Our bank account has been cleared out

[lougle]

Today my DH said 'why do we have no money??'
I told him not to be so ridiculous, because we have been working really hard to save money and build up a buffer in our account. So I looked at our bank account: available balance £14.

Someone has used almost £2000 on Next and Foot Asylum purchases, with a pizza and a dessert order thrown in .

The irony is that I never buy from Next because we can't afford for me to buy new clothes. I only ever buy from charity shops or (very rarely) Primark. So the fraud claim is very easy to prove. That and the fact that the man on the phone from the bank had to tell me what Foot Asylum is .

The transactions were all in the last day or so, and were all made using DH's card. We also had a letter today from Next, addressed to a man we've never heard of, thanking him for advising them if his change of address. So Next have given us a fraud case ID number and have put a block on account applications from our address. The bank fraud team will contact us tomorrow.

How gutting. We're lucky that DD1's DLA gets paid into a different account, so we can use that for a few days and reimburse it when we get reimbursed by the bank. If it got paid into the same account we'd be absolutely done for.

[LurkingHusband]

It's possible to set Amazon up to use your bank account directly (like Paypal).

[Kr1stina]

Yes I had the same with Amazon . I made one transaction for several pairs of shoes in the sale but Amazon put them through as several transactions for , say £25 . I assume because they were sale goods they perhaps didn't have them all in stock , or because it was different sellers.

I also discovered that if you haven't bought anything from Amazon for while, they will put through a test of £1 first .

So my one purchase of 4 pairs of shoes turned into 5 transactions , One after the other , which caused an alert and block om my card .

Very annoying when you are in asda with three whining children and a trolley load of food but better safe than sorry .

[BrieAndChilli]

Our bank is pretty hot on fraud, they rang me a few years ago as someone tried to buy tyres in Germany whilst at the same time buy something in America! Then we had a load of PAYG transactions come out for about 4 different mobile companies, about 20x £20 which they also refunded immediately.
Then last pay day I made a load of transactions on line including about 20 transactions via Amazon for a couple of quid each so bank stopped my card until they could speak to me to make sure it was me spending the money

[LurkingHusband]

Or get a phone and use Apple Pay. Much safer.

Doesn't compute, unless you can use Apple pay on a Samsung/Sony/Nexus ...

[Bolograph]

I am disabled and people often have to handle my card hence the worry.

Then just rub at the CV2 until it's "worn" to the point of unreadability.

Or get a phone and use Apple Pay. Much safer.

[LurkingHusband]

I am disabled and people often have to handle my card hence the worry.

MrsLH has found contactless a boon.

When C&P was introduced, there was a FAQ somewhere which noted that the cashier should not have to handle your card. At the same time, there were discussions noting how a lot of smaller establishments (petrol stations in particular) were deliberately laid out to separate you from your card.

Once again, removing the CV2 is the best (and only) protection against having your card details lifted to be used after you leave the store.

I wonder if people using Apple/Android pay would be as happy allowing the assistant to take their phone as card ?

[MiscellaneousAssortment]

I am disabled and people often have to handle my card hence the worry.

[Bolograph]

Will shops / other face to face payments be accepted with a damaged card?

When would they see? Given the number of people on another thread who are sharing cards between husband and wife (ie, name and/or honorific probably obviously wrong), a small detail like the CV2 is neither here nor there. And as LH says, they shouldn't be looking anyway.

[LurkingHusband]

I'd be worried I'm making my card obsolete by scrapeing off the cv2 numbers. Will shops / other face to face payments be accepted with a damaged card?

One of the lesser known rules of C&P is that merchants should no longer handle your card (why would they need to ?). Obviously brain-dead terminal placement making it impossible for wheelchair users to manage (as MrsLH says, hurrah for contactless) excepted. So no one would notice.

To be honest, if anyone did comment, I would be immediately suspicious - why were they even looking ?

[Idontneedanotherhero]

I once worked at a computer company several years ago, and someone bought a laptop online, and supplied an address and delivery slot. I subsequently realised the card was stolen and called the police to tell them that someone at X address would be receiving stolen goods at X time the following day and they said sorry, they wouldn't deal with that! I was flummoxed!

[MiscellaneousAssortment]

I'd be worried I'm making my card obsolete by scrapeing off the cv2 numbers. Will shops / other face to face payments be accepted with a damaged card?

[lougle]

We'll do that, I think.

[Bolograph]

I said I wasn't. "oh, well someone is trying to purchase goods over £2000 using your card - we'll stop the purchase and cancel your card".

This was presumably pre-C&P? It's still possible to make a mag stripe clone of a UK card, but any shop that accepts it does so at their peril.

The best thing you can do, as LH has suggested, is remove the CV2 code: last three digits on the signature strip on most cards, four digits on the front of Amex cards, having written it down somewhere else. That makes use online virtually impossible, even for someone who has a copy of the magstripe and both sides of the card and copies of your statements.

[Woobeedoo]

I've had my card cloned twice - once at a restaurant where the waitress walked off with my card and disappeared for several minutes before returning it, and then at a petrol station.

The first I knew about the first cloning was when I was home off sick from work and got a phone call from the bank asking if I was in a BMW dealership in South London. I said I wasn't. "oh, well someone is trying to purchase goods over £2000 using your card - we'll stop the purchase and cancel your card".

The petrol station cloning involved lots of little purchases - some from petrol stations (oh the irony), mobile phone top-ups and then flights to Germany. With this cloning numerous people were targetted and it was mentioned in the local paper. After investigation it was found to be it minimum wage staff who were being paid cash in hand so no bloody records being asked by a gang to scan cards for extra money.

[Bolograph]

In the same way you don't need experts to "prove" DNA fingerprinting in every court case it's used as evidence.

No, but you need them to attest to the evidential integrity of the chain leading from the crime scene to the DNA analysis, which would be a similar problem for any application of a blockchain. You may have noticed that, blockchain or no, Bitcoin theft and fraud is hardly unheard of how the fuck did anyone take "Magic The Gathering Online Exchange" seriously?

[hanbee]

Once had some dufus at a takeaway pizza place steal DHs card details and buy him home insurance from Tesco. Lord knows why Tesco approved it with different names and addresses! The money was returned very quickly and the stupid thief had given them his name and address. I imagine he found it rather tricky to get any sort of insurance from then on!

[LurkingHusband]

you'd need an expert witness to attest to the integrity of the blockchain

The Great White Hope is that - after a suitable precedent - you won't need to. In the same way you don't need experts to "prove" DNA fingerprinting in every court case it's used as evidence. Which explains why there are so many lawyers crawling around blockchain fora ...

[changshaaini]

All very interesting though, Lurking and Bolograph, although I can't make head or tail of it.

OP, how awful for you I can't believe people do this x

[mizuzu]

Sorry about that op, you will get it back though, sounds like a card clone

[LurkingHusband]

Bolograph

As soon as the money men realise there's nothing for them, you and I are just talking amongst ourselves ....

[Bolograph]

Courts will accept expert witness for provenance; you are being too techy (hey, I'm techy!) in thinking of the solutions to these things as being about technology. You'd need an expert witness to attest to the authenticity of the photograph, you'd need an expert witness to attest to the integrity of the blockchain. The former is more likely to be understandable to a jury than the latter, so even if there were a blockchain construction the expert witness wouldn't go through it anyway, they'd just use it as an input to their "yep, I'm an expert, looks OK to me" process.

You don't need a blockchain in order to hash photographs anyway: the benefit of a blockchain is that it removes an attacker's ability to delete a photograph in the middle of the sequence, and it removes a verifying party's reliance on assertions of tamper resistance in the device used to form the hashes. But for a situation like this, that seems a refinement you don't really need. If you're assuming the courier is in on the scam it doesn't matter what you do, because the courier would simply take photographs of randoms in the street a minute before or after delivery; if you're assuming the courier isn't in on the scam, you don't need to protect against the courier staging an active attack on the phone.

[LurkingHusband]

Given that almost all delivery drivers are using something like a smartphone-based system to log deliveries, you'd think it would be the work of one of these genius "programmers" they have these days to add a feature to require a photograph of the person the parcel was handed to at the door?

That's a very good idea: I've seen any discussion of it, so perhaps you should float it to DPD or someone and ask for a consultancy gig!

The problem is, DPD - et al - are not primarily interested in reducing courier fraud (in the same way banks are not interested in reducing online fraud). So unless the exercise can be pitched as a way to make money, it's doomed to failure. Unless you can convince them that reducing courier fraud is a money-spinner (either directly or as a function of marketability). I suspect the amount of money DPD loses to such fraud is low enough that they have little incentive to innovate. And as long as banks can hide their fraud losses by charging fees on overdrafts and the like, the same applies there.

Welcome to Adam Smiths world.

Anyway, returning to blockchain, one of the issues with a courier-snap would be ability to demonstrate provenance in a court of law. So now you are looking at hashing the image with timestamp to a standard that would be acceptable in a court - if it ever got that far. I'm a techie, not a lawyer, so I have no idea what precedents - if any - UK courts could use in a case where provenance of a digital image is key to an action. Obviously a blockchain-secured key would be ideal, but you'd need to get a blockchain infrastructure in place first. I refer you to my point about rewards for innovation versus cost of losses.

(Non-UK readers can probably ignore all this - it's quiet peculiar to the UK mindset, where the dictionary entry for "investment" says "see 'loss'").

[Bolograph]

There are biometrics which are harder to steal, and do "liveness" checks: for example, palm-vein readers are non-contact, and use the same technology as pulse-ox meters that are clipped on your finger in hospital to ensure that the palm being read has a pulse; the reader only works when the veins have oxygenated blood in them, and the reader also checks that it's pulsing at a sensible rate.

However, all of those checks are moot if the attacker can work on the equipment in the comfort of their own home; producing tamper-resistant equipment which only produces the expected, authentic result and shuts down irretrievably when fiddled with is difficult enough when the device is subject to inspection by the people relying on its output. It's extraordinarily difficult (not impossible, but difficult, and expensive to assure) if the device is in the possession of the attacker and not subject to inspection.

[ijustwannadance]

Lurking
I now have mental images of giant gummi bears stealing our identities. The wobbly bastards.

[Bolograph]

Given that almost all delivery drivers are using something like a smartphone-based system to log deliveries, you'd think it would be the work of one of these genius "programmers" they have these days to add a feature to require a photograph of the person the parcel was handed to at the door?

That's a very good idea: I've seen any discussion of it, so perhaps you should float it to DPD or someone and ask for a consultancy gig!

As you say, people who object can just accept they won't be able to get parcels.