Paul Makepeace ;-)

April 1, 2005

Card Fraud

Posted in: Drivel

This afternoon I got a call from my bank about some attempted transaction using "my" debit card. Now, I haven't lost my card so someone's got hold of the details somehow, presumably by running the card through some device that records the magnetic strip and can write that onto a dummy card.

When at a restaurant last week I paid on my debit card and entered my PIN but apparently it was wrong. I was pretty sure it wasn't but whatever, retyped it and the transaction went through.

There are computer programs that look exactly like normal "login" boxes, into which people type their details; the program then reports "wrong password, please retry" and hands over to the real login program. This way the intruder program, or "man-in-the-middle" as the security folks call this type of attack, records the password.

Now, doesn't this sound exactly like what happened in the restaurant? Ironically, the PIN system not requiring a signature might be more susceptible to a man-in-the-middle attack: you would need a modified card reader that records the PIN. It'd be interesting to hear from someone who knows more about how the card "chip & PIN" system works and how it could defeat that attack. I'm sure they've thought of this(?!)

I'm not, of course, saying this is what happened, nor am I going to name the restaurant (OK, it was on Brick Lane) even though, looking at my transaction history, it looks such a likely candidate.

What's interesting about this is that I've never had this happen before and it's just after I've started being asked for my PIN when using my card, as opposed to being asked for a signature.

Paying for restaurant bills on debit cards is generally not recommended as debit cards have less liability coverage than credit cards which are automatically covered. For some reason they wouldn't take my credit card as its PIN is (legitimately) locked. Normally I should just be able to sign for that, and have done on many occasions, but they wouldn't take it.

The good news is that none of the dodgy transactions hit my account, so well done HSBC.

As an aside, this isn't exactly the same but the technical accomplishment and neatness of the sting is quite impressive: modifying ATMs with pictures to skim cards in real time. Has pictures too.

Posted by Paul Makepeace at April 1, 2005 17:42

Wish my bank HAD called me. Somehow, someone got my details too and cleaned out around $2200. I am just minus the money until it all gets straight. The worst part is that I cannot think of when someone could have gotten my info. It was a debit card on our business account and I rarely use it. My husband, on the other hand, used to use his daily (before we got American Express). Thing is - it was MY card that was used for transactions in Madrid and Gava and other places in the U.S. (New York, Maryland, Tennessee).

I am still bummed to the max and panicky over the least little thing. And, yes, I am very angry too. How could someone not notice when huge transactions were presented on my card in SPANISH?

It is all beyond me. I am still reeling. And, I am stressed to the max wondering if I will be able to get it straight.

NEVER again will I have a debit card. NEVER.

Posted by: Tammy Herman at April 13, 2005 22:06

I have just suffered fraudulent use of my debit card for the second time this year, on a chip & pin card. The rotters have stolen over £4000 from my account and my card is in my possession. My Bank did nothing to flag unusual activity to me even though my account is rarely used. I will NEVER use debit cards again.

Posted by: Jackie at June 10, 2005 13:07