The still photos captured by CCTV are fuzzy: a figure wearing a track suit, a pair of sneakers and a black hooded sweatshirt, standing at various cash machines in northern Sydney in the middle of the night.
In June and early July, the shadowy figure withdrew a total of A$11,790 (US$12,217) from the account of Louay El-sayah, a 38-year-old construction manager from Sydney. (See a map of the withdrawals here.) El-sayah, who has five children, reported the theft to his bank, Commonwealth Bank of Australia, one of the country's largest financial institutions.
After a 45-day waiting period, El-sayah was denied a refund. "I didn't expect that," he said. "Not from Commonwealth Bank."
After several in-person efforts by El-sayah and a telephone query last Friday from IDG News Service, Commonwealth reversed its decision on Monday and will refund his money. But El-sayah's experience highlights the battle consumers can face when claiming fraud on their accounts, and the many reasons banks can use to deny those claims.
View The path of a fraudster, one late-night withdrawal at a time in a larger map
El-sayah appears to have been a victim of "skimming," an attack where a person's debit card details are copied from the magnetic stripe on the back of their card and encoded onto a fake card. The four-digit PIN can be recorded by observation or by modifying the PIN pad on point-of-sale devices or ATMs.
Skimming attacks are still successful in Australia since most banks have not yet fully implemented an upgraded security system being rolled out worldwide called EMV (Europay, MasterCard, Visa). EMV debit and credit cards have a microchip that facilitates a complicated cryptographic transaction that so far has not been defeated by criminals.
Many Australian ATMs, however, continue to rely on the card's magnetic stripe, even if the card has a microchip. Due to how the machines are configured, ATMs can't always detect whether a real or a cloned card is being used, although banks are upgrading the ATMs to the EMV specification. It makes it harder for fraud victims to prove they aren't lying since the banks see only that a valid PIN was entered.
Ross Anderson, a professor of security engineering at Cambridge University's Computer Laboratory, said the upgrade to EMV may even make it more difficult for customers because "banks will start claiming that since the system is now secure, customers who complain must be at fault."
"Of course, EMV has vulnerabilities too, and you'll see them being exploited in due course," said Anderson, who had extensively studied payment systems.
El-sayah said he was always in possession of his debit card and never revealed his PIN to anyone else. El-sayah, who describes himself as a "pretty paranoid person," said he was shocked by the fraud. Five of the withdrawals were for $2,000 each. "In this case, someone is pulling $2,000 out of my account every night and nobody contacted me," he said.
He says bank personnel initially advised him to destroy his debit card and not to file a police report. But a subsequent letter from Commonwealth dated Aug. 15 cites the lack of a police report as one reason for rejecting his claim. He later filed a police report anyway, despite the reluctance of the police to accept it.
The letter says his refund was denied under sections 5.5 and 5.6 of the Electronic Funds Transfer Code of Conduct, a set of rules followed by Australian banks regarding payment system problems. The code gives wide leeway to banks when making decisions about fraud.
Commonwealth also said El-sayah's card was used with the correct PIN on the first attempt. "Entry of correct code at first attempt in an unauthorized transaction is a significant factor in determining liability," the letter states.
The bank also says that having a high withdrawal limit increases the liability consumers can have for fraud. El-sayah's limit was $2,000. The high total amount of the fraud was continually referenced by Commonwealth personnel when discussing his case, despite also telling him he was a victim of skimming.
After receiving the letter, El-sayah contested the decision more aggressively. When IDG News contacted Commonwealth's media office on Friday, spokeswoman Tracy Hicks said that "the number of transactions that took place is obviously an issue" and that the bank was obtaining CCTV footage.
On Monday, in a rare move, El-sayah was allowed to view still images taken by the cameras during some of the fraudulent withdrawals. The images, however, were of low quality, and the perpetrator's face was obscured by the hooded sweatshirt, El-sayah said.
Later on Monday, El-sayah was informed he would receive a refund. Had it not been for the increased pressure on the bank, "I don't think I would have gotten the refund," he said.
Commonwealth's Hicks declined to discuss El-sayah's case further on Tuesday, and the bank did not respond to an email requesting an interview with Commonwealth executives about its fraud policies.
Send news tips and comments to email@example.com