After uphill battle, bank refunds $12,000 to skimming victim

Commonwealth Bank of Australia eventually reversed its decision to deny a Sydney man a refund for fraudulent withdrawals from his account

The still photos captured by CCTV are fuzzy: a figure wearing a track suit, a pair of sneakers and a black hooded sweatshirt, standing at various cash machines in northern Sydney in the middle of the night.

In June and early July, the shadowy figure withdrew a total of A$11,790 (US$12,217) from the account of Louay El-sayah, a 38-year-old construction manager from Sydney. (See a map of the withdrawals here.) El-sayah, who has five children, reported the theft to his bank, Commonwealth Bank of Australia, one of the country's largest financial institutions.

After a 45-day waiting period, El-sayah was denied a refund. "I didn't expect that," he said. "Not from Commonwealth Bank."

After several in-person efforts by El-sayah and a telephone query last Friday from IDG News Service, Commonwealth reversed its decision on Monday and will refund his money. But El-sayah's experience highlights the battle consumers can face when claiming fraud on their accounts, and the many reasons banks can use to deny those claims.

[Map: The path of a fraudster, one late-night withdrawal at a time]

El-sayah appears to have been a victim of "skimming," an attack where a person's debit card details are copied from the magnetic stripe on the back of their card and encoded onto a fake card. The four-digit PIN can be recorded by observation or by modifying the PIN pad on point-of-sale devices or ATMs.

Skimming attacks are still successful in Australia since most banks have not yet fully implemented an upgraded security system being rolled out worldwide called EMV (Europay, MasterCard, Visa). EMV debit and credit cards have a microchip that facilitates a complicated cryptographic transaction that so far has not been defeated by criminals.

Many Australian ATMs, however, continue to rely on the card's magnetic stripe, even if the card has a microchip. Because of how the machines are configured, ATMs can't always detect whether a real or a cloned card is being used, although banks are upgrading the ATMs to the EMV specification. This makes it harder for fraud victims to prove they aren't lying, since the banks see only that a valid PIN was entered.
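The weakness described above is that a terminal reading the magnetic stripe cannot tell a cloned stripe from the original. What the stripe does carry is a service code that tells the terminal whether the card has a chip, so an issuer can recognise a "fallback" transaction (chip card, but stripe read) and decline or step it up. The following is an added example, not code from the article or from any bank's system: it parses ISO/IEC 7813 Track 2 data and applies that check. The track string, the entry-mode labels and the `assess` decisions are constructed assumptions; the PAN is the well-known Visa test number.

```python
"""Added example (not from the article): parse ISO/IEC 7813 Track 2 data as an
issuer host would see it, and flag a magnetic-stripe transaction made with a
card whose service code says the chip should have been used (EMV fallback).
The sample track data is constructed; the PAN is a public test number."""

from dataclasses import dataclass

# Service-code first digit (ISO/IEC 7813): 2 and 6 mean "IC chip present,
# use chip where possible"; 1 and 5 mean magnetic stripe only.
CHIP_SERVICE_CODES = {"2", "6"}


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def parse_track2(raw: str) -> Track2:
    """Parse Track 2: ';' PAN '=' YYMM SSS discretionary '?' (sentinels optional)."""
    body = raw.strip().lstrip(";").rstrip("?")
    if "=" not in body:
        raise ValueError("no field separator '=' in track 2 data")
    pan, rest = body.split("=", 1)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("invalid PAN length or characters")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry and service code must be 7 digits")
    return Track2(pan=pan, expiry_yymm=rest[:4],
                  service_code=rest[4:7], discretionary=rest[7:])


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation. A cloned stripe carries the genuine PAN and
    passes this too, so it is a sanity check, not a fraud control."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masked_pan(pan: str) -> str:
    """Never log a full PAN; keep first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_fallback(track: Track2, entry_mode: str) -> bool:
    """True when the card advertises a chip but the data was read from the stripe.
    entry_mode is an assumed label: 'chip' or 'magstripe'."""
    return entry_mode == "magstripe" and track.service_code[0] in CHIP_SERVICE_CODES


def assess(raw_track: str, entry_mode: str) -> str:
    """Assumed issuer decision for one ATM authorisation request."""
    t = parse_track2(raw_track)
    if not luhn_ok(t.pan):
        return "reject: PAN fails Luhn"
    if is_fallback(t, entry_mode):
        return f"decline: chip card {masked_pan(t.pan)} presented as magstripe (fallback)"
    return "continue: normal authorisation"


if __name__ == "__main__":
    # Constructed sample: chip-capable card (service code 201), stripe read.
    SAMPLE = ";4111111111111111=27122011234567890?"
    print(assess(SAMPLE, "magstripe"))
    print(assess(SAMPLE, "chip"))
```

Declining fallback outright is the strictest policy; an issuer that must keep serving stripe-only terminals during a migration can instead route such transactions to a lower limit or a cardholder confirmation step, which is the point the article makes about ATMs that still read the stripe of chip cards.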

Ross Anderson, a professor of security engineering at Cambridge University's Computer Laboratory, said the upgrade to EMV may even make it more difficult for customers because "banks will start claiming that since the system is now secure, customers who complain must be at fault."

"Of course, EMV has vulnerabilities too, and you'll see them being exploited in due course," said Anderson, who has extensively studied payment systems.

El-sayah said he was always in possession of his debit card and never revealed his PIN to anyone else. El-sayah, who describes himself as a "pretty paranoid person," said he was shocked by the fraud. Five of the withdrawals were for $2,000 each. "In this case, someone is pulling $2,000 out of my account every night and nobody contacted me," he said.
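The pattern El-sayah describes, a limit-sized withdrawal every night with no contact from the bank, is exactly what an issuer-side velocity rule exists to catch. The block below is an added example, not code from the article or from Commonwealth Bank: it runs a simple sliding-window rule over constructed withdrawal records and returns the moment an account should have been put on hold. The record format, the A$2,000 limit, the night-time hours and the threshold of two hits in seven days are all assumptions for illustration.

```python
"""Added example (not from the article): a minimal issuer-side velocity rule
run over constructed ATM withdrawal records, showing the pattern (repeated
limit-sized withdrawals in the small hours) that should trigger a hold and a
call to the cardholder. Record format and thresholds are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

LIMIT = 2000                 # assumed daily ATM withdrawal limit (AUD)
NIGHT_HOURS = range(0, 5)    # 00:00 to 04:59 local time
HITS_TO_ALERT = 2            # second limit-sized night withdrawal fires the alert
WINDOW_DAYS = 7              # sliding window for counting hits

# Constructed records: timestamp, account id, amount, ATM id (one per line).
WITHDRAWALS = """
2011-06-28T01:12:00 acct-1 2000 ATM-NS-01
2011-06-29T02:40:00 acct-1 2000 ATM-NS-07
2011-06-30T01:55:00 acct-1 2000 ATM-NS-03
2011-06-30T12:10:00 acct-2 200 ATM-CBD-02
2011-07-02T03:05:00 acct-1 2000 ATM-NS-09
"""


def parse_records(text):
    """Turn the whitespace-separated records into sorted (ts, acct, amount, atm) tuples."""
    out = []
    for line in text.strip().splitlines():
        ts, acct, amount, atm = line.split()
        out.append((datetime.fromisoformat(ts), acct, int(amount), atm))
    return sorted(out)


def velocity_alerts(records):
    """Return {account: timestamp of the withdrawal that should have triggered a hold}.
    Rule: HITS_TO_ALERT or more limit-sized night-time withdrawals within WINDOW_DAYS."""
    night_hits = defaultdict(list)
    alerts = {}
    for ts, acct, amount, atm in records:
        if amount < LIMIT or ts.hour not in NIGHT_HOURS:
            continue                     # ordinary daytime or small withdrawal
        cutoff = ts - timedelta(days=WINDOW_DAYS)
        hits = [h for h in night_hits[acct] if h >= cutoff] + [ts]
        night_hits[acct] = hits          # keep only hits inside the window
        if len(hits) >= HITS_TO_ALERT and acct not in alerts:
            alerts[acct] = ts            # first moment the rule fires
    return alerts


def exposure_after_alert(records, alerts):
    """Amount withdrawn from each alerted account after the alert fired, i.e.
    the loss that a hold at that point would have prevented."""
    exposure = defaultdict(int)
    for ts, acct, amount, atm in records:
        if acct in alerts and ts > alerts[acct]:
            exposure[acct] += amount
    return dict(exposure)


if __name__ == "__main__":
    recs = parse_records(WITHDRAWALS)
    fired = velocity_alerts(recs)
    for acct, ts in fired.items():
        print(f"{acct}: hold and call cardholder at {ts.isoformat()}")
    print("preventable loss:", exposure_after_alert(recs, fired))
```

On the constructed data the rule fires on the second night, and the two later withdrawals (A$4,000) are the amount a hold at that point would have prevented. A real deployment tunes the thresholds against the issuer's own traffic so that legitimate travellers are not locked out, but the point stands that repeated maximum-limit withdrawals at night are cheap to detect.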

He says bank personnel initially advised him to destroy his debit card and not to file a police report. But a subsequent letter from Commonwealth dated Aug. 15 cites the lack of a police report as one reason for rejecting his claim. He later filed a police report anyway, despite the reluctance of the police to accept it.

The letter says his refund was denied under sections 5.5 and 5.6 of the Electronic Funds Transfer Code of Conduct, a set of rules followed by Australian banks regarding payment system problems. The code gives wide leeway to banks when making decisions about fraud.

Commonwealth also said El-sayah's card was used with the correct PIN on the first attempt. "Entry of correct code at first attempt in an unauthorized transaction is a significant factor in determining liability," the letter states.

The bank also says that having a high withdrawal limit increases the liability consumers can have for fraud. El-sayah's limit was $2,000. The high total amount of the fraud was continually referenced by Commonwealth personnel when discussing his case, despite also telling him he was a victim of skimming.

After receiving the letter, El-sayah contested the decision more aggressively. When IDG News contacted Commonwealth's media office on Friday, spokeswoman Tracy Hicks said that "the number of transactions that took place is obviously an issue" and that the bank was obtaining CCTV footage.

On Monday, in a rare move, El-sayah was allowed to view still images taken by the cameras during some of the fraudulent withdrawals. The images, however, were of low quality, and the perpetrator's face was obscured by the hooded sweatshirt, El-sayah said.

Later on Monday, El-sayah was informed he would receive a refund. Had it not been for the increased pressure on the bank, "I don't think I would have gotten the refund," he said.

Commonwealth's Hicks declined to discuss El-sayah's case further on Tuesday, and the bank did not respond to an email requesting an interview with Commonwealth executives about its fraud policies.
