Saturday, December 24, 2011

Cloning Plastic

About a month ago I received an email receipt for a PayPal purchase, in this case an ATM withdrawal. Only problem? I didn't make the withdrawal.

I immediately called and reported unauthorized use of my card, PayPal cancelled said card, and I was issued a provisional reimbursement while a chargeback case was opened. I filled out the online form asking where I had lost my card, etc., and I explained that my card must have been cloned as it was in my possession at the time of the withdrawal.

PayPal wrote this back to me:

We're sorry, but after careful consideration, we're unable to honor your
claim for $___ USD.

Our review of your PayPal debit card claim shows that the merchant properly
authorized this transaction for $___ USD on $___ and this transaction
appears to be valid. You have significant history of making withdrawals at
this ATM. In addition, your PIN number was successfully entered to
complete this charge. As your PIN number is a security code that should
only be known by you, this appears to be a valid charge.

If you have additional information to support your claim, please contact us.

Well that sucked. 'Careful consideration' took at most an hour. I did intend to follow up, as I have the transaction number and I believe that the withdrawal was made at the same ATM that I do indeed, or did indeed, use with frequency. The culprit must have been filmed making the withdrawal. The problem is that I've been crazy busy ever since I opened my store and I don't like to close the store during business hours if I can avoid it, so basically I never followed up except to fill out a stupid online survey re: my chargeback experience, which only led to a request to fill out another online survey, which was more than I was willing to do.

Occam's Razor suggests that PayPal did the right thing. I do use that ATM with frequency, whoever made the withdrawal must have had my PIN, etcetera. But from my point of view it didn't wrap up so neatly. A friend who had stayed with us claimed that his card had been cloned at the very same ATM a couple years earlier, something I must confess I didn't take very seriously at the time. About a week later my wife told me there was a story on the news about a ring of card-cloners in a different bank. And when I googled 'credit card cloned' one of the first results I got showed how the scam works, using, no less, a Brazilian ATM for demonstration. Different bank, but same country, same scam. I don't go into that bank anymore to make withdrawals because the machines are visible from the street, and it is possible that someone could have spied me entering my PIN. Or not - apparently from within the bank PIN numbers can be captured as well.

Anyhow, I've been busy and didn't end up posting about this, kinda like how I don't post about much at all anymore, but yesterday the exact same thing happened to a guest at our house. Same PayPal debit card. Different situation - he thinks his info got stolen when he bought a coffee with the card. Also different result - in his case, someone went on a shopping spree in São Paulo and charged a lot more than they did on my card.

So what's funny about this? Actually, it's not funny at all, because PayPal gave the same response to this guy. Well, whoever had the card also has your PIN, and since you're the only one who knows the PIN it must have been you! Our guest has been trying to explain that there are hundreds of miles between where he and the card were, and where the purchases were made. So far they don't want to reimburse him either.

The thing that is really amazing about this is that it took them a maximum of five hours to clone his card and start spending his money.

Brazilian banks know all about this kind of shit. Brazilian cards have additional layers of encryption, which can vary from using access letters in addition to your PIN to entering a 3-digit code from a card you carry around with the card. Some ATMs even have a palm scanner to verify your identity. Most cards issued here have an embedded microchip to encrypt your data and make cloning... more difficult.

So what now? Maybe PayPal will read this post and ask me to fill out an online survey.


Anonymous said...

Ugh, what a pain! I try to avoid making any withdrawals here, though it's more because of the $14 international ATM fee that I get charged every time.

You opened a store? Where and what are you selling? I was part of an online capoeira gear store a while back, but we never managed to open up a physical location.

markuza said...

It is a pain - although the advantage of the PayPal card is that they don't have a fee for international withdrawals.

I did open a store, selling graffiti and other art supplies. I've been meaning to write a post about it but haven't gotten around to it yet. It also started as an online store, but the local demand was much stronger than the virtual demand.