Some-one has used my card number.


Tomliner
Battle of Britain
Posts: 3901
Joined: 02 Apr 2006, 12:00
Location: Edinburgh UK

Re: Some-one has used my card number.

Post by Tomliner »

Hi Nigel. As I mentioned earlier, try using pay at the pump. You can still get your Tesco points by putting your Tesco card in the slot prior to your payment card. Just follow the instructions at the pump, and of course there is no other person involved. :) EricT
Now at the age where I know I like girls but can't remember why!
Nigel H-J
Red Arrows
Posts: 6833
Joined: 14 May 2005, 15:33
Location: Lincolnshire

Re: Some-one has used my card number.

Post by Nigel H-J »

"Hi Nigel. As I mentioned earlier, try using pay at the pump. You can still get your Tesco points by putting your Tesco card in the slot prior to your payment card. Just follow the instructions at the pump, and of course there is no other person involved. :) EricT"
Thanks Eric, will give that a go next time I need some fuel but with this Covid about we do not travel very far now and probably won't until there is a vaccine.

Regards
Nigel.
I used to be an optimist but with age I am now a grumpy old pessimist.
Vc Ten
Concorde
Posts: 721
Joined: 18 Apr 2010, 17:02
Location: North Wales

Re: Some-one has used my card number.

Post by Vc Ten »

I don't think there is any more risk at using the chip and pin in the kiosk, than the same device outside. Where the risk is when they wander off with your card to look for the machine, supposedly. :wasntme: Don't forget for any online purchase, all that's needed is the name, long number on the card and the last 3 digits on the back. Quick photo of the card with a phone while it's in their mitts and it's job done.
Dale
JKAGary
Chipmunk
Posts: 33
Joined: 06 Jan 2011, 13:48
Location: Dunfermline

Re: Some-one has used my card number.

Post by JKAGary »

Hi Nigel,

I was reading your post with interest and I had a couple of observations based on some of the information you provided.

"This is only a suspicion, is that my card details were probably hacked at KFC."

If it was a traditional contact terminal transaction (chip and PIN) at KFC I am doubtful that the information was gained from there. To obtain PAN, CVC2, and expiry date (which would be the minimum required to then initiate the fraudulent CNP transaction) is not straightforward – certainly to extract that information from the secure element on the chip and/or decrypt the messaging between the terminal and the ICC chip card is not straightforward.

Two things which you mentioned made me think this was something else.

"About a week before this fraud came to light I had a letter from the card company stating that they will be changing our cards and issuing us with new ones" and the statement "….£227 was taken to pay A Ferry Ltd"

I’m assuming your card wasn’t about to expire hence you weren’t expecting a new card, which makes me suspect the card company were performing a force re-issue of all plastics….a hint that card details may have been compromised….also the random transaction (A Ferry) makes me suspect this was a distributed guess attack as a means to brute force guess card details against your card issuer. (No proof but the M.O. fits)

Distributed guess attacks use bots to guess PAN, expiry date and CVC2 and will use merchant websites where there are potential weaknesses in authentication. Essentially transaction requests are fired through the website for PAN, expiry date and CVC2 incrementing entries in each field until hits are achieved on all three (i.e. when the transaction went through such as the case for you). That card is now compromised. Repeat for every other card under that BIN range and the attackers now have a raft of card details for a given card issuer. See Tesco guess attack in 2017 as an example for which average time for the automated bot to guess PAN, CVC2 and expiry date for a given card was 6 seconds.

The reason it was £227 will be it was based on a random ferry selection to allow entry of card details (from looking at the website) and then batter the merchant payment gateway with guesses on each field until a hit was made and the transaction authorised.

Chances of catching the bad guys are slim as they are never in the country the attack happened and this is seriously organised stuff.

As for card skimming?...that’ll never go away until PAN data is removed from track 2 of the magstripe and full EMV adoption in place – so my advice for everyone at ATM and pump is ensure you cover your PIN when entering it! (the pinhole camera gets hidden in very crafty places and skimmers aren't easy to spot with newer deep insert skimmers)

Just my view *-) :wasntme: ;)

Cheers
Gary
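
An issuer-side check for the guessing pattern described in the post above, added here as an example and not part of the original thread: it counts failed expiry/CVC2 checks per card across all merchants in a sliding window, because per-merchant limits miss guesses spread over many sites. The log format, decline reason codes, window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)                 # assumed sliding window
THRESHOLD = 5                                 # assumed failed guesses tolerated per card per window
GUESS_DECLINES = {"bad_expiry", "bad_cvc2"}   # hypothetical decline reason codes

# Constructed sample authorisation log: ISO time, card token, merchant, result.
SAMPLE = """\
2020-09-01T10:00:00 tok_A shop1.example bad_expiry
2020-09-01T10:00:01 tok_A shop2.example bad_expiry
2020-09-01T10:00:02 tok_A shop3.example bad_cvc2
2020-09-01T10:00:03 tok_A shop1.example bad_cvc2
2020-09-01T10:00:04 tok_A shop4.example bad_cvc2
2020-09-01T10:00:06 tok_A ferry.example approved
2020-09-01T10:01:00 tok_B shop1.example bad_cvc2
2020-09-01T10:30:00 tok_B shop1.example approved
""".splitlines()

def parse(line):
    """Parse one 'time token merchant result' line (constructed format)."""
    ts, token, merchant, result = line.split()
    return datetime.fromisoformat(ts), token, merchant, result

def detect_guessing(lines):
    """Return {card_token: finding} for cards hit by a burst of failed
    expiry/CVC2 checks, counted across all merchants rather than per merchant."""
    recent = defaultdict(deque)   # token -> (time, merchant) of recent failed guesses
    findings = {}
    for ts, token, merchant, result in sorted(map(parse, lines)):
        window = recent[token]
        while window and ts - window[0][0] > WINDOW:
            window.popleft()      # forget failures older than the window
        if result in GUESS_DECLINES:
            window.append((ts, merchant))
            if len(window) >= THRESHOLD:
                f = findings.setdefault(token, {"failed": 0, "merchants": set(), "approved_after": False})
                f["failed"] = max(f["failed"], len(window))
                f["merchants"].update(m for _, m in window)
        elif result == "approved" and token in findings and window:
            # An approval straight after a guessing burst: treat the card as compromised.
            findings[token]["approved_after"] = True
    return findings

if __name__ == "__main__":
    print(detect_guessing(SAMPLE))
```
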
Nigel H-J
Red Arrows
Posts: 6833
Joined: 14 May 2005, 15:33
Location: Lincolnshire

Re: Some-one has used my card number.

Post by Nigel H-J »

Hi Gary, what you have written is something completely new to me and also very high tech. By your writing and your views and my brain trying to unscramble the information is that it is more likely that a computer programme is run to randomly find a card, when the numbers generated match that of say my card then a fraudulent transaction can be made, but what of the name of the holder? Surely that also must be matched with any transaction from the card company?

I would have thought one method to try to stop these fraudulent transactions would be every time you used the card it has to be verified by yourself before any transaction is authorised even if that means an additional charge to cover the costs, i.e. text message to mobile phone etc. I would only be too happy to pay extra if it meant a more secure card.

I never use ATM Machines and if I do need cash it will be done at the bank, equally when or if having to tap my pin into a card reader I always put my hand over the hand that I am using to input my pin and if able, to angle the card reader so it cannot be viewed from the ceiling (one case of card pins being read was a small camera in the ceiling of a filling station, right above the card reader).

Many thanks for your thoughts Gary, told the card company I have never bought any ferry tickets in the past nor will I in the future either.

Regards
Nigel.
I used to be an optimist but with age I am now a grumpy old pessimist.
TSR2
The Ministry
Posts: 13089
Joined: 17 Jun 2004, 14:32
Location: North Tyneside, UK

Re: Some-one has used my card number.

Post by TSR2 »

The only sure-fire way to prevent fraudulent transactions is multi factor authentication. And even that is compromisable, although someone would have to go to an awful lot of trouble. I don’t think any of the banks allow you to use MFA on every transaction, but I might be wrong. There are very few websites that I use my card on, and my PayPal account has MFA on every transaction, so I try and stick with that as far as possible. I use Apple Pay for almost everything else, I even bought my last car with Apple Pay.
Ben.:tunes:

Nigel H-J
Red Arrows
Posts: 6833
Joined: 14 May 2005, 15:33
Location: Lincolnshire

Re: Some-one has used my card number.

Post by Nigel H-J »

Hi Ben, many thanks for your reply, Rick had mentioned that he uses PayPal as well. I used to have PayPal a long time ago so think it may well be the best way forward when making on-line purchases. Now I cannot remember but, do PayPal keep your card details for when you next shop or can you choose not to have your card details stored there? I know with Amazon after making a purchase I have to go into my account and remove my card details which is a pain in the back-side but don't like to allow card details to be held by anyone apart from me.

Regards
Nigel.
I used to be an optimist but with age I am now a grumpy old pessimist.
TSR2
The Ministry
Posts: 13089
Joined: 17 Jun 2004, 14:32
Location: North Tyneside, UK

Re: Some-one has used my card number.

Post by TSR2 »

They have your card details, but in order to buy something you’d have to log into PayPal, and I’ve set mine to always do 2FA.

So, for example, I go to buy something online, I select PayPal, I log into PayPal, it sends a code to my phone that I then enter on screen, and then I can make the payment.

In order to log into my account to update anything, I also have to use 2FA (a code texted to my phone).
Ben.:tunes:

Nigel H-J
Red Arrows
Posts: 6833
Joined: 14 May 2005, 15:33
Location: Lincolnshire

Re: Some-one has used my card number.

Post by Nigel H-J »

Many thanks Ben, that has been really helpful.

Regards
Nigel.
I used to be an optimist but with age I am now a grumpy old pessimist.