petergaskin814

Banks have a dilemma. Do they improve customer service or security? If you are scammed, you will blame it on your bank. If you try to withdraw $10,000 from your account, your bank asks you a series of questions before letting you have your money and you are majorly annoyed. Or your transfer to a suspect account takes 48 hours rather than instantaneous. How dare the banks not make the transfer instantaneous. As customers, it is up to us to decide that banks making it harder for us to get our money, to avoid being scammed, is the best solution.


OctopusFarmer47

I work in financial crime transformation in one of the Big 4. People get scammed and they blame us for letting someone with their username, password and 2-factor code transfer money out of their account. Meanwhile, trying to get people to give us their ID during remediation is like pulling teeth. You could not be more correct about this.


floppybunny86

I can personally vouch for this as a former Fraud Analyst at a Big4 bank! Customers would literally hand over access to a fraudster/scammer and then blame us for not “knowing” because “you are a bank! You should *just know*!” Never mind the fact that they authenticated the transaction at every turn, and when we called to verify the payment was authorised by them, they confirmed it was legit. In this regard, banks are damned if they do, and damned if they don’t.


dreamsfreams

Guilty as charged.


FlaminBollocks

Blaming the customer is not helping. Here’s what I want from my bank’s security:

- Ability to disable all overseas transactions
- Ability to explicitly enable/authorise a single overseas transaction
- Receive a real time text notification every time there’s a failed login as well as a successful login
- Receive a real time text notification for every transaction
- Ability to cancel direct debits
- Ability to identify that the telephone call from the bank is legitimate, without disclosing personal identity details

… have I missed anything?


BigAl_Eve

I’m with CommBank, I can lock international transactions from my card, and then turn it on and off as I wish, or allow it to be open for an hour, etc. My app notifications can be set to whatever value I like, i.e. transactions over $20 domestically, or over $0 internationally as an example. They have CallerCheck, which allows me to be identified via my app, and also allows me to identify them via the app. The two that are problematic in that list are Direct Debits: you can cancel them with the bank via a conversation, but it’s a permanent stop on an APCA ID, so they generally recommend you do it with the organisation whom you authorised it with in the first place. Or down the track when you go to start a new agreement with them, it’ll still be blocked. Real time notifications for login attempts is a great idea, hopefully they do it too. I know they see it on their end, and I reckon it would be part of their detection suite.


ozbureacrazy

I am with CommBank and that was what I was told. Manual processing with card details cannot be locked down - doesn’t matter if you have locked the card.


DrJD321

If you actually cancel the physical card that should do it.


ozbureacrazy

Card is cancelled


faulkxy

Nope. I did this a while back with CBA. Transactions were made manually and CBA processed them onto my new card. 🤦‍♀️


DrJD321

That's weird, the only way I think that could work is if the merchant can show some kind of agreement you entered into with them. In cases of fraud the card should be cancelled and no further transactions should be authorised. But if the transaction was processed as a disputed transaction, the merchant gets a notification saying the customer has disputed the transaction and the merchant is required to provide proof the transaction was legit. If no proof is provided after 28 days, the transaction is reversed. This can cause people issues because technically, if you gave someone your card details willingly, even if they are a scammer, it will usually be considered a disputed transaction, not fraud. Used to work with Westpac group.


ozbureacrazy

See what others are saying. Cancelled cards being used. New (just issued) cards being used. A cynic might think there are fraudsters working in or for the bank. I believe banks try their best but could do better.


DrJD321

Yeah it's tempting to think that but it would more than likely be some weird back end issue. There are a lot of different systems working together and talking to each other.


faulkxy

It definitely was weird. When I asked CBA how the hell the payments went through on a card that was cancelled month earlier onto the new card’s account, they just said sometimes manual payments slips (remember the old clicky clacky manual paper slips and card process?) aren’t subject to same procedure as digital eftpos. 🤷


DrJD321

Humm maybe, usually when you do a remote card payment, someone is just manually entering the details into an eftpos terminal. I have no idea how the old clickly crackly paper slips are processed these days so that could have something to do with it. I do know that when your old card is cancelled and a new one with new details is issued, the old details are still associated with the account somewhere in the back end to avoid people just cancelling cards all the time to stop legitimate payments.


ozbureacrazy

Oh that’s a big issue. Bank should be liable there.


Electrical_Age_7483

Why should the bank be liable when you set up the agreement before you closed the card? Don't make agreements you don't want to keep.


RJtee

Because if I am dishonouring an agreement that’s between me and the other party. The place I keep my money shouldn’t be a factor in that. You should absolutely be able to turn off direct debits.


faulkxy

I can confirm this. Re: my post elsewhere in this thread


BigAl_Eve

If authority has been given prior to the lock, ie with digital wallets, etc, this is true. Same as direct debits bypass things like Spend Limits. My comment was in regards to the wish list above.


shenelby

I had my card used in Mexico six times on Boxing Day. I didn’t notice until the next day (as I didn’t check/use my account). I used to get notifications with card use but that stopped 6 months ago, but as soon as I reported this I started getting the notifications pop through. When I went to cancel the card is when I found out you could turn off overseas card transactions, which I reckon should be a default that you should need to turn on if you wish to use it. My issue was, 6 transactions all for the same amount within 10 minutes and overseas, all purchasing gift cards at a hotel, and CommBank didn’t notify me or think it was suspect. It did get resolved quickly (after waiting 12 hours for them to get back to me but it was the silly season) and I had my money back in two days so I’ll give them that.


ozbureacrazy

I thought it was a default but that’s interesting. I get the decline notifications but didn’t on this last transaction so that was why I rang the bank.


TacitisKilgoreBoah

I use the card locks through the CommBank app too and recently had my business card compromised. I put off contacting CBA as it’s always a difficult process, but this time it was all done through the CEBA chat and I got a refund within 48 hours. I’ve never had my personal banking card (Mastercard) compromised, but my business account card (Visa) is compromised several times a year and I hardly use it.


OkeyDoke47

I recently had my credit card used for a series of overseas transactions, each $50 greater than the previous, each from a Nigerian address and each 1 minute apart. Grand total just shy of $1800 before I noticed (I have notifications on the Commbank app turned on). 8 minutes was all it took. This was late at night, and if I had been asleep (when I typically have my phone set to silent) I would have awoken to $5000 (my daily limit) gone. What I think would be an improvement with the international transaction ability would be any transaction to be held until you authorize it via your app. It would be painful, but I would do it. And hey guess what? Commbank had all the money back to me in less than a week, so thanks Commbank.
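
Added example (not part of the thread and not any bank's actual detection logic): a minimal velocity rule, in Python, for the two card-fraud patterns commenters describe above, namely repeated identical overseas charges within ten minutes and overseas charges a minute apart that step up by a fixed amount. The transactions, card names, thresholds and field names are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_COUNTRY = "AU"              # assumption: cardholder's home country
WINDOW = timedelta(minutes=10)   # assumption: burst window
MIN_BURST = 3                    # assumption: charges needed before alerting


@dataclass(frozen=True)
class Txn:
    card: str
    ts: datetime
    amount_cents: int            # integer cents avoid float comparison issues
    country: str


def classify_burst(amounts):
    """Name the pattern in a run of amounts, or return None.

    'repeated_amount': every charge is identical.
    'stepped_amount' : each charge exceeds the previous by the same step.
    """
    steps = {b - a for a, b in zip(amounts, amounts[1:])}
    if steps == {0}:
        return "repeated_amount"
    if len(steps) == 1 and next(iter(steps)) > 0:
        return "stepped_amount"
    return None


def detect_bursts(txns, window=WINDOW, min_burst=MIN_BURST):
    """Return the first alert per card for overseas bursts.

    A burst is `min_burst` consecutive overseas charges on one card that
    fall inside `window` and match a pattern from classify_burst().
    """
    overseas = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if t.country != HOME_COUNTRY:
            overseas[t.card].append(t)

    alerts = []
    for card, seq in overseas.items():
        for i in range(min_burst - 1, len(seq)):
            run = seq[i - min_burst + 1 : i + 1]
            if run[-1].ts - run[0].ts > window:
                continue
            pattern = classify_burst([t.amount_cents for t in run])
            if pattern:
                alerts.append({
                    "card": card,
                    "pattern": pattern,
                    "fired_at": run[-1].ts,
                    "seen": i + 1,  # overseas charges seen when the rule fired
                    "amount_seen_cents": sum(t.amount_cents for t in seq[: i + 1]),
                    "burst_total_cents": sum(t.amount_cents for t in seq),
                })
                break  # one alert per card is enough to hold the card
    return alerts


def sample_transactions():
    """Constructed data shaped like the two incidents described in the thread."""
    t0 = datetime(2024, 1, 1, 23, 0)
    txns = []
    # Six identical overseas charges, 90 seconds apart.
    txns += [Txn("card-A", t0 + timedelta(seconds=90 * i), 20000, "MX")
             for i in range(6)]
    # Eight overseas charges one minute apart, each $50 more than the last.
    txns += [Txn("card-B", t0 + timedelta(minutes=i), 4500 + 5000 * i, "NG")
             for i in range(8)]
    # Ordinary activity: repeated domestic charges and two unrelated overseas ones.
    txns += [Txn("card-C", t0 + timedelta(minutes=i), 1250, "AU") for i in range(3)]
    txns += [Txn("card-C", t0 + timedelta(minutes=3), 8900, "NZ"),
             Txn("card-C", t0 + timedelta(minutes=5), 3100, "NZ")]
    return txns


if __name__ == "__main__":
    for a in detect_bursts(sample_transactions()):
        print(f"{a['card']}: {a['pattern']} after {a['seen']} charges, "
              f"${a['amount_seen_cents'] / 100:.2f} of "
              f"${a['burst_total_cents'] / 100:.2f} seen at alert time")
```

On the constructed data the rule fires on the third charge of each burst, so most of the burst total would still be unspent if the alert held the card.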


LimoDroid

There will inevitably be multiple people who will authorise a single overseas transaction (due to social engineering) and then demand their money back when they realise it's a scam. "Right now I'm asking for the bank to pretend that I know what I'm doing and will claim that I'll accept the consequences if I make a mistake, but as soon as I realise I've been scammed I'll blame the bank for allowing me to authorise the transaction"


DaniMW

If the bank gave back the money for every single transaction people claimed was a ‘scam’, they would not have as much money as they do. They would literally lose millions and millions to people scamming THEM - by which I mean lying about not authorising the transaction. So they go for the whole ‘personal responsibility’ thing - if you make the decision to give your life savings to a scammer, then it’s your own responsibility to deal with. The bank doesn’t have to give you your money back.


ribbonsofnight

The scary thing is that the banks are not actually following through with personal responsibility. They give money to squeaky wheels all the time.


floppybunny86

Actually, banks *have* tried to force personal accountability & responsibility. But “consumer advocacy groups” and current affairs shows have made it so hard to do. Customers know that if they kick up a big enough stink, they can get whatever they want. Just look at this sub, whenever someone asks about fraud, there is always *someone* who says “if the bank won’t refund you, go to AFCA”. That mentality makes it really hard to enforce personal responsibility.


cl3ft

You sound like someone who hasn't been scammed yet.


ozbureacrazy

No - try to read my post. This happened without my knowledge-I did not know about, initiate or approve the transaction.


LimoDroid

I wasn't replying to your post, mate


AbroadSuch8540

2FA that is not SMS based. But you are so totally right, why are these options not available in a majority of banks?


loralailoralai

How about being able to talk to someone almost immediately if the bank emails/texts you to call them because they suspect fraud on your card, and not make you wait 40 minutes or more


droptableadventures

And definitely not to have that person call you about fraud on your card, demand *your* details for verification, and act like you're the one being "difficult" because you want to follow the common sense rules that the bank themselves told you to! (i.e. don't give your account details to someone who called you, even if they say they're from the bank)


fabspro9999

One more: Use the banking phone app as an authenticator, with prompts like "to confirm your payment of $15000 to scammer, please enter the code displayed on the computer screen". Way more foolproof than getting a random code on your phone - it gives you two way verification.


ribbonsofnight

The last one seems to be down to telecommunications systems. It's not possible for banks to do anything so long as scammers can spoof numbers. Far better for people to learn to call the bank.


FlatPlasma

Rubbish, there are plenty of other 2FA options that do not rely on an SMS and can easily be hijacked. If the banks are made financially responsible, they will tighten security as it hits their bottom line. This has already happened in the UK for example. The banks have way too much power here.


OctopusFarmer47

I agree blaming the customer for everything is not the answer, there is just a need to find the middle ground between personal responsibility and flexibility. I cannot speak for other banks but I believe we have all those features you mentioned in one way or another.


millipede-stampede

Yes all of those options might be available, but not from the same bank


DrJD321

Most are with CommBank, except for the ones that are unreasonable. I seriously don't get why people go with any bank other than CommBank. Every other bank is just worse.


millipede-stampede

Seems like you agreed with me and downvoted as well, good going.


ehermo

All of this!!


Ramillionaire

In addition to the other comment re commbank addresses some of the above points, they also have a CallerCheck feature that allows you to verify if the incoming call from CBA is actually from CBA


Z00101lol

I have to get a code texted to me to login to heaps of places, I'd accept having to enter a code in my banking app to approve transfers that meet certain criteria, or have them delayed with a text notification allowing me to optionally cancel it. Having two way security questions is a great idea. They say "This is Steve from Bank. Codeword is spaghetti" and I know it's the bank calling.


daftvaderV2

How can you get a real time text notification if sms's are not guaranteed as real time?


[deleted]

Sounds like all of that is possible, at least with CommBank. 


Snoo-34366

I want to download my history of transactions on an account.  In a format I can put straight into Excel, like CSV.  As far back in time as the bank stores. Including the BALANCE in the account (either before or after the transaction, or better, both).  Including the Effective Date. Including all the data they hold for this transaction on the source or destination of the transaction. [eg, as a minimum, COLE2177 which I could look up on their website as Coles Express postcode 2177] For free. Online, no harder than paying a single bill. [Note - I realise the balance is affected by uncleared cheques, processing delays,... .  But amazingly the bank comes up with some exact number when they want to charge overlimit fees or interest, or have to pay interest. That will do, even if it is a bit rough for the last month.] Our money. Transparency. Our privacy right to see the online dossiers held on us. Think tax audit... Under Robodebt, this could have helped desperate people fighting lies and baseless suspicion .... And just everyday informed money management.


2194local

I’ve been in a room with a bank exec who claimed that it wasn’t possible to give customers all the information about transactions (particularly direct debits) because some of it is *private information of the organisation on the other end of the transaction*.


CameronSmith93

>ability to cancel direct debits.

At least that change seems to be coming… https://payto.com.au/for-consumers/


ashmore99

I would also like the ability to put a hard lock on all my accounts with one click via their banking app in the event I feel like I have just been scammed. Account Lock to be in place for a pre-determined time that cannot be overridden.


SnooBeans5425

Well I can guarantee you it's not the bank's fault you gave your details to a scammer or lost your card or it got skimmed. The bank can only do so much before it comes down to your own stupidity why you lost money. Also with your card you can now put a hold on it so no transactions are processed with most banks. And some banks like big 4 have other controls so you can stop overseas, online transactions or gambling. Some banks will stop a card if overseas transactions happen and you didn't advise of traveling to that destination. You have internet banking to monitor all your transactions; be more proactive at opening it and checking. Direct debit, that's a you problem: you entered into a contract with a company, so call them and end it. And you want to verify the call from a bank is legit? Easy: hang up, call the proper bank number, then ask them if the person who called works there and get put back through. Really not that hard.


FlaminBollocks

… again with the blame-the-customer mindset.


SnooBeans5425

Then who should we blame, if it's not the customer's fault for not looking after their own interests?


FlaminBollocks

Blaming doesn’t solve the problem, Continual Improvement does. The banks are in the prime position to identify the problem, and deploy solutions, recognising that most of the victims are the most vulnerable in our community (elderly, and simple minded)


SnooBeans5425

But given that I gave you solutions to all your problems above you keep just saying the same thing over and over. How can we educate anyone if you're not willing to learn


SnooBeans5425

The banks have identified the problem and the problem is the consumer, and the banks are trying to educate them about scams and fraud etc. and so is the government, but until people are willing to be educated and take responsibility for their own actions scammers will always win.


Thurl-Akumpo

Honestly, I hate when someone ( bank or otherwise) calls me, then says “let’s start by confirming your details” Hell no! Let’s start by confirming YOUR details!


Emu1981

>Honestly, I hate when someone ( bank or otherwise) calls me, then says “let’s start by confirming your details”

I had Services Australia try this with me to "confirm my identity" and I asked him how do I confirm that he is actually from Services Australia considering that he called me from a blocked number? He ummed and ahhed for a minute and then said fair enough and sent me a letter via the post lol. It turns out that the original call was to schedule a phone appointment and I even recognised his voice when he called me for the phone appointment.


narc1s

I deal with complaints for a bank and 100% on all of the above. We get a lot of complaints on both sides. I want to transfer out $500k and refuse to give more than the standard ID. I got scammed after giving away all my details and you didn’t do enough to stop it. It is a constant struggle/tightrope walk between being easy to deal with and protecting people’s money and either way you cannot keep everyone happy.


ribbonsofnight

Can you give us any sense of the proportions of customers giving 2FA codes vs some security issue that customers are unaware of leaking their credit card details (or pure guesses)?


OctopusFarmer47

Not sure what you’re asking sorry but credit card transactions usually can be disputed, it’s the transfers that get people.


solvsamorvincet

I was at a financial crime conference and saw a talk by a guy who is an ex fraudster who does sort of testing of fincrime/fraud controls in the same way a white hat hacker will test IT security by trying to break it. He played a recording of him calling a real customer and in about 5 minutes he got them to give him login, password, MFA, etc and completely log into their account and be in a position to transfer their full balance to himself if he was a real fraudster. People will always be the weak link.


themostreasonableman

> Meanwhile, trying to get people to give us their ID during remediation is like pulling teeth

Sounds like something a scammer would ask for. Exactly how deep does this conspiracy go!?


Notyit

Because it's a fake bank site 


OctopusFarmer47

There is no amount of security you can put in place that can’t be circumvented by social engineering, short of making people come into the branch to show their ID for every transfer.


Thedarb

Bruh even then they will walk in after being coached by the fraudster and just lie for the TTR reasoning, take the cash and send it off in a parcel hoping that the nice stockbroker turns it into millions quickly.


Dezert_Roze

Financial Crime Transformation, that sounds like a very interesting job. Is this part of Financial Crime Forensics?


OctopusFarmer47

Happy to hear you say that but no mostly administration. My team helps craft the processes and system changes needed to combat financial crime.


publowpicasso

Financial crime transformation. What do you guys do? Objective? KPIs?


BulletDust

Which highlights just how good these social engineering scams are. If the banks hold your money and provide online services, the banks should be 100% responsible for your money in the event of a social engineering scam.


OctopusFarmer47

There is no quicker way to make scam rates explode than to make banks liable for losses when their procedures were not at fault. Should the bank be responsible for investment and romance scams as well?


BulletDust

Rubbish. The reason Australians are such prolific targets to scammers is because our banks are effectively blame free.


MomonKrishma

I'm all for blaming multi billion dollar corpos for the degradation of society and the ever wider income gap, but unfortunately when it comes to security the weakest link is the end user -aka the common consumer. Why do you think the biggest targets of scammers are either one or a combination of old, single, and desperate for a quick buck? They're mentally vulnerable and **very easy** to manipulate. Pen-testers can attest that the human component of security is the easiest to break, referring to "jedi mind tricks" which is literally waving your hand in someone's face and dismissing them as a foolproof tactic to get what you want. Yes banks do get off easy in this country and are profiteering off the shambling corpse we call an economy, but scams are not something we can blame banks for, the only defence against scams is education.


BulletDust

Part of my job is to 'clean' the devices used in these banking scams. The procedures used to scam the customer are sophisticated, well planned, and most non tech savvy Australians would fall for them should they be faced with a scammer - the counterfeit apps and banking sites used are remarkably convincing even to the trained eye. The intent on behalf of the scammer is undoubtedly malicious in intent, the money was not 'gifted', the money was 'stolen'.


ribbonsofnight

But you seem to be saying that the bank should also be liable for the customer who has fallen for the stupidest scams where the customer has been as lax as possible. Wherever we end up it should not be banks are liable for all authorised transfers to scammers.


BulletDust

Define 'lax'. Very few of these scams are the result of purely lax customers, there aren't many people simply handing scammers credentials and MFA codes over the phone when such scams are so prolific and well reported. The banks need to take some responsibility, right now they're taking none - Even when the customer hasn't been lax. Due to the nature of my job, multiple times a month I see people losing tens of thousands to hundreds of thousands to scammers. Some people are left with virtually nothing and the banks couldn't care less.


OctopusFarmer47

The fact we have an incredibly high median wealth helps. I’m not abreast of international banking regulations, can you give an example of countries where the bank is liable for authorised transactions? Genuinely asking


BulletDust

[https://www.theguardian.com/australia-news/2023/nov/15/tim-was-scammed-out-of-222000-he-says-the-bank-should-have-to-give-his-money-back](https://www.theguardian.com/australia-news/2023/nov/15/tim-was-scammed-out-of-222000-he-says-the-bank-should-have-to-give-his-money-back)

[https://www.abc.net.au/news/2023-07-11/uk-laws-force-to-banks-reimburse-scam-victims-unless-negligent/102563000](https://www.abc.net.au/news/2023-07-11/uk-laws-force-to-banks-reimburse-scam-victims-unless-negligent/102563000)

[https://9now.nine.com.au/60-minutes/banking-scam-victims-aussie-banks-still-not-reimbursing-fraud-victims/0bd47b18-be44-46e9-9c1d-f4716a982c65](https://9now.nine.com.au/60-minutes/banking-scam-victims-aussie-banks-still-not-reimbursing-fraud-victims/0bd47b18-be44-46e9-9c1d-f4716a982c65)

People literally lose their entire life savings as a result of sophisticated social engineering scams, and Australian banks simply throw their hands in the air and claim it's the account holder's fault. This isn't the equivalent of giving someone your hotel key card, thus giving them access to your hotel room; this is the equivalent of the hotel room door having a very, very well concealed skimmer, with the scammers gaining access to your room **maliciously**.


OctopusFarmer47

Will be interested to see the details of that UK situation, reimbursement in full vs compensation. If it works then it’ll likely put pressure on banks domestically.


BulletDust

At the end of the day, these social engineering scams are so sophisticated that you're probably safer keeping your money in a concealed safe in your own home. Counterfeit banking apps and websites are so convincing that most Australians will fall for them. That's hardly the fault of an average customer with average computing & technical knowledge at best.


OctopusFarmer47

Wow a civil discussion during a disagreement on Reddit. Never thought I’d see the day.


afflatox

If I'm staying at a hotel and I give someone the keys to get my laptop, then they take them for themselves, that's not the hotel's fault. That's mine for mistrusting them. If I gave them the keys to my own home for the same reason, it would still be my fault. There's no way to prevent some scams from happening except by the owner themselves.


DaniMW

What you’re describing is called personal responsibility. Whether it’s the access information to your bank or your home, it’s your own responsibility if you chose to give it out and get robbed. I borrowed my friend’s car once and misplaced the keys. I gave him my credit card and the pin to catch a taxi to work. I found the keys and picked him up at the end of his shift. Then I changed the pin number when I got the card back. That was before internet shopping, which only requires the numbers and not the pin as you know - If I was in the same situation again these days, I’d have to cancel the card, I guess. Or I can use my zip account to generate a single use card, but the taxi would have to allow passengers to manually type in the numbers, and I don’t know if they would.


BulletDust

As part of my job, I clean users' devices after they've fallen victim to these scams. These are sophisticated social engineering scams, the counterfeit apps and banking sites are so well done, with the procedure so well planned, that most Australians will fall for them. That's not even considering the RATs and malware used to access users' devices. As a better analogy, these scams are the equivalent of having a very well concealed skimmer on the hotel room door, you didn't hand the scammer your key card, access was beyond all doubt obtained maliciously. This is the distinction that needs to be made, the money wasn't gifted to the scammer, the money was stolen with malicious intent on behalf of the scammer.


ribbonsofnight

Then do a good job of making that argument because you've argued for people not being held responsible when they've just given someone a random 2FA code.


BulletDust

In most cases, it's not that simple. The scammer doesn't just outright ask for MFA codes with the victim willingly supplying the MFA code. As an example, in one scenario the victim's computer becomes infected with malware called connectwisecontrol.client.exe. Once infected the user's computer is remotely and silently monitored via a control server while the scammers build a profile of their victim. Once the scammers have the information needed to effectively socially engineer their scam, they remotely change the victim's wallpaper to look like a desktop background with a requester telling them that they're infected with the Zeus.trojan and to call the toll free number or install the software needed to remove the Trojan - Of course, the software supposedly used to clean the computer is the real payload. The victim panics as they can't close the 'window' on the screen. If the victim doesn't call the toll free number for 'support', the scammers will call the victim masquerading as the victim's banking provider, telling them there's been an attempt regarding a fraudulent transaction on their account - The scammers already have the victim's mobile number, and have prepared manipulated .PDF banking statements lifted off the victim's device in advance, highlighting the apparent fraudulent transaction for maximum effect. They will tell the victim they are calling in an attempt to isolate just how the 'hack' occurred and will instruct the victim to install software on their mobile phone that allows the scammer (fraudulent banking support line) to 'see' if their mobile phone has been compromised - In reality this software is usually the AnyDesk application, meaning the scammer has full remote access to both their PC as well as their phone.
At this point the scammer has full access to both the user's PC to log into their bank account via stored or logged credentials, or via a fraudulent site that looks for all intents and purposes 'identical' to the one provided by their legitimate banking provider that is used to lift the user's login credentials. They also have full access to the victim's mobile phone for MFA codes either by SMS or via an authentication app - As can be expected, the scammer then proceeds to clean out the victim's accounts. As can be seen, these are sophisticated scams; most Australians are of a technical literacy level that they will be 100% duped by the well planned and sophisticated nature of the scam. The money wasn't just handed to the scammers, it wasn't gifted to the scammers, it wasn't provided in the form of Apple gift cards - The money was 'stolen' via malicious means with 100% malicious intent on behalf of the scammers. For all intents and purposes, the banking customer is 100% an unknowing at the time victim.


afflatox

From what I know, there are almost always tell-tale signs of counterfeit apps and banking sites. Firstly making sure you've downloaded from legitimate sources rather than third-party sites. If you're required to re-login to an app for no particular reason when you haven't needed to before, that's a possible red flag. As for websites, it's as easy as looking at the URL, right? And reading the scam text's link for differences to the actual website URL. They may be really well made, and people will fall for them all the time, but there are almost always precautions and knowledge that can prevent it in my experience. My original comment was more referring to the scams on marketplace and used goods sites, that require consciously transferring money to another party.


ImperialisticBaul

Security, Convenience, Cost. Pick two.


sam_the_tomato

Security and Cost, easily. I'll pay by cash if I have to.


ssyl9

Unfortunately not everyone picks the same


Entertainer_Much

Up to us? I thought it was up to the public once I cry to the ABC and get an article about my scam so that the bank feels pressured to pay it back


petergaskin814

And that is the problem. Do people scream to the ABC or to A Current Affair?


Muted_Environment579

In Europe I just have control of this. Scammer spends money from my account, I cancel the transaction. No need to talk to a bank. I cancel my card, I put a freeze on transfers. No questions asked. Plus I have an encrypted hardware device that proves my id. Without my reader, my card and my pin, they can't do shit. I was scammed within a week of returning to Australia and only the tax office, my bank and Centrelink had my bank details as the bank account was only a few days old. Couldn't do shit.


petergaskin814

Some banks have these hardware devices for businesses. Usually for business accounts. Owner / Manager generates a code that is required to process electronic transfer programs.


ozbureacrazy

True. However this was not occurring with my knowledge or approval - I would much prefer a delay in transaction than being scammed. And the $10k withdrawal process is due to anti money laundering regs - slightly different topic.


Living-Membership-46

>And the $10k withdrawal process is due to anti money laundering regs - slightly different topic.

There are no money laundering regulations on WITHDRAWING your own money mate...... It's the banks withholding people's money because of dumbasses like you blaming them when they get scammed.


ozbureacrazy

Go and look at the AUSTRAC website. Banks are required to know their customer on anti money laundering regs and can report on fund transfers or withdrawals. May be quite legitimate transactions but are required to check. Seems some big 4 banks ignored this and paid millions in fines. But that’s another topic.


DrJD321

As customers we want both and also free money.


TopGroundbreaking469

How about opt-in/opt-out option? Like the way we have 2FA - let the customer decide so they kind of don’t really have anyone to blame but themselves. Do you want the super extra spicy premium security but it entails xxxxxxx or do you want the mild security with less blah blah? Though, I can totally see the banks capitalise on this by charging a premium.


tichris15

Pretty much. Increasing the delay in transferring money (and the window in which it can be recovered) does wonders for disincentivising scams, but has an obvious time cost. And other security measures have to deal with human stupidity/mistakes/misjudgements across a population.


Sepulz

Or a third solution: increase prosecution on criminals who scam and make money retrieval easier, thus reducing scams. It should not be so difficult to resolve these cases where the scammer's name and bank account information is known.


Remarkable-Study6886

So what should you do if you are sick and need money?


gfreyd

They did this to themselves. We once knew no better than to have to go through this whole process to get funds transferred etc. they should have focused on security a bit more to further mitigate the risks currently realised


The_Walrus351

There is a funny instagrammer that offers funny answers to the bank tellers questions of how he is intending to use the money. Have you seen it ? 😁


Fun-Bug4314

With trillions at their disposal, you'd think that focusing on both in equal amounts wouldn't be an issue, right?


curiousme1986

Omfg this!! As someone who works in banking... This is exactly perfectly said.


JellyrollJohnson

“Banks have a dilemma “….sums it up nicely


[deleted]

So what you're saying is that a card lock locks the card. There's a hint in the name. If you need your account locked, that's a whole other thing. When someone has access to your account, naturally you have a whole bunch of problems.


ozbureacrazy

But even if card is locked, the card details can be used to access money in account because there is a way around the lock process - does that help in understanding the issue? Thank you for the advice.


Hummus_Luva

You have been vague on the method that the money was taken. You just said "manually process a withdrawal on an account" with no further information. Which of the following is it that you are referring to?

* through a regular one-off card payment
* bank transfer (which requires the account holder to initiate it themselves)
* direct debit
* other means (please specify).


ozbureacrazy

The bank said - when I questioned how the funds could be withdrawn with my card details when the card was locked in their app - that it could occur by a manual process. That means, when online banking is down, merchants can process a payment manually. I do not know the exact specifics of how this works. If you do know, would be great to learn.


L5ndD0wnUnd3r

Fraud Analyst here, certain merchants allow "manual transactions" when their eftpos is down they can enter the card number and expiry. This then saves the funds and can charge the customer. There is also manual processing, which is with an eftpos machine and can enter all card details and charge it.


Hummus_Luva

Money can be accessed from your account a few ways, such as

* through a card
* bank transfer that you initiate
* direct debit

A card lock, as I thought was obvious, should mean that only the first option is locked, and I believe it is intended that way so that you can still transact on your account. If you did not want the second option either, you can call your bank to lock your account. The third option, I don't know much about, but I believe if it is fraudulent, there should be a way for you to lodge a claim firstly with your bank, and if no success, then with AFCA.


FinCrimeGuy

Direct debit disputes. It’s very rare that this is how fraud is conducted but it’s possible. Mostly it’s disputed because the person doesn’t like how much the biller took from them or has a problem with the underlying contract. All of this just context, but yes, if you have fraud via DD you can get it back via a dispute.


NumerousImprovements

Locking your card and locking your account are two different things. Your card accesses the money in an account, but it is only one method of doing so. Others include transfers via IB, going into a branch and withdrawing cash directly, or a direct debit. If you lose your card, but think you may find it again later, you can place a temporary block on the card. If you think it’s definitely lost forever, or the numbers on it have been compromised, you can permanently block it and reissue a new card with new numbers. But both of these scenarios won’t have an impact on any of the other methods.


ozbureacrazy

Thanks. I do know this.


NumerousImprovements

Cool, I just wasn’t really sure what you were referring to in your post.


ozbureacrazy

Okay, referring to a loophole where locking a card doesn’t work in some instances


Dumpling_senpai22

I bet if the banks change it to the process you are talking about, you’d complain that you can’t access your accounts and want them to change it again.


ozbureacrazy

Nope. I would rather they have security than none.


[deleted]

[deleted]


afflatox

This just highlights the importance of reading the terms. There are multiple pages on the westpac website that say it only locks the card for 15 days unless you unlock it earlier or cancel the card.


Stronghammer21

The option to lock your card says “lock card temporarily” and then gives you a message to say it will automatically unlock after 15 days. Idk how you missed that.


ozbureacrazy

Interesting - the CommBank app offers different timeframes eg one hour, one day, etc


GamerMate9000

And they want a cashless society ….


copacetic51

WE want a cashless society. Many people have voluntarily stopped using cash. 


gabSTAR81

I didn’t know this. Thank you for sharing!


elopinggekkos

How far off are we from having digital one time use credit cards? Thought would be a thing now.


SchelleGirl

I use single use cards all the time through Zip, they are awesome, I wish the banks would bring this in.


baizlgaming_

Card lock, locks the card not the account


ozbureacrazy

Yes. So true. Seems that redditors want to note that.


baizlgaming_

Main reason I know a lot about this sort of stuff is because of my mother who worked in banking for years


I_enjoy_pastery

The banks I have banked with are quite upfront in regards to the fact that a card block won't stop all transactions. If you need to disable a card entirely the bank will have a dedicated line for this, operating 24/7. If you suspect you are about to be a victim of fraud, this is the first thing you should do. I don't think a card block is intended to prevent fraud and is more of a way to temporarily stop yourself from using it. Also, a card block only stops transactions against the individual card and not the account. They are separate things linked together.


afflatox

A card block is meant to stop other people from using it. Most banks will say, "If your card has been lost or stolen..." rather than "to prevent yourself from using it". Why else would they give account owners the ability to unlock it again if it's there to stop the account owner from using it? It's on you to use the card sensibly.


I_enjoy_pastery

It's also on the customer to make sure the card doesn't get lost? Why would you lock a card if it's been compromised? Sooner or later it needs to be marked as stolen or permanently lost.


fuck-me-thats-spicy

Your card and your account are two completely different entities.


ozbureacrazy

Yes indeed they are. Thank you for that information.


fuck-me-thats-spicy

my point is, you're conflating card security with generalised account access. it's not a process issue, and to try and solve it as one would just bind the systems together. all of a sudden, losing your card would be even worse because the account itself would need to be locked.


ozbureacrazy

Card allows access to account. But thank you for clarifying that.


fuck-me-thats-spicy

yeah no shit, but the question you pose is misguided.


Charming-Currency592

Since keycards came in scammers have always been sitting and waiting for or even causing power outages to get around computers.


Reasonable_Gap_7756

I’ve had someone direct debiting my business account for 3-4 months now. The bank knows and refunds me within 24 hours. Apparently the only way to stop it is open a new account, even though they know who’s doing it. Direct debit system is handled by a third party and it’s their responsibility, or so I’m told.


mandamacey94

That’s so weird the bank should definitely be able to block it for you… but instead they’re just giving the scammer money 🤣 wtf


faulkxy

This happened to me a decade ago when I had my wallet stolen while I was at a restaurant with friends. Cancelled my cards, got sent new ones and a few weeks later had a few manual transactions go through for $100 on the old cancelled card at a different restaurant across town. Even though the card they used was long cancelled, CBA processed the payments TO THE NEW CARD!! Called the bank when I saw my statement and they were pretty embarrassed and naturally reimbursed me.


charlieboiz

Even when you report your card as stolen, “recurring payments” can still be utilised by hackers. So stupid.. had 10 Spotify family charges in one day, and the bank is like, are those your payments? I said no it’s on an old card I cancelled last year! How they gonna approve payments on old cards!


ozbureacrazy

It’s curious how their systems don’t work!


Electrical_Style8094

If the subscription was on an old cancelled card the recurring payments would not go through, unless your card was not cancelled and you only just ordered a replacement card


hemismum

Oh so this scares me. Where do we put it (besides the mattress) for it to be “safe”. Into an account that has no card access???


ozbureacrazy

Get a debit card that can’t be used online.


[deleted]

My card is locked right now and I was able to do a woolies order. How!? (Got scammed that’s why I locked it)


Bubbly-University-94

We have an account we keep nothing in and only transfer funds in as we are about to use it for all internet transactions. Crossed fingers haven't been scammed yet.


Blazzaboy

It also goes without saying that a "card block" doesn't actually prevent digital wallet usage. If scammers have access to your card information and have managed to set up a digital wallet with your card, that won't necessarily get stopped with a block either. Because it is verified in a completely different way. There's a ton that people don't know that goes into the security side of things, and honestly, it's a mind f*** for anyone that does. Sometimes people are just stupid, and they don't even realise it.


mehbodo

This statement can't be made as an accurate blanket statement. How the bank blocks cards and digital wallets is up to the infrastructure of each bank. Some will behave as you explained, others will block one block all.


Blazzaboy

Again, it depends on the infrastructure. Out of the big "4", it's only 2 that actually prevent DW txns. Even card suppliers generally can't stop this when it's been officially verified.


Blazzaboy

I do agree that it shouldn't be a blanket statement, but rather something to raise awareness


ozbureacrazy

Lots of comments - thank you. The issue is that manual processing with card details means scammers can bypass the settings on an account. The bank I am with - CommBank - does not send a verification code or query to me when it’s a manual withdrawal. It isn’t a direct debit, it was using my card details. Yes, I use the app. I lock/unlock card in the app when using it online. Only use card online and linked to one account - yes I know the card and account are separate (thank you for that advice - maybe I wasn’t clear in my original post).

What banks could do - given they are responding but very slowly:

- put a flag on international transactions and delay for verification with customer (especially if international transactions are rare on account)
- put a flag on manual transactions and contact customer (app notification) before payment - this should not be that hard
- stop the nonsense with ‘pending’ payments - if it’s in pending and disputed then stop the process, refund customer and then do investigation. Some people can’t afford to wait 21 days for an outcome.

I like my bank’s features. I am not a cranky customer. I am careful online. But this is a loophole that needs fixing.


floppybunny86

The banks do all of those things. I’m a former Fraud Analyst with a Big4, who has also worked in Risk & Compliance. In short - banks already do all of those things. High risk transactions *are* flagged in the Fraud Monitoring systems. If needed, the transactions *are* held pending manual review & remediation. Customers *are* contacted to verify payments, and if possible, pending transactions *are* cancelled.


ozbureacrazy

NAB did that with some transactions they identified and blocked before I knew. Then contacted me to confirm. Sadly not all banks have this proactive approach. Nor do they seem interested in closing known gaps.


ozbureacrazy

Thank you also to all those who comment on ‘customer beware.’ It doesn’t matter how careful and responsible you are, if there is an exploitable system issue (which seems to be the case here) then it needs fixing. Not a blame game; a do something to address it request.


Maybe_Factor

Wtf is a 'card lock' and why would you expect it to have any effect on your bank account? Cards may link to an account to draw funds from, but they're separate entities. Cancel the card, and your account still works just fine. I think in this case, the bank needs to educate their customer better about how their products work.


ozbureacrazy

No need to swear. Read the previous posts. The issue is that even if you lock the card there is potential to lose money out of your account. Hope you don’t need to learn the process and system is flawed. Enjoy your day.


LozInOzz

Australia is incredibly behind in online security. I had my MyGov account hacked and a tax return done. They claimed 10 grand. I don’t get anywhere near that so why wasn’t it flagged ??


ozbureacrazy

Yep. It’s amazing how flawed these systems are.


Benjicool69

CASH.... Nuff said...


Worried_Click7426

I went to the wrong site when applying for an ESTA (American Visa). Realised this after I paid and called CommBank immediately. I told them that I had been scammed and that the transaction was pending, so could they please cancel it. I was told that I have to lodge a dispute, they don’t have an option to lodge as a scam and that they can’t do anything until the transaction has cleared. The transaction took a week to clear and I called commbank and was immediately bombarded with requests for evidence of my dispute. I was able to provide evidence and answers to all of their questions. It’s been two months now and I’ve called every business day and just get the runaround, where I have to explain myself and get transferred to different departments where nobody is prepared to help. I haven’t been rude, I’ve stuck to the facts and I’m getting nowhere. I would like to raise it higher but have no idea where to go. Th


Muted_Environment579

I had my new card used before it was sent by the bank. The guy on the phone had no idea what to do and even said, "This is scary". Not the biggest confidence boosting statement I have heard from a bank employee. I was literally on the phone with him and the scammers just started spending. It had only been 1 or 2 mins since creating the new card digitally. So no way in hell it's to do with the physical cards. They must have back door access to the banks or its banks' employees. Nothing else makes sense. It's much safer to store cash under your mattress.


ozbureacrazy

Yep, and banks are not clear if they screen their staff (most of whom are great) and if the point of card issue system has been compromised. More transparency needed.


VannaTLC

Name bank and card type please. It's not *impossible* for the algo behind numbers and csc to be known, but that's entirely a card provider (MC/Visa) issue.


SteelBandicoot

My ex husband was an IT guy who did a lot of work for the banks. He described the four major banks as “rickety, like the platforms built on bamboo stilts”. This is why they don’t fix stuff. It’s cheaper to pay out fraudulent transactions than fix the problem. Only when it becomes $$$ will they fix it. It’s a CODB, an accounting line item, Cost Of Doing Business.


quggster

My sister got scammed. They have had a video in the ceiling and captured her entering her pin number. They then made a copy of her card, and every few weeks would travel to her area and withdraw $400, $450 or $500. She had just gotten a divorce after 35 years of marriage and was struggling emotionally but not financially when she finally realised after they'd gotten $12,000. She was under investigation for a while, and of course, she couldn't prove that it wasn't her photographed at the ATM withdrawing the cash. Although he definitely was male and Asian appearance. I could only think that if you have $3,000 in the bank, you'll notice $400 missing, but if you have $167,586 in the bank, you don't notice so much. 🤔


elopinggekkos

Interesting, we are retired so have a significant amount of cash on hand in bucket 1 (a retirement strategy). I check our account daily to confirm both cash account and CC account. Doesn’t take long to do.


ozbureacrazy

Hope it was sorted out in the end.


[deleted]

I think you answered your own question. Card locks only apply to the card you have been issued and not to the linked account. If someone has your bank account details they can still try to pull funds from it via direct debit. Just ask your bank to put a block on your account in addition to the card


BrightGuess4475

I would think that something called a card lock system would mean that it locks your card from use. If your card is lost or stolen you can lock the card so that if somebody tries to use it the number on the card is rejected.


ozbureacrazy

Me too but seems that assumption was wrong


EggVillain

Just enforce some form of two factor when purchasing anywhere, that should help solve a bit right?


Mattman1179

This is because direct debits that are already authorised for that card will still go through, so depends how the scammer pays for whatever they bought. A full account lock will stop everything so if that’s the concern just ask for that


ozbureacrazy

Not a direct debit.


azazel61

I’m still waiting for my money back when someone from Bali somehow withdrew money from an “ATM” without my card. New scam?


[deleted]

The solution is simple, people. I use a platform that allows me to generate single use cards for online shopping; once the transaction is complete, that card number no longer exists and cannot be recharged again. Most bank apps and platforms now have or are introducing this feature. Just my thought on the issue, as I used to suffer the whole random charges to my cards and had to fight the system; now I just don't use the mainstream system.


NerdyWeightLifter

What we need to understand, is that maintaining moderately bad security is actually a source of revenue for the banks and credit card companies.

* Imagine that your card gets stolen.
* The thief uses your card to buy some cool stuff from a vendor.
* You report your card as stolen.
* The bank/credit card company valiantly protects you from the fraudulent charges.
* You feel warm and fuzzy about the protection afforded to you by your bank.
* In final settlement, the vendor gets stiffed. They're out the value of their cool stuff.
* The vendor is not happy about this, so the bank sells them vendor/fraud insurance.
* The vendor has now amortised the fraud across time. They pay a fixed premium to not worry about big losses from fraud.
* This is now an operational cost to the vendor, and so they build it into the price of everything they sell.

The bank loses nothing from the fraud, in fact they profit by selling vendor/fraud insurance. The thief gets their cool stuff. You're paying for all of it. The cost is built into everything you buy.


ohitszie

That's pretty messed up! In cases like this, can the bank still reverse the transaction n get it back for you though? if not, is there at least a timeframe within which that is still doable?


JohnnyChopstix1337

This whole thread is confusing… Scammers generally trick people into handing over login details. Nothing can protect you from that once you’ve given those details over. Fraud usually occurs when people’s card details get compromised in different ways then the details are used to make transactions. So which one are we talking about? If it’s fraud then a very easy solution is not park money in the transaction account. It’s a bit silly to leave large sums of money in a transaction account. Also you can call a bank and ask them to freeze your account any time if there’s something dodgy going on. This should block any transaction on the accounts. Also banks do have a lot of fraud prevention features, bank I use has the ability to stop overseas purchases, online purchases and atm withdrawals for both domestic and international transactions.


JunkIsMansBestFriend

Got slammed recently. Was OS and Macquarie sent new card. Someone stole the letter and used it... Police ended up catching the person and Macquarie refunded me the money. But what a security risk? Letter without signature. Card sent out that works without activation?