Barclays Fraud / GDPR breach

TheBanker

The first thing to remember is that there hasn't been a 'ruling'. The adjudicator has set out that they believe would be a fair and reasonable resolution to the complaint, but it's not binding on anybody. It is a bit naughty to submit evidence at this stage, but until an Ombudsman has issued a written final decision, nothing is binding.

I don't understand why you asked for an extension if you were happy with the adjudicator's proposals, though? Having done so, it's not really unreasonable for the bank to use the extended time to submit further detail. 

However, it all goes back to the original point, which is whether you or the joint account holder authorised the disputed transactions (or were grossly negligent with your cards/PINs/security details). Have Barclays addressed this within the additional evidence they've provided?

born_again

If Barclays are offering a extra £500 & you are back where you should have been prior to the fraud. I would take it. Draw a line under the matter.
Given the amount of time spent dealing with this.

Sounds like rep dealing with this at the start simply wrote the fraud off, when they should not have. Leading to more issues. Rep will be getting a kick up the backside & retraining for this. As B will hate to have lost the chance to claim the money back, & where this has ended up costing them so much time & further lost ££ due to a complaint, which they will have had to pay for & the money they are having to pay out to you.

HiggiHiggins

The first thing to remember is that there hasn't been a 'ruling'. The adjudicator has set out that they believe would be a fair and reasonable resolution to the complaint, but it's not binding on anybody. It is a bit naughty to submit evidence at this stage, but until an Ombudsman has issued a written final decision, nothing is binding.
appreciate that yes

I don't understand why you asked for an extension if you were happy with the adjudicator's proposals, though? Having done so, it's not really unreasonable for the bank to use the extended time to submit further detail. 

we just wanted to be sure before accepting anything I guess. The extension wasn’t to submit further detail, they had already missed this deadline that they requested, this extension was to either accept or reject his views and refer to an ombudsman if not. 

However, it all goes back to the original point, which is whether you or the joint account holder authorised the disputed transactions (or were grossly negligent with your cards/PINs/security details). Have Barclays addressed this within the additional evidence they've provided?
he’s said b have provided information which they say they should have been provided much earlier.

they provide evidence which explains why they believe the transactions were authorised. They’ve provided evidence that show IP addresses match undisputed payments (2 IP addresses). Also evidence that SOME of the disputed payments were authorised on the online banking app.

he’s asked me to confirm if my device is an iPhone 13 Pro max, if anyone else has access, is it protected and how (bio/passcode/both), anyone else have access to online banking, anyone have access to passcode for app, usual method for logging into online bank.

some of these payments are over 12 months old now and I’m not 100% sure what was the device at the time as I was out of contract and between upgrades but I’m sure it was used at some point that model, I don’t want to say anything that’s going to cause any issue. I don’t believe that everything b produce is genuine, I mean in any transaction dispute this info they have now would not take months to arrive surely. 

If the onus is on them to prove I authorised transactions rather than me proving I didn’t then what can I produce to show my Argument? Ultimately these merchants do no exist on Google, I’ve never bought anything in USD or from Mexico, Azerbaijan or anywhere else similar, the companies have provided no receipt or goods services I’d have used,  I’ve no reason to use primeclick safari in Nigeria and have no history of any similar purchase and so I would have absolutely no reason to authorise any payment to any of these. Given there were 90+ payments, all in USD and times when 5-10 were made in the same day and 2/3 for the same amount within a short space of time, would b not have reason to suspect these and contact the consumer to validate. If they had done this after the 5th transaction let’s say, we would have confirmed we knew nothing about these and haven’t authorised and they would have been stopped 

……..

HiggiHiggins

born_again said:

If Barclays are offering a extra £500 & you are back where you should have been prior to the fraud. I would take it. Draw a line under the matter.
Given the amount of time spent dealing with this.

he said b have declined to change their position. I’m not 100% clear but I think the £500 distress and inconvenience payment is a standalone offer. I read it as not refunding the £2000 outstanding, or 8% interest or £500 compensation suggested. Neither does it include the reworking of credit files etc for us. I literally think the £500 is something they have agreed to pay (his wording)

Sounds like rep dealing with this at the start simply wrote the fraud off, when they should not have. Leading to more issues. Rep will be getting a kick up the backside & retraining for this. As B will hate to have lost the chance to claim the money back, & where this has ended up costing them so much time & further lost ££ due to a complaint, which they will have had to pay for & the money they are having to pay out to you.
certainly appears the story yes, I mean why he would just do that with 1 of 3 cases and not them all as linked is beyond me. Whether this is an elaborate excuse I’m not convinced, I’d expect documented training and it to be a reasonably new agent to make a mistake of this magnitude as procedure wise they can’t have been anywhere close to following. And he would also have had to have done all this after not having received the signed authority form from me allowing him to work on the case and discuss it all with the merchants. 

B seem to want to blame agent error for this rather than it being an employee of theirs who is trained and monitored by them and makes decisions on behalf of the company, ultimately the mistake falls on Barclays and it’s their responsibility. 

If these merchants are as google suggested, involved in money laundering and criminal activities and these transactions have been missed by B then it’s a bigger issue. I don’t know where the funds went to, who they went to and the legitimacy of it all and by the sound of it neither do they. 

But yes it’s cost them a massive amount in the original payment £1000, and time spent dealing with this for 10 months now, it must be well into 5 figures.

…………………….

TheBanker

Rw your last post- stop focusing on the transactions that have already been refunded, even if this was an error. You need to focus on the ones not refunded.

You need to look at the evidence Barclays have supplied, and address it as you have above. Obviously your memory will have faded given the passage of time, but anything you can provide will help. 

MattMattMattUK

HiggiHiggins said:

If the onus is on them to prove I authorised transactions rather than me proving I didn’t then what can I produce to show my Argument? Ultimately these merchants do no exist on Google, I’ve never bought anything in USD or from Mexico, Azerbaijan or anywhere else similar, the companies have provided no receipt or goods services I’d have used,  I’ve no reason to use primeclick safari in Nigeria and have no history of any similar purchase and so I would have absolutely no reason to authorise any payment to any of these. Given there were 90+ payments, all in USD and times when 5-10 were made in the same day and 2/3 for the same amount within a short space of time, would b not have reason to suspect these and contact the consumer to validate. If they had done this after the 5th transaction let’s say, we would have confirmed we knew nothing about these and haven’t authorised and they would have been stopped 

They do not need to prove that you authorised the transactions, they need to prove that you either authorised the transactions or you were negligent in your security measures and/or allowed your devices to be compromised. It does not matter that you never directly bought anything in USD or from Uzbekistan, if you authorised the transactions then that is enough, just the same as if you allowed your account to be compromised, that absolves them of liability. 

HiggiHiggins

MattMattMattUK said:

They do not need to prove that you authorised the transactions, they need to prove that you either authorised the transactions or you were negligent in your security measures and/or allowed your devices to be compromised. It does not matter that you never directly bought anything in USD or from Uzbekistan, if you authorised the transactions then that is enough, just the same as if you allowed your account to be compromised, that absolves them of liability. 

Thanks Matt, sorry yes I understand that too. I guess from my point then there’s a number of payments been made from the account which I know nothing about. 

At the point I found them I reported them as unauthorised, I don’t know the company’s and have no reason to pay them, I wouldn’t authorise payments to them. 

The app is on my mobile and B use a numeric code to login ( not alphanumeric like other banks ) and the code to log on to the bank was the same as the phone login if bio login failed. 

Access wise obviously children partner etc have the code but have no reason to access the app. I work in an office and it’s possible that colleagues may know the code for the phone but again I don’t believe anyone would login.
at some point last year my phone went for a new screen, when I picked it up it had reset and so via their laptop it was restored and all apps appeared. From memory the banking apps needed something addition before I could log back in as security measure I think. That was B, sant and possibly hali tho that needed that doing. May not be related but that was the only anomaly from around that time. 

So in a nutshell, did I authorise them? No. Was I negligent? No (the adjudicator had already stated this in his initial findings although this was prior to whatever B have sent). Have I allowed my device to be compromised? No - the device and app are password protected and I have given no one else the details to log on.

I can’t really prove anything beyond that so I’m a little concerned particularly when B only now managed to find and produce this “evidence” and their honesty hasn’t been all that great up to now. 

The fact that they declined the adjudicators request to make an offer to settle and simply said we decline to change our position kinda says to me they feel they’ve won and don’t need to concede to demands 

PauletteH

HiggiHiggins said:. 

Access wise obviously children partner etc have the code but have no reason to access the app. I work in an office and it’s possible that colleagues may know the code for the phone but again I don’t believe anyone would login.
 

Why is it obvious that your children partner etc have the code to your phone, and why is it possible that your work colleagues know what it is?

MattMattMattUK

HiggiHiggins said:

MattMattMattUK said:

They do not need to prove that you authorised the transactions, they need to prove that you either authorised the transactions or you were negligent in your security measures and/or allowed your devices to be compromised. It does not matter that you never directly bought anything in USD or from Uzbekistan, if you authorised the transactions then that is enough, just the same as if you allowed your account to be compromised, that absolves them of liability. 

Thanks Matt, sorry yes I understand that too. I guess from my point then there’s a number of payments been made from the account which I know nothing about. 

I get that part, but I think the issue is, at least as far as I can see, Barclays think you, or a device you allowed to be compromised, authorised them.

HiggiHiggins said:

At the point I found them I reported them as unauthorised, I don’t know the company’s and have no reason to pay them, I wouldn’t authorise payments to them. 

However someone, who appears to have access to your device, did.

HiggiHiggins said:

The app is on my mobile and B use a numeric code to login ( not alphanumeric like other banks ) and the code to log on to the bank was the same as the phone login if bio login failed. 

Most other banks are numeric as well, I am with Nationwide personally and HSBC for business and both use a numeric code on the app, or biometrics. The code for the phone should really not be the same as for any apps on the device, that is incredibly poor security and is currently why so many people are getting "shoulder surfed" in London, you should not have a single point of failure in your passwords/codes.

HiggiHiggins said:

Access wise obviously children partner etc have the code but have no reason to access the app. I work in an office and it’s possible that colleagues may know the code for the phone but again I don’t believe anyone would login.

Access wise I would say that neither your partner nor your children should know the passcode for your phone, if they want access you can unlock it for them in a particular instance. That is doubly so for your work colleagues, none of them should have access to your personal mobile. If you have told the bank that other people know the code for your banking app they will have deemed you negligent and your account compromised. 

HiggiHiggins said:

at some point last year my phone went for a new screen, when I picked it up it had reset and so via their laptop it was restored and all apps appeared. From memory the banking apps needed something addition before I could log back in as security measure I think. That was B, sant and possibly hali tho that needed that doing. May not be related but that was the only anomaly from around that time. 

The apps will require reauthorisation based on hardware changes on the device, or a restore from backup, however if you gave them the code in the first place, or if you restored the backup on one of their devices that is a huge security compromise, it would be relatively easy for them to copy all they needed. Have you checked either your iCloud or Google account to see all devices signed in with your ID? They will both show you all devices that have ever logged in under your ID, phones, laptops, browsers etc. 

HiggiHiggins said:

So in a nutshell, did I authorise them? No. Was I negligent? No (the adjudicator had already stated this in his initial findings although this was prior to whatever B have sent). Have I allowed my device to be compromised?

There are enough holes in your security that Barclays could well deem you negligent if you have told them what you have told us.

HiggiHiggins said:
No - the device and app are password protected and I have given no one else the details to log on.

That contradicts the above where you state that wife, children, colleagues and a mobile phone repair shop all know your login details.

HiggiHiggins said:

I can’t really prove anything beyond that so I’m a little concerned particularly when B only now managed to find and produce this “evidence” and their honesty hasn’t been all that great up to now. 

The fact that they declined the adjudicators request to make an offer to settle and simply said we decline to change our position kinda says to me they feel they’ve won and don’t need to concede to demands 

They will have been continuing their investigations, if you can refute their evidence then it would be wise to do so, but be aware that you have already admitted to compromising your device and account by allowing other people to know the passcode, that may be enough for them to deny the claim, I suspect from their perspective it could be a slam dunk. They are not going to concede to "demands" if those demands carry no weight, unfortunate as it is that is the position that they will take. 

TheBanker

If you haven't already done so, you need to change your passcodes. The device passcode needs to be different to banking apps, and the banking apps should be different to each other. Also enable biometric authentication where possible, and make sure nobody else's biometrics are stored on your device. 

Another question that may be asked, so you need to think about, is what happened to your old phone(s)? Did you make sure they were securely wiped before selling/disposing of them?

I know you are questioning Barclays' honesty in terms of this new evidence, but the FOS will be familiar with the evidence they would expect Barclays to provide in relation to this kind of complaint. I doubt Barclays would falsify evidence, and if they did I think FOS are likely to spot this. Equally though you need to be honest - have you told Barclays and FOS about the various people who have access to your device, and know your banking app passcodes?

Unfortunately, if Barclays can demonstrate that the fraud happened because you were negligent by failing to keep your devices secure they do not have to reimburse you for the fraud. That doesn't address their poor handling of the claim and complaint, which I imagine is why they have offered the £500. Reading back through your thread, even that is debatable as it appears that you originally told them that you were not authorising them to deal with your claim as part of some kind of GDPR complaint.