My wife had the unfortunate fate to be hit by credit card fraud this summer.
It can happen to anyone anytime. We all live only one modified-ATM, one shady website or one data breach away from having our card number intercepted (and resold on the dark web).
Don’t worry! All that matters it to cancel the card and any fraudulent payment as soon as possible. Banks are meant to handle that… or so I thought.
What made the fraud peculiar? It was purposefully built and designed upon Revolut. We’re going to dig into what happened.
I consider it important to understand how every fraud works in order to prevent it from happening again and to perform the appropriate follow up actions. I like to believe that I have a minimal understanding of the domain and a vested interest in working against it.
Disclaimer: Previous employers and affiliations include JP Morgan and Chase, Atos Wordline, Ingenico (check out the logo on the card terminal next time you pay for something).
The fraudster got the card number somehow. Not sure how.
They paid £10 twice, on the same day, to O2 using the stolen card (a major UK mobile provider).
Two days later, they transferred £300 to a Revolut account under my wife’s full name. (Revolut can be topped up using a -stolen- card, although bank transfer is more common).
The Magic of Revolut
Let’s say you have a stolen debit card? The goal is to take money out of it and all the way into your pocket, in a safe form and location that cannot be traced or reverted. Knowing the transaction might be identified as fraud and reverted quickly.
There is not a lot you can do with a stolen card in reality. Maybe buy some physical goods and resell them. Shipped and disappeared by the time the vendor is hit with the charge back.
That’s where Revolut comes in. It’s genius to leverage Revolut to clear cards:
1) A Revolut account can be topped up by card, any card in the world. It’s fantastic, you just happen to have a pile of stolen cards, here’s the perfect place to debit them to.
2) The Revolut balance can be used to pay for anything. It’s a bank, they deliver you a genuine card to pay with. A fully clean and laundered card. HALLELUJAH!
3) A Revolut account can be set to the victim’s name. It’s seamless to fraud detection algorithms. It can even pass a visual inspection, “debit from well-known bank to full customer name”, seems legit.
4) Bonus: £10 cash on signup, who doesn’t like extra money? And the fraud is win-win for Revolut in a sense because it benefits their growth metrics, the more user the better.
Of course any regular bank account would be equally awesome, the challenge is that it’s usually too difficult to open a “legitimate” bank account because that requires showing up in person with multiple documents –KYC-. (It is an odyssey to open a bank account after moving to the UK, need a proof of address to open a bank account, need a bank account to rent a home).
That’s where Revolut differentiates from other banks. Revolut has zero KYC. Anybody can register an account online in 5 minutes under any name. It is a literal highway for fraud.
Notice the initial transaction to O2 (a UK mobile provider). Obviously it’s meant to obtain a sim card, there’s plenty of uses for burner phones and sim cards. It can be leveraged immediately to pass a phone verification, assuming there is any to open a Revolut account.
It won’t come as a surprise that the whole process got industrialized by bad actors. Fraud is a full time job for fraudsters, with the more elaborate schemes often carried out by organized crime. Swapping a phone or crafting a good looking identity document is not gonna stop them.
The fraudster got a bank account on Revolut, as legitimate as it gets, under the victim’s full name and ready to receive money from the main account. All that’s left to do is to top up using the stolen card. (By the way the full name comes automatically with any stolen credit card, don’t worry about how to get it).
Tough place to be in. That’s some elaborate card fraud and identity theft.
Worse: My wife was a customer of Revolut. She already had a legitimate account and was using her Revolut card occasionally.
A disaster waiting to happen. Imagine what’s pending if and when Revolut will indiscriminately go against users, or who they think are users.
Reached out to Revolut to report the fraud. Sent a text message to support through the app.
On the same day, reached out to the traditional bank to report the fraud. Called the emergency fraud line. They immediately acknowledged the issue and terminated the card.
Had to spend a bit of extra time on the line to explain precisely which transaction was fraudulent, the wife used Revolut and had legitimately topped up her account the day before (by bank transfer), NOT to confuse with the fraudulent transaction for a different amount by card. For some reason the support from traditional bank was very keen to decisively and immediately charge back all transactions with *REVO*. On a side note, didn’t know Revolut could take top up by card, we were initially really scared it was a fraudulent bank transfer (that might be a whole other level of nightmare to deal with).
Received a call back from traditional bank the next day, to confirm that fraud was reported the day before and that they terminated the card and they started the refund process. All good.
Revolut support woke up a few days later. Revolut asked why were they contacted by traditional bank about fraud and why was a payment charged back on our account? (They wake up suddenly when money is off the table?) That is nonsense of course because there was no charge back on my wife’s Revolut account.
Tried to explain and work things out. The operator said he could see two payments in recently. Critical fact here, Revolut confirmed that Revolut was the recipient of the fraudulent card transaction, which wasn’t know for sure before (the REVO-full-name reference in the transaction could have been a well-crafted placeholder, who knows where money really goes to but the recipient).
The operator didn’t understand -or didn’t want to understand- the issue. He tried to justify that a payment can’t be fraudulent because it was clearly coming from my wife’s bank account like other payments before. It seems he was able to lookup incoming payments but he was unable to identify who initiated the payment or the (distinct) destinations in Revolut. The money was definitely going to a different Revolut account opened by a different person at a different time.
It is mind blowing that Revolut is mixing up customers and is unable to trace payments!
In the end, Revolut didn’t help and accused my wife of defrauding them. Ouch.
It is not safe to use a bank that refuses to recognize fraud, while actively facilitating fraud against the world at large and against their customers in particular.
Drained the money out of the account and closed the account soon afterwards. Well, there is no option to delete an account, had to send a message to support and hope it’s done, will never know for sure.
Strongly recommend to Revolut customers to close their account for their own safety. #deleteRevolut
There are plenty of challenger banks (Monzo, Starling Bank) and traditional banks (Lloyds, HSBC, Barclays) that can provide banking services. Old banks have really improved their mobile apps in the past few years.