Debit card fraud using pin

bert&ernie

You didn't, but the point is that the SDA replay vulnerability affects offline transactions.

SDA and DDA are methods for authenticating the card offline using PKI cryptography within the terminal.

AC generation is separate to this and uses symetric keys, except in the case of CDA cards.

Casa_125

dung_a82 wrote: »

Before, banks used to be able to refuse refunding on payments authorized by CHIP & PINS. However, after 1st November 2009, where a customer claims that an unauthorised transaction has taken place, the bank must refund the amount unless they can show some good reason why they need to investigate the claim (According to FSA announcement 2009). This is also stated in The Payment Services Regulations 2009 (published by HM Treasury in Oct 2009). According to the Regulations, if the user denies having authorised an executed payment transaction, the
use of a payment instrument recorded by the payment service provider is not in itself necessarily sufficient to prove the payment transaction was authorised by the payer (regulation 60) - which means the genuine card along with CHIP & PIN would not be enough for bank to refuse your claim.

It also states that it is the responsibility of banks to prove the payment transaction was authenticated and also request banks to immediately refund the amount of the unauthorised payment transaction to the payer and where applicable, restore the debited payment account to the state it would have been in had the unauthorised payment transaction not taken place (regulation 61). In this case, it is quite straightforward, if your son was at home while the card was used abroad then it is unlikely for the bank to prove the payment was authenticated by your son.

Therefore, unless you act fraudulently (which is a criminal offence) or fail to report the transactions after 13 months of the unauthorized transaction date (in these two cases, you will be liable for all losses), regardless of whether you use debit card or credit card (credit card does not have more protection than debit card like lots of people thought), card not present or present, you are only liable for a maximum of £50 (regardless whether you are careless or not...) (regulation 62).

My suggestion would be writing to the banks and kindly remind them of the regulations they have to comply with. Be very persistent with them and if refunds are refused, further actions would be contacting and seeking help from some organisations like Money Mail... where the last resolution would be FSA. Good luck! My experience with banks generally is quite good though!

Hello, thanks so much for your time in posting this information. We will be very persistent especially with this new ammunition! The complaint my son has put in has been acknowledged by Santander, they say they will write back but give no timescale.

Casa_125

dung_a82 wrote: »

To my opinion, those authentications are too jargon for almost all of the normal users, except banks and EMV designers. I doubt that any of the customer representatives you speak to would have any ideas of whether the cards their bank issued would have dynamic capability or not. So my point here is instead of waiting time finding the right technical person, arguing to find out which authentication it is, with the new regulations, it is the bank's jobs to prove that the transaction was authenticated by the user not the user's job himself, and if they could not do that, they must immediately refund the amount (exact words as in the regulation). A quote from FSA: "A bank can only deny an immediate refund if it has actual proof the customer behaved fraudulently". Your job is only sticking with the idea that your claim is genuine and that the transactions are not authenticated by you and you simply do not know and do not need to know how the frauds happened - it is simply the job of the authority and the banks to find out how, and that you take full responsibility with the laws for your claim. With Santander, they used to refund along with extra compensation and apology to their customers for not refunding earlier a fraudulent money withdrawal transaction (sourced Money Mail 09th March 2011). So, there is history cases and it is not like you are the only person out there that had the problem. Before, banks used to be self regulated and could choose to voluntarily subscribe to Banking Code, of which section 12.5 defines your liability and force you to have "reasonable care" in its T&Cs and you lost when you do not have "reasonable care". However, from November 2009, FSA began to regulate banks and building societies to promote more fairness to consumers. And you got protected by the law even if you are careless, losing your card with your wallet and keeping a note of your PIN in that wallet. If your refund is still refused, take the case to Financial Ombudsman as the last friendly attempt.

More detail on all the steps to complaint against banks:

fsa.gov.uk/pages/consumerinformation/if_things_go_wrong/who_to_complain_to_1-2-3/index.shtml

This is music to our ears, will strive on for justice and keep updating on here as and when there are developments. Thank you!:T:T

bigmike20vt_2

omg I am sorry to hear that. I just posted exactly the same thing in this forum

it happened to me 1.5 weeks back in puerto banus

Barclays refunded me the money initially, read my report and then promptly took the money back again.

so sorry

Casa_125 wrote: »

Hello,
Any advice gratefully received. My 21 yr old son used his debit card in a bar in Maspalomas, Gran Canaria whilst on holiday with a group of mates. When he returned home he discovered there were 4 fraudulent transactions which had cleaned his account out.

dung_a82

Casa_125 wrote: »

This is music to our ears, will strive on for justice and keep updating on here as and when there are developments. Thank you!:T:T

Very happy to help! And please do update us with yours. I also think trying to get public media involved would also be quite good. The Money Mail has a section called ask the expert. You might find that helpful as well. And you definitely have a story for them lol.

The article I mentioned in above posts:
thisismoney.co.uk/money/cardsloans/article-1714572/Banks-ignore-rules-on-chip-and-Pin-fraud.html

My cousin also lost his wallet in Italia. However, he realized that and reported it to banks quite quick, so it is not much hassling to claim his money back.

Casa_125

dung_a82 wrote: »

Very happy to help! And please do update us with yours. I also think trying to get public media involved would also be quite good. The Money Mail has a section called ask the expert. You might find that helpful as well. And you definitely have a story for them lol.

The article I mentioned in above posts:
thisismoney.co.uk/money/cardsloans/article-1714572/Banks-ignore-rules-on-chip-and-Pin-fraud.html

My cousin also lost his wallet in Italia. However, he realized that and reported it to banks quite quick, so it is not much hassling to claim his money back.

Thanks for the link! we are gathering information all the time, still awaiting a response to the complaint, not sure how long that will be. If they refuse a refund on the fraudulent transactions we will keep pursuing, using all the helpful hints and advice given so far on this thread. Determined to get a result however long it takes.

paulclev

Hello Casa 125,

Did you and your son get anywhere in the end? I find my self in an almost exactly the same situation..

Regs

Paul