Margaret and Alan were planning a trip to Australia in December 2016. Alan usually travelled with cash, but was persuaded by his bank that a travel card would be safer. About 8 months after returning from holiday to New Zealand, Margaret and Alan went in to their bank to close the travel card account, expecting a residual balance of about $2,000. They were shocked to discover the account had an almost zero balance.
Alan complained to the card provider and was advised funds had been withdrawn in Brisbane in three transactions: two large transactions of $1,000 each on 12 December, and one transaction of $100 on 13 December. Although Alan had been in Brisbane on the days the money was withdrawn from his account, he said he had not made the withdrawals and had used the card himself to buy a coffee after the second large withdrawal on 12 December. In fact, Alan still had the card when he left Australia early on 14 December. Alan asked his card provider to refund the unauthorised withdrawals.
The card provider declined to refund the money, saying the card and correct PIN were used authorising the transactions. Alan did not accept the travel card provider’s response and complained to FSCL.
Alan could not understand how the money could have been withdrawn from his account. Alan still had the card and said he was very security conscious. The only possibility Alan could think of was that his account details had been skimmed from his card when he last used the card himself, and his card cloned.
We were satisfied Alan’s card had not been cloned. Sophisticated fraudsters are able to obtain information from the magnetic strip on credit and debit cards, known as ‘skimming’, and clone cards. However, we rejected this explanation because all the transactions, both genuine and disputed, were made using information from the chip on Alan’s card. To our knowledge it is not possible to skim data from a chip and transfer that data onto a cloned card. We also noted that if the fraudster had been able to obtain the card data and PIN they would have been able to make the transactions from anywhere, but chose locations close to Alan and Margaret’s hotel.
How did the thief obtain the PIN?
We looked at whether Alan could have left his wallet in the hotel room, and perhaps hotel staff were able to find a written record of Alan’s PIN, remove, use, and return the card. However, Alan advised he had only recorded the PIN on his phone. We were satisfied Alan would have had no reason to keep a written record of the PIN somewhere where a hotel staff member might find it.
We also considered whether Alan could have been overseen entering the PIN when he last used the card. Again, this seemed unlikely. From our experience, once a thief has the PIN they will steal the card on the first opportunity and withdraw funds immediately. Alan last used the card on 10 December, yet the first unauthorised transaction was not until 12 December. It was not credible that a thief, having overseen the PIN, would wait till 12 December to steal the card.
Finally, we observed that it is most unusual for a thief, who is a stranger, to return the card. Returning the card risks detection, with no great benefit to the thief.
Looking objectively at the circumstances of the theft, we were left with the inescapable conclusion that Alan’s card and PIN were used to withdraw money from his account. It was possible Alan had made the transactions himself and had forgotten them. Alternatively, in order for another person to have used Alan’s card, we decided that Alan had failed to exercise reasonable care of the card and PIN. In either case, the card provider was not liable for the loss.
We explained our view to Alan, but he continued to maintain that he must be the victim of a sophisticated fraud and asked us to make further enquiries, in particular about whether there was a recording of the transactions from the ATM. Unfortunately, the travel card provider did not own the ATMs where the transactions occurred, so we were unable to access the recording.
We were unable to uphold Alan’s complaint and discontinued our investigation.
Key insight for consumers
Cardholders should be very careful to protect the security of both the card and PIN, as a thief requires both to withdraw money from their account.