Unauthorised ATM withdrawal- Ombudsman ruled in favour of bank
Phortoes said:
In my mind the scammer(s) attached something to the ticket machine which sends info to them. Chip and PIN seems fallible to me. After all, it was devised by people. But most people including the bank and regulator trust it more than doing any proper investigation especially as my sister's case is not entirely unique given other complaints on the Ombudsman's database. I guess, until it happens to lots more people it won't be taken seriously.
You may have seen the above case but it has similarities in that an ATM withdrawal was made from a machine which the cardholder states they didn't authorise or receive the funds for. Unfortunately it lacks detail to give a definitive version of events but implies it's arguably weirder than your case as the person attempted to use the ATM afterwards and was declined due to the fraudulent withdrawal hitting the limit.
The Ombudsman isn't the regulator, that's the FCA and PRA (the former being the relevant one for these types of matter). Similarly the ombudsman cannot be an expert on everything that someone could possibly complain about, each person, particularly ombudsman themselves, have specialities in certain products/sectors but for a lot they are reliant on expert evidence as presented. The Ombudsman tracks trends in complaint data and reports that to the FCA who has vastly greater powers and does investigate things (see the current investigation into discretionary commission agreements in the motor finance industry).
The problem is that every source I can see, including fairly respected security websites state that EMV cannot be cloned (yet), all that can be done is create a magnetic strip from reading an EMV chip. Now I accept that some in the security industry will hold back publishing security holes for a period of time to give the owners time to close it before it becomes public knowledge and more bad actors get the idea to exploit it but the above case was from 2 years ago and that's an exceptionally long time for a company to sit on it. Normally if there isn't enough movement the white hat hackers announce they've found a hole but don't publish the details to try and move things on.
https://www.cryptomathic.com/hubfs/docs/cryptomathic_white_paper-emv_key_management.pdf
The above is a reasonably in-depth review of how the EMV chip actually works, the problem of the idea of some form of relay is the fact that the chip generates a dynamic code using various features of the transaction in question. Whilst in principle that code could be somehow transmitted to the ATM unless the transaction details matched those used to encrypt the code the transaction would fail.
It feels more likely that there is another explanation than someone has cracked the system and yet only a tiny number of exploits are being reported despite the hundreds of millions of ATM uses per day globally.
1 -
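The point made in the post above, that the chip's dynamic code is bound to the details of one transaction, can be sketched as follows. This is an added example, not part of the original thread: a simplified model that uses HMAC-SHA256 in place of EMV's actual cryptogram algorithm and key derivation, with a constructed key and hypothetical function and field names.

```python
import hashlib
import hmac
import struct

def session_key(card_key: bytes, atc: int) -> bytes:
    # Fresh key per transaction, derived from the card key and the
    # Application Transaction Counter (ATC) kept on the chip.
    return hmac.new(card_key, b"sk" + struct.pack(">H", atc), hashlib.sha256).digest()

def card_cryptogram(card_key, atc, amount_pence, currency, date, nonce):
    # The "dynamic code": a MAC over this transaction's details.
    # Simplified model: HMAC-SHA256 truncated to 8 bytes (assumption).
    data = struct.pack(">QHH", amount_pence, currency, atc) + date.encode() + nonce
    return hmac.new(session_key(card_key, atc), data, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_atc = 0  # highest counter value accepted so far

    def authorise(self, atc, amount_pence, currency, date, nonce, cryptogram):
        if atc <= self.last_atc:
            return "declined: counter already used"
        expected = card_cryptogram(self.card_key, atc, amount_pence, currency, date, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram mismatch"
        self.last_atc = atc
        return "approved"

def demo():
    key = bytes(range(16))             # constructed card key
    nonce = bytes.fromhex("a1b2c3d4")  # constructed terminal nonce
    other = bytes.fromhex("00000000")  # nonce a different terminal might send
    issuer = Issuer(key)
    # Code generated by the chip for a 20.00 GBP (currency 826) withdrawal.
    code = card_cryptogram(key, 1, 2000, 826, "240115", nonce)
    return [
        issuer.authorise(1, 30000, 826, "240115", nonce, code),  # amount changed
        issuer.authorise(1, 2000, 826, "240115", other, code),   # nonce changed
        issuer.authorise(1, 2000, 826, "240115", nonce, code),   # genuine
        issuer.authorise(1, 2000, 826, "240115", nonce, code),   # exact replay
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A captured code is only accepted once, and only for the exact amount, date and terminal nonce it was computed over.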
My belief is that if EMV chips have been cracked/cloned we'd see channels such as this board inundated with stories. The reality is that we see such reports very infrequently. Not convincing evidence that EMV has not been hacked of course, but crooks would want to rush to exploit before security was tightened.
I'm a Forum Ambassador and I support the Forum Team on the Credit Cards, Savings & investments, and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
All views are my own and not the official line of MoneySavingExpert.
0 -
To pursue this matter further. Needs to be tangible evidence rather than simply conjecture.
On what grounds was the complaint dismissed?
0 -
Hoenir said:
To pursue this matter further. Needs to be tangible evidence rather than simply conjecture.
On what grounds was the complaint dismissed?
Phortoes said:
The bank claimed she must have authorised it from the evidence they have. She went to the Ombudsman who agreed with the bank because apparently the ATM read the chip on the card not the magnetic stripe. They say the chip cannot be cloned so the transaction must have been done with her own card.
0 -
Exact wording.
0
-
I wonder if there is now a fraud where the card is stolen (undetected, eg a good pick pocket), the cash withdrawal done (they'd need to know the PIN......but.......an 'over the shoulder' attack could get this) then the card is put back into the possession of its rightful owner, eg slipped into a pocket. Instead of the card owner reporting a stolen card and the investigation focusing on that, it turns into a "bank vs customer" battle on whether the card was stolen/used fraudulently/returned or if the customer is being deceitful in claiming they didn't make the ATM transaction.
0
-
Phortoes said:
born_again said:
Banks have no more rights than the OP here to CCTV. Police is best action. But odds of CCTV still being there are next to none (norm 30 days), given mention of ombudsman, which will have been a couple of months at least.
Bank does not need CCTV for their side. They can see type of card used (chip read), as UK ATM do not take mag stripe read cards, when a chip is expected. If person claiming fraud has their card, then it's a no brainer it will be rejected as fraud.
Unless it is an internal ATM, then odds on no CCTV, as banks tend not to have them outside. That's for the councils. Odds of Met police doing anything, from experience, is none. Have even spoken to a desk office after a customer had been mugged at ATM. They refused to do anything saying it was up to the bank🤷♀️
I wish her well, but do not hold out any hope if ombudsman ruled against her.
Life in the slow lane
0 -