Victim of Fraud but Credit card company are saying its my fault and I am liable for the charges.

Grumpy_chap

grumpy_codger said:

penners324 said:

Offline payments wouldn't ask for a payment to be authorised in the app or by otp. Another red flag.

Really? What would be then?
I don't have Santander app, but was sent OTPs for biggish online debit card payments.
With other banks it can be in-app authorisation instead. 

Yes, but the comment was that an offline payment (over the phone to a card terminal) would not seek OTP / app verification.  It was only that the scammer was actually processing an online payment to "Giftcards-R-Us" while speaking with the OP that meant the OTP / app verification was triggered.

grumpy_codger

My apologies. I misread the "offline".

DullGreyGuy

Grumpy_chap said:

martinbainbridge1975 said:

must be a double scam then bike and vouchers

Only one scam:

• The scammer advertised a bike for sale.
• The OP "ordered" the bike over the phone and paid by card.
• The scammer did not have a bike or a card machine.
• The OP provided the scammer with their name, long card number, expiry date, CVV code.  All required to process an over-the-phone card purchase.
• The scammer was not, in fact, processing an over-the-phone card transaction for the bike.
• The scammer was, in fact, on another website entering the OP's card details to purchase gift vouchers.
• The gift voucher website asked the scammer for the OTP.
• The scammer asked the OP for the OTP.
• The OP obtained the OTP from the bank, which is accompanied by a message along the lines of "do not share this code - if any one asks you for this code, hang up"
• The OP gave the scammer the OTP.
• The scammer entered the OTP into the website to complete the purchase of the gift vouchers (which are sent to the scammer, not the OP).
• The OP lost their money and never received the bike or the gift vouchers.

If that is what happened, I am not sure what the bank can do more.  I understand and sympathise with the OP for losing their money, but if the bank is liable here, then would that create a free-for-all that anyone can buy anything from anywhere and bank ends up footing the bill.  Retail banks can't simply print money - they have to get the money from somewhere.

Possibly, there could be legislation passed that means online orders can only be sent to the card holders address.  In this case, at least the OP would have received the gift vouchers, unless the scammer had some means to intercept the physical vouchers or override the address data.  That may reduce scams, but would also reduce flexibility for the majority - it is not unusual to make an order for something to be delivered to other than the card holder's address.  For example, flowers following bereavement, Birthday gifts to a relative, etc.

There wasnt a one time code, it was an authorisation in the banking app which would have said something like "Confirm you are trying to spend £200 with Giftvouchers.com" and the OP pressed "Yes". 

Undoubtably these were digital vouchers so no physical product to send somewhere, whilst you may see people introduce rules that physical goods can only go to the registered address its unlikely that anyone is going to think to ban digital goods, require digital goods to be posted physically (eg as a QR code). Only real option would be to introduce a "registered email address" type concept. 

Grumpy_chap

DullGreyGuy said:

There wasnt a one time code, it was an authorisation in the banking app which would have said something like "Confirm you are trying to spend £200 with Giftvouchers.com" and the OP pressed "Yes". 

You mean like this:

Grumpy_chap said:

I don't have APP banking but, AIUI, the "OK'd the transaction in the APP" is the same security step as OTP.
You get a message that reads along the lines of "this security step authorises a transaction to ABC for the sum of £xxx" please confirm you wish to make the payment." plus some warning about the risk of being scammed.

Again, the security step via the APP authorisation would not occur if the retailer was using a card machine and making an over the phone transaction.  It is only the fact they are making a transaction via an online gift card website that the APP check was initiated (instead of OTP).

A key thing for the bank assessing fraud might well be what the "ABC" part of that in-APP notification said.  If it was "Anytown Bike Centre" then the OP can plausibly believe this is payment for a bike.  If it was "Giftcards-R-Us" then the OP might reasonably have been expected by the bank to notice.

DullGreyGuy said:

Undoubtably these were digital vouchers so no physical product to send somewhere, whilst you may see people introduce rules that physical goods can only go to the registered address its unlikely that anyone is going to think to ban digital goods, require digital goods to be posted physically (eg as a QR code). Only real option would be to introduce a "registered email address" type concept. 

A "registered e-mail address" concept could work.  In fact, for one of my CC's access to the online banking requires the registered e-mail address to be entered.
It is also easy, once received, to pass such an item on if intended as a gift.

I am not in favour of restricting to registered address for physical goods.  It may constrain some fraud but also limits genuine flexibility.
 - I will send flowers to my Niece's for events.
 - I sent flowers to my SiL when she lost her Father.
 - My Nephew is in Australia so being able to send a Birthday Gift without needing to visit in person is helpful.
 - My FiL has mail order stuff delivered to his workplace rather than the doorstep of an empty house.
 - Many other similar genuine examples.

born_again

If this was via Santander & it requires you to go to app to approve payment then it says Amount & companies name for the transaction.

DullGreyGuy

Grumpy_chap said:

DullGreyGuy said:

Undoubtably these were digital vouchers so no physical product to send somewhere, whilst you may see people introduce rules that physical goods can only go to the registered address its unlikely that anyone is going to think to ban digital goods, require digital goods to be posted physically (eg as a QR code). Only real option would be to introduce a "registered email address" type concept. 

A "registered e-mail address" concept could work.  In fact, for one of my CC's access to the online banking requires the registered e-mail address to be entered.
It is also easy, once received, to pass such an item on if intended as a gift.

I am not in favour of restricting to registered address for physical goods.  It may constrain some fraud but also limits genuine flexibility.
 - I will send flowers to my Niece's for events.
 - I sent flowers to my SiL when she lost her Father.
 - My Nephew is in Australia so being able to send a Birthday Gift without needing to visit in person is helpful.
 - My FiL has mail order stuff delivered to his workplace rather than the doorstep of an empty house.
 - Many other similar genuine examples.

In principle it could but many people have more than one email address and may want to separate business and personal or many have special emails setup for various companies. Also makes the anonymous present more difficult to make if it goes to your email address to be forwarded rather than direct to the recipient (given the event we are rapidly approaching). 

I personally own my domains so have amazon@mydomain.com, MSE@mydomain.com, eBay@mydomain.com etc which makes email rules easier to set up and also identify the source of data leaks (have identified 4 data breaches and some unauthorised sale of data over the years). So totally breaks the idea when I have to tell Amazon that the voucher has to be sent to Barclays@mydomain.com or Amex@mydomain.com depending on the card used etc. 

Agree on flexibility but unfortunately as the nanny state gets ever heavier on protecting people from themselves the result will be ever more restrictions as companies become liable for the poor decisions of consumers. Unfortunately these arent things where you can choose to waive your rights in exchange for more flexibility (or lower prices etc etc). 

Kim_13

Grumpy_chap said:

DullGreyGuy said:

There wasnt a one time code, it was an authorisation in the banking app which would have said something like "Confirm you are trying to spend £200 with Giftvouchers.com" and the OP pressed "Yes". 

You mean like this:

Grumpy_chap said:

I don't have APP banking but, AIUI, the "OK'd the transaction in the APP" is the same security step as OTP.
You get a message that reads along the lines of "this security step authorises a transaction to ABC for the sum of £xxx" please confirm you wish to make the payment." plus some warning about the risk of being scammed.

Again, the security step via the APP authorisation would not occur if the retailer was using a card machine and making an over the phone transaction.  It is only the fact they are making a transaction via an online gift card website that the APP check was initiated (instead of OTP).

A key thing for the bank assessing fraud might well be what the "ABC" part of that in-APP notification said.  If it was "Anytown Bike Centre" then the OP can plausibly believe this is payment for a bike.  If it was "Giftcards-R-Us" then the OP might reasonably have been expected by the bank to notice.

DullGreyGuy said:

Undoubtably these were digital vouchers so no physical product to send somewhere, whilst you may see people introduce rules that physical goods can only go to the registered address its unlikely that anyone is going to think to ban digital goods, require digital goods to be posted physically (eg as a QR code). Only real option would be to introduce a "registered email address" type concept. 

A "registered e-mail address" concept could work.  In fact, for one of my CC's access to the online banking requires the registered e-mail address to be entered.
It is also easy, once received, to pass such an item on if intended as a gift.

I am not in favour of restricting to registered address for physical goods.  It may constrain some fraud but also limits genuine flexibility.
 - I will send flowers to my Niece's for events.
 - I sent flowers to my SiL when she lost her Father.
 - My Nephew is in Australia so being able to send a Birthday Gift without needing to visit in person is helpful.
 - My FiL has mail order stuff delivered to his workplace rather than the doorstep of an empty house.
 - Many other similar genuine examples.

A limit on the amount that can be sent to somewhere other than the cardholder’s registered address, maybe? It could have a default and be adjusted upwards/downwards as required as with Contactless. Repeat purchases to go to other addresses in a short space of time can probably be safely blocked, or the cardholder could get the restriction lifted temporarily if they were say ordering several Christmas presents to be sent direct to the recipient on the same day.

jimjames

born_again said:

If this was via Santander & it requires you to go to app to approve payment then it says Amount & companies name for the transaction.

Exactly. The bit I can't understand is the value of the vouchers being "hundreds" which presumably isn't the amount the OP authorised in the bank app. Surely that transaction would be hard to dispute (or could be disputed depending on the context) but the ones that were not authorised in the app should be refunded by the bank. I wonder if the bank are alleging negligence from giving out the card details to the scammer.

grumpy_codger

jimjames said:

born_again said:

If this was via Santander & it requires you to go to app to approve payment then it says Amount & companies name for the transaction.

Exactly. The bit I can't understand is the value of the vouchers being "hundreds" which presumably isn't the amount the OP authorised in the bank app. Surely that transaction would be hard to dispute (or could be disputed depending on the context) but the ones that were not authorised in the app should be refunded by the bank. I wonder if the bank are alleging negligence from giving out the card details to the scammer.

What do you not understand? 

In fact it was " £1000s of purchases and buy gift vouchers" that "have been handled with ... bank as fraud" (= refunded).

The problem is with one payment to some "Bicester village" that was authorised by the OP (the amount and the company), but the OP couldn't know that the payment was for some gift cards (sent to the fraudster), not for the non-existing excercise bike.