DID THE BANK RIP OFF ITS CUSTOMER?

An Ontario woman says she is out thousands of dollars after her bank blamed her for two unauthorized withdrawals from her account, despite surveillance photos that show another person taking the cash right under the noses of RBC tellers.

Cleopatra Evelyn-Clark worries the chip and PIN technology are used to secure billions of debit and credit card transactions in Canada every year which isn't as safe as banks say after losing more than $6,600 to a fraudster who, according to the bank, used her debit card and PIN to steal the money. 

RBC's investigation found Evelyn-Clark was to blame, insisting that she must have shared her card and PIN with someone else. That allegation is unfounded and a way to avoid responsibility.

"The whole thing is a little bit ridiculous. At no time did I give anyone my card or my PIN. I was in possession of my card during both transactions," Evelyn-Clark said. "There seems to be no protection for the consumer here," she said. "It just seems they're all about their profit and not about protecting consumers at all."

  If she was in possession of her bank card when the money was stolen from her account, then how did a duplicated card end up in the hands of the person who took the money out of her account?  

They are flipping the burden of proof back to the customer. Chip  and PIN] transactions are not foolproof," says John Lawford, executive director of the Public Interest Advocacy Centre which provides legal and research services on behalf of consumer interests.

In December 2018, a woman walked into an RBC branch in Montreal, where Evelyn-Clark lived at the time, and made two withdrawals from her savings account within two days, for $3,000 and $3,650.

The tellers didn't ask for identification. The bank says they didn't need to because the PIN was used. When I withdraw money from my account when I am at the counter, the teller doesn’t ask me for my ID since my card has a PIN.

But when Evelyn-Clark asked for proof that her PIN was used and to see the surveillance photos to try to identify the thief, she says the bank refused. That was a stupid decision.

The bank explained its decision to Evelyn-Clark, adding that it reviews potential fraud and unauthorized transactions, "on a case-by-case basis, considering all relevant facts before making a decision." RBC told Evelyn-Clark the only way she could see the photos was through police, so she filed a report.

But it was only after Go Public got involved that the police investigators requested the surveillance images from the bank, and allowed Evelyn-Clark to finally see them  more than six months after she first asked to see the images.

The photos show a woman making the withdrawals at the teller counter, but Evelyn-Clark says she has no idea who that person is. She said, "I didn't withdraw the money. All I would like from the bank is for them to reimburse me the money that has been stolen from me," The Police told her they're still hoping to identify the other woman. Go Public asked RBC for a copy of the photos but it refused.

How did the unknown woman get a duplicate of the real bank card if the victim still had the original like she claimed?

An expert in consumer protection says there's a "power imbalance" between financial institutions and customers that allows banks to write their own rules, run their own investigations, and determine the results without any obligation to provide proof.

Similarly, a Langley, B.C., couple was held responsible for $4,360 after their Visa was stolen in Mexico in May. CIBC said Carol and Bill Pitts were on the hook for the losses because the four transactions were made with their card and correct PIN.  

"They were basically badgering me and accusing me of having my PIN written down or giving it out," Carol told Go Public. Obviously, that accusation is unfounded.

“That's totally not the case. I'm an office manager for a huge corporation. I know password security."  The couple says they reported the card stolen the same day Carol noticed it missing from her wallet, two days after the fraudulent charges started. They were at an all-inclusive resort and hadn't been using the Visa card which could have been stolen by a staff member in the resort. This is a good reason to put the cards in the room safe or in the resort’s safe.

The bank eventually offered the couple $1,000 as a goodwill gesture, but the Pitts say that's not good enough and have escalated their case to CIBC's ombudsman.

"I'm angry because the bank accused us of lying or being a fool. We're neither," Bill says."We don't steal. We don't cheat. So to have this go sideways and have the bank turn around and say it's our fault with no follow up, it gets me pretty angry."

Like Evelyn-Clark, the Pitts say they asked the bank for proof their PIN was used, but were refused.  They also couldn't get any information on how the bank investigated the loss. CIBC said it worked with them on the matter and is now waiting for the ombudsman's decision.

RBC says chip-and-PIN enabled cards are secure and, to date, the bank hasn't seen a case where a chip card was counterfeited and used with a valid PIN. 

"We thoroughly investigate fraud claims and take all relevant factors into account," wrote CIBC spokesperson Trish Tervit in an email to Go Public.

Tervit said victims of credit card fraud at CIBC are fully reimbursed if "they've met all of their requirements in the cardholder agreement." 

CIBC didn't answer Go Public's questions about the security of the chip-and-PIN system which is fair enough.

RBC says chip-and-PIN cards are secure and, to date, the bank, "hasn't seen a case where a chip card was counterfeited and used in conjunction with a valid PIN."

It's not clear what exactly happened in either case. But cybersecurity expert Claudiu Popa says there's a "fundamental flaw" in the technology that allows fraudsters to trick ATMs and point-of-sale (POS) terminals into thinking the right card and PIN were used.

"People who adequately protect their PINs are still at risk of having their transactions compromised," said Popa, who is a risk adviser at Informatica, a data protection company.

He points to research out of Cambridge University that found fraudsters are getting around chip-and-PIN security either through shimming when a thin, card-sized circuit board is secretly inserted into the card slot in order to clone cards, while a tiny camera is used to record the PIN or by installing malware into the terminals so the machines think the right PIN is being used. 

It's not clear how often those things happen, but the authors of the 2015 study say compromised chip-and-PIN systems could reach a massive scale.

Popa says it doesn't matter whether someone had stolen Evelyn-Clark's PIN. "They might have been able to enter just any PIN and the chip on the card would have said that it's a legitimate PIN," he said. 

There is no way to know if Evelyn-Clark's card was cloned or if there is another reason for the withdrawals. RBC isn't offering details on its investigation. 

In the Pitts's case, there is another possibility. A Mexican mobile payment system called Sr. Pago doesn't always require a PIN since it is only a signature that is required.  

Interac, the company behind debit cards, says Canadians lost $4.4 million to debit card fraud that year, a record low according to the company. 

There is some protection for customers under the Canadian Code of Practice for Consumer Debit Card Services, but it doesn't apply to credit cards.

The voluntary code addresses the power imbalance between banks and customers when it comes to fraud investigations, according to John Lawford of PIAC, and puts the onus on banks to prove customers are to blame. If they can't, financial institutions need to err on the side of the customer. 

"The bank can't just say 'Oh we have the correct chip and the correct PIN therefore you're liable.' That's not the way the rules are written,"Lawford said.

"The rules say if the customer disputes the charge it's up to the bank to show that the PIN was compromised or that the customer was somehow negligent."

All the major banks have agreed to follow the code, but often ignore it in favour of cardholder agreements that give them a lot of leeway with their investigations, Lawford added.

The agreements say if someone is careless with the PIN, or chooses a PIN that's easy to guess, they are liable for losses. RBC says it followed the code when it investigated Evelyn-Clark's case.

Legislation that was meant to better protect bank customers passed last June, but the section of Bill C-86 related to unauthorized transactions was put on hold.

The law would have limited customer liability to $50 for unauthorized credit card transactions unless the cardholder demonstrated "gross negligence in safeguarding the credit card

Lawford says the section wasn't put into force because banks wanted more time to negotiate terms with the government before it was implemented.

But while C-86 addresses credit card fraud, it offers no protection for debit card holders. Both the Pitts and Evelyn-Clark say better protection is what's needed.

At the time I added this article to my blog, the Pitts were still waiting to hear what CIBC's ombudservice decides.