We’ve got emails from several people complaining that after their card had been stolen, someone did a fraudulent transaction on it — without knowing the PIN. In some cases the victim had never used the card in a retail transaction and didn’t know the PIN.
An article in yesterday’s Daily Mail hints at how. In technical language, you read the card, which gives you everything except the MAC key. You now write this data to a fresh card, for which you know the PIN. If this clone card is used in an offline terminal, the transaction will go through and the log will show the PIN was correctly entered: an offline terminal lets the card itself check the PIN and has no way to verify the MAC, so nothing at the point of sale detects that the card lacks the genuine key. The moral, I suppose, is that customers in dispute with their banks should demand that the banks disclose the MAC key and show that the MAC on the transaction log was correct. Whether their systems support this is of course another story.
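The check the post says a bank should be able to demonstrate, as an added illustration that is not part of the original post and not real EMV code: an offline terminal records "PIN OK" for both a genuine card and a card that carries the copied data but a different key, while an issuer-side recomputation of the MAC with the key on file accepts only the genuine one. HMAC-SHA256 over a canonical serialisation stands in for the card's real transaction cryptogram, and the PAN, keys and amounts are constructed values.

```python
"""Simplified model: what an offline terminal log shows vs. what the issuer can verify.

Constructed example. The MAC here is HMAC-SHA256 over a canonical JSON
serialisation of the transaction fields; a real card uses a different
cryptogram construction, but the property demonstrated is the same: only
the holder of the card's MAC key can produce a MAC the issuer will accept.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


def canonical(txn: dict) -> bytes:
    """Deterministic serialisation so card and issuer MAC the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Card:
    pan: str
    mac_key: bytes   # secret: stays inside the card, readable data never includes it
    pin: str         # in offline PIN mode the card itself checks the PIN

    def verify_pin(self, candidate: str) -> bool:
        return hmac.compare_digest(self.pin.encode(), candidate.encode())

    def cryptogram(self, txn: dict) -> str:
        return hmac.new(self.mac_key, canonical(txn), hashlib.sha256).hexdigest()


def offline_terminal(card: Card, pin_entered: str, amount: int,
                     terminal_id: str, seq: int) -> dict:
    """Offline terminal: asks the card to check the PIN and stores whatever
    cryptogram the card returns. It holds no MAC key, so it cannot tell a
    genuine cryptogram from one made with the wrong key."""
    txn = {"pan": card.pan, "amount": amount, "terminal": terminal_id, "seq": seq}
    if not card.verify_pin(pin_entered):
        return {"approved": False, "pin_ok": False, "txn": txn, "mac": None}
    return {"approved": True, "pin_ok": True, "txn": txn, "mac": card.cryptogram(txn)}


def issuer_check(log_entry: dict, issuer_keys: dict) -> bool:
    """Issuer-side check: recompute the MAC with the key on file for the PAN.
    This is the evidence the post suggests a bank should be able to show."""
    txn = log_entry["txn"]
    key = issuer_keys.get(txn["pan"])
    if key is None or log_entry["mac"] is None:
        return False
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, log_entry["mac"])


# Constructed values: a well-known test PAN and made-up keys.
PAN = "4111111111111111"
GENUINE_KEY = b"issuer-personalised-key-for-this-card"
OTHER_KEY = b"some-other-key"   # a card written without the genuine key


def demo() -> dict:
    genuine = Card(PAN, GENUINE_KEY, pin="1234")
    # Same readable data (PAN) but not the genuine MAC key, and its own PIN.
    cloned = Card(PAN, OTHER_KEY, pin="0000")
    issuer_keys = {PAN: GENUINE_KEY}

    log_genuine = offline_terminal(genuine, "1234", amount=4999, terminal_id="T1", seq=1)
    log_cloned = offline_terminal(cloned, "0000", amount=4999, terminal_id="T1", seq=2)

    return {
        "genuine": log_genuine,
        "clone": log_cloned,
        "genuine_issuer_ok": issuer_check(log_genuine, issuer_keys),
        "clone_issuer_ok": issuer_check(log_cloned, issuer_keys),
    }


if __name__ == "__main__":
    r = demo()
    for name in ("genuine", "clone"):
        print(f"{name}: terminal approved={r[name]['approved']} pin_ok={r[name]['pin_ok']}")
    print("issuer MAC check, genuine:", r["genuine_issuer_ok"])
    print("issuer MAC check, clone:  ", r["clone_issuer_ok"])
```

Both terminal log entries read "approved, PIN OK", which is exactly the evidence a bank would be quoting in a dispute; only the issuer-side recomputation distinguishes them, and it depends on the bank actually keeping and checking the MAC rather than the terminal's PIN flag.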