AIBU?

Our bank account has been cleared out

241 replies

lougle · 04/06/2016 22:32

Today my DH said 'why do we have no money??'
I told him not to be so ridiculous, because we have been working really hard to save money and build up a buffer in our account. So I looked at our bank account: available balance £14.

Someone has used almost £2000 on Next and Foot Asylum purchases, with a pizza and a dessert order thrown in [angry].

The irony is that I never buy from Next because we can't afford for me to buy new clothes. I only ever buy from charity shops or (very rarely) Primark. So the fraud claim is very easy to prove. That and the fact that the man on the phone from the bank had to tell me what Foot Asylum is [grin].

The transactions were all in the last day or so, and were all made using DH's card. We also had a letter today from Next, addressed to a man we've never heard of, thanking him for advising them of his change of address. So Next have given us a fraud case ID number and have put a block on account applications from our address. The bank fraud team will contact us tomorrow.

How gutting. We're lucky that DD1's DLA gets paid into a different account, so we can use that for a few days and reimburse it when we get reimbursed by the bank. If it got paid into the same account we'd be absolutely done for.

ThisIsPlanetEarth · 06/06/2016 20:52

This happened to us when my daughter was a baby, someone used my husband's credit card details. They bought stuff from Mamas and Papas, really expensive buggy/pram, other shops and jewellery from Lynx of London. We got a letter to our house with a false name on it. The irony is that I'd bought a cheap pram from Mothercare whilst these a*holes were buying expensive prams for nearly £400! My husband had bought stuff online, had used iTunes and other sit's. He got the money taken off his card and the card cancelled. I rarely buy stuff online anyway but this has made me more careful.

ThisIsPlanetEarth · 06/06/2016 20:53

Used other sites not sit's!

happybee1 · 06/06/2016 21:20

This happened to me in a well known family chain restaurant. They took my card away and took their time. I didn't think anything of it at the time but got a call from my cc company telling me that the card had been used fraudulently. Spent £100's in restaurants and clubs in the middle of the night eg 3am. It was a pain as I was sent a statement and had to mark out all the purchases that weren't mine. It went on for ages.
I always try and use a cc rather than a debit card as at least the money doesn't actually come out of your account straight away.
Petrol stations are notorious for this. One near where I used to live got done for it, they had been cloning cards for a long time.
My friend has had her online account hacked twice and money taken out of it.
My bil was sent a letter thanking him for signing up with a new phone to a mobile provider. He hadn't.
I do think shops should ask before they use your card contactlessly. A shop assistant did that to me the other day and I was cross, they should ask first.
Good luck op, I hope it gets sorted soon.

holdinghands · 06/06/2016 21:24

Someone managed to get my bank account details but not my card details and set up a direct debit on my account with the AA. When I phoned the AA I was told "well they're your details so it must have been you who set it up"! They got my house number wrong, didn't have a car number plate on the account (was told it was family membership so any car can be used [hmm]) and told me the 2 names and ages on the policy, one was a 9 year old girl! They even set up an email address in my name. The AA were really unhelpful. Barclays on the other hand put the money straight back into my account, within minutes, and always ring if they think any card transactions are unusual.

PrancingQueen · 06/06/2016 21:49

This happened to me after I booked a flight with a well known budget airline a few years ago.
The numpties opened up a Sky account (so presumably there was an address), spent around £500 on taxis in 2 days [hmm] so I reckon the cab co were in on it, and best of all, paid a CCJ using my card details [confused]

Despite the fact it caused me a lot of stress (I had just moved abroad so was having to call the UK constantly to sort it out) I was not informed of the outcome, although my money was refunded.
I was also worried it would affect my credit history in some way (it didn't).
They must have had names and addresses, but reading some posts here, it sounds likely that the bastards got away with it [angry]

AnneElliott · 06/06/2016 23:00

This happened to us too. Card cloned at a Shell petrol station in Essex as we went to visit DH's aunt as his uncle had just died.

Also we had it done at a restaurant in York. The thief went and spent £200 in a Sari shop in Leeds. Bank wanted evidence that it wasn't me.

I think petrol stations are very common. Another Shell one near us was doing it and people stopped going there. Shell put up a sign saying they had sacked all the staff but locals still wouldn't go back.

clicknclack · 07/06/2016 01:33

OP, sounds like this is thankfully all going to be fixed!

We had the opposite problem. We had booked plane tickets for an expensive once-in-a-lifetime trip to a sporting event abroad that we'd been saving up for for some time. I got online during the middle of the night to get tickets and had spent many hours trying to get them for our family while the website kept crashing. In the early morning I finally got all the tickets booked I needed and went to pay for them and our little regional bank declined the payment on our credit card because it was an unusual purchase. GAH! I only had so many minutes to complete the transaction and didn't have another card to pay for it and the tickets were going crazy fast. I called a family member and begged them to let me use their card and promised promised promised I wouldn't use it in any other way and got the tickets. The next morning as I was sleeping off the nighttime 'excitement' our bank called to ask if they should authorize the payment....

Cantstopeatingchocolate · 07/06/2016 09:11

My CC got cloned at a well known supermarket petrol station (pay at the pump) but my CC company phoned me later that day as it had been used to buy phone top ups which I have never done as I have a contract phone. They were great and refunded me immediately but when I phoned the supermarket to let them know a cloning device was being used, the person I spoke to just said 'oh ok' I was raging!!!
Last year our joint account was emptied. I got a text telling me I was close to my overdraft limit, checked online account on my phone, it looked OK. A bit more overdrawn than I expected but thought I'd just check on PC when I got home. There were 6 huge payments to companies I had never heard of, phoned the bank straight away, turns out it was being used somewhere in Haiti!!!!!! And worse there was still another £500 to leave my account. First time in years that I have been so close to tears I almost lost it on the phone to the bank. Bank refunded me thankfully.
We had only used the account in food supermarkets and online so it must have been cloned from one of those transactions. Crazy how far away it was used though.
I am now super careful anywhere I have to put in my PIN and totally cover up the screen and only buy online with big well known companies so I don't have to remember to check for the padlock on the bottom of the screen. You get quite lax when online when you haven't had any problems.

Bolograph · 07/06/2016 09:17

Message deleted by MNHQ.

surfandturfcamp · 07/06/2016 10:03

Really sorry to hear of your experience - grim.
I had one of my home computers hacked. Now I set everything up so I get a PIN to my phone, as well as using a password. (It's called 2 factor.) By using something that you have 'your phone' to get a random PIN and something that you know your password, you make it harder for hackers. Soon there are systems coming that will allow us to use our face/selfie plus fingerprint so you'll be able to set up and log into accounts just by being yourself...

LurkingHusband · 07/06/2016 10:40

Bank wanted evidence that it wasn't me.

There is an existential problem trying to prove a negative ....

user1464519881 · 07/06/2016 10:45

Yes, that's the problem for both sides. There are a load of fraudster bank customers out there who pretend someone stole their card but in fact it was they who took the money and bought the goods. So banks sometimes say well it must have been you. Then occasionally it's found the bank was wrong as Janice who works at Nat West in Slough had her hand in the till in effect and was handing out personal passwords or other details to her criminal boyfriend.

I am even more concerned about conveyancing fraud done on Fridays when solicitors are very busy completing sales. Some of the emails from fraudsters look just like the client's or the solicitor's email and they inevitably say a bank account detail has changed and to send the money somewhere new. Never ever take that at face value or a phone call. Best in person or by post at the start of instructing them get the bank details of both sides and don't let it be changed on any account. It is not at all clear that the solicitors (or their clients) are in the wrong in these cases as the emails are so convincingly copied and it may well be the client's poor home wifi which allowed the hack.

LurkingHusband · 07/06/2016 10:50

Soon there are systems coming that will allow us to use our face/selfie plus fingerprint so you'll be able to set up and log into accounts just by being yourself.

Using biometrics is not 2-factor authentication, and will (I suspect) be a flash in the pan. Mythbusters proved that you can fool a fingerprint reader with Gummi Bears. And once a fingerprint is compromised, what do you do ? We have yet to find the "reset my fingerprint" button on the human body.

Seems most UK banks are providing 2-factor authentication as standard (the card readers you need to complete some online actions). And if you have an Android device, there are quite a few sites using Google Authenticator.

Hopefully, through threads like this, people's awareness of what can be done will be raised, and market pressure will drive better security.

Personally, I think we are still in a transitory phase, and there's an awful lot more functionality that is going to coalesce into our phones before the decade is out. I can see VbV and various other schemes being replaced with something (like) a system where every online transaction generates a QR code, which you need to scan with your phone which will respond back to the requesting merchant, thus authorising the payment. Advantage of this would be it would apply at home or in store (cashier's terminal displays the code).

The coming work on blockchain also looks to be a valuable weapon against fraud ...

Report
LurkingHusband · 07/06/2016 10:56

Unless you see the suspect take receipt of the parcel / or find the goods it can be quite difficult.

Given that almost all delivery drivers are using something like a smartphone-based system to log deliveries, you'd think it would be the work of one of these genius "programmers" they have these days to add a feature to require a photograph of the person the parcel was handed to at the door ? I know there will be some fuddy-duddies grumbling about privacy (I suggest they get with the program and see how much CCTV the UK has). But I have a feeling it would reduce these mail-order frauds immensely, as it would give the police a nice mugshot to work with. No photo. No parcel.

It's instructive when you weigh what could be done against what is being done ...

Bolograph · 07/06/2016 10:58

only buy online with big well known companies so I don't have to remember to check for the padlock on the bottom of the screen.

That is precisely the wrong way around. It is not worth an attacker with the capability to re-route traffic sufficient to perform a man-in-the-middle attack using that capability to pose as Uncle Joe's Online Craft Emporium, because their attack is likely to be uncertain and difficult to use, and most of the time no-one is visiting Uncle Joe's Online Craft Emporium anyway. An attacker who can pull off the attacks that TLS certificates protect against will use that capability to attack Amazon, because there's plenty of traffic to it and an attack which grabs 0.01% of connections will still pay dividends.

It's almost a standard exam question for an MSc security course:

(a) Describe three common attacks on end-user networks such that an attacker would be able to intercept traffic between local users and a remote site such as Amazon. (3 marks)

(b) Describe the technical countermeasures that could realistically be implemented to reduce the risks of these attacks (6 marks).

(c) What user education could you undertake which would render some of these attacks less effective? Which attacks would still be usable? (3 marks).

The answer to (c) is almost always "checking that the certificates are OK". Attacks which work in the face of users who check certificates are possible, but they are difficult and usually rely on substantial compromise of end systems. If you have an opponent who doesn't check the certificate, then everything is piss-easy and almost any response to (a) works.

Bolograph · 07/06/2016 11:03

Using biometrics is not 2-factor authentication

Indeed. It can work, if both the equipment and the act of presenting the biometric are under continuous guard (as in, say, the automatic immigration gates at airports) but even then I can't say it fills me with joy.

But using thumbprints to do anything other than unlock a phone is a complete non-starter.

The coming work on blockchain also looks to be a valuable weapon against fraud

Indeed. Ripe field for PhDs if anyone fancies doing one (I did mine slightly too early for this).

Bolograph · 07/06/2016 11:05

Given that almost all delivery drivers are using something like a smartphone-based system to log deliveries, you'd think it would be the work of one of these genius "programmers" they have these days to add a feature to require a photograph of the person the parcel was handed to at the door?

That's a very good idea: I've seen any discussion of it, so perhaps you should float it to DPD or someone and ask for a consultancy gig!

As you say, people who object can just accept they won't be able to get parcels.

ijustwannadance · 07/06/2016 11:12

Lurking
I now have mental images of giant gummi bears stealing our identities. The wobbly bastards. [shock] [grin] [bear]

Bolograph · 07/06/2016 11:24

There are biometrics which are harder to steal, and do "liveness" checks: for example, palm-vein readers are non-contact, and use the same technology as pulse-ox meters that are clipped on your finger in hospital to ensure that the palm being read has a pulse; the reader only works when the veins have oxygenated blood in them, and the reader also checks that it's pulsing at a sensible rate.

However, all of those checks are moot if the attacker can work on the equipment in the comfort of their own home; producing tamper-resistant equipment which only produces the expected, authentic result and shuts down irretrievably when fiddled with is difficult enough when the device is subject to inspection by the people relying on its output. It's extraordinarily difficult (not impossible, but difficult, and expensive to assure) if the device is in the possession of the attacker and not subject to inspection.

LurkingHusband · 07/06/2016 11:34

Given that almost all delivery drivers are using something like a smartphone-based system to log deliveries, you'd think it would be the work of one of these genius "programmers" they have these days to add a feature to require a photograph of the person the parcel was handed to at the door?

That's a very good idea: I've seen any discussion of it, so perhaps you should float it to DPD or someone and ask for a consultancy gig!

The problem is, DPD - et al - are not primarily interested in reducing courier fraud (in the same way banks are not interested in reducing online fraud). So unless the exercise can be pitched as a way to make money, it's doomed to failure. Unless you can convince them that reducing courier fraud is a money-spinner (either directly or as a function of marketability). I suspect the amount of money DPD loses to such fraud is low enough that they have little incentive to innovate. And as long as banks can hide their fraud losses by charging fees on overdrafts and the like, the same applies there.

Welcome to Adam Smith's world.

Anyway, returning to blockchain, one of the issues with a courier-snap would be ability to demonstrate provenance in a court of law. So now you are looking at hashing the image with timestamp to a standard that would be acceptable in a court - if it ever got that far. I'm a techie, not a lawyer, so I have no idea what precedents - if any - UK courts could use in a case where provenance of a digital image is key to an action. Obviously a blockchain-secured key would be ideal, but you'd need to get a blockchain infrastructure in place first. I refer you to my point about rewards for innovation versus cost of losses.

(Non-UK readers can probably ignore all this - it's quite peculiar to the UK mindset, where the dictionary entry for "investment" says "see 'loss'").

Bolograph · 07/06/2016 11:43

Courts will accept expert witness for provenance; you are being too techy (hey, I'm techy!) in thinking of the solutions to these things as being about technology. You'd need an expert witness to attest to the authenticity of the photograph, you'd need an expert witness to attest to the integrity of the blockchain. The former is more likely to be understandable to a jury than the latter, so even if there were a blockchain construction the expert witness wouldn't go through it anyway, they'd just use it as an input to their "yep, I'm an expert, looks OK to me" process.

You don't need a blockchain in order to hash photographs anyway: the benefit of a blockchain is that it removes an attacker's ability to delete a photograph in the middle of the sequence, and it removes a verifying party's reliance on assertions of tamper resistance in the device used to form the hashes. But for a situation like this, that seems a refinement you don't really need. If you're assuming the courier is in on the scam it doesn't matter what you do, because the courier would simply take photographs of randoms in the street a minute before or after delivery; if you're assuming the courier isn't in on the scam, you don't need to protect against the courier staging an active attack on the phone.

Report
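The distinction drawn in the post above, as an added example that is not part of the original thread: hashing each delivery photo with its timestamp on its own detects an altered photo but not a record deleted from the middle of the sequence, whereas linking each record to the hash of the previous one detects both. The record layout, field names and sample photo bytes are constructed for illustration, and this is a plain hash chain, not a full blockchain.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's "prev"

def photo_digest(photo: bytes) -> str:
    return hashlib.sha256(photo).hexdigest()

def record_hash(prev: str, ts: str, digest: str) -> str:
    # Canonical JSON so identical fields always produce the identical hash.
    body = json.dumps({"prev": prev, "ts": ts, "photo": digest},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def build_log(deliveries):
    """deliveries: list of (timestamp, photo_bytes) -> list of chained records."""
    log, prev = [], GENESIS
    for ts, photo in deliveries:
        digest = photo_digest(photo)
        entry = {"ts": ts, "photo": digest, "prev": prev,
                 "hash": record_hash(prev, ts, digest)}
        log.append(entry)
        prev = entry["hash"]
    return log

def verify_per_photo(log, photos) -> bool:
    """Unchained check: each stored photo matches the digest in its own record."""
    return len(log) == len(photos) and all(
        photo_digest(p) == r["photo"] for r, p in zip(log, photos))

def verify_chain(log, photos, trusted_head: str) -> bool:
    """Chained check: recompute every link, then compare the last hash with a
    head value held somewhere the keeper of the log cannot rewrite."""
    if not verify_per_photo(log, photos):
        return False
    prev = GENESIS
    for r in log:
        if r["prev"] != prev or record_hash(prev, r["ts"], r["photo"]) != r["hash"]:
            return False
        prev = r["hash"]
    return prev == trusted_head

def demo():
    # Constructed sample data: three deliveries with stand-in photo bytes.
    photos = [b"photo-A", b"photo-B", b"photo-C"]
    stamps = ["2016-06-07T09:00:00Z", "2016-06-07T09:20:00Z", "2016-06-07T09:45:00Z"]
    log = build_log(list(zip(stamps, photos)))
    head = log[-1]["hash"]
    # Case 1: the middle delivery is deleted from both the log and the photo store.
    cut_log, cut_photos = log[:1] + log[2:], photos[:1] + photos[2:]
    # Case 2: a photo is swapped after the fact, log left untouched.
    swapped = [photos[0], b"someone-else", photos[2]]
    return {
        "intact": verify_chain(log, photos, head),
        "deletion_per_photo": verify_per_photo(cut_log, cut_photos),  # passes: missed
        "deletion_chained": verify_chain(cut_log, cut_photos, head),  # fails: caught
        "swap_per_photo": verify_per_photo(log, swapped),             # fails: caught
    }
```

The chained check only means something if the head hash is lodged with a party the log's keeper cannot rewrite; someone who controls both the log and the head can rebuild the chain after the deletion. As the post says, none of this helps if the photograph itself was staged.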
LurkingHusband · 07/06/2016 11:49

Bolograph

As soon as the money men realise there's nothing for them, you and I are just talking amongst ourselves ....



mizuzu · 07/06/2016 12:05

Sorry about that op, you will get it back though, sounds like a card clone

changshaaini · 07/06/2016 12:16

All very interesting though, Lurking and Bolograph, although I can't make head or tail of it.

OP, how awful for you [cake] I can't believe people do this x

LurkingHusband · 07/06/2016 12:38

you'd need an expert witness to attest to the integrity of the blockchain

The Great White Hope is that - after a suitable precedent - you won't need to. In the same way you don't need experts to "prove" DNA fingerprinting in every court case it's used as evidence. Which explains why there are so many lawyers crawling around blockchain fora ...
