Thieving backstards (Thieves, and the bank!)

dlofnep

So my brother's debit card was compromised, and some thief stole 2 grand from his account, spending it on betting websites and plain tickets, etc.

My brother lodged a dispute with the bank - but they are refusing to refund it, because the thief had somehow worked out the pin. Now my brother is oblivious as to how - but you know in these days and ages, with social engineering and phishing scams - anything is possible.

So now my brother is 2 grand short, and some spud-picking thief has got away scot-free with two grand. This is not even my money and I'm furious! The cheek of the bank to charge my brother for the acts of thieves. My brother works long and hard hours, doing two jobs. He doesn't deserve some thieving scumbag to take all of his hard earned dough.

And their reasoning for not refunding it cited (without even knowing how the thief obtained it) - that the pin was not kept safe. Banks, thieves... In cahoots - robbing the working man of all his money in anyway they can

Swampy

Plane ticket to cheltnham. Nice.

dlofnep

I looked at his account, and it looks like the first transaction occurred after my brother used an ATM - so they could have carded him. I wonder if the pin used on the ATM's are the same as the pins used for the online VISA transactions by default?

Sofaspud

He used it to buy plane tickets? That leaves a pretty obvious paper trail to find his identity then . . .

ScouseMouse

Can you not cancel the tickets as fraud?

forfuxsake

Are you sure he isn't trying to hide a gambling problem. It makes absolutely no sense for a thief to use his card to gamble online, any winnings would go to your brother and therefore it wouldn't be gambling. Secondly, if a person got 'plain' tickets then it is very easy to find their name and passport number and arrest them.

he needs this
http://www.gamblersanonymous.ie/gamanon/gam_anon_20_questions.html

dlofnep

Sofaspud wrote: »

He used it to buy plane tickets? That leaves a pretty obvious paper trail to find his identity then . . .

Yeah - and I suppose their IP address(s) from the betting websites. The details have been passed onto the Gardaí of course, but you know the types of people who do this shíte - never work a day in their life, and won't be in a position to actually pay back the money. Meanwhile, my brother is penniless after working day, noon and night in 2 jobs. I feel for him, poor fella.

Same happened to me years back - my credit card was carded, but the bank didn't charge me for it.

Cuddlesworth

There are more ways to steal a pin then humanly possible to list here. Since its two grand, I'd suggest legal aid for the issue. If the false payments are in Ireland it compounds the issue.

dlofnep

forfuxsake wrote: »

Are you sure he isn't trying to hide a gambling problem.

Speak up, I can't hear you from under that bridge!

forfuxsake

This is not real. You do not need a pin to gamble online or book flights.

dlofnep

superscouse wrote: »

Can you not cancel the tickets as fraud?

My brother was away on holidays while they were on a spending spree, when he got back - he only noticed it. They had gone to town for like 2 weeks at that stage - it was too late by then.

Pace2008

Happened to my mother recently. Some thief used her Laser to do her out of €1,500. Luckily, the money was refunded immediately as the thief used her details to purchase 2 laptops online. My Ma's been with AIB for more than 20 years and she'd never once used her card to purchase anything online so the fraud department accepted it probably wasn't her who'd made the transaction. They were able to tell her that her details were not skimmed from an ATM, but couldn't give her any information aside from that.

How do these scammers acquire and use Laser details, and is there anything you can do to stop them?

bijapos

Visa and other cards do not have the same PIN by default although most people tend to change the PIN to have the same one for all cards.

While I sympatise with your brother it doesn't seem to be the banks fault so far so I've no idea why you are blaming them. If your brother isn't happy with the terms and conditions of the ATM card he can always cut it up and go back to the old way of queueing in the bank for his cash.

dlofnep

forfuxsake wrote: »

This is not real. You do not need a pin to gamble online or book flights.

Yes you do! If you came out from under that bridge and got yourself a VISA, you'd know that all VISA transactions these days ask for you to enter a pin online.

dlofnep

bijapos wrote: »

While I sympatise with your brother it doesn't seem to be the banks fault so far so I've no idea why you are blaming them. If your brother isn't happy with the terms and conditions of the ATM card he can always cut it up and go back to the old way of queueing in the bank for his cash.

Well, they haven't proved that he hasn't taken care to protect his pin. They have assumed it's the case. Like I said - this happens all the time, and banks do not charge people for the transactions. It happened myself only a few years back.

The bank should follow up on all cases of fraudulent purchases, especially if they want to keep customers.

Kensington

Probably meant the CVV code, not the PIN.
Was it a Laser card or a Visa Debit?

dlofnep

Kensington wrote: »

Probably meant the CVV code, not the PIN.
Was it a Laser card or a Visa Debit?

Nope, it's not the CVV code. The Visa cards have pins for online transactions now. Not sure when it was brought in exactly. It's Visa Debt I believe.

Procasinator

dlofnep wrote: »

Yes you do! If you came out from under that bridge and got yourself a VISA, you'd know that all VISA transactions these days ask for you to enter a pin online.

There is verified by visa, which is different again though to what people traditionally think of as a PIN.

To me, the pin is what you use at the ATM. This is the first I've ever head of the PIN you use at the ATM/Point of Sale device being the same as the the one you use during purchases on websites.

forfuxsake

dlofnep wrote: »

Yes you do! If you came out from under that bridge and got yourself a VISA, you'd know that all VISA transactions these days ask for you to enter a pin online.

No you don't. You need CVV (card verification value code) which you do not enter when taking out money from a cash machine. It is printed on the back of a card.

You cannot use somebody else's card to gamble as any money won would be sent back to that card. Furthermore you cannot fly as the airline would have details of the passenger and their ID details.

So either the OP is making this up or his brother has a gambling problem and is using the premise that somebody stole his details to hide the missing money.

Kensington

dlofnep wrote: »

Nope, it's not the CVV code. The Visa cards have pins for online transactions now. Not sure when it was brought in exactly. It's Visa Debt I believe.

Ah right, the 3-D secure/Verified by Visa I take it?
Nope, that's entirely your (well, your brothers in this case) responsibility to keep that secure I'm afraid.

dlofnep

Procasinator wrote: »

This is the first I've ever head of the PIN you use at the ATM/Point of Sale device being the same as the the one you use during purchases on websites.

I'm not sure if the pins are the same myself - I know mine are different, but I changed my own visa pin ages ago, and can't remember if it was originally the same as the ATM pin. Does anybody know off the top of their head?

The reason why I'm asking is because judging by the card usage, they started scamming a few hours after he used a local ATM machine.

ballsymchugh

dlofnep wrote: »

Yes you do! If you came out from under that bridge and got yourself a VISA, you'd know that all VISA transactions these days ask for you to enter a pin online.

no they don't. every banking website will have a notice saying that they won't ask for a pin.
when you buy something online, you need the long card number, expiration date, 3 digits from the back and sometimes a name and address.
definitely no PIN needed for online shopping. it's only for use when the chip is used too.

pickarooney

I take payments by Visa, Visa Debit, Mastercard every day of the week and have never once needed a PIN to process the transaction. I don't even see how it would work - a PIN requires the presence of the physical card to perform the check on it.

_feedback_

Why would a thief use a card to gamble online? Any winnings would go back to the card? Or else to an online account in the thiefs name. Tickets have to be in their name too..

Doesn't make any sense at all.

44leto

dlofnep wrote: »

So my brother's debit card was compromised, and some thief stole 2 grand from his account, spending it on betting websites and plain tickets, etc.

My brother lodged a dispute with the bank - but they are refusing to refund it, because the thief had somehow worked out the pin. Now my brother is oblivious as to how - but you know in these days and ages, with social engineering and phishing scams - anything is possible.

So now my brother is 2 grand short, and some spud-picking thief has got away scot-free with two grand. This is not even my money and I'm furious! The cheek of the bank to charge my brother for the acts of thieves. My brother works long and hard hours, doing two jobs. He doesn't deserve some thieving scumbag to take all of his hard earned dough.

And their reasoning for not refunding it cited (without even knowing how the thief obtained it) - that the pin was not kept safe. Banks, thieves... In cahoots - robbing the working man of all his money in anyway they can

Sorry but that seems reasonable to me, think of it this way, I could give my mate my card, tell him the number, he withdraws 2000 gives me 1000 and I go to the bank and scream thief and expect them to refund me.

I hardly think so.

forfuxsake

dlofnep wrote: »

My brother was away on holidays while they were on a spending spree, when he got back - he only noticed it. They had gone to town for like 2 weeks at that stage - it was too late by then.

Away on the flights he booked and betting money on his card.

Not much of a spending spree - gambling money (when you can't access the winnings) and booking flights you can't use.

Cuddlesworth

dlofnep wrote: »

My brother was away on holidays while they were on a spending spree, when he got back - he only noticed it. They had gone to town for like 2 weeks at that stage - it was too late by then.

Did he use his card on Holidays? If he did and he has proof he was away then there is a big case there for a scam.

dlofnep

forfuxsake wrote: »

No you don't. You need CVV (card verification value code) which you do not enter when taking out money from a cash machine. It is printed on the back of a card.

You're simply wrong. It's called a VBV password, look it up!

forfuxsake wrote: »

You cannot use somebody else's card to gamble as any money won would be sent back to that card.

The money could be deposited into another account.

forfuxsake wrote: »

Furthermore you cannot fly as the airline would have details of the passenger and their ID details.

Yes - they could fly. Anyone can pay for the flights of someone with their credit card. I paid for my mother's flights to Scotland with mine. All it means is that the scammers are obviously stupid and have a good chance of being caught.

forfuxsake wrote: »

So either the OP is making this up or his brother has a gambling problem and is using the premise that somebody stole his details to hide the missing money.

Oh jesus christ, you're as annoying as thrush. Why would I want to make it up? My brother doesn't gamble. Stop trolling.

forfuxsake

Cuddlesworth wrote: »

Did he use his card on Holidays? If he did and he has proof he was away then there is a big case there for a scam.

Yes, he was gambling and booking his flight home :eek:

dlofnep

Cuddlesworth wrote: »

Did he use his card on Holidays? If he did and he has proof he was away then there is a big case there for a scam.

The scams began before he went on holidays. It's just that because he was on holidays, he didn't actually get around to checking his statements to actually notice he was being scammed.

dlofnep

pickarooney wrote: »

I take payments by Visa, Visa Debit, Mastercard every day of the week and have never once needed a PIN to process the transaction. I don't even see how it would work - a PIN requires the presence of the physical card to perform the check on it.

It's called a VBV password. I have it on my VISA too - it's used to verify transactions.

See here for more info: https://usa.visa.com/personal/security/vbv/index.jsp

pickarooney

When my card was skimmed a few years back the thieves used it to buy flights to several South American destinations. I had no problem proving that I couldn't possibly have been on any of the flights and was reimbursed by BOI with no quibbles. I presumed the thieves were a small tourist agency who had sold the flights on to some unsuspecting tourist for a higher price before actually purchasing them with my card and in their name. Nowadays it's pretty much impossible to purchase a flight with a card if the cardholder is not one of the people travelling.

forfuxsake

dlofnep wrote: »

You're simply wrong. It's called a VBV password, look it up!



The money could be deposited into another account.



Yes - they could fly. Anyone can pay for the flights of someone with their credit card. I paid for my mother's flights to Scotland with mine. All it means is that the scammers are obviously stupid and have a good chance of being caught.



Oh jesus christ, you're as annoying as thrush. Why would I want to make it up? My brother doesn't gamble. Stop trolling.

Well if the money was (which it can't be) deposited in another account then the name of that account holder is the name of the thief. THIS IS NOT POSSIBLE OR LEGAL DUE TO EU MONEY LAUNDERING LEGISLATION.

Yes you can use the flights, now your brother has to contact the airline and ask for the name on the ticket. THAT'S THE NAME OF YOUR THIEF.

If this was true your brother could find out the name of the thief in minutes.

Procasinator

dlofnep wrote: »

I'm not sure if the pins are the same myself - I know mine are different, but I changed my own visa pin ages ago, and can't remember if it was originally the same as the ATM pin. Does anybody know off the top of their head?

The reason why I'm asking is because judging by the card usage, they started scamming a few hours after he used a local ATM machine.

The only system that I know of around VISA is the 3D Secure system, also known as Verified by Visa.

http://en.wikipedia.org/wiki/3-D_Secure

This system has been shown to have weaknesses (i.e. phishing):
http://www.pcworld.idg.com.au/article/334105/

The password used for Verified by Visa is only used for that scheme. The CCV and PIN are different.

dlofnep

forfuxsake wrote: »

Well if the money was (which it can't be) deposited in another account then the name of that account holder is the name of the thief. THIS IS NOT POSSIBLE OR LEGAL DUE TO EU MONEY LAUNDERING LEGISLATION.

Yes you can use the flights, now your brother has to contact the airline and ask for the name on the ticket. THAT'S THE NAME OF YOUR THIEF.

If this was true your brother could find out the name of the thief in minutes.

He has passed the info onto the Gardaí for them to find out. Not everyone has free time to play Inspector Gadget all day. He works 2 different jobs.

ejmaztec

I'd pester the bank 24/7 until the feckers cracked, the sh1t-bags.

dlofnep

Procasinator wrote: »

The only system that I know of around VISA is the 3D Secure system, also known as Verified by Visa.

http://en.wikipedia.org/wiki/3-D_Secure

This system has been shown to have weaknesses (i.e. phishing):
http://www.pcworld.idg.com.au/article/334105/

The password used for Verified by Visa is only used for that scheme. The CCV and PIN are different.

Yup - that's the one bud. VBV (Verified by Visa)

Kensington

ejmaztec wrote: »

I'd pester the bank 24/7 until the feckers cracked, the sh1t-bags.

They're not going to do anything for you - it's entirely your responsibility to secure your VBV/3-D Secure password.

Procasinator

dlofnep wrote: »

Yup - that's the one bud. VBV (Verified by Visa)

Yes. But, like I said, this is unrelated to the ATM or other Point of Sale devices. The VBV only comes into place when purchasing online.

Your brother was probably either exposed to a phishing attack, or someone got the details another way (password stored next to CC in his wallet or simply guessing the password he used)

dlofnep

Kensington wrote: »

They're not going to do anything for you - it's entirely your responsibility to secure your VBV/3-D Secure password.

And yet - they refund stand credit card fraud transactions. There's no difference, because at the end of the day - both cases are still fraud. One just involved an extra layer of security.

I'd take my business elsewhere to be honest if a bank didn't protect my account against thieves, getting free one-ups IRL.

pickarooney

It's quite ironic that the VBV is an opt-in system flaunted as being an extra level of security on your card and now it's apparently the very reason your brother has no comeback after being scammed.

cyrusdvirus

Penfold, this is AH, trolling is what goes on here!!

Chip & PIN was brought in to protect the banks, and to put the onus on the retailers and customers.

If a card is used and it is processed as a Non Chip & PIN transaction, the retailer is out of pocket.

If the transaction is processed as a Chip & PIN transaction, then it is reasonable to assume that the cardholder is either present or has given their details to someone else, therefore the onus is on the customer.

For someone to have obtained your brothers card & pin it is not unreasonable for the bank to assume there was not sufficient care being taken on the part of your brother.

dlofnep

Procasinator wrote: »

Yes. But, like I said, this is unrelated to the ATM or other Point of Sale devices. The VBV only comes into place when purchasing online.

Your brother was probably either exposed to a phishing attack, or someone got the details another way (password stored next to CC in his wallet or simply guessing the password he used)

Yes, I was guessing a phishing attack myself. I asked him if he received any e-mails or text messages asking him to enter his pin but he said no. Still though - when people aren't that tech savvy, they simply trust technology too much.

I'll ask him a few more questions late when he's finished work to try figure out how they got it.

44leto

dlofnep wrote: »

The scams began before he went on holidays. It's just that because he was on holidays, he didn't actually get around to checking his statements to actually notice he was being scammed.

So your brother still had his card, as in the card was not stolen, I take it he took it on holidays with him. Because as far as I know it is not possible yet to copy the chip and pin cards.

dlofnep

pickarooney wrote: »

It's quite ironic that the VBV is an opt-in system flaunted as being an extra level of security on your card and now it's apparently the very reason your brother has no comeback after being scammed.

Yeah - that's the thing... If they just did normal purchases without the pin, he would be able to get the money back. So you're spot on.

Kensington

dlofnep wrote: »

And yet - they refund stand credit card fraud transactions. There's no difference, because at the end of the day - both cases are still fraud. One just involved an extra layer of security.

I'd take my business elsewhere to be honest if a bank didn't protect my account against thieves, getting free one-ups IRL.

Yes, before they brought in VBV they would have just done it for you but since bringing in VBV, it pushes pretty much all of the responsibility back onto you for securing your credit card because it is up to you to secure your VBV password.
Why do you think all the banks were in such a rush to roll it out?

All banks now follow the same hymnsheet so you'll be met with the same response no matter who you bank with.

dlofnep

44leto wrote: »

So your brother still had his card, as in the card was not stolen, I take it he took it on holidays with him. Because as far as I know it is not possible yet to copy the chip and pin cards.

It's VISA Debit - So I'm assuming they would only need the number of the card, and the VBV password.

wyndham

pickarooney wrote: »

Nowadays it's pretty much impossible to purchase a flight with a card if the cardholder is not one of the people travelling.

What you talking bout? I do it all the time on Ryanair and Aer Lingus. Buying a flight is like buying anything else online. Who is travelling is irrelevant.

dlofnep

Kensington wrote: »

Yes, before they brought in VBV they would have just done it for you but since bringing in VBV, it pushes pretty much all of the responsibility back onto you for securing your credit card because it is up to you to secure your VBV password.
Why do you think all the banks were in such a rush to roll it out?

All banks now follow the same hymnsheet so you'll be met with the same response no matter who you bank with.

I fear this is the case

It wouldn't annoy me so much if I didn't know how hard my brother works. He's saving up so he can go to college. He's never asked the state for a penny. A genuinely lovely chap. It just angers me to see him done wrong by.

dlofnep

wyndham wrote: »

What you talking bout? I do it all the time on Ryanair and Aer Lingus. Buying a flight is like buying anything else online. Who is travelling is irrelevant.

Yup - I bought my mam flights to Scotland on my card without a problem.

Procasinator

dlofnep wrote: »

Yes, I was guessing a phishing attack myself. I asked him if he received any e-mails or text messages asking him to enter his pin but he said no. Still though - when people aren't that tech savvy, they simply trust technology too much.

I'll ask him a few more questions late when he's finished work to try figure out how they got it.

Read the PC World article above that I had. It mentions some of the security problems with this system.

The problem with phishing in this system is actually easier than typical.
A iframe loads the verified by visa scheme, so the URL of where this is hosted is not visible.

Hence, changing the IFRAME location with a malicious duplicate (either by XSS, MITM attack, etc) the user will not be able to look for the typical signs (URL and security lock) as they are not visible for the sub-page.