Another revolut user scammed

dubliner8 said:

I have just subscribed to the Irish Times to read that article. The victim does not appear confused in the slightest, not sure how tomdublin got that impression. What does it matter that Apple Pay is said and then Apple plus later on, I wouldn't put too much stock in that.

"Naturally I denied that I had approved any of these transactions. They investigated the matter briefly and claimed that the amounts were verified through my Apple Pay account, which I do not have. The agents insisted I had entered authentication codes to verify the payments, which I did not," writes Caoimhe.
"In addition, they referenced the last four digits of a mobile number, 9012, not mine, which allegedly accessed the Apple Plus account that does not exist. I also tried to impress on the different agents I managed to speak to that I never click on emails, texts or answer calls that are suspicious but to no avail. No responsibility was taken for the complete lack of any robustness within their security system that clearly is not fit for purpose."

Regardless of whether Caoimhe appears confused - though I don't think she is - that Revolut just flat out refuse in these cases where the victim has vehemently declared that they did not authorise is quite wrong and it's allowing fraudsters to continue to fleece people.

Click to expand...

what options do people advise in relation to using Revolut…I mainly use via my iPhone and rarely use physical card and have set the limit to €150 (auto top up disabled) and have disabled all other options via card setup.

Are we saying we should only enable card just before using it for a transaction and disable once action is completed?

It would be useful if the article explained how the scam worked.

It isn't clear from the article whether these were bank transfers in Yen from her account or rogue transactions. I would understand if it was a case of her card details were stolen and used on an online purchase fraudulently, but the reference to Apple pay is more concerning as you should only be able to do this if you have possession of the phone I thought?

dubliner8 said:

I have just subscribed to the Irish Times to read that article. The victim does not appear confused in the slightest, not sure how tomdublin got that impression. What does it matter that Apple Pay is said and then Apple plus later on, I wouldn't put too much stock in that.

"Naturally I denied that I had approved any of these transactions. They investigated the matter briefly and claimed that the amounts were verified through my Apple Pay account, which I do not have. The agents insisted I had entered authentication codes to verify the payments, which I did not," writes Caoimhe.
"In addition, they referenced the last four digits of a mobile number, 9012, not mine, which allegedly accessed the Apple Plus account that does not exist. I also tried to impress on the different agents I managed to speak to that I never click on emails, texts or answer calls that are suspicious but to no avail. No responsibility was taken for the complete lack of any robustness within their security system that clearly is not fit for purpose."

Regardless of whether Caoimhe appears confused - though I don't think she is - that Revolut just flat out refuse in these cases where the victim has vehemently declared that they did not authorise is quite wrong and it's allowing fraudsters to continue to fleece people.

Click to expand...

I actually agree with tomdublin that the victim does appear a bit confused. That´s not a judgement on their character or level of intelligence, just stating that fraudsters will often take advantage of the lack of technical knowledge that some people have. Misremembering the name of the Apple service used is a bit of a red flag, as it shows uncertainity with that technology.

If the victim had an iPhone, Apple Pay is something that they would have to accept or manually set up by entering their card number. It could be very likely that the victim was asked if she wanted to add the card to her iPhone, and didn´t realize that this was setting up an Apple Pay system. Apple Pay is simply Apple using your card that you´ve authorized them to use so you can buy things from Apple Store, buy Apple Music, Apple Books, etc. - this can also extend to making purchases online, where the customer will see that the iPhone has their credit card on file and they have to authorize with a password or Face ID to approve the purchase. I could see someone getting confused what exactly Apple Pay is, as the name makes it appear as if its an entirely new banking account when its not an account or platform at all - its mainly a feature on the phone that helps you save time from re-entering your card number every time.

Its also odd that Revolut wouldn´t have verified the full phone number that contacted them, especially as the customer would have had to pass GDPR questions and verification to enquire about her account. It sounds like they were referencing the last four digits of a card, in reference to the debit or credit card attached to Apple Pay. Often when I approve a purchase through my iPhone, it only shows the last four digits of my card and not the full digits so I can see if I have the correct payment info on file. If Revolut is referring to the approval through Apple Pay associated with her personal card number, it could have been that the customer could have accidentally logged onto the wrong Revolut website, or approved purchases on her phone by entering a password or a Face ID when prompted by the Apple Pay feature on her phone.

I think in these cases its important to remember that user error can also play a part, even with the best intentions.

I don´t think its taking away accountability of Revolut to help the customer further with these issues by mentioning these things. Instead, it can help us all keep an eye out on what we´re doing with fintech to be more safe.

dublinbay24 said:

It would be useful if the article explained how the scam worked.

It isn't clear from the article whether these were bank transfers in Yen from her account or rogue transactions. I would understand if it was a case of her card details were stolen and used on an online purchase fraudulently, but the reference to Apple pay is more concerning as you should only be able to do this if you have possession of the phone I thought?

Click to expand...

Yes, Apple Pay is only available when you are in possession of the phone, laptop, or iPad that has Apple Pay enabled. Most of Apple Pay has defaulted to Face ID for approval, so this is often required over a password (though sometimes a password can be requested if the face doesn´t match). So in this case it sounds like the customer has some kind of security issue with their iPhone or Apple Profile.

So far as the IT article goes, you need to make allowances for journalists getting wires crossed, editors striking out content etc.

So I wouldn't make deductions about the capability or otherwise of the scamed person.

My reading was that they did not have Apple Pay installed & yet that app was used as part of the scam.

I don't use either of these apps so I might have this wrong.

What happens if someone has the Revolut card details (i.e. card number, expiry date, plus security code) and tries to add it to their Apple Pay account?

Does a notification/authorisation pop-up on the Revolut app?

I just can’t remember.

Using online banking is a bit like driving a car in that it is inherently dangerous and requires a lot of knowledge to mitigate risks. Driving a car requires a driving license but online banking doesn't require any formal qualifications. Perhaps that should change, with users required to pass an online module before they can open an account.

I would suggest people look up wider sources on all of this and put things in context. One type of comment is that Revolut has more customers so more fraud, yet this is not the case with their size versus UK banks for instance. The other is blame the victim, call them stupid, don't read and listen to the faults of Revolut's behaviour clearly outlined, etc. etc.

Thread in Reddit here https://www.reddit.com/r/Revolut/s/vor7gVzFcH where a commenter talks about this apple pay activation when they don't have an iPhone:

Hello,

my sister experienced the exact same issue. One day she noticed a couple fraudulent transactions made in Japan and Angola using ApplePay. She never owned an iPhone nor authorized linking her physical card to an apple account and she lives in Germany. Revolut support didn't help.

I told her to block her card asap and she ordered a new one.

I am just curious on how on earth it is possible to link a card to ApplePay without two factor authentication.

Edit:
It seems there are other people that had a similar experience recently:

Also interesting reading this article on a flaw within Revolut that drew criminals in. Somewhat lax security and or refusing to refund customers might be causing fraud attempts to spike for Revolut accounts.

The salient question is whether these victims of fraud are as blameless as they claim or whether somewhere, somehow they’ve compromised their details.

The cynic in me thinks that it’s probably the latter. Scammers in far flung places don’t suddenly start charging stuff to your account unless they’ve obtained the details.

I suspect that these people have all fallen for an eFlow/An Post/FedEx/Amazon text scam or similar and they just don’t know it.

I wonder whether there might be a flaw in the Revolut app that hackers can take advantage of if they can get some malware onto your phone.
So many people are claiming that they never authorized the fraudulent transaction when Revolut claim that they did. Could it be that some malware on the phone is able to take advantage of some flaw in the Revolut app such that the push notifications can be "auto approved" by the malware without the user even being aware of it?

The other thing I wonder about is that even though Revolut claim that the user approved the transaction, they don't seem to ever (be able to) produce evidence of this. I would expect them to be able to say something like "the transaction was approved at 13:45 UTC from IP address 1.2.3.4 on a device running the Android 15 OS" or whatever.