Join the Community

22,011

Expert opinions

44,184

Total members

424

New members (last 30 days)

166

New opinions (last 30 days)

28,673

Total comments

Join Sign in

Convenience Store ATM Fraud

19 November 2008 5 comments

Michael Fuller

Former Retail Banker

None

About eight weeks ago I got my wife and I Shell MasterCards from Citi to buy fuel with. This was prompted by the offer of 3% off our fuel purchases at Shell. (6% in the first 60 days from account opening).

This morning (17 November) I got a text from Citi telling me my account balance. It was £1600 more than I had expected so I tried to log on to see why. “Your account has been blocked” the screen said so I phoned instead.

“Press 1 to report your card lost or stolen” the menu said so I did. The voice which answered told me I was through to India. I gave them my card number and told them I was concerned that there were fraudulent transactions on my account since the balance was much higher than it should be. I expected them to help. “Sorry” the agent replied, I can’t deal with this, I’m not trained on Shell Cards!”.

After a while on hold I got transferred to another agent who was trained on Shell Cards but who wasn’t from the Security Department so could only confirm that there were fraudulent transactions on my account, which were cash withdrawals on my wife’s card. He took my details and promised to get someone to call me.

By then I had worked out what must have happened. My wife had only used her card at one filling station in Tooting. The card number and PIN must have been intercepted at the checkout there by Chip and PIN fraudsters and used to clone a cash card.

After no call-back and another call I finally got through to the Fraud Department who confirmed my suspicions that the card had been cloned and used to withdraw cash at an ATM. So despite jailing people the effects are still being felt and card data was still being captured by the criminals in October.

Now while it’s difficult to defeat a determined criminal intent on skimming cards and PINs the whole point of Chip and PIN is to stop fake cards from being used. Why then are ATMs allowed in the UK which don’t validate PINs? I remember this type of fraud from twenty years ago when I think we called it PAN7 the only difference is now the criminals target the non Bank ATMs in convenience stores.

On a lesser but not inconsequential note please would Banks which use touch tone call systems check that the routing makes sense and that their staff who handle lost and stolen calls are trained to handle them!

Finally you may think from my posts that I’m a particular victim of card fraud since I’ve had four or five incidents where my card details have been compromised in the last 12 months. What is really worrying however is that if this level of fraud is happening to me what is happening out there generally? With credit card profits being hit through write offs and the recession generally the Banks and Card Associations need to start closing the gaps to fraud and that means enforcing adoption of Chip and PIN in ATMs.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

6762

Report

Channels

/security

Comments: (7)

A Finextra member

20 November 2008

Michael

Really appreciate how inconvenient and frustrating it is to be a victim of this kind of fraud

Just one small comment on your post which I appreciate was more about point -of -sale than ATMs.

All UK ATMs are EMV compliant using Chip and Pin technology and have been for some time. This means that when a Chip card is used in them it will automatically be read and it prevents a fake Chip card being used to withdraw cash.

EMV is rolling out across Europe but for the foreseeable future there will be countries where a fake card can be used as the ATM will read the copied mag-stripe.

Graham

Graham Mott, LINK ATM Scheme

Report

Michael Fuller Former Retail Banker at None

Author 20 November 2008

Graham

These withdrawals took place in the UK so there seems to be a hole somewhere.

Mike

Report

A Finextra member

21 November 2008

""All UK ATMs are EMV compliant using Chip and Pin technology and have been for some time. This means that when a Chip card is used in them it will automatically be read and it prevents a fake Chip card being used to withdraw cash."

EMV is rolling out across Europe but for the foreseeable future there will be countries where a fake card can be used as the ATM will read the copied mag-stripe.

Graham

Graham Mott, LINK ATM Scheme

20/11/2008 21:45:52 Michael Fuller added:

Graham

These withdrawals took place in the UK so there seems to be a hole somewhere.

Mike"

------------------------------------------------

OOOUUUUCCCCHHHHH.

No wonder we couldn't convince Mr. Mott - LINK ATM to check out our CARD fraud solution.

Mike said "banks need to start closing the gaps to fraud and that means enforcing adoption of Chip and PIN in ATMs."

Mike, banks at the moment are going through the "deer stuck in headlights" moment and most likely don't give a mouse's 'behind' about your last invoice and the money that was lost. Prince Alwaleed Bin Talal's latest injection plus the bailout money will surely cover your citibank losses. Surely, they will remind you that at the end of the day, you will not have to pay for these fraudulent transactions.

The next time you use your new card, you'll probably get blocked by the bank's predictive risk management system. While the entire world have realized the fallacy of predictive risk management systems when it relates to investment and capital, most banks are still applying the same concept and employing these systems of predicting of how you might use your card. When this happens, try calling your bank to complain about getting blocked and you will be told that "Its also for your own safety that they are blocking you from using the card.".

Report

David Birch Grand Poo-Bah at Tomorrow's Transactions

24 November 2008

"These withdrawals took place in the UK"

Were these withdrawals at bank ATMs or at "stand alone" ATMs in pubs or something like that?

Report

Michael Fuller Former Retail Banker at None

Author 24 November 2008

The transactions were not at a Bank and all bear the name "RANC". There were transactions in "Hammersmith", "Shepherds Bush" and "London". I'm assuming they are an ATM because the amounts are all Cash Advances for either £100 or £250 with multiple withdrawals over three days. Since the card was cloned I can't see how these withdrawals would have been over the counter.

Report

Joe Pitcher These are my views at Irrelevant

28 November 2008

The loophole is possibly in a setting that states if the Chip is not able to be read, to allow the transaction to proceed. It is then up to the issuing bank to decide whether or not to honour that transaction.

In my (humble) opinion the banks should all be declining such transactions.

At the end of the day if the chip is not read/present the transaction relies on either terminal rules or the issuer to decision based on risk. The 'fault' seems to be a mag stripe transaction being approved on an EMV card.

Report

A Finextra member

30 November 2008

Many people working for companies in the card (transactions) processing industry know that fraudsters have found a way to 'nuke' or 'break' the chip so as to force the fallback not only with the real card but also (of course) simulate an unreadable chip with the cloned card. If banks were to disallow the fallback, then they would most likely get MANY MORE irate calls from their cardholders.

Report

Michael Fuller

Former Retail Banker

None

Member since

14 Mar 2008

Location

London

More expert opinions

Konstantin Rabin Head of Marketing at Kontomatik