Saturday, 1 October 2016

Card fraud

Who is the fraudster and who is being defrauded?

I have just had a long and annoying conversation with Barclays after they authorised and deducted from my balance over £13k because someone in a Danish auction house used an old (invalid) card number for a card the bank had previously issued to me.

The wording of the call is very much around me being defrauded and me making a claim.

I even had Lloyds call when I tried to top up Monzo (seeing as I have no Barclays card at present from which to do so) and they talk of protecting me from fraud.

I think this is wrong.

A fraudster is someone that lies for some gain (or to make someone else lose).

So a fraudster using my card details to buy something is misrepresenting themselves as "me". That is the lie - that they claim to be me. They make this claim by using identification tokens that relate to me. They make this claim to the bank via the merchant and card processing system.

The bank fall for this lie, thinking it is me, and as a result transfer some of the bank's money to a merchant. The merchant then provides goods or services to the fraudster.

I would say that the person being lied to here is the bank - as the merchant has no way to validate the identification tokens provided - they just pass them on, ultimately, to the bank. So the lie is indirect, and the party lied to is the bank.

The bank, having fallen for this lie, change my bank balance. But the bank balance is just a record of the bank's liability to repay me the funds I have deposited with them. They can reduce that liability (and hence the balance) by acting on my instructions to transfer money. However, in this case, I did not instruct them to transfer money, so their liability to repay me has not been reduced, and so the balance should not have changed. The change in bank balance is a mistake by the bank which is based on the fact that they mistakenly thought it was me giving them the instruction, when it was not.

My part here is to advise them of that mistake, and confirm that it was not in fact me that gave the instructions.

Now, I can also appreciate that bank customers may lie to banks as well, so they have to be careful, but ultimately, in this case, I am an innocent bystander. I am not really the victim of the fraud, or even the subject of it, I am a victim of my bank mistakenly falling for a fraud and changing my balance - something the bank can (and must) change back. As it was not me that instructed them, they continue to have the same liability to repay what I have deposited as before.

All of the measures the banks put in place are not really to protect me - they are to protect the bank from fraud. I am protected by the simple fact that the bank have an obligation to repay the money I have deposited unless I instruct them to transfer money.

There is one caveat, of course. The bank do have terms about how I use the identity tokens which mean I should not give others the PIN or allow others to use the card, and so on. If the fraud happened, i.e. if the bank were fooled, as a result of my breach of those terms, then I would be liable to the bank to reimburse them for the fraud in some way. Even in that case it would not actually be me that was defrauded, it would still be the bank, but it would be me that broke contract terms.

Am I wrong to get so annoyed by the terminology banks use in these cases?

9 comments:

  1. I'm with you on this one. Institutions don't always play fair though.

  2. Sounds like a good topic for Radio 4's Money Box...

  3. They should give you a temporary refund within a few days of you disputing the transaction.

    1. Given that they admitted, in the call, "that should have not gone through", they really should correct my balance immediately and permanently, in my opinion.

  4. https://www.youtube.com/watch?v=CS9ptA3Ya9E

  5. Chip and Pin was primarily a liability-shifting exercise. It used to be that the card issuer took most of the fraud liability (if it was proven to be fraud). Now, for PIN-authorized transactions, the bank puts the liability with the card holder, since you're not meant to reveal your PIN, so it must have been your fault. Merchants had their contracts changed so that they could still accept non-PIN-verified transactions, but they were liable for fraud if they did.

    I'm not sure how card-holder-not-present transactions fit into that model, but since it wasn't PIN-authorized (or VbV-authorized as the online equivalent-ish) I can't see how you could be considered liable.

  6. Yes, Ross Anderson (Security Prof) argues that banks are shifting liability to their customers in this way, and also by taking the opportunity to set the terms of chip'n'pin more favourably to them than signatures:
    http://www.cl.cam.ac.uk/~rja14/Papers/weis16fraudreimbursement.pdf
    https://www.lightbluetouchpaper.org/2016/05/27/gchq-helps-banks-dump-fraud-losses-on-customers/

  7. Yes - this has been a bugbear of mine for a while. Party A obtains money from party B by deception. How can anyone possibly argue that it's party C that has been defrauded? Or even that the onus should fall on party C to diagnose and fix the problem at party C's cost.

  8. I had a not dissimilar experience with my bank: I had my debit card details had by some random web site that forgot how to handle credit card data securely. The replacement card that turned up was all of two digits different to the previous card - the penultimate digit was an increment of one and of course the Luhn check digit was recalculated. The fraudsters obviously knew this replacement cycle and within a day of the card arriving, sent a (rather good) phishing e-mail correctly predicting the card number and expiry date - all they needed was the auth code and they would've been laughing. Took ages to get credited back, and then a further two months to explain to them that their card replacement routine was trivial to predict...
