Debit card fraud using pin

Comments

  • bert&ernie
    bert&ernie Posts: 1,283 Forumite
    We agree on this. My view of the situation is that the bank misleads customers by selling them a debit card then 'magically' making it function as a credit one in order to pocket the fees from the transaction and/or charges from the resultant 'unarranged' overdraft. In any event, you won't have a contract with Visa, so you can't really claim against them for anything.

    Unlike a bounced check/direct debit, a refused debit card transaction doesn't really cost the bank anything, so there is no way to justify it. If the likes of Santander aren't happy with their contracts with Visa (or Mastercard as the case might be), they can try setting up their own payment systems...

    There isn't really any difference between a debit card and a credit card - except the interchange fee. With both types of cards, the bank is free to set its own authorisation parameters.

    Just as banks sometimes honour cheques, standing orders and direct debits that take a customer over an agreed overdraft limit, they allow this to happen with debit cards. They generally do this as a courtesy to the customer because most people don't like to look like a fool in the shop when their card is declined.

    They do charge you for the privilege, but it's not really that hard to avoid.

    Most current account products make it pretty clear that it's your responsibility to ensure that funds are available to cover the payments you request.

    Anyway, I think we are in danger of confusing the OP with this - it needs to be made clear that this is a quite separate argument to the transactions being fraudulent.

    In order to make this argument, I think you would need to first accept that the transactions were not fraudulent. You would therefore have to accept that the cardholder had had the benefit of the moneys transferred. Sure, you might convince a judge that any charges should be refunded, but I think it would be a push to suggest that the transaction be reversed.
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
  • meer53
    meer53 Posts: 10,217 Forumite
    Casa_125 wrote: »
    Hello, just reading through all the info and didn't spot this post first time around! My son only used the card on that date 21st June, and made 2 transactions on his Visa debit card using the pin. It would be very interesting to know if the following 4 fraudulent transactions reported on the Santander system and if not, why? The bank do have his mobile number as they called him the day after he discovered the fraud to ask when he would be putting his account back into credit!!


    Not every transaction reports on the fraud detection system. They will be able to tell you if it did, but on our system, the information only stays on for 2 weeks, don't know which system Santander uses.
  • Casa_125
    Casa_125 Posts: 29 Forumite
    meer53 wrote: »
    The problem the OP's son has is that his bank will look at the circumstances of the "unauthorised" payments and regardless of whether he made them or not, he will have a hard time proving that he didn't. He was in a bar, used his card for 2 transactions, authorised these by inputting his PIN, then 2 more transactions, in the same bar, also verified by PIN which he denies making. I've seen this situation so many times before and it is usually a case of either the customer not checking the amount they're agreeing to before inputting the PIN or the card being used by someone else and replaced without the customer's knowledge. It will not be a counterfeit card, you never see counterfeit transactions made at the same retailer where the details were compromised, plus in this case, there wasn't time for this to happen and the PIN was used. In the 17 years I've worked in Fraud I've never seen a counterfeit card (and I've seen thousands) which was chip read.
    I hope the OP's son does get his money back but I feel Santander will dig their heels in. They have to use the information they have available to them which all points to negligence on the customer's part. Sorry, but this is how they will look at it.

    You are right that the information they have points to negligence and we cannot escape that assumption. We feel they have been negligent as well, especially in allowing the 6th transaction in the bar to go through for 1000 euros. Remember the bank did not know my son was abroad, so you would have thought that unusual pattern of spending should have flagged on their system, especially as it put him over £300 overdrawn when he does not even have an overdraft facility.
  • masonic
    masonic Posts: 26,929 Forumite
    We agree on this. My view of the situation is that the bank misleads customers by selling them a debit card then 'magically' making it function as a credit one in order to pocket the fees from the transaction and/or charges from the resultant 'unarranged' overdraft. In any event, you won't have a contract with Visa, so you can't really claim against them for anything.

    Unlike a bounced check/direct debit, a refused debit card transaction doesn't really cost the bank anything, so there is no way to justify it. If the likes of Santander aren't happy with their contracts with Visa (or Mastercard as the case might be), they can try setting up their own payment systems...
    You seem to be assuming that the Visa prohibits this behaviour and the banks are in breach of their agreement with Visa. I don't think that's the case. I don't think Visa has any problem with the way the banks process Visa transactions and what Visa has written on its website is not accurate. You can't take your bank to court over potentially misleading comments made by Visa. Your bank isn't responsible for those comments.
  • dung_a82
    dung_a82 Posts: 25 Forumite
    edited 28 July 2011 at 12:28AM
    Before, banks used to be able to refuse refunding on payments authorized by CHIP & PINS. However, after 1st November 2009, where a customer claims that an unauthorised transaction has taken place, the bank must refund the amount unless they can show some good reason why they need to investigate the claim (According to FSA announcement 2009). This is also stated in The Payment Services Regulations 2009 (published by HM Treasury in Oct 2009). According to the Regulations, if the user denies having authorised an executed payment transaction, the "use of a payment instrument recorded by the payment service provider is not in itself necessarily sufficient to prove the payment transaction was authorised by the payer" (regulation 60) - which means the genuine card along with CHIP & PIN would not be enough for bank to refuse your claim.

    It also states that it is the responsibility of banks to prove the payment transaction was authenticated and also request banks to immediately refund the amount of the unauthorised payment transaction to the payer and where applicable, restore the debited payment account to the state it would have been in had the unauthorised payment transaction not taken place (regulation 61). In this case, it is quite straightforward, if your son was at home while the card was used abroad then it is unlikely for the bank to prove the payment was authenticated by your son.

    Therefore, unless you act fraudulently (which is a criminal offence) or fail to report the transactions after 13 months of the unauthorized transaction date (in these two cases, you will be liable for all losses), regardless of whether you use debit card or credit card (credit card does not have more protection than debit card like lots of people thought), card not present or present, you are only liable for a maximum of £50 (regardless whether you are careless or not...) (regulation 62).

    My suggestion would be writing to the banks and kindly remind them of the regulations they have to comply with. Be very persistent with them and if refunds are refused, further actions would be contacting and seeking help from some organisations like Money Mail... where the last resolution would be FSA. Good luck! My experience with banks generally is quite good though!
  • Olipro
    Olipro Posts: 717 Forumite
    To ascertain whether or not he genuinely did or did not use his card for additional fraudulent transactions will come down to the transaction type that was used in the first place; if the original transaction was PIN verified with SDA (Static Data Authentication) then a replay attack is highly plausible and possible, especially since these charges have originated from the same merchant.

    On the other hand, if it was a DDA transaction (Dynamic) then there is unfortunately no way that the subsequent transactions, provided they also are DDA could have been fraudulent; you cannot clone DDA information because a cryptogram must be generated by the smartcard in order to authorise the transaction, and every new transaction results in a brand new cryptogram, you cannot replicate this unless you have managed to obtain the issuer's private key, which, if you had, you would have far bigger fish to fry than merely targeting individuals at a bar.

    You should determine exactly what sort of transaction it was, and if Santander aren't proving cooperative, go to the FOS.
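
An added example, not part of Olipro's post or of any EMV specification: a toy model of the static versus dynamic card-authentication check described above, showing that a recorded static signature still verifies later while a recorded dynamic one fails against a fresh terminal challenge. It models only that check, not online authorisation; the keys, PAN and function names are constructed, and HMAC stands in for the RSA signatures real cards use.

```python
import hashlib
import hmac
import secrets

# Constructed keys. HMAC-SHA256 stands in for the RSA signatures real EMV
# cards use, so this terminal shares keys it would only hold public halves of.
ISSUER_KEY = b"constructed-issuer-key"
CARD_KEY = b"constructed-card-key"


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Card:
    def __init__(self, pan: bytes):
        self.pan = pan
        # Static: computed once when the card is issued, never changes.
        self.static_sig = sign(ISSUER_KEY, pan)

    def dynamic_sig(self, challenge: bytes) -> bytes:
        # Dynamic: computed inside the chip over the terminal's fresh challenge.
        return sign(CARD_KEY, self.pan + challenge)


def terminal_accepts_static(pan: bytes, static_sig: bytes) -> bool:
    return hmac.compare_digest(static_sig, sign(ISSUER_KEY, pan))


def terminal_accepts_dynamic(pan: bytes, challenge: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sig, sign(CARD_KEY, pan + challenge))


def replay_outcomes() -> dict:
    card = Card(b"4000000000000002")  # constructed test PAN
    # Transaction 1: genuine card present; an observer records both responses.
    challenge_1 = secrets.token_bytes(8)
    recorded_static = card.static_sig
    recorded_dynamic = card.dynamic_sig(challenge_1)
    # Transaction 2: the terminal issues a new challenge; only recordings exist.
    challenge_2 = secrets.token_bytes(8)
    return {
        "genuine_dynamic": terminal_accepts_dynamic(card.pan, challenge_1, recorded_dynamic),
        "replayed_static": terminal_accepts_static(card.pan, recorded_static),
        "replayed_dynamic": terminal_accepts_dynamic(card.pan, challenge_2, recorded_dynamic),
    }


if __name__ == "__main__":
    print(replay_outcomes())
```
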
  • dung_a82
    dung_a82 Posts: 25 Forumite
    edited 28 July 2011 at 10:18AM
    In my opinion, those authentications are too jargon-heavy for almost all normal users, except banks and EMV designers. I doubt that any of the customer representatives you speak to would have any idea of whether the cards their bank issued would have dynamic capability or not. So my point here is instead of wasting time finding the right technical person, arguing to find out which authentication it is, with the new regulations, it is the bank's job to prove that the transaction was authenticated by the user, not the user's job himself, and if they could not do that, they must immediately refund the amount (exact words as in the regulation). A quote from FSA: "A bank can only deny an immediate refund if it has actual proof the customer behaved fraudulently". Your job is only sticking with the idea that your claim is genuine and that the transactions are not authenticated by you and you simply do not know and do not need to know how the frauds happened - it is simply the job of the authority and the banks to find out how, and that you take full responsibility with the laws for your claim. With Santander, they used to refund along with extra compensation and apology to their customers for not refunding earlier a fraudulent money withdrawal transaction (sourced Money Mail 09th March 2011). So, there are historical cases and it is not like you are the only person out there that had the problem. Before, banks used to be self regulated and could choose to voluntarily subscribe to Banking Code, of which section 12.5 defines your liability and forces you to have "reasonable care" in its T&Cs and you lost when you did not have "reasonable care". However, from November 2009, FSA began to regulate banks and building societies to promote more fairness to consumers. And you are protected by the law even if you are careless, losing your card with your wallet and keeping a note of your PIN in that wallet.
    If your refund is still refused, take the case to Financial Ombudsman as the last friendly attempt.

    More detail on all the steps to complain against banks:

    fsa.gov.uk/pages/consumerinformation/if_things_go_wrong/who_to_complain_to_1-2-3/index.shtml
  • bert&ernie
    bert&ernie Posts: 1,283 Forumite
    Olipro wrote: »
    To ascertain whether or not he genuinely did or did not use his card for additional fraudulent transactions will come down to the transaction type that was used in the first place; if the original transaction was PIN verified with SDA (Static Data Authentication) then a replay attack is highly plausible and possible, especially since these charges have originated from the same merchant.

    On the other hand, if it was a DDA transaction (Dynamic) then there is unfortunately no way that the subsequent transactions, provided they also are DDA could have been fraudulent; you cannot clone DDA information because a cryptogram must be generated by the smartcard in order to authorise the transaction, and every new transaction results in a brand new cryptogram, you cannot replicate this unless you have managed to obtain the issuer's private key, which, if you had, you would have far bigger fish to fry than merely targeting individuals at a bar.

    You should determine exactly what sort of transaction it was, and if Santander aren't proving cooperative, go to the FOS.

    It isn't really relevant what type of offline card authentication method applies in this case as the transactions would have been authorised by the bank online.
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
  • meer53
    meer53 Posts: 10,217 Forumite
    PSD does state that a bank should refund immediately if a customer states they have fraudulent transactions on their account. However, that refund can be removed if the bank can prove that the cardholder acted negligently. The cardholder is not guaranteed to keep the refund applied at the start of the investigation.

    The OP's son was in the bar where the "fraud" took place, he had previously used his card and PIN in the same bar earlier in the evening.
  • Olipro
    Olipro Posts: 717 Forumite
    bert&ernie wrote: »
    It isn't really relevant what type of offline card authentication method applies in this case as the transactions would have been authorised by the bank online.

    And where exactly did I say anything about the transaction being offline? The issue of a transaction being SDA or DDA has nothing whatsoever to do with it being online or offline. A card capable of DDA can generate an ARQC online and offline, the authentication method is still DDA regardless.

    The same applies to SDA.
This discussion has been closed.