Shoppers at the Shell petrol station told us they will never use their bank cards to pay for fuel again, after witnessing the chaos caused to friends who have had bank accounts plundered by fraudsters. Outdoor ATMs are strangely quiet, while inside banks there are queues of customers taking out cash.
The story says — and I’m not questioning it — that in the town (of 33,000 people) virtually everyone the reporter met had either been the victim of card fraud or knew of someone who has had money illegally taken from their bank account. Usually the illegal withdrawals take place in Australia. This is a novel twist (it’s usually Italy or Bulgaria) suggesting a specific gang at work. Several people said they were now only using cash. Almost all said they would no longer use cash machines unless they were inside the bank. One specific problem identified was — hello 2006 — the petrol station. Card-reading equipment at the Shell garage, on the main road in and out of the town, was compromised. Another was the bank. An ATM at a bank branch had a skimming device fitted. The local paper reported the stories with additional coverage when it emerged the problem had spread to another Shell garage in nearby Hitchin. I’m not trivialising the issues: the stories involve real people, such as
Hilary Gibson defaulted on her mortgage because thieves stole the £700 she had deposited to cover the payment the following day. Leisa Virgo from Hitchin was another victim. When the bank called to check a payment, she immediately cancelled the card – but not before £300 had been withdrawn.
Hertfordshire police also reported that CCTV monitoring had foiled another attempt to install a skimming device at another ATM and four people were arrested. Nevertheless, residents such as Peter Merrigan are concerned:
To be honest, I have stopped using bank cards… I now prefer to go into the bank and get out my money the old-fashioned way – I certainly wouldn’t use a cash machine.
The reporter found the ATM outside the Barclays branch with wires hanging out. It had clearly been attacked. The staff were sanguine:
Don’t worry, it still works fine.
I’m not sure that the residents have been doing their risk analysis homework, because (and here I agree with the APACS spokesman) carrying around wads of notes is (I’m sure) more likely to lead to loss than carrying around a card: if I lose a tenner, it’s gone for good, but if my card is skimmed I’ll get the cash back from the bank. Sorted. Since I never, ever, use my debit card except at ATMs, I feel fairly comfortable. But then I don’t live in Bicester, where fraudsters tried to attach a skimming device to every ATM in the town, or Houghton on the Hill, where the local garage was compromised so that everyone’s card details were stolen.
Note that the frauds discussed in that article, and discussed here at the Forum more than once, are not chip and PIN frauds. They are PIN frauds. They rely on the fact that you can put a bent card (with a cloned stripe but absent the non-copyable chip) into a foreign ATM and it will work. That is not to say that chip and PIN fraud might not occur one day, but when banks roll out DDA (ie, asymmetric) cards instead of the SDA (ie, symmetric cryptography) cards used in the UK today, the likelihood is slim. I’m not putting on rose-tinted glasses here. There are some issues with SDA chips that need to be resolved because a flawed method of cheaply cloning cards without knowing the PIN does exist. It involves copying the rest of the chip’s data to another card, nicknamed a “yes card” because whatever PIN you put in the terminal, the (bent) card will say “yes, that’s the right PIN” and then give up the copied data. In theory, this is only a problem in offline terminals, because in an online transaction the bank host is supposed to verify the transaction cryptogram, which depends on the security key (this is never given up by the original card, so it’s not present in the copied chip). This cannot be the mechanism behind the fraudsters’ rampage through middle England, though, because (as Mike Bond observes in the article) all ATM transactions are online and, in any case, ATMs don’t send the PIN to the card for checking but send it back to the bank host.
The problem with foreign ATMs, on the other hand, is real because they allow “fallback”, so that a copy of a chip card that has no chip can still be used as a magnetic stripe card. I was wondering if, in current circumstances, merely using a chip and PIN card in a foreign non-chip ATM might be enough to trigger anti-fraud alarms, despite the fact that it would inevitably inconvenience customers (eg, me, because I travel a lot and use ATMs because I’m too lazy to get foreign currency sorted out in advance), and it looks as if this is now the case:
The “unusual” activity turned out to be cash withdrawals I had made from ATMs in the U.S.
There’s one simple step that the U.K. banks could take, isn’t there? If I could log on to my home banking and switch my debit card on and off for non-UK ATM transactions, that would make a significant dent in the problem. Most of the time, my card would be “off” and all transactions from foreign ATMs automatically rejected. When I’m going overseas, I simply turn it “on” until I get back. I’m sure this plan is too simple to work: how about you?
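To make the two issuer-side points above concrete (the online cryptogram check that a copied chip cannot pass, and the customer-controlled switch for foreign ATM fallback), here is an added illustration written for this post; it is not any bank’s authorisation logic, and the cryptogram scheme, key values and transaction fields are constructed stand-ins rather than real EMV data elements.

```python
"""Illustrative issuer-side authorisation rules (constructed example).

1. Chip transactions carry a cryptogram computed under a card-unique key that
   only the chip and the issuer hold. A copied chip ("yes card") lacks the key,
   so its cryptogram fails verification no matter what the PIN check said.
2. Magnetic-stripe fallback at an ATM outside the home country is honoured only
   when the customer has switched foreign ATM use on for that card.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Card:
    pan: str
    key: bytes                  # shared only by the genuine chip and the issuer
    home_country: str
    foreign_atm_enabled: bool   # the "on/off" switch proposed in the post


@dataclass
class Txn:
    pan: str
    amount: int                 # pence
    country: str
    entry: str                  # "chip" or "magstripe_fallback"
    cryptogram: Optional[bytes] = None


def make_cryptogram(key: bytes, amount: int, country: str) -> bytes:
    # Stand-in for the EMV cryptogram: HMAC over the transaction data.
    return hmac.new(key, f"{amount}|{country}".encode(), hashlib.sha256).digest()


def authorise(card: Card, txn: Txn) -> str:
    if txn.entry == "chip":
        expected = make_cryptogram(card.key, txn.amount, txn.country)
        if txn.cryptogram is None or not hmac.compare_digest(expected, txn.cryptogram):
            return "DECLINE: cryptogram mismatch (card key absent or wrong)"
        return "APPROVE"
    if txn.entry == "magstripe_fallback":
        if txn.country != card.home_country and not card.foreign_atm_enabled:
            return "DECLINE: foreign ATM fallback switched off by customer"
        return "APPROVE"
    return "DECLINE: unknown entry mode"
```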
Note to foreign readers: in the English vernacular, “bent” means fake or counterfeit. Hence, “bent as a nine bob note”.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.