Card Wars: Attack of the Clones

The fraudulent transactions

On 12 May 2015 Julian opened a travel account with Check Card Limited (“Check Card”). Julian loaded $8,493.02 USD onto his Check Card travel card (“travel card”). On 14 May 2015 Julian used his travel card at a liquor store in Albany, Auckland.

Between 15 and 18 May 2015, Julian’s travel card was used at various ATMs in California. $8,376 USD of the $8,493.02 USD loaded on Julian’s travel card was withdrawn.

On 20 May 2015 Julian used his travel card at a petrol station in Browns Bay, Auckland. Later Julian checked his Check Card account online and discovered the US ATM withdrawals. Julian contacted Check Card about the US withdrawals on 21 May 2015.

 

Julian’s position

Julian said he was a victim of fraud and that his travel card was used without his consent or knowledge by a third party in the US. Julian, a software engineer, suggested his card had been cloned. Julian wanted Check Card to reimburse him the $8,376 USD ($11,179.90 NZD) withdrawn from his travel card.

Julian said he had both his primary and secondary Check Cards with him in Auckland. He was never in the US and he did not give his card details to anyone. Julian said that he made the transaction at the liquor store in Albany to check whether the card and the PIN were working.

 

Check Card’s position

Check Card considered that Julian, a software engineer, had been unable to sufficiently prove he was not a party to the fraud and was unable to refund Julian the $8,376 USD.

Check Card accepted that Julian had been in New Zealand in May. Check Card said that it appeared Julian’s card had been cloned and used to withdraw funds in the US. In order to clone a card, the magnetic strip has to be read and the PIN obtained. Cloned cards only use magnetic strip data.

The only transaction that took place before the fraudulent transactions was Julian’s transaction at the Albany liquor store. Check Card concluded that Julian’s travel card could not have been cloned as a result of this transaction. The transaction was authorised utilising the data from the travel card’s chip and by inputting the PIN. Check Card found that the merchant would have been unable to access the travel card to fraudulently swipe the magnetic strip data because Julian said that he kept control of his travel card during the transaction. Further, Check Card said that no other cases of fraud had been reported following transactions at the Albany liquor store.

 

Our view

We did not uphold Julian’s complaint.

Check Card’s terms and conditions say that if there have been unauthorised transactions made on a customer’s card, the customer will not be liable for them. However, the terms and conditions also say that if a customer has acted fraudulently, leading to fraudulent transactions, the customer will be liable for the transactions.

In our view, Julian making the transaction at the Albany liquor store to check whether the card PIN worked was reasonable, and did not indicate fraudulent behaviour. In the same vein, Julian placing funds on a travel card without any solid travel plans was unusual, but not determinative of fraudulent behaviour.

The crucial factor for Check Card’s decision not to reimburse Julian was that there was no explanation for how Julian’s travel card could have been cloned. We accepted Check Card’s conclusion that there was no way Julian’s travel card could have been cloned as a result of his transaction at the Albany liquor store. Also, even if we accepted that Julian’s travel card had somehow been cloned by an unknown person, the fraudster would still have needed the PIN in order to use the card at an ATM. As the PIN was used correctly at the first attempt to withdraw funds in the US, this strongly suggested that Julian had disclosed his PIN to another person. Disclosing a PIN to another person is a breach of Check Card’s conditions of use. Another possible explanation was that someone known to Julian travelled to the US with Julian’s secondary Check Card and used the card and PIN to make the disputed withdrawals.

Taking into account all of the evidence, we were unable to find on the balance of probabilities that Julian was the innocent victim of fraud. Rather, the evidence suggested that either Julian:

a)      participated in the cloning of the travel card and passed on the cloned card and PIN to a third party, or

b)      gave the secondary card and PIN to a third party.

In our view, Check Card had carried out a detailed investigation and considered all possibilities as to how the disputed transaction could have taken place. We found that Check Card’s decision not to reimburse Julian was reasonable, based on the evidence before it, and Check Card was not required to pay $8,376 USD to Julian.