A warning that urges readers to enter an incorrect PIN when using a card reader to help distinguish between counterfeit card readers and real ones would only work in very specific circumstances, and doesn’t address some of the more common types of card fraud.
The warning below urges readers to enter an incorrect PIN number when using a card reader to see if the card reader correctly rejects a PIN. According to the warning, a counterfeit machine will not reject the PIN and will produce a receipt, while a real machine will reject the PIN. An example can be seen below –
This is from a friend who just had all her bank accounts emptied after she paid a taxi driver with her debit card. She wanted to pay with her credit card but he asked for another method because he didn’t want to pay the 4% visa fee. “Received some great advice from the police today that I want to share: whenever you are asked to use debit instead of credit for whatever reason, first fully enter in the wrong PIN. If it is a counterfeit machine it will pseudo process the payment and produce a receipt. An authentic machine will reject the PIN and request a “try again” of some sort. Help spread the word, as the police tell me this type of fraud is becoming increasingly prevalent.”
There are three main issues with the warning.
1. A “skimming device” placed on a legitimate machine could steal the card details but have no effect on card authorisation.
2. A counterfeit machine could still reject an incorrect PIN number if authorisation is performed locally.
3. The warning ignores more common types of card fraud, and there is no evidence that such a technique described in the message above is becoming popular.
The issue with the above warning is that it doesn’t address some of the more popular types of card fraud, in particular credit card skimming using otherwise legitimate card readers. This is where a small device is placed onto an otherwise legitimate card reader (or ATM) that is able to extract important information from a debit or credit card, such as the card number and expiry date.
Because the card reader itself is legitimate, it will accept or reject a PIN number as expected, but the victim’s card information is still stolen and can be used in any future attempt at committing fraud. As such, the tactic of entering an incorrect PIN is rendered pointless and ineffective.
Sponsored Content. Continued below...
Another aspect this above warning doesn’t consider is that some Chip & PIN debit or credit cards are capable of authenticating themselves locally, meaning they do not need to contact a central server belonging to the bank. Instead they use an encrypted version of the PIN stored on the card’s secure chip to authenticate locally (for example, when using the small card devices many people have to authorize an online payment) meaning a counterfeit machine could still reject an invalid PIN when entered. (To be clear, that would not mean the device knows the PIN, since the card is essentially validating itself.)
The warning above could potentially work if the would-be crook was using a replica card-reader that was designed to look and act like a real card reader, but was essentially just a skimming device, and the device is not capable of allowing chip and PIN cards from authenticating locally. Such a scenario, however, relies on a several specific factors all being true.
Sponsored Content. Continued below...
It would be far more prudent in cases like this to look for more reliable ways of determining if you are a would-be victim of card fraud, many of which you can read about in this article here. In relation to taxi’s (as mentioned in the above warning) the best advice would be to only use registered taxis displaying the relevant medallion and licensing information.
But constantly entering your PIN incorrectly when using card readers isn’t going to prove a reliable method of detecting if you’re going to be scammed.