The son of a friend has recently gone to Uni in London. He banks with Lloyds.

After only a few weeks there he noticed some ATM transactions on his account totalling £740 that he knows he didn’t take out.

He reported this to the police and Lloyds. The police have said that they don’t have sufficient manpower to investigate this and therefore won’t obtain CCTV. Lloyds have said that they won’t refund him without CCTV.

Can anyone offer any advice ?
He can’t afford to lose this money.

Lloyds will have their own atm cameras.

can he prove he was elsewhere when the transactions occured?

problem is if they had his card and pin it’s going to be tricky to prove it wasn’t with at least his collusion.

tell him to go to bank and tell them it wasnt him.. simples.. i had to this had to get really nasty but it was 3500 quid over two months.. eventually bank manager called me apologised .. they knew all along that atm at rochdale branch of Morrisons had been targetted for some time

It’s up to the bank to investigate, if they think there’s a fraud, they should report it to police

What they all said. Nothing to do with the lad, he’s reported it to the bank, that should be the end of his involvement. In fact, I was specifically asked NOT to call the police myself when I had some fraud on my card. The bank made good the money and took care of everything.

I’d recommend firm, yet polite, words.

http://www.guardian.co.uk/money/2012/may/04/banks-pin-card-fraud

This is a useful article.

“The Financial Services Authority’s Banking Conduct of business states that a bank may only hold a customer liable … where the customer has acted fraudulently, or has “intentionally, or with gross negligence, failed to comply with his or her obligations … to take all reasonable steps to keep its personalised security features safe.”

Emery argues that it is quite possible for a customer to keep the card and pin safe, but for a fraudster to obtain them – or just the card details – through other means, which they then use to perpetrate the fraud. In such cases, the bank must repay the customer in full, he says. The Financial Ombudsman Service, where lots of these cases end up, relies on the payment services directive, which came into force in November 2009.

It says that if someone is a victim of fraud, the bank must refund them immediately – unless it has good grounds to suspect that the cardholder has been negligent or acted fraudulently.

A spokesman told Money this week that use of the correct card and pin is not “evidence of negligence in itself. We have always made it clear to financial businesses that just because a pin has been used correctly in conjunction with a card, does not, in itself, mean that the cardholder should be found responsible for the debt.”

The upshot is that the bank has to investigate thoroughly, rather than just fob him off, and unless there is clear evidence of fraud, rather than just the use of the correct chip and pin, then they should refund.

Financial Ombudsman is the next step if Lloyds’ continue to be arsey, but I’m sure quoting the correct legislation/guidelines and threatening to go to the Ombudsman will get him somewhere.

All of the above, and when he’s got it sorted, he should change to a different bank.

Cheers all. Some helpful stuff.

I’ll advise him to go to his branch and not be fobbed off.

Bruce Schneier blogs about security issues. He’s covered chip and pin in the past. It could be worth a search of his blog…

http://www.schneier.com/

… as C & P might not be as secure as they’d like you to believe.

So what’s happening in cases like these? Cloned cards?

I don’t get how the scam works if the card hadn’t been lost/ stolen and the PIN compromised

There are instances of card cloning. Most ATMs carry a warning panel saying to look out for anything dodgy being stuck on the keypad area. In some instances it was also being captured by something attached to the retailers POS machine.

FWIW, in a previous life, I used to take “lost and/or stolen ATM card” calls. You’d be surprised at the number of folk who left their card lying around in their house/flat and who had the PIN written on it, or had lent it to a friend/family member and told them the PIN.

Chip and PIN isn’t safe, it was compromised a long time ago. Anyone with a few hundred quid and the opportunity can buy the equipment to clone cards (including obtaining the PIN)

My advice would be only to ever use your debit card in your own bank’s machines, inside the bank, or better yet withdraw money via the cashier desk, and use your credit card for any non-cash purchases.

My wife knows my PIN numbers, and I often leave my cards lying around.

I guess this is a good incentive to keep her happy, or I’ll come home one day to an empty bank account & maxed out overdraft 😀

I thought all ATMs had cameras that recorded transactions, the onus should be on the bank to prove it was him that withdrew the money?

Chip and PIN isn’t safe, it was compromised a long time ago. Anyone with a few hundred quid and the opportunity can buy the equipment to clone cards (including obtaining the PIN)

Can you point me in the direction of any (recent) information suggesting this is the case?

The cloning/phreaking hardware is fab frankly, we had one stuck to the ATM at the branch I used to work in for ages, we only found out because there was some glue residue left after they removed it. Members of staff had used it and not noticed.

I used to work for HBOS and the policy was to give the punter the benefit of the doubt, certainly no obligation to pursue the police etc. There was internal investigation and we did catch customers at it, but that was after the fact- pay out first.

TBH the card security systems aren’t designed to be truly secure, they’re just designed to be cost effectively secure- and it’s up to the banks to shoulder the cost of fraud, as it’s them that have made that call. Eliminating fraud would cost more than the fraud itself.

Can you point me in the direction of any (recent) information suggesting this is the case?

Yeah use google, it is a “search engine” 🙄

here’s a link to soem stuff http://news.idg.no/cw/art.cfm?id=9B276C24-C650-9143-B16C49BC81CA840E

also there is loads of card cloners stuck to atm’s and petrol pay at pump stuff, they are easy to spot once you know what to look for. Also hand held cloners a cheap and easy to use in shops and restaurants.

My advice would be only to ever use your debit card in your own bank’s machines, inside the bank, or better yet withdraw money via the cashier desk, and use your credit card for any non-cash purchases.

Don’t forget your tin foil hat as well. Never can be too careful.

He should keep a diary of all contact, calls, letters names etc. If this snowballs into a long drawn out affair it is helpful to have accurate record of everything that has gone before.

Yeah use google, it is a “search engine”

I did, but due to my ineptitude can’t find anything recent.

See pupleyeti’s link just shows that vulnerabilities exist, and were demonstrated in a lab situation. Nothing ther about Anyone with a few hundred quid and the opportunity can buy the equipment to clone cards (including obtaining the PIN)

Scaremongering, perhaps?

nope i would post links up to more accurate stuff of pictures form the atm cloners that i have seen but i like my job. Nil’s stuff has been demonstrated i’ve seen it, and the theory in security circles is always that if it’s been found by the good guys then there is a high chance the bad guys are already doing it.