Bank Fraud! Santander!!!

jamesd

Don't be more certain than you actually are about the location of the card. You might normally have the card with you but are you really certain that it was in your possession at the time of these withdrawals? Maybe it was instead with a family member or co-worker who lifted it from your pocket and returned it, say?

You should instead tell Santander that you did not make the withdrawals and ask them to:

1. Check the camera recordings so they can see that it is not you and perhaps identify who has defrauded them.
2. Say whether the PIN was used and whether the ancilliary information for PIN use confirms the specific card normally in your possession was used or not.
3. Note that since you didn't make the withdrawals your intent if necessary is to take the matter to the FOS but you much prefer them to do a better investigation now than waiting until the FOS says they have to, since that saves them and you cost and hassle.

A bank has to prove that the customer did it, merely claiming that it was the customer is not sufficient.

grumbler

The problem is that a video record for an ATM doesn't prove anything in most cases.
If it wasn't the suspect who took the money, this doesn't prove that the suspect wasn't involved. And it's very easy to cover the face if someone wants to remain incognito when stealing money.

noob33294

Thanks again guys for the extremely informative posts!

Card has been cancelled for me by santander so thats great and its just arrived today (very quick delivery indeed!). I shall be getting a new pin hopefully as stated in the letter.

Yeah to re-itterate, i dont do online banking as im not that tech minded and normally just see my statements via letters. As soon as i noticed it i called up but somehow i failed security so i had to take id to the bank to confirm! So i did that the next day and i got my claim processed. The very next day they said sorry we're not going to pursue this further and i was shocked at the extremely 'brilliant' customer service.

I shall be definitely appealing and i am in the process of sorting this out. What i also found which i didnt really pay attention to was that i spent £25 in wickes which i never go to as screwfix is cheaper and closer! So i think someone may have cloned the card and pin... Anyway no money taken out as of yet and ive been keeping a good eye on it.

Hopefully CCTV at the atm where the cash was withdrawn should prove the fact that the money has been stolen.

Hazzanet

TurnUpForTheBooks wrote: »

Yeah yeah, but how do you get cash from the machine if your card has no CHIP (I have an Electron card like that). And how do you get cash from a machine if your card has a chip but the ATM has no CHIP reader? Or if the CHIP is damaged and the CHIP reader can't read it? Has anyone ever heard of an ATM machine saying "Can't read the CHIP" or some such? ... I've seen "This machine is temporarily unable to dispense cash" and I have seen "Card retained - Contact your branch" but never "Come again? Can't seem to read your card, old boy!"

I've already given the link to the technical specifications, so if you're minded to, you can wade through the 800+ pages to see what happens in a fallback scenario.

This is also interesting:

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

In this paper, Ross Anderson et al at Cambridge Uni managed to intercept communication between the chip card and the card reader.

In an extremely simplified explanation, they managed to change some of the messages between the reader and card, giving the card the impression that the PIN Pad was broken and that the machine had 'fallen back' to signature processing, while at the same time giving the reader the message "PIN OK".

This caused the PIN Pad to authorise the transactions as "Verified by PIN" while advancing the transaction counter on the card and leaving the "Wrong PIN" counter at zero.

typistretired

noob33294 wrote: »

Thanks again guys for the extremely informative posts!
I shall be definitely appealing and i am in the process of sorting this out. What i also found which i didnt really pay attention to was that i spent £25 in wickes which i never go to as screwfix is cheaper and closer! So i think someone may have cloned the card and pin... Anyway no money taken out as of yet and ive been keeping a good eye on it.

Hopefully CCTV at the atm where the cash was withdrawn should prove the fact that the money has been stolen.

Keep us informed with the outcome of your appeal???

MPH80

Hazzanet wrote: »

This is also interesting:

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

In this paper, Ross Anderson et al at Cambridge Uni managed to intercept communication between the chip card and the card reader.

In an extremely simplified explanation, they managed to change some of the messages between the reader and card, giving the card the impression that the PIN Pad was broken and that the machine had 'fallen back' to signature processing, while at the same time giving the reader the message "PIN OK".

This caused the PIN Pad to authorise the transactions as "Verified by PIN" while advancing the transaction counter on the card and leaving the "Wrong PIN" counter at zero.

But notably:

In the UK, the
standard for communications between merchant terminal and
acquirer is APACS 70, Book 2 [13], which specifies that
both the IAD and CVMR must be sent. This is sufficient
information for the issuer to detect the attack, but our
results clearly show that they are not currently doing so.

So while he came up with an attack - he also points out that it's possible for the banks to detect it.

TurnUpForTheBooks_2

What no-one has picked up upon yet is that there now appear to be three cards:

1. The original card
2. The card which was used fraudulently
3. The new card

AND that the likelihood is that they were ALL issued by Santander.

If my hunch is correct, Card #2. is either (a) a replacement ordered by a fraudster and deliberately intercepted or (b) it is a renewal replacement opportunistically intercepted by a fraudster. More likely it is scenario (a) if a PIN was used because a PIN reminder or new PIN may have been requested by a fraudster pretending to be the cardholder and claiming a lost or damaged card.

Santander will probably keep quiet about Card #2. unless you press them. You may be able to sit down at a branch and ask to see the numbers of all cards issued on your account. The one you don't recognise will be Card #2.:)

Is the PIN for Card #3. a new PIN or same as previous card(s)?

MPH80

There are *possibly* 3 cards in action. We know there are definitely 2.

It's *possible* the three - if there are 3 - were issued by Santander. But if it was that there was a second card issued - why was the first one not disabled? That's what happened when the OP requested the new card.

What we know right now is:

1) The OP believes they had their card at all times
2) The OP believes no one else knows their pin
3) As of yet - it hasn't been proven that a chip can be cloned or faked in an undetectable manner
4) The vast majority of the UK's ATMs will force a read of a chip, only falling back to magstripe if they had to - but Santander would have a record of it as a 'magstripe' withdrawal which would have instantly led to a 'cloned card' assumption.
5) The pattern of transactions does not match that of a 'standard' fraudster who would expect to withdraw and run. Returning and withdrawing the same amount every time isn't normal.

These elements will lead the bank to assume that it is the OP who has made the transactions or given the card to someone who has.

There are several key points which will help the OP:

1) Request exactly which ATMs the withdrawals were made at - and ensure that the CCTV footage is obtained for those ATMs promptly. Many organisations will wipe CCTV on a 7 day or 14 day cycle.

2) Request Santander to produce the chip verification codes. Each transaction will produce a series of data exchanges between the ATM and the chip which will result in those, in theory, being stored by the bank so they can later verify them if necessary. Some banks have been known to default to 'the chip was read' when actually it wasn't and they haven't looked hard enough.

3) The OP needs to think very hard about ANYONE who could have access to their card - including their family members and coworkers. Yes the card was in their wallet - as is mine - but equally my wallet is not on me at all times. Sometimes it's on the side at home, sometimes it's in a jacket.

I still rest with the most likely explanation being a known associate who is doing this.

TurnUpForTheBooks_2

MPH80 wrote: »

There are *possibly* 3 cards in action. We know there are definitely 2.

It's *possible* the three - if there are 3 - were issued by Santander. But if it was that there was a second card issued - why was the first one not disabled? That's what happened when the OP requested the new card.

Because it was reported as "damaged" not lost or stolen perhaps? I have experienced this.

What we know right now is:

1) The OP believes they had their card at all times
2) The OP believes no one else knows their pin
3) As of yet - it hasn't been proven that a chip can be cloned or faked in an undetectable manner
4) The vast majority of the UK's ATMs will force a read of a chip, only falling back to magstripe if they had to - but Santander would have a record of it as a 'magstripe' withdrawal which would have instantly led to a 'cloned card' assumption.
5) The pattern of transactions does not match that of a 'standard' fraudster who would expect to withdraw and run. Returning and withdrawing the same amount every time isn't normal.

These elements will lead the bank to assume that it is the OP who has made the transactions or given the card to someone who has.

It isn't right though, is it, the action of the bank as described in this last sentence based on a flakey assumption? I sometimes think that bank fraud departments believe they are entitled to be detective judge and jury. They can't just say "This doesn't match a typical pattern of withdrawal by a fraudster, ergo it is not a typical fraudster, ergo it must be the cardholder or an associate of the cardholder." That's really simplistic of them, and oh so convenient for the bank

There are several key points which will help the OP:

1) Request exactly which ATMs the withdrawals were made at - and ensure that the CCTV footage is obtained for those ATMs promptly. Many organisations will wipe CCTV on a 7 day or 14 day cycle.

2) Request Santander to produce the chip verification codes. Each transaction will produce a series of data exchanges between the ATM and the chip which will result in those, in theory, being stored by the bank so they can later verify them if necessary. Some banks have been known to default to 'the chip was read' when actually it wasn't and they haven't looked hard enough.

3) The OP needs to think very hard about ANYONE who could have access to their card - including their family members and coworkers. Yes the card was in their wallet - as is mine - but equally my wallet is not on me at all times. Sometimes it's on the side at home, sometimes it's in a jacket.

I still rest with the most likely explanation being a known associate who is doing this.

I really do not know how you can make that conclusion so easily. I believe that a postal intercept of a genuine replacement card is the most likely explanation purely because I have seen it so many times. New cards are being triggered by the hundreds or thousands every day by impersonators who have enough personal data to report cards lost damaged or stolen with confidence. Sometimes they get asked a security question that trips them up, but very many get through. And unless I am mistaken, if a new card is issued, a new PIN or a PIN reminder is almost always offered. Why do banks do that without calling the cardholder to a branch for more security checks if they can't even remember the PIN to the card they are so anxious to replace ? - it seems crazy but again I have experienced it. I am very cynical about the reasoning. Remember turnover of other people's money is the principle aim behind all banking. I simply don't think they are particularly fussy about how it is created. If they launder money they can be prosecuted. If fraudsters create an average year's worth of turnover on your account in a few transactions across a short period, then the bank can just say "it's something we just have to endure". As I have already said, the "cost" of fraud for which JuicyJesus would have us believe the bank pays handsomely, is just shifted on to the customer. Card fraud is so rife that the banks can plot it far more easily than LIBOR. You don't read much about it because banks don't want us to think about it.

If we did, we might ask ourselves how banks might be able to increase profits by managing/manipulating card security in new ways and trust me, they will not be thinking "we need a new way to cut down card fraud so our customers are not inconvenienced/worried".

Call me cynical if you like - I've seen how they work.

MPH80

TurnUpForTheBooks wrote: »

I really do not know how you can make that conclusion so easily.

Simple - it's the easiest, simplest and most likely solution.

In order for the fraudster to order a second card they would have to a) Call in pretending to be the OP, b) have enough personal details to pass the security check, c) be able to intercept the card and d) be able to intercept the pin.

I see four options for someone like that - a postal official, someone working for the bank, a neighbour or a someone living in the same house. There is also the possibility of a fraudster deciding to wait outside the OP's house to collect the post day after day.

The alternative is that someone went to the trouble of having this new card AND pin (which no one has suggested except yourself) delivered to the branch - which would indicate that they went to the trouble of creating fake ID in the OPs name ...

They then follow a truly random methodology for a fraudster in withdrawing small amounts regularly rather than simply draining the account in one go and walking off.

So for a fraudster to go to all that trouble for £100 would astound me when the simpler option would have been to drain and run.

I'm only crediting the fraudster with £100 because they didn't know it wouldn't be spotted the next day and all cards stopped. So if it was a fraudster they got away lucky with an additional £225 (when you account for the £25 in Wickes).

On the other hand - someone the OP knows ... already has seen their PIN having been out with them at the bank ... simply swipes the card because they've got money trouble or whatever, withdraws the cash and puts the card back promising themselves they'll give the OP the money back soon 'once they get paid'. Unfortunately that person continues to be in trouble and can't stop themselves now.

KISS.

It's also worth noting that card fraud has been actively tracked for years ... http://www.theukcardsassociation.org.uk/plastic_fraud_figures/index.asp

You can see it's running at about 60% of the peak prior to Chip and Pin introduction - you can also see how the fraud has changed tactic over that time.

You'll also note how UK cash machine fraud has fallen year on year since 2008 as the machines were being converted over to chip and pin.