$16K Fraud with HSBC Star Alliance Credit Card

I absolutely understand how it works. The card issuer bears the cost of a fraudulent transaction unless they find a way to pass the cost on to someone else (the merchant).

And the thing is that a fraudulent transaction is the easiest chargeback of all to prove, and so it is passed back to the merchant, or if the merchant can't be made accountable, the merchant's bank.

The OP was annoyed with the card issuer for two reasons: One - it took 3/4 of an hour to get through to customer service, and Two, they let through 3 high value transactions, but now require him to authenticate low value transactions. I found that pretty clear. <redacted>

Read the rules: https://www.visa.com.au/content/dam/VCOM/download/about-visa/visa-rules-public.pdf

4.1.13.1: In the AP Region, Canada Region, CEMEA Region, LAC Region, US Region: An Issuer must provide provisional credit for the amount of a dispute or an unauthorized Transaction (as applicable) to a Cardholder’s account, as follows:


That means the OP should get their provisional credit within 5 business days.

11.7.3.5 Dispute Condition 10.2: EMV Liability Shift Non-Counterfeit Fraud – Dispute Processing Requirements


Or

11.7.5.1 Dispute Condition 10.4: Other Fraud – Card-Absent Environment – Dispute Reasons


All HSBC has to do is provide the customer's certification that they didn't authorise the charge. This fraud was clearly either card not present, or someone is using saved credentials.

Please read the rules and explain how HSBC will end out of pocket?
 
However, I can't essentially use the card as all my credit limit is exhausted. 2 days after all 3 transactions have been posted on the statement. According to the fraud department, the investigation can take up to 60 days!

You should get the money back in your account, reducing your balance (albeit held, until the dispute is resolved) within 5 days:

4.1.13.1: In the AP Region, Canada Region, CEMEA Region, LAC Region, US Region: An Issuer must provide provisional credit for the amount of a dispute or an unauthorized Transaction (as applicable) to a Cardholder’s account, as follows:



@mpogr If they haven't credited the money / reduced the balance in five business days - call them and point them to the Visa Rules
 
Agree with BJReplay.

It’s perfectly open for a customer to be cross with the bank, for the reasons outlined. Length of time it takes to get through, allowing the transaction to go through, etc.

It’s pretty much a given that unauthorised transactions get refunded to the customer. Nothing to be ‘thankful’ to the bank about for that. It’s the risk they accept in offering these very profitable products. And they have the power to stop them. Which they don’t want to do for fear of offending their customers.
 
You should get the money back in your account, reducing your balance (albeit held, until the dispute is resolved) within 5 days:

4.1.13.1: In the AP Region, Canada Region, CEMEA Region, LAC Region, US Region: An Issuer must provide provisional credit for the amount of a dispute or an unauthorized Transaction (as applicable) to a Cardholder’s account, as follows:



@mpogr If they haven't credited the money / reduced the balance in five business days - call them and point them to the Visa Rules
Thanks for this valuable info, I will definitely do this. It's already 5 calendar days since I reported the fraudulent transactions. 5 business days will be on Tue.
 
<Cybersecurity Professional Mode>
For those getting confused about the situation, there are 2 unrelated issues here:
1. Criminals got hold of my CC details and used them. Difficult to determine how this has happened, as the details have been provided to many merchants, including pay aggregators like Google Pay and PayPal. This is exactly the reason I always prefer using PayPal if possible, to minimise places where these details get exposed. Specifically, regarding the payment for the UK ETA, I used the Android app provided by them. It's published on Google Play and has all signs of authenticity. And I was granted the ETA, as I entered the UK a few days after the payment (after Jan 8th, which is when it became effective) without any questions asked.
2. How these 3 transactions have been handled by HSBC. There are at least 3 red flags which should have prompted additional verifications, or even outright blocked the transactions on the spot:
a) There have been 3 successive transactions initiated overseas in foreign currency for amounts in excess of $4K. This in itself should be enough for additional layers of protection to be invoked, which I've experienced many times with HSBC (BEFORE this incident, not after, as @BJReplay assumed), for much smaller amounts. This includes temporary passcodes sent to the mobile via SMS or email. None of these happened in this case. The only sign of something going wrong was an SMS telling me about the suspicious transaction (the >$8K one), but it was after it had been let through.
b) The 2 smaller transactions are for EXACTLY the same amount, and the bigger one is for the amount which is EXACTLY twice the amount of the smaller ones. This is also a clear red flag.
c) The last transaction exceeded my credit limit. Normally, such transactions should be (and have been from my past experience) outright declined. Yet, in this case it had still been allowed through.
All the above raise big question marks over the HSBC transaction acceptance criteria. I really want to discuss this with someone with high enough authority on their end and seek not only the resolution of these transactions, but also compensation.
</Cybersecurity Professional Mode>
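
The three red flags listed in the post above (a, b, c), written as pre-authorisation checks. This is an added example, not part of the original post and not HSBC's or Visa's logic; the `Txn` fields, the 24-hour window, the credit limit and the sample amounts are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class Txn:
    txn_id: str
    amount: Decimal   # in the card's billing currency
    foreign: bool     # initiated overseas in a foreign currency
    minute: int       # minutes since the start of the sample window

HIGH_VALUE = Decimal("4000")   # "in excess of $4K", from the post
BURST_COUNT = 3                # "3 successive transactions", from the post
BURST_WINDOW_MIN = 24 * 60     # assumed look-back window

def red_flags(history, credit_limit, balance=Decimal("0")):
    """Return {txn_id: [flags]}, scoring each transaction before it is approved."""
    result, seen = {}, []
    for t in sorted(history, key=lambda x: x.minute):
        hits = []
        # (a) burst of high-value foreign transactions inside the window
        recent = [p for p in seen if p.foreign and p.amount > HIGH_VALUE
                  and t.minute - p.minute <= BURST_WINDOW_MIN]
        if t.foreign and t.amount > HIGH_VALUE and len(recent) + 1 >= BURST_COUNT:
            hits.append("a:high-value-foreign-burst")
        # (b) amount equals, doubles or halves an earlier amount
        if any(t.amount == p.amount or t.amount == 2 * p.amount
               or 2 * t.amount == p.amount for p in seen):
            hits.append("b:repeated-or-doubled-amount")
        # (c) approval would take the balance over the credit limit
        if balance + t.amount > credit_limit:
            hits.append("c:over-credit-limit")
        result[t.txn_id] = hits
        seen.append(t)
        balance += t.amount   # models the case in the post: everything was approved
    return result

# Constructed sample: two equal charges, then one of exactly twice the amount.
SAMPLE = [
    Txn("T1", Decimal("4100.00"), True, 0),
    Txn("T2", Decimal("4100.00"), True, 5),
    Txn("T3", Decimal("8200.00"), True, 9),
]

if __name__ == "__main__":
    for txn_id, hits in red_flags(SAMPLE, credit_limit=Decimal("15000")).items():
        print(txn_id, hits or "no flags")
```
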
 
<Cybersecurity Professional Mode>
I really want to discuss this with someone with high enough authority on their end and seek not only the resolution of these transactions, but also compensation.
</Cybersecurity Professional Mode>

Golly gosh! Compensation for what?
 
TBH I think you would need an AFCA complaint to get anything from them
You definitely need to start with an official complaint process with HSBC - AFCA won't want to look at it until you've had an unsatisfactory result from the official complaint process.

You're most likely @mpogr to get satisfaction if you start your complaint with "I want to make an official complaint before I lodge an AFCA complaint", as they'll sit up and pay attention (eventually - if not at first, depending on the skills and knowledge of the person you first talk to).

Apologies for missing the timing of transaction confirmations, but the fact that they were received before for much smaller value transactions, but not for these makes it look as if they were processed as offline CNP transactions. Offline transactions (e.g. buy something on a flight with your CC) are not subject to real time credit limit checking.

Given your explanation of using the official app, but also travelling to the UK, I'm most likely to put this down to getting skimmed and/or had your card data exfiltrated from somewhere where you paid (e.g. a hotel - where they take down card details, and have a long history of insecure non-PCIDSS compliant storage) in the UK, and the coincidence of the UK based charges being government / government related is down to that's where your card was compromised.

You are, of course, right to prefer Paypal and Google Pay over presenting your card or entering it online for the reasons you have given. It is good opsec.
 
No, that's not how chargebacks work.

The card issuer (HSBC) doesn't bear a loss if the charge is deemed valid. The customer pays. If the charge is deemed invalid, the issuer claims the charge back (and costs) from the accepter - the account that made the charge. The card accepter's bank bears the cost if they can't recover from the accepter account.

There is no scenario where the issuer bears the costs.

You clearly have no idea how this works.
Without wanting to fully derail this, I can confirm it is possible for the receiving merchant gateways to block fraud transaction chargeback requests if it has passed fraud challenges. It's then back on the issuing bank to figure out how the security challenges were passed and if they were good enough.

I think one of @mpogr's gripes is the lack of security fraud challenges or detection HSBC has for transactions in this amount. Although you may wish to enquire if they were actually challenged and passed. (If it did that would pose even bigger problems)

For some other reference point, Westpac immediately flagged and blocked a transaction for a retailer that I didn't shop at in the US from an IP that was nowhere near me and asked if it was me.
 
Without wanting to fully derail this, I can confirm it is possible for the receiving merchant gateways to block fraud transaction chargeback requests if it has passed fraud challenges. It's then back on the issuing bank to figure out how the security challenges were passed and if they were good enough.
Oh, absolutely, but it doesn't look like there were fraud challenges in this case, and I was basing my expectations of the chargeback / dispute / arbitration process around the two most likely dispute processes given the description of the way it played out.

I posted more information about the relevant clauses in the rules in another reply.
 
