Like banks in many European countries, Australian banks issue debit and credit cards with a microchip that verifies the correct PIN has been entered. In Europe, the system is called EMV, or chip-and-PIN, while in Australia it is called EFTPOS. The U.S. doesn't yet have a chip-and-PIN system, but Visa and MasterCard plan to introduce one.
EFTPOS should have prevented the kind of fraud I experienced. When a criminal copies the information in a magnetic stripe, they can encode it into a dummy card. But cash machines are supposed to verify a microchip is present, and criminals aren't thought to have figured out how to copy microchips yet, though security researchers have found other weaknesses in the EMV system.
The problem is, some cash machines still process transactions even if a card doesn't have the chip, allowing fraudsters to withdraw funds using cloned cards. Fixing the problem will require banks to upgrade all their ATMs, which takes time.
Skimming victims can sometimes prove to their banks that they didn't make a transaction. Cash cards contain an Application Transaction Counter (ATC), which records the number of times a card has been used. An ATC showing one fewer transaction than was performed would presumably be evidence that a bank's customer wasn't lying about withdrawing money.
I offered my card to Commonwealth Bank for forensic analysis but they didn't get back to me. I also asked if they had checked the footage from security cameras where the withdrawal occurred, or if they had filed a police report, but I got no reply.
"As any person who has had money removed from their account by a thief will be aware, making the bank understand that it was not the customer who withdrew the money can be far from easy," Mason wrote in his journal article.
I finally saw the $800 put back in my account after I sent a stern letter modeled on a draft that Mason created, intended for use by people who are having trouble getting a refund. After I received my refund, I decided to write a column about skimming.
Commonwealth Bank spokeswoman Tracy Hicks said no one could be found to answer my questions, while other queries couldn't be answered on security grounds.
Illustrating its reluctance to discuss the topic, Commonwealth Bank even declined to verify that a document I had with the terms and conditions for consumer accounts, including information about liability for fraud, was up to date and reflected current policy.
The bank does subscribe voluntarily to Australia's Electronic Funds Transfer Code of Conduct, which describes liability in the case of disputed transactions.
Generally, financial institutions in Australia have 45 days to investigate a disputed transaction, much longer than the five days in which Commonwealth says it will return stolen funds. But that speedy return may depend on how eloquently a consumer complains to the bank. In my case, the bank was more than happy at first to quickly close the case, disingenuously shifting the liability to me absent a real investigation.
If you've had trouble recovering money after a skimming incident and are willing to assist in my reporting, please contact me at the email address below.