Reply to: Fraud attempt

OK I'll bite. They put devices inside the front of ATMs that read your card. i.e. not extras bolted on the ATM, that's old school, they remove part of the ATM, where they find a nice gap, and install their devices. They don't need much space, these things are small. These devices then video/audio and/or an overlay keypad for your key presses. They get their data back via a blue tooth connection, and get their power from a long life battery or by connecting up to the device to check no one has pulled the entry slot off the front of the ATM to install a cloning device FFS!

It is miniature, designed for purpose, seriously expensive kit, but like I say, these guys buy in bulk.

Not only can they clone swipe cards they can copy Chip n Pin too.

Really good money to be made, so it is very profitable for them.

Not much of an extension to do the same for finger print readers or iris scanners.

Remember these chummies are far better resourced than the bank security departments set against them, so anti fraud attempts are nothing but rather trivial passing annoyances: only providing a little passing amusement for chummy-techie doing the workaround, who generally has already considered it as a next step and has the solution waiting .

HTH

I have had a few beers now and I would like to discuss the points in the whole post you posted tomorrow on clientCo time

I have always proposed a fingerprint database linked in with the passport system, feck it's about 10 extra columns on an existing database and then we make passport numbers linked with hand prints compulsory to access basic government and banking services. Passports are not compulsory as such.

You claim to be a Peoplesoft bloke, that is not much more than what you ask of your users.

I have never claimed the ID system introduction as presented was a good idea, I do claim that an ID system is totally necessary.

Maybe I'm missing something in your argument.

Fraudster uses my stolen / cloned / borrowed credit card (or just the details written down) in a CNP transaction. They aren't interested in stealing myID, just getting some money or goods to sell on. They order something over the phone or fax or internet, and the transaction goes through. (A few years back, I had someone charge a Canadian Pay TV subscription to my credit card, despite my not visiting Canada since 1986).

I also have an ID card which has my address, fingerprints and DNA stored on it (I don't care what information is on there - so assume that the ID card holds all information about me from birth to the current time, excluding my current location).

How does me having an ID card stop the fraudster?

You are missing the point. You have popped up here claiming the government ID cards scheme will prevent credit card fraud. I contend that not only will it not do that, it will divert scarce Police resources away from the real crimes and issues and into chasing up people like me who will do their best to obfuscate the system.

There are many things banks and credit card companies could do if thy were serious about stopping it - Barclays were trialling a card with "rolling" number, so knowing the card number and expiry date won't help a thief - I don't know the outcome, but that's one example, there are others. The simple reason banks aren't more secure is that they don't want to spend the money - they'd rather refund the victims than address the issues.

I have also already said that I support the beefing up of passport, birth certificate and driving licence application procedures.

The government ID scheme offers me nothing but expense, inconveinence and an increased risk of data loss.

As for the address question - how many million addresses will be in the database? Every one of us will be responsible for letting the civil servants know when we move. The only similar operations are the DVLA and HMRC, neither of which have covered themselves in glory with regard to speed or accuracy, and there are millions of vehicles on the roads not registered to anyone - there is a theoretical fine for not telling the DVLA when we move - but is anyone ever prosecuted? And yet, miraculously, all this data will be reliable and up to date under the new system? Not a hope.

The typical MO of the frauster is to change address, the ID card has to have your latest address.

Ummm - no, actually, you haven't. You've said that the ID card would hold my address. How is that going to stop a fraudster using the card in a card holder not present transaction?

If a fraudster is using a card over the phone - at what point are they going to be asked to enter their ID card so that the address can be checked?

There is no answer - if the card holder is not present, then having a system which requires an additional card makes no difference, regardless of what information is held on the card.

The card could have every possible detail about me, my lifestyle, my shopping, everything - but it is not going to stop fraud where the card holder does not have to physically present the card.

So you have stated a problem I have stated how the ID system deals with that.

...

next?

Now, you are aware that the ID system holds your current address?

No. Do you know anything about using a credit card online or over the phone?

Try looking it up in Wikipedia, man.

Or, if you can't manage that:

Computer says "yes" quite often - there is no way to verify the PIN, there is no way to verify the signature. The only verification is that the card is valid - which just means that the number and expiry dates are good.

Are you a tester?

"computer says no"

What the feck are you dribbling about man "Cardholder not present"?

Cardholder not present - give them the card number and they put it through. How is having an ID card going to stop that?

<pedant>
This is post 79 in this thread, so to be answering 80 posts would require a thread significantly longer than this one
</pedant>

Why not?

I have been answering questions for the last 80 posts so it's my time to question.

Tell me the mechanisms fraudsters use and how they cannot be protected by ID cards?

Whether there is anything else that will stop that kind of fraud is a moot point - an ID card won't stop the majority of credit / debit card fraud.

What will then?

I will turn the question to you, I signed the OSA so I'm not going to go into details but a fraud squad detective would have to run time at 100 times slower just to read the cases now. 1000 times to even follow them up.

The crime is completely unmanageable and it is a crime where there are thousands ans thousands of innocent victims. There is no way to stop it with current technology.

So what is your answer? Just let it go on as you so clearly offer as the answer?

I'm in favour of a compulsory ID card.

Just not one that has any kind of link to a big database - I want the lowest technology possible. Bit of cardboard and a black and white photo stuck to it.

If the cards look like they can be easily forged, then people will be wary of accepting them as conclusive proof of ID. It might help, but it won't be conclusive by any means. If the cards look like they are super-dooper high-tech, and the PR companies are telling us that they are hack-proof, forge-proof and all-round wonderful, then people will accept the card and only the card. Which when the data is incorrect, leaves you with a massive uphill struggle to prove that you are who you are rather than who the database says you are.

And for that reason, I'm out.