Recently had my Monzo card cloned but could have been a lot worse


#1

Just want to share a recent experience that had me convinced why Monzo is superior to other banks.

Recently, my Monzo card was cloned (I have no idea how it was cloned).

The scammer first used it to make a small purchase at Sainsbury's, London. I was not in London at that time. Thankfully, I noticed the Monzo app notification and immediately froze the card.

Then I contacted Monzo customer service for assistance about the fraudulent transaction. About an hour later, the scammer decided to use it to pay for 3 expensive meals in Soho, London. But the scammers didn’t succeed as the card had been frozen. Monzo’s response was prompt and brilliant and they reversed the fraudulent Sainsbury's transaction and arranged for a new card to be sent to me.

Anyway, I learned a few important lessons here:

  • I could have lost a lot more money if my other bank cards had been cloned instead because I wouldn’t have push notifications of my transactions. I probably would have noticed it a week later as I don’t check my bank statement every day. By that time, the scammer would have taken a lot more from my bank account.
  • It’s awesome to be able to freeze the card instantly via the app. Imagine having to call a hotline to freeze the app.
  • I believe the scammer timed his operation on a weekend on purpose as it would be outside normal banking hours. Thankfully, Monzo has brilliant, prompt customer service availability on weekends.
  • I have no idea how my card was cloned. It could have been a compromised ATM or a dishonest cashier. I can’t bear the risk of using my other bank cards anymore as they don’t give me the control that Monzo gives me.

Long story short, Monzo is the future of banking. Great customer service. Great technology that allows me to track and minimize unauthorized use of my card.

Given this card cloning scare, I won’t be using any of my other bank cards anymore and I’ll use only Monzo from now on.


(Andre Borie) #2

I would be very curious about how this is actually possible. Did you have magstripe transactions enabled?

Actually, even with magstripe transactions enabled, an EMV-capable terminal would reject Monzo’s magstripe as it should have a 2xx service code (2 means “Available for international interchange and with integrated circuit, which should be used for the financial transaction when feasible.”), and altering the service code isn’t possible as that should be rejected by the issuer (Wirecard in this case) when the transaction is attempted.

So either Wirecard is not properly doing their job and allowing fraudsters to alter the service code and still have transactions succeed, or we are looking at an EMV breach and this is bad news for everyone.


(Gareth) #3

I did some digging and found an answer that’s neither Wirecard at fault nor an EMV breach. I won’t say what (it’s a Google away if you know what to search), but consider when it might not be feasible to use the integrated circuit - and how the terminal might react.


#4

Awesome story. Thanks for sharing.

Can just imagine the look on their face when they had to buy it themselves :stuck_out_tongue_winking_eye:


(Marta) #5

Great story and another win for a Monzo user! @Stone9, please remember that Monzo is in beta, so it’s worth carrying a backup, but maybe consider an RFID protection sleeve for the spare card and avoid using it to remove human fraud from the equation?

It looks like we might reach a situation when thieves will make a sad panda face when they find that the card is Monzo. :smiley: “Nooo, pink card again!!!” reaction, with slackbot silently correcting “Hot coral”… :smiling_imp: If the card was cloned, well, the thief is less likely to see hot coral. You know how in the animal kingdom certain animals/insects have dangerous colours meaning “don’t eat me for your own good”? That’s what Monzo’s colour is on a fast track to be like. :smiley: :smiley:

I wonder what impact it will have on the fraud volumes. Monzo users are very quick on their feet, the card often gets frozen within the first three fraudulent transactions. I wonder what numbers are like (proportionally, not totals) between Monzo and some high street banks, for fraud transactions and money spent… :thinking:


(Richard Owen) #6

Fallback is common when the chip cannot be read. There is nothing confidential or sinister about this - it’s standard functionality. However it is something many cloned card fraudsters will attempt, because they typically clone the magstripe and not the chip.
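
The service-code and fallback behaviour discussed in posts #2 and #6, shown as an added example that is not part of the thread or any participant's code: an issuer-side check that reads the service code from track 2 and treats a swipe of a chip card differently depending on how the terminal reported it. The POS entry-mode values (05, 80, 90, as commonly carried in ISO 8583 field 22), the `assess` policy and the sample track are assumptions constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): PAN '=' YYMM expiry, 3-digit service code, discretionary data
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")

# POS entry modes as commonly carried in ISO 8583 field 22 (assumed for this example)
CHIP, FALLBACK, SWIPE = "05", "80", "90"


def parse_track2(raw):
    """Split a track 2 record into PAN, expiry, service code and discretionary data."""
    m = TRACK2.match(raw.strip())
    if not m:
        raise ValueError("not a track 2 record")
    return m.groupdict()


def has_chip(service_code):
    # First digit 2 or 6 means the card carries an integrated circuit
    return service_code[0] in "26"


def assess(raw_track2, entry_mode, terminal_chip_capable, svc_on_file):
    """Hypothetical entry-mode policy: return (decision, reason) for a card-present request."""
    if entry_mode == CHIP:
        return ("approve", "chip read")
    svc = parse_track2(raw_track2)["svc"]
    # A service code that differs from the issuer's record means the stripe data was altered
    if svc != svc_on_file:
        return ("decline", "service code differs from issuer record")
    if not has_chip(svc):
        return ("approve", "magstripe-only card")
    # Fallback is legitimate when the chip is unreadable, but it is also what a
    # magstripe-only copy of a chip card looks like, so it goes to review
    if entry_mode == FALLBACK:
        return ("review", "chip card processed as magstripe fallback")
    if entry_mode == SWIPE and terminal_chip_capable:
        return ("decline", "chip card swiped at chip-capable terminal without fallback")
    return ("review", "chip card swiped at magstripe-only terminal")


# Constructed sample: well-known test PAN, expiry 12/30, service code 201
SAMPLE = ";4111111111111111=3012201000000000?"
```
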


#7

No. I did not have magstripe transactions enabled.


(Richard Owen) #8

Hi. The “magstripe enabled” toggle is only for ATM withdrawals anyway. There should not be any barrier to magstripe POS txns.


(Andre Borie) #9

I would consider that a serious bug personally. I always assumed the mag stripe toggle is global and thus wasn’t as careful regarding skimmers as I should’ve been.


(Alex Sherwood) #10

Could you please clarify what you’d consider a serious bug sorry?


(Mike) #11

I’m assuming they are referring to:


(Mike) #12

The toggle label is quite clear in that it states Magstripe ATMs (on iOS and I remember it as being the same on Android). I couldn’t assume otherwise from that :confused:


(Richard Owen) #13

It’s fairly clear in the Android app that the toggle refers only to ATMs. Is the iOS app similar?


(Andre Borie) #14

My bad - it does say “Magstripe ATMs” on iOS as well. I would still consider this a bug - what’s the point of preventing ATM withdrawals when the fraudster can just walk into a mall and buy a games console or laptop instead?

Given that mag stripe usage in the UK is extremely rare I would personally like the toggle to be global (as in both ATM and in-store, vs the current ATM-only) instead. In the rare case you do need to use the mag stripe you can quickly toggle it.


(Alex Sherwood) #15

As far as I know, it is global. It sounds like you’re assuming that it doesn’t apply to the UK? Since we don’t know the background behind Stone’s issue, it’s probably not helpful to speculate.

On that note, @Stone9 if you do find out how this happened, it would be great if you could let us know, in case other users can take the precautions that’re necessary to limit the risk of this happening again in the future :raised_hands:


(Keri) #16

Another great reason to use Monzo! I love the notifications and ability to freeze the card. Saves large financial loss and time on hold with the bank! Thanks for sharing. :+1:


(Andre Borie) #17

What I meant is unrelated to the author’s issue – I just think it would be better to have a global (as in both ATM and purchases) toggle for magstripe rather than an ATM-only toggle, as this won’t stop fraudsters since they just have to go in store (which they could already be doing anyway).


(Leonard) #18

I get what you’re saying and frankly think we’d all benefit if the magstripe toggle was for both ATM withdrawals and POS purchases. The only thing is, when you’re making a purchase by swiping, don’t you have to sign and then have it verified with the signature on the back of the card?

Edit: Although, that’s under the assumption that the merchant is doing their job by checking the signature!


(Mike) #19

Also assumes the card is not duplicated/cloned! :grinning:


(Andre Borie) #20

A fraudster can make their own plastic with a signature they can actually write, so this won’t protect against anything.

I can’t find it right now but I remember reading a blog post about someone trying to see how far he could go regarding the signatures. He got pretty much every transaction approved without signing or with signing “I do not authorise this transaction”. The only time that failed was when he tried to buy an expensive TV and someone actually bothered to check the signature.

Edit: here it is https://www.scribd.com/document/101442/Credit-Card-Signature