ATM fraud refunds may not come quickly, if at all

Many banks say they'll provide a refund for stolen funds, but obtaining it can be a challenge

In early April, A$800 vanished from my account, the result of a late-night withdrawal from a cash machine in a Sydney neighborhood I'd never been to before.

It's a type of fraud that happens frequently: Criminals attach devices to cash machines that record the account data stored on the magnetic stripe on the back of the card, a practice known as skimming. The card's PIN (Personal Identification Number) can be spied with a secret camera or a fake number pad overlay.

As a reporter who covers computer security and fraud, I'm aware how easy it is to become a victim of skimming and how difficult it is to defend against. But I've always been more worried about how I'd get the money back than about actually being skimmed, since banks seem less inclined these days to assume liability.

Most banks in the U.K. and Australia would like you to believe they always refund stolen funds. But the reality is that a bank can easily deny a refund based on flimsy reasoning that leaves consumers with little recourse other than going to court.

Commonwealth Bank of Australia is one of the major banks in the country. It assures customers on its website that it will "guarantee to refund any fraudulent transactions that take place within five days from when you report the incident to us."

In my case, things didn't go so smoothly.

I reported the theft within a couple of hours of the transaction and answered the standard liability questions: I hadn't told anyone else my PIN, or written it on the back of the card, etc., and I asked for a refund.

Five days later, Commonwealth Bank sent me a letter saying it had closed the investigation. They explained vaguely that the transaction had been executed using my PIN. Fraud investigators never called me.

Banks would like you to believe that the use of the PIN means that you, the cardholder, performed the transaction, and are therefore liable for it. But the reasoning is flawed. The cash machine verifies only that the correct PIN was used, not that the person who entered the PIN was the actual cardholder.

Nonetheless, it can be grounds to refuse a refund. Stephen Mason, a U.K.-based barrister, has written extensively about security weaknesses and legal issues with cash cards and bank machines in the U.K. and Europe. He represented a U.K. man who took the bank Halifax to court in 2009 over alleged "phantom" withdrawals and lost.

"The banks will deny that their systems suffer from any weaknesses, placing the blame squarely on the customer," Mason wrote in a March article for Butterworths Journal of International Banking and Financial Law. And it will be up to the customer to point out to the judge that there is a series of past cases illustrating the weaknesses, he wrote.

Like banks in many European countries, Australian banks issue debit and credit cards with a microchip that verifies the correct PIN has been entered. In Europe, the system is called EMV, or chip-and-PIN, while in Australia it is called EFTPOS. The U.S. doesn't yet have a chip-and-PIN system, but Visa and MasterCard plan to introduce one.

EFTPOS should have prevented the kind of fraud I experienced. When a criminal copies the information in a magnetic stripe, they can encode it into a dummy card. But cash machines are supposed to verify a microchip is present, and criminals aren't thought to have figured out how to copy microchips yet, though security researchers have found other weaknesses in the EMV system.

The problem is, some cash machines still process transactions even if a card doesn't have the chip, allowing fraudsters to withdraw funds using cloned cards. Fixing the problem will require banks to upgrade all their ATMs, which takes time.

Skimming victims can sometimes prove to their banks that they didn't do a transaction. Cash cards contain an Application Transaction Counter (ATC), which records the number of times a card has been used. An ATC with one less transaction than was performed would presumably be evidence that a bank's customer wasn't lying about withdrawing money.
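To make the ATC reasoning above concrete, here is an added, hypothetical issuer-side check (not code from the article or any bank's systems): it compares the counter read from the genuine chip with the transactions the issuer logged and reports whether the chip could have been present for the disputed withdrawal. The `Txn` record, the entry-mode labels and the ledger values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Txn:
    ref: str
    amount: float         # Australian dollars
    entry_mode: str       # "chip" (EMV/EFTPOS read) or "magstripe" (fallback, chip not read)
    atc: Optional[int]    # ATC the chip reported in the authorisation; None for magstripe


def assess_dispute(card_atc: int, ledger: list, disputed_ref: str) -> dict:
    """Hypothetical check: can the genuine chip account for the disputed transaction?"""
    chip_atcs = [t.atc for t in ledger if t.entry_mode == "chip" and t.atc is not None]
    disputed = next(t for t in ledger if t.ref == disputed_ref)
    # The ATC increments once per chip transaction (declined attempts included), so a
    # genuine chip can never show fewer transactions than the issuer has already seen.
    counter_plausible = card_atc >= max(chip_atcs, default=0)
    # A transaction is chip-backed only if it carried an ATC the card's counter covers.
    chip_present = (disputed.entry_mode == "chip"
                    and disputed.atc is not None
                    and disputed.atc <= card_atc)
    # Chip-capable cards should not normally transact by magnetic stripe at all; every
    # fallback entry is a transaction a cloned stripe could have produced.
    fallback = [t.ref for t in ledger if t.entry_mode == "magstripe"]
    return {
        "counter_plausible": counter_plausible,
        "chip_present_for_disputed": chip_present,
        "fallback_transactions": fallback,
        "verdict": ("chip verified the transaction" if chip_present
                    else "no chip evidence: cloned magnetic stripe possible"),
    }


# Constructed sample ledger (not real account data): three chip transactions, then a
# disputed $800 withdrawal processed as a magnetic-stripe fallback with no ATC.
SAMPLE_LEDGER = [
    Txn("T1", 35.20, "chip", 41),
    Txn("T2", 12.00, "chip", 42),
    Txn("T3", 88.50, "chip", 43),
    Txn("T4", 800.00, "magstripe", None),
]
CARD_ATC_READ = 43  # assumed value read from the genuine card during forensic analysis

if __name__ == "__main__":
    print(assess_dispute(CARD_ATC_READ, SAMPLE_LEDGER, "T4"))
```

The card's counter accounts for exactly the three chip transactions; the fourth, the disputed one, is the "one less transaction than was performed" the article describes.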

I offered my card to Commonwealth Bank for forensic analysis but they didn't get back to me. I also asked if they had checked the footage from security cameras where the withdrawal occurred, or if they had filed a police report, but I got no reply.

"As any person who has had money removed from their account by a thief will be aware, making the bank understand that it was not the customer who withdrew the money can be far from easy," Mason wrote in his journal article.

I finally saw the $800 put back in my account after I sent a stern letter modeled on a draft that Mason created, intended for use by people who are having trouble getting a refund. After I received my refund, I decided to write a column about skimming.

Commonwealth Bank spokeswoman Tracy Hicks said no one could be found to answer my questions, while other queries couldn't be answered on security grounds.

Illustrating their reluctance to discuss the topic, Commonwealth Bank even declined to verify that a document I had with the terms and conditions for consumer accounts, including information about liability for fraud, was up-to-date and reflected current policy.

The bank does subscribe voluntarily to Australia's Electronic Funds Transfer Code of Conduct, which describes liability in the case of disputed transactions.

Generally, financial institutions in Australia have 45 days to investigate a disputed transaction, much longer than the five days in which Commonwealth says it will return stolen funds. But that speedy return may depend on how eloquently a consumer complains to the bank. In my case, the bank was more than happy at first to quickly close the case, disingenuously shifting the liability to me absent a real investigation.

If you've had trouble recovering money after a skimming incident and are willing to assist in my reporting, please contact me at the email address below.
