Joe Tiedeman

Technology and Security

Should banks use push notifications for all transactions?

Recently I received notifications from Starling for card transactions totalling £450 that were not made by me (annoyingly they didn’t go through 3-D Secure for some reason, so for all intents and purposes they were successful and £450 had been stolen from me). Fortunately multiple subsequent transactions to the same merchant, Taptap Send, which appears to be a money transfer service to Africa and Asia, did go through 3DS and so I was able to reject them. As soon as I rejected them and locked my card from the app (another thing that all banks should implement if they haven’t already), another flurry of transactions came through from all over the world: America, Albania, Algeria, Taiwan, the list goes on!

My fraud claim has been raised in the app, and I now have a nervous wait over the weekend to see if I’ll get my £450 back by close of business on Monday thanks to FCA regulations, but had I not had the notifications or the ability to lock the card immediately, the thieves would have taken me for well over £1000. Very sobering for a Friday evening!

Whilst notifying Starling of the fraud, my thoughts naturally (for me and those who know me!) turned to the following:

Which merchant had I given my card details to, only for them to be leaked in some way?
1. Were they skimmed by some rogue JavaScript on their website?
2. Did they store card details without complying with PCI DSS?
3. Will I ever find out which merchant was breached?
4. Will they learn their lesson and employ Content Security Policies and use something like Scott Helme’s awesome Report URI to spot when they may have been compromised?
5. When will I end up in yet another public breach processed by Troy Hunt and loaded into Have I Been Pwned?
6. What if, rather than me being caught out, this had been someone else without access to the same tools to minimise the damage?
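Question 4 is the one a site owner can act on before a breach rather than after it. A Content Security Policy pins which origins a checkout page may load scripts from and which origins it may send data to; a browser that sees either rule broken posts a violation report to the endpoint named in the policy, which is exactly the signal a JavaScript skimmer leaves behind. The example below is added here and is not code from the original post, from Starling or from Report URI (which is a hosted service that aggregates these reports; this is a minimal self-hosted stand-in). It builds such a policy for a hypothetical checkout page, then normalises and triages the two report formats browsers send. All hostnames, the report endpoint and the sample reports are constructed assumptions.

```javascript
// Added example (not from the original post): a CSP for a checkout page that
// pins where scripts may load from and where data may be sent, plus a triage
// routine for the violation reports browsers post back. Hostnames and the
// report endpoint are illustrative assumptions.

// Third-party origins the checkout page legitimately needs (assumed).
const ALLOWED_SCRIPT_ORIGINS = ["https://js.payments.example"];
const ALLOWED_CONNECT_ORIGINS = ["https://api.payments.example"];

// Header value for Content-Security-Policy. report-uri is the legacy
// directive every browser honours; report-to (Reporting API) is its successor.
function buildPolicy(reportEndpoint) {
  return [
    "default-src 'self'",
    `script-src 'self' ${ALLOWED_SCRIPT_ORIGINS.join(" ")}`,
    `connect-src 'self' ${ALLOWED_CONNECT_ORIGINS.join(" ")}`,
    "form-action 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    `report-uri ${reportEndpoint}`,
    "report-to csp-endpoint",
  ].join("; ");
}

// Browsers send two shapes: the legacy {"csp-report": {...}} body with
// hyphenated keys, and the Reporting API array of {type: "csp-violation",
// body: {...}} with camelCase keys. Normalise both to one record shape.
function normalizeReports(raw) {
  const data = typeof raw === "string" ? JSON.parse(raw) : raw;
  if (data && data["csp-report"]) {
    const r = data["csp-report"];
    return [{
      documentUrl: r["document-uri"],
      blockedUrl: r["blocked-uri"],
      directive: r["effective-directive"] || r["violated-directive"],
    }];
  }
  if (Array.isArray(data)) {
    return data
      .filter((r) => r.type === "csp-violation" && r.body)
      .map((r) => ({
        documentUrl: r.body.documentURL,
        blockedUrl: r.body.blockedURL,
        directive: r.body.effectiveDirective,
      }));
  }
  return [];
}

// Reduce a blocked URL to its origin; the non-URL values browsers use
// ("inline", "eval", "data") are passed through unchanged.
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch (_) {
    return value;
  }
}

// A skimmer has two tells: a script the page never shipped, and card data
// leaving for an origin the page never talks to. Anything else is noise.
function classify(report) {
  const directive = (report.directive || "").split(" ")[0];
  const origin = originOf(report.blockedUrl || "");
  if (directive === "connect-src" || directive === "form-action") {
    return { severity: "high", directive, origin,
             reason: `data exfiltration attempt to ${origin}` };
  }
  if (directive.startsWith("script-src")) {
    return { severity: "high", directive, origin,
             reason: origin === "inline" ? "unexpected inline script"
                                         : `unexpected script from ${origin}` };
  }
  return { severity: "low", directive, origin, reason: `${directive} violation` };
}

function triage(raw) {
  return normalizeReports(raw).map(classify);
}

// Constructed sample reports, in the shapes a browser would POST for this policy.
const LEGACY_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "connect-src",
    "effective-directive": "connect-src",
    "blocked-uri": "https://stats-cdn.example.net/collect",
  },
});
const REPORTING_API_BATCH = JSON.stringify([
  { type: "csp-violation", url: "https://shop.example/checkout",
    body: { documentURL: "https://shop.example/checkout", blockedURL: "inline",
            effectiveDirective: "script-src-elem", disposition: "enforce" } },
  { type: "csp-violation", url: "https://shop.example/checkout",
    body: { documentURL: "https://shop.example/checkout",
            blockedURL: "https://pixel.example.org/t.gif",
            effectiveDirective: "img-src", disposition: "enforce" } },
]);

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildPolicy("https://csp.shop.example/report"));
  for (const f of [...triage(LEGACY_REPORT), ...triage(REPORTING_API_BATCH)]) {
    console.log(`[${f.severity}] ${f.directive}: ${f.reason}`);
  }
}
```

Two practical caveats: a site that cannot yet enforce the policy can send the same value in a Content-Security-Policy-Report-Only header, which reports without blocking, so a "high" finding then means the data really did leave; and browser extensions inject scripts and requests that produce violation reports too, so the origin of a finding needs to be checked against the site's own deployment before anyone declares a compromise.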

I think the older/more established banks have historically relied on a generation of people who are used to high street branches (even though they’re rapidly disappearing, there are still enough to keep that brand recognition going), and those same banks offer a wide variety of products and services under their brands that the same generation find comforting. They have long-standing brand loyalty and won’t switch without major external factors.

I think that unfortunately leads to complacency from the older banks in terms of the need to innovate unless it’s a regulatory requirement.

Incidentally I had a few more failed transactions show up overnight and in the week following, so they were still trying their luck. I have spent some time examining the (fortunately few) sites that I’ve recently input my card details into, in case I can spot any obvious exfiltration of data from a compromised JS library, but unfortunately I have not been able to identify the culprit yet.

Starling have refunded the successful fraudulent transactions! The merchant apparently now has 45 days within which to object to the refund and prove to Starling that the transactions were in fact genuine, so things might not be concluded just yet, but I can’t see any way that they can reasonably say the transactions were genuine, if for no other reason than there were no fewer than 32 other attempted transactions subsequent to the card being blocked and cancelled!
