
TVMs and Credit Card Cloning


maffi209

Member
Joined
31 Jul 2017
Messages
28
I have a credit card that is exclusively used to pay for work travel. The only uses of the card are:

- Buying rail tickets online
- Tapping in/out on TFL
- Buying rail tickets from ticket office or TVM
- Collecting tickets from TVM
- Contactless payment on buses

Twice in the last four months I have had my card cloned - but the PIN has not been compromised on either occasion. The bank tell me that the magnetic strip has been skimmed when I have put the card into an ATM or similar.

The only machines I ever put my card into are TVM. So my questions are: is the use of TVMs to clone cards common? Is it a known problem within the rail industry? Is there anyone within the railways I should be alerting that this has happened to help the industry prevent this?
 

Bantamzen

Established Member
Joined
4 Dec 2013
Messages
9,760
Location
Baildon, West Yorkshire
If the PIN wasn't compromised, is it possible that the fraud may have been online? It is possible for fraudsters to spoof genuine sites in order to farm details and skim accounts, so it may also be possible to clone cards albeit without PINs. Back in 2013 an awful lot of fans of Bradford City got hit by a spoof fraud where fraudsters were able to redirect legitimate traffic from the designated Wembley ticket merchant to a spoof site, farm the card details then still pass the transaction back to the legitimate site so that the tickets would be paid for and delivered. The fraudsters then started to skim accounts to check for detection and then try for larger amounts.
 

maffi209

Member
Joined
31 Jul 2017
Messages
28
The magnetic strip was copied and then swiped to spend 200 quid on petrol. The previous occasion it was 600 quid on fags and booze. That it was the magnetic strip that was copied is what leads the bank to be sure it has been skimmed on some machine or other.

Not being a fraudster I am a bit out of my depth on the technicalities but just wondering if this is a known problem with TVMs? I have never noticed anything that looked suspicious on ticket machines and I have tended to look a bit more closely since the first occasion.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,002
Location
"Marston Vale mafia"
I wish more banks would do what Monzo does and allow you to enable the magstripe[1] manually only when you need it, or even better issue two cards, one with a chip but no magstripe for domestic use and one with a magstripe but no chip for use on holiday.

[1] Not the stripe itself, but they automatically reject non-chip authorisations unless you turn it on on the app.
 

LowLevel

Established Member
Joined
26 Oct 2013
Messages
7,619
I believe it has been known, yes. I physically pull and poke at any machine I have to put my card into.
 

westv

Established Member
Joined
29 Mar 2013
Messages
4,219
When I purchase online something which might be different to what I normally buy or when it's over a certain amount I need to enter info from my veri-sign password. I also normally need to enter a billing address. When I purchase in store over £20 I need to enter my PIN.
I don't understand how crooks can bypass these checks to steal money - but I know that they do.
 

TwistedMentat

Member
Joined
2 Oct 2016
Messages
151
It's entirely possible. Mag stripe scanners can be very small so could be inserted into the slot with nothing hanging outside.

It may be worth contacting the station operators where you've made use of the card to have them check the machines. Not sure how useful that would be though.

The interesting bit to me is they're trying the mag stripe alone attack. In the EU and most places now chip and pin is required. With vendors who continue to use the mag stripe only machines being liable for any fraud as they haven't upgraded to recent machines.

So to try the mag stripe only attack suggests the attackers think they're going to get a bunch of US traffic or something. Seems odd to me.
 

dgl

Established Member
Joined
5 Oct 2014
Messages
2,414
I suppose if you never think you are going to need the magnetic stripe (esp. given a lot of retailers won't accept swipe payments on a chip card) one option is to run a magnet along the stripe a few times to destroy the data on it and make it unusable.
I gather a good proportion of cash points now use chip authorisation so no problem there.
 

Steve Harris

Member
Joined
11 Dec 2016
Messages
895
Location
ECML
I remember seeing a programme on TV with Gloria Hunniford that showed that a chip and PIN card's details could be copied by a mobile phone with a certain app installed.

I think the programme was 'Rip Off Britain'.

Basically someone sets the NFC settings on their phone to read and as long as they get said phone close enough to your card they can read all the data which is stored on the magnetic strip.

To stop this you should keep your card in a special wallet... basically tin foil !!
 

PeterC

Established Member
Joined
29 Sep 2014
Messages
4,092
I have had several cloning attempts on my credit cards. All in the US where card security is way behind ours.

I don't think that you need more than the data derived from the card number to clone a mag stripe.
 

Muzer

Established Member
Joined
3 Feb 2012
Messages
2,773
> When I purchase online something which might be different to what I normally buy or when it's over a certain amount I need to enter info from my veri-sign password. I also normally need to enter a billing address. When I purchase in store over £20 I need to enter my PIN.
> I don't understand how crooks can bypass these checks to steal money - but I know that they do.

It's generally up to the merchant to implement all these things. If they don't they'll usually be more liable to fraud, but notable examples include Amazon who don't even implement CVV (the three-digit security code), because the rules (which many people break) say you're not allowed to store it, and having people type in the CVV each time they want to buy something would put more of a dent in their sales figures (through loss of convenience) than just stumping up for cases of fraud.

In cases of using the magstripe it's likely to be taking advantage of less knowledgeable merchants, for example, who don't realise how insecure it is to fall back to magstripe if chip and pin doesn't work.
 

westv

Established Member
Joined
29 Mar 2013
Messages
4,219
> I suppose if you never think you are going to need the magnetic stripe (esp. given a lot of retailers won't accept swipe payments on a chip card) one option is to run a magnet along the stripe a few times to destroy the data on it and make it unusable.
> I gather a good proportion of cash points now use chip authorisation so no problem there.

What happens though if you want cash out from a hole in the wall machine?
 

Muzer

Established Member
Joined
3 Feb 2012
Messages
2,773
> I suppose if you never think you are going to need the magnetic stripe (esp. given a lot of retailers won't accept swipe payments on a chip card) one option is to run a magnet along the stripe a few times to destroy the data on it and make it unusable.
> I gather a good proportion of cash points now use chip authorisation so no problem there.

If you intend to purchase items in a GWR HST buffet car with your card, I would recommend against this as they still use magstripes there!
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
98,002
Location
"Marston Vale mafia"
> It's generally up to the merchant to implement all these things. If they don't they'll usually be more liable to fraud, but notable examples include Amazon who don't even implement CVV (the three-digit security code), because the rules (which many people break) say you're not allowed to store it, and having people type in the CVV each time they want to buy something would put more of a dent in their sales figures (through loss of convenience) than just stumping up for cases of fraud.
>
> In cases of using the magstripe it's likely to be taking advantage of less knowledgeable merchants, for example, who don't realise how insecure it is to fall back to magstripe if chip and pin doesn't work.

I vastly prefer 3D Secure etc because the "secret" is something I set so I can remember it, and it isn't on the card or indeed anywhere else so someone in physical possession of the card still can't make a purchase.
 

Marklund

Member
Joined
18 Nov 2010
Messages
827
> I have had several cloning attempts on my credit cards. All in the US where card security is way behind ours.

Way behind indeed, they've not long had chip and pin, and US Contactless payments are unlimited, or an exceptionally high value. o_O
 

zuriblue

Member
Joined
12 Oct 2014
Messages
537
Location
Baden Switzerland
One of my cards went to Chip and Pin a little while ago, before then I had to charge back payments several times because the card became compromised. They worked out that it had been skimmed at a pay-at-the-pump machine in the States. Since it went to Chip and Pin I've had no further problems touch wood.
 

TwistedMentat

Member
Joined
2 Oct 2016
Messages
151
> It's generally up to the merchant to implement all these things. If they don't they'll usually be more liable to fraud, but notable examples include Amazon who don't even implement CVV (the three-digit security code), because the rules (which many people break) say you're not allowed to store it, and having people type in the CVV each time they want to buy something would put more of a dent in their sales figures (through loss of convenience) than just stumping up for cases of fraud.
>
> In cases of using the magstripe it's likely to be taking advantage of less knowledgeable merchants, for example, who don't realise how insecure it is to fall back to magstripe if chip and pin doesn't work.

More likely is that Amazon has an agreement with the credit card companies which then gives them a waiver on the CVV stuff.

If you want to handle the credit card processing yourself you need to be PCI DSS certified. So a lot of small businesses outsource that to processing companies. https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

The super large orgs can always get some sort of sweetheart deal. Probably in exchange they have to do more to catch any fraudulent activity.
 

Deafdoggie

Established Member
Joined
29 Sep 2016
Messages
3,101
Amazon emailed me not too long ago to say they were preventing fraudulent activity (I hardly use Amazon) and they believed my details were compromised, they changed my Amazon password as a precaution, told me to change any other websites I used the same password for. I then had a letter from the bank saying my card was compromised and they sent me a new one. All this cost me nothing, but there is a lot more going on behind the scenes than you realise.

My brother-in-law works for a well-known high-street bank, he assures me the behind the scenes work they put in is immense, and largely goes unnoticed, when I told him about the Amazon thing, he just smiled and said "At XXXX we are REALLY good at fraud detection, you won't believe how great we are (yes, some still gets through,) but Amazon detect more for us than we do!" I'm guessing them not using CVV is alright in that context!
 

marcouk2

Member
Joined
24 Jan 2012
Messages
189
Amazon probably get more detail to work with as well. A bank's systems might not trip with an Amazon purchase on an account used legitimately on Amazon in the past. Amazon might be able to flag up an account being used from a different IP address for a large purchase of electronics which has only ever bought pens on Amazon before.
 

Starmill

Veteran Member
Joined
18 May 2012
Messages
23,400
Location
Bolton
> If you intend to purchase items in a GWR HST buffet car with your card, I would recommend against this as they still use magstripes there!

Indeed. It was not long ago I had Hull Trains using an ancient card imprinting machine to take my payment too.
 

route:oxford

Established Member
Joined
1 Nov 2008
Messages
4,949
> The magnetic strip was copied and then swiped to spend 200 quid on petrol. The previous occasion it was 600 quid on fags and booze. That it was the magnetic strip that was copied is what leads the bank to be sure it has been skimmed on some machine or other.

I'm curious how you knew the transaction was for "fags and booze"? Is it a corporate purchase card? That level of transactional data isn't usually available for standard retail cards.

Also, which retailers accepted the card and in which country? Swiping a magnetic strip is pretty much a no-go event on a European card these days as it is a 100% fallback on the retailer if there is fraud.
 

hwl

Established Member
Joined
5 Feb 2012
Messages
7,403
> More likely is that Amazon has an agreement with the credit card companies which then gives them a waiver on the CVV stuff.
>
> If you want to handle the credit card processing yourself you need to be PCI DSS certified. So a lot of small businesses outsource that to processing companies. https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
>
> The super large orgs can always get some sort of sweetheart deal. Probably in exchange they have to do more to catch any fraudulent activity.

They do, TfL have a similar agreement for contact-less to always be accepted.
 

hwl

Established Member
Joined
5 Feb 2012
Messages
7,403
> Amazon probably get more detail to work with as well. A bank's systems might not trip with an Amazon purchase on an account used legitimately on Amazon in the past. Amazon might be able to flag up an account being used from a different IP address for a large purchase of electronics which has only ever bought pens on Amazon before.

Not just IP address but MAC address and cookies. Lots of retailers will pay much more attention to high risk purchases for example expensive electronics.
 

hwl

Established Member
Joined
5 Feb 2012
Messages
7,403
> I'm curious how you knew the transaction was for "fags and booze"? Is it a corporate purchase card? That level of transactional data isn't usually available for standard retail cards.
>
> Also, which retailers accepted the card and in which country? Swiping a magnetic strip is pretty much a no-go event on a European card these days as it is a 100% fallback on the retailer if there is fraud.

They will usually discuss recent activity with you in detail if they suspect fraud. They will usually have requested details pre call when they suspect fraud.
 

maffi209

Member
Joined
31 Jul 2017
Messages
28
> I'm curious how you knew the transaction was for "fags and booze"? Is it a corporate purchase card? That level of transactional data isn't usually available for standard retail cards.
>
> Also, which retailers accepted the card and in which country? Swiping a magnetic strip is pretty much a no-go event on a European card these days as it is a 100% fallback on the retailer if there is fraud.

I don’t know it was fags and booze but it was 6 separate transactions of about 100 quid in 6 different Co-Op food shops within an hour or two. I am only guessing they weren’t buying cabbages and chickens.
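
Added example (not part of any post in this thread, and not any bank's actual rule set): a sketch of two issuer-side controls the thread touches on, declining swiped authorisations on a chip card unless the holder has opted in, and flagging a burst of swipes across several merchants like the six shop transactions described above. The record fields, entry-mode labels, thresholds and sample history are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Auth:
    ts: datetime
    merchant: str
    amount: float
    entry_mode: str  # assumed simplified labels: "chip", "contactless", "magstripe"

def decide(auth, card_has_chip=True, magstripe_enabled=False):
    """Decline swiped authorisations on a chip card unless the holder opted in."""
    if auth.entry_mode == "magstripe" and card_has_chip and not magstripe_enabled:
        return "DECLINE"
    return "APPROVE"

def swipe_bursts(auths, window=timedelta(hours=2), min_merchants=3):
    """Return (start, end, merchants, total) for each run of magstripe
    authorisations that hits >= min_merchants distinct merchants inside window."""
    swipes = sorted((a for a in auths if a.entry_mode == "magstripe"),
                    key=lambda a: a.ts)
    bursts, i = [], 0
    while i < len(swipes):
        j = i
        while j + 1 < len(swipes) and swipes[j + 1].ts - swipes[i].ts <= window:
            j += 1
        group = swipes[i:j + 1]
        merchants = sorted({a.merchant for a in group})
        if len(merchants) >= min_merchants:
            bursts.append((group[0].ts, group[-1].ts, merchants,
                           sum(a.amount for a in group)))
            i = j + 1  # continue after the reported burst
        else:
            i += 1
    return bursts

# Constructed sample history: normal chip/contactless use, then six swipes.
def _t(hour, minute):
    return datetime(2018, 1, 15, hour, minute)

HISTORY = [
    Auth(_t(7, 40), "TVM station A", 23.10, "chip"),
    Auth(_t(8, 15), "TfL", 2.40, "contactless"),
    Auth(_t(8, 55), "Bus", 1.50, "contactless"),
] + [
    Auth(_t(14, 0) + timedelta(minutes=18 * k), f"Food shop {k + 1}", 100.0, "magstripe")
    for k in range(6)
]
```

With the opt-in rule at its default, every swipe in the sample is declined before the burst rule is even needed; the burst rule covers cards where swiping has been left enabled.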
 

Tetchytyke

Veteran Member
Joined
12 Sep 2013
Messages
13,305
Location
Isle of Man
> Basically someone sets the NFC settings on their phone to read and as long as they get said phone close enough to your card they can read all the data which is stored on the magnetic strip.

Not quite. The NFC app will read the Contactless part of the card. It will give the app-holder some information about the card, but (theoretically) not enough to be able to complete a transaction on its own. Retailers who don't use CVV or 3D Secure could be used with the data off the NFC chip, but there aren't many of them.
 