As for the call, well, credit where it’s due, it’s pretty clever. If you call a landline, it’s up to you to end the call. If the other person, the person who receives the call, puts down the receiver, it doesn't hang up the call, meaning that when I went to find my bank card, the fraudster was still on the other end, waiting for me to pick up the phone and call ‘the bank’.

It's been a while since I've had a landline but I am pretty certain this is not the case in the US. It seems vanishingly implausible that it is the case in England - can anyone confirm?
posted by dirtdirt at 6:39 AM on July 29, 2013 [7 favorites]

I'm missing something. Is this a UK thing where you can pick up your phone and think you're calling your bank, and it's someone else on the line? How is this possible?
posted by Mapes at 6:40 AM on July 29, 2013

It was definitely true at some point in the US that the caller controlled the duration of the call, and that the recipient hanging up the phone did not terminate the call. I do not know if it is still true.
posted by Slothrup at 6:43 AM on July 29, 2013 [3 favorites]

Yes, this works, not just in the UK, but all over Europe. The poor dude should've listened to Radio 4's Money Box or You and Yours, where this type of fraud has been discussed.

So they cold call you with a bullshit story of how your card was cloned, get you to call back the bank (so you think) but because they haven't hung up at their end, you get the fraudsters again.
posted by MartinWisse at 6:44 AM on July 29, 2013 [7 favorites]

That phone thing sounds too crazy to be true. Otherwise, some troll can just call you, not hang up and tie up your line indefinitely--seems kinda dumb and dangerous.
posted by reformedjerk at 6:45 AM on July 29, 2013 [5 favorites]

For a while I thought they'd taken his card and cloned it, then sneakily replaced it with a replica having a fake customer service number on the back.
posted by exogenous at 6:46 AM on July 29, 2013 [3 favorites]

I know this isn't the reaction that I'm supposed to have, but man, that scheme is dead clever.
posted by Diablevert at 6:46 AM on July 29, 2013 [15 favorites]

Wow, that is a slick scam.
posted by His thoughts were red thoughts at 6:47 AM on July 29, 2013

I'm pretty sure there's a time limit (30 seconds?) to how long the connection stays live after the receiving end hangs up. However, if the receiving end picks the line up again while the scammer is still online, there would be no dial tone on the receiver's end, a sure tell that the line is being used and, thus, you should not be dialing.
posted by Thorzdad at 6:49 AM on July 29, 2013 [7 favorites]

Yes, I recall a 30 second timeout as well. In the article, the scammer played a fake dial tone into the receiver.
posted by Slothrup at 6:50 AM on July 29, 2013 [2 favorites]

It's been a while since I've had a landline but I am pretty certain this is not the case in the US.

I'm pretty sure whenever I get a robocall on the landline I can hang up, wait several seconds, then pick up the phone to hear the the same message still being played. It's really annoying during campaign season when there's some long-winded recorded message that just won't shut up.
posted by RonButNotStupid at 6:52 AM on July 29, 2013 [2 favorites]

As for the call, well, credit where it’s due, it’s pretty clever. If you call a landline, it’s up to you to end the call. If the other person, the person who receives the call, puts down the receiver, it doesn't hang up the call, meaning that when I went to find my bank card, the fraudster was still on the other end, waiting for me to pick up the phone and call ‘the bank’.

This is why I still have a cell phone and a landline - if they call the landline, I can "call the bank" from my cell phone. And vice-versa. Either way, it disarms their scam because I actually do get through to the real bank.

Yay for Luddites!
posted by EmpressCallipygos at 6:53 AM on July 29, 2013 [3 favorites]

“It’s OK, Mr Welch, we can’t see it, but we need to perform a PIN block." “I’ve never heard of that," I said, “but fair enough." I packaged the card up as requested – wrapped up snugly in kitchen roll, packed into an envelope so it didn’t look like a bank card – and waited for the courier to arrive. Rajesh called back twice, once to say the car was five minutes away, and again to say it was outside, quoting the car’s number plate and describing the driver.

Never mind everything else, this would have alerted me immediately that I was being scammed.
posted by Redfield at 6:53 AM on July 29, 2013 [31 favorites]

The key thing to remember here is:

Your cards are disposable. No one will ever want them back for any reason - they'll tell you to destroy them on the spot.
posted by pmv at 6:54 AM on July 29, 2013 [48 favorites]

However, if the receiving end picks the line up again while the scammer is still online, there would be no dial tone on the receiver's end, a sure tell that the line is being used and, thus, you should not be dialing.

They probably play a phony dialtone over the line waiting for the mark to dial.
posted by Slap*Happy at 6:54 AM on July 29, 2013 [3 favorites]

They tried this scam on my girlfriend a couple of weeks ago, but they didn't have the dial tone gimmick, so when she tried to call the number on her landline, she knew something was up. She then called the number (which is the legitimate number on the back of the card) on her mobile. The card comoany were very familiar with the scam.
posted by rolo at 6:58 AM on July 29, 2013 [2 favorites]

Yes another reason I'm glad not to have a landline! I do all my banking through my bank's app and my PIN number is 1234--impossible to guess hahah!
posted by Potomac Avenue at 7:00 AM on July 29, 2013 [2 favorites]

That phone thing sounds too crazy to be true. Otherwise, some troll can just call you, not hang up and tie up your line indefinitely--seems kinda dumb and dangerous.

Yeah, they "hang up" but its just a fake dial tone. You think the line is disconnected but its not. If you were to hang up yourself the connection would be terminated. But because you hear the dial tone, you don't.

Very clever scam.
posted by nathancaswell at 7:02 AM on July 29, 2013 [1 favorite]

If only there were a way to test how long the call persists for *racks brain*
posted by unSane at 7:08 AM on July 29, 2013 [1 favorite]

I like to think I’m a tech savvy, culturally aware person. I read about internet security, I know about phishing and all that seemingly tedious shit we’re told about every five minutes, yet the knowledge left me when it counted and I handed over all my money like some wet-behind-the-ears yokel buying magic beans at a county fair.

I am honestly stunned that someone who can say this about themselves would fall for so shoddy a bit of social engineering. It is completely baffling to me that anyone would not find this unbelievably suspicious. Since when has a bank offered this much help? Sending a fucking courier to collect your card to check your card's chip? Are you kidding?
posted by longbaugh at 7:14 AM on July 29, 2013 [14 favorites]

>However, if the receiving end picks the line up again while the scammer is still online, there would be no dial tone on the receiver's end, a sure tell that the line is being used and, thus, you should not be dialing.

They probably play a phony dialtone over the line waiting for the mark to dial.

As explained in the link even:

If the other person, the person who receives the call, puts down the receiver, it doesn’t hang up the call, meaning that when I went to find my bank card, the fraudster was still on the other end, waiting for me to pick up the phone and call ‘the bank’. As I did this, he first played a dial tone down the line, and then a ring tone, making me think it was a normal call.

posted by hoyland at 7:15 AM on July 29, 2013 [4 favorites]

If they don't go through the whole select-the-department-you-want-by-pressing-numbers-on-your-keypad thing and keep you waiting for fifteen minutes while they play bad music down the phone to you, occasionally interrupting with a prerecorded voice to say you're now number seven in the queue and that your call is very important to them... that's a giveaway right there. Or do they do that too? And if they do, isn't it beginning to sound like so much work, they might as well just get a proper job?
posted by Grangousier at 7:16 AM on July 29, 2013 [19 favorites]

Sure, the scam is sort of clever, but this guy more than met them halfway.
posted by Optamystic at 7:16 AM on July 29, 2013 [7 favorites]

Sure, the scam is sort of clever, but this guy more than met them halfway.

Yeah, this. He gave his debit card to someone who showed up at his house? No.
posted by roomthreeseventeen at 7:18 AM on July 29, 2013 [3 favorites]

Once I called my bank's security number, I'd probably be less suspicious. I don't call the security numbers often, after all, and I remember that the wait is usually much shorter but nothing else. The PIN thing -- there are some specific times when I've been sent to an automated system and had to enter it in, I think. The courier is what would surprise me (as well as the "hey, we can do it for all your unassociated cards"), but again, once I'd actually called my bank, it wouldn't occur to me that I had called a scammer.

But I have a cell phone only and so it wouldn't work for me. I don't know if the landline thing works in Canada or not.
posted by jeather at 7:20 AM on July 29, 2013

Yeah, the most suspicious part of the story to me would be the incredibly helpful, responsive, efficient customer service, all from one person in the same "department" who didn't have to transfer me a half dozen times with a minimum of 8-12 minutes of rock flute solos.
posted by elizardbits at 7:21 AM on July 29, 2013 [52 favorites]

The compassion for this guy on this thread is out of this world! He admits he was foolish and spent several days freaking out over this and had a bunch of cheques etc bounce - isn't that enough suffering, or do you want to post on his blog about how dumb he was?
posted by lesbiassparrow at 7:23 AM on July 29, 2013 [16 favorites]

(Sorry - that was unnecessarily cranky. I just...I don't know, I think he's beating himself up enough about this without everyone else getting in the act.)
posted by lesbiassparrow at 7:24 AM on July 29, 2013 [4 favorites]

That was frighteningly clever. Normally, I'd never give my card to anyone but US cards are dumb plastics and EU cards are all smart chipped. As I read it I thought it was great to hear EU bank fraud investigations are through enough that they check the card as well!
posted by mathowie at 7:27 AM on July 29, 2013 [2 favorites]

I guess I missed it - how did they get his name, address, date of birth and all that?
posted by cashman at 7:27 AM on July 29, 2013

Reverse address lookup via those public info databases?
posted by mathowie at 7:29 AM on July 29, 2013

The fundamental rule.

Nobody who actually has access to your account needs your password/pin. Period. End of statement. However, making that access will be logged. Anyone telling you that they need you to type that is trying to access your account without it being logged that they have done so.

In other words, anybody asking you that is *trying to harm you*. You should hang up and go to the bank. Not call the bank, go to the bank, tell them that someone acting like the bank called you and did something suspicious.^* For fun, key in the wrong PIN, and if they say "Okay, we have done X," they are lying -- and, of course, when they go to steal all the monies, they'll lock your account. Even better, if they use an ATM, they'll lock it and it'll keep the card, which will be clear proof that it wasn't your card.

No bank needs your PIN to block your account. Period. None. I don't need your password to lock your account. Period. Remember that, keep it holy, and these sorts of scams, no matter how well executed, fail when tried against you.

The PIN thing -- there are some specific times when I've been sent to an automated system and had to enter it in, I think

If so, you've made a fundamental mistake in setting your card PIN and account PIN the same, and you should change both immediately. It's proper for a call in account line to have a PIN, but it should be a different PIN, and indeed, a differently identity string (the account number rather than the card number.)

I guess I missed it - how did they get his name, address, date of birth and all that?

Well, I'd first try Google. It's remarkable how much personal info is online for any given individual, you might have to do some linkups, but if you call the wrong guy "No, that's not my birthday", you toss the number and try again on the next mark.


^*This does not protect against the bad guys building a fake bank. Protections against this attack are left as an exercise for the reader.
posted by eriko at 7:30 AM on July 29, 2013 [14 favorites]

Yeah, they "hang up" but its just a fake dial tone. You think the line is disconnected but its not. If you were to hang up yourself the connection would be terminated. But because you hear the dial tone, you don't.

Not quite: the connection can't be terminated by the mark. It's all one long incoming call, and (in the UK at least) you can't terminate an incoming call by hanging up; the calling party has to hang up.

Makes for good teen pranks: you call someone, chat, say goodbye and then wait for them to dial someone else and give them a scare.

(This is actually pretty handy if you have multiple phones in your house and someone calls you and you want to switch phones. Just hang up the one you answered, walk to the other and pick it up)
posted by bonaldi at 7:31 AM on July 29, 2013

I guess I missed it - how did they get his name, address, date of birth and all that?

Pure conjecture, but they already had the address, and got the name via a search of the telephone directory and they might have asked him for his date of birth.

Generally speaking, it's a good idea to assume that everyone who approaches you is lying to you.
posted by Grangousier at 7:34 AM on July 29, 2013 [1 favorite]

Reverse address lookup via those public info databases?

You can get some of that, true. But they also had his last legit withdrawal from a specific location, and also his landline number which he says he gave out to all of 3 people.
posted by cashman at 7:34 AM on July 29, 2013

(But not easy. No judgement of nice, honest, open people intended.)
posted by Grangousier at 7:35 AM on July 29, 2013

The belief that you are too smart to be conned in this fashion, expressed repeatedly in this thread, is the surest path to getting conned.
posted by Horace Rumpole at 7:40 AM on July 29, 2013 [40 favorites]

If so, you've made a fundamental mistake in setting your card PIN and account PIN the same, and you should change both immediately. It's proper for a call in account line to have a PIN, but it should be a different PIN, and indeed, a differently identity string (the account number rather than the card number.)

No, I'm fairly sure they ask for the credit or debit card PIN. But it's always an automated system, never a person. With a person we go through the game of guessing what my passphrase is given that they don't actually give me any clues. Could it be . . . my first pet's nickname? My grandmother's city of birth? My uncle's favourite flavour of pie?

But this depends on if your online banking requires a PIN (in which case you use that on the phone) or a password (in which case I am sure I occasionally use the card PIN on the phone before I reach the agent).
posted by jeather at 7:42 AM on July 29, 2013

Sure, the scam is sort of clever, but this guy more than met them halfway.

I don't think this makes him unique or even more stupid than all the clever people on Metafilter and elsewhere. Pretty much every scam of this type relies on a fear of losing money and lures into thinking that you can avoid losing that money by taking a couple of simple steps.

As that is a fear that the vast majority of humanity has, and one that seems to bypass our common sense, at least in the first instant, these scams will not go away any time soon so these kind of articles are essential in raising awareness. As others have said, there's no need to point out his stupidity any further - he already cops to that.
posted by jontyjago at 7:46 AM on July 29, 2013 [1 favorite]

(Sorry - that was unnecessarily cranky. I just...I don't know, I think he's beating himself up enough about this without everyone else getting in the act.)

No, you were spot-on. It's easy for people to dump on the guy when they're not in his shoes. He didn't go into his immediate emotional state in his post, but most people who get this kind of call start stressing out pretty quickly, worrying about all the money they think they're gonna lose. In that situation, they're less suspicious of someone who's offering to help; they're grateful for the assistance and compliant because they want to get out of the nightmare quickly.

I can't say that I wouldn't have been taken in if I were in his shoes, because I work for my credit card issuer and I know exactly what the call should sound like. I know not to give out my PIN over the phone, and I certainly know my employer would not send a courier to pick up my card. But that's because I deal with this stuff every day. So no smugness here.

I salute Mr. Welch for having the courage to publically admit how he was fooled, even though he's opening himself up to derision. He's done a public service by warning other people about the scam. A lot of victims won't do this, out of embarassment, and the scammers count on that to perpetuate their cons.

I didn't know about the callback thing, either, but now I do, and I have Mr. Welch to thank.
posted by ogooglebar at 7:47 AM on July 29, 2013 [13 favorites]

You can get some of that, true. But they also had his last legit withdrawal from a specific location, and also his landline number which he says he gave out to all of 3 people.

Not sure about the landline, but they got the last legit withdrawal when they picked him out at the ATM and followed him home. (From the post: " It all started, said the police, on the Saturday night where one of this gang will have watched me take money from the cash point. That’s details of my last transaction taken care of.")
posted by pie ninja at 7:48 AM on July 29, 2013 [2 favorites]

So they got his name and address and landline and dob from some online database, go to his home and wait for him to leave to go to the store on a trip where he makes a withdrawal, then quickly call him and then wait for him to "call" his bank, then execute a scheme where they get his pin and then get his card? That's a hell of a lot of work. Seems more involved than clever. I feel bad for this guy, but within 10 days he says he had everything back, so I'm glad he recovered.
posted by cashman at 7:53 AM on July 29, 2013

Just tested the landline thing in the UK and it does definitely work. Called my home landline from my mobile - my wife hangs up the landline, I'm still connected. She picks up the handset a few seconds later 'baaaaaaaaar, ring ring; HSBC Fraud Prevention, how can I help?'

Further testing showed it takes a full minute of being hung up on the land-line before my caller connection dropped; if at any point she picked up it reset the timer.

So if you get a phone fraud alert (and I do get automated voice calls from my bank over those, usually small paypal transactions), make sure you hang up for over a minute first before calling the bank, or use a different line...
posted by ArkhanJG at 7:56 AM on July 29, 2013 [7 favorites]

Folks, the reason for the delay is to give landline users the opportunity to change the extension they are using when they are the only person in the house.
posted by scolbath at 8:03 AM on July 29, 2013 [2 favorites]

Yeah, the most suspicious part of the story to me would be the incredibly helpful, responsive, efficient customer service, all from one person in the same "department" who didn't have to transfer me a half dozen times with a minimum of 8-12 minutes of rock flute solos.

On the couple of occasions I've had to call bank fraud lines, they've been very helpful and no telephone extension tennis to be found. I presume it's because fraud costs the bank itself money (as they have to refund lossses) so they have an incentive to make the system quick and efficient to minimise the time the stolen/cloned card is racking up charges.

Asking for my PIN and/or to courier my card would definitely trigger my WTF reflex though, as I know the bank never needs either.
posted by ArkhanJG at 8:07 AM on July 29, 2013 [1 favorite]

The thing is if you have ever dealt with English banks this scam would seem like a significant improvement in their security protocols. HSBC used to routinely cold call for bank service 'upgrades' and ask for all kinds of 'security information'. I always thought it was a scam so I would call my local branch manager to talk about it and he would confirm it every time and the tone was clearly that he thought I was an 'uptight American' for even doubting them. Little did he know I was actually an uptight Canadian and decided quite quickly that I would minimize my banking with them as much as possible to reduce my exposure to their security complacency.

This scam didn't come out of nowhere. It was nurtured in the incredibly sloppy practices of banks in the UK. Also don't forget the UK banks themselves have been running scams...
posted by srboisvert at 8:07 AM on July 29, 2013 [8 favorites]

odinsdream, I haven't had a landline for 8 years, so I can hardly check, but before that, YES, it most certainly did work that way. And I live in Boston.
posted by scolbath at 8:09 AM on July 29, 2013

Potomac Avenue

1234

That's crazy! I use the same number on my luggage!
posted by The Confessor at 8:12 AM on July 29, 2013 [2 favorites]

So much konnenfreude on this board.

You're all pretty smart. Has none of you been conned before?

And watch out for undetectable skimmers. If you get taken by one of these, it's your fault!

Whisper-thin gas-pump credit-card skimmers
posted by etherist at 8:14 AM on July 29, 2013 [1 favorite]

HSBC huh? Why do I suspect this is actually just them scamming their insurer? I bet the dudes making the calls and pickups are actual employees.

"But he had an HSBC name tag and everything!"
posted by [expletive deleted] at 8:18 AM on July 29, 2013

This isn't the way the phone system works in the U.S., as far as I know, and given the geographic distribution of mefites heavily favors the U.S., that's probably why most people haven't heard of it.

In the mechanical days it had to work like this in the UK -- the exchange had no way to know the recipient had hung up, and so the line stayed open until the caller disconnected. Given that it was expected behaviour, it was then reimplemented in software for computerised exchanges.

I'm not sure how the US system could have handled it in the pre-computer days, unless exchanges were very different to the European model.
posted by bonaldi at 8:27 AM on July 29, 2013 [1 favorite]

FWIW, on old 1AESS switches in the US, a caller absolutely could hold a line open even if the caller hung up. I accidentally did this to my dad once. He was rather annoyed, given that several hours later I still hadn't remembered that I'd left the phone off the hook.
posted by wierdo at 8:41 AM on July 29, 2013 [3 favorites]

Yes, I would urge anyone to cut this guy some slack. The 'shock' of these things can really scramble your brains. I was burgled and defrauded in a similar way to this guy, and in both cases I didn't react in very appropriate way. In the case of the burglary I just wandered around the house in a daze, touching everything. These things can really rattle you.

As far as bank security goes, I have worked on credit and debitnet systems and my experience is that in normal transaction mode, things are very very secure. But you can't stop social engineering or card owner fraud or, importantly, when your card experiences an event that cannot be handled automatically.

At that point you have humans emailing un-encrypted card/account numbers around and all bets are officially off. I suspect this accounts for a lot of cooperative theft, high-end fraud and loss but I have no way of knowing.
posted by fingerbang at 8:48 AM on July 29, 2013 [1 favorite]

Years ago I used to do a "mentalism" magic trick that depended on the feature/flaw of the landline system whereby not hanging up kept the line open. I'm somewhat surprised to learn this still happens.
posted by Decani at 8:52 AM on July 29, 2013

Once you call the number on the back of a bank card and go through security stages, you enter into a world of trust

I could totally see falling for this scam. I mean, you called your bank's phone! Spotting it requires you know about the open phoneline trick, that you're aware that they don't need the PIN, that you realize the bank has no reason to need the physical card back. I'd like to think I'd balk at the courier, it just seems so unlikely and expensive, but if the con man were convincing and I were sufficiently flustered I might fall for it.

Security is hard. The fact that every financial institution has a different protocol makes it harder. I mean christ, the way I'm supposed to know I'm legitimately at my bank's website and not a phishing site is recognizing the picture of the cute kitten. Seriously?
posted by Nelson at 9:06 AM on July 29, 2013 [10 favorites]

I would hope that your PIN is stored in the same way as passwords should be stored: as a salted one-way encryption--meaning that nobody at the bank can see it/knows what it is and therefore have no way to tell if you are giving them the right PIN, therefore, there's never a need to ask for it.
posted by tippiedog at 9:07 AM on July 29, 2013

"I would hope that your PIN is stored in the same way as passwords should be stored: as a salted one-way encryption"

It's actually much more sophisticated than that, the PIN 'changes' as it moves around the network. PIN offsets are stored, not the PINs themselves and the machines that handle the PIN verification arrive as sealed units from IBM with nothing but a couple of proprietary ports and a power button to fuck with.

When things go according to plan it's really very secure.
posted by fingerbang at 9:16 AM on July 29, 2013 [1 favorite]

If I recall correctly, there's a detectable and predictable voltage drop on the line when a phone is picked up in a USA household, and this drop goes away when the phone is hung up. I'm nearly sure that this is also detectable. I distinctly recall accidentally tapping the 'hang up' button that gets depressed when replacing the handset and losing whatever call I was on.
posted by destructive cactus at 9:17 AM on July 29, 2013

Just tested the landline thing in the UK and it does definitely work. Called my home landline from my mobile - my wife hangs up the landline, I'm still connected. She picks up the handset a few seconds later 'baaaaaaaaar, ring ring; HSBC Fraud Prevention, how can I help?'

Well? Did you get her PIN number?
posted by orme at 9:17 AM on July 29, 2013 [9 favorites]

This definitely used to work in the US, at least circa 1995. I called the house from a friend's house and my mother put the phone back after the call but it didn't sit in the cradle properly. Friend went to make another call and couldn't. I ended up having to go home to hang up the phone.

In fact, I still have a (VOIP) landline that I never use, will test and get back to you..
posted by zug at 9:18 AM on July 29, 2013

Looks like it now disconnects immediately upon the receiver hanging up and returns a dialtone.
posted by zug at 9:21 AM on July 29, 2013

This is why I still have a cell phone and a landline [...] Yay for Luddites!

Pretty sure if you have a cell phone and a landline you're not a Luddite.
posted by cjorgensen at 9:22 AM on July 29, 2013 [4 favorites]

fingerbang: It's actually much more sophisticated than that, the PIN 'changes' as it moves around the network. PIN offsets are stored, not the PINs themselves and the machines that handle the PIN verification arrive as sealed units from IBM with nothing but a couple of proprietary ports and a power button to fuck with.

Good to hear. In any case, the point I was asking about/hoping was true was that nobody at the bank would ever know your PIN, therefore, there's never any reason for them to ask for it to verify it or such.
posted by tippiedog at 9:26 AM on July 29, 2013

I had no idea that was an aspect of the phone system in Britain, which was interesting to learn.

I also agree that it seems like a lot of work and a lot of risk to get a few thousand dollars. With that level of both I would expect something more like full fledged identity theft, where the goal is to create multiple false accounts without the target knowing so that you can get potentially hundreds of thousands of dollars of credit and access checks (sometimes even loans!) out of them.
posted by codacorolla at 9:28 AM on July 29, 2013

In any case, the point I was asking about/hoping was true was that nobody at the bank would ever know your PIN, therefore, there's never any reason for them to ask for it to verify it or such.

This is true of every financial institution I've worked at. Cardholders sometimes get upset when I can't just give them their PIN over the phone.
posted by ogooglebar at 9:31 AM on July 29, 2013

The belief that you are too smart to be conned in this fashion, expressed repeatedly in this thread, is the surest path to getting conned.

This.

The entire point of these kinds of scams is that they depend on an intangible, human element to work. Read a description of the pigeon drop scam and you'll wonder how anyone ever falls for something so obviously a con. But in the middle of an actual pigeon drop, when there are two people there in front of you and you're being forced to make quick decisions on the basis of very limited information, you'll do what most of us do: fall for the scam.

It's like a shell game. The trick isn't to convince the mark where the ball is, it's to make the mark think they've figured out the con. In Welch's case, the idea that he had already been the victim of fraud, and that he was dealing with trusted parties was enough to short circuit the bullshit detector. If I show up at your door and tell you to give me your credit card and PIN, you'll call the police. If I imply convincingly that you may already be on the hook for a bunch of money, and then show up at your door with the same spiel, promising to expedite your case, you'll gladly hand over your card.

What makes this such an interesting case is the interlocking set of maneuvers these scammers used to open up the blindspot that led to Welch handing over his card and PIN. With this much information at their disposal, I think it'd be nearly impossible for an average person to maintain the skepticism needed to defeat this con. Hence, this is really the bank's problem.
posted by R. Schlock at 9:40 AM on July 29, 2013 [9 favorites]

My card has been subverted... I don't know, at least half a dozen times. No idea why, I don't shop weird places.

I've never lost a penny, the bank has always detected it and called me up.

I'm pretty suspicious and I always assume that each phone call is from a scamster, even if the caller ID is right (you can easily spoof that) - but their first stage is always to ask me to destroy the card and they never ask for any information, just read me a list of transactions and ask me if they were genuine or not.

Assume all phone calls are fake unless proven otherwise.
posted by lupus_yonderboy at 9:42 AM on July 29, 2013

> It's like a shell game. The trick isn't to convince the mark where the ball is, it's to make the mark think they've figured out the con.

Come now, this isn't "The Sting". Don't tell anything at all to people who call you, and be ultra-careful about whom you call, and you'll be fine.

The "hanging line" callback trick is regrettable - I grew up with that but I didn't know it still worked - I personally do all my dialing on Google Voice, because it's free and keeps my hands completely free, and because the quality is much better than my cell phone. Again, you need to be very careful about whom you call...

I feel bad for this guy, but come on - a courier coming to pick up your card? The bank guy calling you with status updates on the arrival? Who'd fall for that?
posted by lupus_yonderboy at 9:51 AM on July 29, 2013

Who'd fall for that?

Someone who is not reasoning at peak ability because he's panicked at the thought of losing his money.
posted by ogooglebar at 9:54 AM on July 29, 2013 [2 favorites]

I also agree that it seems like a lot of work and a lot of risk to get a few thousand dollars. With that level of both I would expect something more like full fledged identity theft, where the goal is to create multiple false accounts without the target knowing so that you can get potentially hundreds of thousands of dollars of credit and access checks (sometimes even loans!) out of them.

Oh, I disagree entirely. You're thinking of it as a lesser form of hacking. I think it's mugging cubed. This required no technical no how beyond the phone hang up trick. Otherwise it's got almost the same profile as a mugging --- stalk a victim at an ATM and follow them. But instead of using a knife to get him to handover his wallet --- with all the additional physical and criminological risks that entails --- he was able to use a phone and a couple hours worth of sweet talk to score over £5,000. And it was quick and dirty --- setting up fake credit accounts requires days or weeks of back and forth before you get cards, and you have to give an address which can be linked to you. No setting up bots or cracking passwords or anything. Anybody could do this.
posted by Diablevert at 9:55 AM on July 29, 2013 [1 favorite]

Who'd fall for that?

Also, look at how he describes the handover:

I packaged the card up as requested – wrapped up snugly in kitchen roll, packed into an envelope so it didn’t look like a bank card – and waited for the courier to arrive. Rajesh called back twice, once to say the car was five minutes away, and again to say it was outside, quoting the car’s number plate and describing the driver.

This is carefully choreographed to prevent Welch from having time to reflect on what's happening and realize he's being conned. Give him specific instructions for how to wrap the card. Keep calling to appraise him on the driver's progress. Give him precise information about the car and the driver to focus attention on other, imaginary fraudsters and away from the actual con happening right in front of his face.

These guys were pros. And in the same situation, you'd fall just as hard as he did.
posted by R. Schlock at 9:57 AM on July 29, 2013 [7 favorites]

And in the same situation, you'd fall just as hard as he did.

Probably not, because I never, ever answer a call coming from an unknown/blocked/anonymous number. Approximately 95% of the time I don't answer it regardless of who is calling me. And if someone left me a voicemail about bank card fraud I wouldn't call the number they left me, I would call the number on the back of my card.
posted by elizardbits at 9:59 AM on July 29, 2013 [3 favorites]

Scary stuff. I do remember jamming up friends' phone lines in high school as a prank, so this definitely was doable back in the day. At least this exact con can't be done with VOIP and mobiles.

My first instinct when I get a call from the credit card company is to check the charges online, then I call the number on my card to go through the process of canceling the card and getting the charges removed. Having been through this several times, there is no way I wouldn't call to question the idea of someone from the bank coming to pick up my card. It's never happened before so being asked to do it now would run contrary to experience. Of course, they can probably get me another way.

For bank cards, I actually am one of the last who absolutely refuse to have a debit card. The bank sends me a replacement every four years, and every four years I ask them to mail me an ATM card as I shred the new debit card. The idea that I want my actual money to be easily extracted via VISA/MC scares me.

I have the credit score and luxury of using a credit card, where false charges can be taken care of without compromising my checking/savings, so why would I use a debit card? I realize others are not in this position, and yet most continue to walk around with debit cards in wallets and purses, and I can't help but wonder if it's simply because of convenience or not realizing ATM cards still exist.
posted by linux at 10:00 AM on July 29, 2013

I can't help but wonder if it's simply because of convenience or not realizing ATM cards still exist.

The credit union I work for is phasing out ATM cards due to lack of demand.
posted by ogooglebar at 10:04 AM on July 29, 2013

I am really enjoying how this thread is just all of us trying to remember how land lines work.
posted by gerstle at 10:06 AM on July 29, 2013 [13 favorites]

So many of the "protocols" involved here seem plausible. If I didn't work at a bank and have some experience with fraud, a lot of these things seem reasonable. I suppose the bank might want to card because maybe it's new scam or they have some reason to think that they'll get something from it that will help prevent things like this in the future. A "PIN block" sounds like a thing that might exist.

The rule, generally, is that if your bank calls you, they give you information. They already know who you are and they have access to all of your information. If you call the bank, you give them information. You know you're talking to your bank but they have no way to be sure you are who you say you are so it would totally make sense that you'd need to give them your PIN. Most banks have an automated system setup on the front end to verify your identity and get your PIN and no human at the company can ever access your PIN. I know that because I work for a bank. If you've never had to call your phone bank before (and with internet banking, why would you?) I can see where the average person wouldn't make that deduction.

That's what makes this scam so clever, first they call you and just give you information just like your bank would. Then they tell you to call your bank and then you start giving them information because that's what happens when you call the bank.
posted by VTX at 10:11 AM on July 29, 2013 [3 favorites]

Everyone who thinks this guy is a dumb is ignoring some pretty important psychology. You're surprised -- amazed -- that anyone would fall for this obvious fraud! That you read about in a thread whose headline includes the phrase 'One man's experience of credit card fraud.' Framing is incredibly powerful in determining how we respond to situations. I'd bet dollars to doughnuts that most of the self-confident in this thread would have been taken in completely by this scam.
posted by samofidelis at 10:18 AM on July 29, 2013 [2 favorites]

I never, ever answer a call coming from an unknown/blocked/anonymous number

And if the Caller ID says "CHASE BANK 1-877-242-7372", would you answer it then?
posted by Nelson at 10:20 AM on July 29, 2013 [2 favorites]

No, because that's not how cellphone caller ID works. If it is a number that I have personally programmed into my phone, then the name of the person or entity that I already know will appear on the caller ID. If it is any other number ever in the entire universe I will not answer the phone.

also i don't bank with chase
posted by elizardbits at 10:22 AM on July 29, 2013 [1 favorite]

I'd bet dollars to doughnuts that most of the self-confident in this thread would have been taken in completely by this scam.

Correct. Because the essential element is not the specific technique used: a telephone call, a courier, or whatever. It's the act of misdirection, to which we are all, by virtue of our embodied consciousness, vulnerable. Cocksure posturing is a sure indicator that someone is over-reliant on the subjective perception of risk and is, accordingly, vulnerable to manipulation of that perception through misdirection.

(on preview: see above)
posted by R. Schlock at 10:23 AM on July 29, 2013 [2 favorites]

I have been proud of myself for avoiding scams in the past, but that doesn't mean I've never been or never will be scammed. So good on this guy for publicizing it.

You know what would be helpful is a good book/website on types of scams...for me, but also to teach my kid as he gets older. Can anyone recommend one?
posted by emjaybee at 10:27 AM on July 29, 2013 [1 favorite]

For bank cards, I actually am one of the last who absolutely refuse to have a debit card. The bank sends me a replacement every four years, and every four years I ask them to mail me an ATM card as I shred the new debit card. The idea that I want my actual money to be easily extracted via VISA/MC scares me.

I'm in Minnesota where every debit card transaction get's processed like a credit card and requires a signature (by law). I believe that, in most states, debit card transactions require a PIN so it's pretty secure. If, however, the card were stolen and they used it as a credit card (with a signature so they don't need the PIN) it would be an electronic transaction and you'd be protected under Regulation E just like with your credit card. It's handy to have in case your credit card doesn't work for some reason or you want to by your SO a birthday present without their seeing the transaction on your joint credit card account (which might not apply to everyone). It can be slightly more hassle while fraud is being dealt with since you have to rely on your credit card and that doesn't work to pay for everything but that wouldn't stop me from having one and keeping it locked up at home with the checkbook.

That said, there are so many very good reasons to use your credit card. It makes tracking your budget easier, it's the least hassle if it's stolen, and it can really smooth out your cash-flow so you worry a lot less about what your checking account balance it day-to-day.
posted by VTX at 10:27 AM on July 29, 2013 [1 favorite]

Also, one of the particular tragedies of these kinds of cons is the way they're targeted often at the elderly. Old people are in a uniquely vulnerable situation. They have a lifetime's worth of experiences of having successfully relied on subjective risk assessment. But they're also entering into a new state of declining critical faculties. So it's a perfect combination of actual cognitive vulnerability combined with inadequate self-criticism.

A similar, though less extreme dynamic applies to tourists, people cruising for sex, drunks, and students. All of them are in a temporary state of diminished critical faculties and so are less able to recognize when they're being conned. In Welch's case, he was probably singled out because he was obviously intoxicated. The scammers were counting on his being hung over the next morning.
posted by R. Schlock at 10:33 AM on July 29, 2013

I'm reminded of a customer I had when I was a retail banker. She had this fraud thing figured out. She didn't carry cash since that can be stolen, checks have way too much information on them, and credit/debit cards are stolen all the time.

Instead, she would buy gift cards to the stores where she shopped and only carried those. She put $500-$1000 on each gift card and recharged them when they ran out. I had to think for a long time about how to tell her how dumb that idea was without calling her an utter moron. People have lots of irrational thoughts when it comes to fraud.
posted by VTX at 10:36 AM on July 29, 2013

I believe that, in most states, debit card transactions require a PIN so it's pretty secure. If, however, the card were stolen and they used it as a credit card (with a signature so they don't need the PIN) it would be an electronic transaction and you'd be protected under Regulation E just like with your credit card.

Reg E covers PIN-based transactions, including ATM card transactions, as well as signature-based transactions.
posted by ogooglebar at 10:38 AM on July 29, 2013

Yeah, I thought that was the case but I wasn't certain. I've only every used my debit card outside the state once and was blown away when it asked me for my PIN instead of a signature. I assumed that it was the same everywhere and people only ever used their PINs at ATMs and POS transactions always involved a signature. Then I saw someone buy something with their card, entered a larger amount on the keypad somehow, and the cashier gave them cash. I nearly fainted.

I had also just seen Dr. Pepper sold as a Coca-Cola product, it was a lot to take in at once.
posted by VTX at 10:45 AM on July 29, 2013

Reg E covers PIN-based transactions, including ATM card transactions, as well as signature-based transactions.

Sure, but while you're waiting for your money to return your bank account remains drained of cash. It took the bank ten days to return Andy's money. With a credit card, it not only is not draining anything but the charges are instantly removed.

Having a card that with a signature can be used to access the quickest to liquidize of my assets is what unnerves me. I carry my ATM card around but it's PIN secured so much more difficult, if stolen, to be used to drain my checking.
posted by linux at 10:46 AM on July 29, 2013

I'd like to think I wouldn't be conned in similar circumstances, but once you are assuming that you are speaking to your real bank due to calling their number, the rest is becomes a lot easier to buy. Sure, they *shouldn't* ask you for a password or pin, but within the last few weeks I've had a genuine communication from an institution (not my bank) which asked for my password. Not that I gave it in that case, but I wasn't panicking over lost money either. The courier is the only real tripwire, and in the state of lowered resistance, I could easily see coming up with some "maybe they need to figure out something from the state of the card" justification. That's the trick, after all -- you get a big solid establishment that this is genuine, and then the victim will do much of the work of smoothing out any discontinuities, because that's how human brains work.
posted by tavella at 11:03 AM on July 29, 2013

Yeah, this all sounds silly and obvious, but considering that I was a victim of credit card fraud a couple months back and my bank's actual way of dealing with it seemed like a scam, I'm not going to blame this guy for not knowing better.

When my credit card number was stolen and was used to make fraudulent purchases, I got a text message from the bank asking me if I'd recently bought some thing I didn't buy, and the message told me to call back a phone number that wasn't on the back of my credit card. I got a voicemail immediately after, telling me to call back that same number (which wasn't the number in the caller ID) because they suspected fraudulent charges.

So I logged into my account and saw that there was indeed a big charge on there I hadn't made, and then I called the number they told me to call. I was pleased to be quickly connected with a person who was able to help me sort it out. It all seemed like it was getting taken care of easily and I felt pretty good about it, until I got off the phone with the guy and started panicking that I'd been conned. I googled the phone number I'd just called, and there were a bunch of people saying it was a scam, phishing, etc. They hadn't asked me for a PIN or password, but still. So then I called the number on the back of the card just to make sure this was actually happening, and they confirmed it was legitimate, my card had been canceled and they were sending me a new one, which was all true.

The whole thing was really disorienting. I can totally see how a person not intimately familiar with the fraud procedures of big banks could fall for the stuff the guy here fell for.
posted by wondermouse at 11:05 AM on July 29, 2013 [9 favorites]

No bank needs your PIN to block your account.

Off topic, but fascinating: for 5-10 years in the 1990s, a few rogue employees of one bank in the UK didn't even need your PIN number to withdraw cash from your account, which apparently they did with wild abandon.
posted by ambrosen at 11:08 AM on July 29, 2013 [1 favorite]

destructive cactus wrote: I distinctly recall accidentally tapping the 'hang up' button that gets depressed when replacing the handset and losing whatever call I was on.

If you tapped, rather than held for several seconds, the switch would have interpreted that as a hook flash and given you dialtone so as to allow you to make a three-way call.

linux wrote: I realize others are not in this position, and yet most continue to walk around with debit cards in wallets and purses, and I can't help but wonder if it's simply because of convenience or not realizing ATM cards still exist.

My bank is rather customer friendly, for a commercial bank anyway, and has a policy of crediting back disputed charges immediately so it doesn't really matter to me if someone steals my debit card. If I had to rely on the protection required by law, I'd shred the damn thing, too.
posted by wierdo at 11:09 AM on July 29, 2013

Sure, but while you're waiting for your money to return your bank account remains drained of cash. It took the bank ten days to return Andy's money. With a credit card, it not only is not draining anything but the charges are instantly removed.

Right. I was only talking about the scope of Reg E, not whether it is better to use a credit card instead of a debit card. Reg E usually applies to credit card transactions only at ATM and POS terminals.

Another advantage of credit cards is that (at least with Visa, I'm not sure about other card programs) your card issuer will, under certain circumstances, act as your advocate if you have a dispute with a merchant. This doesn't apply to debit-card transactions, even signature-based ones, which can cause confusion.
posted by ogooglebar at 11:12 AM on July 29, 2013

VTX: Then I saw someone buy something with their card, entered a larger amount on the keypad somehow, and the cashier gave them cash. I nearly fainted.

Ah, you should have seen our supermarket handle Discover Card ("With Cashback Bonus!") back in the day. They were happy to give us crisp $20 bills on top of a $5 purchase because look, it says Cash Back right there, even through it was a regular credit transaction with a signature...

I had also just seen Dr. Pepper sold as a Coca-Cola product, it was a lot to take in at once.

Yeah. Probably this problem?
posted by RedOrGreen at 11:20 AM on July 29, 2013

VTX - Having just spent three weeks in the US, my first time there, i was blown away [1] that every none ATM transaction involving my preloaded VISA chip and PIN card did *not* require a PIN. I bought a brand new laptop, lots of gifts for friends, made several stops for gas, and not once did i encounter a chip and PIN terminal.

Even better was that for each of those transactions not once did the merchant confirm the signature on the back of the card matched the one i scribbled on the receipt. Once i was tempted to sign my name as Mickey Mouse. I know the signature is almost certainly there for chargeback defence to protect the merchant, which wouldn't apply on a debit card anyway; but that's not where the security should be implemented.

On the original post, part of the problem is banks having conditioned people to expect phone calls that ask to "confirm some details". If you get a call that asks this your immediate response should be "no, you called me so i'm not confirming anything" and to put the phone down.

It's like we were told for years not to enter details into any pop-ups that appear on web sites and then MasterCard implemented 3D Secure, at which point the banks had to say "you know that thing we've said for years not to do, yeah you should now do that".

[1] OK, not really. Several years working with card payments and acquiring banks means very little surprises me on this subject. I could tell several tales on utter disregard to card security and even common sense. Maybe another time.
posted by lawrencium at 11:26 AM on July 29, 2013 [2 favorites]

not once did i encounter a chip and PIN terminal

We don't use chip & PIN in the US. Feel bad for the poor American traveller in Europe who has to queue in line to buy train tickets because our cards don't have chips. And god help you if you need to buy gas at an automated pump.

Why don't we use chip & PIN? Because we're stupid. And because US banks would rather accept a bit of fraud than bother upgrading the network.
posted by Nelson at 11:32 AM on July 29, 2013 [2 favorites]

Even better was that for each of those transactions not once did the merchant confirm the signature on the back of the card matched the one i scribbled on the receipt. Once i was tempted to sign my name as Mickey Mouse. I know the signature is almost certainly there for chargeback defence to protect the merchant, which wouldn't apply on a debit card anyway; but that's not where the security should be implemented.

My understanding is that the merchant gets reimbursed for any fraudulent transactions (by their merchant services provider or Visa/MC maybe?) so they don't really have any skin in the game. I actually get annoyed when the cashier makes me hand over my card so they can "check the signature". They aren't protecting me since my bank will reimburse me for any fraud. Most of the time, they don't really look at it and even if they do I doubt they could spot a forged signature anyways. If you signed it and made it look wrong on purpose, I doubt you'd get confronted about it or asked for an ID or anything. They don't get paid enough to have that kind of awkward confrontation.

Heck I worked in a retail bank and had to tell another banker's customer that we couldn't open an account for them. The only ID they had was a "Notary Public ID" (which doesn't exist) and the banker wanted avoid the confrontation enough that they asked me to do instead and preventing fraud is supposed to be a big part of the job.
posted by VTX at 11:46 AM on July 29, 2013

If you were African-American in the US, your signature would be checked and you would have to show two other forms of ID. At least that's my experience when out shopping with my very respectable-looking African-American friend.
posted by Peach at 11:58 AM on July 29, 2013 [2 favorites]

If only there were a way to test how long the call persists for *racks brain*

If only every phone had a built-in display.

Not knowing the standard procedures -- and not being made aware of them -- creates a social vulnerability. Perhaps every card activation ought to include a run-down of the procedures and the information you'll be expected to provide when reporting fraud or a lost card, a bit like the airline safety check. (Seasoned flyers may now tune out of that, even if there's a quirky video, but they know how it works.) Downside is that it only works if the bank doesn't change its procedures.

Perhaps customers should require their banks to provide them a password? That's a trickier implementation, but if it's asymmetrical, and the bank-to-person password doesn't have any authentication power the other way, then perhaps it helps in these situations.
posted by holgate at 11:58 AM on July 29, 2013

I keep trying to stick my chip into the chip readers when I use my credit card in the US which confuses everyone. I also had someone look at my signature which was a blurry sharpie mess and not terribly useful to compare to my digital signature.

I like chip and pin, which is also useful for those times you need to lend or borrow a credit card.
posted by jeather at 11:59 AM on July 29, 2013

My understanding is that the merchant gets reimbursed for any fraudulent transactions (by their merchant services provider or Visa/MC maybe?) so they don't really have any skin in the game.

As far as Visa goes, if the merchant is presented with a signed, unexpired card, and obtains an authorization and a signature, they have no liability (I imagine MasterCard has similar rules). The cardholder has no liability for fraudulent transactions. The risk is carried by the card issuer (the bank or other financial institution whose name is on the card).

I doubt they could spot a forged signature anyways...They don't get paid enough to have that kind of awkward confrontation.

Exactly. A lot of merchants can't afford to train their staff to be proficient in spotting forged signatures. They'd stop accepting credit cards and lose some sales rather than take on the risk on fradulent transactions.
posted by ogooglebar at 12:01 PM on July 29, 2013

I'm in Minnesota where every debit card transaction get's processed like a credit card and requires a signature (by law).

What law is this? I live in Minnesota and always enter my PIN at stores unless they absolutely only accept credit. I never go to a standalone ATM anymore because I can as you say:

Then I saw someone buy something with their card, entered a larger amount on the keypad somehow, and the cashier gave them cash. I nearly fainted.

I do this all the time all over the Twin Cities. I wonder if you don't see the option because your bank prohibits it or what.

This would have raised flags for me (I hope) but yeah I can't say I wouldn't have been sucked in because they went to such lengths and my bank does pretty weird stuff sometimes. The courrier though is a bit wild.
posted by Clinging to the Wreckage at 12:13 PM on July 29, 2013

My understanding is that the merchant gets reimbursed for any fraudulent transactions (by their merchant services provider or Visa/MC maybe?) so they don't really have any skin in the game.

I'm not sure how it works with card-present transactions, but with card-not-present transactions preventing fraud is a big deal for merchants as chargebacks can be costly. There are also thresholds for fraud levels that, if crossed, can lead to merchants having their accounts terminated by the acquiring banks.

In the Apple store i struggled to sign on the little screen the store employee presented me with. The signature didn't look much like it usually would with a pen and paper. My card issuer actually held the transaction, if i were less honest (and also stupid) i could have disputed it.

It's a balancing act for the acquirers, issuers, and card schemes. And as Nelson says, fraud is acceptable if the cost of the fraud is lower than the cost of implementing better security. Sucks if you're the victim though.
posted by lawrencium at 12:15 PM on July 29, 2013

Oh, I disagree entirely. You're thinking of it as a lesser form of hacking. I think it's mugging cubed. This required no technical no how beyond the phone hang up trick. Otherwise it's got almost the same profile as a mugging --- stalk a victim at an ATM and follow them. But instead of using a knife to get him to handover his wallet --- with all the additional physical and criminological risks that entails --- he was able to use a phone and a couple hours worth of sweet talk to score over £5,000. And it was quick and dirty --- setting up fake credit accounts requires days or weeks of back and forth before you get cards, and you have to give an address which can be linked to you. No setting up bots or cracking passwords or anything. Anybody could do this.

Ehhh, I don't know about that. They have to follow a guy at an ATM, they have to follow him back to his house, they have to do research to construct a convincing amount of held information that a bank could conceivably have, they have to involve more people to act as couriers, they have to script, plan and time phony (heh) phone conversations that exploit the hang-up feature of the telephone system. I don't know exactly about UK law, but instead of a single charge (pointing a weapon and stealing property) you have following, conspiracy, and fraud. You have a HUGE time sink in physically following the guy, and you've actually shown your face to him via the courier. You have to cut in your co-conspirators as well.

Plus, a mugging is an every day occurence, and if you get away with it initially then you probably get away with it. Once you start fucking with the trust relationship between major financial institutions and they're customers (and force those institutions to eat the losses on the money you've stolen) you're starting to fall under the watch of more powerful people.

I would also argue that not 'anyone' could do this. A lot of the stuff they did indicates a familiarity with the fraud protection system. This wasn't something that was done spur of the moment (as a mugging may be), this was premeditated.

That seems like a crazy amount of effort and risk for five thousand pounds.
posted by codacorolla at 12:25 PM on July 29, 2013 [3 favorites]

What law is this? I live in Minnesota and always enter my PIN at stores unless they absolutely only accept credit.

In particular, CVS runs debit cards as debit cards (well, to be precise, you get to choose whether to do it as credit or debit). Target seems to run them as credit cards, but it might depend on when you swipe the card (while the cashier is scanning items or after) or just whether it's over/under $25. I've definitely been at Target intending to get cash back and failed because it went through as a credit card transaction.
posted by hoyland at 12:27 PM on July 29, 2013

hoyland: I've definitely been at Target intending to get cash back and failed because it went through as a credit card transaction.

Can you or someone else explain how this works? I'm kind of baffled here. I'm in the UK, and I have a debit card that is tied to my current account – the account my wages are paid into – so if I want to buy something with said card, it's dependent on me having the money in my account. (If it's not, the transaction is declined.) Whenever I've had a credit card, it's been completely detached from my current account; it's been a totally separate thing (more than once, it's been with a totally different bank to where I have my current account).

So if I bought something on a credit card, I'd get my monthly statement afterwards, and I'd transfer some money from my current account to my credit card account to cover anything from the minimum monthly fee to paying it off in full. But you seem to be saying that in the US, there are some cards which can function both as credit cards and debit cards, depending on how the retailer processes the transaction? That's just ... nuts, from where I'm sitting. It sounds like a recipe for disaster and/or getting your finances completely screwed because you can't remember which purchases went through as debit card transactions and which went through as credit card ones.
posted by Len at 12:46 PM on July 29, 2013 [1 favorite]

The law (or maybe just the interpretation of it) must have changed then. As I recall, there was some kind of dispute about different fees charged to merchants between PIN based transactions and signature based ones. The end result is that cards issued in Minnesota had the PIN functionality turned off.

If I took my MN issued debit card to South Dakota (where, as I later learned, Dr. Pepper is a Coca-Cola product because of an anti-trust suit, RedOrGreen) and tried to use it as a debit card and enter my PIN, the transaction failed. I've seen people with debit cards issued in other states enter their PINs at stores in Minnesota and cashiers here didn't know what was happening. I still see the little card reader boxes in stores here with instructions on them telling everyone to press the "credit" button even when they're using their debit card.

The last time I tried using my debit card and PIN was after we got back from our trip to the black hills in 2003-ish so my information must be out-of-date. I found reference here of a law seeking to change things either to allow PIN-based transactions with debit cards or to require it.
posted by VTX at 12:49 PM on July 29, 2013

Also, my credit's been so ruinously screwed for years that there's no way I'd ever get a credit card. But even though I've got the most basic, you-are-a-financial-idiot-who-should-never-be-trusted-with-even-a-£1-overdraft, I still get a debit card. (Yay for the Cooperative bank!) I'd just never understood them as being interchangeable entities.
posted by Len at 12:50 PM on July 29, 2013

We don't use chip & PIN in the US. Feel bad for the poor American traveller in Europe who has to queue in line to buy train tickets because our cards don't have chips. And god help you if you need to buy gas at an automated pump.

Why don't we use chip & PIN? Because we're stupid. And because US banks would rather accept a bit of fraud than bother upgrading the network.


Actually, EMV cards (the industry preferred term for chip and pin) are becoming more commonplace in the U.S., and the credit card companies (Visa/MC/Discover/Amex) have already announced EMV conversion plans. Liability shift dates can be found here.

This information brought to you by the ridiculous 45 minute meeting I had to endure last week about liability shifts for MasterCard, because it pertains to my job. Ugh. So boring.
posted by palomar at 12:50 PM on July 29, 2013 [3 favorites]

I think it has something to do with retailers wanting to avoid various card transaction fees, but yes, it is pretty commonplace to have a debit card with a Visa or MasterCard symbol on them that can function as a regular credit card.
posted by elizardbits at 12:50 PM on July 29, 2013

@Len: At the register, we have a little box to read the card's magnetic stripe (and some will read the RFID chip if you have one) with a keypad. You swipe the card and can press a button labeled "Debit" or one labeled "Credit". If you press debit, it asks for your PIN (and I assume an amount you want to authorize where you enter a larger amount and get cash-back). If you press credit, you sign (usually an electronic pad with a stylus).
posted by VTX at 12:53 PM on July 29, 2013

Also; I've never heard of the calling-party landline thing, either.

I knew about it. It was the first thing I thought. And I knew about it because of reading it somewhere on Metafilter! I think in AskMe but I couldn't find where it was.
posted by Obscure Reference at 12:56 PM on July 29, 2013

VTX & elizardbits:

Wow, that seems like an insane system, ripe for fraud. We haven't had signature-only confirmation for purchases in the UK for maybe about 10 years now; in person, everything – credit or debit – has to be confirmed with a PIN.

I work in a call centre, and spend most of my day processing payments from peoples' debit and credit cards over the 'phone. We have to take the 16-digit card number, expiry date and security code; in addition to that, we have to indicate on the payment system what type of card it is: Visa or Mastercard; and also whether it's credit or debit. It won't let me process the payment if the type of card selected from a menu doesn't match up to the first few digits of the 16-digit card number. The first six digits indicate both the issuing bank, whether it's a credit or debit card, and what level of account it is tied to; e.g. any card whose number begins 4751 30 is a Natwest Visa debit card. If I try and process a transaction for a card that beings 4751 30, and mark it as a credit card, it won't let me complete the transaction.
posted by Len at 1:08 PM on July 29, 2013

odinsdream - no, it was held because it was a high value transaction. By which time it was a day later and i was 300 miles away with laptop in hand. I could have disputed the transaction because i know the signature was a poor match, but like i say that would be dishonest (and stupid).
posted by lawrencium at 1:11 PM on July 29, 2013

I could have disputed the transaction because i know the signature was a poor match, but like i say that would be dishonest (and stupid).


It also wouldn't be a valid dispute reason, unfortunately. I process disputes as a major part of my job -- anything in the signature field counts as a signature. I've requested draft copies from merchants, received back a copy of a receipt with a smiley face or "YOU BEEN HAD" in the signature field, and had to go back to the financial institution I'm processing for and tell them, sorry, per Visa/Mastercard's regulations this counts as a signature and we can't move forward with a chargeback.
posted by palomar at 1:19 PM on July 29, 2013 [1 favorite]

per Visa/Mastercard's regulations this counts as a signature and we can't move forward with a chargeback

True, the merchant has no liability. At that point, the dispute is between the issuer and the cardholder. If lawrencium were able to convince the issuer that the transaction was fraudulent, the issuer would eat the charge.
posted by ogooglebar at 1:27 PM on July 29, 2013

For phone based transactions, we'd have to provide the same information and I'd bet the same kind of checks are in place.

When you're at a store the cashier does, in theory, have the ability to check your ID if they're suspicious of the transaction. They just don't get paid enough to care. The system is ripe for fraud but I, as a consumer, don't care because it doesn't directly affect me. If someone steals my card (or clones it), I just call me bank and dispute the transaction(s) and I'll get my money back every time. It's mostly bank/Visa policy that drives it.

Even if their policies changed, as long as I report my card stolen within two days, I'm only on the hook for the first $50 and the bank has to assume that the transaction was unauthorized unless they can prove otherwise.
posted by VTX at 1:29 PM on July 29, 2013

Ehhh, I don't know about that. They have to follow a guy at an ATM, they have to follow him back to his house

That's exactly what they'd have to do to mug him, maybe you have to follow him a little further to see the house, but I don't think it's be super hard to watch for drunks say, coming out of a bar or a subway stop and hitting an ATM.

they have to do research to construct a convincing amount of held information that a bank could conceivably have

The only difficulty I see is with the name, and even then you have a fair shot. Not sure what public records are available in the UK. Reverse address lookup to get the landline. Or google the address, or search land records, or grab an envelope out of the bin. Or bluff: "Am I speaking to the account holder for the HSBC checking account associated with this address? Did you take out money from this ATM? Did you then by a bunch of stuff at the Apple store? Sir, you've been the victim of identity theft..." Etc. Then when he calls the bank -- off the number on his own bank card, mind --- you can get him to reveal his name and all the rest of it. I don't think "hours of research" is in it at all.

they have to involve more people to act as couriers

Two's all that's required. One to keep him on the phone, one to pick up the card.

I don't know exactly about UK law, but instead of a single charge (pointing a weapon and stealing property) you have following, conspiracy, and fraud.

"Following" is not a crime I'm aware of. I'm no expert in criminal law either, especially UK law, but as far as I'm aware common law practice is that violent crime faces much stiffer penalties than non-violent crime. Mugging someone with a knife is armed robbery, a violent crime. Plus there's the physical risk to the criminal --- victim might flip out and fight back, you might have to stab him. And the most money you'll get out of it is max £500 bucks. Unless you're willing to hold him a knife point and transport them to another ATM.


You have a HUGE time sink in physically following the guy, and you've actually shown your face to him via the courier. You have to cut in your co-conspirators as well

Dude got followed home from a subway stop; unless the thief is for some reason plying his trade at a deserted suburban stop, it's probs a max 25 min walk, and likely much less. Way more time investment than a typical mugging, to be sure. But way, way less time than typical identity theft, where it may take several business days to open new accounts and get new cards to start racking up charges.

Once you start fucking with the trust relationship between major financial institutions and they're customers (and force those institutions to eat the losses on the money you've stolen) you're starting to fall under the watch of more powerful people.

Who do you think runs HSBC, Batman? £5,000 is a dust speck inside the 0 of the rounding error of their multi-billion bottom line.


i would also argue that not 'anyone' could do this. A lot of the stuff they did indicates a familiarity with the fraud protection system. This wasn't something that was done spur of the moment (as a mugging may be), this was premeditated.

More familiar than anyone who's ever called their bank about a suspicious charge, or been called by them? Like what?

That seems like a crazy amount of effort and risk for five thousand pounds.

People risk death and years in jail for £500 or less when they mug someone. According to wiki, the average salary for the UK is around £20,000 a year. The thieves made a quarter of that for maybe 3-4 hours work, plus the cost of a burner phone, and if they're especially clever, a motorcycle helmet and fake ID for the "courier".
posted by Diablevert at 1:30 PM on July 29, 2013

Dude, you're crazy if you think this was 3 to 4 hours of work or equivalent with mugging in any way other than the criminal got money out of it.
posted by codacorolla at 1:48 PM on July 29, 2013

Though Mr. Welch encountered fraudsters pretending to be bank officials, he was lucky not to meet criminals pretending to be police. I don't know if you have those in England.
posted by bad grammar at 1:49 PM on July 29, 2013

Nelson wrote: And because US banks would rather accept a bit of fraud than bother upgrading the network.

It has less to do with upgrading the network and more to do with making it as easy as possible for the end user to use the card instead of cash (or a check, for that matter). Swipe fees are big money in and of themselves, not to mention the good chance the issuer will get to charge some interest. Same reason why the Visa/MC merchant agreements forbid merchants to check ID on a card that has been signed. Amex does not have this clause, but does have a clause that requires merchants to place no more restrictions on the use of an Amex branded card than any other card the merchant accepts, so the Visa/MC no id rule applies to Amex at the vast majority of merchants.

Visa ran an enormous ad campaign in the late 90s touting how debit and credit cards were so much easier than writing checks because no ID is required.

Also, merchants don't get reimbursed for fraud if they don't have a matching signature unless the transaction is under the limit for them to require a signature. ($25 last I checked) Not only do they get the money clawed back, but they usually have to pay a dispute resolution fee to their merchant account provider, adding insult to injury.

Oh, and to reduce confusion, if you enter a PIN you are using it as an ATM card, processed over a network like PLUS or Star at a fixed fee. You can indeed take an ATM card bearing the logo of one of the ATM interchange networks and use it at any merchant that accepts ATM cards (which they inexplicably refer to as "debit" cards). If you sign, the transaction is being processed through the credit network at a smaller fixed fee plus a percentage of the total, just like if you used a "real" credit card.
posted by wierdo at 1:49 PM on July 29, 2013 [4 favorites]

Dude, you're crazy if you think this was 3 to 4 hours of work or equivalent with mugging in any way other than the criminal got money out of it.

I'm not understanding what you think would take so long about it. All you have to do is find a busy subway stop with a bank nearby (so...pretty much all of them). Hang around for a few hours around pub closing time collect some addresses. Go home, few minutes of googling to collect the phone numbers and if possible the names associated with those addresses. Call 'em up the next day and run the con, and when you've got one on the hook, text your buddy the courier to come by and pick up the card. Bit of luck, you could pull this scam off three or four times in the same day in the same neighbourhood.

What are you seeing that would take a long time?
posted by Diablevert at 2:05 PM on July 29, 2013

I am honestly stunned that someone who can say this about themselves would fall for so shoddy a bit of social engineering. It is completely baffling to me that anyone would not find this unbelievably suspicious. Since when has a bank offered this much help? Sending a fucking courier to collect your card to check your card's chip? Are you kidding?

Don't assume because you're smart that it would never happen to you. The dude writing the article is plenty smart, I'm sure.

Me, I got scammed once when I was 19 and I'm really glad I was.

I was working at a video parlour back when they had such things and this dude walked in, spun me a yarn about how he'd won a bunch of cash, pretended he'd give me a wad of cash, played a couple of rigged games, got $50 off me, shook my hand and waltzed out of my life.

I'm not a stupid person. I even knew I was being scammed, on some level. But he still took $50 off me and walked away.

Knowing there are people who can and will do that, and what it feels like (incidentally: prickly skin and foggy brain) is an experience that is worth way more than $50 to me.
posted by Sebmojo at 3:37 PM on July 29, 2013 [1 favorite]

The amount requiring verification varies quite a bit. My grocery store or gas station seldom needs a signature on a credit card for purchases up to at least 100US, while most small retail stores seem to need a signature at around 25.

Some years ago, I had a small retail store, and called in a sketchy credit card. It was in the name of a good friend, and the address was the same, but the friend hadn't been in. The customer came back, spent more, and I called it in a 2nd time. It was approved again. The sketchy guy was my friend's neighbor, stole her mail, and applied for a bunch of credit cards. When they arrived, he went on a shopping spree. The Post Office sent an investigator, and he pled guilty to mail fraud. No idea of the sentence. The lesson for me was - banks don't care all that much about security.

The credit card industry is extremely profitable - they get 3% or so from every transaction. They care about large scale security, because it gets costly. If banks were more efficient and more careful about security, perhaps that transaction cost could be reduced. It's a pretty massive tax, but the store pays it, and passes along their costs, so the customer doesn't feel it.
posted by theora55 at 3:48 PM on July 29, 2013

My credit union debit card doesn't have a phone number on it. Their site doesn't have a number to call in case of a lost or stolen card. I find this both puzzling and inconvenient.
posted by theora55 at 3:49 PM on July 29, 2013

My credit union debit card doesn't have a phone number on it.

My former credit union didn't have credit card support on weekends so they'd sometimes just cancel my card because I was traveling (and not always awesome at telling them where I was going) and then it would take days to sort it out. I just watched Identity Theft yesterday and was surprised at how much I was all "That would never work!" at a lot of the stuff (the plot revolves around a few improbable "we can't do the normal thing you'd do because of $REASONS" scenarios) and at the same time I see my 86 year old landlady have a really hard time navigating online purchasing and other things where there's some overlap of security/money/security theater.

I think the thing that has kept me the safest is having an account at a little no name bank so that every time I get an email from "Bank of America" I can safely ignore it and any time my bank sends me a dumb email about something I can just call them to figure out what is going on. They make you sign up with a "security phrase" that every email you get from them will come with. Mine is "I am from the government and I am here to help!" at least it gets my attention every time.
posted by jessamyn at 5:03 PM on July 29, 2013 [3 favorites]

scolbath: Folks, the reason for the delay is to give landline users the opportunity to change the extension they are using when they are the only person in the house.

odinsdream: This isn't the way the phone system works in the U.S., as far as I know

This absolutely is how landlines have worked in the US since I was a kid, and the explanation I'd always heard was what scolbath said. (I probably read about it in some phreaker textfiles or other telco wonkery thing ages ago.) I guess I could retest it next time I'm near an actual land line, but right now I just have cell phones and VoIP lines near me.
posted by hattifattener at 7:16 PM on July 29, 2013

Since I seem to be the only MeFite with a landline in the US who's enough of a dork to phone themselves, I can tell you that it does work in Minneapolis. I only hung up the phone for five seconds, though, so I don't know how long you'd stay connected.

What's interesting is that most of us didn't know this, despite scolbath's explanation. Growing up (at least before the advent of cordless phones), you'd just leave the phone off the hook in one room and go hang it up when the call was over, assuming you remembered.
posted by hoyland at 7:38 PM on July 29, 2013

They make you sign up with a "security phrase" that every email you get from them will come with.

Oh, that's what I was looking for upthread. Make the bank authenticate itself to you.
posted by holgate at 8:29 PM on July 29, 2013

These guys were pros. And in the same situation, you'd fall just as hard as he did.

No, I really don't think so. I mean, it's a good scam that leverages people's learned security practices (call the number on the back of the card), but the whole tin foil and courier thing is just patently ridiculous.

As for phone switches not hanging up, it must be a regional thing. It hasn't worked on any phone line I've used since probably the early 1980s. There must still be some really old phone switches out there in the wild. And I still think I could tell the difference between a phony dial tone and a real one. But I may be the last person on earth who listens for a dial tone before attempting to dial my number.
posted by gjc at 9:37 PM on July 29, 2013

The amount requiring verification varies quite a bit. My grocery store or gas station seldom needs a signature on a credit card for purchases up to at least 100US.

I once signed a receipt "I STOLE THIS CARD" to see what would happen. Nothing. Cashier accepted it, never heard from the bank.
posted by nathancaswell at 6:17 AM on July 30, 2013 [2 favorites]

I always sign some wacky thing on my receipts here in California. I was inspired by The Credit Card Prank by John Hargrave. Sadly, zug.com seems to have gone away, and The Wayback Machine is only so-so at images, but this gets the idea across.

"I don't sign my credit cards. Once I went to check into a hotel and the girl checked the back of the card and said it wasn't signed. I signed it there in front of her, and she checked it with the register receipt I also signed in front of her. THANK GOD THEY MATCHED!"

I've been signing as a grid or block of ink lately, but on re-reading this, I think I'll be signing "Ra" more often.

I also appreciate Rob Cockerham's Torn Up Credit Card Application.
posted by Hello Dad, I'm in Jail at 2:06 PM on July 30, 2013 [1 favorite]