Share your card and PIN at your own risk

For 10 years, Anatoly had been using his travel card to transfer money to his sister-in-law Mila, who lived in the Ukraine. This was Mila’s main source of income and she would always withdraw the funds from the same ATM at her local bank.

Anatoly would load the card with funds in New Zealand and Mila would withdraw the funds in the Ukraine. Anatoly was the owner of the account and had personally delivered the second card attached to his account to Mila.

Anatoly and Mila were both very conscious about the security of the card. Anatoly closely monitored all withdrawals and Mila kept the card in a secure place in her apartment where she lived alone.

On 4 June 2017, Anatoly loaded money onto the card. Six hours later he was contacted by the travel card provider saying there was suspicious activity on his account. Fraudulent transactions had been carried out in Bali totalling about $480 NZD. Neither Anatoly or Mila had ever been to Indonesia.

The last time Mila used the card was on 1 June 2017. No one had had access to the card, and it had remained in Mila’s possession and in a secure place, as usual.

Despite these circumstances, Anatoly’s travel card provider did not agree to refund the $480 loss. The travel card provider said Anatoly had breached the card’s terms and conditions by giving Mila the second card and the PIN and, as a result, he was liable for any fraudulent transactions made with the use of the second card.

Anatoly complained to FSCL because he thought the travel card provider was being unfair.

Dispute

Anatoly accepted he had breached the card’s terms and conditions but considered this breach irrelevant, because it did not cause or contribute to the fraudulent transactions. It seemed most likely that the card had been cloned by someone in the Ukraine who had observed Mila entering the card’s PIN at an ATM. Anatoly said if he had been the last person to use the card and had been “shoulder-surfed” for the PIN, the travel card provider would have reimbursed his loss. Anatoly said the real cause of his loss was that the travel card provider had poor security measures in place.

Anatoly also said that the terms and conditions were contradictory, because they anticipated that the card could be used by people other than the cardholder, with the cardholder’s consent.

Our review

We accepted Anatoly’s view that the terms and conditions anticipated that others could use a card with the owners’ consent. However, the terms and conditions made it clear that if the cardholder did not keep the security features of the card safe (including by giving the second card and the PIN to any other person), then the cardholder would be responsible for any unauthorised transactions.

In other words, another person could use a customer’s card or second card but if this occurred, the cardholder would bear the risk of any unauthorised transactions at any stage in the future.

We did not accept that the actual cause of Anatoly’s loss was the travel card provider’s card security. The travel card provider had set out its security requirements in its terms and conditions. If a cardholder breached the terms and conditions about security, the travel card provider could not guarantee the security of the account.

The way Anatoly and Mila had been using the card was akin to them being co-owners of the card. However, because Mila did not personally purchase or own the card, the travel card provider was unable to verify her identity or carry out its due diligence requirements. Also, because Mila was not a New Zealand resident and was not using the card to manage money while travelling (she and Anatoly were using it to transfer funds between themselves), she could never have become a co-owner of the card.

Because Anatoly had breached the card’s terms and conditions by giving the second card to Mila and disclosing his PIN to her, we found that the travel card provider was not obliged to reimburse Anatoly for his loss. Anatoly agreed to discontinue his complaint.

Our insight

It is vital that people safeguard the security features of any travel, debit or credit cards. The most important security feature to keep safe is the card’s PIN. FSCL has seen other cases where New Zealand tourists have been targeted overseas. The fraudster has been able to view the cardholder entering their PIN and then managed to either steal the card or, in some cases, clone the card after it has been inserted into an ATM or Eftpos device.

People should never allow other people to use their card, nor divulge their PIN to any other person.

Search case studies