ATM fraud refunds may not come quickly, if at all

Many banks say they'll provide a refund for stolen funds, but obtaining it can be a challenge

In early April, A$800 vanished from my account, the result of a late-night withdrawal from a cash machine in a Sydney neighborhood I'd never been to before.

It's a type of fraud that happens frequently: Criminals attach devices to cash machines that record the account data stored on the magnetic stripe on the back of the card, a practice known as skimming. The card's PIN (Personal Identification Number) can be spied with a secret camera or a fake number pad overlay.

As a reporter who covers computer security and fraud, I'm aware how easy it is to become a victim of skimming and how difficult it is to defend against. But I've always been more worried about how I'd get the money back than about actually being skimmed, since banks seem less inclined these days to assume liability.

Most banks in the U.K. and Australia would like you to believe they always refund stolen funds. But the reality is that a bank can easily deny a refund based on flimsy reasoning that leaves consumers with little recourse other than going to court.

Commonwealth Bank of Australia is one of the major banks in the country. It assures customers on its website that it will "guarantee to refund any fraudulent transactions that take place within five days from when you report the incident to us."

In my case, things didn't go so smoothly.

I reported the theft within a couple of hours of the transaction and answered the standard liability questions: I hadn't told anyone else my PIN, or written it on the back of the card, etc., and I asked for a refund.

Five days later, Commonwealth Bank sent me a letter saying it had closed the investigation. They explained vaguely that the transaction had been executed using my PIN. Fraud investigators never called me.

Banks would like you to believe that the use of the PIN means that you, the cardholder, performed the transaction, and are therefore liable for it. But the reasoning is flawed. The cash machine verifies only that the correct PIN was used, not that the person who entered the PIN was the actual cardholder.

Nonetheless, it can be grounds to refuse a refund. Stephen Mason, a U.K.-based barrister, has written extensively about security weaknesses and legal issues with cash cards and bank machines in the U.K. and Europe. He represented a U.K. man who took the bank Halifax to court in 2009 over alleged "phantom" withdrawals and lost.

"The banks will deny that their systems suffer from any weaknesses, placing the blame squarely on the customer," Mason wrote in a March article for Butterworths Journal of International Banking and Financial Law. And it will be up to the customer to point out to the judge that there is a series of past cases illustrating the weaknesses, he wrote.

Like many European countries, Australian banks issue debit and credit cards with a microchip that verifies the correct PIN has been entered. In Europe, the system is called EMV, or chip-and-PIN, while in Australia it is called EFTPOS. The U.S. doesn't yet have a chip-and-PIN system, but Visa and MasterCard plan to introduce one.

EFTPOS should have prevented the kind of fraud I experienced. When a criminal copies the information in a magnetic stripe, they can encode it into a dummy card. But cash machines are supposed to verify a microchip is present, and criminals aren't thought to have figured out how to copy microchips yet, though security researchers have found other weaknesses in the EMV system.

The problem is, some cash machines still process transactions even if a card doesn't have the chip, allowing fraudsters to withdraw funds using cloned cards. Fixing the problem will require banks to upgrade all their ATMs, which takes time.

Skimming victims can sometimes prove to their banks that they didn't do a transaction. Cash cards contain an Application Transaction Counter (ATC), which records the number of times a card has been used. An ATC with one less transaction than was performed would presumably be evidence that a bank's customer wasn't lying about withdrawing money.

I offered my card to Commonwealth Bank for forensic analysis but they didn't get back to me. I also asked if they had checked the footage from security cameras where the withdrawal occurred, or if they had filed a police report, but I got no reply.

"As any person who has had money removed from their account by a thief will be aware, making the bank understand that it was not the customer who withdrew the money can be far from easy," Mason wrote in his journal article.

I finally saw the $800 put back in my account after I sent a stern letter modeled on a draft that Mason created, intended for use by people who are having trouble getting a refund. After I received my refund, I decided to write a column about skimming.

Commonwealth Bank spokeswoman Tracy Hicks said no one could be found to answer my questions, while other queries couldn't be answered on security grounds.

Illustrating their reluctance to discuss the topic, Commonwealth Bank even declined to verify that a document I had with the terms and conditions for consumer accounts, including information about liability for fraud, was up-to-date and reflected current policy.

The bank does subscribe voluntarily to Australia's Electronic Funds Transfer Code of Conduct, which describes liability in the case of disputed transactions.

Generally, financial institutions in Australia have 45 days to investigate a disputed transaction, much longer than the five days in which Commonwealth says it will return stolen funds. But that speedy return may depend on how eloquently a consumer complains to the bank. In my case, the bank was more than happy at first to quickly close the case, disingenuously shifting the liability to me absent a real investigation.

If you've had trouble recovering money after a skimming incident and are willing to assist in my reporting, please contact me at the email address below.

Send news tips and comments to

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?