[Dave Birch] There are lots of fraud stories around today, including the one about the fraudster who managed to con high street bank Barclays out of £10,000 in a credit card scam by posing as the bank’s own chairman, Marcus Agius. It seems as if the card fraud meme has been spreading. I don’t know if you saw this wonderful story in The Guardian back in December, but it was about the English town of Letchworth (the world’s first garden city) and the essence of the story was that card fraud is so out-of-control that a kind of panic has set in. I won’t reproduce all of the details here, but I wanted to pull out a few key quotes from the story in order to make a couple of points and to reflect on the conclusion of the story, which is that whole communities are losing faith in payment cards and are turning back to cash-only transactions. The meme has been spreading through various channels and there are more and more stories about the failure of chip & PIN (ie, failure to eliminate fraud), the rise in ATM fraud, CNP fraud and so forth. But I’m getting ahead. In the Letchworth story, the reporter found many people “boycotting” outdoor cash machines, and, in some cases, abandoning the use of payment cards at retail POS.

Shoppers at the Shell petrol station told us they will never use their bank cards to pay for fuel again, after witnessing the chaos caused to friends who have had bank accounts plundered by fraudsters. Outdoor ATMs are strangely quiet, while inside banks there are queues of customers taking out cash.

The story says — and I’m not questioning it — that in the town (of 33,000 people) virtually everyone the reporter met had either been the victim of card fraud or they knew of someone who has had money illegally taken from their bank account. Usually the illegal withdrawals take place in Australia. This is a novel twist (it’s usually Italy or Bulgaria) suggesting a specific gang at work. Several people said they were now only using cash. Almost all said they would no longer use cash machines unless they were inside the bank. One specific problem identified was — hello 2006 — the petrol station. Card-reading equipment at the Shell garage, on the main road in and out of the town, was compromised. Another was the bank. An ATM at a bank branch had a skimming device fitted. The local paper reported the stories with additional coverage when it emerged the problem had spread to another Shell garage in nearby Hitchin. I’m not trivialising the issues: the stories involve real people, such as

Hilary Gibson defaulted on her mortgage because thieves stole the £700 she had deposited to cover the payment the following day. Leisa Virgo from Hitchin was another victim. When the bank called to check a payment, she immediately cancelled the card – but not before £300 had been withdrawn.

Hertfordshire police also reported that CCTV monitoring had foiled another attempt to install a skimming device at another ATM and four people were arrested. Nevertheless, residents such as Peter Merrigan are concerned:

To be honest, I have stopped using bank cards… I now prefer to go into the bank and get out my money the old-fashioned way – I certainly wouldn’t use a cash machine.

The reporter found the ATM outside the Barclays branch with wires hanging out. It had clearly been attacked. The staff were sanguine:

Don’t worry, it still works fine.

I’m not sure that the residents have been doing their risk analysis homework, because (and here I agree with the APACS spokesman) carrying around wads of notes is (I’m sure) more likely to lead to loss than carrying around a card: if I lose a tenner, it’s gone for good, but if my card is skimmed I’ll get the cash back from the bank. Sorted. Since I never, ever, use my debit card except at ATMs, I feel fairly comfortable. But then I don’t live in Bicester, where fraudsters tried to attach a skimming device to every ATM in the town, or Houghton on the Hill, where the local garage was compromised so that everyone’s card details were stolen.


Note that the frauds discussed in that article, and discussed here at the Forum more than once, are not chip and PIN frauds. They are PIN frauds. They rely on the fact that you can put a bent card (with a cloned stripe but absent the non-copyable chip) into a foreign ATM and it will work. That is not to say that one day chip and PIN fraud might not occur, but when banks roll out DDA (ie, asymmetric) cards instead of the SDA (ie, symmetric cryptography) cards used in the UK today, the likelihood is slim. I’m not putting on rose-tinted glasses here. There are some issues with SDA chips that need to be resolved because a flawed method of cheaply cloning cards without knowing the PIN does exist. It involves copying the rest of the chip’s data to another card, nicknamed a “yes card” because whatever PIN you put in the terminal, the (bent) card will say “yes, that’s the right PIN” and then give up the copied data. In theory, this is only a problem in offline terminals, because in an online transaction the bank host is supposed to verify the transaction cryptogram, which depends on the security key (this is never given up by the original card, so it’s not present in the copied chip). This cannot be the mechanism behind the fraudster’s rampage through middle England, though, because (as Mike Bond observes in the article) all ATM transactions are online and, in any case, ATMs don’t send the PIN to the card for checking but send it back to the bank host.

The problem with foreign ATMs, on the other hand, is real because they allow “fallback” so that a chip card without a chip can still be used as a magnetic stripe card. I was wondering if, in current circumstances, merely using a chip and PIN card in a foreign non-chip ATM might be enough to trigger anti-fraud alarms, despite the fact that it would inevitably inconvenience customers (eg, me, because I travel a lot and use ATMs because I’m too lazy to get foreign currency sorted out in advance) and it looks as if this is now the case:

The “unusual” activity turned out to be cash withdrawals I had made from ATMs in the U.S.

There’s one simple step that the U.K. banks could take, isn’t there? If I could log on to my home banking and switch my debit card on and off for non-UK ATM transactions, that would make a significant dent in the problem. Most of the time, my card would be “off” and all transactions from foreign ATMs automatically rejected. When I’m going overseas, I simply turn it “on” until I get back. I’m sure this plan is too simple to work: how about you?
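The rule proposed above, combined with the fallback check discussed earlier, sketched as an added example (not code from this post or from any bank's system). It reads the service code from track 2 data, whose first digit is 2 or 6 on chip cards under ISO/IEC 7813, to spot a chip card read as a stripe. `AtmRequest`, `decide`, the `foreign_atm_enabled` switch, the home country and the sample track data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

HOME_COUNTRY = "GB"               # assumption: the issuer's home market
CHIP_SERVICE_CODES = {"2", "6"}   # ISO/IEC 7813: first digit 2 or 6 = card carries a chip


@dataclass
class AtmRequest:
    track2: str            # track 2 data as read, "PAN=YYMMSSS<discretionary>"
    entry_mode: str        # "chip" or "magstripe": how the terminal read the card
    terminal_country: str  # ISO 3166 alpha-2 code of the ATM's location


def service_code(track2: str) -> str:
    """Return the 3-digit service code that follows the 4-digit expiry date."""
    body = track2.strip(";?")                 # drop start/end sentinels if present
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not rest[:7].isdigit() or len(rest) < 7:
        raise ValueError("malformed track 2 data")
    return rest[4:7]


def decide(req: AtmRequest, foreign_atm_enabled: bool) -> str:
    """Return 'approve', 'review:<reason>' or 'decline:<reason>'."""
    try:
        code = service_code(req.track2)
    except ValueError:
        return "decline:malformed-track2"
    # The cardholder's switch: foreign ATM use is rejected unless turned on.
    if req.terminal_country != HOME_COUNTRY and not foreign_atm_enabled:
        return "decline:foreign-atm-switched-off"
    # Fallback: the stripe says the card has a chip, yet the chip was not read.
    if req.entry_mode == "magstripe" and code[0] in CHIP_SERVICE_CODES:
        return "review:chip-card-read-as-stripe"
    return "approve"


# Constructed sample data: test PAN, expiry 3012, service code 201 (chip card).
CHIP_CARD_TRACK2 = ";4000000000000002=30122011234567?"


def demo() -> list:
    """Run the rule over four constructed withdrawal requests."""
    cases = [
        (AtmRequest(CHIP_CARD_TRACK2, "magstripe", "AU"), False),  # switch off, abroad
        (AtmRequest(CHIP_CARD_TRACK2, "magstripe", "AU"), True),   # switch on, fallback
        (AtmRequest(CHIP_CARD_TRACK2, "chip", "GB"), False),       # normal home use
        (AtmRequest(CHIP_CARD_TRACK2, "chip", "US"), True),        # travelling, chip read
    ]
    return [decide(req, enabled) for req, enabled in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the switch off, the cloned-stripe withdrawal abroad is declined before any fraud scoring is needed; with it on, the fallback read is still routed to review.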

Note to foreign readers: in the English vernacular, “bent” means fake or counterfeit. Hence, “bent as a nine bob note”.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public

6 comments

  1. On my trip to Argentina a year ago, I notified my bank, beforehand, so that ATM cash and purchases wouldn’t be declined.
    I don’t know why, but the fear of being stranded without any way of getting cash was sufficient incentive to call. Sure enough, they said it was just as well I called as they’d have declined anything from South America. Whether that’s true I don’t know – inconveniencing bank customers is a big sin.
    Which, of course, is precisely why we won’t get the scheme you advocate. Nice idea, but it’s too much for us cardholders to manage – we will get it wrong or not know it is there. I only need to be stranded without cash once for the bank to lose me as a customer.
    Of course, the irony was that while in South America, the genuine (secondary) card was skimmed at a petrol garage in leafy Surrey and the counterfeit card used two days later in an ATM in … London! Yes, in 2007, in a chip-enabled ATM!

  2. Interesting identity theft story from the BBC this week:
    UK – Clarkson stung after bank prank 1/7 BBC TV presenter Jeremy Clarkson has lost money after publishing his bank details in his newspaper column. The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25m people’s personal details on 2 computer discs. He wanted to prove the story was a fuss about nothing. Clarkson admitted he was ‘wrong’ after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK. Clarkson published details of his Barclays account in the Sun newspaper, including his account number & sort code. He told people how to find out his address. ‘All you’ll be able to do with them is put money into my account. Not take it out. Honestly, I’ve never known such a palaver about nothing,’ he told readers. But he was proved wrong, as the 47-year-old wrote in his Sunday Times column. ‘I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account. The bank cannot find out who did this because of the Data Protection Act & they cannot stop it from happening again. ‘I was wrong & I have been punished for my mistake.’ Police were called in to search for the 2 discs, which contained the entire database of child benefit claimants & apparently got lost in the post in 10/07. They were posted from HM Revenue & Customs offices in Tyne & Wear, but never turned up at their destination – the National Audit Office. The loss, which led to an apology from Prime Minister Gordon Brown, created fears of identity fraud. Clarkson now says of the case: ‘Contrary to what I said at the time, we must go after the idiots who lost the discs & stick cocktail sticks in their eyes until they beg for mercy.’

  3. And an even more peculiar story about fraud, in the US:
    In Corpse Episode, Echoes of a Grittier Time
    New York Times 1/10/08
    You would see them around Hell’s Kitchen, the men neighbors knew as Jimmy and Fox. They were relics of the past in the once-notorious neighborhood, and now they lived on its edges. Jimmy, James O’Hare, lived with Fox, Virgilio Cintron, in a second-story apartment on West 52nd Street. Both men were in their 60s and Mr. Cintron was ailing, so Mr. O’Hare often took care of laundry and grocery errands. He shopped for soda and sweets at Adam Altareb’s 99-cent discount store on 10th Avenue, counting out change or small bills at the counter. They regularly lined up for a free meal around the corner at the Sacred Heart rectory. They were tolerated, even treated with affection, although they could be trouble: Each had been arrested numerous times since the 1960s on charges including robbery, drug possession and burglary. Their neighborhood was slowly improving, and in some ways, it was leaving them behind. “They are a throwback to the old Hell’s Kitchen,” said Paul J. Browne, a police spokesman. But nothing in their records, or in their daily appearances around the neighborhood, could foretell what became the macabre final chapter of a bond reminiscent of the days when Hell’s Kitchen was known more for its drugs and robberies than its fashionable bistros and high-rises. Neighbors described them as “vein brothers,” addicts who use intravenous drugs. After Mr. Cintron recently died, Mr. O’Hare, 65, and another friend, David Daloia, also 65, whose last known address was in Queens, tried, without success, to cash a Social Security check of Mr. Cintron’s, the police say. They realized that they needed their dead buddy’s help. So on Tuesday afternoon, the police say, they dressed Mr. Cintron’s corpse, carried him down a flight of stairs and heaved his body into a computer chair with wheels. Outside, they rolled him over the uneven sidewalk, pulling the chair toward Pay-O-Matic, a check-cashing shop on Ninth Avenue. 
But as the men turned the corner, trying to steady the floppy corpse, they ran into the law. At Empanada Mama, a restaurant next door to the Pay-O-Matic, Travis L. Rapp, a detective, had sat down to lunch. Detective Rapp looked out the window and saw the unwieldy trio. Something about the way they struggled to balance the man in the chair caught his eye. “At this point, when they approached closer, I saw the body and I said, ‘Well, this is a dead guy,’ ” Detective Rapp said on Wednesday in a phone briefing. “I ran out and said, ‘Where are you guys going, what’s going on?’ ” the detective said. “The roommate, O’Hare, said: ‘I am cashing my friend’s check. I have to bring him inside to cash his check. He needs to cash his check.’ ” Detective Rapp identified himself as a police officer and called an ambulance. He noticed that the body was stiff. “When they dragged his feet, his feet were just very rigid and they were bouncing off the edge of the sidewalk, and I knew right then and there that he was dead.” Still, Mr. O’Hare was trying to get Mr. Cintron’s body into the check-cashing store. “I said: ‘You are not bringing him anywhere. Just leave him alone.’ I said, ‘Don’t touch him.’ ” It was not clear what had caused Mr. Cintron’s death, although the police do not suspect any foul play. An autopsy was completed on Wednesday but more tests were needed, the city medical examiner’s office said. The two men were to be arraigned on Wednesday on charges of attempted forgery, attempted possession of a forged instrument and petty larceny, the police said. The episode was the talk of the neighborhood. Mr. Cintron had spent his childhood in the same apartment building on 52nd Street. At a secondhand store a block away, Annette Magana, the owner, called out to a neighbor. “Hey, did you hear what happened up there?” she said to the neighbor, Edwin Lubin, walking his dog. Mr. Lubin was aghast. 
“It is the freakiest thing that I have ever heard happen in this area,” he said, pausing on the sidewalk as Mrs. Magana rang up his purchase of used jeans. “It has come to a point where the community has become more wholesome, with a sense of community. It is more than shocking.” At the Pay-O-Matic on Wednesday, an employee waved away a reporter seeking a comment. “We are not giving any interviews,” he said. Neighbors in the building where the two men lived said that they appeared sickly, and they described the apartment as filthy. One, Leyla Tletuha, 42, said she once came across Mr. Cintron lying flat on the floor in the threshold of his apartment and had to help him inside. She always sniffed the air outside his door to make sure that the gas oven had not been left on, she said, a common habit of the pair that she attributed to attempts to get high. The three men had a history of heroin addiction, the police said. But residents said Mr. O’Hare and Mr. Cintron were often kind. “They seemed down on their luck,” said P. J. Sosko, who lives on the floor below their apartment. “They looked down, they looked bad. But kind.” “Age got the best of them,” Ms. Tletuha said. Neighbors said that the men appeared so sickly that they had trouble climbing the two short flights of stairs to their apartment. To some, to see the two men reminded them of the years of neglect and hard living of a different era in the neighborhood. “A man who drags himself across the wall to get upstairs is pretty sick,” said Noel Valentine, a maintenance worker in the building. “They were on a path of destruction, the babies of Hell’s Kitchen,” he said. “That’s what is left of Hell’s Kitchen, dying out.” On Wednesday, a young woman tried to deliver food from God’s Love We Deliver to the apartment. But a policeman turned her away. The apartment, for the moment, had become a crime scene.

  4. Most all of the fraud issues in the news deal with close contact with the victim’s credit card. What about the wireless acquisition of their data - something the banks and the media don’t want to talk about?
    This is accomplished with a very simple, low-tech antenna ($20 and a trip to Radio Shack) hooked up to a PDA or a laptop. The thief will hook up, then go to a populated area, waiting for passersby.
    With the advent and market penetration of the new RF-enabled cards, over 50 million issued in 2007, the thief simply waits for one to walk by. When the antenna receives a response, they have their victim’s account information. Then, for only a few pennies, they program the stolen data onto a blank card that is indistinguishable from the original (at least by electronic readers).
    The process is called “cloning”. There is only one defense: an RF-Shield to wrap around your cards. An effective shield will prevent the card from either receiving or transmitting the data until removed from its protective cover.
    Go to http://www.ArmadilloDollar.com and you’ll find the best one on the market. This was proven in front of an ABC News Crew and the Arizona Deputy District Attorney on the 9th of January. The show will air during “Sweeps Week” on the segment “Does It Work?”.
    On camera, we demonstrated ALL of our competitor’s product-ALL failed. The Armadillo Dollar was the only one that worked-EVERY TIME-keeping the data protected from both credit and secured-access RF-enabled card readers.
    Our website is dedicated to informing people as to what’s happening in the security of our banking dollar. Even if they refund your money, we all pay. And in the meantime, your checks are bouncing.
    Get informed, and get ACTIVE in your own protection!
    If you want to check it out, then go to ArmadilloDollar.com and order one. It only sells for $25.00, and if you use the code “TopDog” you can take $5 off the top.
    “Don’t be a Sheeple, People!”
    Ron Hatton
    “TopDog”
    http://www.ArmadilloDollar.com

  5. We know that these kinds of devices work because we have already been playing with them (see for example http://digitaldebateblogs.typepad.com/digital_identity/2006/12/tinfoil_tests.html) but I’m curious about your statement that “This is accomplished with a very simple, low-tech antenna ($20 and a trip to Radio Shack) hooked up to a PDA or a laptop.”
    Could you tell us how much power you put out through the antenna and how far away you could read the card when the person walked by? This would be a useful data point.

  6. I find baking foil works well too. Cut to the size of a card and slip it in your wallet.
    I particularly like the fact that it’s free and available from my handy kitchen.
