ATM fraud refunds may not come quickly, if at all

Many banks say they'll provide a refund for stolen funds, but obtaining it can be a challenge

In early April, A$800 vanished from my account, the result of a late-night withdrawal from a cash machine in a Sydney neighborhood I'd never been to before.

It's a type of fraud that happens frequently: Criminals attach devices to cash machines that record the account data stored on the magnetic stripe on the back of the card, a practice known as skimming. The card's PIN (Personal Identification Number) can be spied with a secret camera or a fake number pad overlay.

As a reporter who covers computer security and fraud, I'm aware how easy it is to become a victim of skimming and how difficult it is to defend against. But I've always been more worried about how I'd get the money back than about actually being skimmed, since banks seem less inclined these days to assume liability.

Most banks in the U.K. and Australia would like you to believe they always refund stolen funds. But the reality is that a bank can easily deny a refund based on flimsy reasoning that leaves consumers with little recourse other than going to court.

Commonwealth Bank of Australia is one of the major banks in the country. It assures customers on its website that it will "guarantee to refund any fraudulent transactions that take place within five days from when you report the incident to us."

In my case, things didn't go so smoothly.

I reported the theft within a couple of hours of the transaction and answered the standard liability questions: I hadn't told anyone else my PIN, or written it on the back of the card, etc., and I asked for a refund.

Five days later, Commonwealth Bank sent me a letter saying it had closed the investigation. They explained vaguely that the transaction had been executed using my PIN. Fraud investigators never called me.

Banks would like you to believe that the use of the PIN means that you, the cardholder, performed the transaction, and are therefore liable for it. But the reasoning is flawed. The cash machine verifies only that the correct PIN was used, not that the person who entered the PIN was the actual cardholder.

Nonetheless, it can be grounds to refuse a refund. Stephen Mason, a U.K.-based barrister, has written extensively about security weaknesses and legal issues with cash cards and bank machines in the U.K. and Europe. He represented a U.K. man who took the bank Halifax to court in 2009 over alleged "phantom" withdrawals and lost.

"The banks will deny that their systems suffer from any weaknesses, placing the blame squarely on the customer," Mason wrote in a March article for Butterworths Journal of International Banking and Financial Law. And it will be up to the customer to point out to the judge that there is a series of past cases illustrating the weaknesses, he wrote.

Like many European countries, Australian banks issue debit and credit cards with a microchip that verifies the correct PIN has been entered. In Europe, the system is called EMV, or chip-and-PIN, while in Australia it is called EFTPOS. The U.S. doesn't yet have a chip-and-PIN system, but Visa and MasterCard plan to introduce one.

EFTPOS should have prevented the kind of fraud I experienced. When a criminal copies the information in a magnetic stripe, they can encode it into a dummy card. But cash machines are supposed to verify a microchip is present, and criminals aren't thought to have figured out how to copy microchips yet, though security researchers have found other weaknesses in the EMV system.

The problem is, some cash machines still process transactions even if a card doesn't have the chip, allowing fraudsters to withdraw funds using cloned cards. Fixing the problem will require banks to upgrade all their ATMs, which takes time.

Skimming victims can sometimes prove to their banks that they didn't do a transaction. Cash cards contain an Application Transaction Counter (ATC), which records the number of times a card has been used. An ATC with one less transaction than was performed would presumably be evidence that a bank's customer wasn't lying about withdrawing money.

I offered my card to Commonwealth Bank for forensic analysis but they didn't get back to me. I also asked if they had checked the footage from security cameras where the withdrawal occurred, or if they had filed a police report, but I got no reply.

"As any person who has had money removed from their account by a thief will be aware, making the bank understand that it was not the customer who withdrew the money can be far from easy," Mason wrote in his journal article.

I finally saw the $800 put back in my account after I sent a stern letter modeled on a draft that Mason created, intended for use by people who are having trouble getting a refund. After I received my refund, I decided to write a column about skimming.

Commonwealth Bank spokeswoman Tracy Hicks said no one could be found to answer my questions, while other queries couldn't be answered on security grounds.

Illustrating their reluctance to discuss the topic, Commonwealth Bank even declined to verify that a document I had with the terms and conditions for consumer accounts, including information about liability for fraud, was up-to-date and reflected current policy.

The bank does subscribe voluntarily to Australia's Electronic Funds Transfer Code of Conduct, which describes liability in the case of disputed transactions.

Generally, financial institutions in Australia have 45 days to investigate a disputed transaction, much longer than the five days in which Commonwealth says it will return stolen funds. But that speedy return may depend on how eloquently a consumer complains to the bank. In my case, the bank was more than happy at first to quickly close the case, disingenuously shifting the liability to me absent a real investigation.

If you've had trouble recovering money after a skimming incident and are willing to assist in my reporting, please contact me at the email address below.

Send news tips and comments to jeremy_kirk@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender solutions stop attacks before they even begin! Get cybersecurity that 500 MILLION users already have and trust.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?