New secure credit cards?


Yes, that I understand. What exactly is the merchant telling the bank that causes the bank to debit the alleged purchaser's credit card? Or can any merchant anywhere, simply by having a person's credit card number, cause a bank to pay up just by telling the bank that the purchaser has allegedly bought something?

Mauried

Basically, yes, there's nothing to stop a merchant fraudulently claiming that purchases have been made when they haven't.

But the merchant should also expect the card holder to deny having authorised those transactions, and get them reversed.

Unless it's for a small amount, of course. I suspect there's a degree of fraud along these lines based on the assumption that the consumer won't do anything about a small debit they don't recognise.

Sylvia.

Sylvia Else


OK, so does this mean that once a card holder has denied authorizing the transactions, the bank has no choice but to reverse them, i.e. there is a legal obligation to do so, and the bank cannot refuse?

Mauried

Of course they can refuse, but the Banking Industry Ombudsman will usually help you if you have a case.

MrT.

Mr.T


Although one talks of 'reversing' it, the reality is that the entry in the account simply reflects the bank's view of how much the account holder owes the bank. The account holder can reasonably have a different view. Faced with a denial by the account holder that a transaction was authorised, and no signature, the bank is on shaky ground if it persists in its view that the account holder owes it the money. A small claims court would very likely find in favour of the account holder, and the bank would know that.

Sylvia.

Sylvia Else

In message , Sylvia Else writes

Providing the merchant has 'cardholder not present' authorisation from the bank.

Of course a merchant could type in the number pretending that the card/chip wouldn't read but that makes the transaction look suspicious to the bank.

It also depends on the 'floor limit' of the machine which the merchant wouldn't necessarily know, some machines authorise online with every transaction so they'd be taking the risk that you hadn't used the card in the last few minutes/hours many miles away from their location as the bank's anti-fraud software would detect that and flag the transaction as suspicious, possibly blocking the card (which can be hugely inconvenient to the card holder but is ultimately 'a good thing').

There's definitely fraud of this sort happening but it's a fairly low risk.

--
Clint Sharp
Clint Sharp
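
An added illustration, not part of the original thread, of the two signals the post above mentions: a card number keyed in instead of read from the chip, and use of the card a short time earlier many miles away. The speed ceiling, record layout and sample transactions are assumptions constructed for this example; the thread does not describe how any bank's anti-fraud software actually works.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner speed

# Constructed sample data: (time, latitude, longitude, entry mode)
SAMPLE_TXNS = [
    ("2008-03-01T10:00:00", -33.87, 151.21, "chip"),   # Sydney
    ("2008-03-01T10:20:00", -33.80, 151.18, "chip"),   # a few km away, 20 min later
    ("2008-03-01T10:45:00", -37.81, 144.96, "keyed"),  # Melbourne, 25 min later
    ("2008-03-01T18:00:00", -37.84, 144.99, "chip"),   # Melbourne, about 7 h later
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), Earth radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def flag_suspicious(txns, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (index, reasons) for each transaction that looks suspicious
    when compared with the previous transaction on the same card."""
    flagged = []
    prev = None
    for i, (ts, lat, lon, mode) in enumerate(txns):
        when = datetime.fromisoformat(ts)
        reasons = []
        if mode == "keyed":
            reasons.append("card number keyed in instead of chip read")
        if prev is not None:
            hours = (when - prev[0]).total_seconds() / 3600
            dist = km_between(prev[1], prev[2], lat, lon)
            # Any real distance covered in zero or negative time is also implausible.
            if dist > 1 and (hours <= 0 or dist / hours > max_kmh):
                reasons.append(f"{dist:.0f} km from previous use in {hours * 60:.0f} min")
        if reasons:
            flagged.append((i, reasons))
        prev = (when, lat, lon)
    return flagged

if __name__ == "__main__":
    for index, reasons in flag_suspicious(SAMPLE_TXNS):
        print(index, "; ".join(reasons))
```
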

They are starting to roll out eftpos terminals with smart card readers in AU; there are a few places I visit on a regular basis that require you to use the smart card. There is no real demand in AU as yet due to the relatively low credit card fraud rates in AU compared to the cost of rolling out smart card technology. The plan is to eliminate mag stripe cards to enhance security, but as we all know the criminals always catch up eventually. However, the harder you make it, the longer it takes and the less it costs the banks.

BTW, I have been a victim of CC fraud. I went around to all the stores that had purchases on my card and most were big chains. However one was Autobarn, which was a private franchise. The owner was really pissed off because apparently all the banks do is reverse the charge and refund it to the consumer. I got all my money back. Fortunately it was my wife's card that got stolen, and she figured out who it was. It was stolen from her work. I cancelled the cards as soon as she noticed and contacted the police. Printed out all transactions from internet banking and gave them all receipt copies I obtained from the stores. The idiot who stole it decided to fuel up a car at a service station that had CCTV!! Justice. I doubt the owner of Autobarn would have ever got his money back though, the woman was a drug addict. None of this would have happened if PINs were enforced.

The Real Andy

Well, that's not so clear. The chip based cards contain the PIN. It's encrypted, and the chip is meant to be tamper proof, but the chip itself is clearly capable of validating a requested PIN. In theory getting the PIN wrong three times locks the chip, so that it will no longer respond to PIN checks, and has to be reset at an ATM (which can validate the PIN at the central computer system, and presumably track further failed attempts).

However, this all depends on the tamper resistance of the chip. If someone can deduce where the failed PIN attempt counter is kept, they could conceivably reset it before each attempt. They could then perform an automated exhaustive search of all 10,000 possible 4 digit PINs.

This article is illuminating in regards to tamper resistance of chips.

formatting link

Sylvia.

Sylvia Else

Hah, I remember when they tried to force me to Mastercard too. However it seems they were obliged to still offer Visa to those who did not want to change, so I stuck with it, glad I did that now :-).

Yes I've seen that. It's mildly annoying, but I think it might be a good thing. I have had my card used for online fraud a number of times now, one time it was used to purchase airline tickets in Indonesia! I can't understand how someone could board a flight using tickets that were purchased by a completely different person, or how the airline could sell them these tickets, but anyway.. With this new password verification system, the online fraud would've been less likely I think.

Regards,

Ross..

Ross Vumbaca

How do they cater for pin changes where your card is never inserted anywhere to have an opportunity to be updated? (yet?)

Or in this case, is it checked online where available, and in an off-line application, the user told to get lost if their new valid pin has not been written to their card yet?

If the pin can be updated willy-nilly as often as the user updates their pin with their bank (or whoever), how long before the card pin update is hacked, and used in an offline application where it trusts the card pin?

Or better still, since they still take signatures everywhere, why not forget the pin, and forge the user's signature (which conveniently is written on the back), just like everyone's been doing since dot?

--
Linux Registered User # 302622
John Tserkezis

Because the purchaser of the tickets is not always the USER of the tickets.

Much like when I've booked flights for my aged aunty whose English is barely good enough to get through hello pleasantries, let alone get onto the 'net and make an online booking with a credit card she doesn't have.

Or when work sends us to sites (domestic and international), they book and pay a travel agent, who books and pays the airlines. Apart from our names, the airline doesn't care who paid for it or how. The last thing I want is to book in, and be asked why I wasn't the one who paid for it. More importantly, I'm not always aware of the agent who booked and paid for it anyway - so I can't even verify that even if I wanted to.

--
Linux Registered User # 302622
John Tserkezis

It would appear to me that inserting the card into an ATM is a prerequisite for changing the PIN.

Some of the documents cited in this thread indicate that in any case, for the offline transaction situation, it's simpler just to make a card that claims that any PIN is valid.

But PIN updating can be made secure using public key encryption - at least as long as the chip remains physically immune to tampering. All bets are off anyway if crims manage to overcome the chip's tamper protection.

From the bank's perspective, that's what they're trying to get away from, since if the signature is forged, then it's the bank's loss, or possibly the merchant's loss, but never the consumer's loss.

Sylvia.

Sylvia Else

I understand that, I have purchased tickets for my relatives in the past, using my credit card.

However I still find it mildly perplexing that a large national airline in Indonesia accepted an Australian credit card with a totally foreign name through their Indonesian website and sold multiple airline tickets to different people with the same credit card (people who, incidentally, did not provide complete address details, so the bank couldn't even prosecute them). These people could have been anyone, e.g. major criminals, and due to lax processes, no one can even track them down.

< .. >

You're talking about a travel agent arranging the purchase here. The credit card fraud that we are discussing is via WEBSITES. If a travel agent fails to notice that a person used a stolen credit card with them, then that's a bit different.

Regards,

Ross..

Ross Vumbaca

What are you idiots going on about? Just because there is a Chip on your card, you still need to SIGN it, unless you want to use your PIN.. There still is a PAPER trail, as the unit still prints out a Docket, regardless if you sign or PIN it..

The reason they are using a chip, is because of Card scamming, where the magnet card swipe is changed to a different number, e.g. they use their own credit card, but change the Card number on the strip to YOURS.. That's what it is really for.

The fun bit is these Card chips are not designed for regular use.. We have already had several cards with faulty chips that need to be swiped.. (The contacts have just worn out)

Allan

Allan

So when they claim that you made some purchase, and you claim you didn't, you'll show them that you don't have a docket, and that will be proof positive.

Sylvia.

Sylvia Else

Ah, but there's something you weren't aware of. Technically, these cards are usable in situations where you DON'T require a PIN or signature - the PIN is pre-encrypted onto the card itself, thus providing authentication.

There are automated machines such as bus/train/whatever fare machines and such that can handle these cards. Just poke in your card, and you buy a ticket. Or whatever.

There are no such machines here (yet) that I know of, but there are overseas, and THAT'S where things are problematic. If one vendor can make it super-convenient for the buyer to shell out money, it inherently makes it super-convenient for thieves who have duplicated said smart bits, to go shopping.

When you get your statement back with various charges you didn't make, the banks' position is, since the cards are COMPLETELY infallible, it could only possibly have been you who made those purchases.

Though, my opinion is that I don't think this is going to last anyway. When enough users get suckered by duplicate cards, and the media gets hold of it (such as the news and other more questionable tabloid journalism programs) the banks will HAVE to admit one or two of their COMPLETELY infallible cards are in fact fallible after all. Shock horror - would have never expected that...

--
Linux Registered User # 302622
John Tserkezis

There's one in the Macfarlane St car park in South Yarra, and it doesn't require a chip-card. Just scan the barcode on your entry ticket, poke in your card, and you get charged the $7 early bird rate (or presumably whatever other rate you deserve).

I'm assuming that the merchant wears the liability in this case however, and can use video evidence to back themselves up.

Clifford Heath

I had a chip card (for prepay electricity) and it died fairly quickly (from static electricity AFAICT).

Jasen Betts

Prepay chips are probably designed to have a significant failure rate. Most people wouldn't bother to complain.

Sylvia.

Sylvia Else
