
2018.3288

THEME

Payments and payment accounts - Remote transactions - Payments via PC - Disputed transactions

OPINION

Present:
Mr A. Van Oevelen, Chairman;
Messrs J. Vannerom, R. Steennot, A. Guigui, members;
Ms N. Spruyt, member.

Date: 19 March 2019

1. EXPLANATION OF THE FACTS - SHORT HISTORY
On July 31, 2018 the client received a text message, apparently from her telecom operator, saying that she had been billed twice. She had to give her account number, her name and the expiry date of her bank card, and would be contacted by someone from the telecom company to arrange the correction. On August 1 she received a phone call from someone claiming to work for the telecom operator. She was told to take her bank card and card reader. She entered her secret code on the card reader and then had to enter the number 99999 on it. The caller asked for the response code, but she did not give it. After the phone call she checked her account and saw two transactions of EUR 999,99 each in favour of the site 'paypalopladen.be'.
The client did not authorise these payments and therefore asks the bank to reimburse her. She confirms that she gave neither her PIN code nor her authentication code. She noted that the operations were made on PCs with IP addresses in other countries.
The client saw that her account had been debited with the payments two hours before her phone call, and therefore argues that there cannot be a link with the telephone call.
The client considers the bank's system unsafe and believes she should be reimbursed.
2. THE BANK’S POINT OF VIEW
The bank has provided the client with the technical document concerning the operations. In total four operations were initiated, but only two were confirmed correctly. These two operations were 3D Secure: they were processed with the client's card, card reader and secret code, and were therefore duly authenticated.
The bank confirms that, to make a payment, the client has to enter her card number, enter her secret code in the card reader and press 'sign', after which she receives a One Time Password (OTP). The payment is confirmed with the OTP; each payment has its own OTP.
The difference in hours is explained by the way Worldline registers the operations: the recorded time can differ depending on where the beneficiary of the payment is located. Here the beneficiary was PayPal Singapore.
The operations were confirmed during the telephone call with the fraudsters.
Since the client communicated the OTP at least twice to the fraudsters, the bank refuses to reimburse her.
3. OPINION OF THE BOARD OF EXPERTS
The proof of authentication and the liability rules for unauthorised payment transactions that took place before the transposition of PSD II must be determined on the basis of the rules applicable at that time. The late transposition of the Directive by the Belgian legislature (August 9, 2018) does not mean that the PSD II rules can already be applied to transactions that took place on July 31 and August 1, 2018. The applicable legislation must, however, be interpreted in accordance with the Directive.
The client disputes that she authorised the payment transactions, which total EUR 1999,98.
Pursuant to Article VII.34(1) of the WER, the payment service provider (bank) must provide proof that the payment transaction was authenticated, correctly recorded and entered in the account and not affected by a technical breakdown or other failure. The journal roll supplied by the bank shows that the two disputed payments made on August 1, 2018 were authenticated. The Board therefore concludes that in this case the bank has provided proof in accordance with Article VII.34, § 1.
The question then arises as to whether the contested payment transactions were authorised by the client. The Board is of the opinion that the client must make it plausible that she did not initiate the disputed transactions. At the time of the two disputed transactions, the client was in Belgium (see her statement to the police as a victim about two hours after the execution of the disputed payment transactions). She further shows that on August 1, 2018 the disputed payment transactions were initiated almost simultaneously from two different countries. Finally, according to Worldline's extract, there was a time difference of only 4 seconds between the two transactions, one of which was initiated via an IP address in France and the other via an IP address in Morocco. The Board therefore considers that the contested payment transactions were not authorised by the client.
Then the question of gross negligence on the part of the applicant arises. The Board points out that, in accordance with the first sentence of Article VII.36(3) of the WER, the factual circumstances must always be taken into account when assessing the gross negligence of the payment service user. Whether the cardholder was grossly negligent must therefore always be decided case by case, taking into account all the facts. The burden of proving gross negligence lies with the bank.
In view of the following elements from the file, the Board considers that there is indeed gross negligence on the part of the client:
- The client declares that on July 31, 2018 she received an SMS, allegedly from BASE, asking her to click on a web link because the telephone subscription had inadvertently been charged twice. The URL of the web link in question (according to the PV of August 1, 2018: https://bit/ly/2LBBzOg) should already have prompted a certain amount of caution and questions on the client's part. She could have seen that it was fraudulent.
- The client entered her surname, first name and bank card number on the website concerned, which allowed the fraudsters to initiate payment.
- The contested payment transactions took place during a telephone conversation between the client and one of the fraudsters who presented himself as working for BASE.
The client states in the official report that she inserted her bank card in the card reader, entered her PIN code on the card reader (but without communicating the secret code).
Subsequently, the client entered the challenge '99999'. Since the challenge at the bank concerned corresponds to the amount of the transaction, the client had every reason to doubt the authenticity of the telephone call: an amount of EUR 999,99 should have corresponded to the client's telephony subscription, which is not the case. She could again have established that this was fraud.
- The client states that she did not give any response codes.
However, the bank proves through the journal roll and Worldline extracts that the payment transactions at issue were authenticated, that the client obtained several OTP codes (One Time Passwords) and that these codes were communicated. The transactions were executed with 3D Secure. The Board can therefore only assume that codes were communicated by the client during the telephone conversation with the fraudster.
The Board is therefore of the opinion that, in accordance with Article VII.36, § 1, second paragraph, WER, the client is fully liable for the amount of 999.99 EUR, being the amount of the first unauthorised payment transaction.
However, the Board notes that the two payment transactions were carried out within a period of four seconds. A client may rely on the generally known fact that one unique code is used per transaction. The bank does not prove the contrary. The bank declares that the fraudster can generate response codes himself from the OTP codes he receives and the challenge, and then validate several transactions at the same time. The average client cannot be assumed to be aware of this. For reasons of equity, the Board therefore proposes that the bank be liable for the second transaction, also of EUR 999,99.
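The two technical points the Board relies on, that the challenge typed into the card reader encodes the transaction amount and that one confirmation code is expected to be valid for exactly one transaction, can be made concrete with a small simulation. The following Python model is an added example written for this page; it is not code from the bank, from Worldline or from the Ombudsman, and the real 3D Secure scheme is not documented in the opinion. It assumes a simplified encoding (the challenge is the amount in cents, so EUR 999,99 becomes '99999'), an HMAC-based response computed by the reader from a PIN-unlocked card secret, the challenge and the per-transaction OTP, and a bank that accepts each OTP and response exactly once. All amounts, keys and names are constructed.

```python
"""Added example: transaction-bound challenge/response codes (assumptions, not the bank's scheme)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def amount_to_challenge(amount_cents: int) -> str:
    """Assumed encoding: the challenge is the amount in cents (EUR 999,99 -> '99999')."""
    return str(amount_cents)


def challenge_to_amount(challenge: str) -> str:
    """Decode a challenge back to a readable amount so the cardholder can check it."""
    cents = int(challenge)
    return f"EUR {cents // 100},{cents % 100:02d}"


def challenge_matches_expectation(challenge: str, expected_cents: int) -> bool:
    """Cardholder-side check: the challenge on the reader must equal the amount the
    cardholder actually intends to pay. A refund never requires signing anything."""
    return int(challenge) == expected_cents


@dataclass
class CardReader:
    card_key: bytes  # secret inside the chip, usable only after the correct PIN

    def response(self, pin_ok: bool, challenge: str, otp: str) -> str:
        if not pin_ok:
            raise PermissionError("PIN required before signing")
        mac = hmac.new(self.card_key, f"{challenge}:{otp}".encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"  # 8-digit response code


@dataclass
class Bank:
    card_key: bytes
    pending: dict = field(default_factory=dict)  # otp -> (amount_cents, challenge)
    used_otps: set = field(default_factory=set)

    def start_payment(self, amount_cents: int) -> tuple[str, str]:
        """Issue a challenge bound to the amount and a fresh OTP for this transaction only."""
        challenge = amount_to_challenge(amount_cents)
        otp = f"{secrets.randbelow(10**6):06d}"
        while otp in self.pending or otp in self.used_otps:  # keep OTPs unique
            otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[otp] = (amount_cents, challenge)
        return challenge, otp

    def confirm(self, otp: str, response: str) -> bool:
        """Accept a response only for its own pending OTP/challenge, and only once."""
        if otp in self.used_otps or otp not in self.pending:
            return False
        _, challenge = self.pending[otp]
        expected = CardReader(self.card_key).response(True, challenge, otp)
        if not hmac.compare_digest(expected, response):
            return False
        self.used_otps.add(otp)
        del self.pending[otp]
        return True


def simulate_case() -> dict:
    """Constructed scenario: two payments of EUR 999,99 are started back to back,
    as in the opinion, while the cardholder expects a telecom bill of EUR 35,00."""
    key = secrets.token_bytes(16)  # constructed card secret shared with the bank
    bank, reader = Bank(key), CardReader(key)
    ch1, otp1 = bank.start_payment(99999)
    ch2, otp2 = bank.start_payment(99999)
    resp1 = reader.response(True, ch1, otp1)
    return {
        "challenge_reads_999_99": challenge_to_amount(ch1) == "EUR 999,99",
        "matches_35_00_subscription": challenge_matches_expectation(ch1, 3500),
        "first_confirmed": bank.confirm(otp1, resp1),
        "first_code_replayed": bank.confirm(otp1, resp1),
        "first_code_on_second_otp": bank.confirm(otp2, resp1),
        "second_needs_own_code": bank.confirm(otp2, reader.response(True, ch2, otp2)),
    }


if __name__ == "__main__":
    for name, outcome in simulate_case().items():
        print(f"{name}: {outcome}")
```

In this model a response code is tied to one OTP and one challenge, so it cannot confirm a second transaction and cannot be replayed; a second payment only goes through with its own OTP and its own response. That is exactly the expectation the Board says an average client is entitled to, and it also shows where the cardholder's own check sits: the amount decoded from the challenge ('99999', i.e. EUR 999,99) plainly does not match the subscription the caller was supposedly refunding.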
4. THE OMBUDSMAN’S OPINION
The client was on the phone with the fraudster for 30 minutes. Since we were not present during this telephone call, we cannot verify exactly what was communicated to this person. The client has always maintained that she did not communicate any response code. We do not wish to doubt her statement.
Apparently, the fraudsters obtained several OTP’s and succeeded in making 2 payments. There were also two attempts to make a payment, that did not succeed.
The information we received from the bank about how the fraudsters obtained the response codes is not very clear. The OTP (one time password) is each time a unique code, produced through Worldline. According to the bank, the client communicated 4 different OTPs to the fraudsters. The fraudsters used these OTPs on different PCs registered in different countries, one after the other, to confirm different payments.
Client should have noticed the strange web-link she was asked to follow in the message from ‘Base’. This should have triggered some suspicion.
The same applies to the fact that the client had to use her card reader to obtain a reimbursement. The card reader need only be used when she has to make a payment herself. If Base has to reimburse the client, the company can make a payment to her account.
The Ombudsman therefore joins the advice of the Board. There are elements of gross negligence in what client did, but there are also some things in the procedure to make a payment that remain unclear. The solution proposed by the Board seems therefore equitable to the Ombudsman.
The Ombudsman asks the bank to reimburse the client of one of the transactions. The bank has 30 days to react on this advice.
The advices of Ombudsfin are not binding for the parties concerned.