Is there a website setup for a petition to cancel chip and pin and revert back to signing? If there isn't shall i create one as i'm seriously miffed.

The local garage has been copying cards and low and behold i have had over £300 taken from my account at an ATM in Jakata, which is in Indonisia i think.

Wasn't a shell garage was it there was a big thing where the removed the machines as cards were being cloned.

Texaco i think

Don't you just get the money straight back from your bank?

Exact same happened to a friend of mine in my local area, again at a garage (BP). It got reported in the local newspaper and people boycotted it in a big way. Hard luck :(

(And for Inferno's information, it was the BP garage just off the A127 opposite Progress Road!)

For a refund from the bank you have to wait for them to carry out an investigation which takes 8 weeks

Don't you just get the money straight back from your bank?

No.

If the money was taken out of your account using the pin then they assume that you've been careless with your pin and either told someone it, or kept it wrote down with your card.

Whereas with a signature they'd have to prove you signed for it with chip and pin the burden of proof is onto you to somehow prove you never gave anyone your pin.

Tbh the problem isn't with chip and pin, it's with the magnetic stripe (which isn't used for chip and pin transactions, only for backwards compatability). Chip and pin cards have the ability to use 2 pins, one for the chip, 1 for the stripe, banks decided it was too much hassle to get people to remember 2 pins, so instead the pins are linked. If they delinked the two then when paying by chip and pin it'd be near impossible to clone the card. You'd only get the magnetic stripe and the pin for the chip which wouldn't be of any use.

Which is why when you type in your pin, you cover your hand with your wallet.

Which does precisely nothing when the terminal has been adapted to record the pin as was the case with the shell garage ones...

If they delinked the two then ... .I've heard that you can apparently request this from some card providers. They are linked by default, but can be separated by an explicit request from you.

I meant to get around to finding it out months ago when I read about it, but forgot about that until now.

As for the lack of returning money - the OP needs a new card provider. Mine phoned me up and sent a letter when they found a suspicious transaction (about a ton paid to a major online Poker website) to see if it really was my activity... when I said no they immediately refunded the payment, cancelled the card and sent me a new one!

Im not sure if its an option...

but I have C+P with my card.. but I *ALWAYS* get asked to sign for purchaces.. but might be something you could look into if you want to revert?

Tbh the problem isn't with chip and pin, it's with the magnetic stripe (which isn't used for chip and pin transactions, only for backwards compatability). Chip and pin cards have the ability to use 2 pins, one for the chip, 1 for the stripe, banks decided it was too much hassle to get people to remember 2 pins, so instead the pins are linked. If they delinked the two then when paying by chip and pin it'd be near impossible to clone the card. You'd only get the magnetic stripe and the pin for the chip which wouldn't be of any use.In that case, why not disable the magnetic strip yourself magnet, straches etc?

Or disabled the chip and sign your card but that will probably be rejected by many companies.

I work in retail EPOS IT and can tell you a few things about CnP readers.

A vast majority of pads are legitimate. They have an EEPROM chip that holds the firmware and an anti-tamper system built into the chassis. When you enter your PIN into a proper reader, it takes the PIN, uses it to access the digital private key held on the chip and then accesses the unlocked card details. If you crack open the casing (or even give it a hard enough knock) it will register as "Tamper Detected" and zap the firmware the next time power is applied.

Let me give you my advice.
You're pretty safe with a card reader that ONLY reads the chip and doesn't swipe the magstripe. Ingenico readers take approx 1" of your card, just enough to read the chip and nothing more.

If you feel strongly about this subject, avoid using a CnP reader that takes more than an inch of your card. The chips themselves have NOT yet been cracked... every method I've seen has been skimming the magstripe and somehow recording the entered PIN.

To be honest...

You've be scammed (possibly) out of £300 now you want to make a petition (that no one will listen to) to get the new multi million pound (and much more modern) system reverted? are you nuts?

Looks like internet petitions are the new myspace. Everyone signs up them, because it costs nothing and makes you look cool to your e-friends.

pointless much, its easier to get a copy of your card or card details and jsut copy your sig (most of the time) if you work in a shop than it is to get the stuff set up so that it can copy your amg stripe and record the pin on a chip and ipn device, which doesnt look dodgy. I could have easily ripped so many people off when i worked in a shop if i wanted to, tis like the easiest thing in the world. Just be careful about what you let them read/scan etc and if your ata ll worried about it you can force them to take it on a signature since the machines still ahve the capability as long as they swipe the "supivisor" card.

as far as the bank paying you back your money goes, it shouldtn take 8 weeks, when i went to london last year and spent around £450 my bank phoned me a day later (was on way back) asking if i had noticed any unusual activity on my account and taht if i ahd then i could get the money back within a week or so, obv hasve to prove it wasnt me at the cash point or w/e )

if tha makes no sense dont blame me, i got dragged to the pub tonight so meh

Musicman I know where you got scammed, it was the "Jet" Garage next to Sainsbury's in Great Yarmouth. Unfortantly my parents where also scammed there, but the card provider spotted they bought something in Thailand the very same day they bought something in Norwich and stopped the card/Transaction (lucky for them).

As for the garage expect it to be closed down soon, there was a BP garage in Norwich which was also stealing cards and once the news got out, no-one bought petrol there. A month or two later it is now closed down. (I mean would you really trust your card with that retailer again?).

If you can; use a credit card rather than a debit card to make your purchases. At least then if you are unlucky enough to be had this way; your bank account wont be emptied (thats happened to two people I know this year).

To be honest...

You've be scammed (possibly) out of £300 now you want to make a petition (that no one will listen to) to get the new multi million pound (and much more modern) system reverted? are you nuts?

Looks like internet petitions are the new myspace. Everyone signs up them, because it costs nothing and makes you look cool to your e-friends. Hehe.

Anyone know what the figures are with Chip and PIN versus signatures?

Before it came in I claimed it was inherently weak and could well lead to more (not 90% less, as we were told) fraud... but I got dismissed by everyone who read the credit companies press releases.

Has Chip and PIN had a large reduction in credit card fraud in this country? Because if not it was an ENORMOUS waste of money, and has (technically, even if not yet so much) shifted the burden of proof from the Credit Company to the Customer.

and has (technically, even if not yet so much) shifted the burden of proof from the Credit Company to the Customer.

Which the cynic in me suspects was the aim of the exercise all along.... :(

Afty ... all the figures I have heard indicate that high street fraud has dramatically reduced, but it has moved onto the Internet.

CD

^^^ What he said.

I think you can phone your bank and ask to have chip and pin disabled on your card (they probably have to send you a new card out) but then when you put it in a chip and pin reader it'll always ask for a signature, it was designed as an PC thing in case you couldn't read numbers or where scared of keypads or something.

yay! bring back signatures! i wanna sign for my card payments with the name M.Mouse, or D.Duck again!

No system is foolproof. Even with a signing system, you run the risk of people cloning the cards; should they steal your card, they only have to copy the signature and they've got you! My signatures never look the same twice anyway.

I dont see why people have such issues with security, there are ways to protect yourself which everyone appears not to bother with.
For instance:
Have a spending account with little money it that gets topped up from your primary account - this is the only card you carry round.
OR
Have a credit card and put every transaction you ever make through it thus protecting yourself instantly from fraud and not giving them direct access to your bank account.

I really REALLY don't like chip and pin for the very reason that has occurred here - i tend not to use my card unless in a high street shop or ATM - anywhere else (restaurants included) it all goes on CC.

No system is foolproof. Even with a signing system, you run the risk of people cloning the cards; should they steal your card, they only have to copy the signature and they've got you! My signatures never look the same twice anyway.

With the sinature system, they only need to learn your sig if they physically steal your card.

If they clone it, they can put whatever sig they want on the back of the cloned card.

With the sinature system, they only need to learn your sig if they physically steal your card.This is true, however the burden of proof rests with the retailer to prove that you were the signatory... It doesn't matter if the transaction is accepted or not - if you say you weren't at the store, absent video or similar evidence you WILL have the money refunded to your card.

Contrast with Chip and Pin - if you are shopping in the City Centre and at some point during your spree someone spends £800 on some electronic equipment using Chip and PIN - well, good luck claiming that the purchase was NOT carried out by you. The burden of proof is on YOU, not the retailer - and you don't have access to the retailers CCTV...

I don't mind Chip and PIN so much, it's the assumption that the security burden should be placed on the end user - instead of the Retailer and Credit Card companies who are better placed to do so.

I mean, with todays' technology why on gods green earth can we not have (at least at most major outlets) a photo-screen with a small digitized photo of the card holder that is retrieved from the VISA/MASTERCARD server and displayed on the terminal - it would require just a few kilobytes of bandwidth meaning load times of less than 1 second... and VOILA suddenly at any outlet with such a device, fraud would be almost impossible - and the onus of checking the validity of the card and cardholder is transferred to the retailer.

Get a better garage tbh

A lot of those POS terminals are on 300 or 2400 baud lines today.

There'd be a serious amount of investment to upgrade the telecoms infrastructure at both ends (not that it isn't arguably high time anyway) to transmit even a few kilobytes of bandwidth.

Besides, what do we do about muslim women out shopping :-)

What are the changes of a finger print id system coming within 10 years?

Quite obvious for fraud then when you are carrying around a severed thumb.

Contrast with Chip and Pin - if you are shopping in the City Centre and at some point during your spree someone spends £800 on some electronic equipment using Chip and PIN - well, good luck claiming that the purchase was NOT carried out by you. The burden of proof is on YOU, not the retailer - and you don't have access to the retailers CCTV...


The local garage has been copying cards and low and behold i have had over £300 taken from my account at an ATM in Jakata, which is in Indonisia i think.

even though what you say is true, i'd like to see how someone would prove how withdrawls are being made both from home (or around home assuming its used regularly) and from another continent.....especially if there are many withdrawls abroad while the same card is being used at home.....

i think even i could prove that i wasnt half the way around the world between transactions, couldnt you?

Contrast with Chip and Pin - if you are shopping in the City Centre and at some point during your spree someone spends £800 on some electronic equipment using Chip and PIN - well, good luck claiming that the purchase was NOT carried out by you. The burden of proof is on YOU, not the retailer - and you don't have access to the retailers CCTV...

your assuming someone is gonna be using the card in exactly the same city/shopping center as you, at the same time on the same day, and not out in bumsville india.

I mean, with todays' technology why on gods green earth can we not have (at least at most major outlets) a photo-screen with a small digitized photo of the card holder that is retrieved from the VISA/MASTERCARD server and displayed on the terminal - it would require just a few kilobytes of bandwidth meaning load times of less than 1 second... and VOILA suddenly at any outlet with such a device, fraud would be almost impossible - and the onus of checking the validity of the card and cardholder is transferred to the retailer.

screw it, why not do a DNA check, or retinal scans when i want to buy my £15 CD from HMV when my wallet is empty ? oh wait, because the majority of people will start an outcry similar to the ID Card crap.

What are the changes of a finger print id system coming within 10 years?

Quite obvious for fraud then when you are carrying around a severed thumb.

because people would moan about companies storing far too much information about the individual, then the wah wah sirens and online petitions would be back \o/

afty's comment about an image is a non-starter tbh. It would be simpler, cheaper and quicker to incorporate the image into the chip of the card and the POS reads it. There's no point though because if the correct PIN has been entered it unscrambles the info anyway. If the incorrect PIN is entered, there'd be no image.

bvark's comment about upgrading telecoms equipment and lines is spot on! A VAST majority of shops are still either on dialup modem for card authorisation or using ISDN. The thing is that ISDN is being phased out this year and is now more expensive than ADSL. Sometimes it is interesting to use the backoffice PC to telnet into the router and see the connections opening and closing (only if you know the right passwords!).

I know Iceland are currently converting their routers and comms lines from ISDN to ADSL and Co-Op will be doing the same in the next 3-4 months. All it means is that they will have to tweak their backoffice systems to use BACSTEL-IP (Internet based bank communication) instead of the old BACSTEL system (direct phone into the bank systems).

Finally Pinny's point about companies storing info. Companies are doing it already. You think Tesco, WH Smith, Boots and all the other stores with loyalty cards are doing it from the goodness of their hearts? Nope, they're customer profiling to a very fine level. You can tell when you get your Tesco clubcard points redeemed... you get a load of coupons as well. Some of them are for things you would normally buy (a way to say thank you) and some for items you wouldn't normally buy but might POSSIBLY buy (to drive sales).

That's going off topic though. From my perspective Chip 'n' Pin works well and 'Joe Public' shouldn't worry about stores using his/her information maliciously. The large chains have established credit systems in place and the banks must trust them otherwise they wouldn't accept CC transactions from that store.
The problem readers are the ones in small corner shops and restaurants. The readers themselves aren't the problem... it's how they're used and there will always be unscrupulous people around.

Finally Pinny's point about companies storing info. Companies are doing it already. You think Tesco, WH Smith, Boots and all the other stores with loyalty cards are doing it from the goodness of their hearts? Nope, they're customer profiling to a very fine level. You can tell when you get your Tesco clubcard points redeemed... you get a load of coupons as well. Some of them are for things you would normally buy (a way to say thank you) and some for items you wouldn't normally buy but might POSSIBLY buy (to drive sales).

This is kind of my point on that. I see it on the forums in the discussions about ID Cards and what not, "wah wah i dont want all my personal information in just one place wah wah" and there seems to be no realisation that a hell of alot of companies and places ALLREADY have this info to hand anyway so what does it matter?

its annoying to see suggestions like "oh we should have this this and this info for this card/thing/whatever" then to see moaning about "I DONT WANT <insert company/organisation/ID Cards here> HAVING THIS INFO!"


but thats another subject so meh

Before it came in I claimed it was inherently weak and could well lead to more (not 90% less, as we were told) fraud... but I got dismissed by everyone who read the credit companies press releases.

Chip and pin is inherently far more secure than signature strips (80% reduction in fraud in France when they implemented a similar system) The system has not been cracked, the only way so far to carry out a fradulent chip and pin transaction is a relay attack, where your card has to be in a modified chip and pin terminal at the exact same time as a modified chip and pin card is in a normal terminal, with the modified terminal and card being linked to relay the challenges and responses back to each other.

However, we're not using the most secure version of chip and pin, the UK being how it is for some reason decided to go with SDA cards, which accept the pin in plain text, rather than DDA cards which require the pin to be encrypted. This makes it possible to sit a device between the chip and the terminal and eavesdrop the transaction to get the pin in the first place.

I dont think there's any case of a real world fraud that has been done through a chip and pin transaction though, it's all done by using information from chip and pin, and then duping it onto a magnetic strip card.

Sadly the implementation of chip and pin that requires backwards compatability with every other system is what lets it down. In an ideal world a chip and pin card would be blank, with no customer info on it, no magnetic strip, just the chip (nothing else on the card is used for chip and pin transactions anyway) it'd then be near impossible to exploit (even with the less secure SDA cards) with a relay attack being the only known way at the moment (the window of oppertunity for which is in the region of seconds).

A lot of those POS terminals are on 300 or 2400 baud lines today. I wasn't aware that they were that low, I thought they were all 9600+ - but I'm happy to defer to your expertise.

Still, as an "optional" feature for retailers that would provide a much greater degree of certainty than a signature or a PIN (you'd have to look like the spitting image of the person you stole the card from...) it may well have persuaded the retailers to invest in their comms infrastructure to bring it up from 300 or 2400 baud.
Now the burden has been removed from retailers and placed on the consumer and CC companies, I cannot see an idea like this being implemented even if it did improve security overall.

Furthermore, while I'm sure it would be expensive, the move to chip and PIN was similarly VERY expensive - lots of new cards issued, customer service issues, publicity and the equipment involved. As a replacement for chip and PIN it sounds poor - but if it were originally planned INSTEAD OF chip and PIN I suspect it would be more viable.
afty's comment about an image is a non-starter tbh. It would be simpler, cheaper and quicker to incorporate the image into the chip of the card and the POS reads it.It would, but it would be less secure. The whole idea of obtaining the picture from the central server is to ensure forgeries and clones cannot be made - it would be trivial to include "your" picture on your cloned card - but if the picture is fetched from a central server each time, cloning a card does you no good whatsoever unless you were "separated at birth" from the theft victim...

To be honest...

You've be scammed (possibly) out of £300 now you want to make a petition (that no one will listen to) to get the new multi million pound (and much more modern) system reverted? are you nuts?

Looks like internet petitions are the new myspace. Everyone signs up them, because it costs nothing and makes you look cool to your e-friends.

QFT

Still, as an "optional" feature for retailers that would provide a much greater degree of certainty than a signature or a PIN (you'd have to look like the spitting image of the person you stole the card from...)
<snip/>
Now the burden has been removed from retailers and placed on the consumer and CC companies, I cannot see an idea like this being implemented even if it did improve security overall.Some credit cards used to come with pictures on, the big problem was lazy-arsed shop workers. I know because my colleages would authorise payments all the time before the customer had signed so a picture made no difference because they never looked. It used to really wind me up, but they didn't care because they were never held responsible for their actions.

Chip and Pin has pushed fraud on to the internet because fraudsters can no longer rely on the idiots behind the till. But I wonder how many people are commiting the fraud themselves? brought a new shiny toy but don't want to pay for it - deny all knowledge
Let's face it's not that difficult to work out ways around the system, especially for internet purchases.

P.S. I'm not suggesting anyone here has done that, it truely sucks when it happens to you.

The thing is that ISDN is being phased out this year and is now more expensive than ADSL.

It's really not. Why are so many people saying this at the moment? ISDN is not a comparable service to xDSL. ISDN is digital dial up, xDSL is always on, shared infrastructure to a single destination.

The only service being phased out is BT Highway (the ISDN / analogue combo service, with analogue ports so you can still use your old phones).

ISDN is used all over the place for all kinds of different uses and isn't going anywhere. :)

ISDN is used for a lot of phone trunking into PABXs as far as I know. Plus it does a lot of other weird things here and there. I heard the other day it was being phased out, and found it a little hard to believe!

ISDN is also used to monitor BT LES100 circuits, so ISDN isn't going anywhere soon.

In reference to Moose's post - people authorising the transaction/handing back my card before even checking my signature is REALLY annoying. When I worked in retail, I always made sure the signatures matched before handing back the card or authorising the transaction.

It's really not. Why are so many people saying this at the moment? ISDN is not a comparable service to xDSL. ISDN is digital dial up, xDSL is always on, shared infrastructure to a single destination.

The only service being phased out is BT Highway (the ISDN / analogue combo service, with analogue ports so you can still use your old phones).Business Highway has already gone and Home Highway is disappearing during April. I know for a fact that Co-Op went with Home Highway in each store because it had good reach and cost much less than plain IDSN2e. Now that product is being withdrawn, ISDN2e cannot compete on pricing with ADSL [pricing from BT is right here (http://www.bt.com/isdn/isdn2e/price_info/price_options.htm)].
ISDN is used all over the place for all kinds of different uses and isn't going anywhere. :)Maybe ISDN2e and ISDN30e aren't going anywhere, but BT have structured the pricing so that it makes economic sense to go for ADSL instead of ISDN. Another nice thing is that the store will already have an analogue phone line, so it isn't a great problem to install ADSL on it and drop the ISDN line altogether. The saving from ditching ISDN is paying for the equipment and change over to ADSL.


I also agree with Murray's point about cashiers hitting the complete sale button before I've finished signing. Tesco's petrol station is a bad one for this as I use Allstar and have to check that the milage and reg number are entered correctly by the operative. By rights I'm not supposed to sign the slip if the details are incorrect but it's happened too often now so I make a point of clearly using phonetics to spell my reg number to them.

If I feel I'm being given the run-around, I'll dig in and refuse to sign the slip. It's amazing what happens when the supervisor turns up and you tell them that the operator authorised the transaction before the slip had been signed. :devil:

No.
If they delinked the two then when paying by chip and pin it'd be near impossible to clone the card. You'd only get the magnetic stripe and the pin for the chip which wouldn't be of any use.

Your not very techy are you, talk about simplistic view, its almost certain the ability to clone the cards exists even the chip and pin side. Even the biometric encoding on the new passports has already been broken.

Note how I said "near impossible". Yes the ability to clone the cards does exist (no system like this is ever perfect and never will be, anyone who thinks otherwise is a fool) however, I don't think anyone has cracked RSA yet have they? Nor are they likely to in the foreseeable future. Short of RSA being cracked the only other way would be to extract it from the chip itself, which isn't exactly an easy task as the chips are designed to be tamper resistant against physical attacks (which you're not going to do in a terminal anyway) and all known RSA weaknesses take time to carry out (seeing as factoring a 640bit key took 30 2.2ghz operton cpu years, and the EMV spec calls for 1024bit...) so the time vs reward factor just isn't there, you're not going to invest the cpu time needed to get the key on each card.

So yes, I'd say that it's pretty safe to assume that it's near impossible to clone a chip while it's being used for a transaction.

Incidently, SDA cards can already be "cloned" (it's not really an exact copy) to work for offline transactions (around 20% of transactions, although no where near 20% of the total value, as the vast majority of offline transactions are low cost from small businesses) but the transaction will fail when the terminal goes online. Which is why industry is pressing for banks to switch to the far more secure DDA cards (Which they should have gone with in the first place, 30bn profit and they pick the cheaper option...).

As for biometric passposts, the encryption on them HAS NOT been broken. It's just the key they use is nothing short of a joke. The key to read it is just a combination of the information already printed on the passport (passport number, dob, and expiry date iirc) They haven't been "broken" (encryption isn't broken by someone telling you the key) they have just fell victim to using a key that is printed on the damn things. It'd be like the chip and pin cards coming with the pin number printed on them.

But hey, what would I know? I'm not very techy.

The whole point of chip and pin is to take the shop assistant out of the loop cos they are the weakest link. Having a pic for authorisation sounds like a great idea except the very people you don't trust would have the power to authorise or not. Unless you are suggesting a camera at every till to record a pic at every transaction, which just isn't feasible.

Chip and Pin is a brilliant scheme that has been implemented terribly. If someone captures your card data they can simply use the card abroad or at your atm where only the magnetic strip is used. I rekon the figures for fraud have mainly gone down because many instances that would have been previously called fraud are now attributed to the consumer or retailer, both of which should be more protected. So basically it has been a huge success for the card companies in shifting their liabilities to the retailer (mostly).

The Passport has been broken because of another poor implementation, sticking rfid in the thing just makes it easier. If you want to see a good example of a system that is hard to break look at sky. They have gone through a couple of systems and the latest has not been broken for several years despite being under heavy scrutiny. The cards are pretty much tamper proof and trying to copy them even at a low level destroys them, the keys haven't been cracked and the only vulnerability there is really is that people can use the cards in other devices. Even this wasn't cracked as such but leaked from within the company. So it is possible to do it well.

ISDN 2e and ISDN 30 are still about and are not planned on being phased out for quite a while (ordered an ISDN 30 for a customers phone system last week and asked the bloke at BT after I read this thread :D).

Also these people that complained about the ID card scheme.. I wonder if they have checked their driving licences as of late? They are not exactly that far off what the ID card was attempting to do.

ISDN 2e and ISDN 30 are still about and are not planned on being phased out for quite a while (ordered an ISDN 30 for a customers phone system last week and asked the bloke at BT after I read this thread :D).

Also these people that complained about the ID card scheme.. I wonder if they have checked their driving licences as of late? They are not exactly that far off what the ID card was attempting to do.

so if i have a picture driving licence why do i need an id card?

so if i have a picture driving licence why do i need an id card?

The new model ID cards use a fairly crucial algorithm that essentially uses duplex reintegration so that the TCCNP handshake is reconfigured each time it is scanned. I mean, technically speaking this isn't far off of what countries such as Switzerland have trialled to near crack-proof degrees, but the crucial element in integrating this to our ID cards won't be the use of "soft encryption" such as alphanumeric scatology, but rather a hybrid of RNX digital interfacing and Silver Standard Encryption.

Also these people that complained about the ID card scheme.. I wonder if they have checked their driving licences as of late? They are not exactly that far off what the ID card was attempting to do.Don't be ridiculous, it's not even close.

The scheme, and the database BEHIND the national ID cards is most of the problem - the cards themselves are not.

I heard the other day [ISDN] was being phased out, and found it a little hard to believe!

21cn?

From what I gather the whole point of chip and pin is to shift the blame/liability to the cardholder for fraud on the card, so the banks don't have to pay you back.

And the retailer :p If a retailer accepts a signature transaction for a chip and pin card they become liable if it's a fraudulant transaction.

If it's fraud with a pin the customer pays, fraud with a signature the retailer does, and the issuer, well, they just rake in the money from the transaction processing fees regardless.

From what I gather the whole point of chip and pin is to shift the blame/liability to the cardholder for fraud on the card, so the banks don't have to pay you back.

That was a major bonus yes.

That and to sell you insurance incase it happens.