Card fraud — what can one do?

People often ask me what they can do to avoid becoming victims of card fraud when they pay with their cards in shops or use them at ATMs (for on-line card fraud tips see e-victims.org, for example). My short answer is usually “not much, except checking your statements and reporting anomalies to the bank”. This post is the longer answer: little practical things, some a bit over the top, I admit, that cardholders can do to reduce the risk of falling victim to card fraud. (Some of these apply only to UK-issued cards, some to all smartcards, and the rest to all types of cards.)

Practical:

1. If you have a UK EMV card that was issued before the first quarter of 2008, ask the bank to send you a new one. APACS has said that cards issued from January 2008 carry an iCVV (‘integrated circuit card verification value’) in the chip that differs from the CVV1 on the magnetic stripe. The chip holds a copy of the magstripe data for fallback; if that copy is read off the chip and written onto a blank magstripe card, the clone shouldn’t — provided iCVVs are indeed checked by the issuer — work at ATMs anywhere, because the verification value it carries is not the one the issuer expects to see on a stripe. The bad news is that in February 2008 only two out of four newly minted cards that we tested had iCVV, though today your chances may be better.

A PIN entry device taped together

2. Where you are able to pick up the PIN entry device (PED), do so (Sainsbury’s actually encourages this). Firstly, it may let you hide your PIN from the people behind you in the queue. Secondly, it lets you give it a cursory inspection: if there is more than one wire coming out of the back, or the thing falls apart, don’t use it. (In the picture on the right you see a mounted PED at a high-street shop that is crudely taped together.) In addition, be suspicious of PEDs that are mounted in an irregular way such that you can’t move or comfortably use them; this may indicate that the merchant has a very good camera angle on the keypad, which moving the PED would put out of focus. Of course, some stores mount their PEDs such that they can’t be moved, so you’ll have to use your judgment.

3. Put your other hand, a wallet, purse or hat over your hand when you punch in the PIN at an ATM or PED. Don’t be shy about it. Practise entering the PIN in such a way that your hand movements do not reveal the digits (one way is to use your thumb underneath your palm). Hiding your PIN as you enter it is prudent and good practice, though it may not save you if the PED itself has been compromised, either during manufacturing or, as we have demonstrated in the past, later on.

4. If you have a debit card, keep as little money as possible in the account associated with that card, so as to minimise the amount criminals can get at. Also, ask for the account to be set up with no overdraft facility, so that a fraudster cannot take it below zero.

5. When you travel outside the UK with an EMV card, local criminals can steal it and sign for goods at places without EMV infrastructure; they don’t need to know the PIN, and you will then have to fight your bank for your money. So don’t take along cards you do not intend to use, and if you do, hide them well, especially if you leave them behind in a dodgy hotel.

6. Set your cards to have different PINs: if someone saw your PIN when you entered it at a shop and later steals your wallet, he will be able to withdraw money from all of your cards. Even if the PIN wasn’t compromised, a criminal who assumes that all your PINs are the same gets more attempts at guessing it. If you find it hard to remember multiple PINs, set them to have some relationship that you keep to yourself. Say, each digit of the second card’s PIN is an increment of the corresponding digit of the first card’s PIN; there are many ways to do this such that the other PINs are easy to derive from the one you remember. Bear in mind that such a rule only helps while it stays private: once one PIN and the rule are both known, so are the rest.

7. Be observant at ATMs. A broken ATM should either be off or, more properly, display an “out of order” message on the screen. A note posted on the screen may indicate that criminals are trying to divert you to an ATM they have compromised (by installing a skimmer or a Lebanese loop), or that they have placed a fake ATM nearby that may give you the cash but will empty your bank account. In general, avoid using mobile or detached ATMs; fake or tampered ones can easily be passed off as legitimate, and you are unlikely to notice. (The advice on how, where and when to install ATM skimmers by a seasoned card fraudster can also tell us what to look out for.) Finally, be suspicious of anyone “helping” you to use an ATM.
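
The issuer-side check that tip 1 relies on, as an added example that is not part of the original post or of any bank’s or APACS’s own code. The chip’s copy of the stripe data carries the same PAN, expiry and service code as the stripe, but its verification value is computed with service code “999” in place of the real one (that substitution is what makes it an iCVV). When a clone of the chip data is swiped, the issuer recomputes CVV1 from the fields on the stripe and the values do not agree. Assumptions not in the post: HMAC-SHA256 stands in for the issuer’s DES-based CVV function; the discretionary data layout (PVKI, PVV, then CVV) is one common arrangement; the key, PAN and card data are made up.

```python
import hmac
import hashlib
from dataclasses import dataclass

# EMV: the iCVV is computed with service code 999 where CVV1 uses the card's real service code
ICVV_SERVICE_CODE = "999"
# Assumed discretionary-data layout: PVKI(1) + PVV(4) + CVV(3)
CVV_OFFSET, CVV_LEN = 5, 3


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # 3 digits
    discretionary: str

    @classmethod
    def parse(cls, raw: str) -> "Track2":
        # Track 2 layout: ;PAN=YYMMSSSddd...?   ('=' is the field separator)
        body = raw.strip(";?")
        pan, rest = body.split("=", 1)
        if not (pan.isdigit() and rest.isdigit() and len(rest) >= 7):
            raise ValueError("malformed Track 2 data")
        return cls(pan, rest[:4], rest[4:7], rest[7:])

    def encode(self) -> str:
        return f";{self.pan}={self.expiry}{self.service_code}{self.discretionary}?"


def card_verification_value(cvk: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Stand-in for the issuer's CVV function (HMAC instead of DES; an assumption).

    Keeps the real algorithm's shape: a keyed function over PAN||expiry||service code,
    decimalised by taking decimal digits first and mapping a-f to 0-5, then 3 digits."""
    mac = hmac.new(cvk, (pan + expiry + service_code).encode(), hashlib.sha256).hexdigest()
    digits = [c for c in mac if c.isdigit()] + [str(int(c, 16) - 10) for c in mac if c in "abcdef"]
    return "".join(digits[:CVV_LEN])


def personalise(cvk: bytes, pan: str, expiry: str, service_code: str, icvv: bool) -> Track2:
    """Track 2 data written to the stripe (icvv=False) or to the chip's Track 2
    Equivalent Data (icvv=True). Only the 3-digit verification value differs."""
    code_for_cvv = ICVV_SERVICE_CODE if icvv else service_code
    cvv = card_verification_value(cvk, pan, expiry, code_for_cvv)
    discretionary = "1" + "5823" + cvv  # PVKI=1, made-up PVV, then CVV (assumed layout)
    return Track2(pan, expiry, service_code, discretionary)


def issuer_accepts_magstripe(cvk: bytes, raw_track2: str) -> bool:
    """Issuer check on a swiped transaction: recompute CVV1 from the fields on the
    stripe and compare with the value the stripe actually carries."""
    t = Track2.parse(raw_track2)
    expected = card_verification_value(cvk, t.pan, t.expiry, t.service_code)
    presented = t.discretionary[CVV_OFFSET:CVV_OFFSET + CVV_LEN]
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    cvk = b"issuer-cvk-example-key"  # made-up issuer key
    pan, expiry, sc = "4921000000001234", "1012", "201"  # made-up card; 201 = chip preferred

    genuine_stripe = personalise(cvk, pan, expiry, sc, icvv=False).encode()
    # Card without iCVV: the chip holds an exact copy of the stripe, so a clone of it passes
    clone_from_old_chip = personalise(cvk, pan, expiry, sc, icvv=False).encode()
    # Card with iCVV: the chip's Track 2 Equivalent Data carries the iCVV, so a clone fails
    clone_from_new_chip = personalise(cvk, pan, expiry, sc, icvv=True).encode()

    return {
        "genuine_stripe": issuer_accepts_magstripe(cvk, genuine_stripe),
        "clone_from_old_chip": issuer_accepts_magstripe(cvk, clone_from_old_chip),
        "clone_from_new_chip": issuer_accepts_magstripe(cvk, clone_from_new_chip),
    }


if __name__ == "__main__":
    print(demo())
```

The protection is only as good as the issuer’s willingness to decline on a CVV1 mismatch, which is the “if iCVVs are indeed checked” caveat above; a fraudster who reads the stripe itself rather than the chip gets the real CVV1 and this check does nothing.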

Paranoid:

8. Put a thin opaque tape over the CVV2 (the three-digit number on the back of the card that is used for card-not-present, i.e. on-line, transactions). All a cashier or waiter needs in order to make an on-line transaction with your card is the account number, name, expiry date and CVV2, all helpfully printed on the card itself. Keeping the CVV2 from being memorised on casual inspection may save you from paying for someone else’s big-screen TV. In some cases the crooks may need your address as well, so the waiter who skims your card also hands you a raffle card to put your details on for a chance to win a free bottle of wine on your next visit. Since address verification in the UK only compares the digits in the address and postcode, all they need in order to get the TV delivered somewhere else is a delivery address whose digits match yours.

The CVV2 is used as a weak indicator that the person making the on-line purchase is actually in possession of the card. There is nothing preventing you from scratching off the three digits and keeping them safe elsewhere (near the only computer you do on-line transactions on, for example). In addition, if you lose your card, it will be harder for criminals to use it on-line.

9. If you have access to a magstripe encoder, replace the account details on the magstripe with 0’s. The disadvantage is that the card will then be useless where smartcards are not accepted. So if you know that you’ll always use the chip, erasing the magstripe may be a good idea. (Practically, you may not want to erase the whole stripe, because some ATM card slots check for data at the front of the stripe before accepting the card; if that data is gone, you won’t be able to get cash. I also suppose that there are ways of making the magstripe data invalid other than erasing it with an encoder.)

10. After you return from a trip abroad, if you have any doubt about the places that swiped your cards, change your PIN at an ATM. This will prevent criminals from withdrawing money from your account in countries that do not have EMV. You may also want to consider cancelling the card, or ask your bank what to do. (In the UK it is easy to change the PIN at an ATM, and I am unaware of any limit on the number of times that this can be done. I believe that some banks will re-issue cards a small number of times per year for free, and then start charging you for them.)

11. If you know of shops that let you pay with your card as a chip transaction but also swipe the magstripe for good measure and no apparent reason, stop shopping there (I’ve experienced this in two different chain stores in the UK). They are not supposed to do that, and it is bad practice to educate cardholders that this is OK. Sometimes it happens so fast that you can’t stop the swipe; if you are concerned, change the PIN. It is common for cashiers to use a ‘swipe-and-dock’ register if the PED fails (or always!). Avoid letting them use it if you can.

12. If a waiter takes your card and walks away, call them back or follow them. With Chip and PIN they are not supposed to take the card away; in fact, they are not supposed to handle the card at all. If they see you following them, they might think twice before skimming your card and its details with a tiny portable card reader.

13. If your PIN has two (or more!) identical digits one after another (‘1066’ is a good example of a really bad one), make sure you pause between them so that you do not help the criminals guess your PIN.
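
The address check that tip 8 describes as inadequate, as an added example that is not part of the original post or of any acquirer’s code. It models the digit-only comparison that UK address verification is commonly described as performing (an assumption about the exact scheme): only the digits in the first line of the address and in the postcode are compared with what the issuer holds, and the merchant gets back a match level. Street names, towns and letters are ignored, so a delivery address with the same digits as yours produces a full match. All addresses are made up.

```python
import re
from typing import List, Tuple

Address = Tuple[str, str]  # (first line of address, postcode)

# Made-up billing address the issuer holds for the cardholder
ON_FILE: Address = ("12 Example Road", "AB1 2CD")

# Made-up delivery addresses a fraudster might try
CANDIDATES: List[Address] = [
    ("12 Other Street", "XY1 2ZZ"),           # different street and town, same digits
    ("21 Example Road", "AB1 2CD"),           # house-number digits transposed
    ("Flat 12, 34 Example Road", "AB1 2CD"),  # extra digits in the first line
    ("12 Example Road", "AB3 4EF"),           # right house, different postcode
    ("120 Example Road", "EH12 2DC"),         # nothing lines up
]


def digits(s: str) -> str:
    """Keep only decimal digits; that is all a digit-only AVS comparison looks at."""
    return re.sub(r"\D", "", s)


def avs_check(on_file: Address, presented: Address) -> str:
    """Digit-only address verification (assumed scheme).
    Returns the match level a merchant typically sees."""
    address_ok = digits(on_file[0]) == digits(presented[0])
    postcode_ok = digits(on_file[1]) == digits(presented[1])
    if address_ok and postcode_ok:
        return "full match"
    if address_ok:
        return "address only"
    if postcode_ok:
        return "postcode only"
    return "no match"


def indistinguishable(on_file: Address, candidates: List[Address]) -> List[Address]:
    """Every candidate the check cannot tell apart from the address on file:
    these are the places the TV could be delivered to without tripping AVS."""
    return [c for c in candidates if avs_check(on_file, c) == "full match"]


if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c[0]:<26} {c[1]:<9} -> {avs_check(ON_FILE, c)}")
    print("deliverable without tripping AVS:", indistinguishable(ON_FILE, CANDIDATES))
```

A merchant who treats “full match” as proof that the buyer is the cardholder is relying on a check that distinguishes between far fewer addresses than exist; that is why hiding the CVV2 and being wary of handing over your address matter more than the address check itself.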

We can argue that in a well-designed system some of the tips above would not be necessary, but that’s what we have to work with. It will be interesting to observe how banks deal with card fraud in the current state of financial affairs. It seems to me that banks are going to be stricter about giving money back when fraud occurs, even in cases that are clearly in the cardholder’s favour, while victims are going to suffer even more from the loss.

14 thoughts on “Card fraud — what can one do?”

  1. I can think of a few more bits of advice. Since “waiter skimming” is part of the threat model, I would have thought student cards would have less attraction to fraudsters than gold or platinum ones. Since you can now design your own cards (or at least from preset designs), you can try to pick cheap-looking ones.

    I wonder if it is possible to set up a card to *require* a phone verification (e.g. this happens if you do not receive your recorded delivery mail)? If I am travelling around a moderately dodgy country, I like to keep my cards as an insurance just in case, rather than my everyday means of subsistence.

    Happy Christmas,

    A.

  2. Any advice about how to ‘care’ for one of those dreadful RFID-enabled credit cards (eg Mastercard PayPass)?? Could it be the only thing to do is to carry it around in a foil-lined duct tape wallet?

    William

  3. @Andrei,

    Happy Christmas. I don’t see cheap looking cards making all that much of a difference. If you have an operation in place to skim cards, why discriminate? In some cases, the people who get paid to put tampered PEDs in their shops also earn money per card skimmed; they are not the ones going to the ATM to get cash with it.

    Still, if you make your Black Card look like a debit card from an unknown bank you may save yourself from being targeted for other types of crime; though you’d lose the show-off factor 😉 .

  4. Excellent article and applicable here in Canada with some adjustment. All I would add is that consumers have to stay on top of their bank balances, especially with debit cards. The sooner they discover unauthorised transactions the sooner they can alert their bank.
    Incidentally, Canada will have full-blown chip & PIN cards by 2010 but the USA has decided not to implement this technology so when we start to see “card-present” credit card fraud nosedive, guess where most of this fraud will shift? Yup – south of the 49th parallel

  5. I’m not thrilled with the advice about changing PINs at an ATM. Lets leave aside the whole issue of compromised ATMs for a moment (although a good part of my unease comes from that area), and just consider the increased risk from insider fraud.

    While I’ve seen some good systems (I helped design the Lloyds/TSB crypto protocols), I’ve also seen some very insecure implementations too. I’ve been out of the financial security standards racket for a while (not since 2005), but last I knew these types of transactions fall into the poorly regulated area of on-us transactions.

    There are two basic problems from the cryptographic protocol standpoint. The first is that the card number and the account numbers it accesses are not the same thing. Thus you have the problem of making sure that the PIN change transaction is only applied to the proper accounts.

    Another problem is at the TRSM API level (something the principals of this blog should know a bit about :-), where a naively implemented PIN change function gives attackers many different shots at a successful oracle attack against the PIN. Care must be taken to differentiate (with cryptographically enforced typing) the reference PIN (or hash), the trial PIN, and the changed PIN. Relying upon hashed PINs for a reference is problematic too (especially the older algorithms with 4 digits and a high number of synonyms).

    Most implementations I’ve seen of PIN change transactions ignore all of these issues. They allow the use of any reference PIN as the “changed” value, and do a dandy job of PVN generation. Does anyone know if the UK has put any standards into place in this area? If not, PIN change at the ATM is functionality that I would hesitate to use (except at Lloyds-TSB, because I happen to know how that one works).

  6. @TRSM.mckay

    Interesting comments about PIN change. I agree that there are plenty of dangers back at the verifying host/HSM. To a point I think it’s still true that no-one gives a toss about these despite the published body of attacks. That said, the latest Visa PIN security requirements publicly available do talk about locking down functionality at switches to only the API calls which are required, which is a step in the right direction.

    However, I’m not sure I see how you can avoid being the victim of these attacks by not changing your PIN? From what we have both said, if the PIN blocks are rarely bound to a particular account, then once you have a known PIN you can attack any account of your choice. So change your PIN or not, it’s a risk. But maybe I have misunderstood your attack hypothesis?

    One of the scariest things I heard recently is that some international stand-in PIN auth centres don’t have proper retry counters that are synched with the main DB, or don’t maintain state information overnight. So you can try 3 PINs in the UK, and then internationally 3 PINs daily, until you just luck out against a particular account. Not that anyone would bother with such an attack, now it’s so easy to skim PINs at POS.

    Mike.

  7. Good point – a poorly designed HSM API allows attacks even if a customer has not done a PIN Change transaction. Any “normal” PIN’ed transaction will provide the needed reference PIN. Realistically, given my knowledge of existing PIN change APIs, I would expect this is the biggest vulnerability in actual implementations.

    But there are scenarios where doing a PIN change transaction is more dangerous than not, particularly if you assume the HSM API is not totally broken. At the very least doing a PIN change will generate some types of data (which may or may not be cryptographically protected) which makes it easier for attackers to choose our particular account to attack. A PIN change transaction might also generate some type of crypto-data that will make the oracle attack easier (again assuming a semi-good HSM API).

    At one point we were going to present this to a standards organization, but I changed jobs before that came to fruition – so I have to assume most details on the Lloyds-TSB implementation are still proprietary. But I can say that the real solution requires the PAN and account number(s) to be cryptographically tied together, and the HSM API to evaluate that relationship before it produces reference PIN values for the changed PIN.

  8. @Wiper

    There are two types of mag cards in standard use. I would presume (but don’t know for sure) that the UK cards use HiCo (since the chips make them more expensive, they probably want the stripe to last). If that is the case, then it will take more than a simple magnet to erase a HiCo track.

  9. I changed my banking habits as my card was cloned. The bank took 2 months to sort it out, and nothing was done after I first reported it. During my first call I told the operator all the necessary details, only to be told on my second call (about a month later as nothing was happening) that there was no record of any conversation, which had lasted 20 minutes. I was told to go to my branch and they would print out a form for me to sign and send back to the fraud team I had originally contacted. More worryingly, during my visit to my branch, I was on the phone to the fraud team in front of a Windows based terminal that was still logged on to the bank network. I was then left alone until the (phone) operator asked me to get a member of staff.

    Now I use cash only from bank cash machines and refuse to use C&P as a rule, only when I absolutely have to. What annoys me is that the banks make us use this technology without any consultation or thought for old people (my mother has very bad arthritis, and finds keypads difficult to use).

  10. Interesting article. IMO what the Great British Public (GBP) should be more aware of is a bit more fundamental:

    1. If you use C&P you have No statutory protection in law. If someone steals your money, you can go to your bank and ask for it back but the bank is a signatory of the Banking Code, which isn’t law, so they can give it back, or not, or some portion thereof.
    2. Credit Cards have statutory protection under the CCA. Debit cards don’t. So those that paid for their Excel holidays with Debit cards didn’t get their money back but people who used credit cards did get their money back.
    3. The 5 major high street banks reported tidy profits in 2007 (but not recently) of 38M GBP. A fair chunk of this came about because the banks persuaded people to do their work for them. ‘Do online banking and the world is yours’. What nobody (especially the banks) told the GrtBritPub is that a fundamental shift in responsibility was occurring.

    I don’t do online banking and never have, so if I go into my bank and offer a cheque for cash for 500 pounds and the clerk says we’re very sorry Sir, but your account is empty, then I can say to the clerk ‘What have You done with my money?’ AKA if you don’t ever do online banking then the bank has sole responsibility for the proper disbursement of funds. Once you do online banking, then the individual is also responsible for appropriate disbursement of funds. If anything goes wrong then the bank can say ‘Oh well sir, you must have got a virus or keystroke logger or whatever. We aren’t giving you your money back’ AKA the bank has just been given someone else that they can blame, rather than previously, when they were solely responsible for proper disbursement of funds.

    The banks have a large incentive to persuade people that online banking is safe & secure because for every 1000 or 5000 people that do it, that’s one less teller the banks have to employ or one less branch they have to keep open.

    So what does this have to do with keeping your money safe?

    As the researchers here have admirably pointed out Chip & PIN is not secure, so don’t use it. PEDs are not secure, so don’t use them unless you have statutory protection, in law. Which means use a credit card not a debit card.

    Limit your exposure, as mentioned in the main article. I have a Credit Card with a 2,000 GBP limit and also a Credit Card with which I can buy a very nice new car. I keep the latter in case an operation in foreign parts, or other emergency, makes its use imperative. I’ve not used it yet. Other than that abuse of the 2,000 pound credit card is unlikely to rain on my parade while the fraud gets sorted out in my favour because I’ve got statutory protection in law.

    The main problem is that that most people do not know the statutory difference between a debit card, a credit card and what doing online banking actually means.

    I would also add: to play fair with the banks: I’ve told my bank not to honour transactions outside of the UK unless I’ve informed them that I’ll be wherever from this date to that date.

    I’m constantly amazed at the number of bright, intelligent people who do not realise the above.

  11. Taking care of your documents and records by storing them and disposing them in a secure manner will also prevent you from becoming a victim of dumpster diving and identity theft. You can destroy or shred your files and paper waste before you recycle them so that your personal information will not be accessed by just anyone.

  12. Does anyone know how to find out if my old auntie had a Barclays Visa/debit card in 2008/2012? The banks are not helpful because I have no statements. She did have a carer; he has no idea. How do I find out?
