"propriety"
You keep using that word, I do not think it means what you think it means.
A senior police commissioner has complained that it would be wrong to interpret his comments about preventing online fraud victims from claiming compensation as a proposal for online fraud victims being unable to claim compensation. Sir Bernard Hogan-Howe asserted that the problem was systemic, telling The Times: “The system …
Doesn't have the same meaning. "Encouragement" is a broader term, where "incentive" normally implies a financial encouragement.
"Disincentive" is also an acceptable word for discouragement that's achieved financially.
I don't particularly like the verbs formed from "incentive" or "disincentive", mainly because there are older, shorter back-formations of those nouns into verbs in the shape of "incent" and "disincent".
I look forward to the day when any officer likely to undergo a disciplinary process is denied the option of taking 'early' retirement. We don't want to encourage lax behaviour do we?
Might as well pay back all those PPI compensations as well. After all it was our own fault for not reading the small print in the 5 minutes when we were sold stuff.
The reason why banks refund fraudulent payments is that it draws attention away from the fact that the system is fundamentally moronic in its design and cannot possibly be secure.
In a secure system, customers would initiate payments (cash or BACS) instead of giving payees the authority to take money off them (16-digit numbers, Direct Debit or, craziest of all, "contactless").
Cite ?
My hunch is contactless fraud is very low-level, if it happens at all. Mainly because it's already protected against to a certain degree by the fact that almost all card readers are overlooked by CCTV.
Bear in mind in the UK the maximum loss possible from contactless payments is £90.
And if (as I do) you destroy the CV2 number on your card, the chances of online fraud are vanishingly small.
@yoganmahew
What I meant (as I suspect you knew) was that destroying the CV2 number on my card(s) reduces the risk of someone who has physical access to the card making a note of it and then using it online.
I *know* bank advice is to not hand your card to anyone. However there are a number of merchants who - for whatever reason - have engineered it so they "need" to put your card in the machine.
Normally I don't worry about being misunderstood. But I think destroying the CV2 is such a neat trick - and certainly within the skillset of an El Regger - that it needs promoting.
Amazon don't ask for the CV2. I am not sure whether there are others like that.
I read somewhere (here?) that it's because the CV2 is not allowed to be stored, it can only be used immediately. And Amazon prefer to have your card details stored for later purchases, so they don't worry about the CV2.
Not sure whether that affects fraudulent buying from Amazon.
> Not sure whether that affects fraudulent buying from Amazon.
Amazon have their own fraud detection systems that seem to be really efficient. Twice now they've reversed the transaction within minutes on e-books I bought from "strange locations" (once while travelling, once because I was still connected to a "screw you, Netflix" VPN).
"I *know* bank advice is to not hand your card to anyone. However there are a number of merchants who - for whatever reason - have engineered it so they "need" to put your card in the machine."
Oh no they don't. If they want to get paid by me that is. And not face a polite but increasingly loud conversation, overheard by a lengthening .....
@yoganmahew
Are these online criminals the AI's everyone's been warning us about?
Or maybe - just maybe @JimmyPage realises that the chance of having your CCV number compromised is more likely to happen via physical access to your card, rather than a leaky online database.
Sort of. While cvv are always needed for legitimate online transactions, they are not stored. What IS stored: a verification flag that only changes when the cc exp date is near or reached or the main number changes. If you get a replacement card due to physical card damage, some banks will send you a replacement with the same main number, same exp date, different ccv. The ccv changing does not invalidate a good-flagged card number, so there is no reason to change it on record, for recurring transactions.
> > "And if (as I do) you destroy the CV2 number on your card, the chances of online fraud are vanishingly small."
> Do you really think online criminals are looking at your card?
No, they're looking at the postit note on the monitor where he wrote down the CV2 as a reminder.
"if it happens at all. Mainly because it's already protected against to a certain degree by the fact that almost all card readers are overlooked by CCTV."
I'd love to see where you get this worthless idea of a fact from,
as I'd think it's the total opposite in the real world
A charity and helpline in the UK called “Action for Elderly Abuse” http://elderabuse.org.uk/ has noticed a large increase of theft from the bank accounts of elderly European citizens. The presumed method of this loss is that family members (or sometimes care staff) who have access to the elderly person’s wallet/purse have been making repeated micro-thefts (below the €20 threshold) by using the tap-and-pay method, without the agreement of the card owner.
This has led to comments in the Daily Telegraph and elsewhere of practical methods to disable the RFID (as allegedly requests to some UK banks for non-RFID credit/debit cards were met with a negative response).
The method from DT comments seemed to involve shining as many lumens as a 3.7V Li can blast out of a Cree LED holding a torch like http://www.amazon.co.uk/dp/B014H1UDA4/ against the RFID credit-card and use a marker to trace the antenna loop - then being careful not to drill any 0.5mm holes in the wrong place to invalidate it as a non-RFID credit card.
I had to insist with Natwest a year or so ago, but they did send me a new card. With retrospect I wish I'd microwaved it and returned it saying it was broken, and blaming the RFID antenna as a fire hazard.
It'll be interesting to see what happens when the replacement card comes up for renewal.
On the other hand when Lloyds sent my wife a shiny new fraud enabled card and she took it back they immediately sent her a replacement. The very helpful lady commented that a lot of their customers are rejecting them. Promised the account would be marked for non RFID replacements in future.
Banks learning to serve their customers? Anyone know the best treatment for frostbite on a flying pig?
> Credit and Debit Cards don't have RFID chips in them.
What planet have you been hiding on for the last few years ?
In the UK at least, I think most (all ?) the banks have now taken to issuing RFID (aka contactless) cards - some of them several years ago. I know because I've had "discussions" with every bank I do business with regarding having a non-contactless card.
Some have been quite OK - just told them I wanted non-contactless and they obliged.
One was willing but it needed a bit of a workaround. The lass at the other end had to issue a new card (they've cancelled the old one as they'd detected fraud), then cancel that, and only then send a new non-contactless replacement !
And one point blank refused - so I told them "in that case your card won't be in my wallet".
And as to the outright lies they tell. The good old one is "you'd get your money back if it's fraud". Yeah right. I know someone who's been on the receiving end of that "guarantee". Like heck did he get his money back. He was unlucky enough to have his account emptied (well run up to its overdraft) just after pay day. They sent a long list of transactions and he had to identify the ones that weren't his - but they wouldn't take his word for it, he had to "prove" that it wasn't him as the money was spent locally. Some he could prove from work timesheets - commercial driver so he could prove he was elsewhere. But for some he couldn't. The police were useless - well actively obstructive. He observed that a significant amount had been spent on food and drink, so he asked the copper if he'd contacted the establishments to ask them to retain any CCTV that might show the criminal at work. The copper responded along the lines of "when I get round to it", but when my mate said he was going to go round and ask them, the copper threatened to arrest him for interfering with a police investigation !
And given that security researchers have proved (not suggested, but actually proved) that bank (and in particular, card) security has holes - yet the banks still persist in their 100% secure lie ...
Pop over to https://www.lightbluetouchpaper.org/ and you'll find some interesting and quite frankly frightening news.
Card fraud is a possible cost.
Dealing with cash is a definite, rather high, cost.
Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that.
Also, doesn't the government love the fact that all electronic transactions are traceable?
We have financial interest and we have political interest. That will over-ride the fraud costs, which in the end, everyone pays through higher fees or higher transaction fees charged by the bank to the merchant and passed on to the customer in higher prices.
Certainties in life: Death, Taxes and Theft inc. card fraud
"Dealing with cash is a definite, rather high, cost."
Probably less than fraud or can you cite otherwise?
"Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that."
Credit/debit card Merchant service companies charge me between 2.5 and 4% so not such a small cut!
For cash, businesses do get charged a handling fee by the banks. My bank charges 0.5% to pay in bank notes, coins are a lot more. Not sure about withdrawals.
"Also, doesn't the merchant pay a small cut of each transaction? Cash doesn't provide that."
Business banking isn't free. The banks get their cut of the transaction when the business deposits the takings and/or "buys" the bags of coins. But that cut probably isn't big enough for them, especially since so many shops offer "cash back" as a way of "getting rid" of cash to reduce the banking fees.
Don't know where you are but the market shift to contactless payments (from magnetic stripe) where I am has reduced card-based fraud by nearly two thirds.
Hardly surprising, one of the big things chip-and-pin and contactless did was require merchants to invest in new card readers, which were designed to be taken to the customer and hence the card didn't leave the sight of its user/owner...
Magstripes suck. Moving to chips can only improve the situation. Contactless as it is still a bit young. Thing is, it's rather limited (a handful of payments without entering a PIN, up to a low ceiling - yes, there were initial bugs with those, they've been ironed out a while ago).
So all in all, right now, it seems that even if fraud *could* work easily on contactless, it's unlikely it *would*, as it couldn't provide much ROI to the fraudster before being noticed.
They seem to be turning now to direct attacks on online bank accounts, accessed via phishing, data leaks, and others.
The reason why banks are okay with paying? Because it's cheaper. Devising an unbreakable scheme would cost a lot, first in development and deployment, then in lost business. "Unbreakable" rarely goes together with "easy to use", and customers would just start using shiny beads and seashells rather than be subject to a DNA test before buying a beer.
"Don't know where you are but the market shift to contactless payments (from magnetic stripe) where I am has reduced card-based fraud by nearly two thirds."
Most of the civilised world has only used mag stripe as a next to last resort fall back since chip'n'pin was introduced (which admittedly has its own issues)
When you use direct debit be it via a proximity RFID chip in the card or physically inserting the card and using chip & PIN, you are not handing the merchant the credentials needed to draw against your accounts. What you are doing is giving the bank permission to send an identified merchant a specified amount of dosh for a specific purchase at a specific place and time. Yes your purchases and buying habits are being analysed and tracked, which (aside from being more than a little scary) is also used to help detect fraud against the bank, and to a lesser degree, you.
As pointed out by others, the bank refunds fraud victims when it is their system that has been compromised; "chip and PIN" was introduced to lessen the bank's liability and increase the onus on you. There are many people (especially millennials) who don't seem to understand this concept. They hand their bank card to a mate and give out their PIN without much thought to the fact that they are responsible. If the bank discovers that you compromised security the likelihood of getting compensated for a fraudulent transaction is reduced.
> I send them money but don't give them my credit card details.
But are you aware of the amount and nature of personal information (about you) that PayPal transmits to the merchant? I implemented a merchant solution some years ago and we were basically getting the entire contents of the user's profile: name, address, phone number, email, the lot. Our API would throw all that away as we had no need for it and didn't want any data protection headaches plus we took pride in respecting our customers' privacy. However, I am not sure every other business is the same, so I stopped using PayPal after that.