Debit Card Fraud

Qyburn

Hi,

Both of us have a couple of current accounts that are not regularly used, set up and retained because they are or were a requirement for related savings accounts, or because there were promotions. Both of us have suffered debit card fraud related to these, mine was a one-off taken from Nationwide and the missus was a recurring Amazon subscription taken from TSB.

In both cases the money was refunded with very little formality by either of the banks.

However what concerns me is how these would have come about. Neither of the two debit cards have ever left the house, and have not been used for any transactions prior to these fraudulent one, or after come to that.  The Nationwide card is needed for their Internet login, the TSB card isn't needed for anything.

So it seems to me that for someone to use our debit card details, they must have learned them from the bank. I can't see how else anyone would get them.

What do people think?

k_man

Qyburn said:

Hi,

Both of us have a couple of current accounts that are not regularly used, set up and retained because they are or were a requirement for related savings accounts, or because there were promotions. Both of us have suffered debit card fraud related to these, mine was a one-off taken from Nationwide and the missus was a recurring Amazon subscription taken from TSB.

In both cases the money was refunded with very little formality by either of the banks.

However what concerns me is how these would have come about. Neither of the two debit cards have ever left the house, and have not been used for any transactions prior to these fraudulent one, or after come to that.  The Nationwide card is needed for their Internet login, the TSB card isn't needed for anything.

So it seems to me that for someone to use our debit card details, they must have learned them from the bank. I can't see how else anyone would get them.

What do people think?

There are algorithms available that generate predicted card numbers.
Fraudsters than try the numbers against weaker payment systems (that don't lock out) to get expiry date.
Then these are used on sites like Amazon, that don't require the CVV number.
This doesn't require insiders at the bank.

My advice would be to Freeze any debit cards you don't use.
Not all banks allow you to do this, but with TSB and Nationwide you can do this in the app.

Qyburn

k_man said:

There are algorithms available that generate predicted card numbers.
Fraudsters than try the numbers against weaker payment systems (that don't lock out) to get expiry date.
Then these are used on sites like Amazon, that don't require the CVV number.

Thanks, I wasn't aware about merchants not needing the CVV.  So they still need name and billing address, or do some not check all of these either?

k_man said:

My advice would be to Freeze any debit cards you don't use.
Not all banks allow you to do this, but with TSB and Nationwide you can do this in the app.

That's good advice I didn't know you could do that. Nationwide cancelled the debit card and sent a new one, but didn't say anything about freezing it.  I'll follow that up with both banks.

MEM62

Qyburn said:

So it seems to me that for someone to use our debit card details, they must have learned them from the bank. I can't see how else anyone would get them.

What do people think?

It is interesting that you think it more likely that the security measures of two separate banks were compromised rather than the details being obtained closer to home.      

penners324

Debit card freezing is done in the app fir these banks

phillw

Qyburn said:
Thanks, I wasn't aware about merchants not needing the CVV.  So they still need name and billing address, or do some not check all of these either?

I'm not convinced there are always robust checks on anything. I've had fraud where the fraudsters even used the wrong expiry date.

I believe amazon are on the hook for fraud because they don't use CVV. I assume there is some financial advantage to them doing so.

Qyburn

MEM62 said:

It is interesting that you think it more likely that the security measures of two separate banks were compromised rather than the details being obtained closer to home.      

That sounds sceptical.  However I can't see how the details were learned from home. The transaction was made 150 miles away and the card stays in the desk drawer at home except when it's needed for an Internet login.

phillw

Qyburn said:
That sounds sceptical.  However I can't see how the details were learned from home. The transaction was made 150 miles away and the card stays in the desk drawer at home except when it's needed for an Internet login.

Did you ever use them in an ATM?

Qyburn

No, as I said those particular cards have never left the house.

MEM62

Qyburn said:

MEM62 said:

It is interesting that you think it more likely that the security measures of two separate banks were compromised rather than the details being obtained closer to home.      

That sounds sceptical.  However I can't see how the details were learned from home. The transaction was made 150 miles away and the card stays in the desk drawer at home except when it's needed for an Internet login.

Not skeptical.  However, it is more likely that the security breach was a friend or family member or an establishment where the card was used.  These are much more likely that then banks systems being compromised, yet there seemed to be the automatic assumption that the banks must be at fault.  

Sensory

MEM62 said:

Qyburn said:

MEM62 said:

It is interesting that you think it more likely that the security measures of two separate banks were compromised rather than the details being obtained closer to home.      

That sounds sceptical.  However I can't see how the details were learned from home. The transaction was made 150 miles away and the card stays in the desk drawer at home except when it's needed for an Internet login.

Not skeptical.  However, it is more likely that the security breach was a friend or family member or an establishment where the card was used.  These are much more likely that then banks systems being compromised, yet there seemed to be the automatic assumption that the banks must be at fault.  

Slamming generated numbers is a practice where the fault lies neither with the bank nor the customer, but with payment systems. I have numerous debit cards that are never used and have never been used, whether physically or online. No one has access to them except me. They are frozen (in apps) where possible. Despite this, one night I suddenly received a flurry of over 20 push notifications within 30 minutes from the NatWest app (not SMS), each one informing me of an attempted transaction that was declined.

When I phoned NatWest's fraud department, they weren't at liberty to describe the precise details of each transaction (to maintain the secrecy of their security measures), but they did confirm the correct CVV was not provided. What they did not tell me was whether the CVV was different (or even present) for each transaction.