Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    • faqinel
    • By faqinel 19th Oct 19, 8:22 PM
    • 8Posts
    • 2Thanks
    faqinel
    Fraudulent transactions
    • #1
    • 19th Oct 19, 8:22 PM
    Fraudulent transactions 19th Oct 19 at 8:22 PM
    So I have just been notified of fraudulant activity on my Santander account. Amongst which was a 300 transaction to Novigroup Ltd. Whilst Santander said that one payment had been stopped an earlier one had gone through and would be reported to Santander's fraud team. Whilst I am expecting this process to find in my favour and the money to be refunded Santander could not tell me much about the transaction other than it was an online payment. They could not say what data was processed to authenticate the transaction, such as Name, Address, 3 digit code, verified by Visa, OTP. This is information that I require to be able to ascertain if and where my own data could have been compromised and what further steps I need to take to other than requesting a new card.
    It also raises the question of who sets the standard when it comes to processing any transaction, be it online, over the counter or by telephone. Can the retailer say "who cares, card number and three digits will do" or is it the Bank or Visa that set a minimum authentication requirement to process 300 from ones account.
    From my experience online payments seem to be processed differently dependant on the retailer, the amount and who your card issuer is.
    But returning to my first point can anyone recommend who I should approach to find out more detail about the transaction. It would appear that the Novigroup, Santander, Visa and the card processor (not sure who this is at the moment) would all potentially hold some or all data pertinent to the processing. Should this be a GDPR request or some other request under FCA guidelines?
    Any advice greatly appreciated.
Page 2
    • Ben8282
    • By Ben8282 20th Oct 19, 6:26 PM
    • 4,041 Posts
    • 2,220 Thanks
    Ben8282
    If the transaction has been through VbV. We have access to a system that gives you the IP address, type of device & country. This also includes a unique device ID, which we were told is fixed to the device.
    Yet one of our team has proved that wrong as they used the same device 4 times, except using different connections on the same day.
    Each came back with a different unique ID.
    Checking Visa details on VbV hinted that ID is actually controlled by cookies. So can be fooled by these, or being deleted.
    We had tried to raise this issue with the team that trained us and also get it raised to Visa for a definitive answer.
    Nearly 12 months later we are still waiting an answer. They seem to not understand what we are saying.
    Which is quite simple. Is the device ID unique to a device, or can it change.
    Originally posted by born again
    What you have said above is very interesting and informative.
    However, I think yu have missed the point.
    If it has changed then nothing can be proven either way. In order for Santander to use this as evidence that the OP had made the transactions, the situation would have to be that it had NOT changed.

    However, as the transaction was made using a debit card on a gambling website, how would Santander actually know this information anyway?
    Last edited by Ben8282; 20-10-2019 at 6:36 PM.
    • Migster
    • By Migster 20th Oct 19, 7:50 PM
    • 40 Posts
    • 19 Thanks
    Migster
    This does of course raise the usual question of how the fraudsters would have got their hands on any winnings from this gambling activity as any winnings would have been paid to the debit card used and back into your own bank account.
    Originally posted by Ben8282
    If the online gambling site offers poker, you sit at the same table as your fraudster mate and deliberately lose to him. Your mate has used a legit card on the site, so he can withdraw the funds he's won from you back to his card.
    • Uxb1
    • By Uxb1 20th Oct 19, 8:16 PM
    • 303 Posts
    • 411 Thanks
    Uxb1
    If the transaction has been through VbV. We have access to a system that gives you the IP address, type of device & country. This also includes a unique device ID, which we were told is fixed to the device.
    Originally posted by born again
    In these cases.....
    The bank etc will have access to your IP address at the point of transaction
    This will be of your home router if you are there.
    so if a dodgy claimed transaction is found to be from the same IP address as previously done transaction which had no issues the bank will be rather wary of wary of refunding without question.

    It gets more complicated if your ISP is running CGNAT if they are running out of IP address blocks when a single IP address is shared out by fast computers swapping time allocations between users so it appears to the user that they are the only user on the IP address. Much like old fashioned mainframe computers managed 100 or so user terminals at once - by sequentially swapping very fast between them.
    CGNAT make crime detection difficult as you need to know to the milli-second which router was connected to determine who was downloading the illegal stuff.

    Now the actual device ID behind the IP address is more difficult as all the devices in the house will share the same ip address - being that of the router.
    To get the device's unique MAC address cannot be done without getting you to run an activeX type program within the browser which would need specific each time permission from the browsers user to proceed.
    (Crucial used to use such a active X prog to inspect your computer when you wanted to buy memory upgrades from them and they need to see what was there to start with)
    They could be using browser imprinting as pseudo ID. By this I mean what fonts you have installed,what browser version, what OS, what cookies are stored, screen resolution, what addons you have etc all of which is accessible to the bank/VISA/Mastercard and can used to "sort of ID" the device the used within a certain degree of confidence.
    • Ergates
    • By Ergates 21st Oct 19, 10:08 AM
    • 676 Posts
    • 917 Thanks
    Ergates
    GDPR 15 relates to personal information - that is information about you.

    However, you have told the bank that you did not make those transactions (so presumably, another person made them). So you have no right to information about those transactions..
    Originally posted by eddddy
    You do if the data is associated with your account - you have a right to know the information that an organisation holds about you, even if it is inaccurate.
    • Ergates
    • By Ergates 21st Oct 19, 10:14 AM
    • 676 Posts
    • 917 Thanks
    Ergates
    You will not be given details of how this crime has been committed and I would think that the reasons why would be pretty obvious.
    Originally posted by Ben8282
    The OP isn't asking for details of *how* the fraud was comitted, they're asking for the point of intrusion/method of authentication - if known. Which would give an indication of which parts of their personal details are compromised.

    This is the same as asking the police how the burglars broke into your house*. You're asking "Did they pick the lock or jemmy the window?", you're not asking "How do you pick a lock?".


    *Clearly, in real life it would be obvious how - it's an analogy, go with the flow....
    • Ergates
    • By Ergates 21st Oct 19, 11:26 AM
    • 676 Posts
    • 917 Thanks
    Ergates
    So I have just been notified of fraudulant activity on my Santander account. Amongst which was a 300 transaction to Novigroup Ltd. Whilst Santander said that one payment had been stopped an earlier one had gone through and would be reported to Santander's fraud team. Whilst I am expecting this process to find in my favour and the money to be refunded Santander could not tell me much about the transaction other than it was an online payment. They could not say what data was processed to authenticate the transaction, such as Name, Address, 3 digit code, verified by Visa, OTP. This is information that I require to be able to ascertain if and where my own data could have been compromised and what further steps I need to take to other than requesting a new card.
    It also raises the question of who sets the standard when it comes to processing any transaction, be it online, over the counter or by telephone. Can the retailer say "who cares, card number and three digits will do" or is it the Bank or Visa that set a minimum authentication requirement to process 300 from ones account.
    From my experience online payments seem to be processed differently dependant on the retailer, the amount and who your card issuer is.
    But returning to my first point can anyone recommend who I should approach to find out more detail about the transaction. It would appear that the Novigroup, Santander, Visa and the card processor (not sure who this is at the moment) would all potentially hold some or all data pertinent to the processing. Should this be a GDPR request or some other request under FCA guidelines?
    Any advice greatly appreciated.
    Originally posted by faqinel
    At present, most banks won't be able to tell you what method of authentication was used for an online card transaction. This is because the card processors don't pass this information on to the banks - they just say if it passed or failed.

    However, under the up-coming PSD2 legislation, banks (and other card providers) will have to report to the FCA on (amongst other things) the value and volume of all online card transactions, including a break down of if they where stepped up (under SCA) or if they were exempt (and if so, what was the exemption reason).

    This legislation was meant to be going in this year, but the roll out has been delayed (in part because many of the card providers weren't able to provide the banks with the information they needed to report on this). Once it's in place the banks should have more information to hand about how a particular transaction was authenticated. Whether or not they will be willing to pass this information on to customers is another matter....
    • born again
    • By born again 21st Oct 19, 9:46 PM
    • 641 Posts
    • 342 Thanks
    born again
    At present, most banks won't be able to tell you what method of authentication was used for an online card transaction. This is because the card processors don't pass this information on to the banks - they just say if it passed or failed..
    Originally posted by Ergates
    Not quite true.

    As we can see this as the card provider has to authorise the transaction. So things like correct CVV etc are known.
    Its all shown in the security system. Incorrect CVV will prompt a decline, or a block on the security system.
    I would fully expect Santander to know exactly what details were used.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

503Posts Today

5,626Users online

Martin's Twitter