On June 2017, an unknown skimmer stole more than PHP 40,000 from my savings deposit account. This post details the events that happened when my ATM was skimmed back in June 2017. Note that the goal of this post is not to put BDO or even the stores where I used my debit card in bad light. Instead, I want to share the events that resulted to my card getting skimmed, how cases like these are handled by banks, and how this could have been avoided.
BDO Fraud Management Process
If you’re just looking to have an idea as to how BDO handles skimming cases (maybe because you’re a victim or you’re just interested) and don’t want to read the rest of this post, here’s the summary of the BDO fraud management process (based on my own experience):
- BDO detects and alerts customer for suspicious transactions 5-10 minutes after the transaction. Fraud Management team will call the customer OR send an email (if customer does not pick-up). They will need the customer to respond the call, email, or the SMS and validate/invalidate the suspicious transactions so they can disable the card, if necessary.
- BDO will advise customer to go to branch of account to surrender the compromised card, if the customer wants to get a replacement card. Branch will need an incident report to replace the card and file the case. You can make a handwritten incident report in the branch if you don’t have a typed and printed one with you.
- Since their SLA for fraud cases is 45 to 60 banking days for investigation and resolution, I don’t think you’ll get any response from Fraud Management or the branch if you follow-up before the 45th banking day. So, you’ll just have to wait… patiently. You can probably start ramping up your follow-up efforts after 45 banking days if you don’t hear from them.
- Branch will notify customer that the investigation has been completed. Depending on the result of the investigation, the customer may either be informed that the funds will be returned OR will not be returned due to many different reasons e.g. compromised card was an EMV chip card or transaction is not fraudulent. If the deposit will be refunded, branch will let customer sign a document that states that the bank has, in fact, refunded the account. Customer will have to get this document notarized, at his/her own expense.
What is skimming?
In my own words, skimming is a stressful and inconvenient experience where your money in the bank gets stolen by lazy but talented criminals. But, as BusinessDictionary puts it:
A type of fraud which occurs when an ATM is compromised by a skimming device, a card reader which can be disguised to look like a part of the machine. The card reader saves the users’ card number and pin code, which is then replicated into a counterfeit copy for theft.
In short, they steal the “identity” of your debit card so they can use it to withdraw your money from other ATMs or use it for purchases. The key to the trick here is for the skimmers to get your PIN. This means that you have to, at some point, enter your numbers on a machine or a device that is compromised. Particularly with merchants, they may or may not know that their point-of-sale payment devices are compromised.
Learning about and reporting the suspicious transactions.
On June 4, 2017 at around 7PM, I received 2 text messages from BDO that I just did 2 ATM withdrawal transactions each being around PHP 20,000.00. The transactions happened at a time when I was at home and I had my debit card me the whole time. I received the alerts around 10 minutes after the supposed transactions occurred. A few hours later, I also got an email from BDO Fraud Management team confirming suspicious activity under my deposit account.
Right away, I called the BDO fraud hotline that was noted on the SMS that I received. The support was quick enough to pick-up my call, file the report, and disable my card to avoid further withdrawals. There wasn’t any money left to withdraw anyway. Per the agent I talked to, the process to complete the investigation and to return my money (if proven to be skimming) was 45 to 60 days. That was too long of a waiting time and I needed the money because I was supposed to travel to the US in three weeks.
Tracing my transactions.
I tried to recall where I could have been skimmed and my only transactions during the day that I know that I did myself were: (1) cash withdrawal from an ATM within the Hypermarket at SM North EDSA, (2) debit payment at a ramen restaurant near Hypermarket, and (3) two debit payments at Watsons beside the Hypermarket. The succeeding transactions were not me because I was definitely at home, with my card with me, by then.
I remember the device that I swiped my card on at Watsons. It was gray, like the usual machine used by other merchants, so it looked trustworthy to me.
If I was skimmed at the ATM when I did my withdrawal, my fiancée should have been skimmed too because we used the same machine succeedingly so no one could have placed a device in between our transactions.
Finally, we ate at a ramen house on the same floor and building as Hypermarket. When I paid for our meal, I handed the staff my debit card. I was expecting them to do a MasterCard transaction, which most restaurants do but I was asked for my PIN so I approached the cashier counter where I was handed a device that is unusually white in color. It had a strange branding and I didn’t see any recognizable logo of a bank or payment processing service. I didn’t put much thought into it so I entered my PIN anyway. If I haven’t learned that I was skimmed later, I wouldn’t realize that the device I entered my PIN on looked like something you buy from a CDR-R King store. It was suspicious and I would just have paid in cash had I given it more attention.
Honestly, my card may have been skimmed somewhere else through an earlier transaction but I don’t think thieves would have waited that long to take my money, considering I had almost the same balance for weeks.
Now looking at the fraudulent transactions, they were all made through a merchant that had the ID MasterCard FIB Sofia. You don’t get a lot of information from that alone, but a quick Google Search of “FIB Sofia” returns results pointing to First Investment Bank from Bulgaria. That seems to be the place where my money was cashed out.
BDO’s Response to the Case
BDO was quick to respond to my case. The day after the fraudulent transactions, I went to my branch of account where they made me fill-out some forms and write an incident report. I didn’t have a prepared incident report so I wrote one by hand in the branch. I surrendered my card and they cut it with a scissor in front of me to show that it is was properly disposed of. I was supposed to pay a card replacement fee but it was waived because, you know, I didn’t have money anymore. You may be wondering why my account wasn’t closed down or frozen, it didn’t have to be because only the card was compromised.
The staff of the branch was very helpful and showed sense of urgency in handling my case. However, the entire process and timing of the investigation and refund of my funds were not within their control. So, all I could do is wait for updates from Fraud Management. I sent follow-up emails twice—one after a week and another one 2 days after. I didn’t get responses from both follow-ups. I also called the branch every other day but they didn’t have updates too.
Finally, twelve days after the fraudulent transactions happened, I received a call from the branch that they need me to sign some papers. I went right away, signed the papers, got them notarized, and then was told that I would get refunded right away. Later that evening, I got my money back and just a day before my business trip.
Now, not all cases have a happy endings. Sometimes, investigation results indicate or show evidence that the transactions were not fraudulent at all. The entire process is evidence-based and it doesn’t necessarily favor you just because you are the customer. Some stories go viral on social media where their cards were skimmed but the bank couldn’t refund their accounts as a result of the investigation.
If there’s one thing I learned from the entire experience, that is to be suspicious by default when using your debit card. Here’s my complete list of things to do to avoid being skimmed.
- EMV Chip Cards. If you are still using the old ATMs that don’t have EMV chips, get it replaced immediately. The card replacement fee is so much cheaper than the amount that could potentially be stolen from you.
- Swipe it yourself. If paying using debit, make sure you will swipe the card yourself. Don’t give anyone the opportunity to get your card number, account number, or your CVC (for MasterCard/Visa debit cards) numbers. Cover your hands when entering your PIN, thieves may already copied your card details and can just record a video of you pressing the PIN. That’s all that they need.
- If it looks dodgy, it’s probably dodgy. If asked for PIN for a payment, inspect the device. Look for logos of banks or payment processing services.
- Use a credit card or cash. Credit Cards are probably safer than debit cards because transactions are reversible. Cash is definitely safest.
- Open a separate bank account. If, however, you’re not a fan of credit cards like myself, you may want to open another bank account with a separate ATM so that you can only transfer small amounts into that account. That way, you minimize the amount that thieves get access to should your card get skimmed.
- Update your contact details. Make sure the bank has your most recent mobile number, email address, and other contact details so they can contact you as soon as they detect suspicious activities.
- Know your bank’s guidelines and services against skimming. It pays be familiar with how your bank handles skimming cases because it minimizes the stress from the uncertainty and the disappointment from losing your money. Also, be nice to your branch of account. Don’t go running to Tulfo or any show of same sorts when these things happen. Your branch is there to help you, not rip you off.
I’d, personally, be suspicious than trusting when it comes to using my debit card for payments. Cliché as it sounds, it’s better safe than sorry. Afterall, you worked hard for that money and you’d hate to have someone just take it away from you that easy.
This post is part of Help!, a series of blog posts on Raketero.com about common consumer banking problems.