Verified By Visa

Sharky

Community Paragon
Community Support
But the point is, that a fake card reader can only copy the magnetic stripe, NOT the CHIP. Thus, the cloned card wouldn't actually be usable later if all machines made sure that the CHIP was present. Unfortunately, as I referred to earlier, the implementation of CHIP & PIN is bad, & many machines which can't find or read the CHIP from a card, just default to reading the magnetic stripe instead - thus defeating the whole point of having the CHIP on the card!

Re. The Real Hustle : I don't know why J-J C even bothers to carry out these elaborate scams on guys. She could just ask them to give her all their cash, & most (drooling) guys would willingly oblige! ;)



Yes, you've hit the nail on the head.

Quoted from an article in The Guardian:

but a flawed method of cheaply cloning cards without those secrets does already exist. This involves copying the rest of the chip's data to a smartcard, nicknamed a "yes card".

Yes cards don't need the original pin. Because the card alone verifies the user's pin, a cloned card can be told to say "yes" to any number (hence the name). But working without the secret code is trickier, and means that yes cards only work with chip-and-pin implementations using a security technique called Static Data Authentication (SDA). SDA has a crucial weakness, says Bond: "Unless you're talking to a bank while processing a payment, you cannot check to see if the card is a forgery."

http://www.guardian.co.uk/technology/2008/jan/03/hitechcrime.news

It's a flawed technology giving the illusion of security. Any automated method that is invented to try to prevent fraud will eventually be defeated. Think about the counter-theft stuff they put in all games consoles, Windows activation, etc. Not quite the same, but if you consider there's more money in financial fraud than bypassing product activation, you can easily imagine how many people are actively looking for ways to defeat the systems.

My card (with chip & pin) was cloned somehow and used twice within the UK. I shred and sometimes also burn confidential waste, depending on how confidential it is, and have different passwords/PINs for everything. I don't go buying stuff on websites I don't trust, use PayPal on eBay, and try to look out for dodgy ATMs. The card that was cloned is a credit card that charges for cash withdrawals, so I don't even use it in the ATM.

Luckily, they noticed that a £50 Vodafone top up was slightly odd (as I've never used Vodafone), and called me before it was processed successfully.

IMO, the only way to be safe from fraud is to only ever deal with the bank staff, never the ATM, and pay for everything with cash. But then you're susceptible to theft. Unfortunately, it's a lose-lose situation.

zen-r

Active Member
@Sharky - I agree the technology is flawed. Even before CHIP & PIN came out, when I first heard about it, I said "FAIL!"

I'd already read the Guardian article you quoted from - it was written in Jan 2008 (so a bit out of date) - & seems to come top in Google's search results!

But - you missed out the preceding line in your quote: "One possibility is that someone has found a cheaper way to extract the two secrets from a card to make a perfect copy," Bond muses. There's no evidence of that...".

I've referred in my last two posts to Chip & PIN being fairly secure in theory, & just the implementation being bad.


SDA is one such example of the bad implementations. It doesn't mean the card has actually been fully cloned though, & if Dynamic Data Authentication (DDA) were enforced in all machines, then that type of fraud could be prevented. So the point from my earlier posts still stands.

With regard to Verified By Visa: I tried to pay for another dot-com a few days ago. I went through all the stages of entering my details for the Whois registration etc, only to find at the very end that it wouldn't just take my card payment without insisting I signed up for VbV.

I was pretty annoyed & the registrar nearly lost my business at that point. Luckily I still had the patience to reverse the process, & instead chose to pay by PayPal - which worked. I shouldn't have had to use PayPal though, & didn't want to because it involves twice the number of different businesses processing my payment, & twice the length of transaction details which I have to record & keep tabs on.
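The SDA-versus-DDA point made in the Guardian quote and in the post above can be shown from the terminal's side. The following is an added example, not code from any poster or from EMV itself: a toy model in which a "chip" holds a private key, a terminal reads the chip's static fields, and a card rebuilt from those readable fields alone (the article's "yes card") is presented to an SDA terminal and to a DDA terminal. The RSA primes, the PAN/expiry sample, and the single key pair that stands in for both the issuer's signature over the static data and the chip's own DDA key are all constructed simplifications; real EMV uses separate issuer and ICC keys of 1024 bits or more.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Toy RSA parameters, constructed for this example only. In EMV the static
# data is signed by the issuer and the DDA challenge by a separate ICC key;
# one key pair stands in for both here to keep the model short.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest_mod_n(data: bytes) -> int:
    # Hash reduced modulo the toy modulus so it can be signed directly.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(private_d: int, data: bytes) -> int:
    return pow(_digest_mod_n(data), private_d, N)


def verify(signature: int, data: bytes) -> bool:
    return pow(signature, E, N) == _digest_mod_n(data)


@dataclass
class GenuineCard:
    """Chip whose private key never leaves it."""
    pan: str
    static_data: bytes        # PAN, expiry etc. as read by any terminal
    sda_signature: int        # signature over static_data, also readable
    private_d: int = field(default=D, repr=False)

    def readable(self):
        # Everything a terminal (or a rogue reader) can copy off the chip.
        return self.pan, self.static_data, self.sda_signature

    def sign_challenge(self, challenge: bytes) -> int:
        return sign(self.private_d, self.static_data + challenge)


@dataclass
class StaticCopy:
    """Card rebuilt from the readable fields only; it has no private key,
    so the best it can do with a challenge is replay its stored signature."""
    pan: str
    static_data: bytes
    sda_signature: int

    def readable(self):
        return self.pan, self.static_data, self.sda_signature

    def sign_challenge(self, challenge: bytes) -> int:
        return self.sda_signature


def terminal_sda(card) -> bool:
    """Offline SDA: checks only the static signature, which a copy replays."""
    _, static_data, sig = card.readable()
    return verify(sig, static_data)


def terminal_dda(card, rng=os.urandom) -> bool:
    """Offline DDA: static check plus a fresh challenge the chip must sign."""
    _, static_data, sig = card.readable()
    if not verify(sig, static_data):
        return False
    challenge = rng(8)
    return verify(card.sign_challenge(challenge), static_data + challenge)


def make_card(pan: str, expiry: str) -> GenuineCard:
    static = f"{pan}|{expiry}".encode()
    return GenuineCard(pan, static, sign(D, static))


def compare_terminals(card: GenuineCard) -> dict:
    """Run the genuine chip and a static copy of it past both terminal types."""
    copy = StaticCopy(*card.readable())
    return {
        "sda_genuine": terminal_sda(card),
        "sda_copy": terminal_sda(copy),
        "dda_genuine": terminal_dda(card),
        "dda_copy": terminal_dda(copy),
    }


if __name__ == "__main__":
    # Constructed sample PAN (the usual Visa test number) and expiry.
    print(compare_terminals(make_card("4111111111111111", "12/09")))
```

Run as a script it prints that both terminals accept the genuine chip, the SDA terminal also accepts the static copy, and only the DDA terminal rejects it, which is the "enforce DDA everywhere" argument in the post. It also illustrates Bond's remark: an SDA terminal working offline has nothing but the replayable static signature to go on, so a forgery is only detectable once an online authorisation with the bank is involved.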

Sharky

Community Paragon
Community Support
There *was* no evidence back in 2008. I'm surprised I didn't point out the article date... well, it was rather early this morning. I just think that without any form of biometric authentication protocol, it's destined to fail. However, then there's the problem of where to store the biometric data. I have multiple bank accounts, as many do, so the whole idea of having bank cards is not likely to go away. Now, the data could be stored on the card, which would have the same problems, or it could be stored centrally. Stored centrally, it's a massive target for attackers.
Surely an ideal solution would be to somehow have a unique encryption key stored on the card which can decrypt the biometric data in combination with a PIN number? I'd need assurance that the data held would be used for nothing more than processing payments, though, for that to be implemented.
What are your thoughts?

zen-r

Active Member
Well, it's too complicated for me to sort it all out - that's for the banks to research themselves & hopefully get right! Lol. I'm not holding my breath, though, judging by their past record.

I guess that if we ever get biometric/secure ID cards forced upon us, then our bank cards could somehow be tied in with them when we make a transaction.

mattura

Member
...and there would be yet a further outcry about privacy, including from me

Sharky

Community Paragon
Community Support
Like I said, I'd need assurances that it's only to be used for banking purposes (financial transactions, not door entry, or anything else stupid), and a watertight privacy policy. And regular security audits.

mattura

Member
That kind of technology is bound to be abused
"Those with power tend to abuse it" -- Myself 2009