www.yorkshirepost.co.uk/news/Prolific-chip-and-pin-fraudster.6375243.jp
Sri Lankan-born De Montford, who will be deported on his release, was found with a laptop containing 35,000 card details, 7,000 of which came from a single Shell garage at Bluebell Hill in Maidstone, Kent.
De Montford ... would modify the pin entry devices by inserting a circuit board, memory device and bluetooth transmitter into the existing machinery.
Amrik Kalsi, the owner of the franchise, told the court his business dropped by 47 per cent as he was unaware his machine had been targeted for two months.
He was subjected to a "campaign of vilification" both online and in his community which was "understandable but totally unjustified", the judge said.
A Facebook group was launched to encourage others not to use his garage and he suffered "regular verbal abuse" from customers.
|
I thought the on-the-counter machines which you put the card in yourself were fairly safe.
Obviously not.
Cash for fuel is the only answer.
Last edited by: ifithelps on Tue 22 Jun 10 at 10:05
|
|
That garage owner doesn't seem to be the sharpest tack in the box!
|
Yup, as soon as charlie joins the takings drop? DING DONG alarm bells anyone.
Last edited by: Zero on Tue 22 Jun 10 at 10:12
|
|
I will only ever use cash in those places now. I know too many people who have had their cards cloned after using a garage.
|
|
I was one of the 7000 customers of the Shell garage on Bluebell Hill who had their cards cloned, the fraud on my account amounted to over £2600 ! This was the 3rd time that i have been "hit", and i now too will only use cash to pay for fuel !
|
I know you guys mean well but knee jerk reactions are seldom the answer. In this case you'll be carrying cash around.
The system did it's bit, it worked. It's not perfect and i'm not for a second suggesting it is, but at least this way you can recover your losses, with cash, you can't just call up and cancel the £20 note you've dropped in the wind.
There will always be problems with every system devised, it will never be cured. It's unfortunate but just the way it is.
This is why it's critical that for all systems we implement, we figure out *before* we rely on it, what do we do when it goes wrong.
|
>> This is why it's critical that for all systems we implement, we figure out *before*
>> we rely on it, what do we do when it goes wrong.
Chip and PIN has already been "broken":
www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
With link to Cambridge's paper.
|
...knee jerk reactions are seldom the answer. In this case you'll be carrying cash around...
Paying for a relatively small purchase in cash is hardly knee-jerk, and it's a lot less bother than having your card scammed.
Mine was done last year.
I was refunded fairly quickly, but there was quite a bit of paperwork/talking to the bank, and there's always the worry you will not get the money back.
My fuel use is reasonably predictable and I don't think carrying an extra £40 or £50 for a day or two to pay for a tank is much of a risk.
|
|
I know someone who works in quite a senior position in a bank and they only ever use cash to buy fuel, and have done for several years.
|
|
My wife is a fraud investigator for a bank. She absolutely won't use a debit card for anything or indeed a cheque. Cash or an insured credit card are the only thing she'll use. When she gets cash in change she also does that irritating thing some shops do and holds it up to the light. I wouldn't know what she's looking for but she reckons she can spot a duff one mostly. It ticks people off though. Seems it's socially acceptable for someone standing behind a counter to do it but bad form for someone standing in front of one. Odd really.
|
>> My wife .. does that irritating thing some shops do and holds it up to the light.
I do this - if I give a £20, for instance, and get a tenner back in the change. The till people sometimes look faintly outraged.
|
One of my sons credit cards was cloned last year - Virgin intercepted transaction, phoned him and asked if he was in London buying a 2nd hand m/cycle @ £3000. He was in Norwich & working.
Not so good was a on-line banking fraud & they took £5000 from a current account - sophisticated attack via several countries in Eastern Europe ..............bank refunded the £5000 in 3/4 days.
|
Nicole got her card cloned in a Co-Op of all places.
None of you actually lost any money tho did you. Sure its inconvenient for a day or three while your card is changed, but the fingerprints of cloning are so clear you are unlikely to be forced to pay for it.
Chip and pin is not "broken" per say, that was a theortical paper, but the mechanism for use is widely compromised. Then again we have had dud cheques as soon as the cheque was invented, we had counterfeit currency as soon as the real stuff was struck, and wire fraud appeared milliseconds after the wires were first connected.
Its nothing new, its crime, its older than the other oldest occupation.
|
>> Chip and pin is not "broken" per say, that was a theortical paper
Great! What a relief. However, it has been demonstrated, and even on TV:
www.youtube.com/watch?v=JPAX32lgkrw&feature=player_embedded#!
and in "The Register":
www.theregister.co.uk/2010/02/12/chip_pin_security_unpicked/
I'm sure this is more widely known where it shouldn't be.
|
you completely miss the point.
That was technological headlines, and completely meaningless.
Breaking the security system is not required when the delivery of it is already compromised. The guy in the op had no idea about all the theory of breaking the protocol. He didnt need to. People have been defrauding chip and pin long before that theory was published.
|
I too had a card cloned at a Shell garage, although the Police caught up with the guy before any money was taken from my account (why is it so often Sri Lankans - raising money for the Tamil Tigers?). Just a bit of a pain while a new card is sent to you.
Any system will have it's weakness - with cash it is the risk of getting mugged. I only use a credit card for all chip & pin purchases - at least it's not my money they are taking if they do clone.
|
>> often Sri Lankans - raising money for the Tamil Tigers?).
>>
I am told it goes something like this:
Asylum seekers pay substantial fees, to facilitators in Sri Lanka, to get them the passage all the way through the channel. Once here, they claim asylum. While the application is processed, they are not normally allowed to work. So these people get unofficial employment at petrol stations at very low wages, and are "blackmailed" to join the scams. Many of them who are granted asylum tehn carry on working legitimately at the petrol station, but they are still under the control of their lenders back home. Their pay will be officially set at or above minimum wage, but then they will often be working doing double the offiicial hours through "unofficial voluntay unpaid overtime", thereby effectively halving the minimum wage. These people dare not complain to anyone, as their families back home are still under threat from the loan sharks. In the meantime, the punters at these petrol stations get their petrol cheaper than otherwise would be the case if the wages overheads were at full legal rates. In return, the punters face the risk of fraud.
|
>> Breaking the security system is not required when the delivery of it is
>> already compromised.
OK, that's an acceptable statement. However, it is true to say, isn't it, that your stolen card could be used to buy goods, apparently being used in conjunction with it's correct PIN.
|
and thats done in various ways,
The first was to take the card, swipe it out of sight and copy details, then have a camera video the user putting in the pin
That is still used with variations.
Now the variation is to modify the chip and pin hardware so you can copy the contents of the card and the pin number entered from the keyboard. You need the two distinct and seperate bits of info. Both however are easily obtained,
You then clone a new card with the contents of the card you copied, easily done with a blank chipcard, and use the pin number. The number and card contents can be sent by email. Thats why the card suddenly apears being used in south africa, or nigeria, or outer umbongo.
For online fraud, you just need the card number, name and security code on the back.
You dont need to break the contents of the details within the card.
Last edited by: Zero on Tue 22 Jun 10 at 17:13
|
|
Yes, yes - but the method outlined above needs no cloning, and there is no need to use the real PIN at all. It is different from those methods.
|
and much more difficult to do at the point of sale. So they go for the simple option.
why should a crook change from simple proven and working, to an unproven lab experiment.
|
Have to say, I agree with Zero. It's theft, as long as people have been exchanging money in whatever form there have been people who will find a way of stealing the money/cheques/card information.
You can reduce the chances but you can't stop it altogether. Let's not get carried away, however, the percentage of transactions and the chance of it happening to any specific, careful individual are incredibly small.
|
|
I called at the local B&Q a few weeks ago to buy some instruments with which to torture the house with...when I went to the check out I glanced up and noticed the security camera at a very extreme angle (pointing down) a glance on the large monitor above the check puts confirmed that this camera was focussed directly onto the keypad of the C&P machine - I went back there a couple of weeks later and lo and behold the camera was in exactly in the same position - now don't tell me that it was that way for a random reason...
|
There are two versions of chip and pin.
Anyone on here used C&P with their UK registered cards abroad ?
I worked on an implementation of C&P six years ago and it was interesting the differences between what was being implemented in the UK and what was happening in western Europe.
|
|
I have - don't tell us, we had the crappy el-cheapo version ?
Last edited by: Pugugly on Tue 22 Jun 10 at 19:12
|
|
You should tell them about it, PU. Be firm.
|
|
I have gone rather limp in the confrontation department since my wife died - she would be very critical of that !
|
|
Braced and refreshed by your spine-stiffening thought, complain next time - you shouldn't need to be confrontational, just mention it to someone in a constructive and helpful manner, and ask to speak to a higher-up someone - you could always e-mail instead, which would avoid all possibility of an electric screwdriver or something mysteriously becoming lodged somewhere really painful.
Last edited by: FotheringtonTomas on Tue 22 Jun 10 at 20:05
|
|
.FT you have the wrong end of the stick. The camera is trained on the chip and pin TO PREVENT FRAUD by the operator. To prevent Exactly what the man in the OP did.
|
|
Oh I know I should do it - but a lifetime of confrontation has been dumped in favour of a quiet life...I must really get annoyed by something soon.
|
>> an unproven lab experiment.
Don't be silly, that it works is quite obviously proven.
It's all the up and coming new stuff (as well as old and old, old stuff) that needs watching.
|
|
I give up. I have a nice bridge to sell you?
|
|
"Whatever". It does work, though, deny it if you can!
|
So does hacking into the mainframe, but the effort does not match the reward. Crime is like a business, it has to pay for the effort.
I am not going to debate with you, you dont have a grasp of the fundamentals. Clearly you didnt read the technical bit.
Last edited by: Zero on Tue 22 Jun 10 at 20:09
|
>> So does
Thanks, Mr. X.
|
And if you get cash out of an ATM you can easily get your card cloned with one of those!
Perhaps a pre paid debit or credit card with a fixed amount on is the answer. Convenience of debit card, no risk for carrying cash but thieving scum bags can only take whatever balance is on the card and you'd have an audit trail on it.
I usually only buy fuel from the same places. Would tend to use cash somewhere I didn't know rather than a card.
All payment systems have weaknesses. The chip and pin one is quite interesting as reading through the technical description you see the implementation missed out a key way of preventing a fraud. But exploiting said fraud is a lot harder than just skimming the mag strip and videoing the pin. Perhaps a random question could be asked at the till eg what's the name of your cat, dog, first school. The bank would have the answers and you'd have to know it or the pin wouldn't be verified. Or there could be the more annoying way of having a passcode but it would only ask for certain characters of it. Card fraud has been going on forever.
Why are mag strips still on cards anyway?? Clearly this is the weak point so they should be removed and outlets without proper readers would have to replace them or go bust. I also don't think a signature should be printed on the back. If you have to verify by signature it should appear digitally on the terminal for the shop or whoever to check. Having a copy of it on the card makes it much easier for a criminal to copy... if that signature is with the bank only you and the bank know it.
|
>> Perhaps a pre paid debit or credit card with a fixed amount on is the
>> answer. Convenience of debit card, no risk for carrying cash but thieving scum bags can
>> only take whatever balance is on the card and you'd have an audit trail on
>> it.
I use one of those. I top it up on line to about 100 quid for day to day use, or more if I know a big ticket item is to be bought
>> Why are mag strips still on cards anyway?? Clearly this is the weak point so
>> they should be removed and outlets without proper readers would have to replace them or
>> go bust.
Believe it or not, some ATMs still use the stripe and not the chip.
IS it me imagining it, or were Shell stations in the majority for cloning? I would have thought Shells franchise department should have something to answer for here.
Last edited by: Zero on Wed 23 Jun 10 at 10:25
|
>> IS it me imagining it, or were Shell stations in the majority for cloning? I
>> would have thought Shells franchise department should have something to answer for here.
>>
No, you're not imagining.
Yes, they should have something to answer for. I raised this with Shell after our local fuel station was in the local paper full of clonees (self included) and their attitude, despite the dramatic loss of custom, was slightly less concerned than "couldn't care less". I guess the franchisee is under such a tight contract, that Shell's profits will continue regardless.
|
Before Chip & Pin my bank Debit Card had my photo on it - better than a signature and a 4 digit pin.
Mind you I have identical twin sons and a photo would be useless for them - they even write in a similar fashion so can sign their names in a very very similar fashion.
|
>> Perhaps a pre paid debit or credit card with a fixed amount on is the
>> answer.
Isn't that just about the same as cash?
|
>> >> Perhaps a pre paid debit or credit card with a fixed amount on is
>> the
>> >> answer.
>>
>> Isn't that just about the same as cash?
You cant pay for a hire car with cash, or send cash over the internet.
|
Garage chip+pin fraudster jailed - Iffy
