Comments on: Justice, in one case at least

By: bingham

bingham — Tue, 15 Apr 2008 14:11:20 +0000

Following on from the Natiowinde thread, we have two members of our family who have had 1800 each taken from their accounts
in the last month.
Having had numerous conversations with the branch it would appear they just pass the ball to their ’special investigation’ units and hope that they do the necessary. It would be interesting to learn how much their exposure to this is at the moment.

By: O B

O B — Fri, 04 Apr 2008 20:29:22 +0000

This is the link to the whole story:

http://forums.moneysavingexpert.com/showthread.html?t=839107

By: O B

O B — Fri, 04 Apr 2008 20:25:41 +0000

FOund this blog when looking for information on CVV Transaction Data. I am helping a friend to sort out a ATM discrepancy. The bank has produced a number of copies from their investigation, but they have little meaning to us. IF someone here is intersted in this, or think you could be of some help, please contact me (email address provided).

I would also be interested in talking with Pete Austin to posted above as this is the same bank (Nationwide), which although I find very forthcoming in its branch, has not really produced results on this particular investigation we are looking in right now.
Read more in the URL (or if that does not work, I will copy the post to here - if allowed)

By: Pete Austin

Pete Austin — Sun, 30 Mar 2008 16:48:59 +0000

>> February 6th, 2008 at 20:01 UTC
Follow-up to my comment. Between 28-30 March 2008 I’ve lost about £1,100 to ATM fraud. I’m paranoid about security, only ever using two specific ATMs, only during daylight hours, so I would expect to notice any skimmer. I still have my card. My PIN has never been written down. Either someone guessed my account+pin, or the the Link database has a leak, or there’s something like an invisible “in-slot” skimmer out there. I wonder whether Nationwide will admit one of these unlikely-sounding scenarios, or just claim I’m a fraudster.

By: Ian

Ian — Fri, 15 Feb 2008 14:24:13 +0000

Correction to the above, in the second paragraph, I meant to say “where the card was initially read using the magstripe”.

By: Ian

Ian — Fri, 15 Feb 2008 14:22:58 +0000

EFT message protocols use the PAN Entry Mode field to distinguish between different ways of capturing the card number and other details. If the magstripe was read and all of its data is available in the transaction message, the PAN entry mode field (defining how the card was read) is set to ‘90′. This means something like ‘magstripe - CVV data reliable’ and indicates that the CVV data in the magstripe can be checked by the bank. It does not indicate that the CVV has been checked - the message hasn’t reached the bank yet and the terminal can’t check the CVV.

Some transaction messages might not contain reliable CVV data, e.g. if they came via a network that did not transmit the full magstripe data, or perhaps (I’m guessing a bit here) for a recurring payment where the card was initially read manually, but the CVV part of the magstripe was not stored for security reasons. Systems like this might then ‘fake’ the CVV part of the magstripe and indicate a mode of ‘02′, defined as ‘magstripe read, CVV data unreliable’. It doesn’t mean that the CVV failed validation.

By analogy with this, 05 means the chip was read, and the CVV data that the message contains was not faked by the network, i.e. it can be checked by the bank. It doesn’t mean the CVV has been checked. For a chip transaction, other transaction data in the message will indicate whether the PIN was entered correctly and so on.

By further analogy there is sometimes a PAN entry mode of ‘95′ defined to mean ‘chip read, CVV data unreliable’. I don’t know if this value is ever used. Maybe on networks that only have partial support for chip and PIN.

By: Rob

Rob — Thu, 07 Feb 2008 14:28:41 +0000

It seems that there may be a parallel with car theft and supposedly “theft proof” transponders. I stumbled across this story via /.

http://www.wired.com/wired/archive/14.08/carkey.html

But the transponder system was intact. The car could have been shifted and steered, the investigator concluded, but the engine couldn’t have been turned on. “Since you reportedly can account for all the vehicle keys, the forensic information suggests that the loss did not occur as reported,” the company wrote to Wassef, denying his claim. The barely hidden subtext: Wassef was lying.

By: Pete Austin

Pete Austin — Wed, 06 Feb 2008 20:01:12 +0000

In “Integrated Circuit Card read”, the word “read” is ambiguous.

I often read the dictionary on my desk, but I have not read it. That would take far too long.

Similarly an ATM might read a chip without reading the data it contains. For example because of errors.

By: Barry

Barry — Mon, 04 Feb 2008 11:42:51 +0000

I have followed the Munden case since way back and told many people about it (including EC officials when I worked there) but this case is worrying because it shows that almost nothing has happened to protect card holders from banks’ inefficiencies and plain old saving money in their security ’system’
Although it ended well it appears it was only because Egg couldn’t or didn’t want to produce the data, not because, as in the Munden case, they were ordered to, and didn’t. The distinction is important, the precedent is still set that a bank is not required to support their contention that the client is perpetrating a fraud.

By: listening banker

listening banker — Sat, 02 Feb 2008 13:47:40 +0000

More egg in the news:
http://news.bbc.co.uk/1/hi/business/7222336.stm

J.A.B.: At least you’ve got an envelope!