The still photos captured by CCTV are fuzzy: a figure wearing a track suit, a pair of sneakers and a black hooded sweatshirt, standing at various cash machines in northern Sydney in the middle of the night.
In June and early July, the shadowy figure withdrew a total of A$11,790 (US$12,217) from the account of Louay El-sayah, a 38-year-old construction manager from Sydney. (See a map of the withdrawals here.) El-sayah, who has five children, reported the theft to his bank, Commonwealth Bank of Australia, one of the country's largest financial institutions.
After a 45-day waiting period, El-sayah was denied a refund. "I didn't expect that," he said. "Not from Commonwealth Bank."
After several in-person efforts by El-sayah and a telephone query last Friday from IDG News Service, Commonwealth reversed its decision on Monday and will refund his money. But El-sayah's experience highlights the battle consumers can face when claiming fraud on their accounts, and the many reasons banks can use to deny those claims.
El-sayah appears to have been a victim of "skimming," an attack where a person's debit card details are copied from the magnetic stripe on the back of their card and encoded onto a fake card. The four-digit PIN can be recorded by observation or by modifying the PIN pad on point-of-sale devices or ATMs.
Skimming attacks are still successful in Australia since most banks have not yet fully implemented an upgraded security system being rolled out worldwide called EMV (Europay, MasterCard, Visa). EMV debit and credit cards have a microchip that facilitates a complicated cryptographic transaction that so far has not been defeated by criminals.
Many Australian ATMs, however, continue to rely on the card's magnetic stripe, even if the card has a microchip. Due to how the machines are configured, ATMs can't always detect whether a real or a cloned card is being used, although banks are upgrading the ATMs to the EMV specification. It makes it harder for fraud victims to prove they aren't lying since the banks see only that a valid PIN was entered.
Ross Anderson, a professor of security engineering at Cambridge University's Computer Laboratory, said the upgrade to EMV may even make it more difficult for customers because "banks will start claiming that since the system is now secure, customers who complain must be at fault."
"Of course, EMV has vulnerabilities too, and you'll see them being exploited in due course," said Anderson, who had extensively studied payment systems.
El-sayah said he was always in possession of his debit card and never revealed his PIN to anyone else. El-sayah, who describes himself as a "pretty paranoid person," said he was shocked by the fraud. Five of the withdrawals were for $2,000 each. "In this case, someone is pulling $2,000 out of my account every night and nobody contacted me," he said.
Sign up for CIO Asia eNewsletters.