Nat West say "Device ID" proves I'm a fraudster?

waveyjane

My debit card was used to make fraudulent purchases on Sainsbury's online groceries over a two week period last month. My bank (NatWest) says that I was responsible for these because Sainsbury's showed the device ID was the same for these transactions as for other legitimate transactions I made elsewhere online.

Do merchants pass on a "device ID" to the banks as part of online purchases? Does anyone know if I have to simply take their word for it or do they need to supply proof?

I've written to Sainsbury's asking them to give me any further information about those transactions (eg times of day, delivery information) so it's just possible that if I can prove I wasn't at my computer on those dates/times, but this is awful! £750!! :eek:

---

Thinking about this a bit more: they are in effect saying I'm a fraudster because I made the purchases. If so, then why don't they arrest me?

cloud_dog

waveyjane wrote: »

My debit card was used to make fraudulent purchases on Sainsbury's online groceries over a two week period last month. My bank (NatWest) says that I was responsible for these because Sainsbury's showed the device ID was the same for these transactions as for other legitimate transactions I made elsewhere online.

Do merchants pass on a "device ID" to the banks as part of online purchases? Does anyone know if I have to simply take their word for it or do they need to supply proof?

I've written to Sainsbury's asking them to give me any further information about those transactions (eg times of day, delivery information) so it's just possible that if I can prove I wasn't at my computer on those dates/times, but this is awful! £750!! :eek:

So, if it was done onlie, was it delivered to an address?

18cc

Device ID is usually related to a smartphone ie not a desktop. They are saying probably that the purchases were made on a smartphone (their app?) and that this exact same smartphone had been used before by you to make genuine purchases. The device id is an excellent indication of what smartphone is being used with an app.

You can google 'how do I find my device id' for instructions how to find the device id for your phone (assuming you have one). You can then ask Natwest if it matches the one they have for the purchases.

It is strange because Sainsburys groceries are not the first thing that springs to mind when thinking of what a purchaser would buy. As above, I would check with Sainsbury where they were delivered.

colsten

18cc wrote: »

Device ID is usually related to a smartphone ie not a desktop.

PCs have MAC addresses (as have other pieces of hardware, e.g. your Network Adapter) that can be transmitted by the browser you use. I think people do generically refer to them as device ID.

Don80

18cc wrote: »

It is strange because Sainsburys groceries are not the first thing that springs to mind when thinking of what a purchaser would buy. As above, I would check with Sainsbury where they were delivered.

One of my colleagues had her contactless debit card stolen on a night out - they managed to get nearly £90 of alcohol at Sainsbury's, Tesco, Aldi and an off licence before the terminal asked for chip and pin. The bank did refund her the money and cancelled her card the next morning after she noticed her card was missing. She found out when she called to report the card lost.

waveyjane

I note that Sainsbury's online do click and collect. So I suspect the fraudster simply went in person to collect the goods. You would hope that they'd need to present the card to claim the goods though - but maybe not.

I have never used my mobile for shopping online, don't have the Sainsbury's app, and have a Sainsbury's literally 5mins walk away so have no need for deliveries.

Right now, I am very suspicious of NatWest's claim that they know about this device ID. They said they would write me a letter, so when I get that I'll see if I can take it further, particularly if Sainsbury's can tell me anything about the transactions.

waveyjane

PCs have MAC addresses (as have other pieces of hardware, e.g. your Network Adapter) that can be transmitted by the browser

Not according to this:
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

If MAC addresses were visible over HTTP, then cookies wouldn't be needed!

EDIT: Yup - MAC addresses aren't transmitted over the public Internet:

https://stackoverflow.com/questions/3309122/how-can-i-get-a-mac-address-from-an-http-request

unforeseen

Or more precisely your MAC address stops at your router. Your router passes on the packet to the first of the public routers in the path. That router then uses its MAC address to pass it on etc.

What the distant end will see is the MAC address of the last router before their network and that is possibly why they are claiming the same 'device ID'

colsten

When you use the Sainsbury's website to place an order, they have plenty of opportunity to capture all sorts of information from your browser and PC, including MAC address, IP address, location etc etc

Who else has access to your PC and other devices? If you use a PC, have you scanned it for Malware? Have you changed your passwords since these transaction were made?

londoninvestor

colsten wrote: »

When you use the Sainsbury's website to place an order, they have plenty of opportunity to capture all sorts of information from your browser and PC, including MAC address, IP address, location etc etc

As others have said, browsers don't have access to the MAC address. Inferences can be made though from browser fingerprinting.

waveyjane

Who else has access to your PC and other devices? If you use a PC, have you scanned it for Malware? Have you changed your passwords since these transaction were made?

Nobody else knows my password to my machine, and I most certainly don't keep my card details on my computer.

And in any case, I find it highly unlikely a fraudster would take the immense trouble of somehow using my machine remotely (having stolen my card details) to ensure the same "Device ID"? What do they care whether I get refunded or not?

I can run a virus check I suppose...