News Chip and Pin will force fraudsters online

For HSBC the first 8 digits on the solo card is your account number

Mircrodirect gave me some hassle when I was trying to get my TFT delivered to Uni. The guy even said 'can't you go home and get it?', even though I had just told him that I go to uni in York and live in Southampton. Eventually The guy went to speak to his manager and he okayed it and I got it at uni no problems.

 

With a debit card the first four numbers are an identifier (I presume as previous people have said and I have no other knowledge) The next six numbers are you sort code and the rest of the numbers are your account number. When you get a new debit card, all that changes (afaik) is the issue number and the ccv digits on the back. With a credit card I beleive that it is the whole number..

Rod

 

That's not true for my Switch card, my sort number nor my account number is in the 16 digit number across the top.

 

credit cards the whole number is your account number i think, atleast it is with my barclaycard.

 

not true anymore - though it was before.

 

uh its always one way or the other:\

- Sc0

 

shal we just say all cards are different according to which company there affiliated with - eg Visa, Mastercard, Switch ect.

 

back slightly on topic.

ultra best way to fruad C&P.

Take the reader like they have at tesco, that reads both the stripe and the chip. A lot of (stupid) banks, have the same pin for both the magnetic stripe based auth, and the chip.

so you're C&P reader, just logs the pin, and the mag stripe number (of course replicating the chip is too hard).

but then you just goto say france, and use a cash point, which just auth's of the magstripe. So you can create dollys as easily as before, but this time you also have their pin, and can just goto the cash point (much easyer than buying at a store).

so, who wants to come on 'holiday' to france with me

 

Nice idea, will the banks be removing the magnetic strip any time soon? or will they leave it for countries which have not made the jump?

Rod

 

Just look over the person's shoulder, watch them type out their PIN, and then pickpocket/rob them in the street. Nice and secure, non?

 

For me, its a damn site easyer to nobble a reader at some shops, than to mug a few thousand people.

The banks who are smart, have already seen this comming, and have seperate pins for the chip, and the magstripe/cashpoint.

 

Don't forget that magnetic stripes were the uber-leet fraud-prevention technology of the day when they first came out. I'm 99% sure those chips are just EPROM providing similar functionality to the magnetic stripes. Give it a year, maybe less.

Just how are you going to modify a legit terminal without the owner noticing, or get people's cards swiped through your own fraudulent one?

Nothing in this world is secure. If you think PINs are no protection, I don't see why you'd feel any safer with signatures. Why not carry only cash, hidden in a secret place? That way, when you get mugged (reading this thread I get the impression that muggings happen to everyone at least once per day in Britain... "Shall we stop here for a snack?" "Can we wait a moment? It's almost time for my three o'clock mugging, and I don't want it to spoil my afternoon tea."), you'll be fine as long as they don't check your socks.

To all the doom-sayers in this thread: Please remember that exactly the same concept behind Chip & PIN has been a part of daily life for more than a decade in many parts of the world. And we're still fine.

Nezuji

 

I think at the end of the day there will always be a way round the system, however it is always an attempt to reduce fraud. I beleive that the statistic which is banded around is from france which has had this for a number of years and has had a reduction in fraud of 80%...


Rod

 

I quite agree. But At least with a signature system, there is a chance someone will look at your sig and deny it. With a PIN, (and my pin is the same for my cash withdrawals and my chip-and-pin, unsurprisingly), there is no chance.
In the immortal words of T2:
"Please insert your stolen card now...."
"Withdraw three zero zero ...bucks"
"Yes! Eeeeeasy money...."

 

i agree, if you have too, change the billing address!

 

You can buy the readers that are used by say tesco or HMV (big chain stores in the UK). All you have to do is swap em over, 2 plugs, thats it, no screws.

Now the amount of times i've gotten someone to give me a staff discount just by blagging, and the amount of people who work there that are stupid (ie would take a cash bribe) Its easy, and its going to happen.


Also i thought the CHIP was actually a uC, and had a bit of "inteligance".

Also the magnetic stripe was NEVER thought to be hard to copy.

 

Or we could just get rid of the stupid paper & plastic methods & have a nice chip under our skin instead.

 

Really? Well, I don't know about the UK, but in Australia, to get an EFTPOS scanner (which are manufacured here under license for the banks themselves, and not as a general-use item), you have to go through a thorough application process and have a special account set up to recieve the payments. Even then, the scanner you recieved would be keyed to your account, and it might not be exactly the same style as the scanner you're looking to replace. Plus, you have to return the scanner when you close the account, and someone might be suspicious of a long-standing EFTPOS account with no transactions.

I have to admit that although I'm 99% sure, I am also 100% guessing on this one, since Chip & PIN are keeping understandably hush-hush on the details. I suppose that you could have a system in which the card recieves a number from the scanner, and returns the card-holder's identification string, but scrambled by some algorithm based on the recieved number. Then again, I suspect that the attendant increases in cost of production and failure rate compared to the very slight increase in security would make this an undesirable option. I suspect. I could be wrong...

As for the magnetic strips, banks ran TV ads here about the "new, secure magnetic strip", but sure you could copy them... with the right equipment and blank cards. The banks did have to be able to make them, after all. Hard isn't the same as impossible. In a roundabout way, that leads back to my point: If it's worthwhile, someone will come up with a way to copy these new chip cards just the same.

WireFrame, just how was an ATM ever going to recognise your signature anyway? But I do see your point. I guess I would have to say (playing devil's advocate) that checking signatures isn't an exact science. How often does your signature look exactly like the one on your card? How much leeway should I give before I decide that you haven't matched it adequately? Besides that, there's a perfectly good copy of it to practice from on the card itself!

Mark of the Beast, anyone?

Nezuji

 

Half the time no one bothers to check the signature. They just hand your card and receipt back. Once in a while they glance at the signature strip out of boredom.