Community

This was expected. A question comes to mind: Why did it take E&Y so many years to discover the made up holdings? Something like this means that we have not seen the bottom at 16 euros for WIRECARD. I saw this coming since 2010 (separate story). I didn't shortsell WIRECARD because no one knows if and when an accounting firm will play ball with their client. The stock could have gone the other way with a clean bill of health from an accounting firm.

I would be surprised if we don't see lawsuits and criminal investigations and indictments. I don't do straight short sells but their underlying didn't have any options available (PUTS). I wanted to get some mid-term PUTs first week of this month.

A family member experienced this. She received a call from what showed in her mobile phone as coming from HSBC. Naturally, this made her think that HSBC was calling her. The person on the other side told her that they were contacting her because they want to verify a suspicious transaction - a bank transfer. They told her that they flagged a £750.00 transfer as suspicious. She then panicked and said that of course, she did not do this bank transfer. They then told her that they needed her to generate 2 codes - 1 to confirm that she is the real bank account holder that they are talking to and 2nd code to allow them to cancel that £750.00 transfer. Again, since the phone call showed as coming from HSBC - she generated those 2 single use codes and gave each one to them. Fraudster then used the code to log-in to her account; then trigger a bank transfer with the second code.

APP Fraud is usually done combined with another fraud. In her case, it's called number spoofing.

Surely, it wouldn't be so complicated for the banks to add code so as to store their customers' known device-ids. In addition to processing the single-use code, the bank's system can also check if it's coming from one of the customer's device-ids. If it shows as being triggered from a new device-id then they should stop (not allow) the transaction; notify the customer via text and request customer to confirm that the bank transfer coming from a new device id.

Storing a customer's device ids and checking against the bank of customer's device ids is not a new technique. American Express does this. Amex actually 'whitelists' customer's confirmed device ids.

Was the data migration outsourced? If yes, to whom?

No explanation of common denominator for the compromised card accounts such as 1) all of them were used by legitimate cardholders for ATM withdrawals? 2) which ATM machine/s?  3) were the cash out with the cloned cards made in another country/countries? which countries?

My guess is that pin codes and the mag-stripes were harvested by compromising several standalone terminals were the entire card and pin code have had to be entered. Perpetrators then used the clone cards with pin-codes all within a specific time period.

Seems to be a backward move. It adds more friction to paying. Surely hardly anyone will be looking forward to updating their stored payment instrument with a new CVV on a regular basis with merchants such as Amazon, Uber, etc.

Ketharaman: I just read the FORTUNE article. From what I understand, EMV in North American is with the Liability shift. The merchants in the article are still liable despite using EMV terminals because schemes need to certify these POS's first before merchants are covered by the Liability shift. Sounds like there is a backlog of scheme certification work. EMV in North America will get there eventually. 

Commenting on Ketharaman's post:  I haven't read the FORTUNE magazine article but based on the EMV liability shift and chargeback rules, one reason a merchant who has deployed EMV terminals would still incur high chargeback rates is if the merchant still processes payments with signature. If EMV liability shift isn't implemented in North America as they did in Europe, then I agree there is no point or incentive to deploy EMV terminals over there.

With EMV liability shift, the chargeback cost and fraud is shouldered by the entity in the payment flow that presents the weakest link. For example, if the merchant has an EMV terminal and the issued card does not have chip and pin, then the Issuing Bank is responsible for the fraud and chargeback.

Geolocation service is quite useful in North America where they still physically sign for their purchases. Here in Europe where chip and pin is dominant, it wouldn't be used as much.

you could have had me at tracking device to find lost or stolen bag. the rest is flim-flam. if one needs such a gadget to control impulse buying, then sounds to me person needs psy treatment much more than this thing which they can turn off in anycase. if you still think that such a thing is useful, then why not invent a device that would send electrical shocks instead?