIN is captured and encrypted then sent to the bank for verification.

            1. Mad Mike

              Re: Verified by VISA is horrible

              Depending on the type of card involved, a PVV may be stored on the stripe of the card. This is the PIN Validation Value and can be used to validate the PIN entered at a terminal. Now, it's NOT the PIN, but as it can be used to determine if an entered PIN is correct and the process is known, it is possible to derive the PIN from it!! The only question is the processing power and number of combinations. This is a VISA standard and is talked about here, amongst other places.

              http://www.gae.ucm.es/~padilla/extrawork/visapvv.html

              Given the processing power now available for a relatively small amount of money...

            2. Anonymous Coward

              Re: Verified by VISA is horrible

              The magnetic stripe includes a PIN Verification Value, which is a hash of the PIN. So yes, it is there, and required, and readable with a simple swipe. Not enough by itself to guess the PIN, of course.

              http://www.gae.ucm.es/~padilla/extrawork/tracks.html

              How else could stripe-only devices check the PIN otherwise?

              1. David Hicks

                Re: Verified by VISA is horrible

                The PVV is an optional component and the attack on it would (according to the linked paper) take multiple years to break and many, many more if 3DES is used over DES, which one would hope in this modern day and age. It's also a hash rather than a straight encrypt, as only a portion of the DES output is stored.

                The PIN is not on the stripe.

                And how else could stripe-only devices check the PIN? ISO-(can't remember the number) encoding the captured PIN with a terminal specific key and sending it to the acquiring/issuing bank for verification. There is an online PIN verification capability in EMV, I don't know if it's commonly done for stripe transactions.

                1. Anonymous Coward

                  Re: Verified by VISA is horrible

                  > And how else could stripe-only devices check the PIN? ISO-(can't remember the number)

                  ISO 8583 I believe.

          2. The FunkeyGibbon

            Re: Verified by VISA is horrible

            You clearly have no idea how PKI works.

            http://en.wikipedia.org/wiki/Public-key_infrastructure

            Chip and Pin is by no means foolproof or perfect (PIN written on post-it™ notes etc) but it's not also as simplistic as you seem to think it is either.

            1. Anonymous Coward

              Re: Verified by VISA is horrible

              AFAICT, the chip+PIN authentication is not exactly a PKI. There is no communication with a central authority involved for the authentication part (there is for the authorization, but that part does not have to happen in real time, it can be done after the transaction is complete, and is often done as a daily batch to minimize communication costs).

              It is the chip itself which is doing the authentication of the PIN and allowing itself to be used to sign the transaction.

              1. David Hicks

                Re: Verified by VISA is horrible

                @AC - "AFAICT, the chip+PIN authentication is not exactly a PKI. There is no communication with a central authority involved for the authentication part (there is for the authorization, but that part does not have to happen in real time, it can be done after the transaction is complete, and is often done as a daily batch to minimize communication costs)."

                Any amount over the card or terminal's limits must go online for authorisation. There is also a limit on the number of offline transactions a card will permit, and a random factor that chooses whether even transactions below the offline limits will go online. An online transaction absolutely is authorised in real time, including cryptographic verification, by the bank, of the transaction cryptogram provided by the card.
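                To make the flow the last two posts describe concrete, here is a toy model added as an illustration; it is not code from the thread, the EMV specification or any bank. The chip checks the PIN itself, MACs the transaction under a key that only the chip and the issuer hold, and decides between an offline approval (TC) and an online authorisation request (ARQC) by floor limit, offline counter and a random factor; the issuer verifies the cryptogram in real time. HMAC-SHA256 stands in for the 3DES-based Application Cryptogram, and every key, PAN and limit is a made-up value.

```python
"""Toy model of the chip+PIN flow described above: the chip checks the PIN
itself, MACs the transaction with a key only it and the issuer hold, and
picks offline approval (TC) or online authorisation (ARQC) by floor limit,
offline counter and a random factor. Added illustration, not the EMV spec:
HMAC-SHA256 stands in for the 3DES Application Cryptogram; values are made up."""
import hashlib
import hmac
import random
import secrets

def _cryptogram(key, pan, atc, amount, unpredictable_number, kind):
    """MAC over the fields the issuer checks; stand-in for the EMV AC."""
    msg = f"{pan}|{atc}|{amount}|{unpredictable_number}|{kind}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Card:
    """Chip side. The PIN and the issuer key never leave this object."""

    def __init__(self, pan, pin, issuer_key, floor_limit=5000,
                 max_offline=3, pin_tries=3):
        self.pan, self._pin, self._key = pan, pin.encode(), issuer_key
        self._max_tries = self.pin_tries_left = pin_tries
        self.atc = 0                    # Application Transaction Counter
        self.floor_limit = floor_limit  # pence; above this the card goes online
        self.max_offline = max_offline  # consecutive offline approvals allowed
        self.offline_count = 0

    def verify_pin(self, candidate):
        """Offline PIN check inside the chip, with a try counter."""
        if self.pin_tries_left == 0:
            return False                # PIN blocked after too many tries
        if hmac.compare_digest(candidate.encode(), self._pin):
            self.pin_tries_left = self._max_tries
            return True
        self.pin_tries_left -= 1
        return False

    def generate_ac(self, amount, unpredictable_number, random_online):
        """Choose TC or ARQC and MAC the transaction under the card key."""
        self.atc += 1
        if (amount > self.floor_limit or self.offline_count >= self.max_offline
                or random_online()):
            kind = "ARQC"               # terminal must go online
        else:
            kind = "TC"                 # approved offline by the card
            self.offline_count += 1
        mac = _cryptogram(self._key, self.pan, self.atc, amount,
                          unpredictable_number, kind)
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable_number, "type": kind, "mac": mac}

class Issuer:
    """Bank side: holds each card's key and the last ATC it has seen."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enrol(self, pan, key):
        self._keys[pan] = key

    def authorise(self, ac):
        """Real-time verification of the cryptogram the card produced."""
        key = self._keys.get(ac["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _cryptogram(key, ac["pan"], ac["atc"], ac["amount"],
                               ac["un"], ac["type"])
        if not hmac.compare_digest(expected, ac["mac"]):
            return "DECLINE: cryptogram does not verify"
        if ac["atc"] <= self._last_atc.get(ac["pan"], 0):
            return "DECLINE: replayed transaction counter"
        self._last_atc[ac["pan"]] = ac["atc"]
        return "APPROVE"

def terminal_transaction(card, issuer, amount, pin_entered,
                         random_online=lambda: random.random() < 0.1):
    """Terminal flow: PIN to the chip, cryptogram back from the chip, then
    offline approval or an online authorisation request to the issuer."""
    if not card.verify_pin(pin_entered):
        return "PIN rejected by card"   # nothing is ever sent to the issuer
    ac = card.generate_ac(amount, secrets.randbits(32), random_online)
    if ac["type"] == "TC":
        return "APPROVED offline"
    result = issuer.authorise(ac)
    if result == "APPROVE":
        card.offline_count = 0          # issuer approval resets the counter
    return result

if __name__ == "__main__":
    key = secrets.token_bytes(16)                # constructed shared key
    bank = Issuer()
    bank.enrol("4000000000000002", key)          # constructed PAN
    card = Card("4000000000000002", "1234", key)
    print(terminal_transaction(card, bank, 1000, "0000"))   # PIN rejected
    print(terminal_transaction(card, bank, 25000, "1234"))  # above floor: online
```

A terminal that tampers with the amount after the chip has produced its cryptogram, or replays an old one, is refused by the issuer, and a wrong PIN never reaches the bank at all.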

    2. Phil O'Sophical Silver badge

      Re: Verified by VISA is horrible

      Verified by VISA saved me a considerable amount of money and hassle just recently. As used by my bank, any online order from a retailer who uses it triggers an SMS to be sent to my phone, with a confirmation code that I enter to complete the website transaction. A very minor inconvenience, but when I recently got such an SMS for a transaction I knew nothing about I went straight to my internet bank account, and found three other online transactions from other retailers which had gone through, for a total of ~ £1000. I called the bank and cancelled the card immediately, during which time 3 other text messages arrived for other retailers. Needless to say none of the attempted "verified" transactions (for substantial purchases) went through successfully.

      It took a few weeks for the bank to validate and refund my claim, but it could have been a lot worse if Verified by Visa hadn't alerted me. I still don't know where my card was copied, although I have my suspicions (shifty cashier at a supermarket I don't normally use).

      The thing that baffles me is the purchases that were made. Usually people use cloned cards for untraceable stuff like PAYG phone top-ups, or porn sites. What sort of clown makes an online purchase of garden furniture, which presumably requires a delivery address?!!

      1. Tom 38

        Re: Verified by VISA is horrible

        Phil, that sounds like a clever system. HSBC have much tighter controls that apply to my account - not by my choice.

        Every time in the past 12 months I've tried to buy anything significant online - over £100 - HSBC have refused my card, requiring a phone call to them to say that yes, I did order a bunch of computer kit today, filling in the VbV forms. Verified by Visa, not trusted by HSBC.

      2. Joseph Lord

        Re: Verified by VISA is horrible

        That sounds like a good feature although almost as effective would be SMS messages sent out after any cardholder not present transaction that you could respond "FRAUD" to if they aren't genuine with no VBV.

        I would mind VBV much less if the password setting/resetting process was better (although I have avoided it for the past few years so it may have improved) and that it was hosted if not at your own bank then at least at visa.com so at least it was visibly at a company that people know that they have a business relationship with and are more likely to notice if it is a fraudulent misspelled domain than whatever it is that I normally get redirected to and asked for my date of birth.

  3. Dan 55 Silver badge

    Another solution would be chip only cards

    The vast majority of people don't often travel to the US or South America. If they do need to go they could ask for a magstripe card valid for just the trip.

    1. Robert Carnegie Silver badge

      I used a magnetic tape eraser on my card.

      Apparently they do contractually have to provide only cards that have a compatible magnetic stripe, which also means that someone can stick a stripe reader onto the front of an ATM. But I zapped the stripe on mine with a big electromagnet machine. I did worry that I might kill the chip as well, but it seems to be okay.

      You also probably could scrape the magnetic strip off - scour it with wire wool, for instance. Maybe not the same bit of wire wool that you use for saucepans that you eat out of.

    2. Phil O'Sophical Silver badge

      Re: Another solution would be chip only cards

      The problem isn't that the card is copied when it is overseas, it's that the card is copied at home and then the copy is used overseas where there is no chip+PIN protection. Chip+PIN has made use of cloned cards in Europe pretty difficult.

      People who don't travel can just ask their bank to block any foreign use of the card. Most banks will have alarm bells that ring if an unusual foreign purchase is made anyway. Buying a meal is one thing, but buying, say, a dishwasher isn't likely to be a typical holiday purchase.

      1. Dan 55 Silver badge

        Re: Another solution would be chip only cards

        Okay downvoters, I'll explain more. Having a chip only card would...

        1) Make it impossible to easily copy data off the magstripe at home.

        2) Automatically deny transactions if someone does get hold of enough data which can be used to forge a magstripe card abroad and run it through a magstripe reader; this card account shouldn't be usable from magstripe readers.

        The price...

        Updating all cash machines to chip readers at home.

        1. Anonymous Coward

          Re: Another solution would be chip only cards

          @Dan 55 - All the ATMs in the UK are already Chip and PIN. (Or at least the vast majority)

  4. Alfred

    My card was swiped an extra time whilst paying for something overseas, with the criminal in question helping herself to some extra cash. PIN wasn't entered - it was swipe only. Credit Card company (Capital One) insist that the PIN was used to authorise it and as such I'm on the hook for it. It's a way of off-loading the loss onto the customer.

    1. Anonymous Coward

      Ask for the logs of the transaction. They do bully customers as much as possible, but, at least in parts of Europe, the customers have a lot more leeway than they realize.

      When it comes to the burden of proof, it squarely lies on the bank's side. They must show the signature, or prove the PIN was entered, not just assert it. The paper trail of all transactions is enormous, and they have a duty to keep it (though some are less than dutiful about it).

    2. Simon Harris

      Shocking...

      I was quite shocked by the lax security when I visited the US a year ago. Not only did the cashier in a reasonably reputable store just swipe my card without asking for a PIN, but she didn't even look at the back to check whether my signature matched. On the other hand, chip and PIN was already de rigueur when I was in Romania 8 years ago.

      1. Anonymous Coward

        Lax US security

        Better yet, a colleague and I accidentally swapped AmEx cards on a business trip (picked up each other's card after we'd split the bill for a meal).

        We didn't notice until after I had paid for a $200 meal the following evening, using my colleague's card but signing the slip with my name. The waitress didn't even notice... Hand-held chip+PIN terminals brought to the table are wayyy more secure. Made filling out the expenses claim fun, that did :)

      2. david 12 Silver badge

        Re: Shocking...

        >but she didn't even look at the back to check whether my signature matched

        That is not what the signature is for. When you sign the card, you sign the contract.

        The cashier may check that the card has been signed -- the signature indicates that the cardholder accepted the card, contract, and charges -- but matching the signature to some other signature is not a required part of the deal.

        1. Simon Harris

          Re: Shocking...

          Certainly American Express think the cashier should check the signature strip...

          "Only the person whose name is on the Card is authorized to use it. For in-person transactions, we recommend the following:

          ...6. Compare the signature of the Cardmember to the signature on the back of the Card..."

  5. Anonymous Coward

    Verified by Visa/ MastercardSecure has a big hole...

    Speaking as someone who has had attempted fraud against him the online systems have a flaw.

    If you forget the VBV/MCS password you can easily reset it by knowing the cardholder's name, card expiry date, CVV on the back and the cardholder's date of birth, and the fraudsters already have most of those. The system then lets you change the password; there's no verification step like sending an email to the prior email address on file when you set the account up.

    Thankfully Capital One noticed, as it was two lots of fraud for a total of £5K.

  6. heyrick Silver badge

    How to stop this dead in its tracks...

    I have two cards with (different) French banks.

    CARD #1 - For *most* online purchases (notably not Amazon.fr), the transaction pauses with a verification screen. In the little box, I need to type not a password, but a code sent to my phone by SMS. This code also tells me what the transaction was for (in case it wasn't me). I can only change my registered phone number by logging in to the bank (and responding to the SMS it sends to the old number), or talking to the bank in person if my phone is stolen or damaged.

    CARD #2 - Will not work, online, at all. I have some software that generates "virtual" cards which are authorised for a specific amount and a specific length of time.

    I think a bank that permits you to use an insecure card for on-line purchases globally is a bank to avoid like the plague...

    1. david 12 Silver badge

      Re: How to stop this dead in its tracks...

      >CARD #2 - Will not work, online, at all. I have some software that generates "virtual" cards which are authorised for a specific amount and a specific length of time.

      Which bank? Do they have an English web site?

      One of our major American suppliers is asking for our PIN for online transactions (this is standard in some countries, but until now, not the US). But here in AUS, providing our PIN to another person voids our credit card protection.

      I have been looking for a provider which provides one-time virtual cards, but I haven't found an AUS (or USA) bank which does that, and I don't know where to look. We would consider a French provider.

  7. Anonymous Coward

    In the US, they can use the ZIP code as a PIN

    I've just been visiting California. And the most astonishing thing was, when buying gas with my (chipped) Amex, the machines always asked me for my ZIP code. Not a single time for my PIN. And most of them displayed the ZIP in clear, big numbers on the screen. I'm not sure what the rationale is for security.

    I've been told that at least in some places, Visa card holders are also required to give the ZIP code.

    1. pPPPP

      Re: In the US, they can use the ZIP code as a PIN

      Same thing happened to me last week in the US. In the past you could put in any old zip code, as long as it was 5 characters. This time round I had to pay at the till. Only had to sign on one occasion, and that time the clerk didn't bother checking it, as I already had the card back in my wallet, which is standard practice in the US.

      Really, you can use anyone's card in the US. Nobody checks, and most department stores use screens like those that couriers carry. Your signature ends up looking nothing like it's supposed to, even if you do try.

      1. MachDiamond Silver badge

        Re: In the US, they can use the ZIP code as a PIN

        I believe the non-checking by cashiers is due to economics. Stores are indemnified by the credit card companies for fraud up to a certain amount without having to show that they made a good faith effort to verify the purchaser's ID. If you try to make a large value purchase, the clerk will have probably received training to check ID more carefully and may need to enter additional information into the system for an approval. At some value level, the manager may need to approve a credit purchase as the store would not be indemnified for the loss if the credit card was stolen. I would guess that in some venues credit card fraud is very low. I never get asked for ID at the take out. The same at fancy restaurants. The former is such a small amount for a fraudster to risk on the whole and the latter is likely due to internal statistics that show almost no attempts with stolen cards.

        I have noticed at petrol stations that there is a posted limit of about US$75 when using a credit card. I commonly have to input my zip code and I imagine that it's the easiest check that uses the least secure communication regime. If a thief has nicked your wallet or purse, they can check your ID for a zip code, but if they only have the card, they will be thwarted.

        You may want to log in to your credit card account page and search all of the menus for notification options. The companies that I have credit cards with have been complete rubbish when it comes to telling me about this stuff. I can get an email and/or SMS for all transactions, transactions over a certain amount, foreign transactions and many other combinations. I also have them set to message me when my statement is ready and if I haven't made a payment a couple of days before it's due in case I missed something.

        If you travel, keep a list of your card numbers somewhere besides your wallet/purse and NON-toll-free telephone numbers. You will want the direct dial number for the country you are in and the one for your home country. Just because you call the Visa office in France doesn't mean that they can help you with a Visa card issued in Denmark. The home office may have a better contact to get you a replacement card quickly so you can pay for the hotel and car hire when you leave to go home. Remember that the card information you gave them when you booked is going to be void when you report a stolen card. I'm not sure how hotels and other places deal with that sort of thing when all you have to do is leave the room key on the dresser to check out rather than queuing up at the front desk in the morning. Hmmmm.

    2. Tom 13

      Re: rationale is for security.

      Well, the rationale isn't really for security. It's for marketing purposes. But they say it's for security. And since it's a common question for authorization when you call the bank to check your balance (varies between social security, zip code and last four of either of those), people accept it is a valid security authorization. Just like they accept mother's maiden name.

  8. Anonymous Coward

    Canada Visa shocking

    I have a Chip/Pin Visa card here in Canada.

    I prefer to use my debit card usually, but for some reason, at a Gas -erm- Petrol station it wouldn't work (insufficient funds I think). So I tried my Visa card which I usually reserve for online transactions where the debit card is often useless.

    Swiped the card at the pump and it allowed me to fill up, nothing further required.

    I was horrified. No PIN, no signature required, nothing.

    Welcome to the modern age...

  9. mhenriday

    Sure that those dastardly Iranians -

    or perhaps the Chinese - rather than the good, upstanding residents of the US of A, don't lie behind these outrages as well?...

    Henri

  10. All names Taken

    Tsk

    Uh-huh

    I reckon it is the US Treasury with support from US military and US intelligence services as a means to repair US economy and pay at least a little of the trillions of debt US owes to China, Brazil, ...

    Note to emerging nations: please do not get entrenched into maintaining huge government funded bureaucracies. I mean look what happened to the former Soviet empire, is happening to most of the EU and UK, ...

  11. pig

    Banks will try and take the proverbial

    I had £550 of Ryan Air flights go out of my account.

    The bank told me as it was chip and pin they would not refund it.

    I phoned them up and offered to send them instructions of how to commit fraud on a chip and pin card (I was just going to send links to 3 or 4 Reg articles) and they instantly backed down and refunded me, without me even having to send the links.

    The sad thing is they know they are liable, and that in many/most cases the customer is not at fault, but they will still try it on and although us geeks will know to not accept it I fear many other people will just accept it and end up paying for it themselves.

    The banks should be forced to be more fair, and not just be allowed to take advantage of people's ignorance in these matters.

  12. Trevor_Pott Gold badge

    PIN numbers

    <incomprehensible rage>

  13. Andy Davies

    I felt sure it would be in the article but it wasn't so:

    when all's done we have got

    chip & pin

    and they have not
