Now that Visa has made it mandatory for all U.S. processors to support acceptance of chip-based transactions by April, 2013 (http://blog.unibulmerchantservices.com/nfc-ascent-pushes-visa-to-speed-up-adoption-of-smart-credit-cards), the dynamics have changed completely. The banks have no option but to build the infrastructure, so once that’s done, they might as well start using it. After all, if the U.K. chip-and-PIN experience is anything to go by, switching to it would result in hundreds of millions of dollars in savings from lower fraud losses. U.S. banks would certainly take the windfall if it comes their way.

As you can see from the comments above and elsewhere, a significant number of people complain of fraudulent transactions against cards that they had in their possession at the time. But the banks just don’t want to know. They’ve got away with lying about security for years; why should they change?

You are correct. The card never left my person. Of that I am 110% sure. Also, given the nature of the first store (Selfridges in London) I would think it highly unlikely that a relay attack could have been used. The only reasonable answer is a cloned card. However the bank is adamant that their chip and PIN card cannot be cloned. Do you have evidence to the contrary?

Thanks

Tony

The attack we describe above is primarily of use to thieves who wish to use a stolen card without knowing the PIN. The description you give indicates that your card may not have left your possession, and that maybe a cloned card was used, or possibly the relay attack which is described here http://www.lightbluetouchpaper.org/2007/02/06/chip-pin-relay-attacks/

Nonetheless your case is very interesting and the short period of time (only a week that has elapsed) between disputed transaction and you taking steps to investigate could play to your favour.

Feel free to get in touch if I might be of assistance, my mobile number is on my homepage http://www.cl.cam.ac.uk/~mkb23/ and there is useful advice for those involved in card-related banking disputes here http://www.stephenmason.eu/banks-atms-internet-banking/actions-to-consider/ and here http://www.phantomwithdrawals.com

regards,

Mike Bond
(co-author)

My card was used last Thursday (7th July) in Selfridges Oxford Street and a Hifi Store on Edgware Road to purchase goods totalling almost £12,000.

At the time they card was in my possession. I used it legitimately in Clapham at 12.10pm in person. The bank will not disclose to me the times of the transactions as this is “now a police investigation”. However they have pretty much accused me of fraud. I attempted to use the card again at 5.11pm when I found it declined.

The fraudsters then attempted to use “the card” again at an ATM at 7.11pm. At that time I was having dinner with a friend in another part of London and had the card with me. In fact he saw it on my person as I took it out of my wallet to comment it had been declined earlier. He is a barrister and quite prepared to testify to this.

Interestingly at 9.02pm the fraudsters called Lloyds to try and get the card re-enabled and passed some basic security questions (name, address, DoB, mother’s maiden name) but failed beyond that. However if Lloyds is to be believed this was either me or someone who had access to my card and then later replaced it.

It will be interesting to see where this ends up. At the moment I am being made to feel like a criminal, since I know the card was in my possession at all times. Surely the bank’s energy would be better spent on closing loop-holes rather than insulting long-standing customers.

Tony

Is there any similarity with the experience of Job (v Halifax) and Andy?

It is probably time to change my bank!

R.

At point-of-sale, UK cards always use offline unencrypted PIN verification. UK point-of-sale terminals cannot do online encrypted PIN verification. UK ATMs always do online encrypted PIN verification.

You have made an assumption that Banks have implemented EMV ensuring that all security features are implemented. I assume that you expected the Banks to implement simple checks that are available in an EMV transaction flow.

The truth is, as a result just getting EMV implemented, many Banks do not check anything to extra to improve the quality of an Authorisation. ARQC is also not verified. Many Banks would not be able to verify the ARQC or the TC after the event.

I have found many cards that return a TC after the card has failed an External Auth with an Incorrect Field error message. If a card failed to Authenticate the Issuer it should decline the transaction.

The EMV flow has sufficient in it to specify a secure transaction if a proper implementation guide is written for the full transaction flow and processing with sufficient tools being provided to all parties to ensure accurate and correct processing.

I thought that most ATM’s use OS2 , not Windows …
Am i now under a misunderstanding??