Consumers take a swipe at banks over cloning

Illustration: Colin Daniel

Published Aug 29, 2015

Consumers took to social media to vent their anger this week – directed largely at “Sub-Standard Bank” and “Stranded Bank” – after a frustrated Standard Bank customer told of how the bank dealt with his fraud claim following the cloning of his debit card. A sample of the 530 comments under just one article about the consumer’s experience shows the inconsistency in the way banks deal with customers who have lost money as a result of their cards being cloned.

Card cloning is of serious concern worldwide, Advocate Clive Pillay, the Ombudsman for Banking Services, says in a bulletin advising banks and customers of the approach his office takes on such claims.

Once it has been established that a card has been cloned, deciding whether the bank or the customer is responsible for the losses incurred is a difficult task, Pillay says. “In making a decision on liability for losses, the ombudsman looks at the contract between the bank and the card holder, the Code of Banking Practice and any applicable case law which can provide guidance.”

While there is no directly applicable case law or legislation, the Code of Banking Practice places a responsibility on the bank to “provide reliable banking and payment systems services and take reasonable care to make these services safe and secure”.

“Where a payments system is open to abuse, the bank is expected to take reasonable measures to ensure that it is safe. This then means that the bank has the responsibility to ensure that ATMs and other means of transacting (such as cards) are reasonably protected from being tampered with by thieves,” the ombudsman says.

“The bank would thus be liable for any withdrawals done with a cloned card where the cloning was a result of tampering with a payments system, such as ATMs and ATM cards, that was not reasonably foreseeable or preventable by the card holder.”

Sounds fair, but what does “reasonably foreseeable or preventable by the card holder” mean? And if you couldn’t prevent the cloning, can you expect your bank to compensate you in full for your loss?

Standard Bank is offering Cape Town-based journalist Yazeed Kamaldien R7 500 of about R15 000 that he claimed was stolen out of his cheque account earlier this year after his card was cloned while he was on a business trip in South America. The bank says its offer is a “goodwill gesture”.

Kamaldien is unhappy with the offer, and even more unhappy with the bank for how it has handled his complaint. Over three months, he made countless visits and phone calls to Standard Bank trying to get his complaint resolved. It was only after he contacted the bank’s media department, in his capacity as a journalist, that the bank took action. And when a letter eventually arrived from one of the bank’s fraud officers, it was for an offer of a “partial payment”.

“For the perpetrator to perform the disputed transactions, they had to have your card details and the valid PIN,” the letter states.

This is true. But that’s precisely what happens when you’re the victim of card cloning: fraudsters obtain both your card details and your PIN.

Standard Bank’s letter to Kamaldien includes an extract from the terms and conditions relating to the use of his card. But it deals with the “security of lost or stolen cards” and includes clauses such as: “you are responsible for the safekeeping and proper use of your cards” and “you must notify us immediately if you realise your card has been lost or stolen, or if any other person knows your PIN”.

This is all good and well, except Kamaldien’s card was neither lost nor stolen. It was cloned, and the bank has acknowledged this in numerous phone calls, he says, but not in writing.

The offer the bank has made him is subject to it being on a “without prejudice” basis and without admission of any liability. It’s also confidential and subject to him agreeing not to disclose the settlement or “cause to give any negative publicity to the bank”.

The offer is “unethical”, says Kamaldien, who has produced a three-part series of YouTube videos entitled “Where’s My Money?”. The first clip has been viewed more than 27 000 times. His story is also on Twitter (see #exposethebanks).

Kamaldien reckons his card was cloned when he was in Argentina or Brazil earlier this year. Standard Bank’s records show that while he was in Brazil, there were four transactions on his account, apparently made in Miami, Florida.

Kamaldien was using a Brazilian SIM card while in South America, so he did not get SMS notifications from the bank alerting him to activity on his account. It was only when he got home that he discovered the fraudulent transactions.

While abroad, he paid his rent via online banking, and the bank says that this is when he ought to have noticed the first disputed transaction. As it turns out, the “first disputed transaction” is no longer in dispute. It was made by him, but it reflected on his account two days after he made it, which confused him. But he never contacted the bank. It was 12 days later that the actual fraud took place, and it is those transactions, which amount to about R13 450, for which he wants the bank to take responsibility.

Standard Bank’s letter to Kamaldien says it “is under no obligation to reimburse your account with more than R7 468.76, which represents the loss at the time of the first opportunity to detect the irregular transactions on your account”.

Kamaldien says he has repeatedly asked the bank what it means by “the first opportunity to detect irregular transactions” on his account, but to no avail.

When asked for comment, Ross Linstrom, the media liaison officer for Standard Bank, says the bank has communicated with Kamaldien but can’t share this information with Personal Finance.

The SMS notification system is commonly used by banks to limit losses due to card cloning and fraud. When you transact on your accounts, you get an SMS. If the transaction was not performed by you, the SMS indicates suspicious activity on your account and places an onus on you to notify your bank and instruct it to put a stop on your account/s.

Pillay says an SMS notification usually forms part of the contract between the bank and the customer. “That contract ... will, in most circumstances, deal with the respective liabilities of the parties.

“We are aware of one bank that explicitly requires a customer to activate roaming in order to receive SMS notifications of activity on his account. If the customer agrees to those terms, then on that basis he may be liable,” Pillay says.

Another bank, which also has an SMS facility, charges for the SMSes, and customers are not obliged to subscribe to the service. Nor are they informed of the serious risk they could face should they elect not to use this service, Pillay says.

“If a customer is notified via SMS of fraud on his account and fails to act by notifying his bank, he may be liable for a portion of the loss,” Pillay says. This is usually the portion or balance of the fraudulent transactions that occurred after the first notification.

The bank must, however, show that it did, in fact, send the SMS.

Kamaldien is taking his case to the ombudsman.

WHAT IS CLONING?

Card cloning is when your bank card’s magnetic strip is copied and then placed on a duplicate card. The cloned card can then be used to make purchases at point-of-sale devices and – where your personal identification number (PIN) has also been obtained – to make withdrawals from ATMs.

The process whereby the card’s magnetic strip is copied is known as skimming. The card is swiped through a skimming device similar to those found on point-of-sale devices.

Your card can also be skimmed at an ATM. Fraudsters place a card skimming device over the ATM’s card reader. Unless you have a trained eye, you wouldn’t notice this device, which is usually used in conjunction with a small camera to record the PIN being entered on the ATM key pad.

Any type of bank card that has a magnetic strip can be cloned. This includes credit cards, debit cards and regular ATM cards – even chip-and-PIN cards, which are the most secure cards. As long as there are ATMs and point-of-sale terminals that are unable to read chips, magnetic strips will remain the fall-back alternative to chip-card technology.

Depending on your type of card, the thief won’t be able to make any purchases or withdrawals unless he has also obtained the PIN. This is the case with certain debit cards, which also need the correct PIN to be entered on the point-of-sale device to process the transaction.
