|Is this the worst fraud detection system ever?|
That’s certainly what an acquaintance of mine thinks after having his card cloned in December.
Criminals managed to make 26 cash withdrawals over a period of 20 days totalling around £9000. The withdrawals took place in Seoul, in South Korea. The most typical withdrawal size was just under £500.
They took the credit card right up to its credit limit and then just over before relenting.
What’s remarkable is that:
- The owner of the card had never used it to withdraw cash before (presumably the same as almost all credit cards, since the fees are too steep);
- The owner of the card had previously always made sure to let his bank know when he goes abroad which is rare and predictable anyway, and has never been to South Korea, or anywhere close;
- Even on the same days the card was being used to withdraw cash in South Korea, it was also being used for routine point of sale purchases, here in the UK.
This last point is worth dwelling on. How on earth the fraud management system did not flag this up is beyond comprehension.
Barclaycard never got in touch to check with the card owner until the card was completely maxed out. And when it did, it was to say that it had been alerted to possible fraud activity by another bank.
One can begin to understand the economics of card skimming and cloning, when a single card can yield such rich returns.
£9000 can cover the costs of a fair amount of dedication, a lot of failures and plenty of software development and market research. However, if the fraud management systems are this easy to hoodwink (the only precaution on the part of the fraudsters seems to have been to keep withdrawals under £500, and sensibly including the transaction fee in this calculation), card skimming looks like a decidedly profitable activity.
The loss will of course be borne by the bank rather than the customer in this case. It really should be easy to prevent examples as glaring as this. I contacted Barclaycard about this to ask if they had anything to say, and they declined other than to say that this was an isolated incident, that they take such matters seriously, and that they deploy a wide range of fraud monitoring tools.
Looks like the range isn’t wide enough.