In early April, A$800 vanished from my account, the result of a late-night withdrawal from a cash machine in a Sydney neighborhood I'd never been to before.
It's a type of fraud that happens frequently: Criminals attach devices to cash machines that record the account data stored on the magnetic stripe on the back of the card, a practice known as skimming. The card's PIN (Personal Identification Number) can be spied with a secret camera or a fake number pad overlay.
As a reporter who covers computer security and fraud, I'm aware how easy it is to become a victim of skimming and how difficult it is to defend against. But I've always been more worried about how I'd get the money back than about actually being skimmed, since banks seem less inclined these days to assume liability.
Most banks in the U.K. and Australia would like you to believe they always refund stolen funds. But the reality is that a bank can easily deny a refund based on flimsy reasoning that leaves consumers with little recourse other than going to court.
Commonwealth Bank of Australia is one of the major banks in the country. It assures customers on its website that it will "guarantee to refund any fraudulent transactions that take place within five days from when you report the incident to us."
In my case, things didn't go so smoothly.
I reported the theft within a couple of hours of the transaction and answered the standard liability questions: I hadn't told anyone else my PIN, or written it on the back of the card, etc., and I asked for a refund.
Five days later, Commonwealth Bank sent me a letter saying it had closed the investigation. They explained vaguely that the transaction had been executed using my PIN. Fraud investigators never called me.
Banks would like you to believe that the use of the PIN means that you, the cardholder, performed the transaction, and are therefore liable for it. But the reasoning is flawed. The cash machine verifies only that the correct PIN was used, not that the person who entered the PIN was the actual cardholder.
Nonetheless, it can be grounds to refuse a refund. Stephen Mason, a U.K.-based barrister, has written extensively about security weaknesses and legal issues with cash cards and bank machines in the U.K. and Europe. He represented a U.K. man who took the bank Halifax to court in 2009 over alleged "phantom" withdrawals and lost.
"The banks will deny that their systems suffer from any weaknesses, placing the blame squarely on the customer," Mason wrote in a March article for Butterworths Journal of International Banking and Financial Law. And it will be up to the customer to point out to the judge that there is a series of past cases illustrating the weaknesses, he wrote.
Like many European countries, Australian banks issue debit and credit cards with a microchip that verifies the correct PIN has been entered. In Europe, the system is called EMV, or chip-and-PIN, while in Australia it is called EFTPOS. The U.S. doesn't yet have a chip-and-PIN system, but Visa and MasterCard plan to introduce one.
EFTPOS should have prevented the kind of fraud I experienced. When a criminal copies the information in a magnetic stripe, they can encode it into a dummy card. But cash machines are supposed to verify a microchip is present, and criminals aren't thought to have figured out how to copy microchips yet, though security researchers have found other weaknesses in the EMV system.
The problem is, some cash machines still process transactions even if a card doesn't have the chip, allowing fraudsters to withdraw funds using cloned cards. Fixing the problem will require banks to upgrade all their ATMs, which takes time.
Skimming victims can sometimes prove to their banks that they didn't do a transaction. Cash cards contain an Application Transaction Counter (ATC), which records the number of times a card has been used. An ATC with one less transaction than was performed would presumably be evidence that a bank's customer wasn't lying about withdrawing money.
I offered my card to Commonwealth Bank for forensic analysis but they didn't get back to me. I also asked if they had checked the footage from security cameras where the withdrawal occurred, or if they had filed a police report, but I got no reply.
"As any person who has had money removed from their account by a thief will be aware, making the bank understand that it was not the customer who withdrew the money can be far from easy," Mason wrote in his journal article.
I finally saw the $800 put back in my account after I sent a stern letter modeled on a draft that Mason created, intended for use by people who are having trouble getting a refund. After I received my refund, I decided to write a column about skimming.
Commonwealth Bank spokeswoman Tracy Hicks said no one could be found to answer my questions, while other queries couldn't be answered on security grounds.
Illustrating their reluctance to discuss the topic, Commonwealth Bank even declined to verify that a document I had with the terms and conditions for consumer accounts, including information about liability for fraud, was up-to-date and reflected current policy.
The bank does subscribe voluntarily to Australia's Electronic Funds Transfer Code of Conduct, which describes liability in the case of disputed transactions.
Generally, financial institutions in Australia have 45 days to investigate a disputed transaction, much longer than the five days in which Commonwealth says it will return stolen funds. But that speedy return may depend on how eloquently a consumer complains to the bank. In my case, the bank was more than happy at first to quickly close the case, disingenuously shifting the liability to me absent a real investigation.
If you've had trouble recovering money after a skimming incident and are willing to assist in my reporting, please contact me at the email address below.