Maker Pro

New secure credit cards?

Mauried

Sylvia Else said:
Basically, yes, there's nothing to stop a merchant fraudulently claiming
that purchases have been made when they haven't.

But the merchant should also expect the card holder to deny having
authorised those transactions, and get them reversed.

Unless it's for a small amount, of course. I suspect there's a degree of
fraud along these lines based on the assumption that the consumer won't
do anything about a small debit they don't recognise.

Sylvia.


Ok, so does this mean that once a card holder has denied authorizing
the transactions, the bank has no choice but to reverse them, i.e. there
is a legal obligation to do so, and the bank cannot refuse?
 
Mr.T

Mauried said:
Ok, so does this mean that once a card holder has denied authorizing
the transactions, the bank has no choice but to reverse them, i.e. there
is a legal obligation to do so, and the bank cannot refuse?

Of course they can refuse, but the Banking Industry Ombudsman will usually
help you if you have a case.

MrT.
 
Sylvia Else

Mauried said:
Ok, so does this mean that once a card holder has denied authorizing
the transactions, the bank has no choice but to reverse them, i.e. there
is a legal obligation to do so, and the bank cannot refuse?

Although one talks of 'reversing' it, the reality is that the entry in
the account simply reflects the bank's view of how much the account
holder owes the bank. The account holder can reasonably have a different
view. Faced with a denial by the account holder that a transaction was
authorised, and no signature, the bank is on shaky ground if it persists
in its view that the account holder owes it the money. A small claims
court would very likely find in favour of the account holder, and the
bank would know that.

Sylvia.
 
Clint Sharp

Sylvia Else said:
Basically, yes, there's nothing to stop a merchant fraudulently
claiming that purchases have been made when they haven't.

Providing the merchant has 'cardholder not present' authorisation from
the bank.

Of course a merchant could type in the number pretending that the
card/chip wouldn't read but that makes the transaction look suspicious
to the bank.

It also depends on the 'floor limit' of the machine which the merchant
wouldn't necessarily know, some machines authorise online with every
transaction so they'd be taking the risk that you hadn't used the card
in the last few minutes/hours many miles away from their location as the
bank's anti fraud software would detect that and flag the transaction as
suspicious, possibly blocking the card (which can be hugely inconvenient
to the card holder but is ultimately 'a good thing').

There's definitely fraud of this sort happening but it's a fairly low
risk.
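
An added example, not part of Clint Sharp's post or of any bank's actual system: a sketch of the two controls he describes, the terminal floor limit and the issuer's location check on transactions that do go online. The speed and distance thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MAX_KMH = 900.0   # assumed ceiling on plausible cardholder travel speed
MIN_KM = 50.0     # assumed: ignore short hops within one city

@dataclass
class Txn:
    ts: float       # seconds since an arbitrary epoch
    lat: float
    lon: float
    amount: float
    keyed: bool     # card number typed in instead of chip/stripe read

def km_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two terminals, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def issuer_flags(prev: Txn, cur: Txn) -> list:
    """Checks the issuer can only run when the terminal goes online."""
    flags = []
    if cur.keyed:
        flags.append("keyed_entry")
    dist = km_between(prev, cur)
    hours = max((cur.ts - prev.ts) / 3600.0, 1e-9)  # guard against a zero gap
    if dist >= MIN_KM and dist / hours > MAX_KMH:
        flags.append("impossible_travel")
    return flags

def assess(prev: Txn, cur: Txn, floor_limit: float) -> str:
    # At or below the floor limit the terminal approves locally and the
    # issuer never sees the transaction in real time.
    if cur.amount <= floor_limit:
        return "offline_approved"
    flags = issuer_flags(prev, cur)
    if "impossible_travel" in flags:
        return "decline"
    return "refer" if flags else "approve"

# Constructed sample data: a Sydney purchase, then activity 20 minutes later.
SYDNEY = Txn(0, -33.87, 151.21, 42.00, False)
MELB_KEYED = Txn(1200, -37.81, 144.96, 180.00, True)
SYD_AGAIN = Txn(1200, -33.88, 151.20, 180.00, False)

if __name__ == "__main__":
    for cur, limit in [(MELB_KEYED, 0), (MELB_KEYED, 200), (SYD_AGAIN, 0)]:
        print(limit, issuer_flags(SYDNEY, cur), assess(SYDNEY, cur, limit))
```

With a floor limit of 0 every transaction is sent online and the Melbourne entry is caught; with a floor limit of 200 the same transaction is approved at the terminal and only shows up on the statement.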
 
The Real Andy

Dave said:
Just got a new Westpac Ignite Mastercard today (they bought out
Virgin). It's got a nice shiny smart card style chip in it. Supposedly
a "CHIP based card for increased fraud protection" or some such said
the blurb.
I didn't know there were any infrastructure/readers etc out there that
could take advantage of such a thing.
It's still got the magnetic strip as well of course.
Anyone got any idea how it works or what it's intended for?

Dave.


They are starting to roll out eftpos terminals with smart card readers
in AU, there are a few places I visit on a regular basis that require
you to use the smart card. There is no real demand in AU as yet due
to the relatively low credit card fraud rates in AU compared to the
cost of rolling out smart card technology. The plan is to eliminate
mag stripe cards to enhance security, but as we all know the criminals
always catch up eventually. However, the harder you make it, the
longer it takes and the less it costs the banks.

BTW. I have been a victim of CC fraud. I went around to all the stores
that had purchases on my card and most were big chains. However one
was Autobarn, which was a private franchise. The owner was really
pissed off because apparently all the banks do is reverse the charge
and refund it to the consumer. I got all my money back. Fortunately it
was my wife's card that got stolen, and she figured out who it was. It
was stolen from her work. I cancelled the cards as soon as she
noticed and contacted the police. Printed out all transactions from
internet banking and gave them all receipt copies I obtained from the
stores. The idiot who stole it decided to fuel up a car at a
service station that had CCTV!! Justice. I doubt the owner of Autobarn
would have ever got his money back though, the woman was a drug
addict. None of this would have happened if PINs were enforced.
 
Sylvia Else

The Real Andy said:
None of this would have happened if PINs were enforced.

Well, that's not so clear. The chip based cards contain the PIN. It's
encrypted, and the chip is meant to be tamper proof, but the chip itself
is clearly capable of validating a requested PIN. In theory getting the
PIN wrong three times locks the chip, so that it will no longer respond
to PIN checks, and has to be reset at an ATM (which can validate the PIN
at the central computer system, and presumably track further failed
attempts).

However, this all depends on the tamper resistance of the chip. If
someone can deduce where the failed PIN attempt counter is kept, they
could conceivably reset it before each attempt. They could then perform
an automated exhaustive search of all 10,000 possible 4 digit PINs.

This article is illuminating in regards to tamper resistance of chips.

http://www.cl.cam.ac.uk/~rja14/tamper.html

Sylvia.
 
Ross Vumbaca

Hi,

Don said:
BTW
Westpac will be issuing new cards for some customers this month.
Mastercards will go back to Visa. Only a couple of years ago, I was
pushed from Visa to Mastercard. :)

Hah, I remember when they tried to force me to Mastercard too. However
it seems they were obliged to still offer Visa to those who did not want
to change, so I stuck with it, glad I did that now :).

Don said:
There are two new systems the banks have been pushing on us for on line
transactions for possibly 18 months now. (perhaps longer) Google for
Visa's "Verify by Visa" and Mastercard's "Secure Code".

Yes I've seen that. It's mildly annoying, but I think it might be a good
thing. I have had my card used for online fraud a number of times now,
one time it was used to purchase airline tickets in Indonesia! I can't
understand how someone could board a flight using tickets that were
purchased by a completely different person, or how the airline could
sell them these tickets, but anyway.. With this new password
verification system, the online fraud would've been less likely I think.

Regards,

Ross..
 
John Tserkezis

Sylvia said:
Well, that's not so clear. The chip based cards contain the PIN. It's
encrypted, and the chip is meant to be tamper proof, but the chip itself
is clearly capable of validating a requested PIN. In theory getting the
PIN wrong three times locks the chip, so that it will no longer respond
to PIN checks, and has to be reset at an ATM (which can validate the PIN
at the central computer system, and presumably track further failed
attempts).

How do they cater for pin changes where your card is never inserted anywhere
to have an opportunity to be updated? (yet?)

Or in this case, is it checked online where available, and in an off-line
application, the user told to get lost if their new valid pin has not been
written to their card yet?

If the pin can be updated willy-nilly as often as the user updates their pin
with their bank (or whoever), how long before the card pin update is hacked,
and used in an offline application where it trusts the card pin?

Or better still, since they still take signatures everywhere, why not forget
the pin, and forge the user's signature (which conveniently is written on the
back), just like everyone's been doing since dot?
 
John Tserkezis

Ross said:
I can't
understand how someone could board a flight using tickets that were
purchased by a completely different person, or how the airline could
sell them these tickets,

Because the purchaser of the tickets is not always the USER of the tickets.

Much like when I've booked flights for my aged aunty whose English is barely
good enough to get through hello pleasantries, let alone get onto the 'net and
make an online booking with a credit card she doesn't have.

Or when work sends us to sites (domestic and international), they book and
pay a travel agent, who books and pays the airlines. Apart from our names,
the airline doesn't care who paid for it or how.
The last thing I want is to book in, and be asked why I wasn't the one who
paid for it. More importantly, I'm not always aware of the agent who booked
and paid for it anyway - so I can't even verify that even if I wanted to.
 
Sylvia Else

John said:
How do they cater for pin changes where your card is never inserted
anywhere to have an opportunity to be updated? (yet?)

It would appear to me that inserting the card into an ATM is a
prerequisite for changing the PIN.

John said:
Or in this case, is it checked online where available, and in an
off-line application, the user told to get lost if their new valid pin
has not been written to their card yet?

If the pin can be updated willy-nilly as often as the user updates
their pin with their bank (or whoever), how long before the card pin
update is hacked, and used in an offline application where it trusts the
card pin?

Some of the documents cited in this thread indicate that in any case,
for the offline transaction situation, it's simpler just to make a card
that claims that any PIN is valid.

But PIN updating can be made secure using public key encryption - at
least as long as the chip remains physically immune to tampering. All
bets are off anyway if crims manage to overcome the chip's tamper
protection.

John said:
Or better still, since they still take signatures everywhere, why not
forget the pin, and forge the user's signature (which conveniently is
written on the back), just like everyone's been doing since dot?

From the bank's perspective, that's what they're trying to get away
from, since if the signature is forged, then it's the bank's loss, or
possibly the merchant's loss, but never the consumer's loss.

Sylvia.
 
Ross Vumbaca

Hi,

John said:
Because the purchaser of the tickets is not always the USER of the
tickets.

I understand that, I have purchased tickets for my relatives in the
past, using my credit card.

However I still find it mildly perplexing that a large national airline
in Indonesia accepted an Australian credit card with a totally foreign
name through their Indonesian website and sold multiple airline tickets
to different people with the same credit card (people who incidentally,
did not provide complete address details, so the bank couldn't even
prosecute them).. These people could have been anyone, e.g. major
criminals, and due to lax processes, no one can even track them down.

John said:
Much like when I've booked flights for my aged aunty whose English is
barely good enough to get through hello pleasantries, let alone get onto
the 'net and make an online booking with a credit card she doesn't have.

Or when work sends us to sites (domestic and international), they book
and pay a travel agent, who books and pays the airlines. Apart from our
< .. >

You're talking about a travel agent arranging the purchase here. The
credit card fraud that we are discussing is via WEBSITES. If a travel
agent fails to notice that a person used a stolen credit card with them,
then that's a bit different.

Regards,

Ross..
 
Allan

What are you idiots going on about?
Just because there is a Chip on your card, you still need to SIGN it, unless
you want to use your PIN..
There still is a PAPER trail, as the unit still prints out a Docket,
regardless if you sign or PIN it..

The reason they are using a chip, is because of Card scamming, where the
magnet card swipe is changed to a different number,
e.g. they use their own credit card, but change the Card number on the strip
to YOURS..
That's what it's really for.

The fun bit is these Card chips are not designed for regular use..
We have already had several cards with faulty chips that need to be swiped..
(The contacts have just worn out)
Allan
 
Sylvia Else

Allan said:
What are you idiots going on about?
Just because there is a Chip on your card, you still need to SIGN it,
unless you want to use your PIN..
There still is a PAPER trail, as the unit still prints out a Docket,
regardless if you sign or PIN it..

So when they claim that you made some purchase, and you claim you
didn't, you'll show them that you don't have a docket, and that will be
proof positive.

Sylvia.
 
John Tserkezis

Allan said:
What are you idiots going on about?
Just because there is a Chip on your card, you still need to SIGN it,
unless you want to use your PIN..
There still is a PAPER trail, as the unit still prints out a Docket,
regardless if you sign or PIN it..

Ah, but there's something you weren't aware of. Technically, these cards
are usable in situations where you DON'T require a PIN or signature - the PIN is
pre-encrypted onto the card itself, thus providing authentication.

There are automated machines such as bus/train/whatever fare machines and
such that can handle these cards. Just poke in your card, and you buy a
ticket. Or whatever.

There are no such machines here (yet) that I know of, but there are
overseas, and THAT'S where things are problematic.
If one vendor can make it super-convenient for the buyer to shell out money,
it inherently makes it super-convenient for thieves who have duplicated said
smart bits, to go shopping.

When you get your statement back with various charges you didn't make, the
bank's position is, since the cards are COMPLETELY infallible, it could only
possibly have been you who made those purchases.


Though, my opinion is that I don't think this is going to last anyway. When
enough users get suckered by duplicate cards, and the media gets hold of it
(such as the news and other more questionable tabloid journalism programs) the
banks will HAVE to admit one or two of their COMPLETELY infallible cards are
in fact fallible after all. Shock horror - would have never expected that...
 
Clifford Heath

John said:
There are automated machines such as bus/train/whatever fare machines
and such that can handle these cards. Just poke in your card, and you
buy a ticket. Or whatever.

John said:
There are no such machines here (yet) that I know of

There's one in the Macfarlane St car park in South Yarra, and
it doesn't require a chip-card. Just scan the barcode on
your entry ticket, poke in your card, and you get charged
the $7 early bird rate (or presumably whatever other rate
you deserve).

I'm assuming that the merchant wears the liability in this
case however, and can use video evidence to back themselves
up.
 
Jasen Betts

Allan said:
What are you idiots going on about?
Just because there is a Chip on your card, you still need to SIGN it, unless
you want to use your PIN..
There still is a PAPER trail, as the unit still prints out a Docket,
regardless if you sign or PIN it..

The reason they are using a chip, is because of Card scamming, where the
magnet card swipe is changed to a different number,
e.g. they use their own credit card, but change the Card number on the strip
to YOURS..
That's what it's really for.

The fun bit is these Card chips are not designed for regular use..
We have already had several cards with faulty chips that need to be swiped..
(The contacts have just worn out)
Allan

I had a chip card (for prepay electricity) and it died fairly quickly
(from static electricity AFAICT),
 
Sylvia Else

Jasen said:
I had a chip card (for prepay electricity) and it died fairly quickly
(from static electricity AFAICT),

Prepay chips are probably designed to have a significant failure rate.
Most people wouldn't bother to complain.

Sylvia.
 