$16K Fraud with HSBC Star Alliance Credit Card

[Mr H]

I absolutely understand how it works. The card issuer beats the cost of a fraudulent transaction unless they find a way to pass the cost on to someone else (the merchant).

And none of this explains why the card holder - who may or may not have been negligent - should feel angry with the card issuer, which was my fundamental point before people started obfuscating.

 

[BJReplay]

I absolutely understand how it works. The card issuer beats the cost of a fraudulent transaction unless they find a way to pass the cost on to someone else (the merchant).

And the thing is that a fraudulent transaction is the easiest chargeback of all to prove, and so it is passed back to the merchant, or if the merchant can't be made accountable, the merchants bank.

The OP was annoyed with the card issuer for two reasons: One - it took 3/4 of an hour to get through to customer service, and Two, they let through 3 high value transactions, but now require him to authenticate low value transactions. I found that pretty clear. <redacted>

Read the rules: https://www.visa.com.au/content/dam/VCOM/download/about-visa/visa-rules-public.pdf

4.1.13.1: In the AP Region, Canada Region, CEMEA Region, LAC Region, US Region: An Issuer must provide provisional credit for the amount of a dispute or an unauthorized Transaction (as applicable) to a Cardholder’s account, as follows:



That means the OP should get their provisional credit within 5 business days.

11.7.3.5 Dispute Condition 10.2: EMV Liability Shift Non-Counterfeit Fraud – Dispute Processing Requirements



Or

11.7.5.1 Dispute Condition 10.4: Other Fraud – Card-Absent Environment – Dispute Reasons



All HSBC has to do is provide the customer's certification that they didn't authorise the charge. This fraud was clearly either card not present, or someone is using saved credentials.

Please read the rules and explain how HSBC will end out of pocket?

 

[BJReplay]

However, I can't essentially use the card as all my credit limit is exhausted. 2 days after all 3 transactions have been posted on the statement. According to the fraud department, the investigation can take up to 60 days!

You should get the money back in your account, reducing your balance (albeit held, until the dispute is resolved) within 5 days:

4.1.13.1: In the AP Region, Canada Region, CEMEA Region, LAC Region, US Region: An Issuer must provide provisional credit for the amount of a dispute or an unauthorized Transaction (as applicable) to a Cardholder’s account, as follows:

@mpogr If they haven't credited the money / reduced the balance in five business days - call them and point them to the Visa Rules

 

[MEL_Traveller]

Agree with BJReplay.

It’s perfectly open for a customer to be cross with the bank, for the reasons outlined. Length of time it takes to get through, allowing the transaction to go through, etc.

It’s pretty much a given that unauthorised transactions get refunded to the customer. Nothing to be ‘thankful’ to the bank about for that. It’s the risk they accept in offering these very profitable products. And they have the power to stop them. Which they don’t want to do for fear of offending their customers.

 

[mpogr]

You should get the money back in your account, reducing your balance (albeit held, until the dispute is resolved) within 5 days:

4.1.13.1: In the AP Region, Canada Region, CEMEA Region, LAC Region, US Region: An Issuer must provide provisional credit for the amount of a dispute or an unauthorized Transaction (as applicable) to a Cardholder’s account, as follows:

@mpogr If they haven't credited the money / reduced the balance in five business days - call them and point them to the Visa Rules

Thanks for this valuable info, I will definitely do this. It's already 5 calendar days since I reported the fruadulent transactions. 5 business days will be on Tue.

 

[mpogr]

<Cybersecurity Professional Mode>
For those getting confused about the situation, there are 2 unrelated issues here:
1. Criminals got hold of my CC details and used them. Difficult to determine how this has happened, as the details have been provided to many merchants, including pay aggregators like Google Pay and PayPal. This is exactly the reason I always prefer using PayPal if possible, to minimise places where these details get exposed. Specifically, regarding the payment for the UK ETA, I used the Android app provided by them. It's published on Google Play and has all signs of authenticity. And I was granted the ETA, as I entered the UK a few days after the payment (after Jan 8th, which is when it became effective) without any questions asked.
2. How these 3 transactions have been handled by HSBC. There are at least 3 red flags which should have prompted additional verifications, or even outright blocked the transactions on the spot:
a) There have been 3 successive transactions initiated overseas in foreign currency for amounts in excess of $4K. This in itself should be enough for additional layers of protection to be invoked, which I've experienced many times with HSBC (BEFORE this incident, not after, as @BJReplay assumed), for much smaller amounts. This includes temporary passcodes sent to the mobile via SMS or email. None of these happened in this case. The only sign of something going wrong was an SMS telling me about the suspicious transaction (the >$8K one), but it was after it had been let through.
b) The 2 smaller transactions are for EXACTLY the same amount, and the bigger one is for the amount which is EXACTLY twice the amount of the smaller ones. This is also a clear red flag.
c) The last transaction exceeded my credit limit. Normally, such transactions should be (and have been from my past experience) outright declined. Yet, in this case it had still been allowed through.
All the above raise big question marks over the HSBC transaction acceptance criteria. I really want to discuss this with someone with high enough authority on their end and seek not only the resolution of these transactions, but also a compensation.
</Cybersecurity Professional Mode>

 

[Mr H]

<Cybersecurity Professional Mode>
I really want to discuss this with someone with high enough authority on their end and seek not only the resolution of these transactions, but also a compensation.
</Cybersecurity Professional Mode>

Golly gosh! Compensation for what?

 

[mpogr]

Golly gosh! Compensation for what?

For the huge stress and inconvenience caused by their lack of professionalism (see the red flags in my post) and problematic customer service.

 

[I love to travel]

For the huge stress and inconvenience caused by their lack of professionalism (see the red flags in my post) and problematic customer service.

TBH I think you would need an AFCA complaint to get anything from them