OT you can be sure of Shell ??

A friend has had £3k stolen from his bank account in the past month after he used his card at our local Shell garage and it was cloned. Fortunately the bank are refunding his money, but it's a pretty bad situation. He only actually found out when he couldn't withdraw money from the cash machine and he went into the bank to find out why.

Matt

It happened to me for the first time only a couple of weeks ago. Reading my monthly bank statement and saw that 5 transactions totalling £138 had been used for coach trips from National Express in Birmingham. This was also on a Friday evening. I was straight on the phone to Nat Express who were actually really helpful,But said it was down to the bank to refund me. I then sent the mrs down to the cashpoint to withdraw the maximum allowance while i phoned the bank to cancel the card. After a lengthy call to the bank and the police i got a crime number. I had a letter from the fraud investigating team saying there is nothing more that they can do(Even though they had a name and address for the bookings)And my card was more than likely cloned. I am still waiting to be refunded. In my job im sometimes away all week,And i use service stations cashpoints a lot,And chip and pin. I didn't know that Shell had now stopped this,Thanks for the info. Its probably now safer to carry a wad full of money to see you through,Than using these so called safe gadgets and risk losing the lot.

This happened some time ago, I'm not sure on the details but I suspect it's the same issue that's hit some stores in the US; when you enter your PIN number into the little machine at the checkout, that number is not supposed to be stored, in a similar manner to the three-digit code on the signature strip that you're often asked for when making telephone purchases with a credit card.

Despite instructions that neither of these bits of info should be stored, many credit-card processing systems do store them, with the end result being that when the system gets hacked, not only does your normal card details get leaked, but your PIN number does too, allowing thieves to walk up to cashpoints and withdraw your money, not something they were able to do before "chip and pin".

The software on our terminal was completely updated last weekend, which would seem to confirm that it was a terminal software issue. The way the transaction is handled has also been completely re-vamped.

Richard

On or around Fri, 19 May 2006 21:34:29 +0100, Ian Rawlings enlightened us thusly:

well, I used the chip and pin in Shell yesterday...

as to notifying etc. if the bank know your card has been cloned, then their best option (and yours, really) is to kill the card ASAP. If they wait several days to notify you, then either you or they are gonna lose money.

mostly, the banks seem pretty good at refunding when this happens - I know that if you lose or steal the card, then you're liable for losses up to the point that you notify the bank.

Makes me glad we're so far behind the technology here in Oz ... no chip & pins here

Karen

How can they *know* a card has been cloned. They can have a pretty good idea, but not *know*. A suddenly stopped card would really piss of a customer, especially if they got it wrong.

The bank should, IMHO, make serious effort to contact the card keeper but that has problems. I will not give personal information to anyone that telephones me, how do I *know* who they are? Especially a cold call. They could me ask to call their Customer Service Center and maybe give me a verification code (not that that is worth much) but I wouldn't call any number they gave me unless I could independantly verify it. Could be anyone...

It may take several days before their automated systems pick up on a pattern of use change. Just because a card suddenly leaps from it's "home" area to Paris doesn't mean it's cloned, unless the time between transactions is too short for the card to have physically done the journey.

They do, just as well. What I don't like is that they tend to tell you to wait for your statement then you have to tell them which transactions you didn't make. They cancel them but still expect full payment (inc the fraudulent ones) if you don't make full payment you get lumbered with interest and another loop getting that back.

Chip and Pin was introduced for the convenience of the wunch of bankers who only have limited vision - there is no way - in reality, that it is safer than a sig - it's cheaper to maintain and administer, though.

Our systems do not store the number or CV2 code - they pass them directly (encrypted) to the clearing bank for an instant verification or denial, however we've lost count of numerous on-line systems where the details, although passed via SSL, are stored locally - in one case in an open text file. Other systems make a big show of how secure their site is - then send the card details via unencrypted email to the office for manual processing!

The simplest way is to have an account with a debit card seperate from your normal bank account. Transer only enough money into the new account for your use - then when it gets cloned you're limiting your exposure.

Personally I only use my debit card for cash withdrawal these days, and use the credit card for everything else. Every saturday I do the finances, which includes paying off the week's credit card purchases.

The idea is that the credit card offers the facility to question stuff that appears on the account, but a debit card sucks it straight out. Also it's easy to change credit card, so if you are worried about the amount of places that have your card details, you can cancel the card and get another one with a different card company.

One of the credit card companies was offering a 'one off' autogenerated number to use for online transactions - can't remember who, offhand, may have been EGG.

Have to say though, I am a fan of analogue transactions (CASH). If I go to a show with a couple of hundred quid in my pocket I know what I'm spending. With a card it's all too easy to get carried away - and exponentially increase the risk of someone with a paper swipe machine misappropriating the card details.

On or around Sat, 20 May 2006 10:03:31 +0100 (BST), "Dave Liquorice" enlightened us thusly:

I assume they know it's cloned if they get 2 transactions in 2 places at the same time, but I suspect there's more than meets the eye - could be there's some kind of checksum or something that isn't cloned right and shows up but isn't checked by the machine on the street. They can also get it from transaction patterns. Try doing something off the wall with your card like making a succession of max withdrawals or huge purchases and I bet you get the bank on asking if it's you.

I reckon there is something by which they can identify a cloned card though

- I know someone who had it happen and was notified almost before they got home.

On or around Sat, 20 May 2006 12:19:59 +0100, Ian Rawlings enlightened us thusly:

the scumbags can put their cloning machine on the front of an ATM though.

There's considerable evidence to refute that. Speaking as a retailer, C&P is a hell of a lot simpler to use, and any doubt about signatures is removed (it's always the retainlers fault, so we used to take the hit every time). Now they either know the PIN or they don't which is nice and tidy.

Richard

|| On Sat, 20 May 2006 08:46:07 +0100, Austin Shackles wrote: || ||| if the bank know your card has been cloned, then their best option ||| (and yours, really) is to kill the card ASAP. || || How can they *know* a card has been cloned. They can have a pretty || good idea, but not *know*. A suddenly stopped card would really piss || of a customer, especially if they got it wrong.

Depends on the customer. I was once away from home and bought a new camera in a branch of Jessops where they had some interesting special offers. I walked out of the shop, and then realised that I had Di's Xmas present sewn up if I went back in. I did so, and my card was refused. I called the bank and they let me know they had spotted two biggish transactions about 250 miles from where I normally do my spending. After some really deep security questions, they unblocked the card. The guy at the bank was really apologetic, as he assumed I would be majorly pissed off, but I was delighted, and I told him so. To recognise an unusual pattern of spending/location and block the card within about 3 minutes was bloody marvellous IMO. Getting the card unblocked was a minor inconvenience, compared to what might have happened if I had had my card stolen or cloned and they had waited 24-48 hrs to inform me.

I've always operated like that, but then Debit Cards are a new fangled thing and I don't like the way the money goes straight from my account. The only place that I use my Debit Card is CostCo but only because they don't take Credit Cards and I hardly ever remember to take my cheque book.

Thats a bit keen, but I do cross check all statements fairly soon after they arrive. So far I've only found (or rather not found) purchases that I have made that have never turned up on my statements. B-)

Yes further down I said "unless the time between transactions is too short for the card to have physically done the journey." Which is actually a bit more open than "the same time".

The last two digits of a card number are a checksum for the card number. Fairly simple algorithm, was (and probably still is) available on the 'net. VAT numbers also have a built in checksum.

The vast majority of card transactions are online these days, very few are not checked with the banks computer before being authorised. If there was something like this cloned card fraud would be much harder.

This is the major part of it and it appears is "real time", at least for some cards. TBH I'm not surprised most of us are creatures of habit and have pretty predictable spend patterns. Mind you they are tightening up, got a flyer with one of my statements asking me to tell them before I go abroad, dates & locations etc. I guess the hidden meaning is that *any* foreign stuff appearing on my account could lead it to being blocked.

"Dave Liquorice" wrote ((snip))

Every time we go to France for the day to buy red wine and stuff, after the first transaction the next purchase gets the instruction "Phone Card Issuer" on the terminal. Of course nobody in the shops ever does, they just ask for another card, so the computer then stops the original card automatically. Ended up with three cards stopped between us a couple of weeks ago. Eventually got a call on the mobile from a person and they went through my last few transactions one of which was Eurotunnel for the tickets, now I would have thought that would have given them a starter for ten but we are talking about a computer, at least they unstopped that card. Didn't get the other cards unstopped until back in UK. We have even phoned beforehand to warn them we will be shopping abroad but still have the problem, thank goodness for mobile phones.

The fault isn't with the Bank, they are just trying to protect both of us, it's the shops for being lazy and not phoning when asked.

Sure, but I rarely draw money out of any ATM other than the one near my house, I work from home so not much call for getting money out elsewhere. Also you can keep your eyes open for such things, all in all much less risk than trusting your details to countless shoddy software implementations all over the place that you can't assess in any way shape or form.

TBH the main reason I pay off the credit card every week is because otherwise I'll end up owing thousands again, done that already, still paying it off! :-( Paying the balance weekly means I can keep it in hand much easier. Some of us have no self control (he says, looking out at driveway where 6-wheeled monster is sitting).