Bank and Credit Card Fraud


Post by kcowan »

You thought Canadian Credit Cards protected you? How about this?
Canadian Banks "Share the risk" with their customers.
Here is part of a CIBC Visa credit card agreement, for a Chip card:

"If a cardholder fails to comply with any obligation in the section entitled personal identification number (PIN) and someone other than the cardholder makes any PIN-based transactions on the Visa account, the cardholder will be liable for those transactions and any interest, fees and losses incurred...."
In the debit card agreement for the same cardholder, you will find this additional cautionary tale: "Contributing to unauthorized use: if someone uses your bank card or PIN without your authority but your actions (or inaction) contributed to that unauthorized use, you are responsible for all losses...."
So much for the $50 limit...
We can always dismiss CIBC for its ineptness. But then, other banks are lining up to offer similar protections for you the consumer. Here is the number one bank with the $1 billion (exceptional) loss this quarter:
excerpt from a Royal Bank Visa credit line agreement for small business:

"We (the business cardholder) will not be responsible for debt charged to our account as a result of the fraudulent and unauthorized use of a card, cheque or account number, provided that we can establish to you (the bank) that we have taken reasonable steps to protect cards and cheques against loss or theft and to safeguard our PIN and other security codes in the manner set out in this agreement or as you (the bank) may otherwise advise us from time to time."
Guess where they are going to make up for their subprime losses?
For the fun of it...Keith

Post by Bylo Selhi »

kcowan wrote:So much for the $50 limit...
Did the $50 limit and/or "zero liability" ever apply...

"If a cardholder fails to comply with any obligation in the section entitled personal identification number (PIN) and someone other than the cardholder makes any PIN-based transactions on the Visa account"?

and/or

"Contributing to unauthorized use: if someone uses your bank card or PIN without your authority but your actions (or inaction) contributed to that unauthorized use, you are responsible for all losses."?

IOW why should the bank be responsible if the customer does stupid things like writing down the PIN in their wallet, disclosing their PIN to family and friends, using "obvious" PINs like 1234, etc.?

There has to be some incentive for customers to take PINs seriously, otherwise there's a huge moral hazard for the banks (and those of us who invest in their securities.)
Sedulously eschew obfuscatory hyperverbosity and prolixity.

Post by marty123 »

kcowan wrote:You thought Canadian Credit Cards protected you? How about this?
As far as I understand, all the credit card agreements are being rewritten to make the user liable when a valid PIN is used to make a transaction. It's a matter of time before a credit card is no more secure than a debit card.

Banks are making the assumption that chip cards are fully secure, so this will make things interesting when cloning and stolen PINs start being a common occurrence.

Post by kcowan »

I have some friends who already have chip-equipped Credit Cards. Here in PV, one of 2 things happens:
1) they are swiped like normal, or
2) they are asked to go to the cashier in the restaurant who has the only chip card reader (just like with many debit cards).

I think the merchant gets more protection when the transaction is done through a chip-card reader. It appears that gradually the customer will also need to do it to get the previous level of protection. Thanks Canadian banks for another big takeaway.

Some of the more advanced locations are doing tableside authorization. This will be a big improvement for everyone (except the clients who get to pay extra in their meals for the costs of the equipment for the retailer). There is a business case here but most retailers do not acknowledge it.

(We will be forced to "upgrade" our credit cards in May 2010.)
For the fun of it...Keith

Post by Chuck »

I'm not too worried about this as long as PIN theft via some scam involving the swipe machine is not common. I'm not careless with my PIN otherwise.

I wonder if banks need to be careful what they wish for. The same, shall we say "not too savvy" folks who carry high credit card balances are likely to be the ones most careless with PINs. Having to bear the brunt of fraud might actually discourage these folks from credit card use. Maybe not - but getting robbed has an emotional effect on people that is not financial savvy related.

Post by marty123 »

Chuck wrote:I'm not too worried about this as long as PIN theft via some scam involving the swipe machine is not common.
I can guarantee that it will happen. It's a 100% possibility. The worst is: by default, the PIN assigned by the banks is the same as the PIN assigned to the ATM cards. Count on these swipe machines to intercept your PIN, and a pickpocket to quickly bump into you leaving the restaurant or store.

Post by brucecohen »

I have a PIN Visa card. I think it's a great idea BUT Christmas shopping season will be a nightmare if they don't speed up the validation.

Post by FinEcon »

IMO the real annoyance of PIN'ing CC's is not the liability swap, as that impact, in practice, will be minuscule. However, for those of us who use multiple cards to leverage different reward schemes, a PIN provides an incentive to just throw in the towel on the grounds that no one wants to remember 3-4 PIN numbers. I can only hope Amex & MBNA don't go down the same road that the (shitty VISA) big 5 banks have.
Show me the incentive and I will show you the outcome

--Charlie Munger

Post by Yukon Maiden »

I hate that CIBC just sent me my new Visa with a chip. They claim it makes it more secure. Only for them, I would say. Before, if someone stole my card and faked my signature, I was covered. Now, if someone manages to see me entering my PIN or skims it, I am on the hook for the damages.

I also noticed in the new card holder agreement changes that they sent in the mail that internet purchases are no longer covered if you don't get what you paid for. In fact they are no longer covering any purchases where the actual card was not presented, in person. I would imagine that almost no one knows this as most would not read through all that fine print. To me, this is huge.
"I reject your reality, and substitute my own!" - Mythbusters

Post by kcowan »

Yukon Maiden wrote:In fact they are no longer covering any purchases where the actual card was not presented, in person. I would imagine that almost no one knows this as most would not read through all that fine print. To me, this is huge.
Well I sympathize with your feelings! However, you have to understand that they are spending a huge amount to convert over to chip card readers, and, if they don't put any teeth into the need to use and protect them, the investment will not pay off.

I don't blame them for doing it. I just get frustrated because, as Canadians, we are once again pawns to their oligopoly.

Remember we really should be mad at the crooks. If the banks can reduce CC losses, everyone except the crooks will benefit in lower prices eventually (I hope).
For the fun of it...Keith

Post by Reckless »

Yukon Maiden wrote:I hate that CIBC just sent me my new visa with a chip. They claim it makes it more secure. Only for them, I would say. Before, if someone stole my card and faked my signature, I was covered. Now, if someone manages to see me entering my pin or skims it, I am on the hook for the damages.

I also noticed in the new card holder agreement changes that they sent in the mail that internet purchases are no longer covered if you don't get what you paid for. In fact they are no longer covering any purchases where the actual card was not presented, in person. I would imagine that almost no one knows this as most would not read through all that fine print. To me, this is huge.
I received my CIBC chip card and didn't see anything in the terms and conditions which said Internet purchases were no longer covered if my card was used improperly.

Can you please state the paragraph where you read this?

Post by Bylo Selhi »

How's this for scary? Cash machines hacked to spew out card details
"SKULDUGGERY," says Andrew Henwood, "is a very good word to describe what this extremely advanced, cleverly written malware gets up to. We've never seen anything like it."

What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street...
Sedulously eschew obfuscatory hyperverbosity and prolixity.

Post by kcowan »

PINs in Canada are encrypted and they are only in the clear in a secure locked room deep within the banks' processing centres. I expect PIN-equipped credit cards will have equal or better security.

Meanwhile there is that 3 digit security code on the back that is not machine-readable.
For the fun of it...Keith

Post by Bylo Selhi »

kcowan wrote:PINs in Canada are encrypted and they are only in the clear in a secure locked room deep within the banks processing centres. I expect PIN-equipped credit cards will have equal or better security.
Yes, I thought about that too, however, the article says, "When a customer inserts their card, the malware records to hard disc its account number, start date, expiry date and three-digit security code, as well as the PIN entered." Presumably that's in the plain, before it's encrypted and sent to the bank's glass house in the sky. As for chip and PIN, that technology has been widely used in Europe for many years so presumably this exploit can handle it.
Meanwhile there is that 3 digit security code on the back that is not machine-readable.
The article claims they can read that code (see above), but regardless, it's not normally required for transactions where the physical card (or clone thereof) is presented.

BTW similar exploits have been demonstrated in which the point-of-sale chip and PIN reader has been hacked to record the same information. Again the PIN is recorded as keyed in by the customer, i.e. in the plain.
Sedulously eschew obfuscatory hyperverbosity and prolixity.

Post by kcowan »

Bylo Selhi wrote:Again the PIN is recorded as keyed in by the customer, i.e. in the plain.
I am pretty sure this could not happen in Canada because the PIN-pad becomes inoperable when "unsealed" and the ATM or POS terminal becomes inoperative until it is recertified on Interac. But hey it is good to be diligent (and avoid ATMs in Russia?).
For the fun of it...Keith

Post by newguy »

kcowan wrote:I am pretty sure this could not happen in Canada because the PIN-pad becomes inoperable when "unsealed" and the ATM or POS terminal becomes inoperative until it is recertified on Interac. But hey it is good to be diligent (and avoid ATMs in Russia?).
It happened to me. I only used my debit card in one 'risky' place so I know where it happened. Google for 'Wendy's interac theft'. It seems to be common, they just add a reader to the wire and can get everything. I've dropped pin pads (or things on them) and cracked them open, a little bit of tape and they worked fine (long time ago though). A few years ago a merchant neighbour employee told me someone offered him $1000 for 10 mins alone with his interac machine. I was baffled as to what he could do with one as without the merchant card you can't do returns. Anyway this is the way the Russian mob does it here (according to those old news stories).

newguy

PS: the bank (TD) called me to tell me about the theft ($481.5) and refunded it right away. They never asked any questions like they cared how it happened.

Post by kcowan »

newguy wrote:the bank (TD) called me to tell me about the theft ($481.5) and refunded it right away. They never asked any questions like they cared how it happened.
It would seem that they have given up on the control that they exercised when we first implemented Interac in the 80s!
For the fun of it...Keith

Post by Hammerer »

kcowan wrote:
Bylo Selhi wrote:Again the PIN is recorded as keyed in by the customer, i.e. in the plain.
I am pretty sure this could not happen in Canada because the PIN-pad becomes inoperable when "unsealed" and the ATM or POS terminal becomes inoperative until it is recertified on Interac. But hey it is good to be diligent (and avoid ATMs in Russia?).
Well, since they are all of the same design, it isn't difficult to figure out exactly where one would need to drill the appropriate holes so that it doesn't have to be un-sealed at all.

When thinking about Chip and PIN cards, I tend to think of pay-tv security, many companies around the world spending oodles on security, and every generation seems to get hacked. With the reward here being cash-money rather than free TV, I could only imagine the amount of effort that will be put in place to find every vulnerability imaginable that may exist in these systems.

Don't underestimate the power of organized groups able to take these cards, find appropriate solvents to remove the coating layers, completely reverse engineer the underlying circuitry, dump the internal code, dump encryption keys or find other security flaws.

You'd be surprised by the creativity of some of these hacks, like manipulating the clock frequency at precisely the right time in its execution of code so as to cause the card to skip specific crucial steps in their authentication processes.

Here's some food for thought on the UK Chip and PIN system and its security issues:
http://www.cl.cam.ac.uk/research/security/banking/

Don't forget that the legacy mag-stripes will be on these cards for years to come, so that vulnerability will continue to exist, and the PIN to withdraw cash at an ATM with the mag-stripe is the same as the PIN you'll be entering all day long to purchase anything.
http://www.cl.cam.ac.uk/research/security/banking/ped/

One big problem with the UK system was that it sent the mag-stripe information through the smart-card interface, so with the PIN, one had all the information they needed to make a legacy mag-stripe card and withdraw whatever they pleased at accepting ATMs.
http://news.bbc.co.uk/2/hi/programmes/n ... 265437.stm (Don't forget to watch the report!)

Although the system released here _may_ not have the same vulnerabilities, it just goes to show that they weren't designed to be super-secure devices in the first place. I think we're several generations of cards out before having something that we can really consider "secure" and honestly start placing the full liability on the customer.

Post by bbsj »

My CIBC Visa was used by fraud three times last week before the bank blocked it and called me. Actually, the bank found out when I tried to use the card in Thunder Bay a minute after someone had used it in a southern Ontario gas station. Obviously to my embarrassment, my purchase was rejected.

My question is - how can the card be used three times in southern Ontario gas stations over two days when the card was in my possession?

Post by kcowan »

bbsj wrote:My question is - how can the card be used three times in southern Ontario gas stations over two days when the card was in my possession?
There are inexpensive magnetic stripe encoders that attach to PCs. The crooks know the format. The card used does not have to look like a valid card if it is used at a pay-at-the-pump device as long as the strip is encoded correctly.

Other fraud is done by crooked retail clerks who can key in the number (although there are limits to what keyed transactions are accepted).
For the fun of it...Keith

Post by adrian2 »

kcowan wrote:The card used does not have to look like a valid card if it is used at a pay-at-the-pump device as long as the strip is encoded correctly.
The gas station pumps are one of the few places where no signature is required.

Post by Bylo Selhi »

bbsj wrote:Actually, the bank found out when I tried to use the card in Thunder Bay a minute after someone had used it in a southern Ontario gas station. Obviously to my embarrassment, my purchase was rejected.
The same thing happened to a friend of mine who had his and hers CIBC Visa cards. He was trying to buy gas for his rental car in New Jersey while she was trying to buy gas for her car in Tronno. Apparently his and her cards have identical card numbers and there's no way for CIBC's computers to tell which card is which :(
adrian2 wrote:The gas stations pumps are one of the few places where no signature is required.
However generally such purchases are limited to ~$100. Mastercard does something similar at grocery stores. If you use a PCF MC to pay for groceries at a Loblaws chain store no signature is required below some threshold ($50?)
Sedulously eschew obfuscatory hyperverbosity and prolixity.

Post by Jaunty »

Many pumps in Florida and S. Carolina (& probably other southern states) require you to enter your American zip code. Becomes a pain when you are Canadian and don't have one, but the retailer will hold the card and run it through their machine when you are done. Doesn't seem to affect the stations along or near the Interstates. Guess the type of fraud mentioned above is the reason for the city stations to require this.

Post by WishingWealth »

I had a msg in my CIBC acct and they offer an extra level of protection for your browser while you're on the site.
It's called Trusteer.
Has anybody installed it?

WW

BTW: The meandering, never ending prompts in their message center just suck.

Post by pmj »

Bylo Selhi wrote:Apparently his and her cards have identical card numbers and there's no way for CIBC's computers to tell which card is which :(
We have more than one account with joint cards - I haven't checked them all, but both cards on one of the TD VISA accounts have the same numbers, including the CVC number :shock:.
Peter

Patrick Hutber: Improvement means deterioration