Had my Amex skimmed this month *AT a EH3 PETROL STATION*
Couple of £k withdrawn in Dubai. Word to the wise I used my card and pin in the following locations prior:
B&Q Edin
Easyjet
Firebox.com
Esso, Perth
Halfords Livi
Malthurst Petrol Edin
Massimo Livi
FlyBe
TM Lewins Edin
Green Welly Crianlarich
Khushis Edin
Crombies Edin
First Dubai withdrawal.
Scanning all machines I used for flights etc. at the moment and am happy I never let my card leave my eyes in shops while they get their machines, but to be honest it is all sleight of hand and I would not have noticed.
I reckon it was Khushis curry house or Crombies, going to pop in today to speak to the managers to let them know Amex will be contacting them as part of the investigation.
Thought I would post to pass on the word to the wise.
Advised by Amex just to change the pin, I asked for it to be cancelled and new cards issued. 6 days for new cards and 6-8 weeks for investigation. Needless to say I killed the direct debit to stop the £2.5k coming out of my account!
SP
Last edited by Sanjøy on Sun Feb 11, 2007 6:39 pm, edited 2 times in total.
W213 All Terrain
Yeah 6-8 weeks for them to realise that I could not have been in Dubai and Crianlarich on the same day though
Wee patronising reminder for everyone.
NEVER LET YOUR CARD OUT OF YOUR SIGHT IN A RETAIL PLACE, IT IS THE RULES THEY SIGNED UP FOR WHEN THEY TOOK ON THE CHIP & PIN MACHINE.
I complained to the Manager of Valvona & Corolla restaurant when they did that to Sarah's card.
I reckon in a few years if you permit someone to walk off with your card for 10 seconds "to get the machine" you will be liable for the bill.

W213 All Terrain
The thing is, it can still be skimmed even if you can see it, all you need to do is fix the skimming device to the chip and pin machine. It's dead easy to do once you've got the equipment.
When I worked with Phil years ago, I had to do some work with one of NCR's chip readers and we reprogrammed the boss's AA card to match his door entry card. He then went and told the security man that he could get into the building with the AA card and the guy started panicking.

- thinfourth
- Posts: 3177
- Joined: Tue Mar 15, 2005 12:06 pm
- Location: Playing in the mud near aberdeen
Is it the chip they copy or the magnetic strip?
So is it beyond reason, if it is the strip they copy, which you only need to get cash? Surely it is not beyond reason that if you kill the strip then the card will still be useable.
At this point I'll hand the baton over to the electrical gods
ROBIN!!!!!!!!
I may have something to do with these chip and pin machines from time to time 
As I understand there are two types of fraud. The first involves cloning the magnetic card data and reading your pin, the second involves getting just the mag stripe data.
Both require either a secondary mag reader to the main unit OR a tap into the data flow downstream. This latter path to attack should become a thing of the past with new regulations preventing the storage and transmission of card data in plain text (i.e. it's all to be encrypted at all times).
The first attack allows you to make your own clone card and then withdraw cash from most cash points. Organised gangs make 10s of cards and hit as many cash points as they can just before and then again just after midnight!
The second attack allows you to mail order stuff to a suitable address, usually consumer electronics that are easy to get rid of - memory sticks, plasma tellies, etc.
The second attack is becoming less common because (a) there is a limit to how much stuff you can accumulate at one address and (b) because increasingly you need to give the registered address as part of the order - but you can order stuff from Hong Kong on a card without any of that, no bother.
The first is easy to avoid, provided you trust the anti-tamper mechanisms that are built into all the PIN entry devices. You should always shield your PIN entry with one hand to prevent visual PIN capture (can be from a spotter, the waiter or a mini-camera). You should also always make sure you touch all the keys - best approach is actually to enter the wrong three digits first, then press the cancel button and then enter the right four digits - this confuses primitive mechanisms such as placing invisible ink on the keys which then shows up under an ultra-violet lamp - if they know the four digits of your PIN they only need 24 goes to get the right PIN - and if there are duplicate digits then even fewer attempts required.
However, trusting the anti-tamper mechanisms is probably going to be risky in the long run - there have already been various successful attacks on these machines, and more will follow I am sure. It's a hard problem to solve, and there is a lot of money at stake ...
Cheers,
Robin

I is in your loomz nibblin ur wirez
#bemoretut
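Robin's point above about rules against storing or transmitting card data in plain text is something a merchant can check on their own systems. The following is an added example, not part of the thread: a Python scan of till or terminal logs for clear-text track 2 stripe data and bare card numbers. The log lines are constructed, the card numbers are public test numbers, and the track 2 layout assumed is the ISO/IEC 7813 one.

```python
import re

# Track 2 as read from the stripe (ISO/IEC 7813): ;PAN=YYMM SVC discretionary ?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
# Bare card-number candidates: 13-19 digits that are not part of a longer run.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, so the report holds no full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return (line_no, kind, masked_pan) for each clear-text card number."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((no, "track2", mask(m.group(1))))
        # Blank out stripe data already reported, then look for bare numbers.
        for m in PAN.finditer(TRACK2.sub(" ", line)):
            if luhn_ok(m.group(0)):
                findings.append((no, "pan", mask(m.group(0))))
    return findings


# Constructed log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "12:01:07 POS3 swipe raw=;4111111111111111=30121011234567890? amt=42.10",
    "12:01:09 POS3 auth ok ref=8830012345678 pan=411111******1111",
    "12:03:44 POS1 manual entry card 378282246310005 amt=19.99",
    "12:04:02 POS1 order id 1234567890123456 shipped",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The order id on the last line is 16 digits long but fails the Luhn check, so it is not reported; the already-masked number on the second line is ignored as well.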
- thinfourth
- Posts: 3177
- Joined: Tue Mar 15, 2005 12:06 pm
- Location: Playing in the mud near aberdeen
Well, it's a complex issue. Many supermarkets still expect the swipe to work even though they're using the chip - basically anywhere that the swipe and chip coupler are in the same enclosure - in those cases they might barf at your card even though the chip transaction would work just fine.
Short answer is, no you shouldn't do that - take care of your PIN as described above and report anything suspicious to the bank. Also use credit cards, especially online, rather than debit cards - your protection against fraud is better with the credit card than the debit card.
Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut
Have you maybe paid a visit to this garage........
http://www.dailyrecord.co.uk/news/tm_he ... _page.html
- The_Rossatron
- Posts: 1844
- Joined: Sun Jul 10, 2005 8:14 pm
- Location: Edinburgh, Scotland
- Contact:
I paid many a visit to that garage and had £900 emptied out of my account a few months back!
Sorry to hear about your troubles Sanjoy - seems almost everyone I know has had something like this happen to them.
Definitely be following some of your tips Robin!
"There is no emoticon for what I'm feeling right now."
Ferrari F355, Fiat Panda 100HP, Rover Mini Cooper
http://www.allflashnocash.com
Re: Had my Amex skimmed this month
Sanjoy wrote: Couple of £k withdrawn in Dubai. Word to the wise I used my card and pin in the following locations prior:
B&Q Edin
Easyjet
Firebox.com
Esso, Perth
Halfords Livi
Malthurst Petrol Edin
Massimo Livi
FlyBe
TM Lewins Edin
Green Welly Crianlarich
Khushis Edin
Crombies Edin
First Dubai withdrawal.
SP
W213 All Terrain
- The_Rossatron
- Posts: 1844
- Joined: Sun Jul 10, 2005 8:14 pm
- Location: Edinburgh, Scotland
- Contact:
Maybe we should swing by there with some baseball bats and a match
"There is no emoticon for what I'm feeling right now."
Ferrari F355, Fiat Panda 100HP, Rover Mini Cooper
http://www.allflashnocash.com
"A search by fraud officers revealed a cloning device had been fitted to the garage's chip and pin card machine to copy details as people put them in."
What chance do you have eh ?!
So a couple of grand off me, £900 off you, sheesh he must have racked up hunners of thousands off it.
W213 All Terrain