We'd like to remind Forumites to please avoid political debate on the Forum. This is to keep it a safe and useful space for MoneySaving discussions. Threads that are - or become - political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
Fraudulent transactions

faqinel
Posts: 8 Forumite
So I have just been notified of fraudulant activity on my Santander account. Amongst which was a £300 transaction to Novigroup Ltd. Whilst Santander said that one payment had been stopped an earlier one had gone through and would be reported to Santander's fraud team. Whilst I am expecting this process to find in my favour and the money to be refunded Santander could not tell me much about the transaction other than it was an online payment. They could not say what data was processed to authenticate the transaction, such as Name, Address, 3 digit code, verified by Visa, OTP. This is information that I require to be able to ascertain if and where my own data could have been compromised and what further steps I need to take to other than requesting a new card.
It also raises the question of who sets the standard when it comes to processing any transaction, be it online, over the counter or by telephone. Can the retailer say "who cares, card number and three digits will do" or is it the Bank or Visa that set a minimum authentication requirement to process £300 from ones account.
From my experience online payments seem to be processed differently dependant on the retailer, the amount and who your card issuer is.
But returning to my first point can anyone recommend who I should approach to find out more detail about the transaction. It would appear that the Novigroup, Santander, Visa and the card processor (not sure who this is at the moment) would all potentially hold some or all data pertinent to the processing. Should this be a GDPR request or some other request under FCA guidelines?
Any advice greatly appreciated.
It also raises the question of who sets the standard when it comes to processing any transaction, be it online, over the counter or by telephone. Can the retailer say "who cares, card number and three digits will do" or is it the Bank or Visa that set a minimum authentication requirement to process £300 from ones account.
From my experience online payments seem to be processed differently dependant on the retailer, the amount and who your card issuer is.
But returning to my first point can anyone recommend who I should approach to find out more detail about the transaction. It would appear that the Novigroup, Santander, Visa and the card processor (not sure who this is at the moment) would all potentially hold some or all data pertinent to the processing. Should this be a GDPR request or some other request under FCA guidelines?
Any advice greatly appreciated.
0
Comments
-
Santander should be able to tell you what sort of business Novigroup is from the transaction data they received. They should also be able to access the full suite of transaction data, and that of any auth. request that might have preceded it. They also have the capability to contact the retailer's processor for more information. The problem is finding the right contact within Santander to do this for you.
A quick Google search could give a useful indication of who Novigroup might be. It looks likely to be an internet gaming/gambling company.
I suppose, a retailer could, in theory, put a transaction through to a card using just the card number. However, that would require them to have a system that allowed them to bypass the sort of things that would normally be built in to most POS systems - e.g. generating an auth request, providing Exp. date info, CVV2/CVC2, Address data etc.0 -
You won't be able to find out where your details were compromised, it could have been anywhere at any time. If you've been refunded I would just leave it there. As above, a simple Google shows Novigroup to be a gambling company.0
-
Ask Santander Fraud team when you speak to them. They will be best placed to answer your questions. Rather than the front line you have spoken to.
No need for GDPR etc.
To put your mind at rest. This type of fraud is very common and there is nothing you can do to stop it.
Terry got it spot on on the gambling.
https://secure.gamblingcommission.gov.uk/PublicRegister/Search/Detail/39440Life in the slow lane0 -
I doubt that any bank would provide details of how a fraud was carried out. It would compromise their security.
If you don't recognise a transaction, inform Santander and request a chargeback as I assume the transaction was made by visa debit card..0 -
Hi Mr Towelling - I had already gleaned that they are an online gambling business but not whether it is their UK or Greek operation and Santander did reveal that it was an online transaction but could say nothing else. This was mostly down to the poor teleworker not having access to such detail rather than a grand conspiracy. I did apologise for putting her through the third degree.
Meer53 - I know I cannot determine where my data was compromised but whether they just used card details or went through additional authentication like Verified by VISA is relevent. VbV would indicate that one of my PC's has been compromised whereas card details would most likely point to some online retailer.
Just to note my card details are held in a portable copy of Keepass with an 18 digit random password. Keepass itself is contained in an encrypted zip file again with an 18 digit random password. All online purchases are through an encrypted VPN tunnel though a sandboxed web browser. I work in IT, so whilst I am by no means an expert in network security I do have a high degree of paranoia.
I have not been refunded yet but am hopeful. Whilst I understand your sentiment I'm afraid I cannot 'just leave it there'. It has piqued my interest in just how these bloody transactions are authorised and by whom. It is also ironic that I have to struggle through many layers of authentication just to speak to my bank or have to make a 60 mile round trip to the nearest branch whilst the average fraudster can skip through p**s poor security. Also we all end up paying for these cases of fraud, so despite the likely outcome of my feeble efforts being that of a battle between a mouse and an elephant, I will persist some more.
born again - I will speak to the fraud team on Monday otherwise it will be GDPR and a 28 day wait. Yes I know it is common I see the results of it every day. I have also seen a recent spike over the last few weeks. A data breach from some online database?0 -
How does it compromise their security? And in this era of GDPR can they refuse?0
-
How does it compromise their security? And in this era of GDPR can they refuse?
This does of course raise the usual question of how the fraudsters would have got their hands on any winnings from this gambling activity as any winnings would have been paid to the debit card used and back into your own bank account.Just to note my card details are held in a portable copy of Keepass with an 18 digit random password. Keepass itself is contained in an encrypted zip file again with an 18 digit random password. All online purchases are through an encrypted VPN tunnel though a sandboxed web browser.0 -
I had already gleaned that they are an online gambling business but not whether it is their UK or Greek operation
Also, although not an absolute indication of where the business might be located, if your transaction was processed in Sterling (as the Transaction Currency) that might indicate it to be from their UK operation.0 -
Its incredibly unlikely your PC has been compromised because if it was there would be more than one £300 betting transaction against a single credit card.
Its similarly incredibly unlikely verified by visa has been compromised because again, if it was there would be more than one £300 betting transaction against a single credit card.
Your precautions are somewhat OTT since as you've experienced, p*** poor practices elsewhere most likely a compromised retailer (online or b&m?) , dont really protect you against the immediate impact of cc fraud even if you'll not suffer financial loss.
I used to tag many of the email addresses i used as retailers_name@mydomain and its scary how much spam comes via that route.0 -
I would not be requesting as the 'victim' of a crime. Although at this moment in time, until such time as i am reimbursed, I most definately am as I am currently £300 down. My request will be under GDPR article 15 for data held pertinent to the two transactions made against my account via my card. If such personal data is held then can they refuse to release it?0
This discussion has been closed.
Confirm your email address to Create Threads and Reply

Categories
- All Categories
- 348.2K Banking & Borrowing
- 252.1K Reduce Debt & Boost Income
- 452.4K Spending & Discounts
- 240.8K Work, Benefits & Business
- 617.1K Mortgages, Homes & Bills
- 175.6K Life & Family
- 254K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 15.1K Coronavirus Support Boards