Topic: Unauthorized transaction on my debit card done without 3d secure. Who is liable?
Amitabh S (OP)
March 10, 2013, 09:39:11 AM
Last edit: March 11, 2013, 03:41:16 PM by Amitabh S
 #1

I have an Indian debit card and it has all the "3d secure" stuff, which I always use. However, on some sites (mostly overseas ones) I made some online purchases and they went through without going through the 3d secure process.

Yesterday I had two unauthorized transactions on my debit card of a significant amount done on a US site. I contacted the bank immediately and also the site where the tx was done. Both assured me that "it will be taken care of". Today morning the bank calls me and says that "there is a chance that you will not get your money back since it is not a transaction done by you but by someone else." (wait, wtf??)

I am 100% sure my IPIN (the thing needed for 3d secure) is not compromised as I don't store it on my computer and it is fairly complex to guess. Therefore it was one of those transactions without IPIN.

Who is liable in such a case?

Coinsecure referral ID: https://coinsecure.in/signup/refamit (use this link to signup)
MysteryMiner
March 11, 2013, 01:41:50 AM
 #2

Quote
Who is liable in such a case?
You, because of having a damn trojan on your computer!

Seriously, make sure your PC is clean and any other PCs from which you made purchases. Most purchases are made without 3D Secure even if the 3D password is also intercepted.

Check your bank contract for who is liable in case of unauthorized purchases.

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
repentance
March 11, 2013, 05:44:47 AM
 #3

The Terms and Conditions of your debit card account will detail the extent of your liability for unauthorised transactions.  These are updated fairly often and you agree to any changes by continuing to use the card.  

Anything we told you would just be a guess based on our own experience and our local banking regulations.  You need to sort this out with your own bank and if they say they're not going to cover the loss, then get them to put their reasons why in writing.  You may have some recourse through a banking regulator if they're in breach of their general obligations but it's also possible that your bank's Terms of Service impose specific obligations on you in order for you to avoid liability for unauthorised transactions.

More generally, I've noticed a lot of banks are becoming much tougher on the customer liability issue, especially with regard to chipped cards.

If you haven't done so already, you should cancel your card and have a new one issued.  You should also change any passwords/PINs/secret questions, etc associated with the card.  You might want to consider setting your account to require a one-time SMS token for every transaction until such time as this is sorted out.  For the moment, assume everything is compromised and ensure that transactions can't be authorised without something only you can provide (SMS token or Yubikey authentication).

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
luv2drnkbr
March 11, 2013, 10:11:39 AM
 #4

Even if you don't have debt, you should use a credit card for most purchases and just pay it off every month.  Then, when shit like this happens, you're not stuck with the money being gone from your bank account, and you can fade a few months of fraud investigation before getting your money back.  Credit cards are evil, but they do have their uses.

Amitabh S (OP)
March 11, 2013, 11:54:53 AM
 #5

Ok so I am almost certain there is no trojan/virus on my computer. It seems godaddy.com was again hacked recently. The only place I have used this card in the last 3 months was at godaddy.com to get a domain name. (no 3D secure that time as well). It is unlikely to be a coincidence that after a week of my purchase, my debit card number got compromised. The card was used without 3D secure password.. just the Exp date and the CVV were used to validate it. I can be certain of this because I don't store the 3D secure password on my computer.

davout
March 11, 2013, 12:01:19 PM
 #6

In France you're not liable if 3D Secure wasn't used. Banks try to avoid taking responsibility but they legally have to.
Hopefully the law is similar where you are.

I'm not really sure about the liabilities when 3D Secure was used, but that's not really your case.

vite
March 11, 2013, 12:12:12 PM
 #7

If your bank allows it, try not to have a balance or just keep a minimum required balance on your debit card and transfer accordingly as needed. That way if your card is compromised, the unauthorised transactions are likely not to go through.

Try to ask the bank and company where the transaction originated, in relation to you, meaning that if you can prove you were not in the area the transaction took place, then it cannot have been you.
davout
March 11, 2013, 12:49:02 PM
 #8

Quote from: vite
Try to ask the bank and company where the transaction originated, in relation to you, meaning that if you can prove you were not in the area the transaction took place, then it cannot have been you.

Unfortunately banks just don't work that way.

vite
March 11, 2013, 01:04:22 PM
 #9

Quote from: vite
Try to ask the bank and company where the transaction originated, in relation to you, meaning that if you can prove you were not in the area the transaction took place, then it cannot have been you.

Quote from: davout
Unfortunately banks just don't work that way.

Depends on what country you're at...
davout
March 11, 2013, 01:14:47 PM
 #10

Quote from: vite
Try to ask the bank and company where the transaction originated, in relation to you, meaning that if you can prove you were not in the area the transaction took place, then it cannot have been you.

Quote from: davout
Unfortunately banks just don't work that way.

Quote from: vite
Depends on what country you're at...

Not really, if a bank isn't legally obliged to take money out of its pocket it won't.
That's what banks do. They'll sometimes go around this and waive some fees for example, but that'll be because you're a high value customer to them and that they expect to make it back somehow.

vite
March 11, 2013, 01:37:05 PM
 #11

Quote from: vite
Try to ask the bank and company where the transaction originated, in relation to you, meaning that if you can prove you were not in the area the transaction took place, then it cannot have been you.

Quote from: davout
Unfortunately banks just don't work that way.

Quote from: vite
Depends on what country you're at...

Quote from: davout
Not really, if a bank isn't legally obliged to take money out of its pocket it won't.
That's what banks do. They'll sometimes go around this and waive some fees for example, but that'll be because you're a high value customer to them and that they expect to make it back somehow.

Well, I am not a high value customer compared to other bank clients' volume, but, yes if I have unauthorised transactions in my card, and I show them proof that they were not done by me, then yes they will reimburse and chargeback. Not sure if it's because of the competition or if the banking law forces them to. Though banks in Panama regulate themselves in a decentralized fashion.
BitcoinINV
March 11, 2013, 01:42:14 PM
 #12

I work with 3d secure, the thing about it is....... Ready?  They protect the merchant not the buyer. The merchant is 100% covered when they use this; it has nothing to do with the consumer.

Amitabh S (OP)
March 14, 2013, 03:40:15 PM
 #13

Quote from: BitcoinINV
I work with 3d secure, the thing about it is....... Ready?  They protect the merchant not the buyer. The merchant is 100% covered when they use this; it has nothing to do with the consumer.

I made a call to Citibank (the bank in question) as a "pretend" customer to find out their liability. One of their people called me and said that online transactions are secured using 3d secure, but what about if a merchant does not use it? Who is liable.. That is my question. I could not get an answer to that.

On a sidenote, I'd advise people to stop using their (Citibank) debit cards for online banking. I learned this the hard way.

BitcoinINV
March 14, 2013, 03:43:58 PM
 #14

It is the merchant's responsibility all the time, they have to prove you authorized the purchase.

Amitabh S (OP)
March 14, 2013, 03:46:13 PM
 #15

Quote from: BitcoinINV
It is the merchant's responsibility all the time, they have to prove you authorized the purchase.

Is there a sureshot way to prove that 3d secure was not used?

BitcoinINV
March 14, 2013, 04:03:20 PM
 #16

Go to the site where the purchases were made, go all the way through the check out but do not pay. If the Verified by Visa or MC is displayed it was used. If not then you should win the chargeback.

davout
March 14, 2013, 04:19:02 PM
 #17

Quote from: vite
Well, I am not a high value customer compared to other bank clients' volume, but, yes if I have unauthorised transactions in my card, and I show them proof that they were not done by me, then yes they will reimburse and chargeback. Not sure if it's because of the competition or if the banking law forces them to. Though banks in Panama regulate themselves in a decentralized fashion.

What I say is in the context of French law. If you are billed a purchase that was unauthorized the bank *has* to refund you, you do not have to prove the transaction was not authorized. The rationale behind it is that if you did not input your PIN for a transaction the burden of proof is on the merchant, not on you.

What I'm trying to say is that your bank would probably have refunded you even without proof because (at least where I live) they are legally obliged to.

I think it stems from the fact that credit/debit cards are inherently insecure because you can pull money from them simply by knowing some digits, there is no authentication in the payment mechanism when you simply pay on the internet. I assume this legal obligation has been lobbied for by Visa/Mastercard because if it weren't so the insecurity of this payment scheme would be extremely obvious and no-one would want such a card.

Of course, I don't know anything about the laws in your country but I'd tend to assume they are somewhat similar in this respect.

Quote from: BitcoinINV
I work with 3d secure, the thing about it is....... Ready?  They protect the merchant not the buyer. The merchant is 100% covered when they use this; it has nothing to do with the consumer.

From the consumer point of view it is much harder to reverse.

Quote from: BitcoinINV
It is the merchant's responsibility all the time, they have to prove you authorized the purchase.

Which is exactly what 3DS is for.

Quote from: BitcoinINV
It is the merchant's responsibility all the time, they have to prove you authorized the purchase.

Quote from: Amitabh S
Is there a sureshot way to prove that 3d secure was not used?

Yes, well actually it's the opposite, you can prove that the transaction authorization was done with 3DS.

Quote from: BitcoinINV
Go to the site where the purchases were made, go all the way through the check out but do not pay. If the Verified by Visa or MC is displayed it was used. If not then you should win the chargeback.

You are correct for Visa, however, in MasterCard terminology it is called MasterCard SecureCode.
Keep in mind that the protection offered by 3DS varies with the country of the buyer. If you want to guarantee a payment, simply relying on 3DS is not sufficient.

Annie Wright
April 16, 2014, 06:42:50 AM
 #18

3d Secure Code is for protection.
Anyhow if you feel that it was an unauthorized transaction, you can always report such transactions on:
http://www.vcharges.com/
Amitabh S (OP)
July 20, 2014, 04:52:16 PM
Last edit: July 20, 2014, 05:09:38 PM by Amitabh S
 #19

I found the culprit site. It is Aliexpress!!!
I used the card at AliExpress that time. And recently I used it again, and the same thing happened!! I had not used this card anywhere else.

The good news is I was able to chargeback both times.

Unfortunately AliExpress has a lot of things that we can't find anywhere else, so I may have to use it again. The solution is to cancel the card immediately after shopping there.


dariuss
July 20, 2014, 04:57:22 PM
 #20

Yeah, I was about to say can't you just charge these back like you did already.

I never worry about these things cause I explain to my bank and they confirm it's not me.

For aliexpress, you should use a pre-paid debit card? so they can't charge anything on there unless it's loaded.