ChipPin' away at fraud
A very worrying story has come to me from a very trustworthy source; I am currently ascertaining how much of the story I am allowed to publish, but the crux of the matter is that retail staff can access your card details when you have paid by Chip and PIN. Rather worried, my correspondent contacted her bank about this.
Finally, my mum calls HBOS/Bank of Scotland, to check the exact legal position of this unauthorised transaction business. She gets bumped about from department to department, by various operatives who are 99% sure that it's illegal but want to check with a senior figure before giving a definite answer. Eventually, she is put through to a senior member of staff in their retail banking division, where she is told the following (somewhat startling) information:
Up to 40 minutes after any Chip & PIN card transaction, the retailer may access your confidential details [this includes your card number and your PIN number] and submit any number of further transactions without your presence or consent. This is perfectly legal practice. The onus is then on the customer to challenge these subsequent transactions with their bank, once the customer actually becomes aware of them.
Did you know that? Because your humble Devil certainly did not (but it might explain how I was scammed a while back)…
My correspondent has authorised me to publish the email; do take the time to read it as there are several disturbing points in it.
My mum is on a crusade.
It all started innocently enough. My dad went to his local Shell petrol station a week ago. He'd just been given a new PIN code for his switch card and, as is usual for my dad, was rather concerned about remembering the right digits in the right order, etc (my parents only came into this PIN code thing very late, y'see, never used cash machines). He went into the petrol station shop to pay. The lad behind the counter asks him what pump he used. Dad, being a bit distracted, hadn't noted the number. So he pointed out of the window to his car and told the lad that it was the pump with the red Passat (the only red car on the forecourt). Lad saw this and totalled up petrol cost accordingly. Dad sticks his switch card in the little machine, enters his PIN and pays without a hitch.
An hour or so later, my parents are both at home and the 'phone rings. It's the local police station. The man on the 'phone asks if my dad can return to the petrol station, as there's been a problem with his card. Given that it's the police who have contacted him, my dad gets a bit worried. Have his details been stolen in some way? No further info, he just has to go back to the petrol station, which he duly does.
He goes up to the counter and asks what the problem is. The lad behind the counter says that he undercharged my dad for the petrol he bought; turns out the lad entered the wrong pump number. Fair enough, my dad says, just cancel the transaction and I'll pay the right amount. The lad says there's no need; his supervisor has sorted it.
This rather confused my dad. How exactly had the supervisor managed to sort the mispayment in his absence?
His original payment had been cancelled. No problem. The supervisor had then gone into the till's digital data storage (I've no idea what the technical term for this is, retail transactions have moved on quite a bit since I worked in shops), retrieved his card number and his PIN number and put through a new transaction without his consent or even his knowledge that this was taking place.
Needless to say, my dad was a bit concerned about this. He didn't have a problem with paying the correct amount for the petrol, although he was rather baffled that the police had contacted him about it (more about that in a second). However, he was particularly worried that a retailer could access his details (including the seemingly confidential PIN code) and put through a transaction without his knowledge.
The supervisor came through and explained that these details were held on the system for up to 40 minutes after each transaction. The supervisor had done this sort of additional transaction procedure many times. My dad's a bit pissed off about this, but isn't entirely sure what he can do about it. He goes home and tells my mum what has happened.
My mum is disturbed by the entire episode. She calls Which? magazine about this unauthorised PIN use and transaction stuff. They tell her that it's some sort of fraud and thus a police matter that's beyond their scope (odd, as they cover credit card fraud frequently enough).
Undeterred, my mum 'phones Shell and queries this procedure. Their immediate response is that a) this is not approved procedure within their company, such an incident should never have taken place and b) she will receive a written apology in a couple of days. However, my mum is still angry that this was able to take place at all and they're unable to explain why that's the case.
She then contacts the local police station and asks to speak to the department that had originally contacted my dad. She gets through and speaks to a pleasant sort of chap about the incident. The first thing she's told is that the petrol station staff inferred that my dad had attempted to dupe them as to the pump he had used, deliberately indicating the wrong pump. A load of balls, but individual cases of dishonesty among retail staff aren't exactly unusual and I'm not exactly shocked by counter staff lying to cover up their own mistakes.
However, the policeman also told her that South Lanarkshire police force are currently in a scheme whereby if there is a transaction problem in any petrol station in the region, regardless of the cause, the police are obliged to sort it out. In effect, they have become unpaid debt collectors for the region's petrol stations. The equivalent would be someone cocking up your bill at the supermarket and calling the police out in order to rectify their mistake. Understandably, South Lanarkshire police aren't exactly happy about this—in fact, they're bloody livid—but they've been told in no uncertain terms to keep their opinions to themselves.
Finally, my mum calls HBOS/Bank of Scotland, to check the exact legal position of this unauthorised transaction business. She gets bumped about from department to department, by various operatives who are 99% sure that it's illegal but want to check with a senior figure before giving a definite answer. Eventually, she is put through to a senior member of staff in their retail banking division, where she is told the following (somewhat startling) information:
Up to 40 minutes after any chip&pin/card transaction, the retailer may access your confidential details and submit any number of further transactions without your presence or consent. This is perfectly legal practice. The onus is then on the customer to challenge these subsequent transactions with their bank, once the customer actually becomes aware of them.
Which rather contradicts Shell's assertion to my mum that this was far from normal or acceptable procedure (no apology has turned up yet, incidentally).
This is where the crusade element kicks in.
My mum thinks this is a bloody disgrace (as do I, for that matter) [As do I—DK]. What on earth is the point of Chip & PIN, of being obsessively paranoid about your personal/identification details in general, if money can be taken from your account—without your consent or knowledge—in a legal fashion? Surely such a system is crying out to be abused?
My feeling is that it further undermines the whole ID card/identity theft bollocks: no matter how careful you are in your own behaviour and with your own details, the system that information goes into is still badly managed and poorly regulated.
Given that the vast majority of consumers are probably unaware of this little retail loophole, my mum wants to get this information into the public domain. Here's the rub: she's hitting an absolute blank wall at all levels. She can't tell if the media (local and a bit higher) are simply uninterested or absolutely refuse to listen. I'm not exactly an expert about this either.
However, she's heard about these marvellously informed people called 'bloggers' and requested that I seek advice from some (my mum seems to think that I know everyone on the internet. I probably should, given the amount of time I spend on it). In your opinion, does this have legs? D'you think the media would ever be willing to flag up how completely pointless our personal security efforts are in the face of even basic retail law?
(The police thing is a largely separate issue and she's probably going to kick up a bit of a shitstorm about that in the local press.)
Does anyone other than me think that this is just a touch worrying? And has anyone else had a similar sort of experience?
Now, I'm sure that the vast majority of retail staff are absolutely honest and would not abuse such a system: however, it is extremely fucking worrying that such measures exist. After all, public servants abusing their systems is hardly unknown.
And why the fuck are the over-stretched police forces—and they are over-stretched—acting as debt collectors for the petrol companies? Is it because The Gobblin' King has a highly vested interest in petrol tax?
And, further, does anyone have any idea about the best way to highlight the issue?
UPDATE: Unity picks up on this.
UPDATE 2: there is a very informative article on this subject, answering some of the concerns, over at Surreptitious Evil.
18 Blogger Comments:
This is why I prefer to use cash whenever I can (or, at a pinch, cheques). Of course, I do use my Switch card, but prefer not to.
Of course my own exposure is limited by having nae fucking money, but it's still a worrying trend.
What we need is some kind of vast, centralised database to tackle fraud...
"Given that the vast majority of consumers are probably unaware of this little retail loophole..."
Yet the consumer retail magazine she contacted ('Which') didn't see fit to raise holy hell about this? What are they waiting for?
"Does anyone other than me think that this is just a touch worrying?"
Pretty much everyone who reads it will be, I'm sure......
The whole point of Chip and Pin was NOT to /reduce/ fraud, rather it was to move the burden of fraud from the banks and move it onto us. Given this I am not surprised that the banks think this is reasonable... Cunts
Make a complaint to the Office of Fair Trading. There's a new man in charge; he might want to make his mark...
Two places I can think of for you DK.
The Information Commissioner www.ico.gov.uk - Yes, I know it's an arm of the state, but the guy in charge seems to take his responsibilities, which include data protection, seriously.
and
Maybe the guys over at No2id (on your sidebar) can point you at one or more crusaders?
(and bear in mind, the fact that you have posted here virtually guarantees that it will be in one or more of tomorrow's dailies - unattributed of course)
I can understand Plod not wanting to get involved, on the face of it no crime has been committed that I can see.
Yup.
It's also worth noting that because Chip and PIN cards are supposedly "more secure", the terms and conditions on cards changed to move the burden of proof from the credit card companies to the consumer, so you now have to prove that you did not make a transaction.
Shell did have to suspend chip and pin for a while see: http://news.bbc.co.uk/1/hi/england/4980190.stm
I am a bit concerned about the technical details.
It's worth contacting Ross Anderson at Cambridge University Computer Lab; he's something of a libertarian security guy (a lot of them are) and takes great delight in breaking banks' security measures (or showing that they have none...).
He's been involved in opposing Chip 'n' PIN and is also Chair of FIPR (Foundation for Information Policy Research).
Ross Anderson's Web Page - http://www.cl.cam.ac.uk/~rja14/
FIPR - http://www.fipr.org/
Ross's stuff is well worth reading; he has a blog at http://www.lightbluetouchpaper.org/category/banking-security/ and it's well worth a read.
However, I am slightly concerned that Shell seemed to be storing the PIN code; it should just be a short-lived thing...
This is all true. It was the reason Shell had to remove chip and pin from their outlets earlier this year.
Scammers chipped the devices to save all the information and hey presto.
Banks always pay you (eventually) for this fraud; it's cheaper than re-designing the system.
As far as raising it goes, I've dropped a link to my piece, which links yours, on the site of an MP of my occasional acquaintance with a note to say it's worth pursuing via a chat with HMT or through a question in the House.
Sometimes being a Labour Party member hath its little advantages, especially when one knows that the MP in question has the ear of Gord Almighty in his great counting house.
The biggest fraud opportunity for chip & PIN cards is the fact that 99% of the time the person on the till doesn't even put the card in the machine, let alone see whose it is. I've used my wife's card before without a problem.
They can do this anyway as a "cardholder not present" transaction. All the new terminals print two copies of the credit slip instead of using carbon paper. The retailer's copy has your full card number and expiry date on it, so restaurants can charge you for anything they missed, days or even weeks later. Your copy of course has most of the numbers *'d out. Whilst you can destroy your copy of the slip, you're now at the mercy of the retailer's confidential waste handling to ensure the bit with all the information on it is suitably destroyed.
I am totally unshocked by this. 'Cardholder not present' is precisely what it says and more: it means a remote transaction i.e. by 'phone, over the web, via a pre-printed form into which you enter your details etc.
The fact that your details are held for 40 minutes is, simply, a nonsense. The transaction has been approved and no more details need be kept. This has been designed into the system but at whose behest? have the big boy retailers refused to accept chip & pin unless they have the ability to change the value of the transaction retrospectively?
The fact that the garage has made a mistake is their fault - they offered the goods at a price and you accepted and paid the price asked - I understand that's called a contract and if they wish to recover more they have access to the civil courts.
If I found a retailer of any sort adding to my bill (including restaurants) I would contact them asking for the monies to be immediately returned to my account and if not would then approach the police with a complaint of theft. Maybe a lawyer reading your blog will advise?
Why am I unshocked? Run your own business for a while, hit a bad patch and learn what banking is really all about. One thing bankers hate is the threat of legal action (trust me on that, it's the only time I've been invited for tea and biccies in the boardroom).
For some reason people seem to think that because you paid by plastic they have a right of access to your account. Normally, you would call such people criminals. I fail to see a distinction between criminals and retailers raiding my account without permission and treat the situation in the same manner - they might try it on with others thereafter but they never will again with you.
How do I use my card? Larger purchases I use the card, ask to see the retailers' copy of the receipt and agree that is the final price. Everything else I pay cash that I withdraw from one machine at roughly the same time of day as before (not necessarily the same weekday) and always the same amount. It can be inconvenient but the pattern has been established. It also means that if a retailer undercharges me I win a prize (except I am too bloody honest to walk away, doh!).
Hope that helps. Another good point of using cash, of course, is that no-one asks for ID.....
ScotsToryB
Err, no, sorry. This is not how it works. And DK's mum's issue is not connected to the Shell case.
If the terminal has not been modified to record your PIN (which should stop it working, but some crims are clever):
When you conduct a transaction, you enter your PIN and this unlocks the card, allowing the card to do a "challenge / response" authentication with the bank (or, if you are below the floor limit in the shop, just saying "I'm unlocked" to the retailer's terminal, which then just does the transaction ignoring the rest of this paragraph). On most machines, you see "PIN OK" or something similar. The bank and the retailer's terminal then do a little dance to determine whether you have enough credit / cash, whether your card has (correctly or otherwise) been reported stolen etc, etc. If the bank says "yes", you get your goods, the retailer's terminal gets an auth code and off you go. The retailer can then modify the transaction - look at this in hotels:
You go in, they make a reservation against your card, which you have authenticated with your PIN. When you check out, they get your signature on your bill (which, unless you have been a real pig, is less than the reservation) - they don't need your card in most cases, they really don't need your PIN. (If they ask for them, they are not necessarily defrauding you, but they are doing a new transaction.) The reservation will remain against your credit limit until it times out or they cancel it or you complain bitterly to your card company.
I appreciate people's concern, especially scotstoryb, but the systems as currently engineered allow for amendments; as far as I am aware this is a function of the electronic tills rather than C&P - what would be interesting to know is whether or not this now makes it a CNP transaction (retailer liable) if they make a deliberate (or otherwise) error ...
The HBOS retail person was wrong - they have the bank auth code, they don't have your PIN. (This doesn't detract from the various comments about the relative weakness of Static Data Authentication as opposed to Dynamic Data Authentication C&P cards - see www.lightbluetouchpaper.org.)
Now, if as in the earlier Shell case, somebody has modified the terminals, especially where you have handed your card over and it has been "swiped and docked" - as per Tescos - they have your PIN and they have the mag-stripe data. Not enough to clone your chip but enough to create a mag-stripe only card and use it where either they don't do C&P or where the machines will "fall-back" to mag-stripe. The intent was for you to personally place it in the short terminal (therefore preventing the swipe either in a Tesco's style till or swiftly through a stripe copier).
I'll write up a bit more on this at home ...
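The transaction flow described in the comment above, written out as an added example (a simplified Python model of my own, not code from the post, from Shell's tills or from any real EMV or bank system): the PIN is checked inside the chip, the card produces a keyed cryptogram the till cannot forge, the issuer returns an auth code, and a later amendment quotes only that auth code within a constructed 40-minute window. The class names, the HMAC-based stand-in for the card cryptogram, the time fields and the sample card values are all assumptions.

```python
import hashlib
import hmac
import secrets

AMEND_WINDOW_S = 40 * 60  # constructed assumption, echoing the post's "40 minutes"

def _mac(key, pan, amount, nonce):
    # Keyed MAC over the sale data, standing in for the card's cryptogram.
    return hmac.new(key, f"{pan}:{amount}:{nonce.hex()}".encode(), hashlib.sha256).digest()

class Card:  # the chip: holds the PIN and a key shared only with the issuer
    def __init__(self, pan, pin, key):
        self.pan, self._pin, self._key = pan, pin, key
        self.unlocked = False

    def verify_pin(self, candidate):
        # Offline PIN check inside the chip: the till only learns OK / not OK.
        self.unlocked = hmac.compare_digest(self._pin.encode(), candidate.encode())
        return self.unlocked

    def cryptogram(self, amount, nonce):
        if not self.unlocked:
            raise PermissionError("card locked")
        return _mac(self._key, self.pan, amount, nonce)

class Issuer:  # the bank: checks the cryptogram, returns an auth code, takes amendments
    def __init__(self):
        self._keys, self.auths = {}, {}

    def enrol(self, pan, key):
        self._keys[pan] = key

    def authorise(self, pan, amount, nonce, crypto, now):
        key = self._keys.get(pan)
        if key is None or not hmac.compare_digest(_mac(key, pan, amount, nonce), crypto):
            return None
        code = secrets.token_hex(3).upper()
        self.auths[code] = {"pan": pan, "amount": amount, "at": now}
        return code

    def amend(self, code, new_amount, now):
        # The retailer quotes the auth code only: no card, PIN or cryptogram is
        # needed, which is why this window deserves the scrutiny the post gives it.
        rec = self.auths.get(code)
        if rec is None or now - rec["at"] > AMEND_WINDOW_S:
            return False
        rec["amount"] = new_amount
        return True

def till_sale(card, issuer, amount, pin_entered, now=0):
    if not card.verify_pin(pin_entered):
        return None
    nonce = secrets.token_bytes(8)
    code = issuer.authorise(card.pan, amount, nonce, card.cryptogram(amount, nonce), now)
    if code is None:
        return None
    # Till record: masked PAN plus auth code. No PIN and no card key are kept.
    return {"pan": "*" * 12 + card.pan[-4:], "amount": amount, "auth_code": code}
```

The record returned by till_sale is the thing to inspect: it carries a masked card number and the auth code, and the amendment path never asks for the PIN, which is the point the HBOS explanation got wrong.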
Oh, sorry, DK's correspondent's mum, not DK's mum. Too irritated to read correctly. Apols.
Is it any wonder people hate banks?
This is absolutely shocking! I'm sure that this is going to become viral when people discover this flaw.
This is outrageous, what is the bloody point of us all trying to keep our pin numbers safe & secret as the banks tell us to and then they allow retailers to do this?
A good way to get this public knowledge is to e-mail it to everyone you know and ask them to pass it on. As well as that, I'm going to write & complain to my bank.