Barclays Fraud / GDPR breach

PauletteH

This is an amazing thread. Almost like a case study for students. 

phillw

MattMattMattUK said:
they need to prove that you either authorised the transactions or you were negligent in your security measures and/or allowed your devices to be compromised. 

How would they prove the later? Unless you told them.

phillw

HiggiHiggins said:
I work in an office and it’s possible that colleagues may know the code for the phone but again I don’t believe anyone would login.

 

Certainly I would never EVER say anything like that to a bank.

They will instantly say "you've said people in your office have access to your phone and so it's likely they did it no matter what you believe".

Only ever say "I always keep my wallet and phone on my person, nobody has access to it at any time."

As for a phone repair shop, I would be very wary of taking my phone to anyone if it had not been factory reset and security wiped first.

TheBanker

phillw said:

HiggiHiggins said:
I work in an office and it’s possible that colleagues may know the code for the phone but again I don’t believe anyone would login.

 

Certainly I would never EVER say anything like that to a bank.

They will instantly say "you've said people in your office have access to your phone and so it's likely they did it no matter what you believe".

Only ever say "I always keep my wallet and phone on my person, nobody has access to it at any time."

As for a phone repair shop, I would be very wary of taking my phone to anyone if it had not been factory reset and security wiped first.

But the OP has questioned the integrity of Barclays' evidence. So he cannot now lie to the Ombudsman when they ask if anyone else knows his passcodes.

HiggiHiggins

I need to respond to the adjudicator tomorrow really.

I just feel that if someone says that only they have the passcode to access and it’s your phone and ip address the bank state which is the same as previous txns then in theory their view would be well only you can have auth it then

if you say my partner and or children /repair shop have had access then you’d be faced with - ooh that’s negligent you’re now liable.

The adjudicator has said their evidence demonstrates some of the payments were authorised with the banking app. Not sure what level “some” is or if relevant. I’ve still never been supplied anything with regards to the payments is this something they should provide from the merchants? Receipts for what was purchased etc, none of these companies exist and when B approached them with chargebacks should they have provided evidence to support the txn?
if there are links to money laundering and these companies are just moving the money of without any trace then should b be pursuing these further. If they had issued chargebacks then I’d assume the companies would come running with evidence, or did b realise these companies were difficult to locate and speak to and would have their work cut out to get the payments and didn’t bother? 

These we reported in sept and started end April to mid august so if the txn and £ has gone and they realise it’s a monumental amount of work to get each and ever txn back?

HiggiHiggins

PauletteH said:

Why is it obvious that your children partner etc have the code to your phone, and why is it possible that your work colleagues know what it is?

Hi PH sorry comment might have come over a bit laid back. 

I may be wrong but the kids etc and partner have just always known the pass code, for very innocent reasons, photos, maps, searching while I drive etc. I don’t hide accessing my phone in the house in the same way I would in a crowded space and I know it’s a very different avenue but if I hid my passcode from my partner every time they were near then it seems very secretive.

I see it in a very different manner tho looking at it from an overall security prospect in this scenario tho, almost trust no one (in fact it’s not even almost is it)

in terms of work colleagues, it’s not something I’ve shared or broadcast but probably not something I’ve been as thorough as I should really. I’m one of those people who turns away when someone’s typing a passcode in to something, that’s just my reaction. Some people aren’t that way inclined and even innocently can catch you enter 1234 etc while you show them something. 

HiggiHiggins

phillw said:

Certainly I would never EVER say anything like that to a bank.

They will instantly say "you've said people in your office have access to your phone and so it's likely they did it no matter what you believe".

Only ever say "I always keep my wallet and phone on my person, nobody has access to it at any time."

As for a phone repair shop, I would be very wary of taking my phone to anyone if it had not been factory reset and security wiped first.

thank you Phillw that’s exactly what I thought. As soon as you disclose that potentially anyone has had any access you leave it open to “you’ve been negligent”

Playing devils advocate here - b showing data that my ip (which they have from undisputed payments) and banking app authorised some payments would not prove that a certain person authorised or made these payments (yes I get the likelihood or potential is it’s most obvious). 

I can’t show anything to counter that info they produce, no consumer can. All anyone can say is I don’t know the company, didn’t make the payment or didn’t authorise it. 

I’ve never given my login details to anyone or been negligent to the best of my knowledge in my security.

that is as much as anyone can say, as you say, I keep my phone on me at all times.  What would the outcome be then?

phone repair wise it went in locked as the screen was smashed and the code wasn’t given as not needed. I seem to recall it being in recovery mode and plugged in to the mains charging (I guess this could have been any charging mechanism), I did the restore via their Wi-Fi but still plugged in. 

I guess these phone shops could swap your iPhone for an identical model and give you that back as the repaired one. Getting a customer to restore the account on the “repair” and retaining all the info off the original. I’ve checked my cloud data though and only the one mobile logged in 

kaMelo

What technical evidence the banks will have shown the ombudsman will never be disclosed but I would assume, given they asked about a specific phone model, it would include the phones IMEI, certainly proof of other transactions authorised using the same device that went unchallenged, maybe location data and probably more things too.

From my reading of many ombudsman rulings, if a bank can show technical evidence that a payment was authorised using a recognised device that was previously used and is still in your control, the ombudsman will rule in the banks favour without exception. The onus is then on you to provide evidence that it wasn't you who authorised the transaction, a very difficult thing to do to prove a negative. Saying "I think the phone shop might have done it" wouldn't be enough.

born_again

HiggiHiggins said:

I need to respond to the adjudicator tomorrow really.

I just feel that if someone says that only they have the passcode to access and it’s your phone and ip address the bank state which is the same as previous txns then in theory their view would be well only you can have auth it then

if you say my partner and or children /repair shop have had access then you’d be faced with - ooh that’s negligent you’re now liable.

The adjudicator has said their evidence demonstrates some of the payments were authorised with the banking app. Not sure what level “some” is or if relevant. I’ve still never been supplied anything with regards to the payments is this something they should provide from the merchants? Receipts for what was purchased etc, none of these companies exist and when B approached them with chargebacks should they have provided evidence to support the txn?
if there are links to money laundering and these companies are just moving the money of without any trace then should b be pursuing these further. If they had issued chargebacks then I’d assume the companies would come running with evidence, or did b realise these companies were difficult to locate and speak to and would have their work cut out to get the payments and didn’t bother? 

These we reported in sept and started end April to mid august so if the txn and £ has gone and they realise it’s a monumental amount of work to get each and ever txn back?

When a bank reports these transactions as fraud or disputes them (if they believe it maybe you). This gives the retailer a chance to provide information they hold on the acc holder & maybe what was purchased, or the service provided.
But these retailers do not have to provide anything. They can just not answer & lose the case.
Other than the retailer responding, A bank has no information on what was purchased. They do not get copies of any receipts.

My only concern would be if they are saying some were, but some were not. Then I would be asking which ones were & which were not. 
But the fly in the ointment here could be if they were the later payments & a continuous payment authority for a subscription, which require no authorisation, retailer simply takes the funds.

HiggiHiggins

When a bank reports these transactions as fraud or disputes them (if they believe it maybe you). This gives the retailer a chance to provide information they hold on the acc holder & maybe what was purchased, or the service provided.

But these retailers do not have to provide anything. They can just not answer & lose the case.
strangely I’ve had this conversation with the adjudicator today. I’ve asked what was purchased, any receipts etc and he said nothing has been supplied, he said he doesn’t know if they’ve spoken to the merchants as there is nothing to support what they’ve said. 

Other than the retailer responding, A bank has no information on what was purchased. They do not get copies of any receipts.
With the companies being non existent and no proof of anything purchased or posted, if B haven’t spoken to the merchants then how would they know the payments were genuine and not taken in error by them etc?

My only concern would be if they are saying some were, but some were not. Then I would be asking which ones were & which were not. 
But the fly in the ointment here could be if they were the later payments & a continuous payment authority for a subscription, which require no authorisation, retailer simply takes the funds.
I asked this today and he said at a quick glance about 25% look to be authorised from 2 ip addresses. This is where I’m lost as without knowing who the companies are and what was bought from Kazakhstan in USD 12 months later I’m more confused that I originally was. He’s sending me the info on the IP address but itll all be double Dutch to me and have no idea what to look for 

Thanks in advance