Coinbase have taken £1,000 from my partner's bank account (she doesn't have a coinbase account).

phillw

If the authentication was from a text message, there are a lot of mobile phone apps that ask for access to your text messages and any of those could have been used to pass on the code and then delete the text message.

I think the most recent phone operating systems have taken steps to mitigate that, but the majority are not on the most recent.

Sunflower49

Hi all, sorry for late reply-I’ve had a hectic couple of days whilst also being ill, so haven’t got onto the forum.

 

That is interesting @jimjames. I suspect that’s what’s happened here.

 

I’d like to know that too @griizzlegrizzle.  I don’t know anybody with a CB account to my knowledge but I am going to ask on my SM and see, perhaps someone does and wouldn’t mind answering some questions.

@glasgowexpat2 thank you! The investigator are most definitely going to be sent a link to that-Santander do c0ck up like any other institution.

@languid no it isn’t an iPhone, It’s a Samsung Samsung S10 Plus.

@GlasgowExpat2 , not the same sort of situation unfortunately, but still proof that Santander make mistakes and accuse customers of being in the wrong because they cannot get out of their own frame of reference or ‘occums razor’ mentality-these things can and do happen.

 

Thanks @philw, another thing to think about!

 

This is the investigator’s response today. 

Dear Somebody,

 

Thanks a lot for your response. As I mentioned earlier, due to how the payments were authenticated based on the technical evidence, I'm unable to change my opinion. I appreciate you don't have an account with Coinbase, but I know fraudsters can trick you into making payments to their account. You've confirmed this didn't happen, as a result it's difficult for me to see how an unknown third party was able to gain access to your online banking to complete the transactions. The payments were initiated with your card details, but they were approved in the app (additional security layer). I don't see how an unknown third party was able to obtain your login details to complete the transactions in the app.

 

Please let me know by Friday 9 December 2022 if you want me to pass the case to an ombudsman for a final decision.

 

 

 

Kind regards

 

Josephine Bloggs| Investigator | 

languid

OK this makes more sense now. I have had one of these cases this year. It's very difficult to spot. Looking at the age of your partners phone, I imagine its not fully up to date with Androids latest security updates.

Essentially, a seemingly innocent app from the Play Store has been infected with bank and crypto app specific malware. The malware gives remote access and full media access to the victims device. They gather login details, clipboard information and full photo library over a few days. Generally these infected apps come in the form of QR scanners or fitness tracking apps. The device privileges that you have to give some of these apps to work are also useful to fraudsters. Motion detection, camera and file access to name a few.

From my understanding, Santander do have remote access detecting fraud systems. They may have some concerns a few days or even weeks in advance of the payments happening. These apps with their deep level privileges and remote access tacked on, allow a fraudster to play with your partners phone without being seen.

The malware tends to start its remote session when it thinks the device is not in use (ie when the victim is sleeping). So it may know the device hasn't moved in 5-6 hours and is currently being charged.

With the privileges that it has been granted, the fraudsters will start making payments, authorised with the SMS codes that are obviously sent to the phone.

From Santanders perspective, the phone is trusted and in your partners possession at the time the payments were made. Obviously they are unauthorised.

The weight of the fault should be with Coinbase. They have not fulfilled their KYC/AML requirements for the account that has received the money. Card and bank transfers are only supposed to go to a same named account. Your partner is entitled to a DSAR request with Coinbase if they claim the account was in they name. If they refuse the request, you then know it was not in your partners name and their own terms of service have been broken.

It maybe worth going back to Santander, and asking for a back office team to review the claim with 'Alien', 'Hydra', 'Ermac', and and 'Anatsa' malware in mind. Unusual early morning logins to her mobile or internet banking, around 4-6am should be a give away. Anatsa is the version that hit UK banks the most in the past 12 months or so. Most victims I have come across, were impacted by a compromised PDF managing app.

I have added a list below of the overall types of apps impacting some other victims.

• Two Factor Authenticator
• Protection Guard
• QR CreatorScanner
• Master Scanner
• QR Scanner 2021
• QR Scanner
• PDF Document Scanner - Scan to PDF
• PDF Document Scanner
• PDF Document Scanner Free
• CryptoTracker
• Gym and Fitness Trainer

I would probably reset that phone and get it updated. Some education for your partner around apps on the Google Play Store would useful. The apps are not as well reviewed as the Apple App Store. I would strongly suggest, that they take care on what permissions are given to apps in the future.

I hope this helps.

Sunflower49

@languid thank you so much. I have formulated an email and will let the forum know what happens-you evidently are very knowledgeable with this sort of thing, thank you for sharing!

Sunflower49

and I apologise-when I logged in my response was still there in the box, I thought I'd already sent it last week.

Sunflower49

Well I emailed them back giving more detail, including the link about how the bank cannot simply refuse a refund because the customer cannot prove they've not done this themselves, and some of the details @languid included. I've asked that it is esculated. I've since had one back from the investigator asking for details of where partner was (as I've advised we were on a camping trip, they want to know exactly where the campsite is) and whom with. I've told them where we were (I speak in the first person from partner's perspective obviously) and asked why they need details of who she were with, and how much detail, I mean there's a large difference between ' A group of friends' and detailing names, relationships to partner and ages. 

born_again

Well it will to prove that you were there. IP address can be traced & location in some cases.
Also given they will have the details from Coinbase, if they match anyone that was with you, then you can guess the rest.

End of the day, they have the proof they need to decline refund. So you have to provide something that can counter this.

Sunflower49

Thank you @born_again, that makes sense if they can trace IPs of other who were with us. I have detailed that 'I' was with a group of friends, my sister and my partner. They've come back and said that's enough detail for now. I will see what occurs next.

RhondaD

Can't advise specifically but I've had issues with Santander before and they do make mistakes. I defaulted on an overdraft ten years ago and they wrote and told me they would be writing it off and would not be asking for any repayment or starting any collection activity, they then denied sending the letter, set the debt collectors on me and were really rude on the phone. I had proof of the letter and sent it to the ombudsman. The outcome was the ombudsman reprimanded them for clearly misleading me in telling me they were writing the debt off then denying it and ordered them to pay me more in compensation that the actual debt was. Oddly ten years later they have now practically thrown a credit card at me with a £2,000 credit limit.

Sunflower49

an't advise specifically but I've had issues with Santander before and they do make mistakes. I defaulted on an overdraft ten years ago and they wrote and told me they would be writing it off and would not be asking for any repayment or starting any collection activity, they then denied sending the letter, set the debt collectors on me and were really rude on the phone. I had proof of the letter and sent it to the ombudsman. The outcome was the ombudsman reprimanded them for clearly misleading me in telling me they were writing the debt off then denying it and ordered them to pay me more in compensation that the actual debt was. Oddly ten years later they have now practically thrown a credit card at me with a £2,000 credit limit.

Thanks Rhonda.

Well I did as advised and have received a 'Final Decision'. 

They're still saying they will not uphold the complaint. 

I have to state that I disagree by the 7th of March.  See below if you can be bothered reading it!

I am so annoyed for her. 

The response:

Miss X complains that Santander UK Plc won’t refund payments she didn’t make.

What happened Miss X disputes two payments - for £700 and £300 - made from her account on 17 April 2022 at 10:14 and then 10:16am. (These times are incorrect!)

 She was told that these were to a cryptocurrency merchant. And she says she has no account with it and didn’t authorise any payment. She noticed the lack of money in her account a couple of days later and raised a fraud claim.

Santander said it wouldn’t be refunding this money. It said that the payments were authorised using her registered mobile device and with her five-digit security number. It didn’t see any evidence of a compromise of Miss X's details. As the payments had required two factor authentication there’d been no reason to stop them as Miss X had said should have happened. Our investigator didn’t recommend that the complaint be upheld. Miss X had told her that she hadn’t shared her banking security information or phone passcode with anyone. She’d allowed her friend’s children (of three and nine years old) to use the phone to watch a video the day before but was monitoring what they were doing. She was away at the time in this country and to the best of her knowledge at the time was asleep in a tent and the phone was with her in a sleeping compartment.

Santander had shown that the device used to authenticate the payments was the one Miss x had been using. And it said that the IP address was one previously used by Miss B for genuine transactions. The technical information showed that the transactions were made using strong customer authentication in the app through the use of the security number.

 Miss X  hadn’t identified anyway someone could have discovered her details as she’d kept them safe. Our investigator said it wasn’t our role to find exactly what happened but to look at the information available. The merchant had told both Miss X and this service that it didn’t have an account associated with her email. But based on the evidence our investigator concluded that she had authorised the payments which could have involved allowing someone else to use her details. There was no reason for these payments to be flagged as unusual at the time by Santander.

Miss X didn’t agree and wanted her complaint to be reviewed. She said that she had her phone with her at the time.

 Santander hadn’t protected her from this fraud. She hadn’t been able to get information about any account at the merchant these payments had gone to. And thought that it should have matched her name and she didn’t think it had fulfilled regulatory requirements. Here saying what had ‘probably’ happened wasn’t definitive.

Miss B said she thought that her phone had been infected by malware and that Santander ought to have noticed. Miss X had researched some possible apps that could do this but said she’d not used any of them. Miss X said she would take this further if the complaint wasn’t resolved in her favour.

What I’ve decided – and why:

I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. I won’t be able to say exactly what happened and I’m thinking about what is most likely on a balance of probabilities. I need to take into account the Payment Services Regulations 2017 in considering this complaint. These state that a payment can only be authorised if it was consented to. So, it’s not enough for it to be authenticated. And if they weren’t authorised Miss X wouldn’t generally be responsible for them. Where credit is involved, as is mainly the case here as an overdraft of over £900 resulted from the payments, the Consumer Credit Act 1974 applies to that element of the dispute. And it states that a consumer wouldn’t be liable for an unauthorised payment unless they consented to someone else having possession of the payment method.

So, I will be thinking about the following areas in looking at this complaint:-What is the most likely explanation of what happened to the card and security details used for these payments?-Did Miss X authorise the payments on the account as Santander says?-Did Santander act reasonably? I’ve considered the information Santander has provided about these payments. This required Miss X’s card details including the three-digit card verification number. And in addition, I can clearly see that the payments were authenticated in the app. T

his was using the registered mobile device on the account. And as Santander explained an IP address that had been used before. I’m satisfied that the payments were authenticated.I need to decide whether Miss X consented to the payments and so authorised them. I’m going to think first about the explanation she’s provided. And she’s referred to the possibility that her mobile phone was somehow taken over by malware and that the IP address used could be altered or masked. Her position is that this can effectively be inferred from the nature of the payments. And from the lack of matching information from the merchant. There is no actual evidence to show that her phone was infected and so used remotely in this way. Miss X didn’t identify any malware and hasn’t described any other issues with her information being used.

Miss X was asked about any suspicious texts or emails that she’d responded to and said she hadn’t. And she doesn’t believe that the children who had access to her phone the day before could have been responsible especially given what they were doing was being monitored and their ages.

Miss X also says she hasn’t provided her security information to anyone else, and her phone was in her possession. It seems difficult to see that the phone could be taken and replaced given where she says it was at the time. Sometimes there are cases where a consumer is scammed into making payments in this way linked to expected cryptocurrency gains. But based on what Miss X  has clearly said that’s not a possibility here. Miss X is unhappy at the lack of information from the merchant. Santander took the view that there was no prospect of a successful chargeback given the way the payments were authenticated. I think that’s likely right here. And so, investigating these payments any further would be a matter for Miss X to pursue with the relevant authorities - especially given what she’s said about her unsuccessful contact with the merchant.

I don’t see a specific requirement that there is a name match on any account money was paid to with a card payment as far as Santander is concerned. And I’m looking in this complaint at what Santander did. I note Miss X’s point that what is most likely isn’t a finding about what definitely happened.

But the latter isn’t the basis on which we make assessments. What I need to think about is how the balance of evidence including her testimony supports any particular possibility. And having done so I’m afraid I find that in the absence of evidence of compromise of her details the most likely explanation is that the payments were authorised. Given that finding the issue of whether these payments should have triggered a warning or been blocked by Santander is of less relevance. It’s explained that they didn’t because of the way they were authenticated. And overall, in light of my findings I consider it was reasonable for it to hold Miss X responsible for the payments. I know Miss X will be very disappointed given what’s at stake for her, but I don’t have a basis to require Santander to do anything further. If Miss X doesn’t accept my decision she remains free to pursue this in court subject to any relevant time limit.