Page 3 of 3

Re: Some-one has used my card number.

Posted: 25 Aug 2020, 19:41
by Tomliner
Hi Nigel. As I mentioned earlier, try using pay at the pump. You can still get your Tesco points by putting your Tesco card in the slot prior to your payment card. Just follow the instructions at the pump, and of course there is no other person involved. :) EricT

Re: Some-one has used my card number.

Posted: 25 Aug 2020, 19:45
by Nigel H-J
Hi Nigel. As I mentioned earlier, try using pay at the pump. You can still get your Tesco points by putting your Tesco card in the slot prior to your payment card. Just follow the instructions at the pump, and of course there is no other person involved. :) EricT
Thanks Eric, will give that a go next time I need some fuel but with this Covid about we do not travel very far now and probably won't until there is a vaccine.

Regards
Nigel.

Re: Some-one has used my card number.

Posted: 25 Aug 2020, 19:59
by Vc Ten
I don't think there is any more risk at using the chip and pin in the kiosk, than the same device outside. Where the risk is when they wander off with your card to look for the machine, supposedly. :wasntme: Don't forget for any online purchase, all that's needed is the name, long number on the card and the last 3 digits on the back. Quick photo of the card with a phone while it's in their mits and its job done.
Dale

Re: Some-one has used my card number.

Posted: 26 Aug 2020, 17:34
by JKAGary
Hi Nigel,

I was reading your post with interest and I had a couple of observations based on some of the information you provided.

This is only a suspicion, is that my card details were probably hacked at KFC.

If it was a traditional contact terminal transaction (chip and PIN) at KFC I am doubtful that the information was gained from there. To obtain PAN, CVC2, and expiry date (which would be the minimum required to then initiate the fraudulent CNP transaction) is not straightforward – certainly to extract that information from the secure element on the chip and/or decrypt the messaging between the terminal and the ICC chip card is not straightforward.

Two things which you mentioned made me think this was something else.

About a week before this fraud came to light I had a letter from the card company stating that they will be changing our cards and issuing us with new ones and the statement ….£227 was taken to pay A Ferry Ltd

I’m assuming your card wasn’t about to expire hence you weren’t expecting a new card, which makes me suspect the card company were performing a force re-issue of all plastics….a hint that card details may have been compromised….also the random transaction (A Ferry) makes me suspect this was a distributed guess attack as a means to brute force guess card details against your card issuer. (No proof but the M.O. fits)

Distributed guess attacks use bots to guess PAN, expiry date and CVC2 and will use merchant websites where there are potential weaknesses in authentication. Essentially transactions requests are fired through the website for PAN, expiry date and CVC2 incrementing entries in each field until hits are achieved on all three (i.e. when the transaction went through such as the case for you). That card is now compromised. Repeat for every other card under that BIN range and the attackers now have a raft of card details for a given card issuer. See Tesco guess attack in 2017 as an example for which average time for the automated bot to guess PAN, CVC2 and expiry date for a given card was 6 seconds.

The reason it was £227 will be it was based on a random ferry selection to allow entry of card details (from looking at the website) and then batter the merchant payment gateway with guesses on each field until a hit was made and the transaction authorised.

Chances of catching the bad guys are slim as they are never in the country the attack happened and this is seriously organised stuff.

As for card skimming?...that’ll never go away until PAN data is removed from track 2 of the magstripe and full EMV adoption in place – so my advice for everyone at ATM and pump is ensure you cover your PIN when entering it! (the pinhole camera gets hidden in very crafty places and skimmers aren't easy to spot with newer deep insert skimmers)

Just my view *-) :wasntme: ;)

Cheers
Gary

Re: Some-one has used my card number.

Posted: 26 Aug 2020, 18:24
by Nigel H-J
Hi Gary, what you have written is something completely new to me and also very high tech. By your writing and your views and my brain trying to unscramble the information is that it is more likely that a computer programme is run to randomly find a card, when the numbers generated match that of say my card then a fraudulent transaction can be made, but what of the name of the holder? Surely that also must be matched with any transaction from the card company?

I would have thought one method to try to stop these fraudulent transactions would be every-time you used the card it has to be verified by yourself before any transaction is authorised even if that means an additional charge to cover the costs, i.e. text message to mobile phone etc. I would only be too happy to pay extra if it meant a more secure card.

I never use ATM Machines and if I do need cash it will be done at the bank, equally when or if having to tap my pin into a card reader I always put my hand over the hand that I am using to input my pin and if able, to angle the card reader so cannot be view from the ceiling (one case of card pins being read was a small camera in the ceiling of a filling station, right above the card reader).

Many thanks for your thoughts Gary, told the card company I have never bought any ferry tickets in the past nor will I in the future either.

Regards
Nigel.

Re: Some-one has used my card number.

Posted: 26 Aug 2020, 19:48
by TSR2
The only sure fire way to prevent fraudulent transactions is multi factor authentication.. and even that is compromiseable, although someone would have to go to an awful lot of trouble. I don’t think any of the banks allow you to use MFA on every transaction, but I might be wrong. There are very few websites that I use my card on, and my PayPal account has MFA on every transaction, so I try and stick with that as far as possible. I use Apple pay for almost everything else, I even bought my last car with Apple Pay.

Re: Some-one has used my card number.

Posted: 26 Aug 2020, 20:29
by Nigel H-J
Hi Ben, many thanks for your reply, Rick had mentioned that he uses PayPal as well. I used to have PayPal a long time ago so think it may well be the best way forward when making on-line purchases. Now I cannot remember but, do PayPal keep your card details for when you next shop or can you choose not to have your card details stored there. I know with Amazon after making a purchase I have to go into my account and remove my card details which is a pain in the back-side but don't like to allow card details to be held by any-one apart from me.

Regards
Nigel.

Re: Some-one has used my card number.

Posted: 26 Aug 2020, 23:14
by TSR2
They have your card details, but in order to buy something you’d have to log into PayPal, and I’ve set mine to always do 2FA.

So, for example, I go to buy something online, I select PayPal, I log into PayPal, it sends a code to my phone that I then enter on screen, and then I can make the payment.

In order to log into my account to update anything, I also have to use 2FA (a code texted to my phone).

Re: Some-one has used my card number.

Posted: 27 Aug 2020, 20:17
by Nigel H-J
Many thanks Ben, that has been really helpful.

Regards
Nigel.