Credit card fraud - how is this scenario possible?

So I've just been into the fraud dept for a CC transaction.

I'd like to ask the wise OCers how this scenario is possible.

A transaction was carried out against my card on Sunday (14th) at 2pm on a random online retailer in Holland.

Apparently I approved the transaction according to the rep on the phone. Which I don't understand how that's possible. (i.e. fingerprint approval in app I assume)

Info:
The card itself doesn't come out of my wallet.
The wallet was in my house at the time.
The transaction was carried out on Firefox which I rarely use.
The ISP was SpaceX (crazy)

What I can't get over is that the transaction was approved.
How is this possible?

The only thing I can think of is a dodgy app with permissions to interact over the screen? But how would this approve a transaction by fingerprint?
Obviously I'm going through and trying to find apps with this permission level.

Other option is somehow I approved this by accident? Seems unlikely as it was only yesterday!

Anyone else know how this is possible?
 
Doesn't make sense to me, cards are easy enough to clone, but if a bank thinks you approved something you didn't approve they have a major issue. That would mean the bank doesn't have security so shouldn't be used. You're not a muppet so if you get tricked by unclear app ui it's still the bank's fault.

I'm curious which bank it was (so I can avoid them) and how they dealt with it after the conversation - did you get your money back, did they reset credentials, new cards, advice, etc?

It's Lloyds.

Yes they are refunding it as they can see it wasn't me. The conversation was fine. They didn't insinuate it was me. Just that they can see it was approved.

Only thing I can think of is some app can interact with my phone screen (I have a couple which can "draw" over the screen, I have removed these just in case).

The card has been destroyed. And I've asked them not to reissue as it's one of those purchase ones with 0pc I'm just paying off.

But if this was a dodgy app it would have to sign into the app, and approve it. Almost like remote desktop.
Because obviously it can't be approved by fingerprint remotely!
 
My main issue is the approval.
I get this card could be cloned,
Or data breach with details.

It's the approval granting I can't get my head around
 
I'd be tempted to think it's an error rather than really being approved. Lots of things would need to line up, plus if you "approved" it with biometrics they'd likely not be so quick to refund.

But this is just conjecture, I'd maybe ask them again to confirm how it was approved. If your device is compromised then you have problems

That's what I'm thinking.
It's a small amount.
Surely if my device was compromised this would be happening all over my accounts?

They said they couldn't confirm if it was app or text message. But that it was approved by one of those methods
 
Increasingly a lot of online sites/services have been using Swipe pay to handle CC transactions - there seems to be some IMO rather open to abuse authorisation issues with it if an unscrupulous person is in the right place in the chain.
It's quite possible.
Still, it doesn't bypass the reason Lloyds were saying approval was asked for.. And granted I guess
 
I know it's highly unlikely to be the case, but does the Lloyds app have a section that shows approved devices? Just to verify there aren't any other devices authorised?

On Barclays at least there is a manage devices section so I can check and remove any old devices.
Unfortunately not. I did also ask if there was a way I could see history of requests for myself.
 
Can they not confirm how the transaction was approved? I.e. if it was approved via the banking app then you've potentially got a serious problem with your phone.
I may ring them back and see if I can get this confirmed.
Like you say.. If it's my phone I either approved it without thinking about it (unlikely) or something seriously dodgy on it.

What I can't wrap my head around is they'd need not just visibility of my phone. But to actually be able to interact with it.

They'd need my card details.
And then be able to approve the transaction.
 
I'm also a bit confused about the approval thing. I use my Halifax Mastercard online a lot and the overwhelming majority of the time it only needs the card number, exp. date and CVV. The first two can obviously get stored online (and hacked/stolen etc.), but the latter should never be as far as I'm aware.

It rarely asks for any other authorisation, unlike my current account card which often makes me use the app to approve.

Did you have it specifically set up to require approval for all transactions?

I don't think there's an option for this, but I'd have it on if there was
 
I believe Lloyds use ThreatMetrix, ask the fraud investigator to check to see what device usage there was at the time of the transaction. If you logged into the app they will have a record of it.
This is really useful.
Because this would clear up some of the ambiguity.
 
You got hammered on Saturday night, flew to Amsterdam to bang a hooker, ended up taking some class A narcotics, flew back, wife found out and now you're trying to hide it and are using this thread as evidence.

That would be impressive from my tent on the hill in 3c! :D
 
@413x is your phone Android and have you ever used SMS with code to approve things linked to your Lloyds account, like setting up a new payee or approving a payment?
As above, it's possible your phone is compromised or someone carried out a sophisticated SMS attack.
I take it your phone is still functioning as normal and you can make and receive calls showing up as your normal mobile number?

I don't recall ever using SMS. But I can't be sure.
I'll try and make a call from it to my work phone.
But everything is working OK from my perspective.

Yeah, Android
 
Didn't you recently post that you installed a dodgy YouTube app on your phone to remove adverts?

I'd start there, if someone has full access to your phone they may be able to get card details from the banking apps/digital wallet and authorise transactions etc.
Yes I have taken this off in case it is. It's ReVanced and I've not seen anything on Reddit etc saying it is this. But just in case I have chopped it.
 
ReVanced itself is fine. Unless you get it from a non-official source. So in that sense it's the same as any app.

That's what I thought. And it's only my Lloyds account. Surely if they had that level of access (screen access) they'd do more than a 67 pounds online order.
 
In all probability, Lloyds are reading from a script and/or what their systems report on a screen, which says it was "authorised" by yourself when it probably wasn't. These things can grind away at you like you did something wrong or let your guard down, but most of the time it was nothing you did or didn't do. Sometimes you unfortunately just get hacked. Your details will be somewhere in an online dump, and someone got lucky for a short time. They will have already moved onto the next victim. Unless Lloyds are willing to give you more detailed info on what their systems show happened (tip: They won't) then you will never know the true extent of what happened.
I would try to move on. This will likely never happen again. I mean if it does, then you can worry. ;)

Like someone said.. I'm surprised they didn't fight it a bit more if I authorised payment.

Surely that isn't a lie? That would be really bad!

But yes. For now I'm just regularly checking my accounts just to catch any pending.
 