The bank warns the customer of the $1,200 fraud charge, then declares that the purchases were valid. Eh?
Chaithanya Kumar calls himself a loyal Bank of America customer.
So when he received an offer for a new credit card in early November, he decided to take it.
When the card arrived on November 7, he used it to pay his electricity bill. It was his only charge on the card, he said.
“On November 11, just four days after I received the card, I received a fraud alert from Bank of America via email stating that someone had used the card fraudulently for $1,200 in purchases. clothing store in Woodbury Commons, New York,” he said.
Someone had gone shopping at the Timberland and Polo stores in the mall.
Kumar said he called the bank to dispute the charges.
The bank gave him provisional credit, but two months later he received a letter saying that the dispute was denied because “the chip was read, your PIN was entered and/or you signed for the goods or service, indicating that you or someone authorized you to use your card was present.
Kumar said he never gave the card to anyone and did not make any purchases, let alone shop at that mall.
And, he said, he works as a registered nurse and he was caring for COVID patients on the night of Nov. 10-11.
“I regularly sleep through the day after working the night shift,” he said. “Also, after caring for COVID patients, I would never put others at risk by traveling in crowded areas.”
He called the bank again, and was told he was going to be called back by a fraud official.
When he got the call, the manager told him that “the design of the credit card chip was 100% foolproof,” he said. The only way to reopen the case would be if he could provide proof that he was not in the stores, which Kumar said was nearly impossible.
You cannot prove a negative result.
Kumar complained to the Consumer Financial Protection Bureau (CFPB) and a police report in his hometown of Paramus. He said the police department is working to get a video of the sales, but has yet to hear back.
On March 3, he received a reply from the CFPB stating that his investigation had revealed that no fraud had taken place because the chip on the card had been read at the time of purchase.
“I have two other credit cards with Bank of America. Clearly the bank can investigate my transaction history and realize that I never make such large purchases and most are made locally “Also, why would Bank of America send me a fraud alert about this specific transaction and then pretend it wasn’t fraud?” he said.
“Essentially, I was found guilty without being able to prove my innocence,” he said.
He asked Bamboozled for help.
HOW CHIP CARDS WORK
We asked Bank of America to review the case and explain why they would send a fraud alert while denying the customer dispute.
While we waited for an answer, we asked Mitch Feather, a cybersecurity expert at Creative Associates in Madison, for his opinion.
He said he thought it was odd that Bank of America flagged the transactions as potential fraud on a card that had little other activity.
“One aspect of card issuers’ anti-fraud algorithms is the billing model,” he said. “You’re talking about two transactions on a new account with reasonable amounts at merchants within a plausible radius.”
Feather said cards with EMV chips aren’t perfect.
When EMV (short for Europay, MasterCard and Visa) chips were introduced overseas, the chip would be read and then the cardholder would enter a PIN, Feather said. This system was “excellent” at reducing card fraud, he said. But when it was introduced in America, the chip was read, but instead of a PIN, a signature was required – a method that is not as efficient as requiring a PIN.
It’s common for the signature someone adds to a credit card terminal to “look little or nothing like the signature on the signature strip on the physical card.” In fact, some card issuers have completely removed the signature bar on the card,” Feather said.
He also said there are a lot of transactions when EMV chips are not read.
Feather said not all merchants want or can upgrade their terminals, so they always swipe the magnetic stripe on the card.
“In addition, most terminals are configured to allow transactions to be processed from the magnetic stripe to accommodate older cards without a chip or to handle cards with defective chips,” he said.
That leaves the cards vulnerable, he said, because the cards’ magnetic stripes can be cloned and it’s quite easy to get a merchant to accept a swipe.
“The bad actor takes a credit card and sets up a fake EMV chip inside. When they make a purchase at a retail establishment, they insert the card for a chip transaction,” he said. “When the terminal displays an error that the chip cannot be read, typically the salesperson will tell them to swipe the magnetic stripe instead, bypassing the EMV chip altogether.”
The CVV — the three-digit code on the back of the card — is another potential source of compromise, he said.
“Normally the magnetic stripe contains the Card Verification Value (CVV) in its encoding which is the same as the 3-digit code on the back of the card,” he said, noting that some banks don’t verify not that. “Past incidents have already demonstrated that malicious actors have breached point-of-service systems, capturing EMV data. They then create magnetic stripe clones with the captured data and use these cards in card transactions if banks issuers do not properly verify CVV information.”
What does all this mean?
Cards with EMV chips aren’t 100% foolproof after all.
A business day after we asked Bank of America to look into the matter, Kumar discovered that the $1,200 was back in his bank account.
“I haven’t received any notification, email or phone call about this,” he said.
We asked Bank of America what happened.
“It appears that two cards were sent to the customer – one with normal delivery and a second after the customer requested expedited delivery,” spokesman Bill Halldin said. “It appears that one of the cards was stolen, probably intercepted in the mail. We have credited the customer’s account.
So it looks like there was a chip transaction after all.
Kumar then received a call from Bank of America, explaining his decision.
“I believe when I first called in January to respond to the claim, I mentioned that someone had potentially stolen one of the cards, but basically the call ended with my accusation to be guilty. The case was closed,” he said, noting that he believed the bank had likely canceled the original card because the other one had been passed to him overnight.
“Obviously, without your persistence, no one would ever have called me back to look into the matter,” he said.
Please sign up now and support the local journalism YOU rely on and trust.