Fraudster capabilities and very suspicious account activity

TechGuy2012

A local business owner has had some real difficulties with fraud of late which I'd love to have and explanation for but I don't! Hopefully someone on here does, however I doubt it's going to offer any reassurances.
Starting from the beginning, he tried to buy an old shipping container for extra storage, paid by debit card online which turned out to be a scam (although they had a website and listing on companies house). The bank refunded the money thankfully and issued a new debit card.

This is where it got interesting, having never physically used the new debit card and used it just 2 times online (ebay and a small supplier which supplied goods). Via a Windows 10 PC.
The card was then compromised and used on lots of contactless transaction totaling about £1200 many miles away in London. Note the card is kept on site so had never left the building!
So I had him run the standard windows security checks, virus checks this came up with nothing. 1)This left us questioning how this was possible?
He asked the bank but they didn't have an answer at the time. Did the small supplier have a security breach and leaked the card details.
2)Can a contactless card be created from just the card details used online?
3)Did it need to be scanned by close connection to be cloned, in which case all we could put it down to was whilst it was mailed?

Thankfully the bank refunded the money and sent a new card but we were left with many questions (1-3)

Then only a few months later (last week) it got much worse.
Due to the previous experience he set up the online banking app with transaction notifications.
He woke up the other day to find several new payee's had been setup in the middle of the night, and several large withdrawals made. The bank were immediately contacted and a supposed stop put on the account whilst they investigated. At this point he's adamant that he's not divulged the security details to create a new payee so once again we are left with questions.
The following day he wakes up to more large withdrawals which has basically emptied the account (even though there was a supposed stop on it by the bank!)
The bank was obviously informed by a now angry customer, along with police and insurance company.
4)How can this be possible?

All I can put this down to is either the business owner has been unwittingly compromised  somehow (still doesn't explain the second set of withdrawals), internal fraud at the bank or a serious security flaw at the bank.

I thought I was fairly savvy and up on current methods of fraud, but I'm struggling to understand this, any explanations appreciated!

Nasqueron

All I can put this down to is either the business owner has been unwittingly compromised  somehow (still doesn't explain the second set of withdrawals), internal fraud at the bank or a serious security flaw at the bank.

It's definitely the first, he is either not being honest with you or someone has access to his phone or accounts or machine. You don't mention the bank but most of them require approval/authentication in the app for a new payee e.g. biometrics, face ID etc

TechGuy2012

From what he has said, I believe he has one of those little calculator type devices that generate a code that has to be entered to add a new payee. It's Co-op by the way.
I have checked their website, that seems to suggest a fixed code on business accounts???
I've arranged to see him tonight so will know for sure then.
Just though I'd start a thread here as there seems to be a few people on here in the know.

km1500

to answer one of your specific questions yes it is possible to make a card contactless by just knowing the card details I do it all the time you basically add it to Google pay or Apple pay or whatever

however it's not that simple there is an authorization step to get through to enable it to be added

born_again

What type of transactions?

As a physical contactless card can not be made from card details gained online. Same with scanning a card. It's is not something that happens in the UK due to method of how cards work.

It is possible that one of the sites used has been compromised, or even a staff member has taken & used the card details.
It is also possible that the card details have been obtained by the shipping container seller, & they have requested new card details via the Visa/Mastercard systems. 

End of the day, this is the type of fraud, no one can do anything to stop. As every time you use your card either online or physically. The 16 digits are out there. Which is all that is needed for online fraud.

xylophone

Far more likely that his security has been compromised than the bank's.

Time to buy new computer, new phone and  a business account with another bank?

TechGuy2012

@born_again The early transactions were card transactions, fairly sure it was contactless as they were all below £100, in fact several were at or very close to £99.99, I thought that was a bit of a give away. I don't think the statement specifically said contactless though.
The shipping company only had the old card details, I think we could have easily put it down to them, but he was on a new card at the point of the contactless fraud. This only puts the small supplier and ebay into question, but by the sounds of it, neither had everything they need to create a contactless payment method. As km1500 said the bank needs to verify with the customer when Google/Apple pay is set up.
The later fraud was bank transfer. All of which were linked to named individual accounts!

TechGuy2012

@born_again
Let me get this straight, from your comment
"It is also possible that the card details have been obtained by the shipping container seller, & they have requested new card details via the Visa/Mastercard systems."

So could the shipping container company request the new card details, even thought they only have the old card details?
It seems crazy that Visa/Mastercard would allow that!

born_again

TechGuy2012 said:

@born_again
Let me get this straight, from your comment
"It is also possible that the card details have been obtained by the shipping container seller, & they have requested new card details via the Visa/Mastercard systems."

So could the shipping container company request the new card details, even thought they only have the old card details?
It seems crazy that Visa/Mastercard would allow that!

Google Visa Account Updater.
It is a system designed for recurring payments. So things like Insurance etc still get paid.

You can not base how a transaction was made by the amount. Checking statement will tell then exactly how they were made. 
In all my years dealing with this, the only contactless fraud has been when a card was lost or stolen. 

Card fraud & bank transfer fraud are 2 totally different methods. So business owner has to look more closely at who may have access to card & account details.

TechGuy2012

Nasqueron said:

All I can put this down to is either the business owner has been unwittingly compromised  somehow (still doesn't explain the second set of withdrawals), internal fraud at the bank or a serious security flaw at the bank.

It's definitely the first, he is either not being honest with you or someone has access to his phone or accounts or machine. You don't mention the bank but most of them require approval/authentication in the app for a new payee e.g. biometrics, face ID etc

So I couldn't wait and messaged him. He has a security token (one of those little calculators), which he has to use every time he logs in and to generate new payee's. It generates a code to enter.
So has that been compromised?

sheramber

Do you not have to enter the vard into the security device to get the code?

I have to put my card in mine.