Only if the debit card is backed by a credit card company (and thus has their logo on the card). Granted, I think nearly all do at this point, but it is a distinction that has the potential to matter.
Another point about PINs is that in most situations where you’d use the PIN, there will also be a camera on you. So if you steal a debit card and try to brute-force the PIN, not only will you lock out the card, but the bank (and shortly thereafter, the police) will also know what you look like.
You have a 3-in-10000 chance of getting it right before you get locked out. It’s not even remotely foolproof, but it stops a casual thief who finds a card and tries to cash in dead in his tracks. That’s all it’s supposed to do.
The “system” is not that stupid.
Right. On my VISA/MC branded debit cards I usually can either provide a PIN as for an ATM card, or provide a signature (with ID presented to compare signature) as for a traditional credit card. On my traditional bank cash card I must always use PIN. Some merchants will accept a non-VISA/MC bank cash card for POS transactions, others will not.
Maybe so, but Europe is the reason the PINs are only 4 digits long. Citibank and other US Banks used to have 6 digit PINs (obviously a bit tougher to guess). Just before I went to Bermuda my bank manager told me that I have to change my PIN to 4 digits if I want to use it internationally, as the Europeans only use 4 digits and their ATMs will reject uour 6 digit PIN. Bermuda follows the European model.
Yes, if it’s a Visa or Mastercard-branded debit card like most banks issue these days. It can be used either way. The “advantage” is that you can use the card as a credit card in places that aren’t set up for ATM-type payments - e.g. at a hotel or clothing store, or you can use it as a debit card at places that allow it (and you can even get cash back) - like the grocery store.
Sounds like whoever got your niece’s card number did not shop at places that ask for the card verification number (the 3-digit code on the back of the card). Apparently the merchant fees are a bit lower if you forego that level of protection, but the merchant has more risk of chargebacks.
It’s also possible that someone had installed a man-in-the-middle device at the ATM she used. They put their own card reader doohickey in front of the actual one, and hide a camera somewhere that can see what buttons are pushed for the PIN. Then they use the scan of the card to make one of their own, and use it just like she would have with the real one.
Yes and no. The problem is not how secure the password is if after three false entries the card is locked. (Not all banks do this actually, however).
The real problem - besides putting a hidden camera together with the swipe reader as mentioned by Chronos - is that the PIN is stored in encrypted form on the magnetic stripe itself, although it shouldn’t be. For years the Banks claimed that this encryption was mega-super-duper-safe and could not be cracked by anybody ever, so anytime a card was stolen or copied, the courts ruled against the victim.
But then several tech magazines showed that with modern computers, it’s doable to crack the algorithm, and in the past years, copying the card by swipers (a small slot over the ATM, transmitting data over wireless to a laptop in a car parked nearby; the data from the magnetic stripe is then copied onto a blank card, which with the criminals go shopping for high-price goods in Eastern Europe) has risen dramatically. The technical solution against that would be a seperate chip on the card which can’t be copied that way, but banks don’t want to spend the money as long as the customers bear the burden of the fraud because the courts declare “You must have been careless and written down your PIN, because there is no other way for criminals to get it”.
As soon as the courts change it to “The bank is at fault for not hindering the criminals ‘swiping’”, I expect to see a change in cards.
It’s not uncommon, and can even happen at stores - a chain craft store was hit with a wave of multiple compromised card readers at checkouts that stole thousands of credit card numbers. Some banks like Chase recommend you try to feel the slot of the ATM to see if it feels weak/wobbly/otherwise wrong, which may indicate that a thief installed a fake card slot over top of the real one.
Can you provide a cite for that? I’m 99% sure that’s not the case. If for no other reason, it that was the case, why can I change my PIN over the phone?
NETA: constanze, I see you’re in Germany, it could very well be different over there. In the US, I don’t believe the PIN is stored on the card. Another reason I believe this to be the case is that if you enter the PIN incorrectly at a POS, it won’t tell you until after it dials out/connects to the server as opposed to as soon as you hit enter. If the PIN was stored on the card, it would be able to tell you instantly.
On a related topic, my local supermarket has just stopped requiring PINs or signatures for purchases under $35. So now you can steal a card and make small purchases on it with no security whatsoever until the card is stopped.
Apparently the speed advantage is worth more to them than the security.
Most of the places around here do so as well. however, at least one gas station changed back to the old way. I guess they got burned too often.
The banks are not supposed to, and they claim they don’t do it, and that’s why they connect from the ATM to the bank server and check the sum there.
But “Ratgeber Technik” and other magazines did show a hacker using a computer and card reader, but no connection to the bank, cracking the code and extracting the PIN from the card itself, despite the banks promising up and down that the PIN wasn’t on the card, no, it’s secure at the server!
So what the banks tell you, and what reality is, may be two different things.
You’re right, but if were simply a “bank card” and not backed by Visa, MC, etc., I don’t think it would be able to be used online at all.
I used my Visa credit card with a five-digit PIN in Italy. So I guess they added some flexibility since then. My MasterCard still doesn’t have a PIN attached to it, but I’ll have to check whether it’s possible to add one, as I find it more practical than a signature.
As for online purchases, both these credit cards have a password linked to them that in theory I have to use when buying something on the net. Though I’m not asked for them every time.
My debit card (like most Canadian debit cards) isn’t linked to Visa or MasterCard’s networks, but to Interac’s. It’s also possible to use it on the PLUS network.
Another reason I ask is that federal benefits can no longer be received by check. I was reading up on the debit cards they use, and according to the terms of service, the card holder can be liable for $500 or MORE if the card is used fraudulently with the pin and for whatever reason, the recipient isn’t aware right away and fails to report it. Seems like that would be a great deal for the issuing bank - and a nightmare for the cardholder if pin numbers can actually be harvested somehow.