Credit card verification and Skrill.com

br1anstorm

I have just had a deeply worrying experience when making an online order using a credit card. My concern is over the behaviour of the "payment processing" company involved, called Skrill.

I had never heard of them, but have since done some research. Skrill is apparently UK-based, supervised by the FCA and the successor to a company called Moneybookers. In simple terms it appears to be similar to PayPal and WorldPay.

I had sought to place an online order for some car spare parts with a company in Germany called SDC Parts - which is [later edit: appeared to be....] a genuine retailer with a legitimate, secure website (I did all the usual checks....). The value of the items was about 36 Euros including delivery.

At the final stage of the checkout process after I had provided my NatWest Visa card details and delivery address, a screen appeared saying that the card needed to be verified, and flashed up the familiar 'Verified by Visa' and 'Mastercard Secure' logos. The screen then displayed a QR code which I was supposed to scan with mobile phone. Not having a mobile I could not proceed, so I took the advice on the website's FAQ and sought to arrange clearance "manually" using their online Chat facility.

The outcome of a lengthy chat conversation was that the firm would seek to process the payment; this would trigger a request for a one-time authorisation code which NatWest Visa would send me by phone; I should relay that to the retailer; and the order would then be processed.

I tried that. An automatic voice-message phone call came from NatWest Visa with a code. I passed it on. The retailer said it had failed and the payment had not gone through.

I then spoke on the phone to NatWest Visa and chatted further online with the car-spares retailer. This revealed a complex picture:

• the retailer was using a company called Skrill (aka Skrill.com) as their payment processor;
• the payment authorisation request had been transmitted from the retailer via Skrill to NatWest Visa;
• NatWest Visa's monitoring system had flagged up the payment request as suspicious - principally because (they said) Skrill was flagged as a potential scam risk, and was used mainly for online gambling!
• In addition, although my order-value was some 36 Euros, Skrill had sought authority to charge 200 Euros!
• when I outlined all this to the retailer via online chat, their response was that Skrill was their long-established payments-processor, and that Skrill operated a "hold and release" arrangement where they claimed 200 Euros payment, then processed the order value, then released the held amount...

This seemed an odd way to handle a card-verification process. It seemed a bit like the practice of car-hire companies which take, or block, an amount on a credit card on a pending basis and then charge the actual sum due at the end of the hire period.

So I explained to NatWest Visa that the order was for 36 Euros; I was placing only one order for a single item; if there was a hold and release system, then the amount actually charged should be only some 36 Euros. They advised that I should ask the retailer to try again to process the payment, and it should go through.

The retailer then tried again. Again it failed. At that point I told the retailer that in view of these difficulties I did not wish to proceed with the order. We agreed that it would be cancelled.

I have since spoken several times further to NatWest Visa, including their fraud team. In the course of this they said that within a very short period there had been no less than 13 payments to Skrill "authorised" from my card account - each one apparently for 200 Euros - which seems bizarre, not least as the total amount would significantly exceed the limit on the card account!

I have of course agreed with NatWest Visa to block my card, and have told them that multiple payments to Skrill are - or would be - improper.

It remains unclear whether this reflects simple inefficiency in the systems operated by Skrill and NatWest Visa, in that each attempt by the retailer to process the payment generated a new 'holding' debit of 200 Euros against my card. Or it might be more sinister and fraudulent action by Skrill to take a much larger cumulative amount from my account.

Either way, it is surprising that NatWest Visa - having been explicitly told that I was making a single order for a specific amount from a named retailer - should have permitted those charges.

I hope inefficiency is the explanation. But I cannot be certain. Either way, the behaviour of Skrill as the payment processor or intermediary is deeply disturbing.

NatWest Visa have noted all the details and agreed that the multiple charging pattern is improper, that no order has been placed, and they have 'returned' the money to my card account.

But they have said that apparently there is still a possibility that Skrill will seek to take that money within the next 3-15 days .... and that neither they, nor I, can take any further precautions other than to monitor the activity on my blocked card account to see if any of the amounts charged are actually taken.

This has been an alarming experience. I have since seen extensive online reviews and comments about Skrill (eg on TrustPilot) which reinforce the impression that the company's behaviour is - at best - highly dubious.

Although I have spoken in detail to NatWest Visa, I am left wondering whether - if it transpires that Skrill does take any money from my card account - what recourse do I have, and what further remedial or recovery action might I then be able to take?

[Deleted User]

You would simply ask the bank to do a chargeback.

eco_warrior

Mightn’t be a simple chargeback though, but yes.

Fingerbobs

The only places I've ever seen Skrill mentioned are on gambling web sites, where it's often listed as a method of depositing money into your gambling account. I've never seen it in any other context.

Chino

Fingerbobs wrote: »

I've never seen it in any other context.

Thank you for your helpful insight.

br1anstorm

I need to add some follow up to my original post, with an additional warning.

I noted in my OP that the online retailer in Germany evidently used Skrill as an intermediary (supposedly in the same way as PayPal and WorldPay) although this is not explained on their website.

According to their website order form, they rely on verification of card-transactions either by inviting the customer to scan a QR code, download a mobile app, and 'verify' the payment using the app; or by getting the customer to obtain a one-time code from the card provider and providing that to the retailer via their online chat facility.

I opted for the latter, obtained a code, but it did not work and the payment was not authorised or processed. Nevertheless - as already explained - my card account was almost immediately hit by a series of charges from Skrill made within a matter of minutes, each for over £200: a total debit of over £2000.

This rang alarm bells and resulted in NatWest Visa blocking my card and agreeing to take action to recover any money improperly taken. My card has been cancelled, and I have been assured that action is in hand and I will not suffer any loss from these unjustified charges. But I don't know how long that might take to resolve.

Meanwhile my brother - aiming to be helpful - made a separate attempt to use his (different) credit card to place an order for that 36-euro car spare part with the same German retailer. Bad move!

He opted to verify the payment by downloading the app offered on the retailer's website and verifying the transaction that way. It didn't work. So he did not (could not) complete the order.

However..... you've guessed. Two days later, he found his card account had been hit by a series of 17 different charges from Skrill, each for between £200 and £300 - total around £4,000.

He instantly contacted his card provider (Santander). The story gets worse. The bank claimed they had sent him a text seeking confirmation that the charge by Skrill was acceptable, and they claim that they got a response saying Yes.

My brother received no text message, and sent no such reply.

He has since discovered that the text facility on his (Samsung) mobile had been hijacked or infected - undoubtedly by the app he downloaded from the retailer's website. He was unable to send or receive any texts, and had lost all his contacts/addressbook details. Attempts to uninstall the app failed, until he removed the SIM and the battery, rebooted and reconfigured the phone, and ran McAfee security programmes to remove the malware.

This evidence suggests pretty clearly that the malware app intercepted whatever text(s) the bank sent to him and - presumably - sent an automatic reply to the text, saying in effect 'Yes, authorised'.

A complex and elaborate scam in which (it now seems) both the German retailer and Skrill as the supposed payment-processor are implicated. Naturally my brother deeply regrets choosing to download the mobile app. It's worth noting that the retailer's web pages all appear to be secure and have the "https://" address-designation.

So now we both wait to see whether our respective card providers can untangle this and recover, chargeback or refund the significant amounts of money that Skrill has sucked out of our accounts.

This also leaves the question of to whom - and how - to report what looks very like a deliberate and sophisticated fraud. The banks are notoriously reluctant to discuss what measures they might take in such cases. Skrill is registered with the FCA, but the FCA does not deal with complaints. The retailer is a German firm. And the mobile phone app malware aspect is more of a technical than a financial crime.

Do we go straight to the police and contact Action Fraud?

18cc

You go to your card provider and keep it simple - basically there are number of charges against your card that you did not authorise and are fraudulent.

You should give some time to investigate but if they do not refund then raise a formal complaint with them and give them 8 weeks to respond

if again it is still negative then you go to the FCA clearly you did not authorise these transactions and therefore you should be covered

As an aside I would recommend that you do not try a third time to test the system

br1anstorm

Thanks 18cc, that's helpful advice.

You can be absolutely certain that we won't be trying or testing this out any further....

Just for the record, in case this does become messy, I have followed up the various phone calls to the NatWestVisa customer centre and anti-fraud team with a formal written letter setting out the details of our concerns and seeking confirmation that they are investigating and taking corrective action. I know banks are unlikely to say what their investigations might reveal; but at the very least I need to ensure that they don't look to me to pay charges which are fraudulent.

We are keeping our fingers crossed. My next monthly credit card bill is due in about a week. I shall look at it extremely closely!

br1anstorm

I have been in regular contact with my card provider about the unauthorised and fraudulent charges made by Skrill against my account.

The good news is that they have recognised that the charges were a scam and have removed the unauthorised charges from my account (which has also been closed to avoid the risk of any further attacks). I hope and assume that they will be aiming under the chargeback procedure to recover any money paid out to Skrill.

The interesting news is that I have now discovered that the online retailer website in Germany (https://sdcparts.de) from which I originally tried to order an item is in fact a sophisticated counterfeit phishing site. The site is used to harvest credit card details via an online order form. These details are then passed to Skrill which seeks to seek to extract money from the card accounts.

The online retailer site shows as secure (has https: address and padlock). Online checks confirm the IP address and domain-registration of the site and its host servers. The contact and company information details published on the site are genuine: they give the address and company VAT registration of a real company in Koln, Germany. But it is now evident that the entire site is fake, and that the details of a genuine company have been hijacked or cloned in order to make the site appear legitimate.

Further research in the last few days has also revealed that the site's hyperlink address now redirects to another website designed and configured in exactly the same way, but with a different address (https://sunparts24.com) and with details of a different - but genuine - company in Giessen, Germany shown as the owner/proprietor. So that company, too, has had its details used to give apparent legitimacy to a criminal website.

All the detailed information has now been submitted to Action Fraud and the FCA, as this is clearly a complex criminal phishing and card-fraud setup. For all I know there may be multiple other similar fake websites, each one purporting to be secure and showing the ownership/contact details of a genuine company.

My immediate priority is to ensure that my own card account is not scammed and that the card-provider protects it from unauthorised debits. But the bigger issue beyond that is the relationship between Skrill (the "payment processor" taking the money) and the fake websites which phish the card details. I hope that the card companies and cyber-crime investigators will pursue that...

Meanwhile, an alarming reminder of the need for care: even secure https websites, and checks that the stated retailer/owner is genuine, cannot be relied on.

Chino

br1anstorm wrote: »

the online retailer website in Germany (https://sdcparts.de) from which I originally tried to order an item is in fact a sophisticated counterfeit phishing site. The site is used to harvest credit card details via an online order form. These details are then passed to Skrill which seeks to seek to extract money from the card accounts.

In other words, Skrill is just as much a victim in all this as you are. Skrill will not be attempting to "extract money from the card accounts" so much as passing on the retailer's requests for payment to the card issuer.

br1anstorm

Chino wrote: »

In other words, Skrill is just as much a victim in all this as you are. Skrill will not be attempting to "extract money from the card accounts" so much as passing on the retailer's requests for payment to the card issuer.

Er, only up to a point, your honour. Skrill has a responsibility to carry out due diligence. It is acting as agent for, or on behalf of, the "retailer" which is seeking payment. It is an active party to the transaction, not a passive channel simply for passing messages.

So Skrill has to ensure, not least in order to protect itself and its reputation, that those who are asking it to collect payments are indeed legitimate and genuine traders or businesses.

There has to be some form of business arrangement or contract between those two parties (the 'retailer' and Skrill) - not least because Skrill presumably expects or is paid a commission for its involvement in handling or processing the payment(s).

The situation is comparable to the role of banks - which have to make checks to ensure that they are not opening accounts for criminals and money-launderers. So they have to do due diligence on ID etc before setting up an account to enable the deposit or payment of money. The process is not always 100% watertight, but the principle is clear

In this case, Skrill are accessories to, as well as perhaps victims of, attempted fraud.